From d87e89b88d4dae365b31dd2b9a88a8810e7bca1b Mon Sep 17 00:00:00 2001
From: Tom Zaspel
Date: Tue, 23 Jul 2024 16:07:38 +0200
Subject: [PATCH 01/12] fix redirectURIs for in dex config since kubeflow uses oauth2

Signed-off-by: Tom Zaspel
---
 common/dex/base/config-map.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common/dex/base/config-map.yaml b/common/dex/base/config-map.yaml
index 70ce4002df..a71484f3eb 100644
--- a/common/dex/base/config-map.yaml
+++ b/common/dex/base/config-map.yaml
@@ -25,6 +25,6 @@ data:
     staticClients:
     # https://github.com/dexidp/dex/pull/1664
     - idEnv: OIDC_CLIENT_ID
-      redirectURIs: ["/authservice/oidc/callback"]
+      redirectURIs: ["/oauth2/callback"]
       name: 'Dex Login Application'
       secretEnv: OIDC_CLIENT_SECRET

From 608164b5223b776757865fdc21f65350de303569 Mon Sep 17 00:00:00 2001
From: Tom Zaspel
Date: Fri, 26 Jul 2024 15:32:01 +0200
Subject: [PATCH 02/12] remove authservice and refactore code
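Review bot: The new `redirectURIs: ["/oauth2/callback"]` is a path with no scheme or host, so Dex cannot pin which host the authorization code is returned to; the relative-URI matching referenced by the `dexidp/dex/pull/1664` comment directly above appears to be what this relies on, and it leaves host validation to whatever redirect_uri the client presents. Where a deployment has a fixed public hostname, an absolute registration such as `redirectURIs: ["https://<kubeflow-host>/oauth2/callback"]` is the stricter option and removes the possibility of the code being delivered to a foreign host with the same path. `/oauth2/callback` is oauth2-proxy's default callback under its `/oauth2` proxy prefix; if the proxy prefix is customised in the oauth2-proxy configuration this value must change in step. A one-line comment recording that coupling, e.g. `# must match oauth2-proxy's redirect URL (<proxy-prefix>/callback)`, would help whoever next edits either side.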
Signed-off-by: Tom Zaspel --- README.md | 6 +- .../upstream/base/deployment.yaml | 2 +- .../overlays/oauth2-proxy/kustomization.yaml | 2 +- .../overlays/oauth2-proxy/kustomization.yaml | 2 +- .../overlays/oauth2-proxy/kustomization.yaml | 2 +- common/{oidc-client => }/oauth2-proxy/OWNERS | 0 .../oauth2-proxy/base/README.md | 0 .../oauth2-proxy/base/deployment.yaml | 0 .../oauth2-proxy/base/kustomization.yaml | 2 +- .../oauth2-proxy/base/namespace.yaml | 0 .../base/oauth2-proxy-config.yaml | 0 .../oauth2-proxy/base/params.yaml | 0 .../oauth2-proxy/base/rbac.tokenreviews.yaml | 0 .../oauth2-proxy/base/service.yaml | 0 .../oauth2-proxy/base/serviceaccount.yaml | 0 .../components}/README.md | 10 +- .../README.md | 0 ...lebinding.unauthenticated-oidc-viewer.yaml | 0 .../kustomization.yaml | 0 .../central-dashboard/kustomization.yaml | 0 .../patches/deployment.logout-url.yaml | 4 +- .../README.md | 0 ...ronjob.kubeflow-m2m-oidc-configurator.yaml | 0 .../kustomization.yaml | 0 .../rbac.yaml | 0 .../script.sh | 0 .../istio-external-auth-patches}/README.md | 0 .../kustomization.yaml | 0 .../patches/cm.enable-oauth2-proxy.yaml | 0 .../deployment.jwt-refresh-interval.yaml | 0 .../components/istio-external-auth}/README.md | 0 ...ngressgateway-oauth2-proxy-cloudflare.yaml | 0 ...icy.istio-ingressgateway-oauth2-proxy.yaml | 0 .../istio-external-auth/kustomization.yaml | 0 .../requestauthentication.dex-jwt.yaml | 0 .../components/istio-m2m/README.md | 6 +- .../components/istio-m2m/kustomization.yaml | 0 .../components/istio-m2m/params.yaml | 0 .../istio-m2m/requestauthentication.yaml | 0 .../components}/kubeflow_auth_diagram.svg | 0 .../m2m-self-signed/kustomization.yaml | 0 .../oauth2-proxy/overlays/m2m/README.md | 0 .../kustomization.yaml | 0 .../overlays/m2m/kustomization.yaml | 0 common/oidc-client/README.md | 135 ------------------ .../components/istio-external-auth/README.md | 0 .../oidc-authservice/base/envoy-filter.yaml | 40 ------ 
.../oidc-authservice/base/kustomization.yaml | 47 ------ .../oidc-authservice/base/params.env | 11 -- .../oidc-authservice/base/params.yaml | 5 - .../oidc-authservice/base/pvc.yaml | 10 -- .../oidc-authservice/base/rbac.yaml | 30 ---- .../oidc-authservice/base/secret_params.env | 2 - .../oidc-authservice/base/service.yaml | 13 -- .../oidc-authservice/base/statefulset.yaml | 43 ------ .../ibm-storage-config/kustomization.yaml | 10 -- .../ibm-storage-config/statefulset.yaml | 15 -- example/kustomization.yaml | 2 +- hack/trivy_scan.py | 4 +- proposals/20240606-jwt-handling.md | 2 +- .../gh-actions/install_istio_with_ext_auth.sh | 2 +- 61 files changed, 22 insertions(+), 385 deletions(-) rename common/{oidc-client => }/oauth2-proxy/OWNERS (100%) rename common/{oidc-client => }/oauth2-proxy/base/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/base/deployment.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/kustomization.yaml (96%) rename common/{oidc-client => }/oauth2-proxy/base/namespace.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/oauth2-proxy-config.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/params.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/rbac.tokenreviews.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/service.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/base/serviceaccount.yaml (100%) rename common/{oidc-client/oauth2-proxy => oauth2-proxy/components}/README.md (97%) rename common/{oidc-client => }/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/central-dashboard/kustomization.yaml (100%) rename 
common/{oidc-client => }/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml (68%) rename common/{oidc-client => }/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh (100%) rename common/{oidc-client/oauth2-proxy/components => oauth2-proxy/components/istio-external-auth-patches}/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml (100%) rename common/{oidc-client/oauth2-proxy/components/istio-external-auth-patches => oauth2-proxy/components/istio-external-auth}/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-m2m/README.md (84%) rename 
common/{oidc-client => }/oauth2-proxy/components/istio-m2m/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-m2m/params.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/components/istio-m2m/requestauthentication.yaml (100%) rename common/{oidc-client => oauth2-proxy/components}/kubeflow_auth_diagram.svg (100%) rename common/{oidc-client => }/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/overlays/m2m/README.md (100%) rename common/{oidc-client => }/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml (100%) rename common/{oidc-client => }/oauth2-proxy/overlays/m2m/kustomization.yaml (100%) delete mode 100644 common/oidc-client/README.md delete mode 100644 common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md delete mode 100644 common/oidc-client/oidc-authservice/base/envoy-filter.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/kustomization.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/params.env delete mode 100644 common/oidc-client/oidc-authservice/base/params.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/pvc.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/rbac.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/secret_params.env delete mode 100644 common/oidc-client/oidc-authservice/base/service.yaml delete mode 100644 common/oidc-client/oidc-authservice/base/statefulset.yaml delete mode 100644 common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml delete mode 100644 common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml diff --git a/README.md b/README.md index e88f320ed7..14a5868b28 100644 --- a/README.md +++ b/README.md 
@@ -224,7 +224,7 @@ The oauth2-proxy extends your Istio Ingress-Gateway capabilities, to be able to ```sh echo "Installing oauth2-proxy..." -kustomize build common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - +kustomize build common/oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy ``` @@ -561,6 +561,6 @@ The Kubeflow security working group follows a responsible disclosure policy for ## Frequently Asked Questions - **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \ - **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OIDC-AuthService, the versions in `common` are the ones we have validated. + **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAUTH2, the versions in `common` are the ones we have validated. - **Q:** Can I use earlier version of Kustomize with Kubeflow manifests? - **A:** No, it is not supported anymore, although it might be possible with manual effort. \ No newline at end of file + **A:** No, it is not supported anymore, although it might be possible with manual effort. diff --git a/apps/centraldashboard/upstream/base/deployment.yaml b/apps/centraldashboard/upstream/base/deployment.yaml index f9094e822e..a0012a18ff 100644 --- a/apps/centraldashboard/upstream/base/deployment.yaml +++ b/apps/centraldashboard/upstream/base/deployment.yaml @@ -41,7 +41,7 @@ spec: - name: DASHBOARD_CONFIGMAP value: CD_CONFIGMAP_NAME_PLACEHOLDER - name: LOGOUT_URL - value: '/authservice/logout' + value: '/oauth2/logout' - name: POD_NAMESPACE valueFrom: fieldRef: 
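Review bot: `value: '/oauth2/logout'` in apps/centraldashboard/upstream/base/deployment.yaml does not look like an oauth2-proxy endpoint; oauth2-proxy serves sign-out at `<proxy-prefix>/sign_out`, i.e. `/oauth2/sign_out` with the default prefix, so unless another component in the chain answers `/oauth2/logout` the dashboard's Logout button would 404 and leave the oauth2-proxy session cookie valid. Suggest `value: '/oauth2/sign_out'`, and keep it identical to the `LOGOUT_URL` set by common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml, which this series also touches but whose value line is outside the visible hunk, since base and component now both target oauth2-proxy.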
diff --git a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml b/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml index 7115c8893a..05588e07c4 100644 --- a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml +++ b/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml @@ -6,4 +6,4 @@ resources: - ../kserve components: -- ../../../../../common/oidc-client/oauth2-proxy/components/central-dashboard +- ../../../../../common/oauth2-proxy/components/central-dashboard diff --git a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml index 086e1bdb88..4f9b7365be 100644 --- a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml +++ b/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml @@ -5,4 +5,4 @@ resources: - ../../base components: -- ../../../../oidc-client/oauth2-proxy/components/istio-external-auth-patches +- ../../../../oauth2-proxy/components/istio-external-auth-patches diff --git a/common/oidc-client/oauth2-proxy/OWNERS b/common/oauth2-proxy/OWNERS similarity index 100% rename from common/oidc-client/oauth2-proxy/OWNERS rename to common/oauth2-proxy/OWNERS 
diff --git a/common/oidc-client/oauth2-proxy/base/README.md b/common/oauth2-proxy/base/README.md
similarity index 100%
rename from common/oidc-client/oauth2-proxy/base/README.md
rename to common/oauth2-proxy/base/README.md
diff --git a/common/oidc-client/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/base/deployment.yaml
rename to common/oauth2-proxy/base/deployment.yaml
diff --git a/common/oidc-client/oauth2-proxy/base/kustomization.yaml b/common/oauth2-proxy/base/kustomization.yaml
similarity index 96%
rename from common/oidc-client/oauth2-proxy/base/kustomization.yaml
rename to common/oauth2-proxy/base/kustomization.yaml
index 94e959bd27..0e470f0603 100644
--- a/common/oidc-client/oauth2-proxy/base/kustomization.yaml
+++ b/common/oauth2-proxy/base/kustomization.yaml
@@ -48,7 +48,7 @@ configMapGenerator:
     # If extra jwt issuers are meant to be used with m2m bearer tokens,
     # each issuer has to be added with RequestAuthentication so Istio can
     # verify, trust and use the JWT. See
-    # 'common/oidc-client/oauth2-proxy/components/istio-m2m' for details.
+    # 'common/oauth2-proxy/components/istio-m2m' for details.
     # Examples:
     # - EXTRA_JWT_ISSUERS=https://kubernetes.default.svc.cluster.local=https://kubernetes.default.svc.cluster.local
     # - EXTRA_JWT_ISSUERS=https://oidc.eks.region.amazonaws.com/id/1234abcd=https://kubernetes.default.svc
diff --git a/common/oidc-client/oauth2-proxy/base/namespace.yaml b/common/oauth2-proxy/base/namespace.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/base/namespace.yaml
rename to common/oauth2-proxy/base/namespace.yaml
diff --git a/common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml b/common/oauth2-proxy/base/oauth2-proxy-config.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/base/oauth2-proxy-config.yaml
rename to common/oauth2-proxy/base/oauth2-proxy-config.yaml
diff --git a/common/oidc-client/oauth2-proxy/base/params.yaml b/common/oauth2-proxy/base/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/params.yaml rename to common/oauth2-proxy/base/params.yaml diff --git a/common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml b/common/oauth2-proxy/base/rbac.tokenreviews.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/rbac.tokenreviews.yaml rename to common/oauth2-proxy/base/rbac.tokenreviews.yaml diff --git a/common/oidc-client/oauth2-proxy/base/service.yaml b/common/oauth2-proxy/base/service.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/service.yaml rename to common/oauth2-proxy/base/service.yaml diff --git a/common/oidc-client/oauth2-proxy/base/serviceaccount.yaml b/common/oauth2-proxy/base/serviceaccount.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/base/serviceaccount.yaml rename to common/oauth2-proxy/base/serviceaccount.yaml diff --git a/common/oidc-client/oauth2-proxy/README.md b/common/oauth2-proxy/components/README.md similarity index 97% rename from common/oidc-client/oauth2-proxy/README.md rename to common/oauth2-proxy/components/README.md index caa0aab16f..6bde23453b 100644 --- a/common/oidc-client/oauth2-proxy/README.md +++ b/common/oauth2-proxy/components/README.md @@ -41,7 +41,7 @@ emerges as a more advanced authentication proxy. It boasts broader community sup widely used in the industry, including in the official Istio documentation on [External Authorization](https://istio.io/latest/docs/tasks/security/authorization/authz-custom). -For more details on the `oauth2-proxy`, refer to the [official documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour). +For more details on the `oauth2-proxy`, refer to the [official documentation](https:/oauth2-proxy.github.io/oauth2-proxy/docs/behaviour). ## Available Components 
@@ -177,9 +177,9 @@ make the following changes to the `example/kustomization.yaml` file: bearer tokens with self-signed in-cluster issuer ``` # from - - ../common/oidc-client/oidc-authservice/base + - ../common//oidc-authservice/base # to - - ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed + - ../common/oauth2-proxy/overlays/m2m-self-signed ``` * change Dex overlay ``` @@ -208,10 +208,10 @@ index c1a85789..4a50440c 100644 - ../common/istio-1-22/istio-namespace/base -- ../common/istio-1-22/istio-install/base -# OIDC Authservice --- ../common/oidc-client/oidc-authservice/base +-- ../common//oidc-authservice/base +- ../common/istio-1-22/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC -+- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ++- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex -- ../common/dex/overlays/istio +- ../common/dex/overlays/oauth2-proxy diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/README.md diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/clusterrolebinding.unauthenticated-oidc-viewer.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml b/common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
rename to common/oauth2-proxy/components/allow-unauthenticated-issuer-discovery/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml b/common/oauth2-proxy/components/central-dashboard/kustomization.yaml
similarity index 100%
rename from common/oidc-client/oauth2-proxy/components/central-dashboard/kustomization.yaml
rename to common/oauth2-proxy/components/central-dashboard/kustomization.yaml
diff --git a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml
similarity index 68%
rename from common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml
rename to common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml
index 0d6b504191..bd2605e8d2 100644
--- a/common/oidc-client/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml
+++ b/common/oauth2-proxy/components/central-dashboard/patches/deployment.logout-url.yaml
@@ -10,9 +10,7 @@ spec:
       - name: centraldashboard
         env:
         # This successfully logs out the user but the user is not redirected to
-        # the home page. This is because of custom integration with
-        # oidc-authservice which will provide response with 'afterLogoutURL'.
-        # https://github.com/arrikto/oidc-authservice/blob/0c4ea9a/server.go#L509
+        # the home page.
         # https://github.com/kubeflow/kubeflow/blob/c6c4492/components/centraldashboard/public/components/logout-button.js#L50
         # Please refresh the page after logging out.
         - name: LOGOUT_URL
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/README.md diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh similarity index 100% rename from common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh rename to common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/script.sh diff --git a/common/oidc-client/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/istio-external-auth-patches/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/README.md rename to common/oauth2-proxy/components/istio-external-auth-patches/README.md diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/patches/cm.enable-oauth2-proxy.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml rename to common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md b/common/oauth2-proxy/components/istio-external-auth/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth-patches/README.md rename to common/oauth2-proxy/components/istio-external-auth/README.md diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml b/common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml rename to common/oauth2-proxy/components/istio-external-auth/authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/kustomization.yaml rename to common/oauth2-proxy/components/istio-external-auth/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml rename to common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md b/common/oauth2-proxy/components/istio-m2m/README.md similarity index 84% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/README.md rename to common/oauth2-proxy/components/istio-m2m/README.md index 40ec0619b6..750f34de8e 100644 --- a/common/oidc-client/oauth2-proxy/components/istio-m2m/README.md +++ b/common/oauth2-proxy/components/istio-m2m/README.md 
@@ -13,7 +13,7 @@ the platform-managed Kubernetes OIDC issuer in the `RequestAuthentication` for s and authentication compliance with the platform's security standards. For scenarios where the OIDC issuer is served behind self-signed certificates, the kustomize -overlay using this component should include the `common/oidc-client/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` +overlay using this component should include the `common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer` component. This additional configuration is necessary to handle the self-signed nature of the -certificates. This setup is the default in the Kustomize overlay defined in `common/oidc-client/oauth2-proxy/overlays/m2m-self-signed`, -which is tailored for environments with self-signed OIDC issuers. \ No newline at end of file +certificates. This setup is the default in the Kustomize overlay defined in `common/oauth2-proxy/overlays/m2m-self-signed`, +which is tailored for environments with self-signed OIDC issuers. diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml b/common/oauth2-proxy/components/istio-m2m/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/kustomization.yaml rename to common/oauth2-proxy/components/istio-m2m/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml b/common/oauth2-proxy/components/istio-m2m/params.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/params.yaml rename to common/oauth2-proxy/components/istio-m2m/params.yaml 
diff --git a/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml rename to common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml diff --git a/common/oidc-client/kubeflow_auth_diagram.svg b/common/oauth2-proxy/components/kubeflow_auth_diagram.svg similarity index 100% rename from common/oidc-client/kubeflow_auth_diagram.svg rename to common/oauth2-proxy/components/kubeflow_auth_diagram.svg diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml b/common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m-self-signed/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/README.md b/common/oauth2-proxy/overlays/m2m/README.md similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/README.md rename to common/oauth2-proxy/overlays/m2m/README.md diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m/component-overwrite-m2m-token-issuer/kustomization.yaml diff --git a/common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml b/common/oauth2-proxy/overlays/m2m/kustomization.yaml similarity index 100% rename from common/oidc-client/oauth2-proxy/overlays/m2m/kustomization.yaml rename to common/oauth2-proxy/overlays/m2m/kustomization.yaml 
diff --git a/common/oidc-client/README.md b/common/oidc-client/README.md deleted file mode 100644 index 6a8986d940..0000000000 --- a/common/oidc-client/README.md +++ /dev/null 
@@ -1,135 +0,0 @@ -# Kubeflow Authentication using OIDC - -## Istio Envoy Filter - -> EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc.[^1] - -Kubeflow will use an Envoy Filter for every incoming request when is used -with `oidc-authservice`. - -Usage of EnvoyFilter is currently not recommended. The preferred method for configuring External -Authentication in Istio is the `envoyExtAuthzHttp` extension provider[^2]. - -Envoy Filter is set up with [oidc-authservice](https://github.com/arrikto/oidc-authservice). - -## Istio envoyExtAuthzHttp - -This is Istio's recommended approach for External Authorization[^2]. It is not limited to the use -of `oauth2-proxy`[^3] alone. This method is an industry standard, meeting all of Kubeflow's -current and foreseeable authentication needs. - -## Kubeflow Pipelines User and M2M Authentication and Authorization - -Kubeflow Pipelines component relies on the built-in kubernetes functionalities to authenticate and authorize -user requests, specifically the TokenReviews[^4] and SubjectAccessReview[^5]. - -The best way to describe how it works is to explain with an example. Lets analyze the flow -when client calls API to list the KF Pipeline Runs: - -1. api-server starts endpoints in: - - https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/main.go#L95 - - Focusing on the pipelines run service: - - 1. Register Run Service: - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/main.go#L116 - 2. proto RPC definition of ListRunsV1 - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/api/v1beta1/run.proto#L80 - 3. code definition of ListRunsV1 - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L226 - 4. 
ListRunsV1 calls internal method `listRuns` - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L188 - 5. `listRuns` calls internal method `canAccessRun` which itself calls `s.resourceManager.IsAuthorized` - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L637 - 6. `ResourceManager.IsAuthorized` first tries to authenticate over every available authenticator, which are the `TokenReviewAuthenticator` and `HTTPHeaderAuthenticator` - * here the user identity is either the user email provided directly in the `kubeflow-userid` header or the user identity obtained from provided token - * https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/resource/resource_manager.go#L1667 - 7. `TokenReviewAuthenticator.GetUserIdentity` gets the token from `Authorization` header and calls the K8s Auth `authv1.TokenReview` with given token which in return provides `userInfo := review.Status.User`. `GetUserIdentity` return `userInfo.Username` which at this point is the `system:serviceaccount:default:default`. - * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/auth/authenticator_token_review.go#L53 - 8. Next in `ResourceManager.IsAuthorized` a SubjectAccessReview is created with `r.subjectAccessReviewClient.Create` with arguments specifying RBAC verbs provided in code definition of `RunServer.listRuns`. If the user (sa) is not authorized, an error is thrown - * https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/resource/resource_manager.go#L1703 - * if the identity was obtained from token (service account), the `rolebinding.rbac.authorization.k8s.io/default-editor` provides the RBAC permission - * if the identity was obtained from header (user), the `rolebinding.rbac.authorization.k8s.io/user-example-com` or similar provides the RBAC permission -2. User calls api to list pipeline runs as unauthorized service account. 
- - * This can be done by running Pod with curl in `default` namespace: - ```bash - $ kubectl -n default run -ti --rm curl --image curlimages/curl --command -- sh - # v1beta1 - ~ $ curl "istio-ingressgateway.istio-system/pipeline/apis/v1beta1/runs?resource_reference_key.type=NAMESPACE&resource_reference_key.id=kubeflow-user-example-com" -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" - {"error":"Failed to list v1beta1 runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to list v1beta1 runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . 
Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","details":[{"@type":"type.googleapis.com/google.rpc.Status","code":7,"message":"User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,})"}]} - # v2beta1 - ~ $ curl istio-ingressgateway.istio-system/pipeline/apis/v2beta1/runs?namespace=kubeflow-user-example-com -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" - {"error":"Failed to list runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to list runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . 
Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","details":[{"@type":"type.googleapis.com/google.rpc.Status","code":7,"message":"User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,})"}]} - ``` -3. User calls api to list pipeline runs as authorized service account. - - * This can be done by running Pod with curl in `kubeflow-user-example-com` namespace specifying correct service account: - ```bash - $ kubectl -n kubeflow-user-example-com run -ti --rm curl --image curlimages/curl --command --overrides='{"spec": {"serviceAccountName": "default-editor"}}' -- sh - # v1beta1 - ~ $ curl "istio-ingressgateway.istio-system/pipeline/apis/v1beta1/runs?resource_reference_key.type=NAMESPACE&resource_reference_key.id=kubeflow-user-example-com" -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" - {} # empty response which is fine because no pipeline runs exist - # v2beta1 - ~ $ curl istio-ingressgateway.istio-system/pipeline/apis/v2beta1/runs?namespace=kubeflow-user-example-com -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" - {} # empty response which is fine because no pipeline runs exist - ``` - -### Auth analysis diagram for Kubeflow Pipelines - -![Kubeflow Auth Diagram](./kubeflow_auth_diagram.svg) - -## Kubeflow Notebooks User and M2M Authentication and Authorization - -The underlying mechanism is the same as in Kubeflow Pipelines. 
- -Similarly, to explain how it works, let's analyze the code step by step, starting from the api route definition -for listing notebooks: - -* list notebooks api route definition - * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/jupyter/backend/apps/common/routes/get.py#L53 - * this calls `crud_backend/api/notebook.py::list_notebooks` -* `crud_backend/api/notebook.py::list_notebooks` calls `authz.ensure_authorized` - * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/api/notebook.py#L24 -* `crud_backend/authz.py::ensure_authorized` calls `crud_backend/authn.py::get_username` - * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authz.py#L101 - * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authn.py#L12 - * `crud_backend/authn.py::get_username` gets the user id from userid header (email or sa in format `system:serviceaccount:kubeflowusernamespace:default-editor`) -* `crud_backend/authz.py::ensure_authorized` calls `crud_backend/authz.py::is_authorized` - * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authz.py#L46 - * this calls `create_subject_access_review` which uses the same mechanism as pipelines with `r.subjectAccessReviewClient.Create` - -## KServe Authentication - -The analysis of KServe auth capabilities suggests that while it's possible to limit access to only authenticated agents, -there might be some improvements required to enable access only to authorized agents. - -This is based on the following: - -1. KServe Controller Manager patch integrating kube-rbac-proxy[^6]. - - This suggests the kserve **might** use the same mechanism based on - `SubjectAccessReviews`. Having a look at the kubeflow/manifests I see it's - not enabled. -2. 
Search through the docs and code: - - * https://github.com/kserve/kserve/tree/v0.12.0/docs/samples/istio-dex - * https://github.com/kserve/kserve/tree/v0.12.0/docs/samples/gcp-iap - - The docs above mention that while it's possible to enable authentication, - authorization is more complicated and probably we need to add - `AuthorizationPolicy`... - - > create an [Istio AuthorizationPolicy](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to grant access to the pods or disable it - - Most probably some work is needed to enable authorized access to kserve models. - -## Links - -[^1]: [Envoy Filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/) -[^2]: [External Authorization](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) -[^3]: [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) -[^4]: [Kubernetes TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) -[^5]: [Kubernetes SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v3/) -[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) diff --git a/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md b/common/oidc-client/oauth2-proxy/components/istio-external-auth/README.md deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml b/common/oidc-client/oidc-authservice/base/envoy-filter.yaml deleted file mode 100644 index 63e55a878d..0000000000 --- a/common/oidc-client/oidc-authservice/base/envoy-filter.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: networking.istio.io/v1alpha3 -kind: EnvoyFilter -metadata: - name: authn-filter -spec: - workloadSelector: - labels: - istio: ingressgateway - configPatches: - - applyTo: HTTP_FILTER - match: - context: GATEWAY - listener: - filterChain: - filter: - name: "envoy.filters.network.http_connection_manager" - patch: - # For some reason, INSERT_FIRST doesn't work - operation: INSERT_BEFORE - value: - # See: https://www.envoyproxy.io/docs/envoy/v1.17.0/configuration/http/http_filters/ext_authz_filter#config-http-filters-ext-authz - name: "envoy.filters.http.ext_authz" - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz - http_service: - server_uri: - uri: http://$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - cluster: outbound|8080||$(AUTHSERVICE_SERVICE).$(AUTHSERVICE_NAMESPACE).svc.cluster.local - timeout: 10s - authorization_request: - allowed_headers: - patterns: - # XXX: MUST be lowercase! - - exact: "authorization" - - exact: "cookie" - - exact: "x-auth-token" - authorization_response: - allowed_upstream_headers: - patterns: - - exact: "kubeflow-userid" diff --git a/common/oidc-client/oidc-authservice/base/kustomization.yaml b/common/oidc-client/oidc-authservice/base/kustomization.yaml deleted file mode 100644 index 9509fb44df..0000000000 --- a/common/oidc-client/oidc-authservice/base/kustomization.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: - - rbac.yaml - - service.yaml - - statefulset.yaml - - envoy-filter.yaml - - pvc.yaml - -namespace: istio-system - -configMapGenerator: - - name: oidc-authservice-parameters - envs: - - params.env - -secretGenerator: - - name: oidc-authservice-client - type: Opaque - envs: - - secret_params.env - -generatorOptions: - disableNameSuffixHash: true - -vars: - - name: AUTHSERVICE_NAMESPACE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.namespace - - name: AUTHSERVICE_SERVICE - objref: - kind: Service - name: authservice - apiVersion: v1 - fieldref: - fieldpath: metadata.name -configurations: - - params.yaml -images: - - name: gcr.io/arrikto/kubeflow/oidc-authservice - newName: docker.io/kubeflowmanifestswg/oidc-authservice - newTag: e236439 diff --git a/common/oidc-client/oidc-authservice/base/params.env b/common/oidc-client/oidc-authservice/base/params.env deleted file mode 100644 index ab998157fd..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.env +++ /dev/null @@ -1,11 +0,0 @@ -OIDC_PROVIDER=http://dex.auth.svc.cluster.local:5556/dex -OIDC_AUTH_URL=/dex/auth -OIDC_SCOPES=profile email groups -AUTHSERVICE_URL_PREFIX=/authservice/ -SKIP_AUTH_URLS=/dex -AFTER_LOGOUT_URL=/ -USERID_HEADER=kubeflow-userid -USERID_PREFIX= -USERID_CLAIM=email -PORT="8080" -STORE_PATH=/var/lib/authservice/data.db diff --git a/common/oidc-client/oidc-authservice/base/params.yaml b/common/oidc-client/oidc-authservice/base/params.yaml deleted file mode 100644 index fcec4c57c4..0000000000 --- a/common/oidc-client/oidc-authservice/base/params.yaml +++ /dev/null @@ -1,5 +0,0 @@ -varReference: -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/uri - kind: EnvoyFilter -- path: spec/configPatches/patch/value/typed_config/http_service/server_uri/cluster - kind: EnvoyFilter 
diff --git a/common/oidc-client/oidc-authservice/base/pvc.yaml b/common/oidc-client/oidc-authservice/base/pvc.yaml deleted file mode 100644 index da2f06ba3a..0000000000 --- a/common/oidc-client/oidc-authservice/base/pvc.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: authservice-pvc -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/rbac.yaml b/common/oidc-client/oidc-authservice/base/rbac.yaml deleted file mode 100644 index 8399498c1c..0000000000 --- a/common/oidc-client/oidc-authservice/base/rbac.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: authservice - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: authn-delegator -rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: authn-delegators -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: authn-delegator -subjects: - - kind: ServiceAccount - name: authservice diff --git a/common/oidc-client/oidc-authservice/base/secret_params.env b/common/oidc-client/oidc-authservice/base/secret_params.env deleted file mode 100644 index dc56c6c90f..0000000000 --- a/common/oidc-client/oidc-authservice/base/secret_params.env +++ /dev/null @@ -1,2 +0,0 @@ -CLIENT_ID=kubeflow-oidc-authservice -CLIENT_SECRET=pUBnBOY80SnXgjibTYM9ZWNzY2xreNGQok diff --git a/common/oidc-client/oidc-authservice/base/service.yaml b/common/oidc-client/oidc-authservice/base/service.yaml deleted file mode 100644 index 8b62830bcf..0000000000 --- a/common/oidc-client/oidc-authservice/base/service.yaml +++ /dev/null 
@@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: authservice -spec: - type: ClusterIP - selector: - app: authservice - ports: - - port: 8080 - name: http-authservice - targetPort: http-api - publishNotReadyAddresses: true \ No newline at end of file diff --git a/common/oidc-client/oidc-authservice/base/statefulset.yaml b/common/oidc-client/oidc-authservice/base/statefulset.yaml deleted file mode 100644 index 05fbc63c96..0000000000 --- a/common/oidc-client/oidc-authservice/base/statefulset.yaml +++ /dev/null @@ -1,43 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - replicas: 1 - selector: - matchLabels: - app: authservice - serviceName: authservice - template: - metadata: - annotations: - sidecar.istio.io/inject: "false" - labels: - app: authservice - spec: - serviceAccountName: authservice - containers: - - name: authservice - image: gcr.io/arrikto/kubeflow/oidc-authservice:e236439 - imagePullPolicy: Always - ports: - - name: http-api - containerPort: 8080 - envFrom: - - secretRef: - name: oidc-authservice-client - - configMapRef: - name: oidc-authservice-parameters - volumeMounts: - - name: data - mountPath: /var/lib/authservice - readinessProbe: - httpGet: - path: / - port: 8081 - securityContext: - fsGroup: 111 - volumes: - - name: data - persistentVolumeClaim: - claimName: authservice-pvc diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml deleted file mode 100644 index 539c28cae4..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -bases: - - ../../base -patchesStrategicMerge: - - statefulset.yaml -images: - - name: busybox - newTag: "latest" - newName: busybox \ No newline at end of file 
diff --git a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml b/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml deleted file mode 100644 index 2e29fc100a..0000000000 --- a/common/oidc-client/oidc-authservice/overlays/ibm-storage-config/statefulset.yaml +++ /dev/null @@ -1,15 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: oidc-authservice -spec: - template: - spec: - initContainers: - - name: fix-permission - image: busybox - command: ['sh', '-c'] - args: ['chmod -R 777 /var/lib/authservice;'] - volumeMounts: - - mountPath: /var/lib/authservice - name: data diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 3e028a16df..e5e6ca4264 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -41,7 +41,7 @@ resources: - ../common/istio-1-22/istio-namespace/base - ../common/istio-1-22/istio-install/overlays/oauth2-proxy # oauth2-proxy -- ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed +- ../common/oauth2-proxy/overlays/m2m-self-signed # Dex - ../common/dex/overlays/oauth2-proxy # KNative diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index ff7706bb1b..8e81958413 100644 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py 
@@ -34,7 +34,7 @@
 "automl": "../apps/katib/upstream/installs",
 "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env",
 "training": "../apps/training-operator/upstream/overlays",
- "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oidc-client/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base",
+ "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base",
 "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays",
 "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow",
 "model-registry": "../apps/model-registry/upstream",
@@ -403,4 +403,4 @@ def extract_images(version): log("Output saved to:", output_file) log("Severity counts with images respect to WGs are saved in the",ALL_SEVERITY_COUNTS) -log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) \ No newline at end of file +log("Scanned Json reports on images are saved in",SCAN_REPORTS_DIR) diff --git a/proposals/20240606-jwt-handling.md b/proposals/20240606-jwt-handling.md index 19db305f74..76839c4288 100644 --- a/proposals/20240606-jwt-handling.md +++ b/proposals/20240606-jwt-handling.md 
@@ -62,7 +62,7 @@ With the above implementation we move all the logic of handling the JWTs to the This proposal aims to put more focus on keeping and validating `id_tokens` but also bridging to the existing functionality of the backends, to avoid extensive changes. ### Implementation The technical details for the above proposal translate to the following -1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oidc-client/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects +1. Common Kubeflow manifests, for all components, for configuring Istio for supporting multiple issuers ([Dex](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml) and [K8s-m2m](https://github.com/kubeflow/manifests/blob/v1.9-branch/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml)), via `RequestAuthentication` objects 2. `AuthorizationPolicy` objects of components, for allowing access from Istio IngressGateway, will need to be extended for also requiring a JWT 3. Backends that need to be accessible from other user-namespaces will need to have an `AuthorizationPolicy` that allows any request, only if it has a JWT 4. Backends don't need any logic for validating the JWTs and their existence diff --git a/tests/gh-actions/install_istio_with_ext_auth.sh b/tests/gh-actions/install_istio_with_ext_auth.sh index e77839eb10..871fec394d 100755 --- a/tests/gh-actions/install_istio_with_ext_auth.sh +++ b/tests/gh-actions/install_istio_with_ext_auth.sh 
@@ -12,6 +12,6 @@ kubectl wait --for=condition=Ready pods --all -n istio-system --timeout=300s \ --field-selector=status.phase!=Succeeded echo "Installing oauth2-proxy..." -cd common/oidc-client +cd common/ kustomize build oauth2-proxy/overlays/m2m-self-signed/ | kubectl apply -f - kubectl wait --for=condition=ready pod -l 'app.kubernetes.io/name=oauth2-proxy' --timeout=180s -n oauth2-proxy From 1c184a8c17596ae65b2759320042200d8f73abdb Mon Sep 17 00:00:00 2001 From: Tom Zaspel Date: Fri, 26 Jul 2024 15:35:50 +0200 Subject: [PATCH 03/12] remove authservice from github actions and refactore code Signed-off-by: Tom Zaspel --- .github/workflows/kserve_m2m_test.yaml | 2 +- .github/workflows/notebook_controller_m2m_test.yaml | 2 +- .github/workflows/pipeline_run_from_notebook.yaml | 4 ++-- .github/workflows/pipeline_test.yaml | 2 +- common/oauth2-proxy/components/README.md | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml index 3b79215e57..6553bbdf8a 100644 --- a/.github/workflows/kserve_m2m_test.yaml +++ b/.github/workflows/kserve_m2m_test.yaml @@ -7,7 +7,7 @@ on: - tests/gh-actions/install_kind.sh - tests/gh-actions/install_kustomize.sh - contrib/kserve/** - - common/oidc-client/oauth2-proxy/** + - common/oauth2-proxy/** - common/istio*/** - tests/gh-actions/install_istio_with_ext_auth.sh* - tests/gh-actions/install_cert_manager.sh diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index 8c49bf40a3..16a06fd033 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml 
@@ -7,7 +7,7 @@ on: - tests/gh-actions/install_kind.sh - tests/gh-actions/install_kustomize.sh - apps/jupyter/** - - common/oidc-client/oauth2-proxy/** + - common/oauth2-proxy/** - common/istio*/** - tests/gh-actions/install_istio_with_ext_auth.sh* - tests/gh-actions/install_multi_tenancy.sh diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 8e965bb375..0e49040318 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml @@ -11,9 +11,9 @@ on: - tests/gh-actions/install_istio.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - - common/oidc-client/oauth2-proxy/** + - common/oauth2-proxy/** - common/istio*/** - - common/oidc-client/** + - common//** - apps/jupyter/** jobs: diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 2df9ee79c0..a7f8bb9d2e 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -10,7 +10,7 @@ on: - tests/gh-actions/install_istio.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - - common/oidc-client/oauth2-proxy/** + - common/oauth2-proxy/** - common/istio*/** - tests/gh-actions/install_istio_with_ext_auth.sh diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md index 6bde23453b..1ce1a4af7d 100644 --- a/common/oauth2-proxy/components/README.md +++ b/common/oauth2-proxy/components/README.md 
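Review bot: The new `- common//**` entry in the `paths` filter of `.github/workflows/pipeline_run_from_notebook.yaml` looks like a leftover from stripping `oidc-client` out of `common/oidc-client/**`; a double slash is unlikely to match any checked-in path, so that trigger presumably becomes dead rather than broader. The subtree the old entry covered now lives under `common/oauth2-proxy/**`, which this hunk already lists, so the line can simply be dropped. If the intent was instead to trigger on every change under `common/`, write it deliberately as `- common/**` and then remove the now-redundant `- common/oauth2-proxy/**` and `- common/istio*/**` entries.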
@@ -41,7 +41,7 @@ emerges as a more advanced authentication proxy. It boasts broader community sup widely used in the industry, including in the official Istio documentation on [External Authorization](https://istio.io/latest/docs/tasks/security/authorization/authz-custom). -For more details on the `oauth2-proxy`, refer to the [official documentation](https:/oauth2-proxy.github.io/oauth2-proxy/docs/behaviour). +For more details on the `oauth2-proxy`, refer to the [official documentation](https://oauth2-proxy.github.io/oauth2-proxy/docs/behaviour). ## Available Components From c205dfb0a434b82c0be4858a7fc020ed9d2cb7a4 Mon Sep 17 00:00:00 2001 From: Tom Zaspel Date: Mon, 29 Jul 2024 17:13:54 +0200 Subject: [PATCH 04/12] adjust name of oauth2 in FAQ Signed-off-by: Tom Zaspel --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 14a5868b28..46ba457a36 100644 --- a/README.md +++ b/README.md @@ -561,6 +561,6 @@ The Kubeflow security working group follows a responsible disclosure policy for ## Frequently Asked Questions - **Q:** What versions of Istio, Knative, Cert-Manager, Argo, ... are compatible with Kubeflow? \ - **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAUTH2, the versions in `common` are the ones we have validated. + **A:** Please refer to each individual component's documentation for a dependency compatibility range. For Istio, Knative, Dex, Cert-Manager and OAuth2 Proxy, the versions in `common` are the ones we have validated. - **Q:** Can I use earlier version of Kustomize with Kubeflow manifests? **A:** No, it is not supported anymore, although it might be possible with manual effort. From b9259b25a0222db0a4f4c5bb5a0668bb1e0815d3 Mon Sep 17 00:00:00 2001 
From: Tom Zaspel Date: Mon, 29 Jul 2024 17:14:43 +0200 Subject: [PATCH 05/12] create new directory in central dashboard called manuel-patches for oauth2-proxy Signed-off-by: Tom Zaspel --- .../oauth2-proxy/kustomization.yaml | 4 ++-- apps/centraldashboard/upstream/base/deployment.yaml | 2 +- common/oauth2-proxy/components/README.md | 4 ++-- example/kustomization.yaml | 2 +- hack/trivy_scan.py | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) rename apps/centraldashboard/{upstream/overlays => manuel-patches}/oauth2-proxy/kustomization.yaml (62%) diff --git a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml b/apps/centraldashboard/manuel-patches/oauth2-proxy/kustomization.yaml similarity index 62% rename from apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml rename to apps/centraldashboard/manuel-patches/oauth2-proxy/kustomization.yaml index 05588e07c4..bdd73a2f6d 100644 --- a/apps/centraldashboard/upstream/overlays/oauth2-proxy/kustomization.yaml +++ b/apps/centraldashboard/manuel-patches/oauth2-proxy/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization resources: # Using kserve overlay because it's also used in example installation. -- ../kserve +- ../../upstream/overlays/kserve components: -- ../../../../../common/oauth2-proxy/components/central-dashboard +- ../../../../common/oauth2-proxy/components/central-dashboard diff --git a/apps/centraldashboard/upstream/base/deployment.yaml b/apps/centraldashboard/upstream/base/deployment.yaml index a0012a18ff..f9094e822e 100644 --- a/apps/centraldashboard/upstream/base/deployment.yaml +++ b/apps/centraldashboard/upstream/base/deployment.yaml @@ -41,7 +41,7 @@ spec: - name: DASHBOARD_CONFIGMAP value: CD_CONFIGMAP_NAME_PLACEHOLDER - name: LOGOUT_URL - value: '/oauth2/logout' + value: '/authservice/logout' - name: POD_NAMESPACE valueFrom: fieldRef: 
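Review bot: `LOGOUT_URL` in `apps/centraldashboard/upstream/base/deployment.yaml` is set back to `'/authservice/logout'` while the rest of this series deletes the authservice deployment and points the Dex client at `/oauth2/callback`; once nothing serves `/authservice/`, the dashboard's logout link becomes a dead path and the oauth2-proxy session cookie is never cleared on logout. If the intent is to keep the upstream base pristine and rely on the central-dashboard component's `patches/deployment.logout-url.yaml` (listed in the series diffstat) to override the value, that dependency is not visible from this file and a comment would help, e.g. `# overridden by common/oauth2-proxy/components/central-dashboard when oauth2-proxy is used`. Otherwise `'/oauth2/logout'` should remain the base value. I am inferring the component's effect from the diffstat; the patch itself is outside this view.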
diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md index 1ce1a4af7d..1de9b9a1e3 100644 --- a/common/oauth2-proxy/components/README.md +++ b/common/oauth2-proxy/components/README.md @@ -192,7 +192,7 @@ make the following changes to the `example/kustomization.yaml` file: # from - ../apps/centraldashboard/upstream/overlays/kserve # to - - ../apps/centraldashboard/upstream/overlays/oauth2-proxy + - ../apps/centraldashboard/manuel-patches/overlays/oauth2-proxy ``` All those changes combined can be done with this single command: @@ -223,7 +223,7 @@ index c1a85789..4a50440c 100644 - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/kserve -+- ../apps/centraldashboard/upstream/overlays/oauth2-proxy ++- ../apps/centraldashboard/manuel-patches/oauth2-proxy # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/example/kustomization.yaml b/example/kustomization.yaml index e5e6ca4264..105eae5e29 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -64,7 +64,7 @@ resources: # Katib - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/oauth2-proxy +- ../apps/centraldashboard/manuel-patches/oauth2-proxy # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index 8e81958413..8e99b88732 100644 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py 
@@ -35,7 +35,7 @@ "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env", "training": "../apps/training-operator/upstream/overlays", "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", - "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/upstream/overlays/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", + "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/manuel-patches/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow", "model-registry": "../apps/model-registry/upstream", } From 17171d7f8f7a60a3f3ce212f2592acc774943b24 Mon Sep 17 00:00:00 2001 From: Tom Zaspel Date: Mon, 29 Jul 2024 19:53:00 +0200 Subject: [PATCH 06/12] change manuel-patches to overlay 
Signed-off-by: Tom Zaspel --- .../oauth2-proxy/kustomization.yaml | 0 common/oauth2-proxy/components/README.md | 2 +- example/kustomization.yaml | 2 +- hack/trivy_scan.py | 2 +- 4 files changed, 3 insertions(+), 3 deletions(-) rename apps/centraldashboard/{manuel-patches => overlays}/oauth2-proxy/kustomization.yaml (100%) diff --git a/apps/centraldashboard/manuel-patches/oauth2-proxy/kustomization.yaml b/apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from apps/centraldashboard/manuel-patches/oauth2-proxy/kustomization.yaml rename to apps/centraldashboard/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md index 1de9b9a1e3..aedbba080f 100644 --- a/common/oauth2-proxy/components/README.md +++ b/common/oauth2-proxy/components/README.md @@ -223,7 +223,7 @@ index c1a85789..4a50440c 100644 - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/upstream/overlays/kserve -+- ../apps/centraldashboard/manuel-patches/oauth2-proxy ++- ../apps/centraldashboard/overlays # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 105eae5e29..06d856e843 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -64,7 +64,7 @@ resources: # Katib - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/manuel-patches/oauth2-proxy +- ../apps/centraldashboard/overlays # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index 8e99b88732..91da390394 100644 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py 
@@ -35,7 +35,7 @@ "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env", "training": "../apps/training-operator/upstream/overlays", "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-22/istio-crds/base ../common/istio-1-22/istio-namespace/base ../common/istio-1-22/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-22/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-22/kubeflow-istio-resources/base", - "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/manuel-patches/oauth2-proxy ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", + "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow", "model-registry": "../apps/model-registry/upstream", } From bdb52ff2e2528b98135b7e050bfbf80899f6bb37 Mon Sep 17 00:00:00 2001 From: Tom Zaspel Date: Tue, 30 Jul 2024 12:51:36 +0200 Subject: [PATCH 07/12] Test if user can login to dex 
Signed-off-by: Tom Zaspel --- .github/workflows/dex_test.yaml | 11 +++ tests/gh-actions/test_dex_login.py | 108 +++++++++++++++++++++++++++++ 2 files changed, 119 insertions(+) create mode 100644 tests/gh-actions/test_dex_login.py diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml index 140772cf79..c952438b49 100644 --- a/.github/workflows/dex_test.yaml +++ b/.github/workflows/dex_test.yaml @@ -33,3 +33,14 @@ jobs: cd common/dex kustomize build overlays/istio | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s + + - name: port forward + run: | + ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & + while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + + - name: test dex login + run: | + pip3 install requests + ./tests/gh-actions/test_dex_login.py diff --git a/tests/gh-actions/test_dex_login.py b/tests/gh-actions/test_dex_login.py new file mode 100644 index 0000000000..b027d5ba92 --- /dev/null +++ b/tests/gh-actions/test_dex_login.py 
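Review bot: The `test dex login` step runs `./tests/gh-actions/test_dex_login.py` directly, but the file is created with mode `100644` and its first line is `import re` with no shebang, so the shell will refuse to execute it and the job fails before any login is attempted; invoke it as `python3 tests/gh-actions/test_dex_login.py`. `pip3 install requests` pulls an unpinned package onto the runner at test time; pinning it (`pip3 install 'requests==<version>'`) keeps the job reproducible and narrows the supply-chain surface of the CI workflow. The `while ! curl localhost:8080` loop in the `port forward` step has no upper bound, so a failed port-forward hangs the job until the workflow timeout instead of failing fast; a counter that `exit 1`s after a few dozen iterations would surface the failure immediately. The `jobs:` block these steps belong to starts above the hunk.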
@@ -0,0 +1,108 @@ +import re +import requests +import sys +from urllib.parse import urlsplit + +def get_istio_auth_session(url: str, username: str, password: str) -> dict: + """ + Determine if the specified URL is secured by Dex and try to obtain a session cookie. + WARNING: only Dex `staticPasswords` and `LDAP` authentication are currently supported + (we default default to using `staticPasswords` if both are enabled) + + :param url: Kubeflow server URL, including protocol + :param username: Dex `staticPasswords` or `LDAP` username + :param password: Dex `staticPasswords` or `LDAP` password + :return: auth session information + """ + # define the default return object + auth_session = { + "endpoint_url": url, # KF endpoint URL + "redirect_url": None, # KF redirect URL, if applicable + "dex_login_url": None, # Dex login URL (for POST of credentials) + "is_secured": None, # True if KF endpoint is secured + "session_cookie": None # Resulting session cookies in the form "key1=value1; key2=value2" + } + + # use a persistent session (for cookies) + with requests.Session() as s: + + ################ + # Determine if Endpoint is Secured + ################ + resp = s.get(url, allow_redirects=True) + if resp.status_code != 200: + raise RuntimeError( + f"HTTP status code '{resp.status_code}' for GET against: {url}" + ) + + auth_session["redirect_url"] = resp.url + + # if we were NOT redirected, then the endpoint is UNSECURED + if len(resp.history) == 0: + auth_session["is_secured"] = False + return auth_session + else: + auth_session["is_secured"] = True + + ################ + # Get Dex Login URL + ################ + redirect_url_obj = urlsplit(auth_session["redirect_url"]) + + # if we are at `/auth?=xxxx` path, we need to select an auth type + if re.search(r"/auth$", redirect_url_obj.path): + + ####### + # TIP: choose the default auth type by including ONE of the following + ####### + + # OPTION 1: set "staticPasswords" as default auth type + redirect_url_obj = 
redirect_url_obj._replace( + path=re.sub(r"/auth$", "/auth/local", redirect_url_obj.path) + ) + # OPTION 2: set "ldap" as default auth type + # redirect_url_obj = redirect_url_obj._replace( + # path=re.sub(r"/auth$", "/auth/ldap", redirect_url_obj.path) + # ) + + # if we are at `/auth/xxxx/login` path, then no further action is needed (we can use it for login POST) + if re.search(r"/auth/.*/login$", redirect_url_obj.path): + auth_session["dex_login_url"] = redirect_url_obj.geturl() + + # else, we need to be redirected to the actual login page + else: + # this GET should redirect us to the `/auth/xxxx/login` path + resp = s.get(redirect_url_obj.geturl(), allow_redirects=True) + if resp.status_code != 200: + raise RuntimeError( + f"HTTP status code '{resp.status_code}' for GET against: {redirect_url_obj.geturl()}" + ) + + # set the login url + auth_session["dex_login_url"] = resp.url + + ################ + # Attempt Dex Login + ################ + resp = s.post( + auth_session["dex_login_url"], + data={"login": username, "password": password}, + allow_redirects=True + ) + + return resp.status_code + +KUBEFLOW_ENDPOINT = "http://localhost:8080" +KUBEFLOW_USERNAME = "user@example.com" +KUBEFLOW_PASSWORD = "12341234" + +resp = get_istio_auth_session( + url=KUBEFLOW_ENDPOINT, + username=KUBEFLOW_USERNAME, + password=KUBEFLOW_PASSWORD +) + +if resp == 200: + sys.exit(0) +else: + sys.exit(1) From 167872c85cc6a045195f851821bb885a26855910 Mon Sep 17 00:00:00 2001 From: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:09:31 +0000 Subject: [PATCH 08/12] Add kubeflow authentication oidc-authservice README.md Signed-off-by: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> --- common/oauth2-proxy/README.md | 135 ++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 common/oauth2-proxy/README.md 
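Review bot: `get_istio_auth_session` treats any HTTP 200 after the credential POST as a successful login, but with `allow_redirects=True` a rejected password that Dex answers by re-rendering its login form (as it typically does) also ends in a 200, so the test cannot tell a good login from a bad one; also check where the session landed, e.g. `if resp.status_code != 200 or urlsplit(resp.url).path.startswith("/dex/"): raise RuntimeError(f"Dex login did not complete, ended at {resp.url}")` (the `/dex` issuer path is the one used elsewhere in these manifests), or assert that `s.cookies` now carries the oauth2-proxy session cookie. The return value is also inconsistent with the `-> dict` docstring: the unsecured branch returns `auth_session` while the secured path returns `resp.status_code`, so an unprotected endpoint makes `resp == 200` silently false and the script exits 1 with no explanation; return one shape and print the reason before `sys.exit(1)`. The credentials `user@example.com` / `12341234` are hard-coded, which is acceptable for a throwaway CI cluster but deserves a comment stating they are the Dex `staticPasswords` demo values and must not be reused anywhere else. The docstring phrase `we default default to` also repeats a word.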
diff --git a/common/oauth2-proxy/README.md b/common/oauth2-proxy/README.md new file mode 100644 index 0000000000..12b02fd0ae --- /dev/null +++ b/common/oauth2-proxy/README.md 
@@ -0,0 +1,135 @@ +# Kubeflow Authentication using Oauth2 Proxy + +## Istio Envoy Filter + +> EnvoyFilter provides a mechanism to customize the Envoy configuration generated by Istio Pilot. Use EnvoyFilter to modify values for certain fields, add specific filters, or even add entirely new listeners, clusters, etc.[^1] + +Kubeflow will use an Envoy Filter for every incoming request when is used +with `oidc-authservice`. + +Usage of EnvoyFilter is currently not recommended. The preferred method for configuring External +Authentication in Istio is the `envoyExtAuthzHttp` extension provider[^2]. + +Envoy Filter is set up with [oidc-authservice](https://github.com/arrikto/oidc-authservice). + +## Istio envoyExtAuthzHttp + +This is Istio's recommended approach for External Authorization[^2]. It is not limited to the use +of `oauth2-proxy`[^3] alone. This method is an industry standard, meeting all of Kubeflow's +current and foreseeable authentication needs. + +## Kubeflow Pipelines User and M2M Authentication and Authorization + +Kubeflow Pipelines component relies on the built-in kubernetes functionalities to authenticate and authorize +user requests, specifically the TokenReviews[^4] and SubjectAccessReview[^5]. + +The best way to describe how it works is to explain with an example. Lets analyze the flow +when client calls API to list the KF Pipeline Runs: + +1. api-server starts endpoints in: + + https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/main.go#L95 + + Focusing on the pipelines run service: + + 1. Register Run Service: + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/main.go#L116 + 2. proto RPC definition of ListRunsV1 + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/api/v1beta1/run.proto#L80 + 3. code definition of ListRunsV1 + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L226 + 4. 
ListRunsV1 calls internal method `listRuns` + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L188 + 5. `listRuns` calls internal method `canAccessRun` which itself calls `s.resourceManager.IsAuthorized` + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/server/run_server.go#L637 + 6. `ResourceManager.IsAuthorized` first tries to authenticate over every available authenticator, which are the `TokenReviewAuthenticator` and `HTTPHeaderAuthenticator` + * here the user identity is either the user email provided directly in the `kubeflow-userid` header or the user identity obtained from provided token + * https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/resource/resource_manager.go#L1667 + 7. `TokenReviewAuthenticator.GetUserIdentity` gets the token from `Authorization` header and calls the K8s Auth `authv1.TokenReview` with given token which in return provides `userInfo := review.Status.User`. `GetUserIdentity` return `userInfo.Username` which at this point is the `system:serviceaccount:default:default`. + * https://github.com/kubeflow/pipelines/blob/2.0.5/backend/src/apiserver/auth/authenticator_token_review.go#L53 + 8. Next in `ResourceManager.IsAuthorized` a SubjectAccessReview is created with `r.subjectAccessReviewClient.Create` with arguments specifying RBAC verbs provided in code definition of `RunServer.listRuns`. If the user (sa) is not authorized, an error is thrown + * https://github.com/kubeflow/pipelines/blob/master/backend/src/apiserver/resource/resource_manager.go#L1703 + * if the identity was obtained from token (service account), the `rolebinding.rbac.authorization.k8s.io/default-editor` provides the RBAC permission + * if the identity was obtained from header (user), the `rolebinding.rbac.authorization.k8s.io/user-example-com` or similar provides the RBAC permission +2. User calls api to list pipeline runs as unauthorized service account. 
+ + * This can be done by running Pod with curl in `default` namespace: + ```bash + $ kubectl -n default run -ti --rm curl --image curlimages/curl --command -- sh + # v1beta1 + ~ $ curl "istio-ingressgateway.istio-system/pipeline/apis/v1beta1/runs?resource_reference_key.type=NAMESPACE&resource_reference_key.id=kubeflow-user-example-com" -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" + {"error":"Failed to list v1beta1 runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to list v1beta1 runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . 
Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","details":[{"@type":"type.googleapis.com/google.rpc.Status","code":7,"message":"User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,})"}]} + # v2beta1 + ~ $ curl istio-ingressgateway.istio-system/pipeline/apis/v2beta1/runs?namespace=kubeflow-user-example-com -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" + {"error":"Failed to list runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to list runs: Failed to list runs due to authorization error. Check if you have permission to access namespace kubeflow-user-example-com: Failed to access run . 
Check if you have access to namespace kubeflow-user-example-com: PermissionDenied: User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,}): Unauthorized access","details":[{"@type":"type.googleapis.com/google.rpc.Status","code":7,"message":"User 'system:serviceaccount:default:default' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:kubeflow-user-example-com,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:runs,Subresource:,Name:,})"}]} + ``` +3. User calls api to list pipeline runs as authorized service account. + + * This can be done by running Pod with curl in `kubeflow-user-example-com` namespace specifying correct service account: + ```bash + $ kubectl -n kubeflow-user-example-com run -ti --rm curl --image curlimages/curl --command --overrides='{"spec": {"serviceAccountName": "default-editor"}}' -- sh + # v1beta1 + ~ $ curl "istio-ingressgateway.istio-system/pipeline/apis/v1beta1/runs?resource_reference_key.type=NAMESPACE&resource_reference_key.id=kubeflow-user-example-com" -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" + {} # empty response which is fine because no pipeline runs exist + # v2beta1 + ~ $ curl istio-ingressgateway.istio-system/pipeline/apis/v2beta1/runs?namespace=kubeflow-user-example-com -H "Authorization: Bearer $(cat /run/secrets/kubernetes.io/serviceaccount/token)" + {} # empty response which is fine because no pipeline runs exist + ``` + +### Auth analysis diagram for Kubeflow Pipelines + +![Kubeflow Auth Diagram](./kubeflow_auth_diagram.svg) + +## Kubeflow Notebooks User and M2M Authentication and Authorization + +The underlying mechanism is the same as in Kubeflow Pipelines. 
+ +Similarly, to explain how it works, let's analyze the code step by step, starting from the api route definition +for listing notebooks: + +* list notebooks api route definition + * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/jupyter/backend/apps/common/routes/get.py#L53 + * this calls `crud_backend/api/notebook.py::list_notebooks` +* `crud_backend/api/notebook.py::list_notebooks` calls `authz.ensure_authorized` + * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/api/notebook.py#L24 +* `crud_backend/authz.py::ensure_authorized` calls `crud_backend/authn.py::get_username` + * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authz.py#L101 + * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authn.py#L12 + * `crud_backend/authn.py::get_username` gets the user id from userid header (email or sa in format `system:serviceaccount:kubeflowusernamespace:default-editor`) +* `crud_backend/authz.py::ensure_authorized` calls `crud_backend/authz.py::is_authorized` + * https://github.com/kubeflow/kubeflow/blob/v1.8.0/components/crud-web-apps/common/backend/kubeflow/kubeflow/crud_backend/authz.py#L46 + * this calls `create_subject_access_review` which uses the same mechanism as pipelines with `r.subjectAccessReviewClient.Create` + +## KServe Authentication + +The analysis of KServe auth capabilities suggests that while it's possible to limit access to only authenticated agents, +there might be some improvements required to enable access only to authorized agents. + +This is based on the following: + +1. KServe Controller Manager patch integrating kube-rbac-proxy[^6]. + + This suggests the kserve **might** use the same mechanism based on + `SubjectAccessReviews`. Having a look at the kubeflow/manifests I see it's + not enabled. +2. 
Search through the docs and code: + + * https://github.com/kserve/kserve/tree/v0.12.0/docs/samples/istio-dex + * https://github.com/kserve/kserve/tree/v0.12.0/docs/samples/gcp-iap + + The docs above mention that while it's possible to enable authentication, + authorization is more complicated and probably we need to add + `AuthorizationPolicy`... + + > create an [Istio AuthorizationPolicy](https://istio.io/latest/docs/reference/config/security/authorization-policy/) to grant access to the pods or disable it + + Most probably some work is needed to enable authorized access to kserve models. + +## Links + +[^1]: [Envoy Filter](https://istio.io/latest/docs/reference/config/networking/envoy-filter/) +[^2]: [External Authorization](https://istio.io/latest/docs/tasks/security/authorization/authz-custom/) +[^3]: [oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) +[^4]: [Kubernetes TokenReview](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-review-v1/) +[^5]: [Kubernetes SubjectAccessReview](https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/subject-access-review-v3/) +[^6]: [Kube RBAC Proxy](https://github.com/brancz/kube-rbac-proxy) \ No newline at end of file From 032ed47339732a36aa1b43b845e891141a5d82cb Mon Sep 17 00:00:00 2001 From: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> Date: Tue, 30 Jul 2024 11:21:31 +0000 Subject: [PATCH 09/12] Fix yaml linter error 
Signed-off-by: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> --- common/oauth2-proxy/base/deployment.yaml | 134 +++++++++--------- .../oauth2-proxy/base/rbac.tokenreviews.yaml | 16 +-- common/oauth2-proxy/base/service.yaml | 6 +- ...ronjob.kubeflow-m2m-oidc-configurator.yaml | 38 ++--- .../rbac.yaml | 20 +-- .../deployment.jwt-refresh-interval.yaml | 18 +-- .../istio-external-auth/kustomization.yaml | 4 +- .../requestauthentication.dex-jwt.yaml | 24 ++-- .../istio-m2m/requestauthentication.yaml | 14 +- example/kustomization.yaml | 2 +- 10 files changed, 138 insertions(+), 138 deletions(-) diff --git a/common/oauth2-proxy/base/deployment.yaml b/common/oauth2-proxy/base/deployment.yaml index f8ef99b4b7..eba3f09429 100644 --- a/common/oauth2-proxy/base/deployment.yaml +++ b/common/oauth2-proxy/base/deployment.yaml 
@@ -15,71 +15,71 @@ spec: app.kubernetes.io/name: oauth2-proxy spec: volumes: - - name: configmain - configMap: - name: oauth2-proxy - defaultMode: 420 + - name: configmain + configMap: + name: oauth2-proxy + defaultMode: 420 containers: - - name: oauth2-proxy - image: quay.io/oauth2-proxy/oauth2-proxy:latest - args: - - --http-address=0.0.0.0:4180 - - --config=/etc/oauth2_proxy/oauth2_proxy.cfg - ports: - - name: http - containerPort: 4180 - protocol: TCP - - name: metrics - containerPort: 44180 - protocol: TCP - env: - - name: OAUTH2_PROXY_CLIENT_ID - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-id - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: client-secret - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: oauth2-proxy - key: cookie-secret - - name: OAUTH2_PROXY_COOKIE_SECURE - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: FORCE_HTTPS - - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ALLOW_SELF_SIGNED_ISSUER - - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: ENABLE_M2M_TOKENS - - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS - valueFrom: - configMapKeyRef: - name: oauth2-proxy-parameters - key: EXTRA_JWT_ISSUERS - volumeMounts: - - name: configmain - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg - subPath: oauth2_proxy.cfg - livenessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - readinessProbe: - httpGet: - path: /ping - port: http - scheme: HTTP - resources: {} + - name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:latest + args: + - --http-address=0.0.0.0:4180 + - --config=/etc/oauth2_proxy/oauth2_proxy.cfg + ports: + - name: http + containerPort: 4180 + protocol: TCP + - name: metrics + containerPort: 44180 + protocol: TCP + env: + - name: OAUTH2_PROXY_CLIENT_ID + valueFrom: + secretKeyRef: + name: 
oauth2-proxy + key: client-id + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy + key: client-secret + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: oauth2-proxy + key: cookie-secret + - name: OAUTH2_PROXY_COOKIE_SECURE + valueFrom: + configMapKeyRef: + name: oauth2-proxy-parameters + key: FORCE_HTTPS + - name: OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY + valueFrom: + configMapKeyRef: + name: oauth2-proxy-parameters + key: ALLOW_SELF_SIGNED_ISSUER + - name: OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS + valueFrom: + configMapKeyRef: + name: oauth2-proxy-parameters + key: ENABLE_M2M_TOKENS + - name: OAUTH2_PROXY_EXTRA_JWT_ISSUERS + valueFrom: + configMapKeyRef: + name: oauth2-proxy-parameters + key: EXTRA_JWT_ISSUERS + volumeMounts: + - name: configmain + mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg + subPath: oauth2_proxy.cfg + livenessProbe: + httpGet: + path: /ping + port: http + scheme: HTTP + readinessProbe: + httpGet: + path: /ping + port: http + scheme: HTTP + resources: {} diff --git a/common/oauth2-proxy/base/rbac.tokenreviews.yaml b/common/oauth2-proxy/base/rbac.tokenreviews.yaml index 4da90d4b4e..1b071279e8 100644 --- a/common/oauth2-proxy/base/rbac.tokenreviews.yaml +++ b/common/oauth2-proxy/base/rbac.tokenreviews.yaml @@ -3,12 +3,12 @@ kind: ClusterRole metadata: name: authn-delegator rules: - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 @@ -20,5 +20,5 @@ roleRef: kind: ClusterRole name: authn-delegator subjects: - - kind: ServiceAccount - name: oauth2-proxy +- kind: ServiceAccount + name: oauth2-proxy diff --git a/common/oauth2-proxy/base/service.yaml b/common/oauth2-proxy/base/service.yaml index b8ee06324d..260213a63a 100644 --- a/common/oauth2-proxy/base/service.yaml +++ b/common/oauth2-proxy/base/service.yaml 
@@ -7,7 +7,7 @@ spec: selector: app.kubernetes.io/name: oauth2-proxy ports: - - port: 80 - name: http - targetPort: http + - port: 80 + name: http + targetPort: http publishNotReadyAddresses: true diff --git a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml index 3d3fc2c281..639e96cb49 100644 --- a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml +++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/cronjob.kubeflow-m2m-oidc-configurator.yaml @@ -17,23 +17,23 @@ spec: restartPolicy: OnFailure serviceAccountName: kubeflow-m2m-oidc-configurator containers: - - image: docker.io/curlimages/curl - name: kubeflow-m2m-oidc-configurator - command: - - /script.sh - envFrom: - - configMapRef: - name: kubeflow-m2m-oidc-configurator-envs - volumeMounts: - - mountPath: /script.sh - name: script - subPath: script.sh - resources: {} + - image: docker.io/curlimages/curl + name: kubeflow-m2m-oidc-configurator + command: + - /script.sh + envFrom: + - configMapRef: + name: kubeflow-m2m-oidc-configurator-envs + volumeMounts: + - mountPath: /script.sh + name: script + subPath: script.sh + resources: {} volumes: - - name: script - configMap: - name: kubeflow-m2m-oidc-configurator-script - defaultMode: 0777 - items: - - key: script.sh - path: script.sh + - name: script + configMap: + name: kubeflow-m2m-oidc-configurator-script + defaultMode: 0777 + items: + - key: script.sh + path: script.sh diff --git a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml index 305a8fb5c0..9bb2578515 100644 --- a/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml 
+++ b/common/oauth2-proxy/components/configure-self-signed-kubernetes-oidc-issuer/rbac.yaml @@ -11,13 +11,13 @@ metadata: name: kubeflow-m2m-oidc-configurator namespace: istio-system rules: - - apiGroups: - - security.istio.io - resources: - - requestauthentications - verbs: - - get - - patch +- apiGroups: + - security.istio.io + resources: + - requestauthentications + verbs: + - get + - patch --- apiVersion: rbac.authorization.k8s.io/v1 @@ -30,6 +30,6 @@ roleRef: kind: Role name: kubeflow-m2m-oidc-configurator subjects: - - kind: ServiceAccount - name: kubeflow-m2m-oidc-configurator - namespace: istio-system +- kind: ServiceAccount + name: kubeflow-m2m-oidc-configurator + namespace: istio-system diff --git a/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml index 96987bc69c..a11dfd1282 100644 --- a/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml +++ b/common/oauth2-proxy/components/istio-external-auth-patches/patches/deployment.jwt-refresh-interval.yaml 
@@ -7,12 +7,12 @@ spec: template: spec: containers: - - name: discovery - env: - # Istio will refresh the JWT Public Keys provided with - # RequestAuthentication by default every 20 minutes. For deployment - # from scratch this is not ideal because there is a high chance that - # the istiod will be available before dex is available, triggering - # Istio mechanism to use a placeholder jwt until refreshed. - - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL - value: "1m" + - name: discovery + env: + # Istio will refresh the JWT Public Keys provided with + # RequestAuthentication by default every 20 minutes. For deployment + # from scratch this is not ideal because there is a high chance that + # the istiod will be available before dex is available, triggering + # Istio mechanism to use a placeholder jwt until refreshed. + - name: PILOT_JWT_PUB_KEY_REFRESH_INTERVAL + value: "1m" diff --git a/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml index ec79597930..cf906f840c 100644 --- a/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml +++ b/common/oauth2-proxy/components/istio-external-auth/kustomization.yaml @@ -5,7 +5,7 @@ resources: - authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml - requestauthentication.dex-jwt.yaml -# If you're running Kubeflow behind CloudFlare, use +# If you're running Kubeflow behind CloudFlare, use # authorizationpolicy.istio-ingressgateway-oauth2-proxy-cloudflare.yaml -# instead of +# instead of # authorizationpolicy.istio-ingressgateway-oauth2-proxy.yaml diff --git a/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml index 4da92ad8b5..55f4565281 100644 --- a/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml 
+++ b/common/oauth2-proxy/components/istio-external-auth/requestauthentication.dex-jwt.yaml @@ -5,15 +5,15 @@ metadata: namespace: istio-system spec: jwtRules: - # forwardOriginalToken must be set to true so the authorization header will - # be passed between Kubeflow Components and Istio can configure the - # Kubeflow Auth Headers based on this request authorization header. - - forwardOriginalToken: true - issuer: http://dex.auth.svc.cluster.local:5556/dex - # These 5 lines provides integration of istio/oauth2-proxy with - # Kubeflow custom auth headers. - outputClaimToHeaders: - - header: kubeflow-userid - claim: email - - header: kubeflow-groups - claim: groups + # forwardOriginalToken must be set to true so the authorization header will + # be passed between Kubeflow Components and Istio can configure the + # Kubeflow Auth Headers based on this request authorization header. + - forwardOriginalToken: true + issuer: http://dex.auth.svc.cluster.local:5556/dex + # These 5 lines provides integration of istio/oauth2-proxy with + # Kubeflow custom auth headers. + outputClaimToHeaders: + - header: kubeflow-userid + claim: email + - header: kubeflow-groups + claim: groups diff --git a/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml index af0b3ecd67..39563d5ef9 100644 --- a/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml +++ b/common/oauth2-proxy/components/istio-m2m/requestauthentication.yaml @@ -5,10 +5,10 @@ metadata: namespace: istio-system spec: jwtRules: - - forwardOriginalToken: true - issuer: M2M_TOKEN_ISSUER_PLACEHOLDER - outputClaimToHeaders: - - claim: sub - header: x-auth-request-user - - claim: sub - header: kubeflow-userid + - forwardOriginalToken: true + issuer: M2M_TOKEN_ISSUER_PLACEHOLDER + outputClaimToHeaders: + - claim: sub + header: x-auth-request-user + - claim: sub + header: kubeflow-userid 
diff --git a/example/kustomization.yaml b/example/kustomization.yaml index 06d856e843..0308d5e602 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -64,7 +64,7 @@ resources: # Katib - ../apps/katib/upstream/installs/katib-with-kubeflow # Central Dashboard -- ../apps/centraldashboard/overlays +- ../apps/centraldashboard/overlays/oauth2-proxy # Admission Webhook - ../apps/admission-webhook/upstream/overlays/cert-manager # Jupyter Web App From 88864511a904c2f18360a8ca5e95348bb3722212 Mon Sep 17 00:00:00 2001 From: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> Date: Tue, 30 Jul 2024 14:42:12 +0000 Subject: [PATCH 10/12] Fix yaml linting 
Signed-off-by: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> --- .github/workflows/admission_webhook_test.yaml | 16 +- .github/workflows/bentoml_test.yaml | 14 +- .github/workflows/centraldashboard_test.yaml | 12 +- .github/workflows/dex_test.yaml | 26 +- .../jupyter_web_application_test.yaml | 12 +- .github/workflows/katib_test.yaml | 16 +- .github/workflows/kserve_cni_test.yaml | 94 +++---- .github/workflows/kserve_m2m_test.yaml | 128 +++++----- .github/workflows/kserve_test.yaml | 94 +++---- .../linting_bash_python_yaml_files.yaml | 21 +- .github/workflows/manifests_example_test.yaml | 4 +- .github/workflows/metacontroller_test.yaml | 18 +- .github/workflows/model_registry_test.yaml | 10 +- .../notebook_controller_m2m_test.yaml | 18 +- .../workflows/notebook_controller_test.yaml | 14 +- .../workflows/pipeline_run_from_notebook.yaml | 26 +- .github/workflows/pipeline_test.yaml | 234 +++++++++--------- .github/workflows/profiles_test.yaml | 14 +- .github/workflows/ray_test.yaml | 8 +- .github/workflows/seldon_test.yaml | 18 +- .github/workflows/stale.yaml | 68 +++-- .../tensorboard_controller_test.yaml | 14 +- .../tensorboards_web_application_test.yaml | 14 +- .github/workflows/training_operator_test.yaml | 16 +- .github/workflows/triage_issues.yaml | 12 +- .github/workflows/trivy.yaml | 80 +++--- .../volumes_web_application_test.yaml | 14 +- 27 files changed, 504 insertions(+), 511 deletions(-) diff --git a/.github/workflows/admission_webhook_test.yaml b/.github/workflows/admission_webhook_test.yaml index 3a4d8e04af..2660a70e7a 100644 --- a/.github/workflows/admission_webhook_test.yaml +++ b/.github/workflows/admission_webhook_test.yaml 
@@ -2,14 +2,14 @@ name: Build & Apply PodDefaults manifests in KinD on: pull_request: paths: - - .github/workflows/admission_webhook_test.yaml - - apps/admission-webhook/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/admission_webhook_test.yaml + - apps/admission-webhook/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/bentoml_test.yaml b/.github/workflows/bentoml_test.yaml index 71b59956ff..41a8fc276b 100644 --- a/.github/workflows/bentoml_test.yaml +++ b/.github/workflows/bentoml_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply BentoML Yatai Stack manifests in KinD on: pull_request: paths: - - .github/workflows/bentoml_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - contrib/bentoml/** + - .github/workflows/bentoml_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - contrib/bentoml/** jobs: build: diff --git a/.github/workflows/centraldashboard_test.yaml b/.github/workflows/centraldashboard_test.yaml index 6fd9337da1..f5373d1277 100644 --- a/.github/workflows/centraldashboard_test.yaml +++ b/.github/workflows/centraldashboard_test.yaml 
@@ -2,12 +2,12 @@ name: Build & Apply CentralDashboard manifests in KinD on: pull_request: paths: - - .github/workflows/centraldashboard_test.yaml - - apps/centraldashboard/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh + - .github/workflows/centraldashboard_test.yaml + - apps/centraldashboard/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh jobs: build: diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml index c952438b49..8153edc32b 100644 --- a/.github/workflows/dex_test.yaml +++ b/.github/workflows/dex_test.yaml @@ -2,12 +2,12 @@ name: Build & Apply Dex manifests in KinD on: pull_request: paths: - - .github/workflows/dex_test.yaml - - common/dex/base/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh + - .github/workflows/dex_test.yaml + - common/dex/base/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh jobs: build: 
@@ -35,12 +35,12 @@ jobs: kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s - name: port forward - run: | - ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & - while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + run: | + ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & + while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready - name: test dex login - run: | - pip3 install requests - ./tests/gh-actions/test_dex_login.py + run: | + pip3 install requests + ./tests/gh-actions/test_dex_login.py diff --git a/.github/workflows/jupyter_web_application_test.yaml b/.github/workflows/jupyter_web_application_test.yaml index 6cd555d8f9..13715e1740 100644 --- a/.github/workflows/jupyter_web_application_test.yaml +++ b/.github/workflows/jupyter_web_application_test.yaml @@ -2,12 +2,12 @@ name: Build & Apply JWA manifests in KinD on: pull_request: paths: - - .github/workflows/jupyter_web_application_test.yaml - - apps/jupyter/jupyter-web-app/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh + - .github/workflows/jupyter_web_application_test.yaml + - apps/jupyter/jupyter-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh jobs: build: 
diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index c61e2237b3..9edace0aa7 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -2,14 +2,14 @@ name: Build & Apply Katib manifests in KinD on: pull_request: paths: - - .github/workflows/katib_test.yaml - - apps/katib/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/katib_test.yaml + - apps/katib/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml index eb48f8fb34..c9ac27229e 100644 --- a/.github/workflows/kserve_cni_test.yaml +++ b/.github/workflows/kserve_cni_test.yaml 
@@ -2,69 +2,69 @@ name: Build & Apply KServe manifests in KinD, using istio CNI on: pull_request: paths: - - .github/workflows/kserve_cni_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - common/istio-cni-1-22/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative-cni.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_cni_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - common/istio-cni-1-22/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative-cni.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - name: Install Istio CNI - run: ./tests/gh-actions/install_istio-cni.sh + - name: Install Istio CNI + run: ./tests/gh-actions/install_istio-cni.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - 
name: Install knative CNI - run: ./tests/gh-actions/install_knative-cni.sh + - name: Install knative CNI + run: ./tests/gh-actions/install_knative-cni.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - - name: Run kserve tests - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests && pytest . + - name: Run kserve tests + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests && pytest . - - name: Run kserve models webapp test - run: | - kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app + - name: Run kserve models webapp test + run: | + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app 
diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml index 6553bbdf8a..b468702f1a 100644 --- a/.github/workflows/kserve_m2m_test.yaml +++ b/.github/workflows/kserve_m2m_test.yaml 
@@ -2,88 +2,88 @@ name: Deploy and test KServe with m2m auth in KinD on: pull_request: paths: - - .github/workflows/kserve_m2m_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/kserve/** - - common/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh* - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_m2m_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/kserve/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh* + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kubectl - run: ./tests/gh-actions/install_kubectl.sh + - name: Install kubectl + run: ./tests/gh-actions/install_kubectl.sh - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - 
name: Install Istio with external authentication - run: ./tests/gh-actions/install_istio_with_ext_auth.sh + - name: Install Istio with external authentication + run: ./tests/gh-actions/install_istio_with_ext_auth.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - name: Install knative - run: ./tests/gh-actions/install_knative.sh + - name: Install knative + run: ./tests/gh-actions/install_knative.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + while ! 
curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready - - name: Wait for the kubeflow-m2m-oidc-configurator Job - run: | - ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh + - name: Wait for the kubeflow-m2m-oidc-configurator Job + run: | + ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh - - name: Run kserve tests with m2m token from SA default/default - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)" - cd ./contrib/kserve/tests && pytest . -vs --log-level info + - name: Run kserve tests with m2m token from SA default/default + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)" + cd ./contrib/kserve/tests && pytest . -vs --log-level info - - name: Run and fail kserve tests without kserve m2m token - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests - if pytest . -vs --log-level info; then - echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1 - else - echo "Task failed successfully!" - echo "This is a provisional way of testing that m2m is enabled for kserve." - fi + - name: Run and fail kserve tests without kserve m2m token + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests + if pytest . -vs --log-level info; then + echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1 + else + echo "Task failed successfully!" + echo "This is a provisional way of testing that m2m is enabled for kserve." + fi diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml index e4d5ef7cfe..81b9825115 100644 --- a/.github/workflows/kserve_test.yaml +++ b/.github/workflows/kserve_test.yaml 
@@ -2,69 +2,69 @@ name: Build & Apply KServe manifests in KinD on: pull_request: paths: - - .github/workflows/kserve_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/kserve/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh + - .github/workflows/kserve_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/kserve/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_knative.sh + - common/knative/** + - tests/gh-actions/install_kserve.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - name: Checkout + uses: actions/checkout@v4 - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + - name: Install Istio + run: ./tests/gh-actions/install_istio.sh - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh - - name: Install knative - run: ./tests/gh-actions/install_knative.sh 
+ - name: Install knative + run: ./tests/gh-actions/install_knative.sh - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh + - name: Build & Apply manifests + run: ./tests/gh-actions/install_kserve.sh - - name: Create test namespace - run: kubectl create ns kserve-test + - name: Create test namespace + run: kubectl create ns kserve-test - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 + - name: Setup python 3.9 + uses: actions/setup-python@v4 + with: + python-version: 3.9 - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt + - name: Install test dependencies + run: pip install -r ./contrib/kserve/tests/requirements.txt - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & + - name: Port forward + run: | + INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - - name: Run kserve tests - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests && pytest . + - name: Run kserve tests + run: | + export KSERVE_INGRESS_HOST_PORT=localhost:8080 + cd ./contrib/kserve/tests && pytest . - - name: Run kserve models webapp test - run: | - kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app \ No newline at end of file + - name: Run kserve models webapp test + run: | + kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app 
diff --git a/.github/workflows/linting_bash_python_yaml_files.yaml b/.github/workflows/linting_bash_python_yaml_files.yaml index 3d168fde5f..f49d53ab10 100644 --- a/.github/workflows/linting_bash_python_yaml_files.yaml +++ b/.github/workflows/linting_bash_python_yaml_files.yaml @@ -11,17 +11,19 @@ jobs: - name: Python Files Formatting Guidelines run: | echo "### Python Files Formatting Guidelines ### - If there is a formatting error in your python files, - 1. First install black + If there is a formatting error in your python files, + 1. First install black It requires Python 3.8+ to run. Install with 'pip install black' and if you use pipx, install Black with 'pipx install black'. If you want to format Jupyter Notebooks, install with 'pip install black[jupyter]'. - 2. Run the command + 2. Run the command 'python -m black {source_file_or_directory}' or - 'black {source_file_or_directory}' - to format python files. + 'black {source_file_or_directory}' + to format python files. " + + - uses: psf/black@stable with: src: | @@ -44,12 +46,11 @@ jobs: If there is a formatting error in your YAML file, you will see errors like the one below: 'Error: 6:4 [indentation] wrong indentation: expected 2 but found 3' - 6:4 means line 6, column 4. - To fix these errors, refer to the YAML formatting rules at: https://yamllint.readthedocs.io/en/stable/rules.html# Search for the keyword inside the brackets [] in the error message. In this example, it's 'indentation'. + Note: Some rules have been customized in the '.yamllint.yaml' file. Below is the content of that file: extends: default 
@@ -71,7 +72,7 @@ jobs: - name: Set up changed files id: changed_files run: | - git diff --name-status origin/master...HEAD | grep -E '^[AM].*\.(yaml|yml)$' | awk '{print $2}' > changed_files_in_PR.txt || true + git diff --name-only origin/master...HEAD | grep -E '^common/.*\.ya?ml$|^example/.*\.ya?ml$' > changed_files_in_PR.txt || true if [ ! -s changed_files_in_PR.txt ]; then echo "No YAML files have changed in this PR." > changed_files_in_PR.txt fi @@ -119,13 +120,13 @@ jobs: - name: Set up changed files id: changed_files run: | - git diff --name-only origin/master...HEAD | grep -E '^[AM].*\.sh$' | grep -v '^apps/' | awk '{print $2}' > changed_files_in_PR.txt || true + git diff --name-only origin/master...HEAD | grep -E '^.*\.sh$' | grep -v '^apps/' > changed_files_in_PR.txt || true if [ ! -s changed_files_in_PR.txt ]; then echo "No bash files have changed in this PR." fi - name: Display changed files - if: always() # Always run this step + if: always() # Always run this step run: cat changed_files_in_PR.txt || echo "No bash files have changed in this PR." - name: Run ShellCheck on changed files diff --git a/.github/workflows/manifests_example_test.yaml b/.github/workflows/manifests_example_test.yaml index 72579e63b8..12b6476e41 100644 --- a/.github/workflows/manifests_example_test.yaml +++ b/.github/workflows/manifests_example_test.yaml @@ -1,8 +1,8 @@ name: Unit Test on: - - push - - pull_request +- push +- pull_request jobs: build: diff --git a/.github/workflows/metacontroller_test.yaml b/.github/workflows/metacontroller_test.yaml index 403c126aa1..987d30cd74 100644 --- a/.github/workflows/metacontroller_test.yaml +++ b/.github/workflows/metacontroller_test.yaml 
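Review bot: The new `git diff --name-only origin/master...HEAD | grep -E '^common/.*\.ya?ml$|^example/.*\.ya?ml$'` also lists files the PR deleted, so a removed manifest under common/ or example/ ends up in changed_files_in_PR.txt and, presumably, in the later lint step that consumes it outside this hunk; the old `--name-status` pipeline excluded those with `^[AM]`. `git diff --name-only --diff-filter=AM origin/master...HEAD | …` restores that behaviour here, and the same flag belongs in the bash hunk at `@@ -119,13 +120,13` (where the old `^[AM]` regex ran against `--name-only` output that has no status column, so that rewrite is otherwise a genuine fix). Restricting the YAML lint to common/ and example/ also stops linting .github/workflows and apps/, which looks intentional but is not stated in the commit message. The trailing `|| true` on both pipelines turns a failing `git diff` (for example a shallow checkout without origin/master) into "no files changed", so the lint job passes silently instead of failing loudly.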
@@ -2,15 +2,15 @@ name: Build & Apply contrib/metacontroller in KinD on: pull_request: paths: - - .github/workflows/metacontroller_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - contrib/metacontroller/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/metacontroller_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - contrib/metacontroller/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml index 082d9b540b..bc6a857ee4 100644 --- a/.github/workflows/model_registry_test.yaml +++ b/.github/workflows/model_registry_test.yaml @@ -4,11 +4,11 @@ name: Deploy and test Kubeflow Model Registry on: pull_request: paths: - - apps/model-registry/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - apps/model-registry/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build-kfmr: diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index 16a06fd033..fa0f70a934 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml 
@@ -2,15 +2,15 @@ name: Test Notebook Controller with m2m auth manifests in KinD on: pull_request: paths: - - .github/workflows/notebook_controller_m2m_test.yaml - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - apps/jupyter/** - - common/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh* - - tests/gh-actions/install_multi_tenancy.sh + - .github/workflows/notebook_controller_m2m_test.yaml + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - apps/jupyter/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh* + - tests/gh-actions/install_multi_tenancy.sh jobs: build: diff --git a/.github/workflows/notebook_controller_test.yaml b/.github/workflows/notebook_controller_test.yaml index abb01afaf0..a423f05459 100644 --- a/.github/workflows/notebook_controller_test.yaml +++ b/.github/workflows/notebook_controller_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Notebook Controller manifests in KinD on: pull_request: paths: - - .github/workflows/notebook_controller_test.yaml - - apps/jupyter/notebook-controller/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/notebook_controller_test.yaml + - apps/jupyter/notebook-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 0e49040318..7d91966adc 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml 
@@ -2,19 +2,19 @@ name: Create Pipeline Run from Kubeflow Notebook on: pull_request: paths: - - .github/workflows/pipeline_run_from_notebook.yaml - - apps/jupyter/notebook-controller/upstream/** - - apps/pipeline/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - common/oauth2-proxy/** - - common/istio*/** - - common//** - - apps/jupyter/** + - .github/workflows/pipeline_run_from_notebook.yaml + - apps/jupyter/notebook-controller/upstream/** + - apps/pipeline/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - common/oauth2-proxy/** + - common/istio*/** + - common//** + - apps/jupyter/** jobs: build: diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index a7f8bb9d2e..2cfcca0cf6 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml 
@@ -2,125 +2,125 @@ name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD on: pull_request: paths: - - .github/workflows/pipeline_test.yaml - - apps/pipeline/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - common/oauth2-proxy/** - - common/istio*/** - - tests/gh-actions/install_istio_with_ext_auth.sh + - .github/workflows/pipeline_test.yaml + - apps/pipeline/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** + - common/oauth2-proxy/** + - common/istio*/** + - tests/gh-actions/install_istio_with_ext_auth.sh jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Install KinD - run: ./tests/gh-actions/install_kind.sh - - - name: Create KinD Cluster - run: kind create cluster --config tests/gh-actions/kind-cluster.yaml - - - name: Install kustomize - run: ./tests/gh-actions/install_kustomize.sh - - - name: Install kubectl - run: ./tests/gh-actions/install_kubectl.sh - - - name: Install Istio with external authentication - run: ./tests/gh-actions/install_istio_with_ext_auth.sh - - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh - - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - - name: Install KF Pipelines - run: ./tests/gh-actions/install_pipelines.sh - - - name: Install KF Multi Tenancy - run: ./tests/gh-actions/install_multi_tenancy.sh - - - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - - - - name: Create KF Profile - run: kustomize build 
common/user-namespace/base | kubectl apply -f - - - - name: port forward - run: | - ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 & - while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready - - - name: Wait for the kubeflow-m2m-oidc-configurator Job - run: | - ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh - - - name: List and deploy test pipeline with authorized ServiceAccount Token - run: | - pip3 install kfp==2.4.0 - KF_PROFILE=kubeflow-user-example-com - TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" - - python -c ' - from time import sleep - import kfp - import sys - - token = sys.argv[1] - namespace = sys.argv[2] - client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) - - pipeline = client.list_pipelines().pipelines[0] - pipeline_name = pipeline.display_name - pipeline_id = pipeline.pipeline_id - pipeline_version_id = client.list_pipeline_versions(pipeline_id).pipeline_versions[0].pipeline_version_id - experiment_id = client.create_experiment("m2m-test", namespace=namespace).experiment_id - - print(f"Starting pipeline {pipeline_name}.") - run_id = client.run_pipeline(experiment_id=experiment_id, job_name="m2m-test", pipeline_id=pipeline_id, version_id=pipeline_version_id).run_id - - while True: - status = client.get_run(run_id=run_id).state - if status in ["PENDING", "RUNNING"]: - print(f"Waiting for run_id: {run_id}, status: {status}.") - sleep(10) - else: - print(f"Run with id {run_id} finished with status: {status}.") - if status != "SUCCEEDED": - print("Pipeline failed") - raise SystemExit(1) - break - ' "${TOKEN}" "${KF_PROFILE}" - - - name: Fail to list pipelines with unauthorized ServiceAccount Token - run: | - pip3 install kfp==2.4.0 - 
KF_PROFILE=kubeflow-user-example-com - TOKEN="$(kubectl -n default create token default)" - - python -c ' - import kfp - import sys - from kfp_server_api.exceptions import ApiException - - token = sys.argv[1] - namespace = sys.argv[2] - client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) - - try: - pipeline = client.list_runs(namespace=namespace) - except ApiException as e: - assert e.status == 403, "This API Call should return unauthorized/forbidden error." - ' "${TOKEN}" "${KF_PROFILE}" - - echo "Test succeeded. Token from unauthorized ServiceAccount cannot list \ - piplines in $KF_PROFILE namespace." + - name: Checkout + uses: actions/checkout@v4 + + - name: Install KinD + run: ./tests/gh-actions/install_kind.sh + + - name: Create KinD Cluster + run: kind create cluster --config tests/gh-actions/kind-cluster.yaml + + - name: Install kustomize + run: ./tests/gh-actions/install_kustomize.sh + + - name: Install kubectl + run: ./tests/gh-actions/install_kubectl.sh + + - name: Install Istio with external authentication + run: ./tests/gh-actions/install_istio_with_ext_auth.sh + + - name: Install cert-manager + run: ./tests/gh-actions/install_cert_manager.sh + + - name: Create kubeflow namespace + run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - + + - name: Install KF Pipelines + run: ./tests/gh-actions/install_pipelines.sh + + - name: Install KF Multi Tenancy + run: ./tests/gh-actions/install_multi_tenancy.sh + + - name: Install kubeflow-istio-resources + run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f - + + - name: Create KF Profile + run: kustomize build common/user-namespace/base | kubectl apply -f - + + - name: port forward + run: | + ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') + nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 
8080:80 & + while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready + + - name: Wait for the kubeflow-m2m-oidc-configurator Job + run: | + ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh + + - name: List and deploy test pipeline with authorized ServiceAccount Token + run: | + pip3 install kfp==2.4.0 + KF_PROFILE=kubeflow-user-example-com + TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" + + python -c ' + from time import sleep + import kfp + import sys + + token = sys.argv[1] + namespace = sys.argv[2] + client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) + + pipeline = client.list_pipelines().pipelines[0] + pipeline_name = pipeline.display_name + pipeline_id = pipeline.pipeline_id + pipeline_version_id = client.list_pipeline_versions(pipeline_id).pipeline_versions[0].pipeline_version_id + experiment_id = client.create_experiment("m2m-test", namespace=namespace).experiment_id + + print(f"Starting pipeline {pipeline_name}.") + run_id = client.run_pipeline(experiment_id=experiment_id, job_name="m2m-test", pipeline_id=pipeline_id, version_id=pipeline_version_id).run_id + + while True: + status = client.get_run(run_id=run_id).state + if status in ["PENDING", "RUNNING"]: + print(f"Waiting for run_id: {run_id}, status: {status}.") + sleep(10) + else: + print(f"Run with id {run_id} finished with status: {status}.") + if status != "SUCCEEDED": + print("Pipeline failed") + raise SystemExit(1) + break + ' "${TOKEN}" "${KF_PROFILE}" + + - name: Fail to list pipelines with unauthorized ServiceAccount Token + run: | + pip3 install kfp==2.4.0 + KF_PROFILE=kubeflow-user-example-com + TOKEN="$(kubectl -n default create token default)" + + python -c ' + import kfp + import sys + from kfp_server_api.exceptions import ApiException + + token = sys.argv[1] + namespace = sys.argv[2] + client = kfp.Client(host="http://localhost:8080/pipeline", existing_token=token) + + try: + 
pipeline = client.list_runs(namespace=namespace) + except ApiException as e: + assert e.status == 403, "This API Call should return unauthorized/forbidden error." + ' "${TOKEN}" "${KF_PROFILE}" + + echo "Test succeeded. Token from unauthorized ServiceAccount cannot list \ + piplines in $KF_PROFILE namespace." diff --git a/.github/workflows/profiles_test.yaml b/.github/workflows/profiles_test.yaml index 2352352bf9..d562ff7c0d 100644 --- a/.github/workflows/profiles_test.yaml +++ b/.github/workflows/profiles_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Profiles manifests in KinD on: pull_request: paths: - - .github/workflows/profiles_test.yaml - - apps/profiles/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/profiles_test.yaml + - apps/profiles/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/ray_test.yaml b/.github/workflows/ray_test.yaml index 56732ddbc6..d726105e84 100644 --- a/.github/workflows/ray_test.yaml +++ b/.github/workflows/ray_test.yaml @@ -2,10 +2,10 @@ name: Build & Apply Ray manifest in KinD on: pull_request: paths: - - .github/workflows/ray_test.yaml - - contrib/ray/** - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh + - .github/workflows/ray_test.yaml + - contrib/ray/** + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh jobs: build: diff --git a/.github/workflows/seldon_test.yaml b/.github/workflows/seldon_test.yaml index 822ba29df4..c98b8be446 100644 --- a/.github/workflows/seldon_test.yaml +++ b/.github/workflows/seldon_test.yaml 
@@ -2,15 +2,15 @@ name: Build & Apply Seldon manifests in KinD on: pull_request: paths: - - .github/workflows/seldon_test.yaml - - tests/gh-actions/kind-cluster.yaml - - contrib/seldon/** - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** + - .github/workflows/seldon_test.yaml + - tests/gh-actions/kind-cluster.yaml + - contrib/seldon/** + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** + - tests/gh-actions/install_cert_manager.sh + - common/cert-manager/** jobs: build: diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index dc8c85a9da..0688b0e5c6 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -7,7 +7,7 @@ name: Mark stale issues and pull requests on: schedule: - - cron: '0 0 * * *' # Run every day at midnight + - cron: '0 0 * * *' # Run every day at midnight jobs: stale: 
@@ -17,40 +17,32 @@ jobs: pull-requests: write steps: - - uses: actions/stale@v5 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - days-before-stale: 60 - days-before-close: 21 - # The message that will be added as a comment to the issues - # when the stale workflow marks it automatically as stale with a label. - stale-issue-message: > - This issue has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the issues - # when the stale workflow closes it automatically after being stale for too long. - close-issue-message: > - This issue has been automatically closed because it has not had recent - activity. Please comment "/reopen" to reopen it. - stale-issue-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-issue-labels: lifecycle/frozen,enhancement,good first issue - # The message that will be added as a comment to the pull requests - # when the stale workflow marks it automatically as stale with a label. - stale-pr-message: > - This pull request has been automatically marked as stale because it has not had - recent activity. It will be closed if no further activity occurs. Thank you - for your contributions. - # The message that will be added as a comment to the pull requests - # when the stale workflow closes it automatically after being stale for too long. - close-pr-message: > - This pull request has been automatically closed because it has not had recent - activity.You can reopen the PR if you want. - stale-pr-label: lifecycle/stale - # Exclude them from being marked as stale - exempt-pr-labels: lifecycle/frozen,enhancement,good first issue - # The issues or the pull requests with a milestone will not be marked as stale automatically - exempt-all-milestones: true - # Learn more about operations: https://github.com/actions/stale#operations-per-run. 
- operations-per-run: 250 \ No newline at end of file + - uses: actions/stale@v5 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + days-before-stale: 60 + days-before-close: 21 + # The message that will be added as a comment to the issues + # when the stale workflow marks it automatically as stale with a label. + stale-issue-message: > + This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. + # The message that will be added as a comment to the issues + # when the stale workflow closes it automatically after being stale for too long. + close-issue-message: > + This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. + stale-issue-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-issue-labels: lifecycle/frozen,enhancement,good first issue + # The message that will be added as a comment to the pull requests + # when the stale workflow marks it automatically as stale with a label. + stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. \n" + # The message that will be added as a comment to the pull requests + # when the stale workflow closes it automatically after being stale for too long. + close-pr-message: "This pull request has been automatically closed because it has not had recent activity.You can reopen the PR if you want. \n" + stale-pr-label: lifecycle/stale + # Exclude them from being marked as stale + exempt-pr-labels: lifecycle/frozen,enhancement,good first issue + # The issues or the pull requests with a milestone will not be marked as stale automatically + exempt-all-milestones: true + # Learn more about operations: https://github.com/actions/stale#operations-per-run. + operations-per-run: 250 
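Review bot: The two pull-request messages are now double-quoted scalars that end in an explicit ` \n` (`stale-pr-message: "… for your contributions. \n"` and `close-pr-message: "… if you want. \n"`), while `stale-issue-message` and `close-issue-message` in the same `with:` block keep the folded `>` form, so the four messages no longer share one style and the quoted ones bake a trailing space-plus-newline into every comment the action posts. Keep them consistent by writing `stale-pr-message: >` with the text on the following indented line, and the same for `close-pr-message`, which also drops the hand-written escape. While on those lines, `activity.You can reopen` in close-pr-message is missing a space after the period and that typo is visible in each closing comment.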
diff --git a/.github/workflows/tensorboard_controller_test.yaml b/.github/workflows/tensorboard_controller_test.yaml index 9e1104fce7..69c044db9a 100644 --- a/.github/workflows/tensorboard_controller_test.yaml +++ b/.github/workflows/tensorboard_controller_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply Tensorboard Controller manifests in KinD on: pull_request: paths: - - .github/workflows/tensorboard_controller_test.yaml - - apps/tensorboard/tensorboard-controller/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/tensorboard_controller_test.yaml + - apps/tensorboard/tensorboard-controller/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: diff --git a/.github/workflows/tensorboards_web_application_test.yaml b/.github/workflows/tensorboards_web_application_test.yaml index b74640325b..a0072655d4 100644 --- a/.github/workflows/tensorboards_web_application_test.yaml +++ b/.github/workflows/tensorboards_web_application_test.yaml @@ -2,13 +2,13 @@ name: Build & Apply TWA manifests in KinD on: pull_request: paths: - - .github/workflows/tensorboards_web_application_test.yaml - - apps/tensorboard/tensorboards-web-app/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/tensorboards_web_application_test.yaml + - apps/tensorboard/tensorboards-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: 
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index 5be7d5dffe..e9b107beb1 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -2,14 +2,14 @@ name: Build & Apply Training Operator manifests in KinD on: pull_request: paths: - - .github/workflows/training_operator_test.yaml - - apps/training-operator/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** - - tests/gh-actions/kf-objects/tfjob.yaml + - .github/workflows/training_operator_test.yaml + - apps/training-operator/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** + - tests/gh-actions/kf-objects/tfjob.yaml jobs: build: diff --git a/.github/workflows/triage_issues.yaml b/.github/workflows/triage_issues.yaml index 5d4551ce97..17f0891020 100644 --- a/.github/workflows/triage_issues.yaml +++ b/.github/workflows/triage_issues.yaml @@ -10,10 +10,10 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Update Kanban - uses: kubeflow/code-intelligence/Issue_Triage/action@master - with: - # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value - ISSUE_NUMBER: ${{ github.event.issue.number }} - GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} + - name: Update Kanban + uses: kubeflow/code-intelligence/Issue_Triage/action@master + with: + # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value + ISSUE_NUMBER: ${{ github.event.issue.number }} + GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index f10d0ee828..573912705c 100644 --- a/.github/workflows/trivy.yaml 
+++ b/.github/workflows/trivy.yaml @@ -3,48 +3,48 @@ name: Image Extracting and Security Scanning on: push: branches: - - master + - master jobs: image-extraction-and-security-scan: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v3 - - # Install kustomize - - name: Install kustomize - run: | - sudo apt update - sudo apt install snapd - sudo snap install kustomize - - # Install trivy - - name: Install trivy - run: | - sudo apt update - sudo snap install trivy - - # Install Python - - name: Setup Python - uses: actions/setup-python@v5 - with: - python-version: '3.12' - - # Install prettytable package - - name: Install prettytable - run: | - pip install prettytable - - - name: Run image extracting and security scanning script - run: | - cd hack - python3 trivy_scan.py - - # - name: Upload trivy scanned_results - # uses: actions/upload-artifact@v4 - # with: - # name: trivy_scanned_results - # path: image_lists/ - - + - name: Checkout code + uses: actions/checkout@v3 + + # Install kustomize + - name: Install kustomize + run: | + sudo apt update + sudo apt install snapd + sudo snap install kustomize + + # Install trivy + - name: Install trivy + run: | + sudo apt update + sudo snap install trivy + + # Install Python + - name: Setup Python + uses: actions/setup-python@v5 + with: + python-version: '3.12' + + # Install prettytable package + - name: Install prettytable + run: | + pip install prettytable + + - name: Run image extracting and security scanning script + run: | + cd hack + python3 trivy_scan.py + + # - name: Upload trivy scanned_results + # uses: actions/upload-artifact@v4 + # with: + # name: trivy_scanned_results + # path: image_lists/ + + diff --git a/.github/workflows/volumes_web_application_test.yaml b/.github/workflows/volumes_web_application_test.yaml index ee832b0aab..4165b90faa 100644 --- a/.github/workflows/volumes_web_application_test.yaml +++ b/.github/workflows/volumes_web_application_test.yaml 
@@ -2,13 +2,13 @@ name: Build & Apply VWA manifests in KinD on: pull_request: paths: - - .github/workflows/volumes_web_application_test.yaml - - apps/volumes-web-app/upstream/** - - tests/gh-actions/kind-cluster.yaml - - tests/gh-actions/install_kind.sh - - tests/gh-actions/install_kustomize.sh - - tests/gh-actions/install_istio.sh - - common/istio*/** + - .github/workflows/volumes_web_application_test.yaml + - apps/volumes-web-app/upstream/** + - tests/gh-actions/kind-cluster.yaml + - tests/gh-actions/install_kind.sh + - tests/gh-actions/install_kustomize.sh + - tests/gh-actions/install_istio.sh + - common/istio*/** jobs: build: From 0f7404200185e05436613daee4bdbb3ffd6cd08f Mon Sep 17 00:00:00 2001 From: Hansini Karunarathne <107214435+hansinikarunarathne@users.noreply.github.com> Date: Tue, 30 Jul 2024 19:44:55 +0530 Subject: [PATCH 11/12] Add changes from comit: 08f217c1bfb232ebeb05d12f9aa17d5f848c19bb Signed-off-by: Tom Zaspel <40226087+tzabbi@users.noreply.github.com> --- .../linting_bash_python_yaml_files.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/linting_bash_python_yaml_files.yaml b/.github/workflows/linting_bash_python_yaml_files.yaml index f49d53ab10..bd38c1eea4 100644 --- a/.github/workflows/linting_bash_python_yaml_files.yaml +++ b/.github/workflows/linting_bash_python_yaml_files.yaml 
@@ -11,19 +11,17 @@ jobs: - name: Python Files Formatting Guidelines run: | echo "### Python Files Formatting Guidelines ### - If there is a formatting error in your python files, - 1. First install black + If there is a formatting error in your python files, + 1. First install black It requires Python 3.8+ to run. Install with 'pip install black' and if you use pipx, install Black with 'pipx install black'. If you want to format Jupyter Notebooks, install with 'pip install black[jupyter]'. - 2. Run the command + 2. Run the command 'python -m black {source_file_or_directory}' or - 'black {source_file_or_directory}' - to format python files. + 'black {source_file_or_directory}' + to format python files. " - - - uses: psf/black@stable with: src: | @@ -46,11 +44,12 @@ jobs: If there is a formatting error in your YAML file, you will see errors like the one below: 'Error: 6:4 [indentation] wrong indentation: expected 2 but found 3' + 6:4 means line 6, column 4. + To fix these errors, refer to the YAML formatting rules at: https://yamllint.readthedocs.io/en/stable/rules.html# Search for the keyword inside the brackets [] in the error message. In this example, it's 'indentation'. - Note: Some rules have been customized in the '.yamllint.yaml' file. Below is the content of that file: extends: default @@ -72,7 +71,7 @@ jobs: - name: Set up changed files id: changed_files run: | - git diff --name-only origin/master...HEAD | grep -E '^common/.*\.ya?ml$|^example/.*\.ya?ml$' > changed_files_in_PR.txt || true + git diff --name-status origin/master...HEAD | grep -E '^[AM].*\.(yaml|yml)$' | awk '{print $2}' > changed_files_in_PR.txt || true if [ ! -s changed_files_in_PR.txt ]; then echo "No YAML files have changed in this PR." > changed_files_in_PR.txt fi 
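Review bot: In the YAML job's `Set up changed files` step (the `@@ -72,7 +71,7 @@` hunk), the new `git diff --name-status … | grep -E '^[AM].*\.(yaml|yml)$' | awk '{print $2}'` pipeline drops renamed files: `--name-status` reports a rename as `R<score>` followed by the old and new path, so the `^[AM]` filter skips a renamed-and-edited manifest, and even if it matched, `awk '{print $2}'` would hand the linter the old path; any path containing whitespace is truncated the same way. The change also widens the linted set from `common/` and `example/` to every YAML file in the repository, which may be intended but is not mentioned in the commit message. `git diff --name-only --diff-filter=AM origin/master...HEAD | grep -E '\.(yaml|yml)$' > changed_files_in_PR.txt || true` selects the same added/modified files without the status column or the field split (add `R` to `--diff-filter` if renamed files should be linted under their new path). The step's `run:` block continues past the end of the hunk.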
@@ -120,7 +119,7 @@ jobs: - name: Set up changed files id: changed_files run: | - git diff --name-only origin/master...HEAD | grep -E '^.*\.sh$' | grep -v '^apps/' > changed_files_in_PR.txt || true + git diff --name-only origin/master...HEAD | grep -E '^[AM].*\.sh$' | grep -v '^apps/' | awk '{print $2}' > changed_files_in_PR.txt || true if [ ! -s changed_files_in_PR.txt ]; then echo "No bash files have changed in this PR." fi From 5784fca75ed31f2377c4827ba465e66d93385d4c Mon Sep 17 00:00:00 2001 From: Tom Zaspel Date: Wed, 31 Jul 2024 20:02:55 +0200 Subject: [PATCH 12/12] Fix even more lint issues Signed-off-by: Tom Zaspel --- .github/workflows/dex_test.yaml | 4 ++-- .github/workflows/manifests_example_test.yaml | 1 - .github/workflows/model_registry_test.yaml | 4 ++-- .github/workflows/stale.yaml | 8 ++++---- .github/workflows/triage_issues.yaml | 3 +-- .github/workflows/trivy.yaml | 2 -- 6 files changed, 9 insertions(+), 13 deletions(-) diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml index 8153edc32b..f06bd0e7a4 100644 --- a/.github/workflows/dex_test.yaml +++ b/.github/workflows/dex_test.yaml @@ -42,5 +42,5 @@ jobs: - name: test dex login run: | - pip3 install requests - ./tests/gh-actions/test_dex_login.py + pip3 install requests + ./tests/gh-actions/test_dex_login.py diff --git a/.github/workflows/manifests_example_test.yaml b/.github/workflows/manifests_example_test.yaml index 12b6476e41..55ed3ce040 100644 --- a/.github/workflows/manifests_example_test.yaml +++ b/.github/workflows/manifests_example_test.yaml @@ -19,4 +19,3 @@ jobs: - name: Unit Test run: | kustomize build example - diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml index bc6a857ee4..e3c59aa6cb 100644 --- a/.github/workflows/model_registry_test.yaml +++ b/.github/workflows/model_registry_test.yaml 
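Review bot: The bash job's new pipeline `git diff --name-only origin/master...HEAD | grep -E '^[AM].*\.sh$' | grep -v '^apps/' | awk '{print $2}'` can effectively never yield a file: `--name-only` prints bare paths with no status column, so `^[AM]` matches only paths that happen to begin with the letter A or M, and `awk '{print $2}'` then prints the empty second field of whatever survives. In practice `changed_files_in_PR.txt` stays empty, the step reports "No bash files have changed in this PR." and the shell lint is silently skipped on every pull request, which is a quiet loss of a CI check rather than a loud failure. It looks like the `--name-status` form from the YAML job's hunk was half-copied; `git diff --name-only --diff-filter=AM origin/master...HEAD | grep -E '\.sh$' | grep -v '^apps/' > changed_files_in_PR.txt || true` restores the added/modified filter without the status column. The step's `run:` block continues past the end of the hunk.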
@@ -1,4 +1,4 @@ -# If anyone changes or improve the following tests for Model Registry, please +# If anyone changes or improve the following tests for Model Registry, please # consider reflecting the same changes on https://github.com/kubeflow/model-registry name: Deploy and test Kubeflow Model Registry on: @@ -61,7 +61,7 @@ jobs: 'http://localhost:8081/api/model_registry/v1alpha3/registered_models?pageSize=100&orderBy=ID&sortOrder=DESC' \ -H 'accept: application/json' - # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup + # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup - name: Port forward Istio gateway run: | INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index 0688b0e5c6..e56901a44c 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml 
@@ -22,21 +22,21 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} days-before-stale: 60 days-before-close: 21 - # The message that will be added as a comment to the issues + # The message that will be added as a comment to the issues # when the stale workflow marks it automatically as stale with a label. stale-issue-message: > This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. - # The message that will be added as a comment to the issues + # The message that will be added as a comment to the issues # when the stale workflow closes it automatically after being stale for too long. close-issue-message: > This issue has been automatically closed because it has not had recent activity. Please comment "/reopen" to reopen it. stale-issue-label: lifecycle/stale # Exclude them from being marked as stale exempt-issue-labels: lifecycle/frozen,enhancement,good first issue - # The message that will be added as a comment to the pull requests + # The message that will be added as a comment to the pull requests # when the stale workflow marks it automatically as stale with a label. stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. \n" - # The message that will be added as a comment to the pull requests + # The message that will be added as a comment to the pull requests # when the stale workflow closes it automatically after being stale for too long. close-pr-message: "This pull request has been automatically closed because it has not had recent activity.You can reopen the PR if you want. \n" stale-pr-label: lifecycle/stale diff --git a/.github/workflows/triage_issues.yaml b/.github/workflows/triage_issues.yaml index 17f0891020..14bcb4703b 100644 --- a/.github/workflows/triage_issues.yaml 
+++ b/.github/workflows/triage_issues.yaml @@ -1,4 +1,4 @@ -# Define a GitHub action workflow to determine whether issues +# Define a GitHub action workflow to determine whether issues # should be added or removed from the Needs Triage Kanban board. name: Check Triage Status of Issue on: @@ -16,4 +16,3 @@ jobs: # Letting input NEEDS_TRIAGE_PROJECT_CARD_ID use the default value ISSUE_NUMBER: ${{ github.event.issue.number }} GITHUB_PERSONAL_ACCESS_TOKEN: ${{ secrets.triage_projects_github_token }} - diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml index 573912705c..99bfa64265 100644 --- a/.github/workflows/trivy.yaml +++ b/.github/workflows/trivy.yaml @@ -46,5 +46,3 @@ jobs: # with: # name: trivy_scanned_results # path: image_lists/ - -