
Added tests to tests/gh-actions to enable baseline and restricted PSS #106



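---
# CI workflow: brings up a KinD cluster with Istio external authentication and
# Kubeflow multi-tenancy, deploys the Jupyter web app and the notebook
# controller, then exercises machine-to-machine (m2m) auth by calling the
# Jupyter API with two ServiceAccount tokens: one that must be accepted (200)
# and one that must be rejected (403).
name: Test Notebook Controller with m2m auth manifests in KinD

on:  # yamllint disable-line rule:truthy
  pull_request:
    # Every file the steps below touch is listed so that a change to any of
    # them re-runs this workflow (kubectl installer, namespace/profile
    # manifests and the oidc-configurator wait script were previously missing).
    paths:
      - ".github/workflows/notebook_controller_m2m_test.yaml"
      - "tests/gh-actions/kind-cluster.yaml"
      - "tests/gh-actions/install_kind.sh"
      - "tests/gh-actions/install_kubectl.sh"
      - "tests/gh-actions/install_kustomize.sh"
      - "tests/gh-actions/install_istio_with_ext_auth.sh*"
      - "tests/gh-actions/install_multi_tenancy.sh"
      - "tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh"
      - "apps/jupyter/**"
      - "common/kubeflow-namespace/**"
      - "common/user-namespace/**"
      - "common/oidc-client/oauth2-proxy/**"
      - "common/istio*/**"

# The job only reads the repository; keep the GITHUB_TOKEN at least privilege.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # Pinned to a major tag. Pinning to a full commit SHA would make the
        # action immutable (supply-chain hardening); kept as-is to match the
        # rest of the repository's workflows.
        uses: actions/checkout@v4

      - name: Install KinD
        run: ./tests/gh-actions/install_kind.sh

      - name: Create KinD Cluster
        run: kind create cluster --config tests/gh-actions/kind-cluster.yaml

      - name: Install kubectl
        run: ./tests/gh-actions/install_kubectl.sh

      - name: Install kustomize
        run: ./tests/gh-actions/install_kustomize.sh

      - name: Create kubeflow namespace
        run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -

      - name: Install Istio with external authentication
        run: ./tests/gh-actions/install_istio_with_ext_auth.sh

      - name: Install kubeflow-istio-resources
        run: kustomize build common/istio-1-22/kubeflow-istio-resources/base | kubectl apply -f -

      - name: Install KF Multi Tenancy
        run: ./tests/gh-actions/install_multi_tenancy.sh

      - name: Build & Apply manifests
        run: |
          kustomize build apps/jupyter/jupyter-web-app/upstream/overlays/istio/ | kubectl apply -f -
          kustomize build apps/jupyter/notebook-controller/upstream/overlays/kubeflow/ | kubectl apply -f -
          # Completed Jobs never become Ready, so they are excluded from the wait.
          kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
            --field-selector=status.phase!=Succeeded

      - name: Create KF Profile
        run: kustomize build common/user-namespace/base | kubectl apply -f -

      - name: Port forward
        run: |
          INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
          nohup kubectl port-forward --namespace istio-system "svc/${INGRESS_GATEWAY_SERVICE}" 8080:80 &
          # Block until the forwarded port answers; any HTTP response counts.
          while ! curl --silent --output /dev/null localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready

      - name: Wait for the kubeflow-m2m-oidc-configurator Job
        run: ./tests/gh-actions/wait_for_kubeflow_m2m_oidc_configurator.sh

      - name: List notebooks over API with authorized SA Token
        # default-editor lives in the profile namespace and is expected to be
        # allowed to list notebooks there.
        run: |
          KF_PROFILE=kubeflow-user-example-com
          TOKEN="$(kubectl -n "${KF_PROFILE}" create token default-editor)"
          # No `-v`: verbose output would echo the Authorization header, i.e.
          # the bearer token, into the job log. The response body still goes to
          # stderr for debugging; only the status code is captured.
          STATUS_CODE=$(curl \
            --silent --output /dev/stderr --write-out "%{http_code}" \
            "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
            -H "Authorization: Bearer ${TOKEN}")
          if test "${STATUS_CODE}" -ne 200; then
            echo "Error, this call should be authorized to list notebooks in namespace ${KF_PROFILE}."
            exit 1
          fi

      - name: List notebooks over API with unauthorized SA Token
        # The `default` ServiceAccount of the `default` namespace is outside the
        # profile, so its (valid) token must be rejected with 403. The check is
        # exact: any other status, including 401 or 200, fails the step.
        run: |
          KF_PROFILE=kubeflow-user-example-com
          TOKEN="$(kubectl -n default create token default)"
          # No `-v`, for the same reason as in the authorized step: keep the
          # bearer token out of the job log.
          STATUS_CODE=$(curl \
            --silent --output /dev/stderr --write-out "%{http_code}" \
            "localhost:8080/jupyter/api/namespaces/${KF_PROFILE}/notebooks" \
            -H "Authorization: Bearer ${TOKEN}")
          if test "${STATUS_CODE}" -ne 403; then
            echo "Error, this call should fail to list notebooks in namespace ${KF_PROFILE}."
            exit 1
          fi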