standup.sh & teardown.sh for non-cluster-level-admin users (#546)

NaomiEisen · web-flow · commit 87e54bbd5cc5 · 2025-12-03T14:12:50.000-05:00
* Add idea to gitignore

* Add non-admin flag option

* Add non-admin run option

* Update show_usage function

* Update LLMDBENCH_USER_IS_ADMIN usage
diff --git a/.gitignore b/.gitignore
@@ -57,6 +57,8 @@ env.bak/
 venv.bak/
 environment/
 
+.idea/
+
 scenarios/none.sh
 
 # Python specifics
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -12,7 +12,7 @@ repos:
     # You are encouraged to use static refs such as tags, instead of branch name
     #
     # Running "pre-commit autoupdate" automatically updates rev to latest tag
-    rev: 0.13.1+ibm.61.dss
+    rev: 0.13.1+ibm.64.dss
     hooks:
       - id: detect-secrets # pragma: whitelist secret
         # Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2025-05-16T02:30:29Z",
+  "generated_at": "2025-11-30T10:06:26Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -87,7 +87,7 @@
       }
     ]
   },
-  "version": "0.13.1+ibm.61.dss",
+  "version": "0.13.1+ibm.64.dss",
   "word_list": {
     "file": null,
     "hash": null
diff --git a/setup/env.sh b/setup/env.sh
@@ -549,23 +549,33 @@ else
   export LLMDBENCH_CONTROL_KCMD=$(echo $LLMDBENCH_CONTROL_KCMD | $LLMDBENCH_CONTROL_SCMD 's^oc ^kubectl ^g')
 fi
 
-export LLMDBENCH_USER_IS_ADMIN=0
-if [[ $LLMDBENCH_CONTROL_DEPLOY_IS_OPENSHIFT -eq 1 ]]; then
-  admin_user=$($LLMDBENCH_CONTROL_KCMD get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin")' | jq '.subjects[0].name'  | grep $($LLMDBENCH_CONTROL_KCMD whoami) || true)
-  if [[ ! -z ${admin_user} || $($LLMDBENCH_CONTROL_KCMD whoami) == "system:admin" ]]; then
-    export LLMDBENCH_USER_IS_ADMIN=1
-  fi
-else
-  not_admin=$($LLMDBENCH_CONTROL_KCMD get crds 2>&1 | grep -i Forbidden || true)
-  if [[ -z ${not_admin} ]]; then
-    export LLMDBENCH_USER_IS_ADMIN=1
-    is_ns=$($LLMDBENCH_CONTROL_KCMD get namespace -o name| grep -E "namespace/${LLMDBENCH_VLLM_COMMON_NAMESPACE}$" || true)
-    if [[ ! -z ${is_ns} ]]; then
-      export LLMDBENCH_CONTROL_PROXY_UID=$($LLMDBENCH_CONTROL_KCMD get namespace ${LLMDBENCH_VLLM_COMMON_NAMESPACE} -o json | jq -e -r '.metadata.annotations["openshift.io/sa.scc.uid-range"]' | perl -F'/' -lane 'print $F[0]+1');
+if [[ -z "${LLMDBENCH_USER_IS_ADMIN:-}" ]]; then # Check if variable was overridden
+  export LLMDBENCH_USER_IS_ADMIN=0
+  if [[ $LLMDBENCH_CONTROL_DEPLOY_IS_OPENSHIFT -eq 1 ]]; then
+    admin_user=$($LLMDBENCH_CONTROL_KCMD get clusterrolebindings -o json | jq '.items[] | select(.roleRef.name=="cluster-admin")' | jq '.subjects[0].name'  | grep $($LLMDBENCH_CONTROL_KCMD whoami) || true)
+    if [[ ! -z ${admin_user} || $($LLMDBENCH_CONTROL_KCMD whoami) == "system:admin" ]]; then
+      export LLMDBENCH_USER_IS_ADMIN=1
+    fi
+  else
+    not_admin=$($LLMDBENCH_CONTROL_KCMD get crds 2>&1 | grep -i Forbidden || true)
+    if [[ -z ${not_admin} ]]; then
+      export LLMDBENCH_USER_IS_ADMIN=1
+      is_ns=$($LLMDBENCH_CONTROL_KCMD get namespace -o name| grep -E "namespace/${LLMDBENCH_VLLM_COMMON_NAMESPACE}$" || true)
+      if [[ ! -z ${is_ns} ]]; then
+        export LLMDBENCH_CONTROL_PROXY_UID=$($LLMDBENCH_CONTROL_KCMD get namespace ${LLMDBENCH_VLLM_COMMON_NAMESPACE} -o json | jq -e -r '.metadata.annotations["openshift.io/sa.scc.uid-range"]' | perl -F'/' -lane 'print $F[0]+1');
+      fi
     fi
   fi
 fi
 
+# Config to avoid blocked commands for non-admin users
+if [[ $LLMDBENCH_USER_IS_ADMIN -eq 0 ]]; then
+  announce "ℹ️  Configuring environment for non-admin users."
+  export LLMDBENCH_VLLM_GAIE_CHART_VERSION="v0"
+  export LLMDBENCH_VLLM_MODELSERVICE_GAIE_MONITORING_PROMETHEUS_ENABLED=false
+  export LLMDBENCH_VLLM_MODELSERVICE_INFERENCE_POOL=false
+fi
+
 export LLMDBENCH_CONTROL_DEPLOY_IS_MINIKUBE=${LLMDBENCH_CONTROL_DEPLOY_IS_MINIKUBE:-0}
 has_minikube=$($LLMDBENCH_CONTROL_KCMD get pods -n kube-system 2>&1 | grep 'etcd-minikube' || true)
 if [[ ! -z ${has_minikube} ]]; then
diff --git a/setup/standup.sh b/setup/standup.sh
@@ -41,6 +41,7 @@ function show_usage {
             -u/--wva [deploy model with Workload Variant Autoscaler (default=$LLMDBENCH_WVA_ENABLED)] \n \
             -n/--dry-run [just print the command which would have been executed (default=$LLMDBENCH_CONTROL_DRY_RUN) ] \n \
             -v/--verbose [print the command being executed, and result (default=$LLMDBENCH_CONTROL_VERBOSE) ] \n \
+            -i/--non-admin [run the setup script as a non-cluster-level admin user] \n \
             -h/--help (show this help)\n \
 
             * [step list] can take of form of comma-separated single/double digits (e.g. \"-s 0,1,5\") or ranges (e.g. \"-s 1-7\")"
@@ -131,6 +132,10 @@ while [[ $# -gt 0 ]]; do
         export LLMDBENCH_CLIOVERRIDE_CONTROL_VERBOSE=1
         export LLMDBENCH_CONTROL_VERBOSE=1
         ;;
+        -i|--non-admin)
+        announce "ℹ️  You are running as a non-cluster-level admin user."
+        export LLMDBENCH_CLIOVERRIDE_USER_IS_ADMIN=0
+        ;;
         -h|--help)
         show_usage
         if [[ "${BASH_SOURCE[0]}" == "${0}" ]]
diff --git a/setup/steps/07_deploy_setup.py b/setup/steps/07_deploy_setup.py
@@ -173,7 +173,11 @@ def main():
             model_dir.mkdir(parents=True, exist_ok=True)
 
             # Generate helmfile YAML content
-            helmfile_content = f"""repositories:
+            non_admin_defaults = ""
+            if not ev['user_is_admin'] == "0": # Avoid default namespace creation for non cluster-level admin users
+                non_admin_defaults = "helmDefaults:\n  createNamespace: false\n---\n\n"
+
+            helmfile_content = f"""{non_admin_defaults}repositories:
   - name: {ev['vllm_modelservice_helm_repository']}
     url: {ev['vllm_modelservice_helm_repository_url']}
   - name: {ev['vllm_infra_helm_repository']}
diff --git a/setup/teardown.sh b/setup/teardown.sh
@@ -36,6 +36,7 @@ function show_usage {
               -m/--models [list the models to be deployed (default=$LLMDBENCH_DEPLOY_MODEL_LIST) ] \n \
               -t/--methods [list of standup methods (default=$LLMDBENCH_DEPLOY_METHODS, possible values \"standalone\" and \"modelservice\") ] \n \
               -v/--verbose [print the command being executed, and result (default=$LLMDBENCH_CONTROL_VERBOSE) ] \n \
+              -i/--non-admin [run the teardown script as a non-cluster-level admin user] \n \
               -h/--help (show this help)"
 }
 
@@ -96,6 +97,10 @@ while [[ $# -gt 0 ]]; do
         export LLMDBENCH_CLIOVERRIDE_CONTROL_VERBOSE=1
         export LLMDBENCH_CONTROL_VERBOSE=1
         ;;
+        -i|--non-admin)
+        announce "ℹ️  You are running as a non-cluster-level admin user."
+        export LLMDBENCH_CLIOVERRIDE_USER_IS_ADMIN=0
+        ;;
         -h|--help)
         show_usage
         if [[ "${BASH_SOURCE[0]}" == "${0}" ]]
@@ -162,9 +167,11 @@ for tgtns in ${LLMDBENCH_VLLM_COMMON_NAMESPACE} ${LLMDBENCH_HARNESS_NAMESPACE};
       llmdbench_execute_cmd "${LLMDBENCH_CONTROL_KCMD} delete --namespace $tgtns --ignore-not-found=true httproute $(model_attribute $model modelid_label)" ${LLMDBENCH_CONTROL_DRY_RUN} ${LLMDBENCH_CONTROL_VERBOSE}
     fi
 
-    for cr in ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-endpoint-picker ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-epp-metrics-scrape ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-manager ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-metrics-auth ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-admin ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-editor ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-viewer; do
-      llmdbench_execute_cmd "${LLMDBENCH_CONTROL_KCMD} delete --ignore-not-found=true ClusterRole $cr" ${LLMDBENCH_CONTROL_DRY_RUN} ${LLMDBENCH_CONTROL_VERBOSE}
-    done
+    if [[ $LLMDBENCH_USER_IS_ADMIN -eq 1 ]] ; then # Non-admin users cannot delete ClusterRole
+      for cr in ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-endpoint-picker ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-epp-metrics-scrape ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-manager ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-metrics-auth ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-admin ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-editor ${LLMDBENCH_VLLM_MODELSERVICE_RELEASE}-modelservice-viewer; do
+        llmdbench_execute_cmd "${LLMDBENCH_CONTROL_KCMD} delete --ignore-not-found=true ClusterRole $cr" ${LLMDBENCH_CONTROL_DRY_RUN} ${LLMDBENCH_CONTROL_VERBOSE}
+      done
+    fi
   fi
 done
 

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ repos:`
`12`	`12`	`# You are encouraged to use static refs such as tags, instead of branch name`
`13`	`13`	`#`
`14`	`14`	`# Running "pre-commit autoupdate" automatically updates rev to latest tag`
`15`		`- rev: 0.13.1+ibm.61.dss`
	`15`	`+ rev: 0.13.1+ibm.64.dss`
`16`	`16`	`hooks:`
`17`	`17`	`- id: detect-secrets # pragma: whitelist secret`
`18`	`18`	# Add options for detect-secrets-hook binary. You can run `detect-secrets-hook --help` to list out all possible options.
Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"files": "^.secrets.baseline$",`
`4`	`4`	`"lines": null`
`5`	`5`	`},`
`6`		`- "generated_at": "2025-05-16T02:30:29Z",`
	`6`	`+ "generated_at": "2025-11-30T10:06:26Z",`
`7`	`7`	`"plugins_used": [`
`8`	`8`	`{`
`9`	`9`	`"name": "AWSKeyDetector"`
`@@ -87,7 +87,7 @@`
`87`	`87`	`}`
`88`	`88`	`]`
`89`	`89`	`},`
`90`		`- "version": "0.13.1+ibm.61.dss",`
	`90`	`+ "version": "0.13.1+ibm.64.dss",`
`91`	`91`	`"word_list": {`
`92`	`92`	`"file": null,`
`93`	`93`	`"hash": null`