add .github/workflows/nb_controller_m2m_kind_test.yaml

Signed-off-by: Krzysztof Romanowski <krzysztof.romanowski.kr3@roche.com>

.github/workflows/kserve_m2m_kind_test.yaml

@@ -4,6 +4,8 @@ on:
     paths:
       - contrib/kserve/**
       - common/knative/**
+      - common/oidc-client/oauth2-proxy/**
+      - common/istio*/**
 
 jobs:
   build:

.github/workflows/nb_controller_m2m_kind_test.yaml

@@ -0,0 +1,83 @@
+name: Build & Apply Notebook Controller manifests in KinD
+on:
+  pull_request:
+    paths:
+      - apps/jupyter/**
+      - common/oidc-client/oauth2-proxy/**
+      - common/istio*/**
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Install KinD
+      run: ./tests/gh-actions/install_kind.sh
+
+    - name: Create KinD Cluster
+      run: kind create cluster --config tests/gh-actions/kind-cluster.yaml
+
+    - name: Install kubectl
+      run: ./tests/gh-actions/install_kubectl.sh
+
+    - name: Install kustomize
+      run: ./tests/gh-actions/install_kustomize.sh
+
+    - name: Create kubeflow namespace
+      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
+
+    - name: Install Istio with ext auth
+      run: ./tests/gh-actions/install_istio_with_ext_auth.sh*
+
+    - name: Install kubeflow-istio-resources
+      run: kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f -
+
+    - name: Install KF Multi Tenancy
+      run: ./tests/gh-actions/install_multi_tenancy.sh
+
+    - name: Build & Apply manifests
+      run: |
+        kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
+        kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
+        kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 300s
+
+    - name: Create KF Profile
+      run: kustomize build common/user-namespace/base | kubectl apply -f -
+
+    - name: Port forward
+      run: |
+        INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
+        nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
+        while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
+
+    - name: List notebooks over API with authorized SA Token
+      run: |
+        KF_PROFILE=kubeflow-user-example-com
+        TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
+
+        STATUS_CODE=$(curl -v \
+          --silent --output /dev/stderr --write-out "%{http_code}" \
+          "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
+          -H "Authorization: Bearer ${TOKEN}")
+
+        if test $STATUS_CODE -ne 200; then
+          echo "Error, this call should be authorized to list notebooks in namespace ${KF_PROFILE}."
+          exit 1
+        fi
+
+    - name: List notebooks over API with unauthorized SA Token
+      run: |
+        KF_PROFILE=kubeflow-user-example-com
+        TOKEN="$(kubectl -n default create token default)"
+
+        STATUS_CODE=$(curl -v \
+          --silent --output /dev/stderr --write-out "%{http_code}" \
+          "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
+          -H "Authorization: Bearer ${TOKEN}")
+
+        if test $STATUS_CODE -ne 403; then
+          echo "Error, this call should fail to list notebooks in namespace ${KF_PROFILE}."
+          exit 1
+        fi

.github/workflows/pipeline_kind_test.yaml

@@ -32,9 +32,12 @@ jobs:
     - name: Create kubeflow namespace
       run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 
-    - name: Build & Apply manifests
+    - name: Build & Apply KF Pipelines manifests
       run: ./tests/gh-actions/install_pipelines.sh
 
+    - name: Install KF Multi Tenancy
+      run: ./tests/gh-actions/install_multi_tenancy.sh
+
     - name: Deploy test pipeline
       run: |
         pip3 install kfp==1.8.22

.github/workflows/pipeline_m2m_kind_test.yaml

@@ -6,6 +6,8 @@ on:
       - tests/gh-actions/kind-cluster.yaml
       - tests/gh-actions/install_istio.sh
       - common/cert-manager/**
+      - common/oidc-client/oauth2-proxy/**
+      - common/istio*/**
 
 jobs:
   build:
@@ -38,6 +40,9 @@ jobs:
       - name: Install KF Pipelines
         run: ./tests/gh-actions/install_pipelines.sh
 
+      - name: Install KF Multi Tenancy
+        run: ./tests/gh-actions/install_multi_tenancy.sh
+
       - name: Install kubeflow-istio-resources
         run: kustomize build common/istio-1-17/kubeflow-istio-resources/base | kubectl apply -f -
 

tests/gh-actions/install_multi_tenancy.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euo pipefail
+
+echo "Installing Profiles Controller"
+kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f -
+kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
+
+echo "Installing Multitenancy Kubeflow Roles"
+kustomize build common/kubeflow-roles/base | kubectl apply -f -

tests/gh-actions/install_pipelines.sh

@@ -9,10 +9,3 @@ kustomize build env/cert-manager/platform-agnostic-multi-user | kubectl apply -f
 sleep 60
 kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 600s
 cd -
-
-echo "Installing Profiles Controller"
-kustomize build apps/profiles/upstream/overlays/kubeflow | kubectl apply -f -
-kubectl -n kubeflow wait --for=condition=Ready pods -l kustomize.component=profiles --timeout 180s
-
-echo "Installing Multitenancy Kubeflow Roles"
-kustomize build common/kubeflow-roles/base | kubectl apply -f -