From aa3dac9fe6fa0c3d1596b54d5ccc951e8097b487 Mon Sep 17 00:00:00 2001
From: ppadti <ppadti@redhat.com>
Date: Tue, 17 Dec 2024 13:35:57 +0530
Subject: [PATCH] Allow private/public route selection in KServe, when
 authorino is not enabled

---
 .../cypress/cypress/pages/modelServing.ts     |  8 +++++
 .../modelServing/servingRuntimeList.cy.ts     | 22 ++++++++++++
 .../AuthServingRuntimeSection.tsx             | 35 ++++++++++++++-----
 .../kServeModal/ManageKServeModal.tsx         | 15 ++++----
 4 files changed, 64 insertions(+), 16 deletions(-)

diff --git a/frontend/src/__tests__/cypress/cypress/pages/modelServing.ts b/frontend/src/__tests__/cypress/cypress/pages/modelServing.ts
index e8fe0edad0..ec1e86356c 100644
--- a/frontend/src/__tests__/cypress/cypress/pages/modelServing.ts
+++ b/frontend/src/__tests__/cypress/cypress/pages/modelServing.ts
@@ -189,6 +189,14 @@ class ServingRuntimeModal extends Modal {
     super(`${edit ? 'Edit' : 'Add'} model server`);
   }
 
+  findAuthorinoNotEnabledAlert() {
+    return this.find().findByTestId('no-authorino-installed-alert');
+  }
+
+  findTokenAuthAlert() {
+    return this.find().findByTestId('token-authentication-prerequisite-alert');
+  }
+
   findSubmitButton() {
     return this.findFooter().findByTestId('modal-submit-button');
   }
diff --git a/frontend/src/__tests__/cypress/cypress/tests/mocked/modelServing/servingRuntimeList.cy.ts b/frontend/src/__tests__/cypress/cypress/tests/mocked/modelServing/servingRuntimeList.cy.ts
index 99a08aae0d..d057f3f504 100644
--- a/frontend/src/__tests__/cypress/cypress/tests/mocked/modelServing/servingRuntimeList.cy.ts
+++ b/frontend/src/__tests__/cypress/cypress/tests/mocked/modelServing/servingRuntimeList.cy.ts
@@ -909,6 +909,28 @@ describe('Serving Runtime List', () => {
       kserveModal.findAuthenticationCheckbox().should('not.exist');
     });
 
+    it('show warning alert on modal, when authorino operator is not installed/enabled', () => {
+      initIntercepts({
+        disableModelMeshConfig: false,
+        disableKServeConfig: false,
+        disableKServeAuthConfig: false,
+        servingRuntimes: [],
+        projectEnableModelMesh: false,
+      });
+
+      projectDetails.visitSection('test-project', 'model-server');
+
+      modelServingSection.findDeployModelButton().click();
+
+      kserveModal.shouldBeOpen();
+      kserveModal.findAuthorinoNotEnabledAlert().should('exist');
+      kserveModal.findModelRouteCheckbox().should('not.be.checked');
+      kserveModal.findModelRouteCheckbox().check();
+      kserveModal.findTokenAuthAlert().should('exist');
+      kserveModal.findModelRouteCheckbox().uncheck();
+      kserveModal.findTokenAuthAlert().should('not.exist');
+    });
+
     it('Kserve auth should be hidden when no required capabilities', () => {
       initIntercepts({
         disableModelMeshConfig: false,
diff --git a/frontend/src/pages/modelServing/screens/projects/ServingRuntimeModal/AuthServingRuntimeSection.tsx b/frontend/src/pages/modelServing/screens/projects/ServingRuntimeModal/AuthServingRuntimeSection.tsx
index 1c09124365..b7ef6dfcf6 100644
--- a/frontend/src/pages/modelServing/screens/projects/ServingRuntimeModal/AuthServingRuntimeSection.tsx
+++ b/frontend/src/pages/modelServing/screens/projects/ServingRuntimeModal/AuthServingRuntimeSection.tsx
@@ -20,6 +20,7 @@ type AuthServingRuntimeSectionProps<D extends CreatingModelServingObjectCommon>
   setData: UpdateObjectAtPropAndValue<D>;
   allowCreate: boolean;
   publicRoute?: boolean;
+  showModelRoute?: boolean;
 };
 
 const AuthServingRuntimeSection = <D extends CreatingModelServingObjectCommon>({
@@ -27,6 +28,7 @@ const AuthServingRuntimeSection = <D extends CreatingModelServingObjectCommon>({
   setData,
   allowCreate,
   publicRoute,
+  showModelRoute = true,
 }: AuthServingRuntimeSectionProps<D>): React.ReactNode => {
   const createNewToken = React.useCallback(() => {
     const name = 'default-name';
@@ -85,14 +87,16 @@ const AuthServingRuntimeSection = <D extends CreatingModelServingObjectCommon>({
           </FormGroup>
         </StackItem>
       )}
-      <StackItem>
-        <ServingRuntimeTokenSection
-          data={data}
-          setData={setData}
-          allowCreate={allowCreate}
-          createNewToken={createNewToken}
-        />
-      </StackItem>
+      {showModelRoute && (
+        <StackItem>
+          <ServingRuntimeTokenSection
+            data={data}
+            setData={setData}
+            allowCreate={allowCreate}
+            createNewToken={createNewToken}
+          />
+        </StackItem>
+      )}
       {((publicRoute && data.externalRoute && !data.tokenAuth) ||
         (!publicRoute && !data.tokenAuth)) && (
         <StackItem>
@@ -105,6 +109,21 @@ const AuthServingRuntimeSection = <D extends CreatingModelServingObjectCommon>({
           />
         </StackItem>
       )}
+      {publicRoute && data.externalRoute && !showModelRoute && (
+        <Alert
+          isInline
+          variant="warning"
+          title="Token authentication prerequisite not installed"
+          data-testid="token-authentication-prerequisite-alert"
+        >
+          <p>
+            Making models available through external routes without requiring token authentication
+            can lead to unauthorized access of your model. To enable token authentication, you must
+            first request that your cluster administrator install the Authorino operator on your
+            cluster.
+          </p>
+        </Alert>
+      )}
     </Stack>
   );
 };
diff --git a/frontend/src/pages/modelServing/screens/projects/kServeModal/ManageKServeModal.tsx b/frontend/src/pages/modelServing/screens/projects/kServeModal/ManageKServeModal.tsx
index 915ed5cde8..85a4f7ee23 100644
--- a/frontend/src/pages/modelServing/screens/projects/kServeModal/ManageKServeModal.tsx
+++ b/frontend/src/pages/modelServing/screens/projects/kServeModal/ManageKServeModal.tsx
@@ -418,14 +418,13 @@ const ManageKServeModal: React.FC<ManageKServeModalProps> = ({
                 setSelectedAcceleratorProfile={setSelectedAcceleratorProfile}
                 infoContent="Select a server size that will accommodate your largest model. See the product documentation for more information."
               />
-              {isAuthorinoEnabled && (
-                <AuthServingRuntimeSection
-                  data={createDataInferenceService}
-                  setData={setCreateDataInferenceService}
-                  allowCreate={allowCreate}
-                  publicRoute
-                />
-              )}
+              <AuthServingRuntimeSection
+                data={createDataInferenceService}
+                setData={setCreateDataInferenceService}
+                allowCreate={allowCreate}
+                publicRoute
+                showModelRoute={isAuthorinoEnabled}
+              />
             </>
           )}
         </FormSection>