From 85a4afc6de53a6c0af553e3c63333bcc6738c42d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Edgar=20Hern=C3=A1ndez?= <ehernand@redhat.com>
Date: Wed, 22 Jan 2025 11:03:24 -0600
Subject: [PATCH] Enable forwarding Authorization header in InferenceGraphs
 (#467)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This will configure all `InferenceGraph` workloads to forward the standard HTTP `Authorization` header to the backing `InferenceServices`.

The `Authorization` header is used to receive/send credentials and let ODH stack to validate access.

By enabling forwarding of the `Authorization` header, we cover the case when there is an (some) auth-protected InferenceService(s) as part of an InferenceGraph. Access is fine-grained, so access to an InferenceGraph does not guarantee access to some InferenceService. The user needs to provide credentials to all resources (IGs and ISVC) that the request needs to go through. Since each workload validates credentials on its own, credentials need to be forwarded to all workloads of an InferenceGraph.

Signed-off-by: Edgar Hernández <23639005+israel-hdez@users.noreply.github.com>
---
 config/overlays/odh/inferenceservice-config-patch.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/overlays/odh/inferenceservice-config-patch.yaml b/config/overlays/odh/inferenceservice-config-patch.yaml
index 1da7fa9fa4b..c648cb30308 100644
--- a/config/overlays/odh/inferenceservice-config-patch.yaml
+++ b/config/overlays/odh/inferenceservice-config-patch.yaml
@@ -68,7 +68,12 @@ data:
         "memoryRequest": "100Mi",
         "memoryLimit": "1Gi",
         "cpuRequest": "100m",
-        "cpuLimit": "1"
+        "cpuLimit": "1",
+        "headers": {
+          "propagate": [
+            "Authorization"
+          ]
+        }
     }
   deploy: |-
     {