add apiserver tls support
* add openshift ingress cabundle to pa/apiserver/ui
* add ui tls enabled kfp server client

Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
HumairAK committed Jul 15, 2024
1 parent 8280dcd commit e356aa1
Showing 23 changed files with 632 additions and 92 deletions.
6 changes: 6 additions & 0 deletions api/v1alpha1/dspipeline_types.go
Expand Up @@ -44,6 +44,12 @@ type DSPASpec struct {
// +kubebuilder:validation:Optional
// +kubebuilder:default:="v1"
DSPVersion string `json:"dspVersion,omitempty"`

// PodToPodTLS Set to "true" or "false" tls communication between DSPA components. Default to enable Inter-Pod tls by setting to "true". Only supported in DSP V2 on OpenShift.
// +kubebuilder:default:=true
// +kubebuilder:validation:Optional
PodToPodTLS *bool `json:"podToPodTLS"`

// WorkflowController is an argo-specific component that manages a DSPA's Workflow objects and handles the orchestration of them with the central Argo server
// +kubebuilder:validation:Optional
*WorkflowController `json:"workflowController,omitempty"`
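Review bot: The doc comment on the new PodToPodTLS field does not parse as a sentence ("Set to "true" or "false" tls communication between DSPA components"), and this text is what ends up verbatim in the CRD description, so it is worth fixing here rather than in the generated file; suggested wording: `// PodToPodTLS enables TLS for communication between DSPA components. Defaults to true when omitted. Only supported in DSP V2 on OpenShift.`. Unlike its siblings the json tag has no `omitempty`, so a nil pointer is serialised by encoding/json as an explicit `null` instead of being left absent; `json:"podToPodTLS,omitempty"` would match the rest of the struct and keep the kubebuilder default path unambiguous. The DSPASpec struct continues outside the hunk.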
5 changes: 5 additions & 0 deletions api/v1alpha1/zz_generated.deepcopy.go


Expand Up @@ -748,6 +748,12 @@ spec:
type: object
type: object
type: object
podToPodTLS:
default: true
description: PodToPodTLS Set to "true" or "false" tls communication
between DSPA components. Default to enable Inter-Pod tls by setting
to "true". Only supported in DSP V2 on OpenShift.
type: boolean
scheduledWorkflow:
default:
deploy: true
47 changes: 31 additions & 16 deletions config/internal/apiserver/default/deployment.yaml.tmpl
Expand Up @@ -116,6 +116,10 @@ spec:
value: "ds-pipeline-{{.Name}}.{{.Namespace}}.svc.cluster.local"
- name: ML_PIPELINE_SERVICE_PORT_GRPC
value: "8887"
{{ if .PodToPodTLS }}
- name: ML_PIPELINE_TLS_ENABLED
value: "true"
{{ end }}
{{ if (eq .DSPVersion "v2") }}
## Argo-Specific Env Vars ##
- name: EXECUTIONTYPE
Expand Down Expand Up @@ -179,32 +183,32 @@ spec:
{{ if .APIServer.EnableSamplePipeline }}
- --sampleconfig=/config/sample_config.json
{{ end }}
{{ if .PodToPodTLS }}
- --tlsCertPath=/etc/tls/private/tls.crt
- --tlsCertKeyPath=/etc/tls/private/tls.key
{{ end }}
ports:
- containerPort: 8888
name: http
- containerPort: 8887
name: grpc
livenessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
httpGet:
path: /apis/v1beta1/healthz
port: http
{{ if .PodToPodTLS }}
scheme: HTTPS
{{ end }}
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
readinessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
httpGet:
path: /apis/v1beta1/healthz
port: http
{{ if .PodToPodTLS }}
scheme: HTTPS
{{ end }}
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
Expand All @@ -231,6 +235,10 @@ spec:
- name: server-config
mountPath: /config/config.json
subPath: {{ .APIServer.CustomServerConfig.Key }}
{{ if .PodToPodTLS }}
- mountPath: /etc/tls/private
name: proxy-tls
{{ end }}
{{ if or .APIServer.EnableSamplePipeline .CustomCABundle }}
{{ if .APIServer.EnableSamplePipeline }}
- name: sample-config
Expand All @@ -250,7 +258,14 @@ spec:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account={{.APIServerDefaultResourceName}}
{{ if .PodToPodTLS }}
# because we use certs signed by openshift, these certs are not valid for
# localhost, thus we have to use the service name
- --upstream=https://{{.APIServerServiceDNSName}}:8888
- --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
{{ else }}
- --upstream=http://localhost:8888
{{ end }}
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret=SECRET
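Review bot: Switching the oauth-proxy upstream from localhost to `https://{{.APIServerServiceDNSName}}:8888` changes the request path, not just the scheme: the sidecar now goes through the Service instead of the api-server in its own pod, so with more than one replica a request may be forwarded to a different pod, and the Service must expose port 8888 (not visible in this hunk). The template comment explains why localhost cannot be used but not this consequence; extending it with `# note: upstream traffic now hairpins through the Service and may reach another replica` would make the trade-off explicit. With the tlsCertPath flags set the api-server presumably only serves TLS on 8888 when PodToPodTLS is on, so any other in-cluster client of that port that this commit does not update (I can only see the persistence agent and UI on this page) would need the same scheme/CA change. The container spec continues outside the hunk.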
8 changes: 7 additions & 1 deletion config/internal/mlpipelines-ui/deployment.yaml.tmpl
Expand Up @@ -45,9 +45,15 @@ spec:
- name: ARGO_ARCHIVE_LOGS
value: "true"
- name: ML_PIPELINE_SERVICE_HOST
value: ds-pipeline-{{.Name}}
value: {{.APIServerServiceDNSName}}
- name: ML_PIPELINE_SERVICE_PORT
value: '8888'
{{ if .PodToPodTLS }}
- name: ML_PIPELINE_SERVICE_SCHEME
value: 'https'
- name: NODE_EXTRA_CA_CERTS
value: '/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt'
{{ end }}
- name: METADATA_ENVOY_SERVICE_SERVICE_HOST
value: ds-pipeline-md-{{.Name}}
- name: METADATA_ENVOY_SERVICE_SERVICE_PORT
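Review bot: `NODE_EXTRA_CA_CERTS` accepts a single file path and is read once at Node start-up, so pointing it at service-ca.crt here leaves no way to add a second CA through the same variable; if the UI is also meant to trust a custom CA bundle (the commit message mentions a CA bundle for the UI, but that is not visible in this hunk), the two would have to be concatenated into one file or the custom bundle would silently not be trusted. A comment next to the variable, e.g. `# NODE_EXTRA_CA_CERTS takes one file only; merge any additional CAs into it`, would stop the next change from adding a second path that Node ignores. The env list continues outside the hunk.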
9 changes: 8 additions & 1 deletion config/internal/persistence-agent/deployment.yaml.tmpl
Expand Up @@ -40,6 +40,10 @@ spec:
{{ else }}
value: PipelineRun
{{ end }}
{{ if .PodToPodTLS }}
- name: SSL_CERT_DIR
value: "/etc/pki/tls/certs:/var/run/secrets/kubernetes.io/serviceaccount/"
{{ end }}
image: "{{.PersistenceAgent.Image}}"
imagePullPolicy: IfNotPresent
name: ds-pipeline-persistenceagent
Expand All @@ -48,7 +52,10 @@ spec:
- "--logtostderr=true"
- "--ttlSecondsAfterWorkflowFinish=86400"
- "--numWorker={{.PersistenceAgent.NumWorkers}}"
- "--mlPipelineAPIServerName={{.APIServerServiceName}}"
- "--mlPipelineAPIServerName={{.APIServerServiceDNSName}}"
{{ if .PodToPodTLS }}
- "--mlPipelineServiceTLSEnabled=true"
{{ end }}
- "--namespace={{.Namespace}}"
- "--mlPipelineServiceHttpPort=8888"
- "--mlPipelineServiceGRPCPort=8887"
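Review bot: Setting `SSL_CERT_DIR` replaces Go's default certificate directory list rather than extending it (the default bundle files are still read), so only `/etc/pki/tls/certs` and the service-account directory are scanned; a custom CA bundle mounted anywhere else for this container would not be picked up, and splitting the value on `:` relies on a Go toolchain that accepts multiple directories in SSL_CERT_DIR, which this page does not show. A comment above the variable stating both assumptions, e.g. `# overrides Go's default CA directories; any extra CA bundle must be mounted under one of these paths`, would make the constraint explicit. The container spec continues outside the hunk.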
2 changes: 1 addition & 1 deletion config/overlays/make-deploy/kustomization.yaml
Expand Up @@ -9,4 +9,4 @@ patchesStrategicMerge:
images:
- name: controller
newName: quay.io/opendatahub/data-science-pipelines-operator
newTag: main
newTag: pr-656
18 changes: 18 additions & 0 deletions controllers/dspipeline_params.go
Expand Up @@ -86,6 +86,10 @@ type DSPAParams struct {
// pipeline pods
CustomCABundle *dspa.CABundle
DSPONamespace string
// Use to enable tls communication between component pods.
PodToPodTLS bool

APIServerServiceDNSName string
}

type DBConnection struct {
Expand Down Expand Up @@ -578,6 +582,7 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
p.APIServer = dsp.Spec.APIServer.DeepCopy()
p.APIServerDefaultResourceName = apiServerDefaultResourceNamePrefix + dsp.Name
p.APIServerServiceName = fmt.Sprintf("%s-%s", config.DSPServicePrefix, p.Name)
p.APIServerServiceDNSName = fmt.Sprintf("%s.%s.svc.cluster.local", p.APIServerServiceName, p.Namespace)
p.ScheduledWorkflow = dsp.Spec.ScheduledWorkflow.DeepCopy()
p.ScheduledWorkflowDefaultResourceName = scheduledWorkflowDefaultResourceNamePrefix + dsp.Name
p.PersistenceAgent = dsp.Spec.PersistenceAgent.DeepCopy()
Expand All @@ -589,8 +594,19 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
p.MLMD = dsp.Spec.MLMD.DeepCopy()
p.CustomCABundleRootMountPath = config.CustomCABundleRootMountPath
p.PiplinesCABundleMountPath = config.GetCABundleFileMountPath()
p.PodToPodTLS = false
dspTrustedCAConfigMapKey := config.CustomDSPTrustedCAConfigMapKey

// PodToPodTLS is only used in v2 dsp
if p.UsingV2Pipelines(dsp) {
// by default it's enabled when omitted
if dsp.Spec.PodToPodTLS == nil {
p.PodToPodTLS = true
} else {
p.PodToPodTLS = *dsp.Spec.PodToPodTLS
}
}

log := loggr.WithValues("namespace", p.Namespace).WithValues("dspa_name", p.Name)

if p.APIServer != nil {
Expand Down Expand Up @@ -683,6 +699,8 @@ func (p *DSPAParams) ExtractParams(ctx context.Context, dsp *dspa.DataSciencePip
}
}

// If ODH bundle is not present and

if p.APIServer.CABundleFileMountPath != "" {
p.CustomCABundleRootMountPath = p.APIServer.CABundleFileMountPath
}
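Review bot: The comment added in the last hunk, `// If ODH bundle is not present and`, is an unfinished sentence followed by a blank line, and the guard under it (`if p.APIServer.CABundleFileMountPath != ""`) is pre-existing code, so it reads as a leftover; either complete it, e.g. `// If the DSPA specifies its own CA bundle mount path, use it instead of the default root mount path`, or drop it. Separately, `APIServerServiceDNSName` hard-codes the `svc.cluster.local` suffix; clusters with a non-default DNS domain would not resolve it, and `<svc>.<ns>.svc` is the shorter form that the service-ca serving certificate also covers — I cannot tell from this page whether the rest of the operator already assumes cluster.local. ExtractParams starts and ends outside these hunks.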
Expand Up @@ -46,7 +46,7 @@ spec:
- name: ARGO_ARCHIVE_LOGS
value: "true"
- name: ML_PIPELINE_SERVICE_HOST
value: ds-pipeline-testdsp2
value: ds-pipeline-testdsp2.default.svc.cluster.local
- name: ML_PIPELINE_SERVICE_PORT
value: '8888'
- name: METADATA_ENVOY_SERVICE_SERVICE_HOST
Expand Up @@ -46,7 +46,7 @@ spec:
- name: ARGO_ARCHIVE_LOGS
value: "true"
- name: ML_PIPELINE_SERVICE_HOST
value: ds-pipeline-testdsp4
value: ds-pipeline-testdsp4.default.svc.cluster.local
- name: ML_PIPELINE_SERVICE_PORT
value: '8888'
- name: METADATA_ENVOY_SERVICE_SERVICE_HOST
Expand Up @@ -46,7 +46,7 @@ spec:
- name: ARGO_ARCHIVE_LOGS
value: "true"
- name: ML_PIPELINE_SERVICE_HOST
value: ds-pipeline-testdsp5
value: ds-pipeline-testdsp5.default.svc.cluster.local
- name: ML_PIPELINE_SERVICE_PORT
value: '8888'
- name: METADATA_ENVOY_SERVICE_SERVICE_HOST
Expand Up @@ -91,6 +91,8 @@ spec:
value: ds-pipeline-testdsp6.default.svc.cluster.local
- name: ML_PIPELINE_SERVICE_PORT_GRPC
value: "8887"
- name: ML_PIPELINE_TLS_ENABLED
value: "true"
- name: EXECUTIONTYPE
value: Workflow
- name: DB_DRIVER_NAME
Expand All @@ -115,6 +117,8 @@ spec:
args:
- --config=/config
- -logtostderr=true
- --tlsCertPath=/etc/tls/private/tls.crt
- --tlsCertKeyPath=/etc/tls/private/tls.key
ports:
- containerPort: 8888
name: http
Expand All @@ -123,29 +127,15 @@ spec:
name: grpc
protocol: TCP
livenessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
httpGet:
path: /apis/v1beta1/healthz
port: http
scheme: HTTPS
readinessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
httpGet:
path: /apis/v1beta1/healthz
port: http
scheme: HTTPS
resources:
requests:
cpu: 250m
Expand All @@ -157,14 +147,17 @@ spec:
- name: server-config
mountPath: /config/config.json
subPath: config.json
- mountPath: /etc/tls/private
name: proxy-tls
- name: ca-bundle
mountPath: /dspa/custom-certs
- name: oauth-proxy
args:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=ds-pipeline-testdsp6
- --upstream=http://localhost:8888
- --upstream=https://ds-pipeline-testdsp6.default.svc.cluster.local:8888
- --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret=SECRET
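Review bot: This expected-output fixture (and the testdsp7 one below it) pins only the PodToPodTLS-enabled rendering — HTTPS probes, the `proxy-tls` mount in the api-server container and the service-name upstream with `--upstream-ca`; I do not see a fixture among the files shown that covers the `{{ else }}` branch (`--upstream=http://localhost:8888`, no tlsCertPath flags, HTTP probes) for a DSPA with `podToPodTLS: false`, though the page is truncated before all 23 files. If none exists, adding one would keep the opt-out path from regressing unnoticed. The container spec continues outside the hunk.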
Expand Up @@ -83,6 +83,8 @@ spec:
value: ds-pipeline-testdsp7.default.svc.cluster.local
- name: ML_PIPELINE_SERVICE_PORT_GRPC
value: "8887"
- name: ML_PIPELINE_TLS_ENABLED
value: "true"
- name: EXECUTIONTYPE
value: Workflow
- name: DB_DRIVER_NAME
Expand All @@ -108,6 +110,8 @@ spec:
- --config=/config
- -logtostderr=true
- --sampleconfig=/config/sample_config.json
- --tlsCertPath=/etc/tls/private/tls.crt
- --tlsCertKeyPath=/etc/tls/private/tls.key
ports:
- containerPort: 8888
name: http
Expand All @@ -116,29 +120,15 @@ spec:
name: grpc
protocol: TCP
livenessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
httpGet:
path: /apis/v1beta1/healthz
port: http
scheme: HTTPS
readinessProbe:
exec:
command:
- wget
- -q
- -S
- -O
- '-'
- http://localhost:8888/apis/v1beta1/healthz
initialDelaySeconds: 3
periodSeconds: 5
timeoutSeconds: 2
httpGet:
path: /apis/v1beta1/healthz
port: http
scheme: HTTPS
resources:
requests:
cpu: 1231m
Expand All @@ -150,6 +140,8 @@ spec:
- name: server-config
mountPath: /config/config.json
subPath: config.json
- mountPath: /etc/tls/private
name: proxy-tls
- mountPath: /config/sample_config.json
name: sample-config
subPath: sample_config.json
Expand All @@ -160,7 +152,8 @@ spec:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=ds-pipeline-testdsp7
- --upstream=http://localhost:8888
- --upstream=https://ds-pipeline-testdsp7.default.svc.cluster.local:8888
- --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --cookie-secret=SECRET
