-
Notifications
You must be signed in to change notification settings - Fork 893
123 lines (98 loc) · 4.62 KB
/
pipeline_test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD
on:
pull_request:
paths:
- .github/workflows/pipeline_test.yaml
- apps/pipeline/upstream/**
- tests/gh-actions/kind-cluster.yaml
- tests/gh-actions/install_kind.sh
- tests/gh-actions/install_kustomize.sh
- tests/gh-actions/install_istio.sh
- tests/gh-actions/install_cert_manager.sh
- common/cert-manager/**
- common/oidc-client/oauth2-proxy/**
- common/istio*/**
- tests/gh-actions/install_istio_with_ext_auth.sh
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD
run: ./tests/gh-actions/install_kind.sh
- name: Create KinD Cluster
run: kind create cluster --config tests/gh-actions/kind-cluster.yaml
- name: Install kustomize
run: ./tests/gh-actions/install_kustomize.sh
- name: Install kubectl
run: ./tests/gh-actions/install_kubectl.sh
- name: Install Istio with ext auth
run: ./tests/gh-actions/install_istio_with_ext_auth.sh
- name: Install cert-manager
run: ./tests/gh-actions/install_cert_manager.sh
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install KF Pipelines
run: ./tests/gh-actions/install_pipelines.sh
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
- name: port forward
run: |
ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 &
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
- name: Wait for the kubeflow-m2m-oidc-configurator Job
run: |
./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh
- name: List and deploy test pipeline with authorized ServiceAccount Token
run: |
pip3 install kfp==2.4.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
python -c '
from time import sleep
import kfp
import sys
token = sys.argv[1]
namespace = sys.argv[2]
client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token)
pipeline = client.list_pipelines().pipelines[0]
pipeline_name = pipeline.display_name
pipeline_id = pipeline.pipeline_id
pipeline_version_id = client.list_pipeline_versions(pipeline_id).pipeline_versions[0].pipeline_version_id
experiment_id = client.create_experiment("m2m-test", namespace=namespace).experiment_id
print(f"Starting pipeline {pipeline_name}.")
run_id = client.run_pipeline(experiment_id=experiment_id, job_name="m2m-test", pipeline_id=pipeline_id, version_id=pipeline_version_id).run_id
while True:
status = client.get_run(run_id=run_id).state
if status not in ["SUCCEEDED", "FAILED", "ERROR"]:
print(f"Waiting for run_id: {run_id}, status: {status}.")
sleep(10)
else:
print(f"Run with id {run_id} finished with status: {status}.")
break
' "${TOKEN}" "${KF_PROFILE}"
- name: Fail to list pipelines with unauthorized ServiceAccount Token
run: |
pip3 install kfp==2.4.0
KF_PROFILE=kubeflow-user-example-com
TOKEN="$(kubectl -n default create token default)"
python -c '
import kfp
import sys
from kfp_server_api.exceptions import ApiException
token = sys.argv[1]
namespace = sys.argv[2]
client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token)
try:
pipeline = client.list_runs(namespace=namespace)
except ApiException as e:
assert e.status == 403, "This API Call should return unauthorized/forbidden error."
' "${TOKEN}" "${KF_PROFILE}"
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list \
piplines in $KF_PROFILE namespace."