From b251c717b56ffa25a4a2109613b0cfff82cc0de2 Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:33:51 +0100 Subject: [PATCH 1/3] istio-cni by default Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- .github/workflows/kserve_cni_test.yaml | 62 ------------------- .../notebook_controller_m2m_test.yaml | 2 +- .../workflows/pipeline_run_from_notebook.yaml | 2 +- .github/workflows/pipeline_swfs_test.yaml | 2 +- .github/workflows/pipeline_test.yaml | 2 +- .github/workflows/training_operator_test.yaml | 2 +- README.md | 14 ++--- common/oauth2-proxy/components/README.md | 12 ++-- contrib/kserve/README.md | 10 +-- example/kustomization.yaml | 10 +-- hack/trivy_scan.py | 2 +- .../kustomization.yaml | 10 +-- tests/gh-actions/install_istio.sh | 2 +- tests/gh-actions/install_knative-cni.sh | 23 ------- tests/gh-actions/install_knative.sh | 4 +- 15 files changed, 37 insertions(+), 122 deletions(-) delete mode 100644 .github/workflows/kserve_cni_test.yaml delete mode 100755 tests/gh-actions/install_knative-cni.sh diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml deleted file mode 100644 index fb1259793..000000000 --- a/.github/workflows/kserve_cni_test.yaml +++ /dev/null @@ -1,62 +0,0 @@ -name: Build & Apply KServe manifests in KinD, using istio CNI -on: - pull_request: - paths: - - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - - .github/workflows/kserve_cni_test.yaml - - common/istio-cni-1-23/** - - tests/gh-actions/install_cert_manager.sh - - common/cert-manager/** - - tests/gh-actions/install_knative-cni.sh - - common/knative/** - - tests/gh-actions/install_kserve.sh - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Install KinD, Create KinD cluster and Install kustomize - run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - - - name: Create kubeflow namespace - run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - - - name: Install Istio CNI - run: ./tests/gh-actions/install_istio-cni.sh - - - name: Install cert-manager - run: ./tests/gh-actions/install_cert_manager.sh - - - name: Install knative CNI - run: ./tests/gh-actions/install_knative-cni.sh - - - name: Build & Apply manifests - run: ./tests/gh-actions/install_kserve.sh - - - name: Create test namespace - run: kubectl create ns kserve-test - - - name: Setup python 3.9 - uses: actions/setup-python@v4 - with: - python-version: 3.9 - - - name: Install test dependencies - run: pip install -r ./contrib/kserve/tests/requirements.txt - - - name: Port forward - run: | - INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}') - nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 & - - - name: Run kserve tests - run: | - export KSERVE_INGRESS_HOST_PORT=localhost:8080 - cd ./contrib/kserve/tests && pytest . - - - name: Run kserve models webapp test - run: | - kubectl wait --for=condition=Available --timeout=300s -n kubeflow deployment/kserve-models-web-app diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index cb70027de..0d829cd33 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml @@ -34,7 +34,7 @@ jobs: run: ./tests/gh-actions/install_oauth2-proxy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Multi Tenancy run: ./tests/gh-actions/install_multi_tenancy.sh diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 3f1aee391..094315511 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml @@ -37,7 +37,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Pipelines run: ./tests/gh-actions/install_pipelines.sh diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml index 27b9b4e6e..9919bd2d2 100644 --- a/.github/workflows/pipeline_swfs_test.yaml +++ b/.github/workflows/pipeline_swfs_test.yaml @@ -45,7 +45,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f - diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index 792d5937e..a3afd9581 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -44,7 +44,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f - diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index d90957c2b..46337ba2c 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -38,7 +38,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f - diff --git a/README.md b/README.md index 871a8c36e..e0a1b8521 100644 --- a/README.md +++ b/README.md @@ -207,13 +207,13 @@ network authorization and implement routing policies. If you use Cilium CNI on your cluster, you have to configure it properly for Istio as shown [here](https://docs.cilium.io/en/latest/network/servicemesh/istio/), otherwise you will get RBAC access denied on the central dashboard. -Install Istio: +Install Istio-CNI: ```sh -echo "Installing Istio configured with external authorization..." -kustomize build common/istio-1-23/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-23/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f - +echo "Installing Istio-CNI configured with external authorization..." +kustomize build common/istio-cni-1-23/istio-crds/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f - echo "Waiting for all Istio Pods to become ready..." kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s @@ -343,7 +343,7 @@ Install Knative Serving: ```sh kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - -kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f - ``` Optionally, you can install Knative Eventing which can be used for inference request logging: @@ -390,7 +390,7 @@ Create the Kubeflow Gateway, `kubeflow-gateway` and ClusterRole, Install kubeflow istio resources: ```sh -kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - ``` #### Kubeflow Pipelines diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md index 8332d6d5e..12ca9196d 100644 --- a/common/oauth2-proxy/components/README.md +++ b/common/oauth2-proxy/components/README.md @@ -154,9 +154,9 @@ make the following changes to the `example/kustomization.yaml` file: * use `oauth2-proxy` overlay for istio-install ``` # from - - ../common/istio-1-23/istio-install/base + - ../common/istio-cni-1-23/istio-install/base # to - - ../common/istio-1-23/istio-install/overlays/oauth2-proxy + - ../common/istio-cni-1-23/istio-install/overlays/oauth2-proxy ``` * change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m bearer tokens with self-signed in-cluster issuer @@ -189,12 +189,12 @@ index c1a85789..4a50440c 100644 +++ b/example/kustomization.yaml @@ -38,11 +38,11 @@ resources: # Istio - - ../common/istio-1-23/istio-crds/base - - ../common/istio-1-23/istio-namespace/base --- ../common/istio-1-23/istio-install/base + - ../common/istio-cni-1-23/istio-crds/base + - ../common/istio-cni-1-23/istio-namespace/base +-- ../common/istio-cni-1-23/istio-install/base -# OIDC Authservice -- ../common//oidc-authservice/base -+- ../common/istio-1-23/istio-install/overlays/oauth2-proxy ++- ../common/istio-cni-1-23/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC +- ../common/oauth2-proxy/overlays/m2m-dex-and-kind # Dex diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md index d0ae01118..e67a1051b 100644 --- a/contrib/kserve/README.md +++ b/contrib/kserve/README.md @@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md) ``` 5. Install Istio ```sh - kubectl apply -k ../../common/istio-1-23/istio-crds/base - kubectl apply -k ../../common/istio-1-23/istio-namespace/base - kubectl apply -k ../../common/istio-1-23/istio-install/base + kubectl apply -k ../../common/istio-cni-1-23/istio-crds/base + kubectl apply -k ../../common/istio-cni-1-23/istio-namespace/base + kubectl apply -k ../../common/istio-cni-1-23/istio-install/base ``` 6. Install knative ```sh kubectl apply -k ../../common/knative/knative-serving/overlays/gateways - kubectl apply -k ../../common/istio-1-23/cluster-local-gateway/base - kubectl apply -k ../../common/istio-1-23/kubeflow-istio-resources/base + kubectl apply -k ../../common/istio-cni-1-23/cluster-local-gateway/base + kubectl apply -k ../../common/istio-cni-1-23/kubeflow-istio-resources/base ``` 7. Install kserve ```sh diff --git a/example/kustomization.yaml b/example/kustomization.yaml index f2bd43d92..7d8be1183 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml @@ -37,9 +37,9 @@ resources: - ../common/cert-manager/base - ../common/cert-manager/kubeflow-issuer/base # Istio -- ../common/istio-1-23/istio-crds/base -- ../common/istio-1-23/istio-namespace/base -- ../common/istio-1-23/istio-install/overlays/oauth2-proxy +- ../common/istio-cni-1-23/istio-crds/base +- ../common/istio-cni-1-23/istio-namespace/base +- ../common/istio-cni-1-23/istio-install/overlays/oauth2-proxy # oauth2-proxy # NOTE: only uncomment ONE of the following overlays, depending on your cluster type - ../common/oauth2-proxy/overlays/m2m-dex-only # for all clusters @@ -52,7 +52,7 @@ resources: - ../common/knative/knative-serving/overlays/gateways # Uncomment the following line if `knative-eventing` is required # - ../common/knative/knative-eventing/base -- ../common/istio-1-23/cluster-local-gateway/base +- ../common/istio-cni-1-23/cluster-local-gateway/base # Kubeflow namespace - ../common/kubeflow-namespace/base # NetworkPolicies @@ -60,7 +60,7 @@ resources: # Kubeflow Roles - ../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../common/istio-1-23/kubeflow-istio-resources/base +- ../common/istio-cni-1-23/kubeflow-istio-resources/base # Kubeflow Pipelines diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py index b93334156..40e4983dc 100755 --- a/hack/trivy_scan.py +++ b/hack/trivy_scan.py @@ -34,7 +34,7 @@ "automl": "../apps/katib/upstream/installs", "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env", "training": "../apps/training-operator/upstream/overlays", - "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-23/istio-crds/base ../common/istio-1-23/istio-namespace/base ../common/istio-1-23/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-23/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-23/kubeflow-istio-resources/base", + "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-cni-1-23/istio-crds/base ../common/istio-cni-1-23/istio-namespace/base ../common/istio-cni-1-23/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-cni-1-23/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-cni-1-23/kubeflow-istio-resources/base", "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays", "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow", "model-registry": "../apps/model-registry/upstream", diff --git a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml index 3d34b0f0a..21cbbf2cf 100644 --- a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml +++ b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml @@ -34,14 +34,14 @@ sortOptions: resources: # Istio -- ../../../common/istio-1-23/istio-crds/base -- ../../../common/istio-1-23/istio-namespace/base -- ../../../common/istio-1-23/istio-install/overlays/oauth2-proxy +- ../../../common/istio-cni-1-23/istio-crds/base +- ../../../common/istio-cni-1-23/istio-namespace/base +- ../../../common/istio-cni-1-23/istio-install/overlays/oauth2-proxy # oauth2-proxy - ../../../common/oauth2-proxy/overlays/m2m-dex-and-kind # Dex - ../../../common/dex/overlays/oauth2-proxy -- ../../../common/istio-1-23/cluster-local-gateway/base +- ../../../common/istio-cni-1-23/cluster-local-gateway/base # Kubeflow namespace - ../../../common/kubeflow-namespace/base # NetworkPolicies @@ -49,7 +49,7 @@ resources: # Kubeflow Roles - ../../../common/kubeflow-roles/base # Kubeflow Istio Resources -- ../../../common/istio-1-23/kubeflow-istio-resources/base +- ../../../common/istio-cni-1-23/kubeflow-istio-resources/base # Central Dashboard - ../../../apps/centraldashboard/overlays/oauth2-proxy # Profiles + KFAM diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh index 5d8e66d42..6fdc6ad4e 100755 --- a/tests/gh-actions/install_istio.sh +++ b/tests/gh-actions/install_istio.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio (with ExtAuthZ from oauth2-proxy) ..." -cd common/istio-1-23 +cd common/istio-cni-1-23 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f - diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh deleted file mode 100755 index c3d6a7132..000000000 --- a/tests/gh-actions/install_knative-cni.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash -set -euo pipefail - -echo "Installing KNative with Istio-CNI ..." - -# Retry mechanism for applying Knative manifests -set +e -for i in {1..5}; do - kustomize build common/knative/knative-serving/base | kubectl apply -f - - if [[ $? -eq 0 ]]; then - break - fi - echo "Retrying in 30 seconds..." - sleep 30 -done -set -e - -kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - -kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \ - --field-selector=status.phase!=Succeeded -kubectl patch cm config-domain --patch '{"data":{"example.com":""}}' -n knative-serving diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh index 1d84031d5..f65f7823f 100755 --- a/tests/gh-actions/install_knative.sh +++ b/tests/gh-actions/install_knative.sh @@ -15,8 +15,8 @@ for i in {1..5}; do done set -e -kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \ --field-selector=status.phase!=Succeeded From 10d13368a10d73f28fec6d20c57d7d018c0a832d Mon Sep 17 00:00:00 2001 From: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> Date: Mon, 4 Nov 2024 10:46:24 +0100 Subject: [PATCH 2/3] istio-cni installation script by default Signed-off-by: juliusvonkohout <45896133+juliusvonkohout@users.noreply.github.com> --- .github/workflows/admission_webhook_test.yaml | 4 ++-- .github/workflows/centraldashboard_test.yaml | 4 ++-- .github/workflows/dex_test.yaml | 2 +- .github/workflows/jupyter_web_application_test.yaml | 4 ++-- .github/workflows/katib_test.yaml | 4 ++-- .github/workflows/kserve_m2m_test.yaml | 4 ++-- .github/workflows/kserve_test.yaml | 2 +- .github/workflows/model_registry_test.yaml | 4 ++-- .github/workflows/notebook_controller_m2m_test.yaml | 4 ++-- .github/workflows/notebook_controller_test.yaml | 4 ++-- .github/workflows/pipeline_run_from_notebook.yaml | 4 ++-- .github/workflows/pipeline_swfs_test.yaml | 4 ++-- .github/workflows/pipeline_test.yaml | 4 ++-- .github/workflows/profiles_test.yaml | 4 ++-- .github/workflows/ray_test.yaml | 2 +- .github/workflows/spark_test.yaml | 2 +- .github/workflows/tensorboard_controller_test.yaml | 4 ++-- .github/workflows/tensorboards_web_application_test.yaml | 4 ++-- .github/workflows/training_operator_test.yaml | 4 ++-- .github/workflows/volumes_web_application_test.yaml | 4 ++-- 20 files changed, 36 insertions(+), 36 deletions(-) diff --git a/.github/workflows/admission_webhook_test.yaml b/.github/workflows/admission_webhook_test.yaml index fecfb8b5e..4ff9da9f8 100644 --- a/.github/workflows/admission_webhook_test.yaml +++ b/.github/workflows/admission_webhook_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/admission_webhook_test.yaml - apps/admission-webhook/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** @@ -20,7 +20,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install cert-manager run: ./tests/gh-actions/install_cert_manager.sh diff --git a/.github/workflows/centraldashboard_test.yaml b/.github/workflows/centraldashboard_test.yaml index 4ec4c0baf..1726f8e25 100644 --- a/.github/workflows/centraldashboard_test.yaml +++ b/.github/workflows/centraldashboard_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/centraldashboard_test.yaml - apps/centraldashboard/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh jobs: build: @@ -18,7 +18,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/dex_test.yaml b/.github/workflows/dex_test.yaml index 8a9be1347..1edcf8485 100644 --- a/.github/workflows/dex_test.yaml +++ b/.github/workflows/dex_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/dex_test.yaml - common/dex/base/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh jobs: build: diff --git a/.github/workflows/jupyter_web_application_test.yaml b/.github/workflows/jupyter_web_application_test.yaml index f1054d15b..85a93f1bb 100644 --- a/.github/workflows/jupyter_web_application_test.yaml +++ b/.github/workflows/jupyter_web_application_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/jupyter_web_application_test.yaml - apps/jupyter/jupyter-web-app/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh jobs: build: @@ -18,7 +18,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/katib_test.yaml b/.github/workflows/katib_test.yaml index 973fa1558..a59f4c820 100644 --- a/.github/workflows/katib_test.yaml +++ b/.github/workflows/katib_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/katib_test.yaml - apps/katib/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** @@ -20,7 +20,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install cert-manager run: ./tests/gh-actions/install_cert_manager.sh diff --git a/.github/workflows/kserve_m2m_test.yaml b/.github/workflows/kserve_m2m_test.yaml index 86e77f58c..2b9eb7338 100644 --- a/.github/workflows/kserve_m2m_test.yaml +++ b/.github/workflows/kserve_m2m_test.yaml @@ -7,7 +7,7 @@ on: - contrib/kserve/** - common/oauth2-proxy/** - common/istio*/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_oauth2-proxy.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** @@ -32,7 +32,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/kserve_test.yaml b/.github/workflows/kserve_test.yaml index 0a01979c7..675c27994 100644 --- a/.github/workflows/kserve_test.yaml +++ b/.github/workflows/kserve_test.yaml @@ -25,7 +25,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install cert-manager run: ./tests/gh-actions/install_cert_manager.sh diff --git a/.github/workflows/model_registry_test.yaml b/.github/workflows/model_registry_test.yaml index 79d23ac22..de2894390 100644 --- a/.github/workflows/model_registry_test.yaml +++ b/.github/workflows/model_registry_test.yaml @@ -6,7 +6,7 @@ on: paths: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - apps/model-registry/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -26,7 +26,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml index 0d829cd33..562111b0f 100644 --- a/.github/workflows/notebook_controller_m2m_test.yaml +++ b/.github/workflows/notebook_controller_m2m_test.yaml @@ -7,7 +7,7 @@ on: - apps/jupyter/** - common/oauth2-proxy/** - common/istio*/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_oauth2-proxy.sh - tests/gh-actions/install_multi_tenancy.sh @@ -28,7 +28,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/notebook_controller_test.yaml b/.github/workflows/notebook_controller_test.yaml index 31bba9579..02f603108 100644 --- a/.github/workflows/notebook_controller_test.yaml +++ b/.github/workflows/notebook_controller_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/notebook_controller_test.yaml - apps/jupyter/notebook-controller/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -19,7 +19,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml index 094315511..e95b21387 100644 --- a/.github/workflows/pipeline_run_from_notebook.yaml +++ b/.github/workflows/pipeline_run_from_notebook.yaml @@ -6,7 +6,7 @@ on: - .github/workflows/pipeline_run_from_notebook.yaml - apps/jupyter/notebook-controller/upstream/** - apps/pipeline/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - common/oauth2-proxy/** @@ -25,7 +25,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml index 9919bd2d2..0055926fd 100644 --- a/.github/workflows/pipeline_swfs_test.yaml +++ b/.github/workflows/pipeline_swfs_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/pipeline_swfs_test.yaml - apps/pipeline/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_cert_manager.sh - tests/gh-actions/install_oauth2-proxy.sh - common/cert-manager/** @@ -27,7 +27,7 @@ jobs: run: ./tests/gh-actions/install_kubectl.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml index a3afd9581..6e4d77ace 100644 --- a/.github/workflows/pipeline_test.yaml +++ b/.github/workflows/pipeline_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/pipeline_test.yaml - apps/pipeline/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - tests/gh-actions/install_cert_manager.sh - tests/gh-actions/install_oauth2-proxy.sh - common/cert-manager/** @@ -26,7 +26,7 @@ jobs: run: ./tests/gh-actions/install_kubectl.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/profiles_test.yaml b/.github/workflows/profiles_test.yaml index c1ad802a8..9ab59c625 100644 --- a/.github/workflows/profiles_test.yaml +++ b/.github/workflows/profiles_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/profiles_test.yaml - apps/profiles/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -19,7 +19,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/ray_test.yaml b/.github/workflows/ray_test.yaml index e66e02fbc..bebf81a43 100644 --- a/.github/workflows/ray_test.yaml +++ b/.github/workflows/ray_test.yaml @@ -17,7 +17,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/spark_test.yaml b/.github/workflows/spark_test.yaml index 327315929..2bdfe18c2 100644 --- a/.github/workflows/spark_test.yaml +++ b/.github/workflows/spark_test.yaml @@ -17,7 +17,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/tensorboard_controller_test.yaml b/.github/workflows/tensorboard_controller_test.yaml index f6b248fde..a5a7c8c98 100644 --- a/.github/workflows/tensorboard_controller_test.yaml +++ b/.github/workflows/tensorboard_controller_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/tensorboard_controller_test.yaml - apps/tensorboard/tensorboard-controller/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -19,7 +19,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/tensorboards_web_application_test.yaml b/.github/workflows/tensorboards_web_application_test.yaml index 377f83c47..dd7e5d68e 100644 --- a/.github/workflows/tensorboards_web_application_test.yaml +++ b/.github/workflows/tensorboards_web_application_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/tensorboards_web_application_test.yaml - apps/tensorboard/tensorboards-web-app/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -19,7 +19,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index 46337ba2c..6728d0624 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/training_operator_test.yaml - apps/training-operator/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** - tests/gh-actions/kf-objects/tfjob.yaml @@ -23,7 +23,7 @@ jobs: run: ./tests/gh-actions/install_kubectl.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Install oauth2-proxy run: ./tests/gh-actions/install_oauth2-proxy.sh diff --git a/.github/workflows/volumes_web_application_test.yaml b/.github/workflows/volumes_web_application_test.yaml index 7305d3bde..cbe337ad2 100644 --- a/.github/workflows/volumes_web_application_test.yaml +++ b/.github/workflows/volumes_web_application_test.yaml @@ -5,7 +5,7 @@ on: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/volumes_web_application_test.yaml - apps/volumes-web-app/upstream/** - - tests/gh-actions/install_istio.sh + - tests/gh-actions/install_istio-cni.sh - common/istio*/** jobs: @@ -19,7 +19,7 @@ jobs: run: ./tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - name: Install Istio - run: ./tests/gh-actions/install_istio.sh + run: ./tests/gh-actions/install_istio-cni.sh - name: Build & Apply manifests run: | From e57c0c491406ec10d35427c8a1e217035ca62e69 Mon Sep 17 00:00:00 2001 From: Michael Fraenkel <929377+fraenkel@users.noreply.github.com> Date: Wed, 11 Dec 2024 07:21:36 -0700 Subject: [PATCH 3/3] Disable init container injection for ray When istio is enabled, the kuberay-operator must disable the init container injection. See https://docs.ray.io/en/latest/cluster/kubernetes/k8s-ecosystem/istio.html#step-3-optional-enable-istio-mtls-strict-mode Signed-off-by: Michael Fraenkel <929377+fraenkel@users.noreply.github.com> --- .../overlays/kubeflow/disable-injection.yaml | 13 +++++++++++++ .../overlays/kubeflow/kustomization.yaml | 3 +++ contrib/ray/test.sh | 4 ++-- 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 contrib/ray/kuberay-operator/overlays/kubeflow/disable-injection.yaml diff --git a/contrib/ray/kuberay-operator/overlays/kubeflow/disable-injection.yaml b/contrib/ray/kuberay-operator/overlays/kubeflow/disable-injection.yaml new file mode 100644 index 000000000..bb757416a --- /dev/null +++ b/contrib/ray/kuberay-operator/overlays/kubeflow/disable-injection.yaml @@ -0,0 +1,13 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuberay-operator + namespace: kubeflow +spec: + template: + spec: + containers: + - name: kuberay-operator + env: + - name: ENABLE_INIT_CONTAINER_INJECTION + value: "false" diff --git a/contrib/ray/kuberay-operator/overlays/kubeflow/kustomization.yaml b/contrib/ray/kuberay-operator/overlays/kubeflow/kustomization.yaml index 5520f1897..49421b7e5 100644 --- a/contrib/ray/kuberay-operator/overlays/kubeflow/kustomization.yaml +++ b/contrib/ray/kuberay-operator/overlays/kubeflow/kustomization.yaml @@ -1,3 +1,6 @@ namespace: kubeflow resources: - ../../base + +patches: +- path: disable-injection.yaml diff --git a/contrib/ray/test.sh b/contrib/ray/test.sh index 71c8c5eae..02c82b4d5 100755 --- a/contrib/ray/test.sh +++ b/contrib/ray/test.sh @@ -33,7 +33,7 @@ kubectl label namespace $NAMESPACE istio-injection=enabled kubectl get namespaces --selector=istio-injection=enabled # Install KubeRay operator -kustomize build kuberay-operator/overlays/standalone | kubectl -n kubeflow apply --server-side -f - +kustomize build kuberay-operator/overlays/kubeflow | kubectl -n kubeflow apply --server-side -f - # Wait for the operator to be ready. kubectl -n kubeflow wait --for=condition=available --timeout=600s deploy/kuberay-operator @@ -87,4 +87,4 @@ for ((i=0; i