feat(service-mesh): adds service mesh authz support for Dashboard and Workbenches #605
While testing those changes back and forth we discovered a regression affecting notebook pods created in the Application Namespace (so the same as controllers). It has a permission issue resulting in
It does work however when the same Jupyter workbench is created in a new namespace (Data Science Project). The investigation is ongoing. Here are the pod details of both scenarios:
WORKAROUND
Use SMCP explicitly set to
Related issue: #616
After deploying the data science cluster, if the user tries to log in to the dashboard quickly after the dashboard pod(s) are ready, they may hit an error page after login saying:
Backend logs:
```
{"level":50,"time":1696518565791,"pid":17,"hostname":"odh-dashboard-958bc566b-2qstq","msg":"Error writing log. Cannot read properties of undefined (reading 'spec')"}
{"level":50,"time":1696518565792,"pid":17,"hostname":"odh-dashboard-958bc566b-2qstq","reqId":"req-u","req":{"method":"GET","url":"/api/builds","hostname":"opendatahub.apps-crc.testing","remoteAddress":"127.0.0.6","remotePort":53401},"res":{"statusCode":500},"err":{"type":"TypeError","message":"Cannot read properties of undefined (reading 'spec')","stack":"TypeError: Cannot read properties of undefined (reading 'spec')\n at getNamespaces (/usr/src/app/backend/dist/utils/notebookUtils.js:30:44)\n at /usr/src/app/backend/dist/utils/route-security.js:22:70\n at Generator.next (<anonymous>)\n at fulfilled (/usr/src/app/backend/dist/utils/route-security.js:5:58)\n at process.processTicksAndRejections (node:internal/process/task_queues:95:5)"},"msg":"Cannot read properties of undefined (reading 'spec')"}
```
Simply closing the tab, waiting 30 seconds (not a scientific value, YMMV) and reopening the route to the dashboard through the mesh should resolve the issue. Will have to figure out if this is already a known issue with dashboard experts.
apiVersion: maistra.io/v2 | ||
kind: ServiceMeshControlPlane | ||
metadata: | ||
name: minimal |
should be "basic"? or changed default value
This is just an example, and the name is more accurate in my eyes. Open for discussion.
A more descriptive name, perhaps identifying this SMCP belonging to this product would be a good differentiator given that there could be multiple SMCPs deployed on a single cluster.
Label string `json:"label,omitempty"` | ||
// Image allows to define a custom container image to be used when deploying Authorino's instance. | ||
// +kubebuilder:default="quay.io/kuadrant/authorino:v0.13.0" | ||
Image string `json:"image,omitempty"` |
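Review bot: the `+kubebuilder:default` on `Image` pins Authorino by a mutable tag (`quay.io/kuadrant/authorino:v0.13.0`), and the field lets whoever can edit this resource swap the image of the component that makes authorization decisions. Consider pinning the default by digest and stating in the field comment who is expected to override it; if this is a development-only knob, keeping it out of the user-facing spec avoids the question.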
not really sure what this image is here for.
Perhaps more a `DevFlag` thing in retrospect. Up for discussion. This new part of the spec is a slimmed version of #515
There's one limitation we need to fix #617
name: $name | ||
source: $source | ||
sourceNamespace: openshift-marketplace | ||
EOF" |
Is the subscription created in openshift-marketplace, or should it be openshift-operators?
Thanks for raising this concern. This is just an example for devs on how to test it, not an official user guide. Perhaps it should be emphasized in the opening section.
We should make sure we refer to the right distribution channels when providing a final end user guide @cam-garrison
as for now:
- for upstream, our operator is called `OpenDataHub` from `community-operators` on `fast` channel
- for downstream, the operator is called `Red Hat OpenShift Data Science` from `redhat-operators` on `alpha` channel
name: kiali | ||
enabled: false | ||
EOF | ||
``` |
I sanity tested the spec, with the result being that the SMCP deployed fine with the above spec.
Note: "name: kiali" is not needed, the SMCP deployed fine without the name.
Extracts the fluent interface for Features from PR opendatahub-io#605. This allows other components to configure cluster resources using this interface before the original PR gets merged. No changes to the reconcile logic have been introduced.
* initial add tracker spec
* update tests, update crd
* add omitempty to origin struct
* undo accidental tag change
* re add empty line
* move pointer operator
* add testing
* lint
* re-lint changes
* add ownertype, move newOrigin() to shared util
* Update apis/features/v1/features_types.go Co-authored-by: Bartosz Majsak <[email protected]>
* remove origin from featureinitializer
* modify kserve sm step to match dashboard's
* make dsci servicemesh setup like dashboard's
* fix merge issues, lint
---------
Co-authored-by: Bartosz Majsak <[email protected]>
This first iteration is to cover authentication needs for KServe
* Add templates to install Authorino
* Add templates to configure Service Mesh to use Authorino to delegate Authorization
* Add KServe-specific templates add ability to secure KServe Inference Services
* Add relevant fields to DSCInitialization resource
* Code for proper cleanup, in case of uninstalling
Most (if not all) of this code comes from pull request opendatahub-io#605. Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et. al.
Related opendatahub-io/kserve#128
Signed-off-by: Edgar Hernández <[email protected]>
success: | ||
headers: | ||
x-auth-data: | ||
json: |
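Review bot: `x-auth-data` under `success.headers` hands identity data to the upstream as a request header, so the upstream will treat that header as authoritative. The hunk does not show what happens to an `x-auth-data` header supplied by the client on the inbound request; confirm it is overwritten or stripped on every route, and document which properties the `json:` value carries so consumers know what they can rely on.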
This is fine, but only so you know. Authorino also has `plain` now, in case you prefer just the username as the value in the header, rather than a stringified JSON.
Thanks @guicassolato
walkErr is propagated as part of the recursive call when traversing the directory tree. This adds a guard check to not proceed when an error happened in the call chain.
* feat(authz): Authorino for Service Mesh
  This first iteration is to cover authentication needs for KServe
  * Add templates to install Authorino
  * Add templates to configure Service Mesh to use Authorino to delegate Authorization
  * Add KServe-specific templates add ability to secure KServe Inference Services
  * Add relevant fields to DSCInitialization resource
  * Code for proper cleanup, in case of uninstalling
  Most (if not all) of this code comes from pull request #605. Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et. al.
  Related opendatahub-io/kserve#128
  Signed-off-by: Edgar Hernández <[email protected]>
* Fix linter issues Signed-off-by: Edgar Hernández <[email protected]>
* Resolve feedback: Bartosz Signed-off-by: Edgar Hernández <[email protected]>
* fix: Remove port from the authorization policy
  Also, add `/metrics` to the ignored paths for auth. Signed-off-by: Edgar Hernández <[email protected]>
* Fix feedback: Bartosz Signed-off-by: Edgar Hernández <[email protected]>
* More feedback: Bartosz Co-authored-by: Bartosz Majsak <[email protected]>
* Fix feedback: Reto
  - Adjust AuthorizationPolicy
  Signed-off-by: Edgar Hernández <[email protected]>
* Fix more feedback: Bartosz
  - Remove Authorino namespace field from DSCI.
  - Move around some code in kserve.go to servicemesh_setup.go
  Signed-off-by: Edgar Hernández <[email protected]>
* chore: adds sec. prefix to authorino label selector
* fix: adds base dir to manifest sources
* chore: uses security instead of sec as a prefix in authorino label
* fix: /healthz is called by _something_, skipp
* fix: adopt ODH-ADR-0006 for clean up label
* fix: uses correct CRD name for authconfigs Co-authored-by: Cameron Garrison <[email protected]>
* Remove left-over file Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: remove auth-refs ConfigMap Signed-off-by: Edgar Hernández <[email protected]>
* Add missing role.yaml changes Signed-off-by: Edgar Hernández <[email protected]>
* Go back to installing Authorino on its own namespace Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: Add clean-up for KServe/OSSM-auth Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: Simplify namings Signed-off-by: Edgar Hernández <[email protected]>
* fix: add auth-refs cm
* Feedback: adjust labels and a log message Signed-off-by: Edgar Hernández <[email protected]>
* Bugfix: Extension provider terminating with error when SMCP is gone Signed-off-by: Edgar Hernández <[email protected]>
* Fix: add missing RBAC for ConfigMaps func Signed-off-by: Edgar Hernández <[email protected]>
* Fix: Run `make bundle` and commit resulting changes Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: Wen
  - Better feature namings
  Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: Bartosz
  * Use feature logger
  * Don't trim -applications suffix on ResolveAuthNamespace
  Signed-off-by: Edgar Hernández <[email protected]>
* Feedback: Wen
  - revert image placeholder was replaced
  Signed-off-by: Edgar Hernández <[email protected]>
---------
Signed-off-by: Edgar Hernández <[email protected]>
Co-authored-by: Bartosz Majsak <[email protected]>
Co-authored-by: Aslak Knutsen <[email protected]>
Co-authored-by: Cameron Garrison <[email protected]>
This test ensures addition of extension provider for external authorization and that it is removed from the control plane properly using custom cleanup function.
NOTE: it is now failing to demonstrate existing bug
```
[FAILED] Timed out after 5.000s.
Expected
    <[]interface {} | len:1, cap:1>: [
        <map[string]interface {} | len:2>{
            "envoyExtAuthzGrpc": <map[string]interface {} | len:2>{
                "port": <int64>50051,
                "service": <string>"authorino-authorino-authorization.auth-provider.svc.cluster.local",
            },
            "name": <string>"test-ns-auth-provider",
        },
    ]
to be empty
```
…uring cleanup (#905)
### Renames migration folder
The reason for this is to have a simple naming convention instead of suggesting storing migration patches in dedicated folders named after tickets. Additionally, the feature explicitly orders files instead of assuming that the underlying fsys implementation fulfills such a contract.
### Ports #605 test for extension provider
This test ensures the addition of an extension provider for external authorization and that it is removed from the control plane properly using a custom cleanup function. We have missed it in the original work.
### Fix: aligns provider name between template and cleanup logic
This is a short-term fix for the existing codebase. In the long term (which is actively worked on) we need to improve the way of how we are storing config information to limit cases where we rely on pre/suffixes. Cases like this should be kept as its own thing instead, as it represents the concept in the infrastructure/authz setup.
* Update bundle

* feat(authz): Authorino for Service Mesh (#784)
  * feat(authz): Authorino for Service Mesh
    This first iteration is to cover authentication needs for KServe
    * Add templates to install Authorino
    * Add templates to configure Service Mesh to use Authorino to delegate Authorization
    * Add KServe-specific templates add ability to secure KServe Inference Services
    * Add relevant fields to DSCInitialization resource
    * Code for proper cleanup, in case of uninstalling
    Most (if not all) of this code comes from pull request opendatahub-io#605. Attribution to original authors: @bartoszmajsak, @aslakknutsen, @cam-garrison, et. al.
    Related opendatahub-io/kserve#128
    Signed-off-by: Edgar Hernández <[email protected]>
  * Fix linter issues Signed-off-by: Edgar Hernández <[email protected]>
  * Resolve feedback: Bartosz Signed-off-by: Edgar Hernández <[email protected]>
  * fix: Remove port from the authorization policy
    Also, add `/metrics` to the ignored paths for auth. Signed-off-by: Edgar Hernández <[email protected]>
  * Fix feedback: Bartosz Signed-off-by: Edgar Hernández <[email protected]>
  * More feedback: Bartosz Co-authored-by: Bartosz Majsak <[email protected]>
  * Fix feedback: Reto
    - Adjust AuthorizationPolicy
    Signed-off-by: Edgar Hernández <[email protected]>
  * Fix more feedback: Bartosz
    - Remove Authorino namespace field from DSCI.
    - Move around some code in kserve.go to servicemesh_setup.go
    Signed-off-by: Edgar Hernández <[email protected]>
  * chore: adds sec. prefix to authorino label selector
  * fix: adds base dir to manifest sources
  * chore: uses security instead of sec as a prefix in authorino label
  * fix: /healthz is called by _something_, skipp
  * fix: adopt ODH-ADR-0006 for clean up label
  * fix: uses correct CRD name for authconfigs Co-authored-by: Cameron Garrison <[email protected]>
  * Remove left-over file Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: remove auth-refs ConfigMap Signed-off-by: Edgar Hernández <[email protected]>
  * Add missing role.yaml changes Signed-off-by: Edgar Hernández <[email protected]>
  * Go back to installing Authorino on its own namespace Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: Add clean-up for KServe/OSSM-auth Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: Simplify namings Signed-off-by: Edgar Hernández <[email protected]>
  * fix: add auth-refs cm
  * Feedback: adjust labels and a log message Signed-off-by: Edgar Hernández <[email protected]>
  * Bugfix: Extension provider terminating with error when SMCP is gone Signed-off-by: Edgar Hernández <[email protected]>
  * Fix: add missing RBAC for ConfigMaps func Signed-off-by: Edgar Hernández <[email protected]>
  * Fix: Run `make bundle` and commit resulting changes Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: Wen
    - Better feature namings
    Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: Bartosz
    * Use feature logger
    * Don't trim -applications suffix on ResolveAuthNamespace
    Signed-off-by: Edgar Hernández <[email protected]>
  * Feedback: Wen
    - revert image placeholder was replaced
    Signed-off-by: Edgar Hernández <[email protected]>
  ---------
  Signed-off-by: Edgar Hernández <[email protected]>
  Co-authored-by: Bartosz Majsak <[email protected]>
  Co-authored-by: Aslak Knutsen <[email protected]>
  Co-authored-by: Cameron Garrison <[email protected]>
  (cherry picked from commit e32a7c2)

* fix(authz): Fix broken external auth configuration
  There are two misconfigurations being fixed:
  * In the SMCP, the service hostname of Authorino was coded with `-authorization` suffix, but the right suffix is `-authorino-authorization`.
  * In the `kserve-predictor` AuthorizationPolicy, the hardcoded `opendatahub-odh-auth-provider` provider name was used, but it should have been the template `{{ .AppNamespace }}-auth-provider`.
  In `pkg/feature/feature.go` the patch manifests (i.e. the ones containing `.patch` in the filename) are always applied. Thus, the first bullet is solved by fixing the patch file that adds the `extensionProvider` to the SMCP.
  For the second bullet, the faulty AuthorizationPolicy is created with a regular manifest template which is only applied if the resource does not exist. Thus, a patch manifest is added to properly fix the faulty policy (including operator upgrades).
  Signed-off-by: Edgar Hernández <[email protected]>
  (cherry picked from commit e4252a0)

* fix: Rework operator precondition checks (#899)
  * init commit
  * tmp: switch to subscription
  * tmp
  * fix up testing
  * linter on import
  * minor self nits
  * add bracket, make
  * use found,err for checking subscription Co-authored-by: Bartosz Majsak <[email protected]>
  * fix import + test error expected outputs
  * directly return errs rather than log and ret Co-authored-by: Bartosz Majsak <[email protected]>
  * remove unused log var from conditions
  * move const fixtures to separate package
  * move creating op subscription to function
  * rename noop features in testing
  * remove redundant comments Co-authored-by: Bartosz Majsak <[email protected]>
  * move CreateSubscription to fixtures
  ---------
  Co-authored-by: Bartosz Majsak <[email protected]>
  (cherry picked from commit f44528e)

* chore: follow up review comments from previous PR (#858)
  * update: follow up comments
    - cleanup commented out code
    - rename function
    - cleanup unnecessary sleep
    Signed-off-by: Wen Zhou <[email protected]>
  * update: add check on return err + remove apierrs.IsNotFound check Signed-off-by: Wen Zhou <[email protected]>
  * Update pkg/deploy/deploy.go Co-authored-by: Bartosz Majsak <[email protected]>
  * update(review): create new function DeleteSubscription Signed-off-by: Wen Zhou <[email protected]>
  * update: return for get and delete subscription
    - get: return 'sub, nil' or 'nil, err' here error can be real one or notfound
    Signed-off-by: Wen Zhou <[email protected]>
  * Update pkg/deploy/deploy.go Co-authored-by: Bartosz Majsak <[email protected]>
  * fix(linter) Signed-off-by: Wen Zhou <[email protected]>
  ---------
  Signed-off-by: Wen Zhou <[email protected]>
  Co-authored-by: Bartosz Majsak <[email protected]>
  (cherry picked from commit a81a3da)

* fix(authz): ensures extauthz provider is removed from control plane during cleanup (#905)
  ### Renames migration folder
  The reason for this is to have a simple naming convention instead of suggesting storing migration patches in dedicated folders named after tickets. Additionally, the feature explicitly orders files instead of assuming that the underlying fsys implementation fulfills such a contract.
  ### Ports #605 test for extension provider
  This test ensures the addition of an extension provider for external authorization and that it is removed from the control plane properly using a custom cleanup function. We have missed it in the original work.
  ### Fix: aligns provider name between template and cleanup logic
  This is a short-term fix for the existing codebase. In the long term (which is actively worked on) we need to improve the way of how we are storing config information to limit cases where we rely on pre/suffixes. Cases like this should be kept as its own thing instead, as it represents the concept in the infrastructure/authz setup.

* chore: indentation Signed-off-by: Wen Zhou <[email protected]>
* fix: use old package path till we cherry-pick refactor commit Signed-off-by: Wen Zhou <[email protected]>
---------
Signed-off-by: Wen Zhou <[email protected]>
Co-authored-by: Edgar Hernández <[email protected]>
Co-authored-by: Edgar Hernández <[email protected]>
Co-authored-by: Cameron Garrison <[email protected]>
Co-authored-by: Wen Zhou <[email protected]>
Co-authored-by: Bartosz Majsak <[email protected]>
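The two misconfigurations named in the commit messages above (the Authorino service host suffix, and the provider name that has to match between template and cleanup), as an added Go example that is not code from this pull request or the operator. The plain-map SMCP object, the `spec.techPreview.meshConfig.extensionProviders` path, the function names and the stale `test-ns-odh-auth-provider` name are assumptions made for the illustration.

```go
package main

import "fmt"

// Assumed location of the provider list inside the ServiceMeshControlPlane
// object; the page does not spell the path out.
var meshConfigPath = []string{"spec", "techPreview", "meshConfig"}

const providersKey = "extensionProviders"

// ProviderName is the single place the name is derived, mirroring the
// `{{ .AppNamespace }}-auth-provider` template quoted on the page.
func ProviderName(appNamespace string) string {
	return appNamespace + "-auth-provider"
}

// AuthorinoService builds the gRPC host with the `-authorino-authorization`
// suffix the page identifies as the correct one.
func AuthorinoService(authorinoName, namespace string) string {
	return fmt.Sprintf("%s-authorino-authorization.%s.svc.cluster.local", authorinoName, namespace)
}

// meshConfig walks to the map holding the provider list, creating the
// intermediate maps only when create is true.
func meshConfig(smcp map[string]interface{}, create bool) map[string]interface{} {
	cur := smcp
	for _, key := range meshConfigPath {
		next, ok := cur[key].(map[string]interface{})
		if !ok {
			if !create {
				return nil
			}
			next = map[string]interface{}{}
			cur[key] = next
		}
		cur = next
	}
	return cur
}

// Providers returns the current extension providers (nil when none are set).
func Providers(smcp map[string]interface{}) []interface{} {
	mc := meshConfig(smcp, false)
	if mc == nil {
		return nil
	}
	list, _ := mc[providersKey].([]interface{})
	return list
}

// RemoveProvider drops every entry with the given name and reports how many
// were removed, so a cleanup step can tell that it matched nothing.
func RemoveProvider(smcp map[string]interface{}, name string) int {
	mc := meshConfig(smcp, false)
	if mc == nil {
		return 0
	}
	list, _ := mc[providersKey].([]interface{})
	kept := make([]interface{}, 0, len(list))
	for _, p := range list {
		if m, ok := p.(map[string]interface{}); ok && m["name"] == name {
			continue
		}
		kept = append(kept, p)
	}
	mc[providersKey] = kept
	return len(list) - len(kept)
}

// AddProvider registers an envoyExtAuthzGrpc provider; re-adding the same
// name replaces the entry so repeated reconciles do not duplicate it.
func AddProvider(smcp map[string]interface{}, name, service string, port int64) {
	RemoveProvider(smcp, name)
	mc := meshConfig(smcp, true)
	entry := map[string]interface{}{
		"name":              name,
		"envoyExtAuthzGrpc": map[string]interface{}{"service": service, "port": port},
	}
	list, _ := mc[providersKey].([]interface{})
	mc[providersKey] = append(list, entry)
}

func main() {
	smcp := map[string]interface{}{} // constructed, empty control plane object
	name := ProviderName("test-ns")
	AddProvider(smcp, name, AuthorinoService("authorino", "auth-provider"), 50051)

	// Cleanup keyed on a differently built name (constructed) matches nothing.
	fmt.Println("stale name removed:", RemoveProvider(smcp, "test-ns-odh-auth-provider"), "left:", len(Providers(smcp)))
	// Cleanup that reuses ProviderName empties the list.
	fmt.Println("aligned name removed:", RemoveProvider(smcp, name), "left:", len(Providers(smcp)))
}
```

A cleanup step that treats a zero return from `RemoveProvider` as an error surfaces the mismatch at uninstall time instead of leaving the provider behind in the control plane.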
ReplaceChar is not used anywhere in the templates, so there is no point in keeping it around. Most likely spill over from infamous opendatahub-io#605.
ReplaceChar is not used anywhere in the templates, so there is no point in keeping it around. Most likely spill over from infamous opendatahub-io#605. (cherry picked from commit 0c363cf)
Code walk-through https://www.youtube.com/watch?v=n7vqYYVfaTg
Description
Enables service mesh for dashboard and workbench components (part of #496).
It addresses several limitations we encountered when using the initial kustomize/manifest and init-job solution, specifically:
Key features
Additional improvements
- `Cleanup` implementation for each component
  - `dashboard.go` has its own logic which will be invoked by reconciler on deletion
- `secret` became its own package with few enhancements as it's needed for service mesh.
- `EnvTest` helpers and unified with existing tests
- `platform == ""` there's now a meaningful constant `platform == deploy.Unknown`
Enabling it
See `docs/SERVICE-MESH.md`
How Has This Been Tested?
`make test` will run all tests, including OSSM features such as patching resources or cleaning up changes on deletion.
We did extensive manual testing as well.
Merge criteria:
Additional merge criteria/dependencies:
Kubeflow
- change reference in `get_all_manifests.sh` file.