Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RHOAIENG-4873: Kserve self signed certs #241

Merged
merged 3 commits into from Apr 13, 2024
Merged

RHOAIENG-4873: Kserve self signed certs #241

merged 3 commits into from Apr 13, 2024

Conversation

jackdelahunt
Copy link
Contributor

@jackdelahunt jackdelahunt commented Apr 3, 2024
edited

Description

Add support for using self signed certs with kserve to download models from an object store

How Has This Been Tested?

  • Use the e2e test provided in the repo
  • Setup e2e tests as normal
make AWS_SECRET_ACCESS_KEY=... AWS_ACCESS_KEY_ID=... S3_REGION=... S3_ENDPOINT=... IMAGE_REGISTRY_USERNAME=...  IMAGE_REGISTRY_PASSWORD=... S3_BUCKET=... NAMESPACE=... TARGET_IMAGE_TAGS_JSON=... go-test-setup

  • Set the new env variable S3_SELF_SIGNED_CERT as the path to the cert

  • And then run

make AWS_SECRET_ACCESS_KEY=... AWS_ACCESS_KEY_ID=... S3_REGION=... S3_ENDPOINT=... IMAGE_REGISTRY_USERNAME=...  IMAGE_REGISTRY_PASSWORD=...  S3_BUCKET=... NAMESPACE=... TARGET_IMAGE_TAGS_JSON=... S3_SELF_SIGNED_CERT=... go-test

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@grdryn
Copy link
Member

grdryn commented Apr 9, 2024

@jackdelahunt I know this is marked as Draft, but just wondering if it's actually needed? What's the overlap with #230?

@jackdelahunt
Copy link
Contributor Author

@grdryn sorry I didn't update this much, this is for self signed certs with kserve. The other PR is just for git

@jackdelahunt jackdelahunt changed the title Draft: Kserve self signed certs RHOAIENG-4873: Kserve self signed certs Apr 11, 2024
@openshift-ci-robot
Copy link

openshift-ci-robot commented Apr 11, 2024
edited by openshift-ci bot

@jackdelahunt: This pull request references RHOAIENG-4873 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Description

How Has This Been Tested?

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot
Copy link

openshift-ci-robot commented Apr 11, 2024
edited by openshift-ci bot

@jackdelahunt: This pull request references RHOAIENG-4873 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set.

In response to this:

Description

Add support for using self signed certs with kserve to download models from an object store

How Has This Been Tested?

  • Use the e2e test provided in the repo
  • Setup e2e tests as normal
make AWS_SECRET_ACCESS_KEY=... AWS_ACCESS_KEY_ID=... S3_REGION=... S3_ENDPOINT=... IMAGE_REGISTRY_USERNAME=...  IMAGE_REGISTRY_PASSWORD=... S3_BUCKET=... NAMESPACE=... TARGET_IMAGE_TAGS_JSON=... go-test-setup

  • Set the new env variable S3_SELF_SIGNED_CERT as the path to the cert

  • And then run

make AWS_SECRET_ACCESS_KEY=... AWS_ACCESS_KEY_ID=... S3_REGION=... S3_ENDPOINT=... IMAGE_REGISTRY_USERNAME=...  IMAGE_REGISTRY_PASSWORD=...  S3_BUCKET=... NAMESPACE=... TARGET_IMAGE_TAGS_JSON=... S3_SELF_SIGNED_CERT=... go-test

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

grdryn
grdryn reviewed Apr 12, 2024
View reviewed changes
Copy link
Member

@grdryn grdryn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • I think we should prefer the term TLS cert rather than SSL cert.
  • Where we say "self-signed cert", should we instead be saying something like "certificate authority"? Just because a cert isn't trusted by default, doesn't mean that it's "self-signed", does it? It could be signed by a centralized CA owned by the users organisation, and I guess that's what they'd need to import here in that case, is it?

pipelines/tekton/aiedge-e2e/tasks/kserve-download-model.yaml Outdated Show resolved Hide resolved
test/e2e-tests/README.md Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
test/e2e-tests/README.md Outdated Show resolved Hide resolved
test/e2e-tests/README.md Outdated Show resolved Hide resolved
test/e2e-tests/support/options.go Outdated Show resolved Hide resolved
test/e2e-tests/support/options.go Outdated Show resolved Hide resolved
pipelines/tekton/aiedge-e2e/aiedge-e2e.pipeline.yaml Outdated Show resolved Hide resolved
@jackdelahunt
Copy link
Contributor Author

jackdelahunt commented Apr 12, 2024
edited

  • Where we say "self-signed cert", should we instead be saying something like "certificate authority"?

@grdryn
So the configmaps that get mounted to the pipeline runs are called git-self-signed-cert and s3-self-signed-cert. What should these be renamed to? Just git-cert, git-CA-cert or git-signed-cert?

And then of course same thing goes for changing the naming of things with self signed in them

@LaVLaS
Copy link
Member

LaVLaS commented Apr 12, 2024

  • I think we should prefer the term TLS cert rather than SSL cert.

While I agree TLS is the correct term there is potential confusion with underlying dependencies that still use the term SSL for their public confgs & apis (See #241 (comment)
). In documentation, we could enforce the use of SSL/TLS where both apply or just tls based features/configs that we own completely

Where we say "self-signed cert", should we instead be saying something like "certificate authority"? Just because a cert isn't trusted by default, doesn't mean that it's "self-signed", does it? It could be signed by a centralized CA owned by the users organisation, and I guess that's what they'd need to import here in that case, is it?

self-signed cert is relative to whether it's issuer has been included in the trusted Certificate Authority bundle for the environment. Your example is correct and we are generalizing all of these "not trusted by default certificates" under the term self-signed cert. In a perfect environment, this PR only adds support for working with S3 stores in non-production environments

@grdryn
Copy link
Member

grdryn commented Apr 12, 2024

While I agree TLS is the correct term there is potential confusion with underlying dependencies that still use the term SSL for their public confgs & apis (See #241 (comment)
). In documentation, we could enforce the use of SSL/TLS where both apply or just tls based features/configs that we own completely

I definitely haven't thought about this as much as you have (and don't necessarily fully understand all of the implications). My suggestion was mainly based on having a quick scan at other projects documentation, and how some appear to prefer "TLS certificate" rather than "SSL certificate" or SSL/TLS certificate". I don't have a strong enough opinion, so fine with it being ssl.

grdryn
grdryn approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@grdryn grdryn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve with one little inline comment.

@LaVLaS I think you've tested this, so I'll leave it to you to override the test job and give the lgtm

test/e2e-tests/README.md
- `GO` - Custom Go installation path that is not set in your `PATH`

```bash
- `S3_SELF_SIGNED_CERT` - Self signed cert to be used for S3 when pulling models
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- `S3_SELF_SIGNED_CERT` - Self signed cert to be used for S3 when pulling models

^ this looks like a mistake - it's already listed on line 41, and doesn't seem to make sense here inside this code block

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created a small follow up #248

LaVLaS
LaVLaS approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@LaVLaS LaVLaS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

Everything work as intended (success & expected failure) when a cert is required. Additionally, existing works flow where a cert is not required and omitted worked as inteded

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 12, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grdryn, LaVLaS

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@LaVLaS
Copy link
Member

LaVLaS commented Apr 13, 2024

I definitely haven't thought about this as much as you have (and don't necessarily fully understand all of the implications). My suggestion was mainly based on having a quick scan at other projects documentation, and how some appear to prefer "TLS certificate" rather than "SSL certificate" or SSL/TLS certificate". I don't have a strong enough opinion, so fine with it being ssl.

You are correct on the use of TLS over SSL. I have no object on using the TLS or at minimum SSL/TLS in all documentation. The use in the pipeline was just parity with its use in the git-clone task and kserve/storage library

@LaVLaS
Copy link
Member

LaVLaS commented Apr 13, 2024

/override ci/prow/test-ai-edge
/lgtm

Adding override due to openshift-ci downtime and offline tests were successful for each use case with/without certs and existing functionality was preserved

@openshift-ci openshift-ci bot added the lgtm label Apr 13, 2024
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Apr 13, 2024

@LaVLaS: Overrode contexts on behalf of LaVLaS: ci/prow/test-ai-edge

In response to this:

/override ci/prow/test-ai-edge
/lgtm

Adding override due to openshift-ci downtime and offline tests were successful for each use case with/without certs and existing functionality was preserved

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-bot openshift-merge-bot bot merged commit 242d58e into opendatahub-io:main Apr 13, 2024
2 checks passed
@jackdelahunt jackdelahunt deleted the kserve-ssc branch April 23, 2024 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@grdryn grdryn grdryn approved these changes

@LaVLaS LaVLaS LaVLaS approved these changes

Assignees

@LaVLaS LaVLaS

Labels
approved jira/valid-reference lgtm
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@jackdelahunt @grdryn @openshift-ci-robot @LaVLaS @openshift-merge-robot