name: Deploy and test Kubeflow Pipelines manifests with m2m auth in KinD
- tests/gh-actions/
- .github/workflows/pipeline_test.yaml
- apps/pipeline/upstream/**
- tests/gh-actions/
- tests/gh-actions/
- tests/gh-actions/
- common/cert-manager/**
- common/oauth2-proxy/**
- common/istio/**
- tests/gh-actions/
runs-on: ubuntu-latest
- name: Checkout
uses: actions/checkout@v4
- name: Install KinD, Create KinD cluster and Install kustomize
run: ./tests/gh-actions/
- name: Install kubectl
run: ./tests/gh-actions/
- name: Install Istio
run: ./tests/gh-actions/
- name: Install oauth2-proxy
run: ./tests/gh-actions/
- name: Install cert-manager
run: ./tests/gh-actions/
- name: Create kubeflow namespace
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install KF Pipelines
run: ./tests/gh-actions/
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/
- name: Install kubeflow-istio-resources
run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: |
kustomize build common/user-namespace/base | kubectl apply -f -
sleep 30 # for the metacontroller to create the secret
METACONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] | select( | startswith("metacontroller")) |')
if [[ -z "$METACONTROLLER_POD" ]]; then
echo "Error: metacontroller pod not found in kubeflow namespace."
exit 1
kubectl logs -n kubeflow "$METACONTROLLER_POD"
PIPELINES_PROFILE_CONTROLLER_POD=$(kubectl get pods -n kubeflow -o json | jq -r '.items[] | select( | startswith("kubeflow-pipelines-profile-controller")) |')
echo "Error: kubeflow-pipelines-profile-controller pod not found in kubeflow namespace."
exit 1
kubectl logs -n kubeflow "$PIPELINES_PROFILE_CONTROLLER_POD"
kubectl -n $KF_PROFILE get pods,configmaps,secrets
if ! kubectl get secret mlpipeline-minio-artifact -n $KF_PROFILE > /dev/null 2>&1; then
echo "Error: Secret mlpipeline-minio-artifact not found in namespace $KF_PROFILE"
exit 1
kubectl get secret mlpipeline-minio-artifact -n "$KF_PROFILE" -o json | jq -r '.data | keys[] as $k | "\($k): \(. | .[$k] | @base64d)"' | tr '\n' ' '
- name: port forward
run: |
ingress_gateway_service=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0]}')
nohup kubectl port-forward --namespace istio-system svc/${ingress_gateway_service} 8080:80 &
while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
- name: List and deploy test pipeline with authorized ServiceAccount Token
run: |
pip3 install kfp==2.11.0
TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
python3 tests/gh-actions/ run_pipeline "${TOKEN}" "${KF_PROFILE}"
- name: Fail to list pipelines with unauthorized ServiceAccount Token
run: |
pip3 install kfp==2.11.0
TOKEN="$(kubectl -n default create token default)"
python3 tests/gh-actions/ test_unauthorized_access "${TOKEN}" "${KF_PROFILE}"
echo "Test succeeded. Token from unauthorized ServiceAccount cannot list pipelines in $KF_PROFILE namespace."