Skip to content

chore: Add securitycontext for PSS PoC (rootless Kubeflow) #256

chore: Add securitycontext for PSS PoC (rootless Kubeflow)

chore: Add securitycontext for PSS PoC (rootless Kubeflow) #256

name: Deploy and test KServe with m2m auth in KinD
on:
pull_request:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/kserve_m2m_test.yaml
- contrib/kserve/**
- common/oauth2-proxy/**
- common/istio*/**
- tests/gh-actions/install_istio.sh
- tests/gh-actions/install_oauth2-proxy.sh
- tests/gh-actions/install_cert_manager.sh
- common/cert-manager/**
- tests/gh-actions/install_knative.sh
- common/knative/**
- tests/gh-actions/install_kserve.sh
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- name: Install kubectl
run: ./tests/gh-actions/install_kubectl.sh
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install Istio
run: ./tests/gh-actions/install_istio.sh
- name: Install oauth2-proxy
run: ./tests/gh-actions/install_oauth2-proxy.sh
- name: Install cert-manager
run: ./tests/gh-actions/install_cert_manager.sh
- name: Install knative
run: ./tests/gh-actions/install_knative.sh
- name: Build & Apply manifests
run: ./tests/gh-actions/install_kserve.sh
- name: Create test namespace
run: kubectl create ns kserve-test
- name: Setup python 3.9
uses: actions/setup-python@v4
with:
python-version: 3.9
- name: Install test dependencies
run: pip install -r ./contrib/kserve/tests/requirements.txt
- name: Port forward
run: |
INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
- name: Run kserve tests with m2m token from SA default/default
run: |
export KSERVE_INGRESS_HOST_PORT=localhost:8080
export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)"
cd ./contrib/kserve/tests && pytest . -vs --log-level info
- name: Run and fail kserve tests without kserve m2m token
run: |
export KSERVE_INGRESS_HOST_PORT=localhost:8080
cd ./contrib/kserve/tests
if pytest . -vs --log-level info; then
echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1
else
echo "Task failed successfully!"
echo "This is a provisional way of testing that m2m is enabled for kserve."
fi