Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: DSPO handle db tls connections and configs (v2) #577

Merged
merged 8 commits into from
Mar 11, 2024
Merged

feat: DSPO handle db tls connections and configs (v2) #577

merged 8 commits into from
Mar 11, 2024

Conversation

HumairAK
Copy link
Contributor

@HumairAK HumairAK commented Feb 26, 2024
edited
Loading

The issue resolved by this Pull Request:

Resolves

RHOAIENG-16900
RHOAIENG-2385

Description of your changes:

Same as:

Notes:

  1. New server config parameters (we currently only support mysql/mariadb configurations, postgres config doesn't support tls right now in kfp)
  2. MLMD pod is switched to use Model Registry's MLMD grpc image, so we can utilize their tls flags and mount the odh/user provided ca bundle in that pod.

Testing instructions

Same as: #575 & #579
But for v2 with adjustments to work with v2:

Full instructions:

Deploy a secure/tls enabled s3/mariadb behind a self-signed cert (for example in a self-signed ocp cluster), provide these configs to the DSAP as external configs. Ensure they only accept tls based connections.

Deploy a cabundle as a configmap in the DSPA namespace:

kind: ConfigMap
apiVersion: v1
metadata:
  name: odh-trusted-ca-bundle
data:
  ca-bundle.crt: | 
      <your-bundle>

Deploy DSPA configured to leverage these connections via external db/object store connections.

Confirm DSPO is able conduct successfull health checks (if it deploys the DSPA pods then health checks worked), if it didn't, log the error here.

Confirm DSPA comes up successfully, in this change DSPO willl udpate the DSP server's configs to enable "tls" for db connections. Confirm this behavior by running a successful pipeline.

Confirm DSPA "simple" v1 still works (no external db/s3 configured).

Confirm setting "customExtraParams" in the DSPA's ".spec.database.customExtraParams". Provide wrong ca bundle, confirm it fails to deploy dspa, then set ".spec.database.customExtraParams" to {"tls":"true"}, it should work. Because the value is a json string, you should use | or >- to format the yaml value, example:

spec:
  dspVersion: v2
  database:
    customExtraParams: |                           
      {"tls": "skip-verify"}

Confirm that when you include an odh-trusted-ca-bundle configmap, and another cabundle in the DSPA via .spec.cABundle, the result is a configmap named dsp-trusted-ca-* that includes both bundles, which is mounted in the DSP Apiserver, as well as the user launcher pod.

Checklist

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@HumairAK HumairAK changed the title V2 rhoaieng 1690 and 2385 feat: DSPO handle db tls connections and configs Feb 26, 2024
@HumairAK HumairAK changed the title feat: DSPO handle db tls connections and configs feat: DSPO handle db tls connections and configs (v2) Feb 26, 2024
@dsp-developers
Copy link
Contributor

A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577
An OCP cluster where you are logged in as cluster admin is required.

To use this image run the following:

cd $(mktemp -d)
git clone git@github.com:opendatahub-io/data-science-pipelines-operator.git
cd data-science-pipelines-operator/
git fetch origin pull/577/head
git checkout -b pullrequest 6709929741e3daa52672b39e40876a2869d53e5c
oc new-project opendatahub
make deploy IMG="quay.io/opendatahub/data-science-pipelines-operator:pr-577"

More instructions here on how to deploy and test a Data Science Pipelines Application.

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@HumairAK
Copy link
Contributor Author

/hold

@HumairAK HumairAK changed the title feat: DSPO handle db tls connections and configs (v2) wip: feat: DSPO handle db tls connections and configs (v2) Feb 28, 2024
@HumairAK HumairAK force-pushed the v2-RHOAIENG-1690-and-2385 branch 3 times, most recently from dffc3ee to 2628402 Compare February 29, 2024 21:34
@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@HumairAK HumairAK changed the title wip: feat: DSPO handle db tls connections and configs (v2) feat: DSPO handle db tls connections and configs (v2) Mar 1, 2024
@HumairAK
Copy link
Contributor Author

HumairAK commented Mar 5, 2024

/unhold

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

1 similar comment
@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@HumairAK
feat: dspo to reconcile on odh ca events.
55fdadd 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
(cherry picked from commit b400dff)
@HumairAK
feat: use odh global config when provided.
fdb1804 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
(cherry picked from commit 574cd85)
@HumairAK
feat: correct logger messages in dspa params
6433d51 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
(cherry picked from commit 673a04a)
@HumairAK
feat: allow dspo to verify tls secured mysql
2600ac9 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
@HumairAK
chore: mount ca bundle to mlmd
531c957 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
@HumairAK
chore: allow dspo to handle multiple ca bundles
49207eb 
When a configmap trust ca store is provided, whether it's from a user
provisioned configmap with a ca bundle via the DSPA's caBundle field,
or whether it's a configmap name "odh-trusted-ca-bundle" (provided
by odh or user), then this change will create an amalgmation of all
of the certs from these configmaps and create a single dspo managed
configmap. The resulting configmap has a single cert that is the
accumulation of all afore mentioned certs, and can be passed as a single
file to the dsp server, or pipeline pods to utilize.

This helps work around issues and overhead work required when mounting
to a ca path with multiple certs, because such a path requires that it
first be re_hashed. Furthermore this allows us to work around issues
related to aws cli being unable to utilize ca paths with it's
AWS_CA_BUNDLE env variable when passing artifacts during the
step-copy-artifacts step.

Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
@HumairAK
chore: add more cert tests.
7ade9ee 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@HumairAK HumairAK requested a review from rimolive March 11, 2024 17:32
gregsheremeta
gregsheremeta reviewed Mar 11, 2024
View reviewed changes
Copy link
Contributor

@gregsheremeta gregsheremeta left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nothing i've commented on should be considered a blocker to merging. I'm happy to tag lgtm now if you're rather merge now and fixup later (or not make any changes at all, that's fine too)

controllers/dspipeline_params.go Outdated Show resolved Hide resolved
controllers/dspipeline_params.go Outdated Show resolved Hide resolved
controllers/config/defaults.go

DefaultDBSecretNamePrefix = "ds-pipeline-db-"
DefaultDBSecretKey = "password"
DBDefaultExtraParams = "{\"tls\":\"%t\"}"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same comment as in the v1 patch -- I would prefer a type safe way of doing this / not using string templating. This seems like not idiomatic go.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we can open a "would be nice to refactor this" ticket for this and add it to our backlog. Not really a big deal / definitely no need to block merge.

controllers/dspipeline_params.go Outdated Show resolved Hide resolved
@HumairAK
chore: clarify cabundle comments and error descriptions
1a30d8d 
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
@dsp-developers
Copy link
Contributor

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-577

@gregsheremeta
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm label Mar 11, 2024
@rimolive
Copy link
Contributor

/lgtm
/approve

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Mar 11, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rimolive

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@HumairAK HumairAK merged commit 8d9f36a into opendatahub-io:main Mar 11, 2024
5 of 6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gregsheremeta gregsheremeta gregsheremeta left review comments

@rimolive rimolive Awaiting requested review from rimolive

Assignees

@rimolive rimolive

@gregsheremeta gregsheremeta

Labels
approved lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@HumairAK @dsp-developers @gregsheremeta @rimolive