fix(test/backend): Fix pod to pod TLS (#12357)

* Fix CI to pass the TLS client flags

This also adds wait logic for the cert-manager secret to be provisioned.

Signed-off-by: mprahl <[email protected]>

* Stop passing in explicit MySQL configurations to MLMD in TLS mode

This conflicts with the configuration options.

Signed-off-by: mprahl <[email protected]>

* Disable CI for unimplemented test scenarios

Pod to Pod TLS manifests are not yet implemented for Kubernetes Native API mode

Signed-off-by: mprahl <[email protected]>

* Build metadata-writer in CI to avoid TLS connection errors

Signed-off-by: mprahl <[email protected]>

* Provide --ca_cert_path only if one is set

Signed-off-by: mprahl <[email protected]>

* Use a clearer path for the custom CA files

Having it be under /etc/pki/tls could override the system CAs.

Signed-off-by: mprahl <[email protected]>

* Add missing mlPipelineServiceTLSEnabled flag on SWF TLS manifests

Signed-off-by: mprahl <[email protected]>

* Add TLS connection info to importer

Signed-off-by: mprahl <[email protected]>

---------

Signed-off-by: mprahl <[email protected]>
Signed-off-by: CollinHowland <[email protected]>

Author: mprahl

.github/actions/deploy/action.yml

@@ -60,7 +60,7 @@ runs:
     - name: Load Docker Images
       shell: bash
       run: |
-        APPS=("apiserver" "driver" "launcher" "scheduledworkflow" "persistenceagent" "frontend")
+        APPS=("apiserver" "driver" "launcher" "scheduledworkflow" "persistenceagent" "frontend" "metadata-writer")
         for app in "${APPS[@]}"; do
           docker image load -i ${{ inputs.image_path }}/$app/$app.tar
           docker push ${{ inputs.image_registry }}/$app:${{ inputs.image_tag }}

.github/actions/test-and-report/action.yml

@@ -81,9 +81,17 @@ runs:
         if [ -z $MULTI_USER ]; then
           MULTI_USER='false'
         fi
+        TLS_ENABLED=${{ inputs.tls_enabled }}
+        if [ -z $TLS_ENABLED ]; then
+          TLS_ENABLED='false'
+        fi
+        CA_CERT_PATH=${{ inputs.ca_cert_path }}
+        if [ -z $CA_CERT_PATH ]; then
+          CA_CERT_PATH=''
+        fi
         PULL_NUMBER="${{ github.event.inputs.pull_number || github.event.pull_request.number }}"
         REPO_NAME="${{ github.repository }}"
-        go run github.com/onsi/ginkgo/v2/ginkgo -r -v --cover -p --keep-going --github-output=true --nodes=${{ inputs.num_parallel_nodes }} -v --label-filter=${{ inputs.test_label }} -- -namespace=${{ inputs.default_namespace }} -multiUserMode=$MULTI_USER -useProxy=$USE_PROXY -userNamespace=${{ inputs.user_namespace }} -uploadPipelinesWithKubernetes=${{ inputs.upload_pipelines_with_kubernetes_client}} -pullNumber=$PULL_NUMBER -repoName=$REPO_NAME
+        go run github.com/onsi/ginkgo/v2/ginkgo -r -v --cover -p --keep-going --github-output=true --nodes=${{ inputs.num_parallel_nodes }} -v --label-filter=${{ inputs.test_label }} -- -namespace=${{ inputs.default_namespace }} -multiUserMode=$MULTI_USER -useProxy=$USE_PROXY -userNamespace=${{ inputs.user_namespace }} -uploadPipelinesWithKubernetes=${{ inputs.upload_pipelines_with_kubernetes_client}} -tlsEnabled=$TLS_ENABLED -caCertPath=$CA_CERT_PATH -pullNumber=$PULL_NUMBER -repoName=$REPO_NAME
       continue-on-error: true
 
     - name: Collect Pod logs in case of Test Failures

.github/resources/manifests/standalone/tls-enabled/kustomization.yaml

@@ -17,5 +17,8 @@ images:
   - name: ghcr.io/kubeflow/kfp-frontend
     newName: kind-registry:5000/frontend
     newTag: latest
+  - name: ghcr.io/kubeflow/kfp-metadata-writer
+    newName: kind-registry:5000/metadata-writer
+    newTag: latest
 patches:
   - path: apiserver-env.yaml

.github/workflows/api-server-tests.yml

@@ -101,10 +101,10 @@ jobs:
 
       - name: Configure Cluster CA Cert for TLS-Enabled Tests
         shell: bash
-        id: configure-cluster-ca-cert
-        if: ${{ matrix.pod_to_pod_tls_enabled == "true"}}
+        if: ${{ matrix.pod_to_pod_tls_enabled == 'true'}}
         run: |
-          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ env.API_TESTS_DIR }}"/ca.crt
+          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt"
+          echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> $GITHUB_ENV
 
       - name: Configure Input Variables
         shell: bash
@@ -125,11 +125,6 @@ jobs:
             PROXY=false
           fi
           
-          if [ "${{ matrix.pod_to_pod_tls_enabled }}" == "true" ]; then
-            CA_CERT_PATH="ca.crt"
-          fi
-          
-          echo "CA_CERT_PATH=$CA_CERT_PATH" >> $GITHUB_OUTPUT
           echo "NUMBER_OF_NODES=$NUMBER_OF_NODES" >> $GITHUB_OUTPUT
           echo "TEST_LABEL=$TEST_LABEL" >> $GITHUB_OUTPUT
           echo "NAMESPACE=$NAMESPACE" >> $GITHUB_OUTPUT
@@ -149,7 +144,7 @@ jobs:
           python_version: ${{ env.PYTHON_VERSION }}
           report_name: "Standalone_k8sVersion=${{ matrix.k8s_version }}_argoVersion=${{ matrix.argo_version }}_cacheEnabled=${{ matrix.cache_enabled }}_proxyEnabled=${{ matrix.proxy }}"
           tls_enabled: ${{ matrix.pod_to_pod_tls_enabled }}
-          ca_cert_path: ${{ steps.configure-cluster-ca-cert.outputs.CA_CERT_PATH}}
+          ca_cert_path: ${{ env.CA_CERT_PATH }}
 
       - name: Notify test reports
         shell: bash
@@ -173,9 +168,10 @@ jobs:
         include:
           - k8s_version: "v1.31.0"
             cache_enabled: "true"
-            pipeline_store: "kubernetes"
+            # Pod to Pod TLS manifests are not yet implemented for Kubernetes Native API mode
+            pipeline_store: "database"
             pod_to_pod_tls_enabled: "true"
-            uploadPipelinesWithKubernetesClient: "true"
+            uploadPipelinesWithKubernetesClient: "false"
       fail-fast: false # So that failure in 1 type of parameterized job does not cause other jobs to terminate prematurely
     name: KFP API Server tests K8s Native API - K8sVersion=${{ matrix.k8s_version }} cacheEnabled=${{ matrix.cache_enabled }} argoVersion=${{ matrix.argo_version }} uploadPipelinesWithKubernetesClient=${{ matrix.uploadPipelinesWithKubernetesClient }}
 

.github/workflows/e2e-test.yml

@@ -111,13 +111,10 @@ jobs:
 
       - name: Configure Cluster CA Cert for TLS-Enabled Tests
         shell: bash
-        id: configure-cluster-ca-cert
-        if: ${{ matrix.pod_to_pod_tls_enabled == "true"}}
-        env:
-          SCHEME: "https"
+        if: ${{ matrix.pod_to_pod_tls_enabled == 'true'}}
         run: |
-          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ env.E2E_TESTS_DIR }}"/ca.crt
-
+          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt"
+          echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> $GITHUB_ENV
       - name: Configure Input Variables
         shell: bash
         id: configure
@@ -132,11 +129,6 @@ jobs:
             NAMESPACE=${{ inputs.namespace }}
           fi
           
-          if [ "${{ matrix.pod_to_pod_tls_enabled }}" == "true" ]; then
-            CA_CERT_PATH="ca.crt"
-          fi
-          
-          echo "CA_CERT_PATH=$CA_CERT_PATH" >> $GITHUB_OUTPUT
           echo "NUMBER_OF_NODES=$NUMBER_OF_NODES" >> $GITHUB_OUTPUT
           echo "TEST_LABEL=$TEST_LABEL" >> $GITHUB_OUTPUT
           echo "NAMESPACE=$NAMESPACE" >> $GITHUB_OUTPUT
@@ -162,7 +154,7 @@ jobs:
           python_version: ${{ env.PYTHON_VERSION }}
           report_name: "${{ matrix.test_label}}Tests_K8s=${{ matrix.k8s_version }}_cacheEnabled=${{ matrix.cache_enabled }}_argoVersion=${{ matrix.argo_version}}_proxy=${{ matrix.proxy }}_storage=${{ matrix.storage }}"
           tls_enabled: ${{ matrix.pod_to_pod_tls_enabled }}
-          ca_cert_path: ${{ steps.configure.outputs.CA_CERT_PATH}}
+          ca_cert_path: ${{ env.CA_CERT_PATH }}
 
       - name: Notify test reports
         shell: bash

.github/workflows/image-builds-with-cache.yml

@@ -46,6 +46,10 @@ jobs:
           - image: frontend
             dockerfile: frontend/Dockerfile
             context: .
+
+          - image: metadata-writer
+            dockerfile: backend/metadata_writer/Dockerfile
+            context: .
     env:
       ARTIFACT_NAME: "${{ matrix.image }}"
       ARTIFACTS_PATH: "images_${{ github.sha }}"

.github/workflows/legacy-v2-api-integration-tests.yml

@@ -30,6 +30,10 @@ jobs:
         pipeline_store: [ "database", "kubernetes" ]
         k8s_version: [ "v1.31.0" ]
         pod_to_pod_tls_enabled: [ true, false ]
+        exclude:
+          # Pod to Pod TLS manifests are not yet implemented for Kubernetes Native API mode
+          - pipeline_store: "kubernetes"
+            pod_to_pod_tls_enabled: true
 
     name: API integration tests v2 - K8s with ${{ matrix.pipeline_store }} ${{ matrix.k8s_version }} pod_to_pod_tls_enabled=${{ matrix.pod_to_pod_tls_enabled }}
     steps:
@@ -64,22 +68,10 @@ jobs:
 
       - name: Configure Cluster CA Cert for TLS-Enabled Tests
         shell: bash
-        id: configure-cluster-ca-cert
         if: ${{ matrix.pod_to_pod_tls_enabled }}
         run: |
-          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt
-          CA_CERT_PATH="ca.crt"
-          echo "CA_CERT_PATH=CA_CERT_PATH" >> $GITHUB_OUTPUT
-
-      - name: Configure Input Variables
-        shell: bash
-        id: configure
-        if: ${{ steps.deploy.outcome == 'success' &&  matrix.pod_to_pod_tls_enabled == 'true'}}
-        run: |
-          if [ "${{ matrix.pod_to_pod_tls_enabled }}" == "true" ]; then
-            CA_CERT_PATH="/ca.crt"
-          fi
-          echo "CA_CERT_PATH=$CA_CERT_PATH" >> $GITHUB_OUTPUT
+          kubectl get secret kfp-api-tls-cert -n kubeflow -o jsonpath='{.data.ca\.crt}' | base64 -d > "${{ github.workspace }}/ca.crt"
+          echo "CA_CERT_PATH=${{ github.workspace }}/ca.crt" >> $GITHUB_ENV
 
       - name: Forward MLMD port
         id: forward-mlmd-port
@@ -91,10 +83,7 @@ jobs:
         id: tests
         if: ${{ steps.forward-mlmd-port.outcome == 'success' }}
         working-directory: ./backend/test/v2/integration
-        run: go test -v ./... -args -runIntegrationTests=true -namespace=kubeflow
-        with:
-          pod_to_pod_tls_enabled: ${{ matrix.pod_to_pod_tls_enabled }}
-          ca_cert_path: ${{ steps.configure.outputs.CA_CERT_PATH}}
+        run: go test -v ./... -args -runIntegrationTests=true -namespace=kubeflow -tlsEnabled=${{ matrix.pod_to_pod_tls_enabled }} -caCertPath=${{ env.CA_CERT_PATH }}
         env:
           PULL_NUMBER: ${{ github.event.pull_request.number }}
           PIPELINE_STORE: ${{ matrix.pipeline_store }}
@@ -110,5 +99,5 @@ jobs:
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: kfp-api-integration-tests-v2-artifacts-k8s-${{ matrix.k8s_version }}-${{ matrix.pipeline_store }}
+          name: kfp-api-integration-tests-v2-artifacts-k8s-${{ matrix.k8s_version }}-${{ matrix.pipeline_store }}-tls-${{ matrix.pod_to_pod_tls_enabled }}
           path: /tmp/tmp*/*

backend/src/apiserver/common/const.go

@@ -68,6 +68,6 @@ const (
 )
 
 const (
-	TLSCertCAPath = "/etc/pki/tls/cert/ca.crt"
-	CABundleDir   = "/etc/pki/tls/cert"
+	TLSCertCAPath = "/kfp/certs/ca.crt"
+	CABundleDir   = "/kfp/certs"
 )

backend/src/crd/controller/scheduledworkflow/main.go

@@ -52,11 +52,12 @@ var (
 
 const (
 	// These flags match the persistence agent
-	mlPipelineAPIServerBasePathFlagName = "mlPipelineAPIServerBasePath"
-	mlPipelineAPIServerNameFlagName     = "mlPipelineAPIServerName"
-	mlPipelineAPIServerGRPCPortFlagName = "mlPipelineServiceGRPCPort"
-	caCertPathFlagName                  = "caCertPath"
-	apiTokenFile                        = "/var/run/secrets/kubeflow/tokens/scheduledworkflow-sa-token"
+	mlPipelineAPIServerBasePathFlagName   = "mlPipelineAPIServerBasePath"
+	mlPipelineAPIServerNameFlagName       = "mlPipelineAPIServerName"
+	mlPipelineAPIServerGRPCPortFlagName   = "mlPipelineServiceGRPCPort"
+	mlPipelineAPIServerTLSEnabledFlagName = "mlPipelineServiceTLSEnabled"
+	caCertPathFlagName                    = "caCertPath"
+	apiTokenFile                          = "/var/run/secrets/kubeflow/tokens/scheduledworkflow-sa-token"
 )
 
 func main() {
@@ -172,6 +173,7 @@ func init() {
 	flag.Float64Var(&clientQPS, "clientQPS", 5, "The maximum QPS to the master from this client.")
 	flag.StringVar(&mlPipelineAPIServerName, mlPipelineAPIServerNameFlagName, "ml-pipeline", "Name of the ML pipeline API server.")
 	flag.StringVar(&mlPipelineServiceGRPCPort, mlPipelineAPIServerGRPCPortFlagName, "8887", "GRPC Port of the ML pipeline API server.")
+	flag.BoolVar(&mlPipelineServiceTLSEnabled, mlPipelineAPIServerTLSEnabledFlagName, false, "Set to true if ML pipeline API server serves over TLS.")
 	flag.StringVar(&caCertPath, caCertPathFlagName, "", "CA cert to connect to the ML pipeline API server.")
 	flag.IntVar(&clientBurst, "clientBurst", 10, "Maximum burst for throttle from this client.")
 	var err error

backend/src/v2/compiler/argocompiler/container.go

@@ -216,9 +216,13 @@ func (c *workflowCompiler) addContainerDriverTemplate() string {
 	if common.GetMetadataTLSEnabled() {
 		args = append(args, "--metadata_tls_enabled")
 	}
-	if c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() {
+
+	setCABundle := false
+	if common.GetCaBundleSecretName() != "" && (c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled()) {
 		args = append(args, "--ca_cert_path", common.TLSCertCAPath)
+		setCABundle = true
 	}
+
 	if value, ok := os.LookupEnv(PipelineLogLevelEnvVar); ok {
 		args = append(args, "--log_level", value)
 	}
@@ -254,8 +258,8 @@ func (c *workflowCompiler) addContainerDriverTemplate() string {
 			Env:       proxy.GetConfig().GetEnvVars(),
 		},
 	}
-	// If the apiserver is TLS-enabled, add the custom CA bundle to the container driver template.
-	if c.mlPipelineTLSEnabled {
+	// If TLS is enabled (apiserver or metadata), add the custom CA bundle to the container driver template.
+	if setCABundle {
 		ConfigureCustomCABundle(t)
 	}
 	c.templates[name] = t
@@ -541,7 +545,7 @@ func (c *workflowCompiler) addContainerExecutorTemplate(task *pipelinespec.Pipel
 		},
 	}
 	// If the apiserver is TLS-enabled, add the custom CA bundle to the executor.
-	if c.mlPipelineTLSEnabled {
+	if c.mlPipelineTLSEnabled || common.GetMetadataTLSEnabled() {
 		ConfigureCustomCABundle(executor)
 	}