feat: GitHub Actions workflow to test the KServe Models Web Application #643

Workflow file for this run

.github/workflows/kserve_test.yaml at 8708548

	name: Test KServe
	on:
	pull_request:
	paths:
	- tests/install_KinD_create_KinD_cluster_install_kustomize.sh
	- .github/workflows/kserve_test.yaml
	- applications/kserve/**
	- apps/kserve/**
	- tests/kserve/**
	- tests/kserve_test.sh
	- tests/kserve_install.sh
	- tests/kserve_jwt_authentication_test.sh
	- common/istio/*
	- common/oauth2-proxy/**
	- tests/oauth2-proxy_install.sh
	- common/cert-manager/**
	- tests/istio*
	- common/knative/**
	- tests/knative_install.sh
	- tests/authenticationtest.sh
	- tests/final_validation.sh

	permissions:
	contents: read
	actions: read

	jobs:
	test-basic-kserve:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install KinD, Create KinD cluster and Install kustomize
	run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh

	- name: Install kubectl
	run: ./tests/kubectl_install.sh

	- name: Create kubeflow namespace
	run: kustomize build common/kubeflow-namespace/base \| kubectl apply -f -

	- name: Install Istio CNI
	run: ./tests/istio-cni_install.sh

	- name: Install oauth2-proxy
	run: ./tests/oauth2-proxy_install.sh

	- name: Install cert-manager
	run: ./tests/cert_manager_install.sh

	- name: Install knative CNI
	run: ./tests/knative_install.sh

	- name: Install KServe
	run: ./tests/kserve_install.sh

	- name: Install KF Multi Tenancy
	run: ./tests/multi_tenancy_install.sh

	- name: Install kubeflow-istio-resources
	run: kustomize build common/istio/kubeflow-istio-resources/base \| kubectl apply -f -

	- name: Create KF Profile
	run: ./tests/kubeflow_profile_install.sh

	- name: Setup python 3.12
	uses: actions/setup-python@v4
	with:
	python-version: 3.12

	- name: Port forward
	run: ./tests/port_forward_gateway.sh

	- name: Run KServe tests
	run: ./tests/kserve_test.sh kubeflow-user-example-com

	- name: Detailed KServe Access Diagnostics
	run: \|
	export KSERVE_INGRESS_HOST_PORT=localhost:8080
	export KSERVE_M2M_TOKEN="$(kubectl -n kubeflow-user-example-com create token default-editor)"

	echo "=== AuthorizationPolicy Details ==="
	kubectl get authorizationpolicy -n kubeflow-user-example-com -o yaml

	echo "=== Detailed Curl Test ==="
	curl -vv \
	-H "Host: isvc-sklearn.kubeflow-user-example-com.example.com" \
	-H "Authorization: Bearer ${KSERVE_M2M_TOKEN}" \
	-H "Content-Type: application/json" \
	"http://${KSERVE_INGRESS_HOST_PORT}/v1/models/isvc-sklearn:predict" \
	-d '{"instances": [[6.8, 2.8, 4.8, 1.4], [6.0, 3.4, 4.5, 1.6]]}'

	- name: Run kserve models webapp test
	run: \|
	kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app

	- name: Apply Pod Security Standards restricted levels
	run: ./tests/PSS_enable.sh

	test-jwt-authentication:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install KinD, Create KinD cluster and Install kustomize
	run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh

	- name: Install kubectl
	run: ./tests/kubectl_install.sh

	- name: Create kubeflow namespace
	run: kustomize build common/kubeflow-namespace/base \| kubectl apply -f -

	- name: Install Istio CNI
	run: ./tests/istio-cni_install.sh

	- name: Install oauth2-proxy
	run: ./tests/oauth2-proxy_install.sh

	- name: Install knative CNI with secure cluster-local-gateway
	run: ./tests/knative_install.sh

	- name: Verify secure cluster-local-gateway configuration
	run: \|
	kubectl get authorizationpolicy,requestauthentication -n istio-system \| grep cluster-local-gateway
	kubectl get requestauthentication cluster-local-gateway-jwt -n istio-system -o yaml
	kubectl get authorizationpolicy cluster-local-gateway -n istio-system -o yaml
	kubectl get authorizationpolicy cluster-local-gateway-require-jwt -n istio-system -o yaml

	- name: Setup python 3.12
	uses: actions/setup-python@v4
	with:
	python-version: 3.12

	- name: Port forward
	run: ./tests/port_forward_gateway.sh

	- name: Wait for cluster-local-gateway to be ready
	run: \|
	kubectl wait --for=condition=Available --timeout=120s deployment/cluster-local-gateway -n istio-system
	sleep 100

	- name: Run Basic JWT Authentication Tests
	run: \|
	export KSERVE_INGRESS_HOST_PORT=localhost:8080
	curl -s -o /dev/null -w "%{http_code}" -H "Host: test.example.com" "http://localhost:8080/" \| grep -q "403"

	- name: Run Knative Service JWT Authentication Tests
	run: \|
	export KSERVE_INGRESS_HOST_PORT=localhost:8080
	./tests/knative_authentication_test.sh

	- name: Test External Access Configuration
	run: \|
	export KSERVE_INGRESS_HOST_PORT=localhost:8080
	./tests/kserve_setup_external_access.sh kubeflow-user-example-com secure-model-predictor
	# Test external access pattern
	TOKEN=$(kubectl -n kubeflow-user-example-com create token default-editor)
	RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
	-H "Authorization: Bearer $TOKEN" \
	-H "Content-Type: application/json" \
	"http://localhost:8080/kserve/kubeflow-user-example-com/secure-model-predictor/" \
	2>/dev/null \|\| echo "404")
	if [ "$RESPONSE" != "404" ] && [ "$RESPONSE" != "200" ] && [ "$RESPONSE" != "503" ]; then
	exit 1
	fi

	- name: Apply Pod Security Standards restricted levels
	run: ./tests/PSS_enable.sh

	test-secure-authentication:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install KinD, Create KinD cluster and Install kustomize
	run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh

	- name: Install kubectl
	run: ./tests/kubectl_install.sh

	- name: Create kubeflow namespace
	run: kustomize build common/kubeflow-namespace/base \| kubectl apply -f -

	- name: Install Istio CNI
	run: ./tests/istio-cni_install.sh

	- name: Install oauth2-proxy
	run: ./tests/oauth2-proxy_install.sh

	- name: Install cert-manager
	run: ./tests/cert_manager_install.sh

	- name: Install knative CNI (with secure cluster-local-gateway)
	run: ./tests/knative_install.sh

	- name: Install KServe
	run: ./tests/kserve_install.sh

	- name: Install KF Multi Tenancy
	run: ./tests/multi_tenancy_install.sh

	- name: Install kubeflow-istio-resources
	run: kustomize build common/istio/kubeflow-istio-resources/base \| kubectl apply -f -

	- name: Create KF Profile
	run: ./tests/kubeflow_profile_install.sh

	- name: Setup python 3.12
	uses: actions/setup-python@v4
	with:
	python-version: 3.12

	- name: Port forward
	run: ./tests/port_forward_gateway.sh

	- name: Verify JWT authentication policies are applied
	run: \|
	kubectl get authorizationpolicy cluster-local-gateway-require-jwt -n istio-system
	kubectl get requestauthentication cluster-local-gateway-jwt -n istio-system
	kubectl get authorizationpolicy cluster-local-gateway -n istio-system
	kubectl get deployment cluster-local-gateway -n istio-system
	kubectl wait --for=condition=Available deployment/cluster-local-gateway -n istio-system --timeout=120s
	kubectl get pods -n istio-system -l app=cluster-jwks-proxy \| grep -q Running \|\| kubectl get pods -n istio-system -l app=cluster-jwks-proxy

	- name: Wait for configurations to propagate
	run: sleep 60

	- name: Run KServe secure authentication tests
	run: ./tests/kserve_jwt_authentication_test.sh kubeflow-user-example-com

	- name: Apply Pod Security Standards restricted levels
	run: ./tests/PSS_enable.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: GitHub Actions workflow to test the KServe Models Web Application #643

Workflow file

feat: GitHub Actions workflow to test the KServe Models Web Application #643

Uh oh!

Jobs

Run details

Workflow file for this run