feat: ConfigMap image mapping overrides for LLS Distro

Implements a mechanism for the Llama Stack Operator to read and apply
LLS Distribution image updates from a ConfigMap, enabling independent patching
for security fixes or bug fixes without requiring a new LLS Operator or RHOAI version.

- Add RHODS version detection from ClusterServiceVersion
- Add ImageMappingOverrides field to LlamaStackDistributionReconciler
- Implement parseImageMappingOverrides() to read image-overrides from ConfigMap
- Add RBAC permissions for operators.coreos.com/clusterserviceversions
- Support symbolic name mapping (e.g., rhdev-2.25) to specific images
- Included unit tests

The operator now reads image overrides from the 'image-overrides' key in the
operator ConfigMap, supporting YAML format with version-to-image mappings.
Overrides take precedence over default distribution images and are refreshed
on each reconciler initialization.

Closes: RHAIENG-1079
Signed-off-by: Derek Higgins <[email protected]>

Author: derekhiggins

README.md

@@ -104,6 +104,47 @@ Example to create a run.yaml ConfigMap, and a LlamaStackDistribution that refere
 kubectl apply -f config/samples/example-with-configmap.yaml
 ```
 
+## Image Mapping Overrides
+
+The operator supports ConfigMap-driven image updates for LLS Distribution images. This allows independent patching for security fixes or bug fixes without requiring a new operator version.
+
+### Configuration
+
+Create or update the operator ConfigMap with an `image-overrides` key:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: llama-stack-operator-config
+  namespace: llama-stack-k8s-operator-system
+data:
+  image-overrides: |
+    rh-dev-2.25: quay.io/rhoai/rhoai-fbc-fragment:rhoai-2.25@sha256:3bc98555
+```
+
+### Symbolic Name Format
+
+Use the format `rh-dev-<major>-<minor>` for symbolic names that correspond to RHOAI versions. The operator will automatically detect the current RHOAI version and apply the appropriate override.
+
+### How It Works
+
+1. The operator reads image overrides from the `image-overrides` key in the operator ConfigMap
+2. Overrides are parsed as YAML with version-to-image mappings
+3. When deploying a LlamaStackDistribution, the operator checks for overrides matching the current RHOAI version
+4. If an override exists, it uses the specified image instead of the default distribution image
+5. Changes to the ConfigMap automatically trigger reconciliation of all LlamaStackDistribution resources
+
+### Example Usage
+
+To update the LLS Distribution image for RHOAI 2.25:
+
+```bash
+kubectl patch configmap llama-stack-operator-config -n llama-stack-k8s-operator-system --type merge -p '{"data":{"image-overrides":"rh-dev-2.25: quay.io/opendatahub/llama-stack:latest"}}'
+```
+
+This will cause all LlamaStackDistribution resources using the `rh-dev` name to restart with the new image while using RHOAI version 2.25.Z, once RHOAI is upgraded to another version then the distribution will revert back to the default for that version.
+
 ## Developer Guide
 
 ### Prerequisites

config/crd/bases/llamastack.io_llamastackdistributions.yaml

@@ -87,6 +87,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - operators.coreos.com
+  resources:
+  - clusterserviceversions
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

config/rbac/role.yaml

@@ -27,3 +27,6 @@ package controllers
 
 // NetworkPolicy permissions - controller creates and manages network policies
 //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
+
+// ClusterServiceVersion permissions - controller reads CSV to get RHOAI version
+//+kubebuilder:rbac:groups=operators.coreos.com,resources=clusterserviceversions,verbs=get;list;watch

controllers/kubebuilder_rbac.go

@@ -34,6 +34,7 @@ import (
 	"github.com/llamastack/llama-stack-k8s-operator/pkg/cluster"
 	"github.com/llamastack/llama-stack-k8s-operator/pkg/deploy"
 	"github.com/llamastack/llama-stack-k8s-operator/pkg/featureflags"
+	olmv1alpha1 "github.com/operator-framework/api/pkg/operators/v1alpha1"
 	"gopkg.in/yaml.v3"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -47,6 +48,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/log"
@@ -89,6 +91,10 @@ type LlamaStackDistributionReconciler struct {
 	Scheme *runtime.Scheme
 	// Feature flags
 	EnableNetworkPolicy bool
+	// RHODS version
+	RHODSVersion string
+	// Image mapping overrides
+	ImageMappingOverrides map[string]string
 	// Cluster info
 	ClusterInfo *cluster.ClusterInfo
 	httpClient  *http.Client
@@ -474,6 +480,7 @@ func (r *LlamaStackDistributionReconciler) configMapUpdatePredicate(e event.Upda
 		} else {
 			r.EnableNetworkPolicy = EnableNetworkPolicy
 		}
+		r.ImageMappingOverrides = ParseImageMappingOverrides(newConfigMap.Data)
 		return true
 	}
 
@@ -1474,28 +1481,79 @@ func NewLlamaStackDistributionReconciler(ctx context.Context, client client.Clie
 		}
 	}
 
+	// get the version of RHODS/RHOAI from the ClusterServiceVersion in the current namespace
+	var rhodsVersion string
+	csvlist := &olmv1alpha1.ClusterServiceVersionList{}
+	listOpts := []ctrlclient.ListOption{
+		ctrlclient.InNamespace(operatorNamespace),
+	}
+	err = client.List(ctx, csvlist, listOpts...)
+	if err != nil {
+		fmt.Printf("failed to list ClusterServiceVersions: %v\n", err)
+	}
+	for _, csv := range csvlist.Items {
+		if strings.HasPrefix(csv.Name, "rhods-operator") {
+			rhodsVersion = csv.Spec.Version.String()
+			break
+		}
+	}
+	if rhodsVersion == "" {
+		fmt.Printf("failed to find RHODS version from ClusterServiceVersion\n")
+	}
+
 	// Parse feature flags from ConfigMap
 	enableNetworkPolicy, err := parseFeatureFlags(configMap.Data)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse feature flags: %w", err)
 	}
+
+	// Parse image mapping overrides from ConfigMap
+	imageMappingOverrides := ParseImageMappingOverrides(configMap.Data)
+
 	return &LlamaStackDistributionReconciler{
-		Client:              client,
-		Scheme:              scheme,
-		EnableNetworkPolicy: enableNetworkPolicy,
-		ClusterInfo:         clusterInfo,
-		httpClient:          &http.Client{Timeout: 5 * time.Second},
+		Client:                client,
+		Scheme:                scheme,
+		EnableNetworkPolicy:   enableNetworkPolicy,
+		RHODSVersion:          rhodsVersion,
+		ImageMappingOverrides: imageMappingOverrides,
+		ClusterInfo:           clusterInfo,
+		httpClient:            &http.Client{Timeout: 5 * time.Second},
 	}, nil
 }
 
+func ParseImageMappingOverrides(configMapData map[string]string) map[string]string {
+	imageMappingOverrides := make(map[string]string)
+
+	// Look for the image-overrides key in the ConfigMap data
+	if overridesYAML, exists := configMapData["image-overrides"]; exists {
+		// Parse the YAML content
+		var overrides map[string]string
+		if err := yaml.Unmarshal([]byte(overridesYAML), &overrides); err != nil {
+			// Log error but continue with empty overrides
+			fmt.Printf("failed to parse image-overrides YAML: %v\n", err)
+			return imageMappingOverrides
+		}
+
+		// Copy the parsed overrides to our result map
+		for version, image := range overrides {
+			fmt.Printf("image-mapping-override: %s: %s\n", version, image)
+			imageMappingOverrides[version] = image
+		}
+	}
+
+	return imageMappingOverrides
+}
+
 // NewTestReconciler creates a reconciler for testing, allowing injection of a custom http client and feature flags.
 func NewTestReconciler(client client.Client, scheme *runtime.Scheme, clusterInfo *cluster.ClusterInfo,
 	httpClient *http.Client, enableNetworkPolicy bool) *LlamaStackDistributionReconciler {
 	return &LlamaStackDistributionReconciler{
-		Client:              client,
-		Scheme:              scheme,
-		ClusterInfo:         clusterInfo,
-		httpClient:          httpClient,
-		EnableNetworkPolicy: enableNetworkPolicy,
+		Client:                client,
+		Scheme:                scheme,
+		ClusterInfo:           clusterInfo,
+		httpClient:            httpClient,
+		EnableNetworkPolicy:   enableNetworkPolicy,
+		RHODSVersion:          "",
+		ImageMappingOverrides: make(map[string]string),
 	}
 }