feat: update project level auth config with kserve hosts #130
Conversation
|
Skipping CI for Draft Pull Request. |
| func (r *KserveAuthConfigReconciler) Reconcile(ctx context.Context, log logr.Logger, isvc *kservev1beta1.InferenceService) error { | ||
|
|
||
| if isvc.Status.URL == nil { | ||
| log.V(1).Info("Inference Service not ready yet, waiting for URL") |
There was a problem hiding this comment.
Could make it a warning. It's part of the normal flow to reconcile a few times before the Status.URL show up
There was a problem hiding this comment.
So, log does not have a warning func. Only Info and Error.
We have V(1) in the middle to raise verbosity, so I think this is good enough.
| func ConvertToStructuredResource(yamlContent []byte, out runtime.Object, opts ...manifestival.Option) error { | ||
|
|
||
| s := runtime.NewScheme() | ||
| RegisterSchemes(s) |
There was a problem hiding this comment.
not sure if I followed, why is this needed here?
There was a problem hiding this comment.
So, this is creating an empty Scheme which is needed by the decoder a few lines later.
I guess, the decoder won't work correctly if the Schemes/CRDs are not present in the Scheme.
|
So, I was trying to make this work. @aslakknutsen @bartoszmajsak I may meet with you soon to see if we can debug this. |
bartoszmajsak
force-pushed
the
kserve-auth
branch
from
7560e7b to
f8a0a55
Compare
aslakknutsen
force-pushed
the
kserve-auth
branch
from
f8a0a55 to
ec2b29e
Compare
aslakknutsen
force-pushed
the
kserve-auth
branch
from
0532f6b to
627491a
Compare
aslakknutsen
force-pushed
the
kserve-auth
branch
from
86a78ce to
f525bd5
Compare
aslakknutsen
force-pushed
the
kserve-auth
branch
from
f525bd5 to
dc42185
Compare
|
/retest |
|
/test unit |
controllers/kserve_inferenceservice_controller_authconfig_test.go
Outdated
Show resolved
Hide resolved
controllers/kserve_inferenceservice_controller_authconfig_test.go
Outdated
Show resolved
Hide resolved
|
|
||
| func disableAuth(isvc *kservev1beta1.InferenceService) error { | ||
| delete(isvc.Annotations, "enable-auth") | ||
| delete(isvc.Annotations, "security.opendatahub.io/enable-auth") |
There was a problem hiding this comment.
Maybe, these strings should be a const.
There was a problem hiding this comment.
Fixed a6c333a
Seeing them side by side I wonder if maybe we should have called it something like security.opendatahub.io/authorization instead...?
There was a problem hiding this comment.
It could be. Although, for enabling and disabling, I'm not sure if it is that useful to make distinction between authorization and authentication.
But you tell, I let you do the renaming if you think it is better.
There was a problem hiding this comment.
I was more thinking the short v "auth" vs "auth..." and "auth-x" vs "x-auth" order. (not authentication vs authorization)
security.opendatahub.io/authorization-group
security.opendatahub.io/enable-auth
security.opendatahub.io/authorization-group
security.opendatahub.io/authorization-enabled
There was a problem hiding this comment.
The security.opendatahub.io/authorization-enabled is the one that I see as potentially noisy for later. Right now, we are dealing only with authZ and the naming looks fine. But once we start looking at proper SSO, we may want to expand this with the authN part and add back to the AuthConfig the redirect that we removed previously. Then, this annotation would work to enable/disable both authN and authZ together, and its name will no longer fully reflect what it is doing.
This is what I was meaning about making the distinction.
There was a problem hiding this comment.
is security....io/enable sufficient? It hints at securing the Model. Would there be other types of 'security' that could make it confusing in the future at some point?
There was a problem hiding this comment.
is security....io/enable sufficient?
Uhm... I'm OK with it, but...
Would there be other types of 'security'
I don't know....
The only other thing that has been a topic lately is around TLS certs. But IDK if we will use annotations or labels for that.
israel-hdez
force-pushed
the
kserve-auth
branch
from
d995059 to
3a4e172
Compare
aslakknutsen
force-pushed
the
kserve-auth
branch
from
81863db to
a6c333a
Compare
|
/retest |
- Add HostExtractor interface. Hosts are defined differently between KServe and ModelMesh - Remove webhook CRD convertion. Not relevant to test cases. - Update controllers/reconcilers/kserve_authconfig_reconciler.go Co-authored-by: Bartosz Majsak <[email protected]> Co-authored-by: Edgar Hernández <[email protected]> Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
This fixes a reconcile loop. The `AuthConfig` from the template would end with `subresource.value` and `name.value` fields set to `null`, while the cluster stores these fields with empty strings. This would be detected as a diff at reconciliation and the `AuthConfig` would be re-applied causing a loop both in `odh-model-controller` and `authorino` controller. Adding the empty fields to the template stops the loop. Signed-off-by: Edgar Hernández <[email protected]>
Signed-off-by: Edgar Hernández <[email protected]>
This is to have parity with Model Mesh. Signed-off-by: Edgar Hernández <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
Signed-off-by: Aslak Knutsen <[email protected]>
aslakknutsen
force-pushed
the
kserve-auth
branch
from
d258fdd to
41f644b
Compare
|
/lgtm |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: aslakknutsen, israel-hdez The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
Add Authorino AuthConfig for KServe InferenceService hosts in ODHProject Namespaces.
The
InferenceServicecan be annotated withenable-authto trigger the creation of anAuthConfigthat secures theInferenceServiceaccess. The secure access require a kubernetes token and access togettheInferenceServiceresources in the targetNamespace.If
enable-authis not present, an AuthConfig for anonymous access will be created instead.How Has This Been Tested?
enable-auth:
grpc|curl -H "Authorization: Bearer $(oc whoami -t)" ...
no auth:
grpc|curl ...
Merge criteria:
Dependencies