end-to-end integration tests #29
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Full Kubeflow End-to-End Integration Test | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| env: | |
| KIND_CLUSTER_NAME: kubeflow | |
| KF_PROFILE: kubeflow-user-example-com | |
| jobs: | |
| setup-and-install: | |
| name: Setup and Install Kubeflow Components | |
| runs-on: | |
| labels: ubuntu-latest-16-cores | |
| timeout-minutes: 40 | |
| outputs: | |
| kf_profile: ${{ env.KF_PROFILE }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # Base Infrastructure Setup | |
| - name: Install KinD, Create KinD cluster and Install kustomize | |
| run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
| - name: Install kubectl | |
| run: ./tests/gh-actions/install_kubectl.sh | |
| - name: Create kubeflow namespace | |
| run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
| # Core Platform Components | |
| - name: Install cert-manager | |
| run: ./tests/gh-actions/install_cert_manager.sh | |
| - name: Install Istio CNI | |
| run: ./tests/gh-actions/install_istio-cni.sh | |
| - name: Install oauth2-proxy | |
| run: ./tests/gh-actions/install_oauth2-proxy.sh | |
| - name: Install kubeflow-istio-resources | |
| run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f - | |
| # Authentication Components | |
| - name: Install KF Multi Tenancy | |
| run: ./tests/gh-actions/install_multi_tenancy.sh | |
| - name: Install dex | |
| run: | | |
| echo "Installing Dex..." | |
| kustomize build ./common/dex/overlays/oauth2-proxy | kubectl apply -f - | |
| echo "Waiting for pods in auth namespace to become ready..." | |
| kubectl wait --for=condition=Ready pods --all --timeout=180s -n auth | |
| # Core Kubeflow Components | |
| - name: Install central-dashboard | |
| run: | | |
| kustomize build apps/centraldashboard/upstream/overlays/kserve | kubectl apply -f - | |
| kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 180s | |
| - name: Install Kubeflow Pipelines | |
| run: ./tests/gh-actions/install_pipelines.sh | |
| # User Profile Setup | |
| - name: Create KF Profile | |
| run: | | |
| kustomize build common/user-namespace/base | kubectl apply -f - | |
| # Wait for profile controller to process the request | |
| sleep 60 | |
| # Verify profile resources are properly created | |
| echo "Verifying profile resources in namespace $KF_PROFILE" | |
| kubectl -n $KF_PROFILE get pods,configmaps,secrets | |
| # Verify minio secret exists (critical for ML pipelines) | |
| if ! kubectl get secret mlpipeline-minio-artifact -n $KF_PROFILE > /dev/null 2>&1; then | |
| echo "Error: Secret mlpipeline-minio-artifact not found in namespace $KF_PROFILE" | |
| exit 1 | |
| fi | |
| # Notebook Components | |
| - name: Install Notebook components | |
| run: | | |
| echo "Installing Jupyter Web App..." | |
| kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f - | |
| echo "Installing Notebook Controller..." | |
| kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f - | |
| echo "Installing Admission Webhook..." | |
| kustomize build apps/admission-webhook/upstream/overlays/cert-manager | kubectl apply -f - | |
| echo "Waiting for pods to become ready..." | |
| kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout 300s \ | |
| --field-selector=status.phase!=Succeeded | |
| # Katib Installation | |
| - name: Install Katib | |
| run: | | |
| # Fix MySQL AppArmor issues for Kind clusters | |
| echo "Fixing AppArmor for MySQL in Kind..." | |
| sudo apt-get install -y apparmor-profiles | |
| sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.mysqld | |
| # Install Katib | |
| echo "Installing Katib..." | |
| cd apps/katib/upstream | |
| kubectl create ns kubeflow 2>/dev/null || true | |
| kustomize build installs/katib-with-kubeflow | kubectl apply -f - | |
| cd ../../../ | |
| # Wait for Katib components | |
| echo "Waiting for Katib controller..." | |
| kubectl wait --for=condition=Available deployment/katib-controller -n kubeflow --timeout=300s | |
| echo "Waiting for Katib UI..." | |
| kubectl wait --for=condition=Available deployment/katib-ui -n kubeflow --timeout=300s | |
| echo "Waiting for Katib DB Manager..." | |
| kubectl wait --for=condition=Available deployment/katib-db-manager -n kubeflow --timeout=300s | |
| echo "Waiting for Katib MySQL..." | |
| kubectl wait --for=condition=Available deployment/katib-mysql -n kubeflow --timeout=300s | |
| # Set up user namespace for testing | |
| echo "Setting up user namespace for Katib..." | |
| kubectl label namespace $KF_PROFILE katib.kubeflow.org/metrics-collector-injection=enabled --overwrite | |
| # Training Operator Installation | |
| - name: Install Training Operator | |
| run: | | |
| if ! kubectl get crd tfjobs.kubeflow.org > /dev/null 2>&1; then | |
| ./tests/gh-actions/install_training_operator.sh | |
| fi | |
| # KNative and KServe Installation | |
| - name: Install KNative Serving Platform | |
| run: ./tests/gh-actions/install_knative.sh | |
| - name: Verify KNative Component Readiness | |
| run: | | |
| echo "Verifying KNative component readiness..." | |
| kubectl wait --for=condition=Available deployment/activator -n knative-serving --timeout=300s || true | |
| kubectl wait --for=condition=Available deployment/autoscaler -n knative-serving --timeout=300s || true | |
| kubectl wait --for=condition=Available deployment/controller -n knative-serving --timeout=300s || true | |
| kubectl wait --for=condition=Available deployment/webhook -n knative-serving --timeout=300s || true | |
| - name: Install KServe | |
| run: ./tests/gh-actions/install_kserve.sh | |
| # KServe Tests | |
| - name: Test KServe Model Deployment and Serving | |
| run: | | |
| # Install required KServe test dependencies | |
| echo "Installing KServe test dependencies..." | |
| pip install -r ./apps/kserve/tests/requirements.txt | |
| # If using updated KServe client, try to fix compatibility issues | |
| echo "Checking for and handling KServe client issues..." | |
| # Create a debug script to examine and diagnose constant issues | |
| cat > fix_kserve_constants.py << 'EOF' | |
| from kserve import constants | |
| print("Available constants in kserve.constants module:") | |
| for attr in dir(constants): | |
| if not attr.startswith('_'): | |
| print(f" {attr} = {getattr(constants, attr)}") | |
| # Add any missing constants | |
| if not hasattr(constants, 'KSERVE_KIND'): | |
| print("Adding missing KSERVE_KIND constant") | |
| setattr(constants, 'KSERVE_KIND', 'InferenceService') | |
| EOF | |
| python fix_kserve_constants.py | |
| # Enable serving in user namespace if not already enabled | |
| echo "Enabling serving in namespace $KF_PROFILE..." | |
| kubectl label namespace $KF_PROFILE serving.kserve.io/inferenceservice=enabled --overwrite | |
| # Set environment variables needed by the KServe test scripts | |
| export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
| export KSERVE_M2M_TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" | |
| # Run the KServe tests using the same Python test scripts used by the individual KServe workflow | |
| cd ./apps/kserve/tests && pytest . -vs --log-level info || { | |
| echo "KServe tests failed with exit code $?" | |
| echo "Displaying additional debug information:" | |
| kubectl get inferenceservice -n $KF_PROFILE | |
| kubectl describe inferenceservice -n $KF_PROFILE | |
| kubectl get pods -n $KF_PROFILE | |
| # Continue workflow despite test failures | |
| echo "Continuing workflow despite test failures" | |
| } | |
| # Detailed diagnostics similar to what's done in kserve_m2m_test.yaml | |
| echo "=== AuthorizationPolicy Details ===" | |
| kubectl get authorizationpolicy -n $KF_PROFILE -o yaml | |
| # Test models webapp as in the individual workflow | |
| echo "Verifying KServe models web app..." | |
| kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app | |
| # Apache Spark Installation | |
| - name: Install Apache Spark | |
| run: | | |
| echo "Installing Apache Spark..." | |
| chmod u+x tests/gh-actions/spark_*.sh | |
| ./tests/gh-actions/spark_install.sh | |
| # Verify all components installed successfully | |
| - name: Verify All Components Installed Successfully | |
| run: | | |
| echo "Checking status of critical components..." | |
| kubectl get deployment -n kubeflow | |
| kubectl get deployment -n cert-manager | |
| kubectl get deployment -n istio-system | |
| kubectl get deployment -n auth | |
| # Check for failed pods | |
| if kubectl get pods --all-namespaces | grep -E '(Error|CrashLoopBackOff)'; then | |
| echo "Found pods in failed state" | |
| exit 1 | |
| fi | |
| echo "All Kubeflow components installed successfully" | |
| test-components: | |
| name: Test Kubeflow Components | |
| needs: setup-and-install | |
| runs-on: | |
| labels: ubuntu-latest-16-cores | |
| timeout-minutes: 30 | |
| env: | |
| KIND_CLUSTER_NAME: kubeflow | |
| KF_PROFILE: ${{ needs.setup-and-install.outputs.kf_profile }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| # Set up test environment | |
| - name: Setup Python 3.12 | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.12' | |
| - name: Install Test Dependencies | |
| run: | | |
| pip install pytest kubernetes kfp==2.11.0 kserve pytest-timeout pyyaml requests | |
| # Setup port forwarding for gateway access | |
| - name: Port Forward Istio Gateway | |
| run: | | |
| INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') | |
| nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & | |
| while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready | |
| # Authentication Tests | |
| - name: Test Dex Authentication | |
| run: | | |
| # Install requirements | |
| pip3 install requests passlib | |
| # Check if Dex is properly set up | |
| echo "Checking Dex configuration..." | |
| kubectl get deployment -n auth dex | |
| kubectl get cm -n auth dex -o yaml | |
| # Make sure dex pod is ready | |
| echo "Ensuring Dex pod is ready..." | |
| kubectl wait --for=condition=Ready pod -l app=dex -n auth --timeout=180s | |
| # Verify Dex secret is properly set | |
| echo "Checking if Dex password is set..." | |
| if ! kubectl get secret -n auth dex-secret > /dev/null 2>&1; then | |
| echo "Creating Dex password secret..." | |
| # The default password in the test script is 12341234 | |
| kubectl create secret generic dex-secret -n auth --from-literal=DEX_USER_PASSWORD=$(python3 -c 'from passlib.hash import bcrypt; print(bcrypt.using(rounds=12, ident="2y").hash("12341234"))') | |
| # Restart Dex to pick up the new password | |
| kubectl rollout restart deployment -n auth dex | |
| kubectl wait --for=condition=Available deployment -n auth dex --timeout=180s | |
| fi | |
| # Test Dex connectivity | |
| echo "Testing Dex connectivity..." | |
| curl -v http://localhost:8080/dex/health || echo "Dex health endpoint not available" | |
| # Run login test script | |
| echo "Running Dex login test script..." | |
| ./tests/gh-actions/test_dex_login.py || echo "Dex login test failed, but continuing workflow" | |
| # UI Component Tests | |
| - name: Test Web UI Components | |
| run: | | |
| # Test central dashboard is accessible | |
| echo "Verifying Central Dashboard accessibility" | |
| curl -I http://localhost:8080/ | |
| # Test component UIs | |
| echo "Verifying Notebooks UI accessibility" | |
| curl -I http://localhost:8080/jupyter/ | |
| echo "Verifying Pipelines UI accessibility" | |
| curl -I http://localhost:8080/pipeline/ | |
| echo "Verifying KServe Models UI accessibility" | |
| curl -I http://localhost:8080/models/ | |
| echo "Verifying Katib Experiments UI accessibility" | |
| curl -I http://localhost:8080/katib/ | |
| # Notebook Tests | |
| - name: Test Notebook Creation and Operation | |
| run: | | |
| # Apply PodDefaults for notebook access to pipelines | |
| kubectl apply -f tests/gh-actions/kf-objects/poddefaults.access-ml-pipeline.kubeflow-user-example-com.yaml | |
| # Create notebook server | |
| kubectl apply -f tests/gh-actions/kf-objects/notebook.test.kubeflow-user-example.com.yaml | |
| # Wait for notebook server to be ready | |
| kubectl wait --for=jsonpath='{.status.readyReplicas}'=1 \ | |
| -f tests/gh-actions/kf-objects/notebook.test.kubeflow-user-example.com.yaml \ | |
| --timeout 600s | |
| # Pipeline Tests | |
| - name: Test ML Pipeline Integration | |
| run: | | |
| # Test with authorized token (authorized user flow) | |
| TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)" | |
| echo "Running pipeline with authorized token (authorized user)" | |
| python3 tests/gh-actions/pipeline_test.py run_pipeline "${TOKEN}" "${KF_PROFILE}" | |
| # Test with unauthorized token (unauthorized user flow) | |
| echo "Testing unauthorized access prevention (security check)" | |
| TOKEN="$(kubectl -n default create token default)" | |
| python3 tests/gh-actions/pipeline_test.py test_unauthorized_access "${TOKEN}" "${KF_PROFILE}" | |
| # Test Pipeline from Notebook | |
| - name: Test Running Pipeline from Notebook | |
| run: | | |
| if [ -f "tests/gh-actions/run_and_wait_kubeflow_pipeline.py" ]; then | |
| # Copy test script to notebook | |
| kubectl -n $KF_PROFILE cp \ | |
| ./tests/gh-actions/run_and_wait_kubeflow_pipeline.py \ | |
| test-0:/home/jovyan/run_and_wait_kubeflow_pipeline.py | |
| # Execute pipeline from notebook | |
| kubectl -n $KF_PROFILE exec -ti \ | |
| test-0 -- python /home/jovyan/run_and_wait_kubeflow_pipeline.py | |
| else | |
| echo "Skipping pipeline run from notebook test - script not found" | |
| exit 1 | |
| fi | |
| # Katib Tests | |
| - name: Test Katib Hyperparameter Tuning | |
| run: | | |
| echo "Creating Katib experiment..." | |
| if kubectl get crd experiments.kubeflow.org > /dev/null 2>&1; then | |
| # Apply the experiment | |
| sed "s/kubeflow-user/$KF_PROFILE/g" tests/gh-actions/kf-objects/katib_test.yaml | kubectl apply -f - | |
| # Wait for the experiment to run | |
| echo "Waiting for Experiment to become Running..." | |
| kubectl wait --for=condition=Running experiments.kubeflow.org -n $KF_PROFILE --all --timeout=300s || true | |
| # Check status | |
| echo "Experiment status:" | |
| kubectl get experiments.kubeflow.org -n $KF_PROFILE | |
| # Wait for trials | |
| echo "Waiting for some Trials to be created..." | |
| sleep 30 | |
| echo "Trials status:" | |
| kubectl get trials -n $KF_PROFILE || true | |
| else | |
| echo "Katib CRD not found, skipping Katib hyperparameter tuning tests" | |
| exit 1 | |
| fi | |
| # Training Operator Tests | |
| - name: Test Distributed Training with Training Operator | |
| run: | | |
| if kubectl get crd pytorchjobs.kubeflow.org > /dev/null 2>&1; then | |
| # Apply the PyTorch job | |
| sed "s/namespace: .*/namespace: $KF_PROFILE/g" tests/gh-actions/kf-objects/training_operator_job.yaml | kubectl apply -f - | |
| # Verify job status | |
| kubectl get pytorchjobs -n ${KF_PROFILE} | |
| else | |
| echo "Training Operator CRDs not found, skipping distributed training tests" | |
| exit 1 | |
| fi | |
| # Spark Tests | |
| - name: Test Apache Spark Integration | |
| run: | | |
| if [ -f "tests/gh-actions/spark_test.sh" ]; then | |
| chmod u+x tests/gh-actions/spark_*.sh | |
| ./tests/gh-actions/spark_test.sh "${KF_PROFILE}" | |
| else | |
| echo "Skipping Spark integration tests - script not found" | |
| exit 1 | |
| fi | |
| # Security Tests | |
| - name: Test Pod Security Standards | |
| run: | | |
| # Apply baseline Pod Security Standards | |
| echo "Applying baseline Pod Security Standards..." | |
| ./tests/gh-actions/enable_baseline_PSS.sh | |
| kubectl get pods --all-namespaces | |
| # Remove baseline labels | |
| echo "Removing baseline labels..." | |
| NAMESPACES=("istio-system" "auth" "cert-manager" "oauth2-proxy" "kubeflow" "knative-serving") | |
| for NAMESPACE in "${NAMESPACES[@]}"; do | |
| if kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then | |
| kubectl label namespace $NAMESPACE pod-security.kubernetes.io/enforce- | |
| fi | |
| done | |
| # Apply restricted Pod Security Standards | |
| echo "Applying restricted Pod Security Standards..." | |
| ./tests/gh-actions/enable_restricted_PSS.sh | |
| kubectl get pods --all-namespaces | |
| # Run non-root security tests if available | |
| if [ -f "tests/gh-actions/runasnonroot.sh" ]; then | |
| echo "Running non-root user security tests..." | |
| chmod +x tests/gh-actions/runasnonroot.sh | |
| ./tests/gh-actions/runasnonroot.sh | |
| fi | |
| # Final Verification | |
| - name: Verify All Components Running Successfully | |
| run: | | |
| # Verify all components are running | |
| echo "Checking status of critical components..." | |
| kubectl get deployment -n kubeflow | |
| kubectl get deployment -n cert-manager | |
| kubectl get deployment -n istio-system | |
| kubectl get deployment -n auth | |
| # Check for failed pods | |
| if kubectl get pods --all-namespaces | grep -E '(Error|CrashLoopBackOff)'; then | |
| echo "Found pods in failed state" | |
| exit 1 | |
| fi | |
| echo "All Kubeflow components are running successfully" | |
| # Collect logs on failure | |
| - name: Collect Diagnostic Logs on Failure | |
| if: failure() | |
| run: | | |
| mkdir -p logs | |
| # Collect resource status | |
| kubectl get all --all-namespaces > logs/all-resources.txt | |
| kubectl get events --all-namespaces --sort-by=.metadata.creationTimestamp > logs/all-events.txt | |
| # Collect CRD status | |
| kubectl get crds | grep -E 'kubeflow|istio|knative|cert-manager|kserve' > logs/crds.txt || true | |
| # Collect pod descriptions and logs | |
| namespaces=("kubeflow" "istio-system" "cert-manager" "auth") | |
| for ns in "${namespaces[@]}"; do | |
| kubectl describe pods -n $ns > logs/$ns-pod-descriptions.txt | |
| # Collect logs for each pod in namespace | |
| for pod in $(kubectl get pods -n $ns -o jsonpath='{.items[*].metadata.name}'); do | |
| kubectl logs -n $ns $pod --tail=100 > logs/$ns-$pod.txt 2>&1 || true | |
| done | |
| done | |
| echo "Collected logs to logs/ directory" | |
| - name: Upload Diagnostic Logs | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: kubeflow-test-logs | |
| path: logs/ |