feat: disables features not needed for Istio deployments #96
Conversation
|
Hi @bartoszmajsak. Thanks for your PR. I'm waiting for a opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
bartoszmajsak
changed the title
|
@harshad16 @LaVLaS could you please take a look when you find some time? Many thanks! |
|
@bartoszmajsak Can we update the e2e tests to capture the changes included in this PR? |
Thanks for looking at it @VaishnaviHire. I will update e2e tests as well. Can we ok-to-test in the meanwhile so I can see if there's anything else I overlooked? |
|
/ok-to-test |
There was a problem hiding this comment.
This is just for testing purposes - not sure if that's the place it should be put. If not I can move it somewhere else and adjust the build process.
| maistra.io/gateway-name: odh-gateway | ||
| maistra.io/gateway-namespace: odh-notebook-controller-system | ||
| spec: | ||
| host: opendatahub.apps-crc.testing |
There was a problem hiding this comment.
This is replaced on the fly when executing make setup-service-mesh target.
| protocol: HTTPS | ||
| tls: | ||
| mode: SIMPLE | ||
| credentialName: odh-dashboard-cert |
There was a problem hiding this comment.
If the overlays here are used mainly for testing purposes I can adjust tests to be using http if desired.
| .PHONY: e2e-test | ||
| e2e-test: ## Run e2e tests for the controller | ||
| go test ./e2e/ -run ^TestE2ENotebookController -v --nb-namespace=${K8S_NAMESPACE} ${E2E_TEST_FLAGS} | ||
| e2e-test: e2e-test-oauth ## Run e2e tests for the controller with oauth proxy |
There was a problem hiding this comment.
I decided to keep existing target behavior - to run only tests scenarios where oauth-proxy approach is defined. Happy to adjust based on your needs for CI. There's already a script in place to run the service mesh scenario https://github.com/opendatahub-io/kubeflow/pull/96/files#diff-13d60fc682972fcc720de0f06e1826afc91ba40af5d5c8bd987b370d44d0a332
components/odh-notebook-controller/config/base/kustomization.yaml
Outdated
Show resolved
Hide resolved
| // Verify if the configmap has key ISTIO_GATEWAY with value 'kubeflow/kubeflow-gateway' | ||
| require.EqualValuesf(t, "kubeflow/kubeflow-gateway", | ||
| configmap.Data["ISTIO_GATEWAY"], "error getting ISTIO_GATEWAY in the configmap") | ||
| break |
There was a problem hiding this comment.
I would like to suggest here checking only for the config map existence, as its values can differ by scenario. If the config map is misconfigured the test will fail so that should be enough for end-to-end verification in my eyes.
|
@VaishnaviHire I added e2e tests, please let me know if anything else is pending on my end. |
In order to handle creation of Notebooks which should belong to the service mesh we have to ensure this controller does not create unnecessary resources. For this purpose, when opendatahub.io/service-mesh annotation is present on the Notebook resource it will make sure that: - no OAuth Proxy related resources are created - no routes are created It will fail admission of a notebook pod for the injection of proxy sidecars if annotation opendatahub.io/service-mesh is present and set to true as well. I made few minor adjustements in the test code as I needed to re-use several resources, such as NetworkPolicy.
One reason being IDEs such as GoLand have troubles recongizing private funcs, but it is mainly due to the fact that it is a purely test code
bartoszmajsak
force-pushed
the
enable_ossm
branch
from
ccc8e3c to
3fead38
Compare
|
@bartoszmajsak Overall code changes look good to me. On the local test run I am seeing following error when creating Notebook instance Did you come across this while testing? Note that I am running the tests in the |
@VaishnaviHire Leaving aside the fact that I will fix the ns propagation. |
|
@VaishnaviHire I prepared a similar bash script for ci tests - https://github.com/opendatahub-io/kubeflow/pull/96/files#diff-13d60fc682972fcc720de0f06e1826afc91ba40af5d5c8bd987b370d44d0a332 Should this be incorporated as part of this work? |
|
@VaishnaviHire @harshad16 Could someone please give it another look? |
Yeah, Istio can be a bit finicky :-) @bartoszmajsak excellent work, and a big requirement for i.e. using an external auth provider like IBMAppID in conjunction with Istio / ServiceMesh, as well as for support for evaluating RBAC via the kubeflow profiles controller medium-term. Psyched to see your contribution. Wielkie dzię and merci vielmal; best regards from Lake Lauerz. |
bartoszmajsak
changed the title
Thanks @shalberd! Also for pointing out the profile controller - I will take a closer look to see how we can leverage it. Lake Lauerz is great - I must return there for SUP this summer! |
|
@bartoszmajsak if you ever want to connect with IBM's Sebastian Lehrig @lehrig, he's got heaps of experience making Kubeflow, including RBAC with Kubeflow Profiles controller, work on Openshift (within a PowerPC initiative). @raffaelespazzoli worked in detail on it, being the detective on Openshift |
|
thanks for the flowers @shalberd - kudos particularly goes to Raffaele who did lots of the ground work: https://cloud.redhat.com/blog/operationalizing-kubeflow-in-openshift |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: harshad16 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks for taking care of it @harshad16. If you still have some details about the failures, such as logs, I can have a look and think about how this could be improved. |
Description
In order to handle the creation of Notebooks that should belong to the service mesh we have to ensure this controller does not create unnecessary resources. For this purpose, when
opendatahub.io/service-meshannotation is present and set totrueon the Notebook resource it will make sure that:It will fail the admission of a notebook pod for the injection of proxy sidecars if annotation
opendatahub.io/service-meshis present and set totrue.I made a few minor adjustments in the test code as I needed to re-use several resources, such as
NetworkPolicy.How Has This Been Tested?
Merge criteria: