-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Request to deprecate compiler.build_python_component(build_image=,..) flag #1661
Comments
@gaoning777, will it be covered by your component builder work? |
This flag was added initially to avoid rebuilding the image if the image already exists. E.g. when users has run the notebook once and need to run it again without building the image, setting the flag will only generate the containerop. Since we will have a fast build that takes very little time, the new version will not have this configuration any more. I will cover that. |
But that
Sure. |
Waiting for @gaoning777 's refactoring to complete. |
Completed. Go ahead. |
@gaoning777 Can you please LGTM #1657 ? |
* Add SANs to server.crt On my testing environment (debian 11, openssl 1.1.1k, minikube with k8s 1.20, go 1.15, kfserving 0.5) I get some TLS errors when testing kfserving, namely "x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching" when trying to deploy a simple InferenceService resource. After some digging I found this problem: ``` openssl req -noout -text -in server.csr | grep "Subject Alternative Name" -A 1 X509v3 Subject Alternative Name: DNS:kfserving-webhook-server-service, DNS:kfserving-webhook-server-service.kfserving-system, DNS:kfserving-webhook-server-service.kfserving-system.svc, DNS:kfserving-webhook-server-service.kfserving-system.svc.cluster, DNS:kfserving-webhook-server-service.kfserving-system.svc.cluster.local openssl x509 -in server.crt -text -noout | grep "Subject Alternative Name" -A 1 ``` Meanwhile if I add this patch: ``` openssl x509 -in server.crt -text -noout | grep "Subject Alternative Name" -A 1 X509v3 Subject Alternative Name: DNS:kfserving-webhook-server-service, DNS:kfserving-webhook-server-service.kfserving-system, DNS:kfserving-webhook-server-service.kfserving-system.svc, DNS:kfserving-webhook-server-service.kfserving-system.svc.cluster, DNS:kfserving-webhook-server-service.kfserving-system.svc.cluster.local ``` As far as I got go 1.15 introduces a stricter policy for TLS certs, and openssl by default doesn't copy SANs from a .csr to .crt if not explicitly told. gh: kubeflow#1657 * Add patch for conversion webhook in self-signed-ca.sh Co-authored-by: haijohn <haijohnzju@gmail.com> gh: kubeflow#1657 Co-authored-by: haijohn <haijohnzju@gmail.com>
This is a request to eliminate redundant methods of building docker / components. specifically to remove compiler.build_python_component(build_image=,..) flag. This flag eliminates the container build operation from build_python_component however it will not inject the python function into the container or pass it on. This allows for modification of component definition without changing the base container image. However this is redundant as dsl.ContainerOp provides the same functionality.
This will ensure that
The text was updated successfully, but these errors were encountered: