odh_notebook_controller_integration_test.yaml
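---
# Integration test for the notebook controllers: builds both controller images
# with podman, loads them into a KinD cluster, applies the kubeflow and ODH
# manifests, then creates a sample Notebook and waits for it to become Ready.
#
# NOTE(review): there is no `permissions:` block, so GITHUB_TOKEN carries the
# repository/organisation default scopes. Declaring the minimum explicitly is
# the least-privilege option -- presumably `contents: read`, plus
# `packages: write` if `make docker-build` pushes to CACHE_IMAGE; confirm
# against the Makefiles before adding it.
#
# NOTE(review): the actions below are referenced by mutable major-version
# tags. Pinning each `uses:` to a full commit SHA (tag kept as a trailing
# comment) stops a re-pointed tag from changing what runs with GITHUB_TOKEN.
name: ODH Notebook Controller Integration Test
on:
  push:
  pull_request:
    paths:
      - .github/workflows/odh_notebook_controller_integration_test.yaml
      - components/notebook-controller/**
      - components/odh-notebook-controller/**
  workflow_dispatch:
env:
  TAG: integration-test
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install podman
        run: |
          # The default `bash -e` shell only checks the last command of a
          # pipeline (tee here), so a failed key download would not stop the
          # step. pipefail makes any failing stage abort it.
          set -o pipefail
          sudo mkdir -p /etc/apt/keyrings
          curl -fsSL https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/Release.key \
            | gpg --dearmor \
            | sudo tee /etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg > /dev/null
          # The continuation line inside the quotes must stay indented: that
          # whitespace is what separates the [options] from the repository URL.
          echo \
            "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/devel_kubic_libcontainers_unstable.gpg]\
              https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/unstable/xUbuntu_$(lsb_release -rs)/ /" \
            | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:unstable.list > /dev/null
          sudo apt-get update -qq
          sudo apt-get -qq -y install podman
          podman version
          # temporary fix for https://github.com/containers/podman/issues/21024
          # NOTE(review): this package is fetched and installed as root with no
          # integrity check beyond TLS, and its path is fixed to xUbuntu_22.04
          # while the job runs on ubuntu-latest. Consider verifying a pinned
          # digest before installing, e.g.
          #   echo '<EXPECTED_SHA256>  /tmp/conmon_2.1.2.deb' | sha256sum -c -
          wget https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_22.04/amd64/conmon_2.1.2~0_amd64.deb -O /tmp/conmon_2.1.2.deb
          sudo apt install /tmp/conmon_2.1.2.deb
          # Starting systemd user service
          systemctl --user daemon-reload
          systemctl --user start podman.socket
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Install Go
        uses: actions/setup-go@v5
        with:
          check-latest: true
          go-version-file: components/odh-notebook-controller/go.mod
          cache-dependency-path: components/odh-notebook-controller/go.sum
      - name: Build Notebook Controller Image
        run: |
          cd components/notebook-controller
          make docker-build
        env:
          IMG: notebook-controller
          CACHE_IMAGE: ghcr.io/${{ github.repository }}/components/notebook-controller/build-cache
      - name: Build ODH Notebook Controller Image
        run: |
          cd components/odh-notebook-controller
          make docker-build
        env:
          IMG: odh-notebook-controller
          CACHE_IMAGE: ghcr.io/${{ github.repository }}/components/odh-notebook-controller/build-cache
      - name: Install KinD
        run: ./components/testing/gh-actions/install_kind.sh
      - name: Create KinD Cluster
        run: kind create cluster --config components/testing/gh-actions/kind-1-25.yaml
      # IMG and TAG are read by the shell from the step environment instead of
      # being spliced into the script with workflow expressions, so their
      # values are always treated as data, never as script text.
      - name: Load image into KinD Cluster
        run: |
          podman save -o "${IMG}.tar" "localhost/${IMG}:${TAG}"
          kind load image-archive "${IMG}.tar"
        env:
          IMG: notebook-controller
      - name: Load odh image into KinD Cluster
        run: |
          podman save -o "${IMG}.tar" "localhost/${IMG}:${TAG}"
          kind load image-archive "${IMG}.tar"
        env:
          IMG: odh-notebook-controller
      - name: Install kustomize
        run: ./components/testing/gh-actions/install_kustomize.sh
      - name: Install Istio
        run: ./components/testing/gh-actions/install_istio.sh
      # Registers a schema-less stand-in for the OpenShift Route CRD so that
      # Route objects can be created in the KinD cluster.
      - name: Install fake OpenShift CRDs
        run: |
          kubectl apply -f - <<EOF
          ---
          apiVersion: apiextensions.k8s.io/v1
          kind: CustomResourceDefinition
          metadata:
            annotations:
              crd/fake: "true"
            name: routes.route.openshift.io
          spec:
            group: route.openshift.io
            names:
              kind: Route
              listKind: RouteList
              singular: route
              plural: routes
            scope: Namespaced
            versions:
              - name: v1
                schema:
                  openAPIV3Schema:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                served: true
                storage: true
          EOF
      - name: Build & Apply manifests
        run: |
          set -x
          # abort if kustomize or sed fails instead of applying partial output
          set -o pipefail
          cd components/notebook-controller/config/overlays/kubeflow
          kubectl create ns kubeflow
          export CURRENT_NOTEBOOK_IMG=docker.io/kubeflownotebookswg/notebook-controller
          export PR_NOTEBOOK_IMG="localhost/${IMG}:${TAG}"
          kustomize edit set image "${CURRENT_NOTEBOOK_IMG}=${PR_NOTEBOOK_IMG}"
          # configure culler
          cat <<EOF | kubectl apply -f -
          ---
          apiVersion: v1
          kind: ConfigMap
          metadata:
            name: notebook-controller-culler-config
            namespace: kubeflow
          data:
            ENABLE_CULLING: "true"
            CULL_IDLE_TIME: "60" # In minutes (1 hour)
            IDLENESS_CHECK_PERIOD: "5" # In minutes
          EOF
          kustomize build . | sed 's/imagePullPolicy: Always/imagePullPolicy: IfNotPresent/g' | kubectl apply -f -
          kubectl wait pods -n kubeflow -l app=notebook-controller --for=condition=Ready --timeout=100s
        env:
          IMG: notebook-controller
      - name: Print logs
        if: "!cancelled()"
        run: |
          kubectl describe pods -n kubeflow -l app=notebook-controller
          kubectl logs -n kubeflow -l app=notebook-controller
      - name: Build & Apply ODH manifests
        run: |
          set -x
          # abort if kustomize or sed fails instead of applying partial output
          set -o pipefail
          cd components/odh-notebook-controller/config/base
          kubectl create ns opendatahub
          echo "odh-notebook-controller-image=localhost/${IMG}:${TAG}" > params.env
          cat <<EOF | kubectl apply -f -
          ---
          apiVersion: v1
          kind: ConfigMap
          metadata:
            name: notebook-controller-culler-config
            namespace: opendatahub
          data:
            ENABLE_CULLING: "true"
            CULL_IDLE_TIME: "60" # In minutes (1 hour)
            IDLENESS_CHECK_PERIOD: "5" # In minutes
          EOF
          # odh-notebook-controller assumes that openshift-cert operator autocreates certificates when
          # resources have the label `service.beta.openshift.io/serving-cert-secret-name`
          # in kind we need to generate the certs ourselves, or use cert-operator (that's a kubebuilder recommendation)
          #
          # Throwaway test PKI: the CA and server keys are written unencrypted
          # (-nodes) into the working tree, and one server key pair is reused
          # for both the webhook and the notebook. That is only acceptable on
          # an ephemeral runner; do not upload these files as artifacts or
          # reuse them outside this job.
          openssl req -nodes -x509 -newkey rsa:4096 -sha256 -days 3650 -keyout ca-key.pem -out ca-cert.pem -subj "/CN=TestCA"
          openssl req -nodes -newkey rsa:4096 -keyout server-key.pem -out server-csr.pem -subj "/CN=ServerC" -addext "subjectAltName = DNS:odh-notebook-controller-webhook-service.opendatahub.svc,DNS:odh-notebook-controller-webhook-service.opendatahub.svc.cluster.local"
          openssl x509 -req -in server-csr.pem -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem -days 365 -copy_extensions copyall -ext subjectAltName
          # deploy certificate for the webhook
          openssl x509 -noout -text -in server-cert.pem
          kubectl create secret tls -n opendatahub odh-notebook-controller-webhook-cert --cert=server-cert.pem --key=server-key.pem
          # deploy certificate for the notebook we'll start later
          kubectl create secret tls minimal-notebook-tls --cert=server-cert.pem --key=server-key.pem
          # deploy odh-notebook-controller manifests
          # switching to unauthenticated oauth-proxy image, c.f. https://github.com/opendatahub-io/opendatahub-community/issues/100
          # (the replacement image is pinned by digest, so its content cannot change under the same reference)
          kustomize build . | \
            sed 's/imagePullPolicy: Always/imagePullPolicy: IfNotPresent/g' | \
            sed 's|registry.redhat.io/openshift4/ose-oauth-proxy.*|quay.io/openshift/origin-oauth-proxy@sha256:1ece77d14a685ef2397c3a327844eea45ded00c95471e9e333e35ef3860b1895|g' | \
            kubectl apply -f -
          # patch the webhook with our self-signed CA
          bundlePatch=$(cat <<END
          [{"op": "replace", "path": "/webhooks/0/clientConfig/caBundle", "value": "$(cat ca-cert.pem | base64 | tr -d '\n')" }]
          END
          )
          kubectl patch MutatingWebhookConfiguration/odh-notebook-controller-mutating-webhook-configuration --type=json -p="$bundlePatch"
          # wait for the good result
          kubectl wait pods -n opendatahub -l app=odh-notebook-controller --for=condition=Ready --timeout=100s
        env:
          IMG: odh-notebook-controller
      - name: Print ODH logs
        if: "!cancelled()"
        run: |
          kubectl describe pods -n opendatahub -l app=odh-notebook-controller
          kubectl logs -n opendatahub -l app=odh-notebook-controller
      # NOTE(review): NOTEBOOK_ARGS sets an empty token and password, so the
      # Jupyter server itself performs no authentication; access control then
      # depends on whatever fronts port 8888 (presumably the proxy requested by
      # the inject-oauth annotation -- confirm). Keep this to test manifests.
      # NOTE(review): `memory: 1m` requests one milli-byte, not one mebibyte;
      # this looks like a typo for `1Mi` or `1Gi` -- confirm before changing.
      # The notebook image is referenced by tag rather than by digest.
      - name: Create notebook and check it, this is from kubeflow readme
        run: |
          notebook_namespace=default
          cat <<EOF | kubectl apply -f -
          ---
          apiVersion: kubeflow.org/v1
          kind: Notebook
          metadata:
            name: minimal-notebook
            annotations:
              notebooks.opendatahub.io/inject-oauth: "true"
          spec:
            template:
              spec:
                containers:
                  - name: minimal-notebook
                    image: quay.io/thoth-station/s2i-minimal-notebook:v0.3.0
                    imagePullPolicy: Always
                    workingDir: /opt/app-root/src
                    env:
                      - name: NOTEBOOK_ARGS
                        value: |
                          --ServerApp.port=8888
                          --ServerApp.token=''
                          --ServerApp.password=''
                          --ServerApp.base_url=/notebook/${notebook_namespace}/minimal-notebook
                    ports:
                      - name: notebook-port
                        containerPort: 8888
                        protocol: TCP
                    resources:
                      requests:
                        cpu: "1"
                        memory: 1m
                      limits:
                        cpu: "1"
                        memory: 1Gi
                    livenessProbe:
                      initialDelaySeconds: 10
                      periodSeconds: 5
                      timeoutSeconds: 1
                      successThreshold: 1
                      failureThreshold: 3
                      httpGet:
                        scheme: HTTP
                        path: /notebook/${notebook_namespace}/minimal-notebook/api
                        port: notebook-port
          EOF
          # wait for the statefulset to be created
          timeout 100 bash -c -- 'until kubectl get statefulset minimal-notebook; do sleep 1; done'
          # wait for the good result
          kubectl rollout status --watch statefulset minimal-notebook
          kubectl wait statefulset minimal-notebook --for=jsonpath='{.spec.replicas}'=1 --timeout=100s
          kubectl rollout status --watch statefulset minimal-notebook --timeout=300s
          kubectl wait pods minimal-notebook-0 --for=condition=Ready --timeout=100s
      - name: Print notebook logs
        if: "!cancelled()"
        run: |
          kubectl describe notebooks
          kubectl describe statefulsets
          kubectl describe pods
          kubectl logs minimal-notebook-0
          kubectl describe routes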