chore update func tests for tls changes

Signed-off-by: Humair Khan <[email protected]>

api/v1alpha1/dspipeline_types.go

@@ -45,9 +45,10 @@ type DSPASpec struct {
 	// +kubebuilder:default:="v1"
 	DSPVersion string `json:"dspVersion,omitempty"`
 
-	// InterPodTLS Set to "enable" or "disable" tls communication between DSPA components. Default to "enable". Only supported in OpenShift.
-	// +kubebuilder:default:="enabled"
-	InterPodTLS string `json:"InterPodTLS,omitempty"`
+	// InterPodTLS Set to "true" or "false" tls communication between DSPA components. Default to enable Inter-Pod tls by setting to "true". Only supported in DSP V2 and OpenShift.
+	// +kubebuilder:default:=true
+	// +kubebuilder:validation:Optional
+	InterPodTLS *bool `json:"interPodTLS"`
 
 	// WorkflowController is an argo-specific component that manages a DSPA's Workflow objects and handles the orchestration of them with the central Argo server
 	// +kubebuilder:validation:Optional

config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml

@@ -35,12 +35,6 @@ spec:
             type: object
           spec:
             properties:
-              InterPodTLS:
-                default: enabled
-                description: InterPodTLS Set to "enable" or "disable" tls communication
-                  between DSPA components. Default to "enable". Only supported in
-                  OpenShift.
-                type: string
               apiServer:
                 default:
                   deploy: true
@@ -347,6 +341,12 @@ spec:
               dspVersion:
                 default: v1
                 type: string
+              interPodTLS:
+                default: true
+                description: InterPodTLS Set to "true" or "false" tls communication
+                  between DSPA components. Default to enable Inter-Pod tls by setting
+                  to "true". Only supported in DSP V2 and OpenShift.
+                type: boolean
               mlmd:
                 properties:
                   deploy:

config/internal/persistence-agent/deployment.yaml.tmpl

@@ -40,8 +40,10 @@ spec:
               {{ else }}
               value: PipelineRun
               {{ end }}
+            {{ if .InterPodTLS }}
             - name: SSL_CERT_DIR
               value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/"
+            {{ end }}
           image: "{{.PersistenceAgent.Image}}"
           imagePullPolicy: IfNotPresent
           name: ds-pipeline-persistenceagent

controllers/dspipeline_params.go

@@ -87,7 +87,7 @@ type DSPAParams struct {
 	CustomCABundle *dspa.CABundle
 	DSPONamespace  string
 	// Use to enable tls communication between component pods.
-	InterPodTLS string
+	InterPodTLS bool
 
 	APIServerServiceDNSName string
 }
@@ -578,7 +578,6 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 	p.Namespace = dsp.Namespace
 	p.DSPONamespace = os.Getenv("DSPO_NAMESPACE")
 	p.DSPVersion = dsp.Spec.DSPVersion
-	p.InterPodTLS = dsp.Spec.InterPodTLS
 	p.Owner = dsp
 	p.APIServer = dsp.Spec.APIServer.DeepCopy()
 	p.APIServerDefaultResourceName = apiServerDefaultResourceNamePrefix + dsp.Name
@@ -595,8 +594,19 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
 	p.MLMD = dsp.Spec.MLMD.DeepCopy()
 	p.CustomCABundleRootMountPath = config.CustomCABundleRootMountPath
 	p.PiplinesCABundleMountPath = config.GetCABundleFileMountPath()
+	p.InterPodTLS = false
 	dspTrustedCAConfigMapKey := config.CustomDSPTrustedCAConfigMapKey
 
+	// InterPodTLS is only used in v2 dsp
+	if p.UsingV2Pipelines(dsp) {
+		// by default it's enabled when omitted
+		if dsp.Spec.InterPodTLS == nil {
+			p.InterPodTLS = true
+		} else {
+			p.InterPodTLS = *dsp.Spec.InterPodTLS
+		}
+	}
+
 	log := loggr.WithValues("namespace", p.Namespace).WithValues("dspa_name", p.Name)
 
 	if p.APIServer != nil {

controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml

@@ -46,7 +46,7 @@ spec:
             - name: ARGO_ARCHIVE_LOGS
               value: "true"
             - name: ML_PIPELINE_SERVICE_HOST
-              value: ds-pipeline-testdsp2
+              value: ds-pipeline-testdsp2.default.svc.cluster.local
             - name: ML_PIPELINE_SERVICE_PORT
               value: '8888'
             - name: METADATA_ENVOY_SERVICE_SERVICE_HOST

controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml

@@ -46,7 +46,7 @@ spec:
             - name: ARGO_ARCHIVE_LOGS
               value: "true"
             - name: ML_PIPELINE_SERVICE_HOST
-              value: ds-pipeline-testdsp4
+              value: ds-pipeline-testdsp4.default.svc.cluster.local
             - name: ML_PIPELINE_SERVICE_PORT
               value: '8888'
             - name: METADATA_ENVOY_SERVICE_SERVICE_HOST

controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml

@@ -46,7 +46,7 @@ spec:
             - name: ARGO_ARCHIVE_LOGS
               value: "true"
             - name: ML_PIPELINE_SERVICE_HOST
-              value: ds-pipeline-testdsp5
+              value: ds-pipeline-testdsp5.default.svc.cluster.local
             - name: ML_PIPELINE_SERVICE_PORT
               value: '8888'
             - name: METADATA_ENVOY_SERVICE_SERVICE_HOST

controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml

@@ -115,6 +115,8 @@ spec:
           args:
             - --config=/config
             - -logtostderr=true
+            - --tlsCertPath=/etc/tls/private/tls.crt
+            - --tlsCertKeyPath=/etc/tls/private/tls.key
           ports:
             - containerPort: 8888
               name: http
@@ -123,29 +125,15 @@ spec:
               name: grpc
               protocol: TCP
           livenessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           readinessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           resources:
             requests:
               cpu: 250m
@@ -157,14 +145,17 @@ spec:
             - name: server-config
               mountPath: /config/config.json
               subPath: config.json
+            - mountPath: /etc/tls/private
+              name: proxy-tls
             - name: ca-bundle
               mountPath: /dspa/custom-certs
         - name: oauth-proxy
           args:
             - --https-address=:8443
             - --provider=openshift
             - --openshift-service-account=ds-pipeline-testdsp6
-            - --upstream=http://localhost:8888
+            - --upstream=https://ds-pipeline-testdsp6.default.svc.cluster.local:8888
+            - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
             - --tls-cert=/etc/tls/private/tls.crt
             - --tls-key=/etc/tls/private/tls.key
             - --cookie-secret=SECRET

controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml

@@ -108,6 +108,8 @@ spec:
             - --config=/config
             - -logtostderr=true
             - --sampleconfig=/config/sample_config.json
+            - --tlsCertPath=/etc/tls/private/tls.crt
+            - --tlsCertKeyPath=/etc/tls/private/tls.key
           ports:
             - containerPort: 8888
               name: http
@@ -116,29 +118,15 @@ spec:
               name: grpc
               protocol: TCP
           livenessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           readinessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           resources:
             requests:
               cpu: 1231m
@@ -150,6 +138,8 @@ spec:
             - name: server-config
               mountPath: /config/config.json
               subPath: config.json
+            - mountPath: /etc/tls/private
+              name: proxy-tls
             - mountPath: /config/sample_config.json
               name: sample-config
               subPath: sample_config.json
@@ -160,7 +150,8 @@ spec:
             - --https-address=:8443
             - --provider=openshift
             - --openshift-service-account=ds-pipeline-testdsp7
-            - --upstream=http://localhost:8888
+            - --upstream=https://ds-pipeline-testdsp7.default.svc.cluster.local:8888
+            - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
             - --tls-cert=/etc/tls/private/tls.crt
             - --tls-key=/etc/tls/private/tls.key
             - --cookie-secret=SECRET

controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml

@@ -46,9 +46,13 @@ spec:
             - name: ARGO_ARCHIVE_LOGS
               value: "true"
             - name: ML_PIPELINE_SERVICE_HOST
-              value: ds-pipeline-testdsp7
+              value: ds-pipeline-testdsp7.default.svc.cluster.local
             - name: ML_PIPELINE_SERVICE_PORT
               value: '8888'
+            - name: ML_PIPELINE_SERVICE_SCHEME
+              value: 'https'
+            - name: NODE_EXTRA_CA_CERTS
+              value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt'
             - name: METADATA_ENVOY_SERVICE_SERVICE_HOST
               value: ds-pipeline-md-testdsp7
             - name: METADATA_ENVOY_SERVICE_SERVICE_PORT

controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml

@@ -36,6 +36,8 @@ spec:
               value: ""
             - name: EXECUTIONTYPE
               value: Workflow
+            - name: SSL_CERT_DIR
+              value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/"
           image: persistenceagent:test7
           imagePullPolicy: IfNotPresent
           name: ds-pipeline-persistenceagent

controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml

@@ -115,6 +115,8 @@ spec:
           args:
             - --config=/config
             - -logtostderr=true
+            - --tlsCertPath=/etc/tls/private/tls.crt
+            - --tlsCertKeyPath=/etc/tls/private/tls.key
           ports:
             - containerPort: 8888
               name: http
@@ -123,29 +125,15 @@ spec:
               name: grpc
               protocol: TCP
           livenessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           readinessProbe:
-            exec:
-              command:
-                - wget
-                - -q
-                - -S
-                - -O
-                - '-'
-                - http://localhost:8888/apis/v1beta1/healthz
-            initialDelaySeconds: 3
-            periodSeconds: 5
-            timeoutSeconds: 2
+            httpGet:
+              path: /apis/v1beta1/healthz
+              port: http
+              scheme: HTTPS
           resources:
             requests:
               cpu: 250m
@@ -157,14 +145,17 @@ spec:
             - name: server-config
               mountPath: /config/config.json
               subPath: config.json
+            - mountPath: /etc/tls/private
+              name: proxy-tls
             - name: ca-bundle
               mountPath: /dsp-custom-certs
         - name: oauth-proxy
           args:
             - --https-address=:8443
             - --provider=openshift
             - --openshift-service-account=ds-pipeline-testdsp8
-            - --upstream=http://localhost:8888
+            - --upstream=https://ds-pipeline-testdsp8.default.svc.cluster.local:8888
+            - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
             - --tls-cert=/etc/tls/private/tls.crt
             - --tls-key=/etc/tls/private/tls.key
             - --cookie-secret=SECRET

controllers/testdata/declarative/case_9/config.yaml

@@ -0,0 +1,14 @@
+Images:
+  MlPipelineUI: frontend:test9
+  MariaDB: mariadb:test9
+  Minio: minio:test9
+  OAuthProxy: oauth-proxy:test9
+ImagesV2:
+  Argo:
+    ApiServer: api-server:test9
+    ArgoLauncherImage: argolauncherimage:test9
+    ArgoDriverImage: argodriverimage:test9
+    PersistentAgent: persistenceagent:test9
+DSPO:
+  ApiServer:
+    IncludeOwnerReference: false

controllers/testdata/declarative/case_9/deploy/00_cr.yaml

@@ -0,0 +1,22 @@
+# Test:
+# interPodTLS = false, should disable any tls configs for apiserver, pa, and kfp ui
+apiVersion: datasciencepipelinesapplications.opendatahub.io/v1alpha1
+kind: DataSciencePipelinesApplication
+metadata:
+  name: testdsp9
+spec:
+  dspVersion: v2
+  interPodTLS: false
+  objectStorage:
+    minio:
+      image: minio:test9
+  database:
+    mariaDB:
+      deploy: true
+  mlpipelineUI:
+    deploy: true
+    image: frontend:test9
+  apiServer:
+    deploy: true
+    enableOauth: true
+    enableSamplePipeline: false