diff --git a/.github/workflows/admission_webhook_test.yaml b/.github/workflows/admission_webhook_test.yaml index 3a4d8e04af..2660a70e7a 100644 --- a/.github/workflows/admission_webhook_test.yaml +++ b/.github/workflows/admission_webhook_test.yaml @@ -2,14 +2,14 @@ name: Build & Apply PodDefaults manifests in KinD on: pull_request: paths: - - .github/workflows/admission_webhook_test.yaml - - apps/admission-webhook/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/admission_webhook_test.yaml + - apps/admission-webhook/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/bentoml_test.yaml b/.github/workflows/bentoml_test.yaml index 71b59956ff..41a8fc276b 100644 --- a/.github/workflows/bentoml_test.yaml +++ b/.github/workflows/bentoml_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply BentoML Yatai Stack manifests in KinD on: pull_request: paths: - - .github/workflows/bentoml_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - contrib/bentoml/** + - .github/workflows/bentoml_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - contrib/bentoml/** jobs: build: diff --git a/.github/workflows/centraldashboard_test.yaml b/.github/workflows/centraldashboard_test.yaml index 6fd9337da1..f5373d1277 100644 
--- a/.github/workflows/centraldashboard_test.yaml +++ b/.github/workflows/centraldashboard_test.yaml @@ -2,12 +2,12 @@ name: Build & Apply CentralDashboard manifests in KinD on: pull_request: paths: - - .github/workflows/centraldashboard_test.yaml - - apps/centraldashboard/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh + - .github/workflows/centraldashboard_test.yaml + - apps/centraldashboard/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml index 140772cf79..f06bd0e7a4 100644 --- a/.github/workflows/dex_test.yaml +++ b/.github/workflows/dex_test.yaml @@ -2,12 +2,12 @@ name: Build & Apply Dex manifests in KinD on: pull_request: paths: - - .github/workflows/dex_test.yaml - - common/dex/base/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh + - .github/workflows/dex_test.yaml + - common/dex/base/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh jobs: build: 
@@ -33,3 +33,14 @@ jobs:
 cd common/dex
 kustomize build overlays/istio | kubectl apply -f -
 kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s
+
+ - name: port forward
+ run: |
+ ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
+ nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 &
+ while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
+
+ - name: test dex login
+ run: |
+ pip3 install requests
+ ./tests/gh-actions/test_dex_login.py
diff --git a/.github/workflows/jupyter_web_application_test.yaml b/.github/workflows/jupyter_web_application_test.yaml
index 6cd555d8f9..13715e1740 100644
--- a/.github/workflows/jupyter_web_application_test.yaml
+++ b/.github/workflows/jupyter_web_application_test.yaml
@@ -2,12 +2,12 @@ name: Build & Apply JWA manifests in KinD
 on:
 pull_request:
 paths:
- - .github/workflows/jupyter_web_application_test.yaml
- - apps/jupyter/jupyter-web-app/upstream/**
- - tests/gh-actions/kind-cluster.yaml
- - tests/gh-actions/install_kind.sh
- - tests/gh-actions/install_kustomize.sh
- - tests/gh-actions/install_istio.sh
+ - .github/workflows/jupyter_web_application_test.yaml
+ - apps/jupyter/jupyter-web-app/upstream/**
+ - tests/gh-actions/kind-cluster.yaml
+ - tests/gh-actions/install_kind.sh
+ - tests/gh-actions/install_kustomize.sh
+ - tests/gh-actions/install_istio.sh
 
 jobs:
 build:
diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml
index c61e2237b3..9edace0aa7 100644
--- a/.github/workflows/katib_test.yaml
+++ b/.github/workflows/katib_test.yaml
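Review bot: The readiness loop added in the `port forward` step, `while ! curl localhost:8080; do ...; done`, has no upper bound, so if the backgrounded `kubectl port-forward` exits early the step spins until the job-level timeout instead of failing promptly. Wrapping it with coreutils `timeout` makes the failure explicit: `timeout 60 bash -c 'until curl -s localhost:8080 >/dev/null; do echo waiting for port-forwarding; sleep 1; done'`. The same unbounded loop appears, reindented rather than new, in the kserve_m2m_test.yaml and pipeline_test.yaml hunks. In the `test dex login` step, `pip3 install requests` is unpinned, unlike `kfp==2.4.0` in pipeline_test.yaml; pinning it (`pip3 install requests==<pinned-version>`) keeps the login test reproducible and narrows what a yanked or tampered release could change under CI.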
@@ -2,14 +2,14 @@ name: Build & Apply Katib manifests in KinD on: pull_request: paths: - - .github/workflows/katib_test.yaml - - apps/katib/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/katib_test.yaml + - apps/katib/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml index eb48f8fb34..c9ac27229e 100644 --- a/.github/workflows/kserve_cni_test.yaml +++ b/.github/workflows/kserve_cni_test.yaml 
@@ -2,69 +2,69 @@ name: Build & Apply KServe manifests in KinD, using istio CNI on: pull_request: paths: - - .github/workflows/kserve_cni_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - common/istio-cni-1-22/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative-cni.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_cni_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - common/istio-cni-1-22/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative-cni.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - name: Install Istio CNI - run: ./tests/gh-actions/install_istio-cni.sh + - name: Install Istio CNI + run: ./tests/gh-actions/install_istio-cni.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - 
name: Install knative CNI - run: ./tests/gh-actions/install_knative-cni.sh + - name: Install knative CNI + run: ./tests/gh-actions/install_knative-cni.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - - name: Run kserve tests - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests && pytest . + - name: Run kserve tests + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests && pytest . - - name: Run kserve models webapp test - run: | - kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app + - name: Run kserve models webapp test + run: | + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app 
diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml index 3b79215e57..b468702f1a 100644 --- a/.github/workflows/kserve_m2m_test.yaml +++ b/.github/workflows/kserve_m2m_test.yaml 
@@ -2,88 +2,88 @@ name: Deploy and test KServe with m2m auth in KinD on: pull_request: paths: - - .github/workflows/kserve_m2m_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/kserve/** - - common/oidc-client/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh* - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_m2m_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/kserve/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh* + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kubectl - run: ./tests/gh-actions/install_kubectl.sh + - name: Install kubectl + run: ./tests/gh-actions/install_kubectl.sh - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply 
-f - - - name: Install Istio with external authentication - run: ./tests/gh-actions/install_istio_with_ext_auth.sh + - name: Install Istio with external authentication + run: ./tests/gh-actions/install_istio_with_ext_auth.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - name: Install knative - run: ./tests/gh-actions/install_knative.sh + - name: Install knative + run: ./tests/gh-actions/install_knative.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + while ! 
curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready - - name: Wait for the kubeflow-m2m-oidc-configurator Job - run: | - ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh + - name: Wait for the kubeflow-m2m-oidc-configurator Job + run: | + ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh - - name: Run kserve tests with m2m token from SA default/default - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)" - cd ./contrib/kserve/tests && pytest . -vs --log-level info + - name: Run kserve tests with m2m token from SA default/default + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)" + cd ./contrib/kserve/tests && pytest . -vs --log-level info - - name: Run and fail kserve tests without kserve m2m token - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests - if pytest . -vs --log-level info; then - echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1 - else - echo "Task failed successfully!" - echo "This is a provisional way of testing that m2m is enabled for kserve." - fi + - name: Run and fail kserve tests without kserve m2m token + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests + if pytest . -vs --log-level info; then + echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1 + else + echo "Task failed successfully!" + echo "This is a provisional way of testing that m2m is enabled for kserve." + fi diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml index e4d5ef7cfe..81b9825115 100644 --- a/.github/workflows/kserve_test.yaml +++ b/.github/workflows/kserve_test.yaml 
@@ -2,69 +2,69 @@ name: Build & Apply KServe manifests in KinD on: pull_request: paths: - - .github/workflows/kserve_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/kserve/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/kserve/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + - name: Install Istio + run: ./tests/gh-actions/install_istio.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - name: Install knative - run: ./tests/gh-actions/install_knative.sh 
+ - name: Install knative + run: ./tests/gh-actions/install_knative.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - - name: Run kserve tests - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests && pytest . + - name: Run kserve tests + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests && pytest . - - name: Run kserve models webapp test - run: | - kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app \ No newline at end of file + - name: Run kserve models webapp test + run: | + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app 
diff --git a/.github/workflows/linting_bash_python_yaml_files.yaml b/.github/workflows/linting_bash_python_yaml_files.yaml index 3d168fde5f..bd38c1eea4 100644 --- a/.github/workflows/linting_bash_python_yaml_files.yaml +++ b/.github/workflows/linting_bash_python_yaml_files.yaml @@ -125,7 +125,7 @@ jobs: fi - name: Display changed files - if: always() # Always run this step + if: always() # Always run this step run: cat changed_files_in_PR.txt || echo "No bash files have changed in this PR." - name: Run ShellCheck on changed files diff --git a/.github/workflows/manifests_example_test.yaml b/.github/workflows/manifests_example_test.yaml index 72579e63b8..55ed3ce040 100644 --- a/.github/workflows/manifests_example_test.yaml +++ b/.github/workflows/manifests_example_test.yaml @@ -1,8 +1,8 @@ name: Unit Test on: - - push - - pull_request +- push +- pull_request jobs: build: @@ -19,4 +19,3 @@ jobs: - name: Unit Test run: | kustomize build example - diff --git a/.github/workflows/metacontroller_test.yaml b/.github/workflows/metacontroller_test.yaml index 403c126aa1..987d30cd74 100644 --- a/.github/workflows/metacontroller_test.yaml +++ b/.github/workflows/metacontroller_test.yaml @@ -2,15 +2,15 @@ name: Build & Apply contrib/metacontroller in KinD on: pull_request: paths: - - .github/workflows/metacontroller_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/metacontroller/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/metacontroller_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/metacontroller/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: 
diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml index 082d9b540b..e3c59aa6cb 100644 --- a/.github/workflows/model_registry_test.yaml +++ b/.github/workflows/model_registry_test.yaml @@ -1,14 +1,14 @@ -# If anyone changes or improve the following tests for Model Registry, please +# If anyone changes or improve the following tests for Model Registry, please # consider reflecting the same changes on https://github.com/kubeflow/model-registry name: Deploy and test Kubeflow Model Registry on: pull_request: paths: - - apps/model-registry/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - apps/model-registry/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build-kfmr: @@ -61,7 +61,7 @@ jobs: 'http://localhost:8081/api/model_registry/v1alpha3/registered_models?pageSize=100&orderBy=ID&sortOrder=DESC' \ -H 'accept: application/json' - # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup + # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup - name: Port forward Istio gateway run: | INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index 8c49bf40a3..fa0f70a934 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml 
@@ -2,15 +2,15 @@ name: Test Notebook Controller with m2m auth manifests in KinD on: pull_request: paths: - - .github/workflows/notebook_controller_m2m_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - apps/jupyter/** - - common/oidc-client/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh* - - tests/gh-actions/install_multi_tenancy.sh + - .github/workflows/notebook_controller_m2m_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - apps/jupyter/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh* + - tests/gh-actions/install_multi_tenancy.sh jobs: build: diff --git a/.github/workflows/notebook_controller_test.yaml b/.github/workflows/notebook_controller_test.yaml index abb01afaf0..a423f05459 100644 --- a/.github/workflows/notebook_controller_test.yaml +++ b/.github/workflows/notebook_controller_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Notebook Controller manifests in KinD on: pull_request: paths: - - .github/workflows/notebook_controller_test.yaml - - apps/jupyter/notebook-controller/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/notebook_controller_test.yaml + - apps/jupyter/notebook-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 8e965bb375..7d91966adc 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml 
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -2,19 +2,19 @@ name: Create Pipeline Run from Kubeflow Notebook
 on:
 pull_request:
 paths:
- - .github/workflows/pipeline_run_from_notebook.yaml
- - apps/jupyter/notebook-controller/upstream/**
- - apps/pipeline/upstream/**
- - tests/gh-actions/kind-cluster.yaml
- - tests/gh-actions/install_kind.sh
- - tests/gh-actions/install_kustomize.sh
- - tests/gh-actions/install_istio.sh
- - tests/gh-actions/install_cert_manager.sh
- - common/cert-manager/**
- - common/oidc-client/oauth2-proxy/**
- - common/istio*/**
- - common/oidc-client/**
- - apps/jupyter/**
+ - .github/workflows/pipeline_run_from_notebook.yaml
+ - apps/jupyter/notebook-controller/upstream/**
+ - apps/pipeline/upstream/**
+ - tests/gh-actions/kind-cluster.yaml
+ - tests/gh-actions/install_kind.sh
+ - tests/gh-actions/install_kustomize.sh
+ - tests/gh-actions/install_istio.sh
+ - tests/gh-actions/install_cert_manager.sh
+ - common/cert-manager/**
+ - common/oauth2-proxy/**
+ - common/istio*/**
+ - common//**
+ - apps/jupyter/**
 
 jobs:
 build:
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index 2df9ee79c0..2cfcca0cf6 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
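Review bot: The new path filter `- common//**` (replacing `- common/oidc-client/**`) contains an empty path segment, which looks like a leftover from the oidc-client to oauth2-proxy rename rather than an intended pattern. It is unclear whether the path-filter glob treats `common//**` as equivalent to `common/**` or as matching nothing; in the latter case changes under `common/` outside the explicitly listed oauth2-proxy, cert-manager and istio directories would silently stop triggering this workflow. Either drop the line, since `common/oauth2-proxy/**` is already listed, or write `- common/**` if the broader trigger is the intent.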
@@ -2,125 +2,125 @@ name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD on: pull_request: paths: - - .github/workflows/pipeline_test.yaml - - apps/pipeline/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - common/oidc-client/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh + - .github/workflows/pipeline_test.yaml + - apps/pipeline/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh - - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh - - - name: Install kubectl - run: ./tests/gh-actions/install_kubectl.sh - - - name: Install Istio with external authentication - run: ./tests/gh-actions/install_istio_with_ext_auth.sh - - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh - - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - - name: Install KF Pipelines - run: ./tests/gh-actions/install_pipelines.sh - - - name: Install KF Multi Tenancy - run: ./tests/gh-actions/install_multi_tenancy.sh - - - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - - - - name: Create KF Profile - run: kustomize 
build common/user-namespace/base | kubectl apply -f - - - - name: port forward - run: | - ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & - while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready - - - name: Wait for the kubeflow-m2m-oidc-configurator Job - run: | - ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh - - - name: List and deploy test pipeline with authorized ServiceAccount Token - run: | - pip3 install kfp==2.4.0 - KF_PROFILE=kubeflow-user-example-com - TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" - - python -c ' - from time import sleep - import kfp - import sys - - token = sys.argv[1] - namespace = sys.argv[2] - client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) - - pipeline = client.list_pipelines().pipelines[0] - pipeline_name = pipeline.display_name - pipeline_id = pipeline.pipeline_id - pipeline_version_id = client.list_pipeline_versions(pipeline_id).pipeline_versions[0].pipeline_version_id - experiment_id = client.create_experiment("m2m-test", namespace=namespace).experiment_id - - print(f"Starting pipeline {pipeline_name}.") - run_id = client.run_pipeline(experiment_id=experiment_id, job_name="m2m-test", pipeline_id=pipeline_id, version_id=pipeline_version_id).run_id - - while True: - status = client.get_run(run_id=run_id).state - if status in ["PENDING", "RUNNING"]: - print(f"Waiting for run_id: {run_id}, status: {status}.") - sleep(10) - else: - print(f"Run with id {run_id} finished with status: {status}.") - if status != "SUCCEEDED": - print("Pipeline failed") - raise SystemExit(1) - break - ' "${TOKEN}" "${KF_PROFILE}" - - - name: Fail to list pipelines with unauthorized ServiceAccount Token - run: | - pip3 install kfp==2.4.0 - 
KF_PROFILE=kubeflow-user-example-com - TOKEN="$(kubectl -n default create token default)" - - python -c ' - import kfp - import sys - from kfp_server_api.exceptions import ApiException - - token = sys.argv[1] - namespace = sys.argv[2] - client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) - - try: - pipeline = client.list_runs(namespace=namespace) - except ApiException as e: - assert e.status == 403, "This API Call should return unauthorized/forbidden error." - ' "${TOKEN}" "${KF_PROFILE}" - - echo "Test succeeded. Token from unauthorized ServiceAccount cannot list \ - piplines in $KF_PROFILE namespace." + - name: Checkout + uses: actions/checkout@v4 + + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh + + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh + + - name: Install kubectl + run: ./tests/gh-actions/install_kubectl.sh + + - name: Install Istio with external authentication + run: ./tests/gh-actions/install_istio_with_ext_auth.sh + + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh + + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + + - name: Install KF Pipelines + run: ./tests/gh-actions/install_pipelines.sh + + - name: Install KF Multi Tenancy + run: ./tests/gh-actions/install_multi_tenancy.sh + + - name: Install kubeflow-istio-resources + run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - + + - name: Create KF Profile + run: kustomize build common/user-namespace/base | kubectl apply -f - + + - name: port forward + run: | + ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 
8080:80 & + while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + + - name: Wait for the kubeflow-m2m-oidc-configurator Job + run: | + ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh + + - name: List and deploy test pipeline with authorized ServiceAccount Token + run: | + pip3 install kfp==2.4.0 + KF_PROFILE=kubeflow-user-example-com + TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" + + python -c ' + from time import sleep + import kfp + import sys + + token = sys.argv[1] + namespace = sys.argv[2] + client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) + + pipeline = client.list_pipelines().pipelines[0] + pipeline_name = pipeline.display_name + pipeline_id = pipeline.pipeline_id + pipeline_version_id = client.list_pipeline_versions(pipeline_id).pipeline_versions[0].pipeline_version_id + experiment_id = client.create_experiment("m2m-test", namespace=namespace).experiment_id + + print(f"Starting pipeline {pipeline_name}.") + run_id = client.run_pipeline(experiment_id=experiment_id, job_name="m2m-test", pipeline_id=pipeline_id, version_id=pipeline_version_id).run_id + + while True: + status = client.get_run(run_id=run_id).state + if status in ["PENDING", "RUNNING"]: + print(f"Waiting for run_id: {run_id}, status: {status}.") + sleep(10) + else: + print(f"Run with id {run_id} finished with status: {status}.") + if status != "SUCCEEDED": + print("Pipeline failed") + raise SystemExit(1) + break + ' "${TOKEN}" "${KF_PROFILE}" + + - name: Fail to list pipelines with unauthorized ServiceAccount Token + run: | + pip3 install kfp==2.4.0 + KF_PROFILE=kubeflow-user-example-com + TOKEN="$(kubectl -n default create token default)" + + python -c ' + import kfp + import sys + from kfp_server_api.exceptions import ApiException + + token = sys.argv[1] + namespace = sys.argv[2] + client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) + + try: + 
pipeline = client.list_runs(namespace=namespace) + except ApiException as e: + assert e.status == 403, "This API Call should return unauthorized/forbidden error." + ' "${TOKEN}" "${KF_PROFILE}" + + echo "Test succeeded. Token from unauthorized ServiceAccount cannot list \ + piplines in $KF_PROFILE namespace." diff --git a/.github/workflows/profiles_test.yaml b/.github/workflows/profiles_test.yaml index 2352352bf9..d562ff7c0d 100644 --- a/.github/workflows/profiles_test.yaml +++ b/.github/workflows/profiles_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Profiles manifests in KinD on: pull_request: paths: - - .github/workflows/profiles_test.yaml - - apps/profiles/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/profiles_test.yaml + - apps/profiles/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/ray_test.yaml b/.github/workflows/ray_test.yaml index 56732ddbc6..d726105e84 100644 --- a/.github/workflows/ray_test.yaml +++ b/.github/workflows/ray_test.yaml @@ -2,10 +2,10 @@ name: Build & Apply Ray manifest in KinD on: pull_request: paths: - - .github/workflows/ray_test.yaml - - contrib/ray/** - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh + - .github/workflows/ray_test.yaml + - contrib/ray/** + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh jobs: build: diff --git a/.github/workflows/seldon_test.yaml b/.github/workflows/seldon_test.yaml index 822ba29df4..c98b8be446 100644 --- a/.github/workflows/seldon_test.yaml +++ b/.github/workflows/seldon_test.yaml 
@@ -2,15 +2,15 @@ name: Build & Apply Seldon manifests in KinD on: pull_request: paths: - - .github/workflows/seldon_test.yaml - - tests/gh-actions/kind-cluster.yaml - - contrib/seldon/** - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/seldon_test.yaml + - tests/gh-actions/kind-cluster.yaml + - contrib/seldon/** + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index dc8c85a9da..e56901a44c 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -7,7 +7,7 @@ name: Mark stale issues and pull requests on: schedule: - - cron: '0 0 * * *' # Run every day at midnight + - cron: '0 0 * * *' # Run every day at midnight jobs: stale: 
@@ -17,40 +17,32 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v5 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - days-before-stale: 60 - days-before-close: 21 - # The message that will be added as a comment to the issues - # when the stale workflow marks it automatically as stale with a label. - stale-issue-message: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the issues - # when the stale workflow closes it automatically after being stale for too long. - close-issue-message: > - This issue has been automatically closed because it has not had recent - activity. Please comment "/reopen" to reopen it. - stale-issue-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-issue-labels: lifecycle/frozen,enhancement,good first issue - # The message that will be added as a comment to the pull requests - # when the stale workflow marks it automatically as stale with a label. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the pull requests - # when the stale workflow closes it automatically after being stale for too long. - close-pr-message: > - This pull request has been automatically closed because it has not had recent - activity.You can reopen the PR if you want. - stale-pr-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-pr-labels: lifecycle/frozen,enhancement,good first issue - # The issues or the pull requests with a milestone will not be marked as stale automatically - exempt-all-milestones: true - # Learn more about operations: https://github.com/actions/stale#operations-per-run. 
- operations-per-run: 250 \ No newline at end of file + - uses: actions/stale@v5 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + days-before-stale: 60 + days-before-close: 21 + # The message that will be added as a comment to the issues + # when the stale workflow marks it automatically as stale with a label. + stale-issue-message: > + This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. + # The message that will be added as a comment to the issues + # when the stale workflow closes it automatically after being stale for too long. + close-issue-message: > + This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. + stale-issue-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-issue-labels: lifecycle/frozen,enhancement,good first issue + # The message that will be added as a comment to the pull requests + # when the stale workflow marks it automatically as stale with a label. + stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. \n" + # The message that will be added as a comment to the pull requests + # when the stale workflow closes it automatically after being stale for too long. + close-pr-message: "This pull request has been automatically closed because it has not had recent activity.You can reopen the PR if you want. \n" + stale-pr-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-pr-labels: lifecycle/frozen,enhancement,good first issue + # The issues or the pull requests with a milestone will not be marked as stale automatically + exempt-all-milestones: true + # Learn more about operations: https://github.com/actions/stale#operations-per-run. + operations-per-run: 250 
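Review bot: `stale-pr-message` and `close-pr-message` were turned into double-quoted scalars ending in ` \n` (a trailing space before the newline) while `stale-issue-message` and `close-issue-message` keep the `>` folded style, so the four messages are now written two different ways and the PR texts gain stray whitespace. Keep them uniform by writing the PR messages as `stale-pr-message: >` with the text on the following line, as the issue messages still do. The user-facing `activity.You can reopen the PR if you want.` also survives with its missing space after the period; worth fixing while the line is being rewritten anyway.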
diff --git a/.github/workflows/tensorboard_controller_test.yaml b/.github/workflows/tensorboard_controller_test.yaml index 9e1104fce7..69c044db9a 100644 --- a/.github/workflows/tensorboard_controller_test.yaml +++ b/.github/workflows/tensorboard_controller_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Tensorboard Controller manifests in KinD on: pull_request: paths: - - .github/workflows/tensorboard_controller_test.yaml - - apps/tensorboard/tensorboard-controller/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/tensorboard_controller_test.yaml + - apps/tensorboard/tensorboard-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/tensorboards_web_application_test.yaml b/.github/workflows/tensorboards_web_application_test.yaml index b74640325b..a0072655d4 100644 --- a/.github/workflows/tensorboards_web_application_test.yaml +++ b/.github/workflows/tensorboards_web_application_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply TWA manifests in KinD on: pull_request: paths: - - .github/workflows/tensorboards_web_application_test.yaml - - apps/tensorboard/tensorboards-web-app/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/tensorboards_web_application_test.yaml + - apps/tensorboard/tensorboards-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: 
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index 5be7d5dffe..e9b107beb1 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -2,14 +2,14 @@ name: Build & Apply Training Operator manifests in KinD on: pull_request: paths: - - .github/workflows/training_operator_test.yaml - - apps/training-operator/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** - - tests/gh-actions/kf-objects/tfjob.yaml + - .github/workflows/training_operator_test.yaml + - apps/training-operator/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** + - tests/gh-actions/kf-objects/tfjob.yaml jobs: build: diff --git a/.github/workflows/triage_issues.yaml b/.github/workflows/triage_issues.yaml index 5d4551ce97..14bcb4703b 100644 --- a/.github/workflows/triage_issues.yaml +++ b/.github/workflows/triage_issues.yaml @@ -1,4 +1,4 @@ -# Define a GitHub action workflow to determine whether issues +# Define a GitHub action workflow to determine whether issues # should be added or removed from the Needs Triage Kanban board. name: Check Triage Status of Issue on: 
@@ -10,10 +10,9 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Update Kanban - uses: kubeflow/code-intelligence/Issue_Triage/action@master - with: - # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value - ISSUE_NUMBER: ${{ github.event.issue.number }} - GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} - + - name: Update Kanban + uses: kubeflow/code-intelligence/Issue_Triage/action@master + with: + # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value + ISSUE_NUMBER: ${{ github.event.issue.number }} + GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index f10d0ee828..99bfa64265 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml 
@@ -3,48 +3,46 @@ name: Image Extracting and Security Scanning on: push: branches: - - master + - master jobs: image-extraction-and-security-scan: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Install kustomize - - name: Install kustomize - run: | - sudo apt update - sudo apt install snapd - sudo snap install kustomize - - # Install trivy - - name: Install trivy - run: | - sudo apt update - sudo snap install trivy - - # Install Python - - name: Setup Python - uses: actions/setup-python@v5 - with: - python-version: '3.12' - - # Install prettytable package - - name: Install prettytable - run: | - pip install prettytable - - - name: Run image extracting and security scanning script - run: | - cd hack - python3 trivy_scan.py - - # - name: Upload trivy scanned_results - # uses: actions/upload-artifact@v4 - # with: - # name: trivy_scanned_results - # path: image_lists/ - - + - name: Checkout code + uses: actions/checkout@v3 + + # Install kustomize + - name: Install kustomize + run: | + sudo apt update + sudo apt install snapd + sudo snap install kustomize + + # Install trivy + - name: Install trivy + run: | + sudo apt update + sudo snap install trivy + + # Install Python + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + # Install prettytable package + - name: Install prettytable + run: | + pip install prettytable + + - name: Run image extracting and security scanning script + run: | + cd hack + python3 trivy_scan.py + + # - name: Upload trivy scanned_results + # uses: actions/upload-artifact@v4 + # with: + # name: trivy_scanned_results + # path: image_lists/ diff --git a/.github/workflows/volumes_web_application_test.yaml b/.github/workflows/volumes_web_application_test.yaml index ee832b0aab..4165b90faa 100644 --- a/.github/workflows/volumes_web_application_test.yaml +++ b/.github/workflows/volumes_web_application_test.yaml 
@@ -2,13 +2,13 @@ name: Build & Apply VWA manifests in KinD on: pull_request: paths: - - .github/workflows/volumes_web_application_test.yaml - - apps/volumes-web-app/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/volumes_web_application_test.yaml + - apps/volumes-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/README.md b/README.md index e88f320ed7..46ba457a36 100644 --- a/README.md +++ b/README.md @@ -224,7 +224,7 @@ The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to ```sh echo "Installing oauth2-proxy..." -kustomize build common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - +kustomize build common/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy ``` 
@@ -561,6 +561,6 @@ The Kubeflow security working group follows a responsible disclosure policy for ## Frequently Asked Questions - **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \ - **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions in `common` are the ones we have validated. + **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAuth2 Proxy, the versions in `common` are the ones we have validated. - **Q:** Can I use earlier version of Kustomize with Kubeflow manifests? - **A:** No, it is not supported anymore, although it might be possible with manual effort. \ No newline at end of file + **A:** No, it is not supported anymore, although it might be possible with manual effort. diff --git a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml b/apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml similarity index 62% rename from apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml rename to apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml index 7115c8893a..bdd73a2f6d 100644 --- a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml +++ b/apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization resources: # Using kserve overlay because it's also used in example installation. -- ../kserve +- ../../upstream/overlays/kserve components: -- ../../../../../common/oidc-client/oauth2-proxy/components/central-dashboard +- ../../../../common/oauth2-proxy/components/central-dashboard diff --git a/common/dex/base/config-map.yaml b/common/dex/base/config-map.yaml index 70ce4002df..a71484f3eb 100644 --- a/common/dex/base/config-map.yaml +++ b/common/dex/base/config-map.yaml 
@@ -25,6 +25,6 @@ data: staticClients: # https://github.com/dexidp/dex/pull/1664 - idEnv: OIDC_CLIENT_ID - redirectURIs: ["/authservice/oidc/callback"] + redirectURIs: ["/oauth2/callback"] name: 'Dex Login Application' secretEnv: OIDC_CLIENT_SECRET diff --git a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/oidc-client/oauth2-proxy/OWNERS b/common/oauth2-proxy/OWNERS similarity index 100% rename from common/oidc-client/oauth2-proxy/OWNERS rename to common/oauth2-proxy/OWNERS diff --git a/common/oidc-client/README.md b/common/oauth2-proxy/README.md similarity index 99% rename from common/oidc-client/README.md rename to common/oauth2-proxy/README.md index 6a8986d940..12b02fd0ae 100644 --- a/common/oidc-client/README.md +++ b/common/oauth2-proxy/README.md @@ -1,4 +1,4 @@ -# Kubeflow Authentication using OIDC +# Kubeflow Authentication using Oauth2 Proxy ## Istio Envoy Filter 
@@ -132,4 +132,4 @@ This is based on the following: [^3]: [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) [^4]: [Kubernetes TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) [^5]: [Kubernetes SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v3/) -[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) +[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) \ No newline at end of file diff --git a/common/oidc-client/oauth2-proxy/base/README.md b/common/oauth2-proxy/base/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/base/README.md rename to common/oauth2-proxy/base/README.md diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml new file mode 100644 index 0000000000..eba3f09429 --- /dev/null +++ b/common/oauth2-proxy/base/deployment.yaml 
@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: oauth2-proxy
+ labels:
+ app: oauth2-proxy
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: oauth2-proxy
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: oauth2-proxy
+ spec:
+ volumes:
+ - name: configmain
+ configMap:
+ name: oauth2-proxy
+ defaultMode: 420
+ containers:
+ - name: oauth2-proxy
+ image: quay.io/oauth2-proxy/oauth2-proxy:latest
+ args:
+ - --http-address=0.0.0.0:4180
+ - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+ ports:
+ - name: http
+ containerPort: 4180
+ protocol: TCP
+ - name: metrics
+ containerPort: 44180
+ protocol: TCP
+ env:
+ - name: OAUTH2_PROXY_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: client-id
+ - name: OAUTH2_PROXY_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: client-secret
+ - name: OAUTH2_PROXY_COOKIE_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: oauth2-proxy
+ key: cookie-secret
+ - name: OAUTH2_PROXY_COOKIE_SECURE
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: FORCE_HTTPS
+ - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: ALLOW_SELF_SIGNED_ISSUER
+ - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: ENABLE_M2M_TOKENS
+ - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS
+ valueFrom:
+ configMapKeyRef:
+ name: oauth2-proxy-parameters
+ key: EXTRA_JWT_ISSUERS
+ volumeMounts:
+ - name: configmain
+ mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+ subPath: oauth2_proxy.cfg
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: http
+ scheme: HTTP
+ resources: {}
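Review bot: `image: quay.io/oauth2-proxy/oauth2-proxy:latest` leaves the component that fronts every login unpinned, so each pod restart may pull a different build and the deployment is neither reproducible nor auditable; pin a release tag or digest instead, e.g. `image: quay.io/oauth2-proxy/oauth2-proxy:<PINNED_VERSION>` (placeholder). The container also has no `securityContext` and ends with `resources: {}`, so it runs with whatever the image and namespace defaults allow and has no CPU/memory bounds; a restrictive context is cheap for a stateless proxy, and explicit requests/limits belong with it. It would also help to put a comment next to the `OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY` entry noting that `ALLOW_SELF_SIGNED_ISSUER` appears to disable certificate verification for the proxy's outbound TLS in general, not only for the in-cluster issuer, so operators do not leave it on outside the self-signed setup.
```yaml
      containers:
      - name: oauth2-proxy
        image: quay.io/oauth2-proxy/oauth2-proxy:<PINNED_VERSION>   # placeholder: a release tag or @sha256 digest
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        # … unchanged: args, ports, env, volumeMounts, livenessProbe, readinessProbe, resources …
```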
diff --git a/common/oidc-client/oauth2-proxy/base/kustomization.yaml b/common/oauth2-proxy/base/kustomization.yaml similarity index 96% rename from common/oidc-client/oauth2-proxy/base/kustomization.yaml rename to common/oauth2-proxy/base/kustomization.yaml index 94e959bd27..0e470f0603 100644 --- a/common/oidc-client/oauth2-proxy/base/kustomization.yaml +++ b/common/oauth2-proxy/base/kustomization.yaml @@ -48,7 +48,7 @@ configMapGenerator: # If extra jwt issuers are meant to be used with m2m bearer tokens, # each issuer has to be added with RequestAuthentication so Istio can # verify, trust and use the JWT. See - # 'common/oidc-client/oauth2-proxy/components/istio-m2m' for details. + # 'common/oauth2-proxy/components/istio-m2m' for details. # Examples: # - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local # - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc diff --git a/common/oidc-client/oauth2-proxy/base/namespace.yaml b/common/oauth2-proxy/base/namespace.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/namespace.yaml rename to common/oauth2-proxy/base/namespace.yaml diff --git a/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml b/common/oauth2-proxy/base/oauth2-proxy-config.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml rename to common/oauth2-proxy/base/oauth2-proxy-config.yaml diff --git a/common/oidc-client/oauth2-proxy/base/params.yaml b/common/oauth2-proxy/base/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/params.yaml rename to common/oauth2-proxy/base/params.yaml 
diff --git a/common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml b/common/oauth2-proxy/base/rbac.tokenreviews.yaml similarity index 66% rename from common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml rename to common/oauth2-proxy/base/rbac.tokenreviews.yaml index 4da90d4b4e..1b071279e8 100644 --- a/common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml +++ b/common/oauth2-proxy/base/rbac.tokenreviews.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: name: authn-delegator rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 @@ -20,5 +20,5 @@ roleRef: kind: ClusterRole name: authn-delegator subjects: - - kind: ServiceAccount - name: oauth2-proxy +- kind: ServiceAccount + name: oauth2-proxy diff --git a/common/oidc-client/oauth2-proxy/base/service.yaml b/common/oauth2-proxy/base/service.yaml similarity index 76% rename from common/oidc-client/oauth2-proxy/base/service.yaml rename to common/oauth2-proxy/base/service.yaml index b8ee06324d..260213a63a 100644 --- a/common/oidc-client/oauth2-proxy/base/service.yaml +++ b/common/oauth2-proxy/base/service.yaml @@ -7,7 +7,7 @@ spec: selector: app.kubernetes.io/name: oauth2-proxy ports: - - port: 80 - name: http - targetPort: http + - port: 80 + name: http + targetPort: http publishNotReadyAddresses: true diff --git a/common/oidc-client/oauth2-proxy/base/serviceaccount.yaml b/common/oauth2-proxy/base/serviceaccount.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/serviceaccount.yaml rename to common/oauth2-proxy/base/serviceaccount.yaml diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oauth2-proxy/components/README.md similarity index 97% rename from common/oidc-client/oauth2-proxy/README.md rename to common/oauth2-proxy/components/README.md index caa0aab16f..aedbba080f 100644 
--- a/common/oidc-client/oauth2-proxy/README.md +++ b/common/oauth2-proxy/components/README.md @@ -177,9 +177,9 @@ make the following changes to the `example/kustomization.yaml` file: bearer tokens with self-signed in-cluster issuer ``` # from - - ../common/oidc-client/oidc-authservice/base + - ../common//oidc-authservice/base # to - - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed + - ../common/oauth2-proxy/overlays/m2m-self-signed ``` * change Dex overlay ``` @@ -192,7 +192,7 @@ make the following changes to the `example/kustomization.yaml` file: # from - ../apps/centraldashboard/upstream/overlays/kserve # to - - ../apps/centraldashboard/upstream/overlays/oauth2-proxy + - ../apps/centraldashboard/manuel-patches/overlays/oauth2-proxy ``` All those changes combined can be done with this single command: @@ -208,10 +208,10 @@ index c1a85789..4a50440c 100644 - ../common/istio-1-22/istio-namespace/base -- ../common/istio-1-22/istio-install/base -# OIDC Authservice --- ../common/oidc-client/oidc-authservice/base +-- ../common//oidc-authservice/base +- ../common/istio-1-22/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC -+- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ++- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex -- ../common/dex/overlays/istio +- ../common/dex/overlays/oauth2-proxy @@ -223,7 +223,7 @@ index c1a85789..4a50440c 100644 - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/kserve -+- ../apps/centraldashboard/upstream/overlays/oauth2-proxy ++- ../apps/centraldashboard/overlays # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App 
diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md
rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md
diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml
rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml b/common/oauth2-proxy/components/central-dashboard/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml
rename to common/oauth2-proxy/components/central-dashboard/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml similarity index 68% rename from common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml rename to common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml index 0d6b504191..bd2605e8d2 100644 --- a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml +++ b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml @@ -10,9 +10,7 @@ spec: - name: centraldashboard env: # This successfully logs out the user but the user is not redirected to - # the home page. This is because of custom integration with - # oidc-authservice which will provide response with 'afterLogoutURL'. - # https://github.com/arrikto/oidc-authservice/blob/0c4ea9a/server.go#L509 + # the home page. # https://github.com/kubeflow/kubeflow/blob/c6c4492/components/centraldashboard/public/components/logout-button.js#L50 # Please refresh the page after logging out. - name: LOGOUT_URL diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md diff --git a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml new file mode 100644 index 0000000000..639e96cb49 --- /dev/null 
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml @@ -0,0 +1,39 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + name: kubeflow-m2m-oidc-configurator + namespace: istio-system +spec: + schedule: '*/5 * * * *' + concurrencyPolicy: Forbid + jobTemplate: + spec: + backoffLimit: 3 + ttlSecondsAfterFinished: 600 + template: + metadata: + labels: {} + spec: + restartPolicy: OnFailure + serviceAccountName: kubeflow-m2m-oidc-configurator + containers: + - image: docker.io/curlimages/curl + name: kubeflow-m2m-oidc-configurator + command: + - /script.sh + envFrom: + - configMapRef: + name: kubeflow-m2m-oidc-configurator-envs + volumeMounts: + - mountPath: /script.sh + name: script + subPath: script.sh + resources: {} + volumes: + - name: script + configMap: + name: kubeflow-m2m-oidc-configurator-script + defaultMode: 0777 + items: + - key: script.sh + path: script.sh diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml similarity index 69% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml index 305a8fb5c0..9bb2578515 100644 --- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml 
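Review bot: The script ConfigMap volume is mounted with `defaultMode: 0777`, which grants far more than the execute bit that the `command: - /script.sh` entry needs; `defaultMode: 0555` is enough. The `image: docker.io/curlimages/curl` line carries no tag or digest, so each run of the `*/5 * * * *` schedule executes whatever the registry currently serves under the default tag, and since the pod runs as `serviceAccountName: kubeflow-m2m-oidc-configurator`, which the rbac.yaml hunk grants get/patch on RequestAuthentication in istio-system, the image should be pinned by digest. The pod template also sets no `securityContext` (for example `runAsNonRoot: true` and `allowPrivilegeEscalation: false`) and leaves `resources: {}`, both worth filling in for a job that runs unattended on a schedule.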
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml @@ -11,13 +11,13 @@ metadata: name: kubeflow-m2m-oidc-configurator namespace: istio-system rules: - - apiGroups: - - security.istio.io - resources: - - requestauthentications - verbs: - - get - - patch +- apiGroups: + - security.istio.io + resources: + - requestauthentications + verbs: + - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -30,6 +30,6 @@ roleRef: kind: Role name: kubeflow-m2m-oidc-configurator subjects: - - kind: ServiceAccount - name: kubeflow-m2m-oidc-configurator - namespace: istio-system +- kind: ServiceAccount + name: kubeflow-m2m-oidc-configurator + namespace: istio-system diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh diff --git a/common/oidc-client/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/istio-external-auth-patches/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/README.md rename to common/oauth2-proxy/components/istio-external-auth-patches/README.md diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml diff --git a/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml new file mode 100644 index 0000000000..a11dfd1282 --- /dev/null +++ b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml @@ -0,0 +1,18 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: istiod + namespace: istio-system +spec: + template: + spec: + containers: + - name: discovery + env: + # Istio will refresh the JWT Public Keys provided with + # RequestAuthentication by default every 20 minutes. For deployment + # from scratch this is not ideal because there is a high chance that + # the istiod will be available before dex is available, triggering + # Istio mechanism to use a placeholder jwt until refreshed. + - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL + value: "1m" diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md b/common/oauth2-proxy/components/istio-external-auth/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md rename to common/oauth2-proxy/components/istio-external-auth/README.md 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml
rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml
rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml
similarity index 81%
rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml
rename to common/oauth2-proxy/components/istio-external-auth/kustomization.yaml
index ec79597930..cf906f840c 100644
--- a/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml
+++ b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml
@@ -5,7 +5,7 @@ resources: - authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml - requestauthentication.dex-jwt.yaml -# If you're running Kubeflow behind CloudFlare, use +# If you're running Kubeflow behind CloudFlare, use # authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml -# instead of +# instead of # authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml diff --git a/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml new file mode 100644 index 0000000000..55f4565281 --- /dev/null +++ b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml @@ -0,0 +1,19 @@ +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: dex-jwt + namespace: istio-system +spec: + jwtRules: + # forwardOriginalToken must be set to true so the authorization header will + # be passed between Kubeflow Components and Istio can configure the + # Kubeflow Auth Headers based on this request authorization header. + - forwardOriginalToken: true + issuer: http://dex.auth.svc.cluster.local:5556/dex + # These 5 lines provides integration of istio/oauth2-proxy with + # Kubeflow custom auth headers. + outputClaimToHeaders: + - header: kubeflow-userid + claim: email + - header: kubeflow-groups + claim: groups diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md b/common/oauth2-proxy/components/istio-m2m/README.md similarity index 84% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/README.md rename to common/oauth2-proxy/components/istio-m2m/README.md index 40ec0619b6..750f34de8e 100644 --- a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md +++ b/common/oauth2-proxy/components/istio-m2m/README.md 
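Review bot: The `jwtRules` entry for `issuer: http://dex.auth.svc.cluster.local:5556/dex` sets no `audiences`, so any token signed by this Dex instance for any registered client satisfies the rule and its `email` claim is written to `kubeflow-userid` through `outputClaimToHeaders`; adding `audiences: [<oauth2-proxy-client-id>]` (placeholder — use the client id Dex is configured with for oauth2-proxy) limits the rule to tokens minted for this deployment. The same missing `audiences` applies to the `m2m-token-issuer` rule in the istio-m2m requestauthentication.yaml hunk, where `sub` is mapped to `kubeflow-userid` for whatever issuer replaces `M2M_TOKEN_ISSUER_PLACEHOLDER`. No `jwksUri` is given, so istiod presumably resolves the signing keys through discovery against this plain-`http` in-cluster issuer; a one-line comment saying so would spare the next reader a check. The comment `# These 5 lines provides integration of istio/oauth2-proxy with` should read `# These lines provide integration of istio/oauth2-proxy with`.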
@@ -13,7 +13,7 @@ the platform-managed Kubernetes OIDC issuer in the `RequestAuthentication` for s and authentication compliance with the platform's security standards. For scenarios where the OIDC issuer is served behind self-signed certificates, the kustomize -overlay using this component should include the `common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` +overlay using this component should include the `common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` component. This additional configuration is necessary to handle the self-signed nature of the -certificates. This setup is the default in the Kustomize overlay defined in `common/oidc-client/oauth2-proxy/overlays/m2m-self-signed`, -which is tailored for environments with self-signed OIDC issuers. \ No newline at end of file +certificates. This setup is the default in the Kustomize overlay defined in `common/oauth2-proxy/overlays/m2m-self-signed`, +which is tailored for environments with self-signed OIDC issuers. diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml b/common/oauth2-proxy/components/istio-m2m/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml rename to common/oauth2-proxy/components/istio-m2m/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml b/common/oauth2-proxy/components/istio-m2m/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml rename to common/oauth2-proxy/components/istio-m2m/params.yaml diff --git a/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml new file mode 100644 index 0000000000..39563d5ef9 --- /dev/null +++ b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml 
@@ -0,0 +1,14 @@ +apiVersion: security.istio.io/v1beta1 +kind: RequestAuthentication +metadata: + name: m2m-token-issuer + namespace: istio-system +spec: + jwtRules: + - forwardOriginalToken: true + issuer: M2M_TOKEN_ISSUER_PLACEHOLDER + outputClaimToHeaders: + - claim: sub + header: x-auth-request-user + - claim: sub + header: kubeflow-userid diff --git a/common/oidc-client/kubeflow_auth_diagram.svg b/common/oauth2-proxy/components/kubeflow_auth_diagram.svg similarity index 100% rename from common/oidc-client/kubeflow_auth_diagram.svg rename to common/oauth2-proxy/components/kubeflow_auth_diagram.svg diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml b/common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/README.md b/common/oauth2-proxy/overlays/m2m/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/README.md rename to common/oauth2-proxy/overlays/m2m/README.md diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m/kustomization.yaml 
diff --git a/common/oidc-client/oauth2-proxy/base/deployment.yaml b/common/oidc-client/oauth2-proxy/base/deployment.yaml
deleted file mode 100644
index f8ef99b4b7..0000000000
--- a/common/oidc-client/oauth2-proxy/base/deployment.yaml
+++ /dev/null
@@ -1,85 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: oauth2-proxy - labels: - app: oauth2-proxy -spec: - replicas: 2 - selector: - matchLabels: - app.kubernetes.io/name: oauth2-proxy - template: - metadata: - labels: - app.kubernetes.io/name: oauth2-proxy - spec: - volumes: - - name: configmain - configMap: - name: oauth2-proxy - defaultMode: 420 - containers: - - name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:latest - args: - - --http-address=0.0.0.0:4180 - - --config=/etc/oauth2_proxy/oauth2_proxy.cfg - ports: - - name: http - containerPort: 4180 - protocol: TCP - - name: metrics - containerPort: 44180 - protocol: TCP - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: cookie-secret - - name: OAUTH2_PROXY_COOKIE_SECURE - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: FORCE_HTTPS - - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ALLOW_SELF_SIGNED_ISSUER - - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ENABLE_M2M_TOKENS - - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: EXTRA_JWT_ISSUERS - volumeMounts: - - name: configmain - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg - subPath: oauth2_proxy.cfg - livenessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - readinessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - resources: {} 
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml deleted file mode 100644 index 3d3fc2c281..0000000000 --- a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml +++ /dev/null @@ -1,39 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: kubeflow-m2m-oidc-configurator - namespace: istio-system -spec: - schedule: '*/5 * * * *' - concurrencyPolicy: Forbid - jobTemplate: - spec: - backoffLimit: 3 - ttlSecondsAfterFinished: 600 - template: - metadata: - labels: {} - spec: - restartPolicy: OnFailure - serviceAccountName: kubeflow-m2m-oidc-configurator - containers: - - image: docker.io/curlimages/curl - name: kubeflow-m2m-oidc-configurator - command: - - /script.sh - envFrom: - - configMapRef: - name: kubeflow-m2m-oidc-configurator-envs - volumeMounts: - - mountPath: /script.sh - name: script - subPath: script.sh - resources: {} - volumes: - - name: script - configMap: - name: kubeflow-m2m-oidc-configurator-script - defaultMode: 0777 - items: - - key: script.sh - path: script.sh diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml deleted file mode 100644 index 96987bc69c..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: istiod - namespace: istio-system -spec: - template: - spec: - containers: - - name: discovery - env: - # Istio will refresh the JWT Public Keys provided with - # RequestAuthentication by default every 20 minutes. For deployment - # from scratch this is not ideal because there is a high chance that - # the istiod will be available before dex is available, triggering - # Istio mechanism to use a placeholder jwt until refreshed. - - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL - value: "1m" diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md b/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml deleted file mode 100644 index 4da92ad8b5..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: dex-jwt - namespace: istio-system -spec: - jwtRules: - # forwardOriginalToken must be set to true so the authorization header will - # be passed between Kubeflow Components and Istio can configure the - # Kubeflow Auth Headers based on this request authorization header. - - forwardOriginalToken: true - issuer: http://dex.auth.svc.cluster.local:5556/dex - # These 5 lines provides integration of istio/oauth2-proxy with - # Kubeflow custom auth headers. - outputClaimToHeaders: - - header: kubeflow-userid - claim: email - - header: kubeflow-groups - claim: groups 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml deleted file mode 100644 index af0b3ecd67..0000000000 --- a/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: security.istio.io/v1beta1 -kind: RequestAuthentication -metadata: - name: m2m-token-issuer - namespace: istio-system -spec: - jwtRules: - - forwardOriginalToken: true - issuer: M2M_TOKEN_ISSUER_PLACEHOLDER - outputClaimToHeaders: - - claim: sub - header: x-auth-request-user - - claim: sub - header: kubeflow-userid diff --git a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml b/common/oidc-client/oidc-authservice/base/envoy-filter.yaml deleted file mode 100644 index 63e55a878d..0000000000 --- a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: authn-filter -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - # For some reason, INSERT_FIRST doesn't work - operation: INSERT_BEFORE - value: - # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz - name: "envoy.filters.http.ext_authz" - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - http_service: - server_uri: - uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - timeout: 10s - authorization_request: - allowed_headers: - patterns: - # XXX: MUST be lowercase! - - exact: "authorization" - - exact: "cookie" - - exact: "x-auth-token" - authorization_response: - allowed_upstream_headers: - patterns: - - exact: "kubeflow-userid" diff --git a/common/oidc-client/oidc-authservice/base/kustomization.yaml b/common/oidc-client/oidc-authservice/base/kustomization.yaml deleted file mode 100644 index 9509fb44df..0000000000 --- a/common/oidc-client/oidc-authservice/base/kustomization.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - rbac.yaml - - service.yaml - - statefulset.yaml - - envoy-filter.yaml - - pvc.yaml - -namespace: istio-system - -configMapGenerator: - - name: oidc-authservice-parameters - envs: - - params.env - -secretGenerator: - - name: oidc-authservice-client - type: Opaque - envs: - - secret_params.env - -generatorOptions: - disableNameSuffixHash: true - -vars: - - name: AUTHSERVICE_NAMESPACE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.namespace - - name: AUTHSERVICE_SERVICE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.name -configurations: - - params.yaml -images: - - name: gcr.io/arrikto/kubeflow/oidc-authservice - newName: docker.io/kubeflowmanifestswg/oidc-authservice - newTag: e236439 diff --git a/common/oidc-client/oidc-authservice/base/params.env b/common/oidc-client/oidc-authservice/base/params.env deleted file mode 100644 index ab998157fd..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.env +++ /dev/null @@ -1,11 +0,0 @@ -OIDC_PROVIDER=http://dex.auth.svc.cluster.local:5556/dex -OIDC_AUTH_URL=/dex/auth -OIDC_SCOPES=profile email groups -AUTHSERVICE_URL_PREFIX=/authservice/ -SKIP_AUTH_URLS=/dex -AFTER_LOGOUT_URL=/ -USERID_HEADER=kubeflow-userid -USERID_PREFIX= -USERID_CLAIM=email -PORT="8080" -STORE_PATH=/var/lib/authservice/data.db diff --git a/common/oidc-client/oidc-authservice/base/params.yaml b/common/oidc-client/oidc-authservice/base/params.yaml deleted file mode 100644 index fcec4c57c4..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.yaml +++ /dev/null @@ -1,5 +0,0 @@ -varReference: -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/uri - kind: EnvoyFilter -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/cluster - kind: EnvoyFilter 
diff --git a/common/oidc-client/oidc-authservice/base/pvc.yaml b/common/oidc-client/oidc-authservice/base/pvc.yaml deleted file mode 100644 index da2f06ba3a..0000000000 --- a/common/oidc-client/oidc-authservice/base/pvc.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: authservice-pvc -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/rbac.yaml b/common/oidc-client/oidc-authservice/base/rbac.yaml deleted file mode 100644 index 8399498c1c..0000000000 --- a/common/oidc-client/oidc-authservice/base/rbac.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: authservice - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: authn-delegator -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: authn-delegators -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: authn-delegator -subjects: - - kind: ServiceAccount - name: authservice diff --git a/common/oidc-client/oidc-authservice/base/secret_params.env b/common/oidc-client/oidc-authservice/base/secret_params.env deleted file mode 100644 index dc56c6c90f..0000000000 --- a/common/oidc-client/oidc-authservice/base/secret_params.env +++ /dev/null @@ -1,2 +0,0 @@ -CLIENT_ID=kubeflow-oidc-authservice -CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok diff --git a/common/oidc-client/oidc-authservice/base/service.yaml b/common/oidc-client/oidc-authservice/base/service.yaml deleted file mode 100644 index 8b62830bcf..0000000000 --- a/common/oidc-client/oidc-authservice/base/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: authservice -spec: - type: ClusterIP - selector: - app: authservice - ports: - - port: 8080 - name: http-authservice - targetPort: http-api - publishNotReadyAddresses: true \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/statefulset.yaml b/common/oidc-client/oidc-authservice/base/statefulset.yaml deleted file mode 100644 index 05fbc63c96..0000000000 --- a/common/oidc-client/oidc-authservice/base/statefulset.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - replicas: 1 - selector: - matchLabels: - app: authservice - serviceName: authservice - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: authservice - spec: - serviceAccountName: authservice - containers: - - name: authservice - image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439 - imagePullPolicy: Always - ports: - - name: http-api - containerPort: 8080 - envFrom: - - secretRef: - name: oidc-authservice-client - - configMapRef: - name: oidc-authservice-parameters - volumeMounts: - - name: data - mountPath: /var/lib/authservice - readinessProbe: - httpGet: - path: / - port: 8081 - securityContext: - fsGroup: 111 - volumes: - - name: data - persistentVolumeClaim: - claimName: authservice-pvc diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml deleted file mode 100644 index 539c28cae4..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -bases: - - ../../base -patchesStrategicMerge: - - statefulset.yaml -images: - - name: busybox - newTag: "latest" - newName: busybox \ No newline at end of file 
diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml deleted file mode 100644 index 2e29fc100a..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - template: - spec: - initContainers: - - name: fix-permission - image: busybox - command: ['sh', '-c'] - args: ['chmod -R 777 /var/lib/authservice;'] - volumeMounts: - - mountPath: /var/lib/authservice - name: data diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 3e028a16df..0308d5e602 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -41,7 +41,7 @@ resources: - ../common/istio-1-22/istio-namespace/base - ../common/istio-1-22/istio-install/overlays/oauth2-proxy # oauth2-proxy -- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed +- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex - ../common/dex/overlays/oauth2-proxy # KNative @@ -64,7 +64,7 @@ resources: # Katib - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/oauth2-proxy +- ../apps/centraldashboard/overlays/oauth2-proxy # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index ff7706bb1b..91da390394 100644 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py 
@@ -34,8 +34,8 @@ "automl": "../apps/katib/upstream/installs", "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env", "training": "../apps/training-operator/upstream/overlays", - "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", - "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", + "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", + "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays 
../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow", "model-registry": "../apps/model-registry/upstream", } @@ -403,4 +403,4 @@ def extract_images(version): log("Output saved to:", output_file) log("Severity counts with images respect to WGs are saved in the",ALL_SEVERITY_COUNTS) -log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) \ No newline at end of file +log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) diff --git a/proposals/20240606-jwt-handling.md b/proposals/20240606-jwt-handling.md index 19db305f74..76839c4288 100644 --- a/proposals/20240606-jwt-handling.md +++ b/proposals/20240606-jwt-handling.md 
@@ -62,7 +62,7 @@ With the above implementation we move all the logic of handling the JWTs to the This proposal aims to put more focus on keeping and validating `id_tokens` but also bridging to the existing functionality of the backends, to avoid extensive changes. ### Implementation The technical details for the above proposal translate to the following -1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects +1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects 2. `AuthorizationPolicy` objects of components, for allowing access from Istio IngressGateway, will need to be extended for also requiring a JWT 3. Backends that need to be accessible from other user-namespaces will need to have an `AuthorizationPolicy` that allows any request, only if it has a JWT 4. Backends don't need any logic for validating the JWTs and their existence diff --git a/tests/gh-actions/install_istio_with_ext_auth.sh b/tests/gh-actions/install_istio_with_ext_auth.sh index e77839eb10..871fec394d 100755 --- a/tests/gh-actions/install_istio_with_ext_auth.sh +++ b/tests/gh-actions/install_istio_with_ext_auth.sh 
@@ -12,6 +12,6 @@ kubectl wait --for=condition=Ready pods --all -n istio-system --timeout=300s \
 --field-selector=status.phase!=Succeeded
 echo "Installing oauth2-proxy..."
-cd common/oidc-client
+cd common/
 kustomize build oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f -
 kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy
diff --git a/tests/gh-actions/test_dex_login.py b/tests/gh-actions/test_dex_login.py
new file mode 100644
index 0000000000..b027d5ba92
--- /dev/null
+++ b/tests/gh-actions/test_dex_login.py
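Review bot: The new `cd common/` has no failure check, so if the directory is absent the following `kustomize build oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f -` runs from the wrong working directory and fails with an unrelated error, or keeps going if the script is not run under `set -e`. Make the step fail at the cause: `cd common/ || exit 1`. The pipeline on the next line also hides a non-zero `kustomize build` behind `kubectl apply`'s exit status unless `set -o pipefail` is in effect; the script header that would set these options is outside this hunk.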
@@ -0,0 +1,108 @@
+import re
+import requests
+import sys
+from urllib.parse import urlsplit
+
+def get_istio_auth_session(url: str, username: str, password: str) -> dict:
+ """
+ Determine if the specified URL is secured by Dex and try to obtain a session cookie.
+ WARNING: only Dex `staticPasswords` and `LDAP` authentication are currently supported
+ (we default default to using `staticPasswords` if both are enabled)
+
+ :param url: Kubeflow server URL, including protocol
+ :param username: Dex `staticPasswords` or `LDAP` username
+ :param password: Dex `staticPasswords` or `LDAP` password
+ :return: auth session information
+ """
+ # define the default return object
+ auth_session = {
+ "endpoint_url": url, # KF endpoint URL
+ "redirect_url": None, # KF redirect URL, if applicable
+ "dex_login_url": None, # Dex login URL (for POST of credentials)
+ "is_secured": None, # True if KF endpoint is secured
+ "session_cookie": None # Resulting session cookies in the form "key1=value1; key2=value2"
+ }
+
+ # use a persistent session (for cookies)
+ with requests.Session() as s:
+
+ ################
+ # Determine if Endpoint is Secured
+ ################
+ resp = s.get(url, allow_redirects=True)
+ if resp.status_code != 200:
+ raise RuntimeError(
+ f"HTTP status code '{resp.status_code}' for GET against: {url}"
+ )
+
+ auth_session["redirect_url"] = resp.url
+
+ # if we were NOT redirected, then the endpoint is UNSECURED
+ if len(resp.history) == 0:
+ auth_session["is_secured"] = False
+ return auth_session
+ else:
+ auth_session["is_secured"] = True
+
+ ################
+ # Get Dex Login URL
+ ################
+ redirect_url_obj = urlsplit(auth_session["redirect_url"])
+
+ # if we are at `/auth?=xxxx` path, we need to select an auth type
+ if re.search(r"/auth$", redirect_url_obj.path):
+
+ #######
+ # TIP: choose the default auth type by including ONE of the following
+ #######
+
+ # OPTION 1: set "staticPasswords" as default auth type
+ redirect_url_obj = redirect_url_obj._replace(
+ path=re.sub(r"/auth$", "/auth/local", redirect_url_obj.path)
+ )
+ # OPTION 2: set "ldap" as default auth type
+ # redirect_url_obj = redirect_url_obj._replace(
+ # path=re.sub(r"/auth$", "/auth/ldap", redirect_url_obj.path)
+ # )
+
+ # if we are at `/auth/xxxx/login` path, then no further action is needed (we can use it for login POST)
+ if re.search(r"/auth/.*/login$", redirect_url_obj.path):
+ auth_session["dex_login_url"] = redirect_url_obj.geturl()
+
+ # else, we need to be redirected to the actual login page
+ else:
+ # this GET should redirect us to the `/auth/xxxx/login` path
+ resp = s.get(redirect_url_obj.geturl(), allow_redirects=True)
+ if resp.status_code != 200:
+ raise RuntimeError(
+ f"HTTP status code '{resp.status_code}' for GET against: {redirect_url_obj.geturl()}"
+ )
+
+ # set the login url
+ auth_session["dex_login_url"] = resp.url
+
+ ################
+ # Attempt Dex Login
+ ################
+ resp = s.post(
+ auth_session["dex_login_url"],
+ data={"login": username, "password": password},
+ allow_redirects=True
+ )
+
+ return resp.status_code
+
+KUBEFLOW_ENDPOINT = "http://localhost:8080"
+KUBEFLOW_USERNAME = "user@example.com"
+KUBEFLOW_PASSWORD = "12341234"
+
+resp = get_istio_auth_session(
+ url=KUBEFLOW_ENDPOINT,
+ username=KUBEFLOW_USERNAME,
+ password=KUBEFLOW_PASSWORD
+)
+
+if resp == 200:
+ sys.exit(0)
+else:
+ sys.exit(1)
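Review bot: `return resp.status_code` after the credential POST is too weak a success signal for a login test: Dex normally answers a rejected `staticPasswords` login by re-rendering the form with HTTP 200, so a wrong `KUBEFLOW_PASSWORD` or a Dex misconfiguration would still make this script exit 0 and the CI job pass. Require that the final URL has actually left the Dex login page (reusing the file's own `/auth/.*/login$` check) and raise otherwise, as sketched below. The unsecured branch returns `auth_session` (a dict) while the secured branch returns an int, so the docstring's `:return: auth session information` is inaccurate and the `resp == 200` comparison at the bottom fails there only by type mismatch; raising `RuntimeError("endpoint is not secured by Dex")` in that branch makes the exit-1 intentional. `session_cookie` is documented as the result but never populated; either fill it from `s.cookies` or drop the key and the "obtain a session cookie" wording.
```python
        # … unchanged: s.post(...) of the credentials to auth_session["dex_login_url"] …
        # Dex re-renders the login form with 200 on bad credentials, so a 200
        # alone is not proof of login; we must have been redirected off Dex.
        if resp.status_code != 200 or re.search(r"/auth/.*/login$", urlsplit(resp.url).path):
            raise RuntimeError(f"Dex login did not complete, final URL: {resp.url}")
        return resp.status_code
```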