Document secure Kserve authentication via automated tests #53
Workflow file for this run
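# CI check for the Dex + oauth2-proxy authentication stack.
# Builds the manifests with kustomize, applies them to a KinD cluster on the
# runner, exercises the Dex login flow, and then applies the Pod Security
# Standards (baseline first, restricted afterwards) to the static namespaces.
name: Build & Apply Dex manifests in KinD
on:
  pull_request:
    paths:
      - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
      - .github/workflows/dex_oauth2-proxy.yaml
      - common/cert-manager/**
      - common/oauth2-proxy/**
      - common/istio*/**
      - experimental/security/PSS/*
      - common/dex/base/**
      - tests/gh-actions/install_istio*.sh

# Least privilege for GITHUB_TOKEN: the steps visible here only check out the
# repository, so read-only access to contents is enough.
# NOTE(review): confirm that none of the scripts under tests/gh-actions/ rely
# on a broader token scope.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    defaults:
      run:
        # An explicit bash shell makes GitHub run steps with `-eo pipefail`,
        # so a failing `kustomize build` is not hidden behind the exit status
        # of the `kubectl apply` it is piped into.
        shell: bash
    steps:
      - name: Checkout
        # NOTE(review): `v4` is a mutable tag. Pinning third-party actions to
        # a full commit SHA protects the job against a re-pointed tag.
        uses: actions/checkout@v4

      - name: Install KinD, Create KinD cluster and Install kustomize
        run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh

      - name: Install cert-manager
        run: ./tests/gh-actions/install_cert_manager.sh

      - name: Install Istio CNI
        run: ./tests/gh-actions/install_istio-cni.sh

      - name: Install oauth2-proxy
        run: ./tests/gh-actions/install_oauth2-proxy.sh

      - name: Create kubeflow namespace
        run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -

      - name: Install kubeflow-istio-resources
        run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -

      - name: Install KF Multi Tenancy
        run: ./tests/gh-actions/install_multi_tenancy.sh

      - name: Install dex
        run: |
          echo "Installing Dex..."
          kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f -
          echo "Waiting for pods in auth namespace to become ready..."
          kubectl wait --for=condition=ready pods --all --timeout=180s -n auth

      - name: Install central-dashboard
        run: |
          kustomize build apps/centraldashboard/upstream/overlays/kserve | kubectl apply -f -
          kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s

      - name: Create KF Profile
        run: |
          kustomize build common/user-namespace/base | kubectl apply -f -
          sleep 30 # for the Profile controller to create the namespace from the profile
          PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] | select(.metadata.name | startswith("profiles-deployment")) | .metadata.name')
          if [[ -z "$PROFILE_CONTROLLER_POD" ]]; then
            # Diagnostics go to stderr so they are not mistaken for step output.
            echo "Error: profiles-deployment pod not found in kubeflow namespace." >&2
            exit 1
          fi
          kubectl logs -n kubeflow "$PROFILE_CONTROLLER_POD"
          KF_PROFILE=kubeflow-user-example-com
          # The default table output lists Secret names and types only. Keep it
          # that way: `-o yaml` or `-o json` would print Secret data into the
          # CI log.
          kubectl -n "$KF_PROFILE" get pods,configmaps,secrets

      - name: port forward
        run: |
          ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
          nohup kubectl port-forward --namespace istio-system "svc/${ingress_gateway_service}" 8080:80 &
          # Bounded wait (120 attempts, one second apart) so that a broken
          # gateway fails this step with a clear message instead of spinning
          # until the job-level timeout.
          port_forward_ready=false
          for _ in {1..120}; do
            if curl localhost:8080; then
              port_forward_ready=true
              break
            fi
            echo waiting for port-forwarding
            sleep 1
          done
          if [[ "$port_forward_ready" != true ]]; then
            echo "Error: port-forwarding to the ingress gateway did not become ready." >&2
            exit 1
          fi
          echo port-forwarding ready

      - name: test dex login
        run: |
          # NOTE(review): `requests` is installed unpinned; pinning a version
          # (ideally with hashes) keeps the login test reproducible and limits
          # exposure to a bad upstream release.
          pip3 install requests
          ./tests/gh-actions/test_dex_login.py

      - name: Apply Pod Security Standards baseline levels for static namespaces
        run: ./tests/gh-actions/enable_baseline_PSS.sh

      - name: Unapply applied baseline labels
        run: |
          # The trailing "-" removes the enforce label from each namespace that
          # exists, presumably so the restricted level below starts from
          # unlabelled namespaces (confirm against enable_restricted_PSS.sh).
          NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow")
          for NAMESPACE in "${NAMESPACES[@]}"; do
            if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
              kubectl label namespace "$NAMESPACE" pod-security.kubernetes.io/enforce-
            fi
          done

      - name: Applying Pod Security Standards restricted levels for static namespaces
        run: ./tests/gh-actions/enable_restricted_PSS.sh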