User story

As a Data Scientist who wants to deploy a model with ModelMesh, when that model is stored in some "non-standard" storage provider,

I want to be able to provide a Certificate Authority certificate

so that ModelMesh can pull the model in a secure way, being able to verify the TLS connection that is secured by a certificate signed by that custom CA.

Details

I first encountered that limitation when trying to access a model through OpenShift Data Foundations (NooBaa in particular), which by default gets exposed through the internal cluster service endpoint https://s3.openshift-storage.svc: the model server was not able to download the model because the TLS connection is secured by the cluster's sevice-ca.crt.

Being an internal cluster service, in this case it is possible to workaround this by accessing the S3 endpoint via plain text HTTP instead.

However, some cluster environments might have a strict requirement to enforce TLS communications everywhere, including internal cluster services.

Moreover, there are scenarios where models can be stored in a custom S3 storage that is external to the cluster but still uses a custom CA. Examples can include an external Ceph cluster.

The request here is to be able to provide a custom CA that can be used by the model puller to verify the TLS connection to the S3 endpoint.

Additional info

This was discussed in the Open Data Hub slack: https://odh-io.slack.com/archives/C0330L52N22/p1684327623872829