feat: GitHub Actions workflow to test the KServe Models Web Application (#3253)

* added inital models web app test

Signed-off-by: Harshit Nayan <[email protected]>

* fix2: added models web app test

Signed-off-by: Harshit Nayan <[email protected]>

* fix3: added models-web-app test

Signed-off-by: Harshit Nayan <[email protected]>

* fix4: added models-web-app test

Signed-off-by: Harshit Nayan <[email protected]>

* refactor: simplify KServe models web app test by removing XSRF token handling

Signed-off-by: Harshit Nayan <[email protected]>

* fixed linting and auth

Signed-off-by: Harshit Nayan <[email protected]>

* feat: enhance KServe models web app test with XSRF token handling

Signed-off-by: Harshit Nayan <[email protected]>

* Update full_kubeflow_integration_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update and rename kserve_models_web_app_test.sh to kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

* Reduce the unnecessary overhead

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_app_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

* Apply suggestions from code review

Signed-off-by: Julius von Kohout <[email protected]>

* first install KServe then create profile

Signed-off-by: Harshit Nayan <[email protected]>

* added debugging to find issue

Signed-off-by: Harshit Nayan <[email protected]>

* added delay for sync

Signed-off-by: Harshit Nayan <[email protected]>

* Add debugging steps for JWT token and API call verification; update USERID_PREFIX in kustomization

Signed-off-by: Harshit Nayan <[email protected]>

* added todo comment

Signed-off-by: Harshit Nayan <[email protected]>

* removed debug steps

Signed-off-by: Harshit Nayan <[email protected]>

* Add checks for unauthorized access in inference service API calls

Signed-off-by: Harshit Nayan <[email protected]>

* Add checks for unauthorized access in inference service API calls

Signed-off-by: Harshit Nayan <[email protected]>

* Update kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_app_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_app_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update sklearn-iris-private.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

* Delete tests/kserve/sklearn-iris-private.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_app_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Rename kserve_models_web_app_test.yaml to kserve_models_web_application_test.yaml

Signed-off-by: Julius von Kohout <[email protected]>

* Update kserve_models_web_application_test.sh

Signed-off-by: Julius von Kohout <[email protected]>

---------

Signed-off-by: Harshit Nayan <[email protected]>
Signed-off-by: Julius von Kohout <[email protected]>
Co-authored-by: Julius von Kohout <[email protected]>

Author: LogicalGuy77

.github/workflows/full_kubeflow_integration_test.yaml

@@ -63,7 +63,7 @@ jobs:
     - name: Install KServe
       run: ./tests/kserve_install.sh
 
-    #- name: Install Pipelines
+    # - name: Install Pipelines
     #  run: ./tests/pipelines_install.sh
 
     - name: Install Pipelines with SeaweedFS
@@ -198,6 +198,9 @@ jobs:
       run: |
         ./tests/kserve_test.sh ${KF_PROFILE}
 
+    - name: Test KServe Models Web Application API
+      run: ./tests/kserve_models_web_application_test.sh "${KF_PROFILE}"
+
     - name: Run Spark Test
       run: chmod u+x tests/*.sh && ./tests/spark_test.sh "${KF_PROFILE}"
 

.github/workflows/kserve_models_web_application_test.yaml

@@ -0,0 +1,73 @@
+name: Test KServe Models Web Application
+on:
+  pull_request:
+    paths:
+    - tests/install_KinD_create_KinD_cluster_install_kustomize.sh
+    - .github/workflows/kserve_models_web_application_test.yaml
+    - applications/kserve/**
+    - tests/kserve*
+    - tests/istio*
+    - common/istio*/**
+    - common/knative/**
+    - common/oauth2-proxy/**
+
+permissions:
+  contents: read
+  actions: read
+
+env:
+  KF_PROFILE: kubeflow-user-example-com
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes: 25
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Install KinD, Create KinD cluster and Install kustomize
+      run: ./tests/install_KinD_create_KinD_cluster_install_kustomize.sh
+
+    - name: Install kubectl
+      run: ./tests/kubectl_install.sh
+
+    - name: Create Kubeflow Namespace
+      run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
+
+    - name: Install Certificate Manager
+      run: ./tests/cert_manager_install.sh
+
+    - name: Install Istio CNI
+      run: ./tests/istio-cni_install.sh
+
+    - name: Install OAuth2 Proxy
+      run: ./tests/oauth2-proxy_install.sh
+
+    - name: Install Kubeflow Istio Resources
+      run: kustomize build common/istio/kubeflow-istio-resources/base | kubectl apply -f -
+
+    - name: Install Multi-Tenancy
+      run: ./tests/multi_tenancy_install.sh
+
+    - name: Install Knative
+      run: ./tests/knative_install.sh
+
+    - name: Install KServe
+      run: ./tests/kserve_install.sh
+
+    - name: Create KF Profile
+      run: ./tests/kubeflow_profile_install.sh
+
+    - name: Wait for All Pods to be Ready
+      run: |
+        kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s --field-selector=status.phase!=Succeeded
+        sleep 10
+        kubectl get deployment kserve-models-web-app -n kubeflow
+        kubectl wait --for=condition=Available deployment/kserve-models-web-app -n kubeflow --timeout=60s
+
+    - name: Port-forward the istio-ingress gateway
+      run: ./tests/port_forward_gateway.sh
+
+    - name: Test KServe Models Web Application API
+      run: ./tests/kserve_models_web_application_test.sh "${KF_PROFILE}"

applications/kserve/models-web-app/overlays/kubeflow/kustomization.yaml

@@ -16,6 +16,7 @@ configMapGenerator:
 - behavior: replace
   literals:
   - USERID_HEADER=kubeflow-userid
+  - USERID_PREFIX=""
   - APP_PREFIX=/kserve-endpoints
   - GRAFANA_PREFIX=/grafana
   - GRAFANA_CPU_MEMORY_DB=db/knative-serving-revision-cpu-and-memory-usage

tests/kserve_models_web_application_test.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+set -euxo pipefail
+
+
+KF_PROFILE=${1:-kubeflow-user-example-com}
+TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
+BASE_URL="localhost:8080/kserve-endpoints"
+
+cat <<EOF | kubectl apply -f -
+apiVersion: "serving.kserve.io/v1beta1"
+kind: "InferenceService"
+metadata:
+  name: "sklearn-iris"
+  namespace: ${KF_PROFILE}
+spec:
+  predictor:
+    sklearn:
+      storageUri: "gs://kfserving-examples/models/sklearn/1.0/model"
+      resources:
+        requests:
+          cpu: "50m"
+          memory: "128Mi"
+        limits:
+          cpu: "100m"
+          memory: "256Mi"
+EOF
+
+kubectl wait --for=condition=Ready inferenceservice/sklearn-iris -n ${KF_PROFILE} --timeout=120s
+kubectl get inferenceservice sklearn-iris -n ${KF_PROFILE}
+
+# Get XSRF token for API calls
+curl -s "http://${BASE_URL}/" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -v -c /tmp/kserve_xcrf.txt 2>&1 | grep -i "set-cookie"
+XSRFTOKEN=$(grep XSRF-TOKEN /tmp/kserve_xcrf.txt | awk '{print $NF}')
+
+RESPONSE=$(curl -s --fail-with-body \
+  "${BASE_URL}/api/namespaces/${KF_PROFILE}/inferenceservices" \
+  -H "Authorization: Bearer ${TOKEN}" \
+  -H "X-XSRF-TOKEN: ${XSRFTOKEN}" \
+  -H "Cookie: XSRF-TOKEN=${XSRFTOKEN}")
+
+echo "$RESPONSE" | grep -q "sklearn-iris" || exit 1
+kubectl get inferenceservice sklearn-iris -n ${KF_PROFILE} || exit 1
+READY=$(kubectl get isvc sklearn-iris -n ${KF_PROFILE} -o jsonpath='{.status.conditions[?(@.type=="Ready")].status}')
+[[ "$READY" == "True" ]] || {
+  echo "FAILURE: InferenceService Ready status is: $READY"
+  exit 1
+}
+
+kubectl delete inferenceservice sklearn-iris -n ${KF_PROFILE} || exit 1
+
+# Test unauthorized access
+TOKEN="$(kubectl -n default create token default)"
+BASE_URL="localhost:8080/kserve-endpoints"
+HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "${BASE_URL}/api/namespaces/${KF_PROFILE}/inferenceservices" -H "Authorization: Bearer ${TOKEN}")
+[[ "$HTTP_CODE" == "403" || "$HTTP_CODE" == "401" ]] || { echo "FAILURE: Expected 401/403, got $HTTP_CODE"; exit 1; }
+echo "Test succeeded. Token from unauthorized ServiceAccount cannot list InferenceServices in $KF_PROFILE namespace."