chore: Add securitycontext for PSS PoC (rootless Kubeflow) #256
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy and test KServe with m2m auth in KinD | |
on: | |
pull_request: | |
paths: | |
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- .github/workflows/kserve_m2m_test.yaml | |
- contrib/kserve/** | |
- common/oauth2-proxy/** | |
- common/istio*/** | |
- tests/gh-actions/install_istio.sh | |
- tests/gh-actions/install_oauth2-proxy.sh | |
- tests/gh-actions/install_cert_manager.sh | |
- common/cert-manager/** | |
- tests/gh-actions/install_knative.sh | |
- common/knative/** | |
- tests/gh-actions/install_kserve.sh | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install KinD, Create KinD cluster and Install kustomize | |
run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh | |
- name: Install kubectl | |
run: ./tests/gh-actions/install_kubectl.sh | |
- name: Create kubeflow namespace | |
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - | |
- name: Install Istio | |
run: ./tests/gh-actions/install_istio.sh | |
- name: Install oauth2-proxy | |
run: ./tests/gh-actions/install_oauth2-proxy.sh | |
- name: Install cert-manager | |
run: ./tests/gh-actions/install_cert_manager.sh | |
- name: Install knative | |
run: ./tests/gh-actions/install_knative.sh | |
- name: Build & Apply manifests | |
run: ./tests/gh-actions/install_kserve.sh | |
- name: Create test namespace | |
run: kubectl create ns kserve-test | |
- name: Setup python 3.9 | |
uses: actions/setup-python@v4 | |
with: | |
python-version: 3.9 | |
- name: Install test dependencies | |
run: pip install -r ./contrib/kserve/tests/requirements.txt | |
- name: Port forward | |
run: | | |
INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') | |
nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & | |
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready | |
- name: Run kserve tests with m2m token from SA default/default | |
run: | | |
export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
export KSERVE_M2M_TOKEN="$(kubectl -n default create token default)" | |
cd ./contrib/kserve/tests && pytest . -vs --log-level info | |
- name: Run and fail kserve tests without kserve m2m token | |
run: | | |
export KSERVE_INGRESS_HOST_PORT=localhost:8080 | |
cd ./contrib/kserve/tests | |
if pytest . -vs --log-level info; then | |
echo "This test should fail with an HTTP redirect to oauth2-proxy/dex auth."; exit 1 | |
else | |
echo "Task failed successfully!" | |
echo "This is a provisional way of testing that m2m is enabled for kserve." | |
fi |