Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

air-gapped environment Runtime environment dependencies: local Https PKI and BasicAuth #2812

Closed
shalberd opened this issue Jun 29, 2022 · 2 comments
Closed

air-gapped environment Runtime environment dependencies: local Https PKI and BasicAuth #2812

shalberd opened this issue Jun 29, 2022 · 2 comments
Assignees
@akchinSTC
Labels
component:pipeline-editor pipeline editor component:pipeline-runtime issues related to pipeline runtimes e.g. kubeflow pipelines kind:enhancement New feature or request

Comments

@shalberd
Copy link
Contributor

shalberd commented Jun 29, 2022
edited
Loading

Is your feature request related to a problem? Please describe.
Similar to issues related to Airflow components and package components, where requests.get was used without a possibility to add Http Basic Auth initially and without possibility to add a private PKI CA Certificate as trusted.

In the documentation to runtime environment dependencies https://elyra.readthedocs.io/en/latest/recipes/running-elyra-in-air-gapped-environment.htmt, it is mentioned that during pipeline execution in the Kubeflow Pipelines or Apache Airflow environment, a different location for e.g. ELYRA_BOOTSTRAP_SCRIPT_URL, ELYRA_REQUIREMENTS_URL_PY37 (after Elyra 3.6) and ELYRA_REQUIREMENTS_URL can be added as an env file.

A hard requirement so far is ""you must store a copy of these files in a location that is accessible via an anonymous HTTP GET request and configure the following environment
variables in the environment where JupyterLab is running:""

This can be seen in

https://github.com/elyra-ai/elyra/blob/main/elyra/airflow/operator.py#L98 where the values of the ENV files are referenced and then downloaded into the filesystem with curl for airflow and

for kubeflow pipeline runtime dependencies in

https://github.com/elyra-ai/elyra/blob/main/elyra/kfp/operator.py#L194

That is not practical in an enterprise environment, similar to the PKI non-trusted issue.

The curl commands implemented will not work with Http Basic Auth and also not with https locations having a non-publicly trusted CA and/or intermediate CA.

Describe the solution you'd like
A solution based on curl, or even better yet requests.get, that supports Http Basic Auth with user id and password or api key.
A solution that also supports trusting custom CA certificates mapped in the container filesystem.

Describe alternatives you've considered
Authentication is a must, and internal PKI is also very commin for SSL certificates of systems in enterprise environments.
I see no alternative.

Additional context
Add any other context or screenshots about the feature request here.
@shalberd shalberd added the kind:enhancement New feature or request label Jun 29, 2022
@ptitzler ptitzler added the component:pipeline-runtime issues related to pipeline runtimes e.g. kubeflow pipelines label Jun 29, 2022
@ptitzler
Copy link
Member

Related: #2805 (investigate removal of remote file dependencies)

@ptitzler ptitzler added the component:pipeline-editor pipeline editor label Jun 29, 2022
@shalberd shalberd mentioned this issue Jul 1, 2022
Open
@shalberd
Copy link
Contributor Author

solved with #2912 and #2797

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@akchinSTC akchinSTC

Labels
component:pipeline-editor pipeline editor component:pipeline-runtime issues related to pipeline runtimes e.g. kubeflow pipelines kind:enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ptitzler @akchinSTC @shalberd