Update kserve/kserve manifests from v0.18.0#3406
Merged
google-oss-prow[bot] merged 9 commits intoMay 12, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Updates Kubeflow manifests tracking for KServe to v0.17.0, accounting for the fact that the original v0.17.0 tag did not include the required install artifacts.
Changes:
- Bumps the KServe synchronization script reference from v0.16.0 to v0.17.0.
- Updates the root README component table entry for KServe to v0.17.0 and links to the release branch path containing the install files.
Reviewed changes
Copilot reviewed 2 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/synchronize-kserve-kserve-manifests.sh | Updates the git ref used by the sync script to target KServe v0.17.0. |
| README.md | Updates the KServe row to reflect v0.17.0 and links to the install directory on the release branch. |
You can also share your feedback on Copilot code review. Take the survey.
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
from
75d9f0b to
8d493ea
Compare
1 task
Contributor
|
@christian-heusel/ @juliusvonkohout I noticed the |
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
from
fa00f5a to
01b9dab
Compare
Member
|
Please rebase to master |
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
3 times, most recently
from
49816e7 to
2d01eef
Compare
Contributor
Author
|
/hold |
google-oss-prow
Bot
added
do-not-merge/hold
and removed
do-not-merge/work-in-progress
labels
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the Kubeflow Manifests KServe component to align with KServe v0.17.0 (synced from release-0.17 due to the upstream tag missing install artifacts), and applies Kubeflow-specific fixes to keep the deployment functional in the kubeflow namespace.
Changes:
- Update the KServe synchronization script/version metadata for the v0.17.0 sync workflow.
- Add/adjust Kustomize patches to fix cert-manager CA injection references and webhook certificate SANs for
kubeflownamespace installs. - Refresh KServe cluster resources (runtime images, new runtimes, and updated LLM-related templates/configs).
Reviewed changes
Copilot reviewed 3 out of 7 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| scripts/synchronize-kserve-kserve-manifests.sh | Updates sync inputs/versioning for the v0.17.0 KServe manifests sync. |
| applications/kserve/kserve/kustomization.yaml | Adds patches to fix cert-manager injection + certificate SAN issues and updates LLM-related patch targeting. |
| applications/kserve/kserve/kserve-cluster-resources.yaml | Updates runtime images/annotations and substantially revises LLM templates and related configs. |
| README.md | Updates the KServe “Upstream Revision” entry to v0.17.0. |
Member
|
@christian-heusel @vrajjbhatt Got confirmation from Kserve to use 0.18.0 instead. Please create another PR for that version instead. |
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
from
2d01eef to
a1c1edd
Compare
christian-heusel
changed the title
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
from
9d29df1 to
d7a542e
Compare
Member
|
@christian-heusel Thanks so much for this work, can you rebase and look into |
There are a few specialties regarding this release as the initial v0.17.0 tag did not contain the needed install files, see the linked issue for more details. This is also the reason that the manifests were synced from the `release-v0.17` branch manually instead of using the tag as we normally do. Additionally the sync came with a bunch of script which I did not include into the changes as they were only scripts: - `applications/kserve/kserve/keda-dependency-install.sh` - `applications/kserve/kserve/kserve-knative-mode-dependency-install.sh` - `applications/kserve/kserve/kserve-knative-mode-full-install-with-manifests.sh` - `applications/kserve/kserve/kserve-standard-mode-dependency-install.sh` - `applications/kserve/kserve/kserve-standard-mode-full-install-with-manifests.sh` - `applications/kserve/kserve/llmisvc-dependency-install.sh` - `applications/kserve/kserve/llmisvc-full-install-with-manifests.sh` Link: kserve/kserve#5255 Signed-off-by: Christian Heusel <christian@heusel.eu>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Christian Heusel <christian@heusel.eu>
Signed-off-by: Christian Heusel <christian@heusel.eu>
kserve_kubeflow.yaml v0.17.0 introduced a second set of Certificate resources that still reference the upstream kserve namespace instead of kubeflow. These duplicates override the correct kubeflow-scoped ones, causing cert-manager to issue certs with kserve.svc SANs, which results in TLS verification failures on the webhook server. Patch all three Certificates (serving-cert, llmisvc-serving-cert, localmodel-serving-cert) to use the correct kubeflow.svc SANs. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Christian Heusel <christian@heusel.eu>
kserve_kubeflow.yaml v0.17.0 hardcodes cert-manager.io/inject-ca-from: kserve/<cert-name> on all webhook configurations and relevant CRDs, but the Certificate resources live in the kubeflow namespace. cert-manager's ca-injector uses this annotation to populate the webhook caBundle, so with the wrong namespace reference the caBundle is never set and TLS verification fails with "certificate signed by unknown authority". Patch all 12 affected resources (1 MutatingWebhookConfiguration, 3 CRDs, 8 ValidatingWebhookConfigurations) to use kubeflow/<cert-name> instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Christian Heusel <christian@heusel.eu>
Signed-off-by: Christian Heusel <christian@heusel.eu>
Usually this works automatically, however due to the changes for kserve v0.17.0 this has to be done manually once. Signed-off-by: Christian Heusel <christian@heusel.eu>
… targets Replace 12 individual strategic merge patches with 3 JSON 6902 patches that use name regex targets, grouping resources by their cert name. Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Christian Heusel <christian@heusel.eu>
Signed-off-by: Christian Heusel <christian@heusel.eu>
christian-heusel
force-pushed
the
synchronize-kserve-manifests-release-0.17
branch
from
9ec0153 to
aa67f78
Compare
Member
|
Thanks for your efforts |
Member
|
Thank you |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Member
|
/unhold |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Template for Kubeflow Manifests
✏️ Summary of Changes
Update the manifests for kserve from 0.16.0 to v0.18.0
🚧 Remaining ToDo's:
kubectl delete clusterrolebinding llmisvc-manager-rolebinding --ignore-not-foundon pre-existing cluster ➡️ documentation(kserve): add upgrade notes for v0.16.x to v0.17.0 migration #3420📦 Dependencies
none
🐛 Related Issues
./install/v0.17.0/directory present in thev0.17.0kserve release kserve/kserve#5255✅ Contributor Checklist