New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RHOAIENG-4873: Kserve self signed certs #241
RHOAIENG-4873: Kserve self signed certs #241
Conversation
@jackdelahunt I know this is marked as Draft, but just wondering if it's actually needed? What's the overlap with #230? |
@grdryn sorry I didn't update this much, this is for self signed certs with kserve. The other PR is just for git |
@jackdelahunt: This pull request references RHOAIENG-4873 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
9020cdf
to
c9116fc
Compare
@jackdelahunt: This pull request references RHOAIENG-4873 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.16.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- I think we should prefer the term TLS cert rather than SSL cert.
- Where we say "self-signed cert", should we instead be saying something like "certificate authority"? Just because a cert isn't trusted by default, doesn't mean that it's "self-signed", does it? It could be signed by a centralized CA owned by the users organisation, and I guess that's what they'd need to import here in that case, is it?
@grdryn And then of course same thing goes for changing the naming of things with self signed in them |
a07f46d
to
f7cdf22
Compare
While I agree TLS is the correct term there is potential confusion with underlying dependencies that still use the term
|
I definitely haven't thought about this as much as you have (and don't necessarily fully understand all of the implications). My suggestion was mainly based on having a quick scan at other projects documentation, and how some appear to prefer "TLS certificate" rather than "SSL certificate" or SSL/TLS certificate". I don't have a strong enough opinion, so fine with it being ssl. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve with one little inline comment.
@LaVLaS I think you've tested this, so I'll leave it to you to override the test job and give the lgtm
- `GO` - Custom Go installation path that is not set in your `PATH` | ||
|
||
```bash | ||
- `S3_SELF_SIGNED_CERT` - Self signed cert to be used for S3 when pulling models |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- `S3_SELF_SIGNED_CERT` - Self signed cert to be used for S3 when pulling models |
^ this looks like a mistake - it's already listed on line 41, and doesn't seem to make sense here inside this code block
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created a small follow up #248
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Everything work as intended (success & expected failure) when a cert is required. Additionally, existing works flow where a cert is not required and omitted worked as inteded
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: grdryn, LaVLaS The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
You are correct on the use of TLS over SSL. I have no object on using the |
/override ci/prow/test-ai-edge Adding override due to openshift-ci downtime and offline tests were successful for each use case with/without certs and existing functionality was preserved |
@LaVLaS: Overrode contexts on behalf of LaVLaS: ci/prow/test-ai-edge In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Description
Add support for using self signed certs with kserve to download models from an object store
How Has This Been Tested?
Set the new env variable
S3_SELF_SIGNED_CERT
as the path to the certAnd then run
Merge criteria: