From b61ae67f4a5793093cd22d36c06c312d33349015 Mon Sep 17 00:00:00 2001 From: Humair Khan Date: Mon, 27 May 2024 18:32:12 -0400 Subject: [PATCH] chore update func tests for tls changes chore: convert interpod tls field to bool Signed-off-by: Humair Khan --- api/v1alpha1/dspipeline_types.go | 6 +-- ...b.io_datasciencepipelinesapplications.yaml | 12 +++--- .../mlpipelines-ui/deployment.yaml.tmpl | 4 +- controllers/dspipeline_params.go | 2 +- .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/persistence-agent_deployment.yaml | 4 ++ .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/mlpipelines-ui_deployment.yaml | 8 +++- .../created/persistence-agent_deployment.yaml | 2 + .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/mlpipelines-ui_deployment.yaml | 8 +++- .../created/persistence-agent_deployment.yaml | 2 + .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/mlpipelines-ui_deployment.yaml | 8 +++- .../created/persistence-agent_deployment.yaml | 2 + .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/apiserver_deployment.yaml | 37 +++++++------------ .../created/mlpipelines-ui_deployment.yaml | 8 +++- .../created/persistence-agent_deployment.yaml | 2 + .../created/apiserver_deployment.yaml | 37 +++++++------------ tests/resources/dspa-lite.yaml | 1 + 22 files changed, 165 insertions(+), 200 deletions(-) diff --git a/api/v1alpha1/dspipeline_types.go b/api/v1alpha1/dspipeline_types.go index 21b5937f4..d15aeaa9e 100644 --- a/api/v1alpha1/dspipeline_types.go +++ b/api/v1alpha1/dspipeline_types.go 
@@ -45,9 +45,9 @@ type DSPASpec struct { // +kubebuilder:default:="v1" DSPVersion string `json:"dspVersion,omitempty"` - // InterPodTLS Set to "enable" or "disable" tls communication between DSPA components. Default to "enable". Only supported in OpenShift. - // +kubebuilder:default:="enabled" - InterPodTLS string `json:"InterPodTLS,omitempty"` + // InterPodTLS Set to "true" or "false" tls communication between DSPA components. Default to enable Inter-Pod tls by setting to "true". Only supported in OpenShift. + // +kubebuilder:default:=true + InterPodTLS bool `json:"interPodTLS,omitempty"` // WorkflowController is an argo-specific component that manages a DSPA's Workflow objects and handles the orchestration of them with the central Argo server // +kubebuilder:validation:Optional diff --git a/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml b/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml index dae078f5c..b14919357 100644 --- a/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml +++ b/config/crd/bases/datasciencepipelinesapplications.opendatahub.io_datasciencepipelinesapplications.yaml @@ -35,12 +35,6 @@ spec: type: object spec: properties: - InterPodTLS: - default: enabled - description: InterPodTLS Set to "enable" or "disable" tls communication - between DSPA components. Default to "enable". Only supported in - OpenShift. - type: string apiServer: default: deploy: true @@ -347,6 +341,12 @@ spec: dspVersion: default: v1 type: string + interPodTLS: + default: true + description: InterPodTLS Set to "true" or "false" tls communication + between DSPA components. Default to enable Inter-Pod tls by setting + to "true". Only supported in OpenShift. + type: boolean mlmd: properties: deploy: 
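Review bot: `InterPodTLS bool` combined with `omitempty` and `+kubebuilder:default:=true` cannot carry an explicit `false` through a typed Go client, because `omitempty` drops the zero value on marshal and the API server's defaulting then sets the field back to `true`. A `kubectl apply` of `interPodTLS: false` is unaffected, but a create or update issued from Go code using this struct would silently end up with TLS enabled. The usual pattern is a pointer, `InterPodTLS *bool` with the same `json:"interPodTLS,omitempty"` tag, with the controller treating nil as true. Separately, the key is renamed from `InterPodTLS` to `interPodTLS` and its type changes from string to bool, so existing resources that set the old key would presumably lose that setting and pick up the default; the field comment or release notes should say so. The DSPASpec struct continues outside the hunk.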
diff --git a/config/internal/mlpipelines-ui/deployment.yaml.tmpl b/config/internal/mlpipelines-ui/deployment.yaml.tmpl index dd865237a..05e6201bc 100644 --- a/config/internal/mlpipelines-ui/deployment.yaml.tmpl +++ b/config/internal/mlpipelines-ui/deployment.yaml.tmpl @@ -46,8 +46,6 @@ spec: value: "true" - name: ML_PIPELINE_SERVICE_HOST value: {{.APIServerServiceDNSName}} - - name: DISABLE_GKE_METADATA - value: 'true' - name: ML_PIPELINE_SERVICE_PORT value: '8888' {{ if .InterPodTLS }} @@ -78,6 +76,8 @@ spec: - name: AWS_SSL value: "false" {{ end }} + - name: DISABLE_GKE_METADATA + value: 'true' image: {{.MlPipelineUI.Image}} imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/dspipeline_params.go b/controllers/dspipeline_params.go index 94816f223..27f108081 100644 --- a/controllers/dspipeline_params.go +++ b/controllers/dspipeline_params.go @@ -87,7 +87,7 @@ type DSPAParams struct { CustomCABundle *dspa.CABundle DSPONamespace string // Use to enable tls communication between component pods. - InterPodTLS string + InterPodTLS bool APIServerServiceDNSName string } diff --git a/controllers/testdata/declarative/case_0/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_0/expected/created/apiserver_deployment.yaml index 7a9eb3302..209c50f20 100644 --- a/controllers/testdata/declarative/case_0/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_0/expected/created/apiserver_deployment.yaml @@ -118,6 +118,8 @@ spec: - --config=/config - -logtostderr=true - --sampleconfig=/config/sample_config.json + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http 
@@ -126,29 +128,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m @@ -160,6 +148,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - mountPath: /config/sample_config.json name: sample-config subPath: sample_config.json @@ -170,7 +160,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp0 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp0.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_0/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_0/expected/created/persistence-agent_deployment.yaml index ecce799ab..3cd18dd5b 100644 --- a/controllers/testdata/declarative/case_0/expected/created/persistence-agent_deployment.yaml +++ b/controllers/testdata/declarative/case_0/expected/created/persistence-agent_deployment.yaml @@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: PipelineRun + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: persistenceagent:test0 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent 
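Review bot: The new `httpGet` liveness and readiness probes drop the `initialDelaySeconds: 3`, `periodSeconds: 5` and `timeoutSeconds: 2` that the removed `exec` probes set, so the expected manifest now relies on the kubelet defaults (no initial delay, 10s period, 1s timeout). A 1s timeout on a TLS health check can cause spurious restarts or readiness flaps under load. If the looser timing is not intended, keep the three fields under each `httpGet` probe, for example `timeoutSeconds: 2`. The same expectation is repeated in the case_2 through case_8 apiserver fixtures. As this is expected test output, the fix belongs in the deployment template it mirrors, which is not visible here.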
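Review bot: `SSL_CERT_DIR` adds the whole `/var/run/secrets/kubernetes.io/serviceaccount/` directory as a trust store, which is broader than inter-pod TLS needs. Every PEM certificate in that directory (the cluster API `ca.crt` as well as `service-ca.crt`) would presumably become a trusted root for all outbound TLS from the persistence agent, and the service account token sits in the same directory. The oauth-proxy and UI changes in this patch point at the single file `service-ca.crt`; a dedicated directory or projection holding only that file would keep the agent's trust set equally narrow. The same value is expected in the case_2, case_4, case_5 and case_7 persistence-agent fixtures.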
@@ -48,6 +50,8 @@ spec: - "--namespace=default" - "--mlPipelineServiceHttpPort=8888" - "--mlPipelineServiceGRPCPort=8887" + - "--mlPipelineAPIServerName=https://ds-pipeline-testdsp0.default.svc.cluster.local:8888" + - "--mlPipelineServiceTLSEnabled=true" livenessProbe: exec: command: diff --git a/controllers/testdata/declarative/case_2/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_2/expected/created/apiserver_deployment.yaml index bc3b0a348..cdb71a077 100644 --- a/controllers/testdata/declarative/case_2/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_2/expected/created/apiserver_deployment.yaml @@ -118,6 +118,8 @@ spec: - --config=/config - -logtostderr=true - --sampleconfig=/config/sample_config.json + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -126,29 +128,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 1231m @@ -160,6 +148,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: testserverconfigmapkeydspa2 + - mountPath: /etc/tls/private + name: proxy-tls - mountPath: /config/sample_config.json name: sample-config subPath: sample_config.json 
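Review bot: `--mlPipelineAPIServerName` is given a full URL, `https://ds-pipeline-testdsp0.default.svc.cluster.local:8888`, although the port is already passed through `--mlPipelineServiceHttpPort=8888` and `--mlPipelineServiceGRPCPort=8887` just above. The UI fixtures in this patch pass the bare host name in `ML_PIPELINE_SERVICE_HOST`. If the agent builds its address from name plus port, as the separate flags suggest, a scheme and port inside the name would yield a malformed target; `--mlPipelineAPIServerName=ds-pipeline-testdsp0.default.svc.cluster.local` looks like the intended value. Only the case_0 persistence-agent fixture gains these two arguments, while case_2, case_4, case_5 and case_7 add `SSL_CERT_DIR` without them, so either those agents would still speak plain HTTP to a TLS-only API server or the fixtures are inconsistent. The container spec continues outside the hunk.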
@@ -170,7 +160,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp2 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp2.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml index 1cf56c112..48e42e49e 100644 --- a/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_2/expected/created/mlpipelines-ui_deployment.yaml @@ -46,9 +46,13 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp2 + value: ds-pipeline-testdsp2.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' + - name: ML_PIPELINE_SERVICE_SCHEME + value: 'https' + - name: NODE_EXTRA_CA_CERTS + value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST value: ds-pipeline-md-testdsp2 - name: METADATA_ENVOY_SERVICE_SERVICE_PORT @@ -69,6 +73,8 @@ spec: value: "minio-testdsp2.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test2 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_2/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_2/expected/created/persistence-agent_deployment.yaml index db064397e..d17f64b9b 100644 --- a/controllers/testdata/declarative/case_2/expected/created/persistence-agent_deployment.yaml +++ b/controllers/testdata/declarative/case_2/expected/created/persistence-agent_deployment.yaml 
@@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: PipelineRun + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: persistenceagent:test2 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/testdata/declarative/case_3/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_3/expected/created/apiserver_deployment.yaml index 04f463221..64ec990ae 100644 --- a/controllers/testdata/declarative/case_3/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_3/expected/created/apiserver_deployment.yaml @@ -117,6 +117,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -125,33 +127,21 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS volumeMounts: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls resources: requests: cpu: 250m 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp3 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp3.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_4/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_4/expected/created/apiserver_deployment.yaml index ae5c86efe..8048a5c81 100644 --- a/controllers/testdata/declarative/case_4/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_4/expected/created/apiserver_deployment.yaml @@ -118,9 +118,13 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -129,29 +133,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 1231m 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp4 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp4.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml index f54c405fa..6cf9be790 100644 --- a/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_4/expected/created/mlpipelines-ui_deployment.yaml @@ -46,9 +46,13 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp4 + value: ds-pipeline-testdsp4.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' + - name: ML_PIPELINE_SERVICE_SCHEME + value: 'https' + - name: NODE_EXTRA_CA_CERTS + value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST value: ds-pipeline-md-testdsp4 - name: METADATA_ENVOY_SERVICE_SERVICE_PORT @@ -69,6 +73,8 @@ spec: value: "minio-testdsp4.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: this-frontend-image-from-cr-should-be-used:test4 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_4/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_4/expected/created/persistence-agent_deployment.yaml index c4118d680..02d88df9c 100644 --- a/controllers/testdata/declarative/case_4/expected/created/persistence-agent_deployment.yaml 
+++ b/controllers/testdata/declarative/case_4/expected/created/persistence-agent_deployment.yaml @@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: PipelineRun + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: this-persistenceagent-image-from-cr-should-be-used:test4 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/testdata/declarative/case_5/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_5/expected/created/apiserver_deployment.yaml index a295fabdc..c3669071c 100644 --- a/controllers/testdata/declarative/case_5/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_5/expected/created/apiserver_deployment.yaml @@ -121,6 +121,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -129,29 +131,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m 
@@ -163,12 +151,15 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - name: oauth-proxy args: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp5 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp5.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml index 83dd546b0..a9d45ae43 100644 --- a/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_5/expected/created/mlpipelines-ui_deployment.yaml @@ -46,9 +46,13 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp5 + value: ds-pipeline-testdsp5.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' + - name: ML_PIPELINE_SERVICE_SCHEME + value: 'https' + - name: NODE_EXTRA_CA_CERTS + value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST value: ds-pipeline-md-testdsp5 - name: METADATA_ENVOY_SERVICE_SERVICE_PORT @@ -69,6 +73,8 @@ spec: value: "minio-testdsp5.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test5 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_5/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_5/expected/created/persistence-agent_deployment.yaml index 2a22a22ae..3c7f13e0a 100644 
--- a/controllers/testdata/declarative/case_5/expected/created/persistence-agent_deployment.yaml +++ b/controllers/testdata/declarative/case_5/expected/created/persistence-agent_deployment.yaml @@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: PipelineRun + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: persistenceagent:test5 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml index 0b09dc9c5..d10ec0d31 100644 --- a/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_6/expected/created/apiserver_deployment.yaml @@ -115,6 +115,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -123,29 +125,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m @@ -157,6 +145,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - name: ca-bundle mountPath: /dspa/custom-certs - name: oauth-proxy 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp6 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp6.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml index 2bbee637a..999511351 100644 --- a/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/apiserver_deployment.yaml @@ -108,6 +108,8 @@ spec: - --config=/config - -logtostderr=true - --sampleconfig=/config/sample_config.json + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -116,29 +118,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 1231m @@ -150,6 +138,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - mountPath: /config/sample_config.json name: sample-config subPath: sample_config.json 
@@ -160,7 +150,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp7 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp7.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml index a3215a5be..560283963 100644 --- a/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/mlpipelines-ui_deployment.yaml @@ -46,9 +46,13 @@ spec: - name: ARGO_ARCHIVE_LOGS value: "true" - name: ML_PIPELINE_SERVICE_HOST - value: ds-pipeline-testdsp7 + value: ds-pipeline-testdsp7.default.svc.cluster.local - name: ML_PIPELINE_SERVICE_PORT value: '8888' + - name: ML_PIPELINE_SERVICE_SCHEME + value: 'https' + - name: NODE_EXTRA_CA_CERTS + value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt' - name: METADATA_ENVOY_SERVICE_SERVICE_HOST value: ds-pipeline-md-testdsp7 - name: METADATA_ENVOY_SERVICE_SERVICE_PORT @@ -69,6 +73,8 @@ spec: value: "minio-testdsp7.default.svc.cluster.local" - name: AWS_SSL value: "false" + - name: DISABLE_GKE_METADATA + value: 'true' image: frontend:test7 imagePullPolicy: IfNotPresent livenessProbe: diff --git a/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml b/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml index abcb70d3e..a19952843 100644 --- a/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml +++ b/controllers/testdata/declarative/case_7/expected/created/persistence-agent_deployment.yaml 
@@ -36,6 +36,8 @@ spec: value: "" - name: EXECUTIONTYPE value: Workflow + - name: SSL_CERT_DIR + value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/" image: persistenceagent:test7 imagePullPolicy: IfNotPresent name: ds-pipeline-persistenceagent diff --git a/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml b/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml index 4b94b262b..540d1dc7b 100644 --- a/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml +++ b/controllers/testdata/declarative/case_8/expected/created/apiserver_deployment.yaml @@ -115,6 +115,8 @@ spec: args: - --config=/config - -logtostderr=true + - --tlsCertPath=/etc/tls/private/tls.crt + - --tlsCertKeyPath=/etc/tls/private/tls.key ports: - containerPort: 8888 name: http @@ -123,29 +125,15 @@ spec: name: grpc protocol: TCP livenessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS readinessProbe: - exec: - command: - - wget - - -q - - -S - - -O - - '-' - - http://localhost:8888/apis/v1beta1/healthz - initialDelaySeconds: 3 - periodSeconds: 5 - timeoutSeconds: 2 + httpGet: + path: /apis/v1beta1/healthz + port: http + scheme: HTTPS resources: requests: cpu: 250m @@ -157,6 +145,8 @@ spec: - name: server-config mountPath: /config/config.json subPath: config.json + - mountPath: /etc/tls/private + name: proxy-tls - name: ca-bundle mountPath: /dsp-custom-certs - name: oauth-proxy 
@@ -164,7 +154,8 @@ spec: - --https-address=:8443 - --provider=openshift - --openshift-service-account=ds-pipeline-testdsp8 - - --upstream=http://localhost:8888 + - --upstream=https://ds-pipeline-testdsp8.default.svc.cluster.local:8888 + - --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - --tls-cert=/etc/tls/private/tls.crt - --tls-key=/etc/tls/private/tls.key - --cookie-secret=SECRET diff --git a/tests/resources/dspa-lite.yaml b/tests/resources/dspa-lite.yaml index 531b353cb..b8ded38d3 100644 --- a/tests/resources/dspa-lite.yaml +++ b/tests/resources/dspa-lite.yaml @@ -4,6 +4,7 @@ metadata: name: test-dspa spec: dspVersion: v2 + interPodTLS: false apiServer: deploy: true enableOauth: false