Merge pull request #1413 from jrobertboos/lcore-1251

LCORE-1251: Added TLS E2E Tests

Author: tisnik

docker-compose.yaml

@@ -25,12 +25,16 @@ services:
     container_name: llama-stack
     ports:
       - "8321:8321"  # Expose llama-stack on 8321 (adjust if needed)
+    depends_on:
+      mock-tls-inference:
+        condition: service_healthy
     volumes:
       - ./run.yaml:/opt/app-root/run.yaml:z
       - ${GCP_KEYS_PATH:-./tmp/.gcp-keys-dummy}:/opt/app-root/.gcp-keys:ro
       - ./lightspeed-stack.yaml:/opt/app-root/lightspeed-stack.yaml:ro
       - llama-storage:/opt/app-root/src/.llama/storage
       - ./tests/e2e/rag:/opt/app-root/src/.llama/storage/rag:z
+      - mock-tls-certs:/certs:ro
     environment:
       - BRAVE_SEARCH_API_KEY=${BRAVE_SEARCH_API_KEY:-}
       - TAVILY_SEARCH_API_KEY=${TAVILY_SEARCH_API_KEY:-}
@@ -141,9 +145,27 @@ services:
       retries: 3
       start_period: 2s
 
+  # Mock TLS inference server for TLS E2E tests
+  mock-tls-inference:
+    build:
+      context: ./tests/e2e/mock_tls_inference_server
+      dockerfile: Dockerfile
+    container_name: mock-tls-inference
+    networks:
+      - lightspeednet
+    volumes:
+      - mock-tls-certs:/certs
+    healthcheck:
+      test: ["CMD", "python", "-c", "import urllib.request,ssl;c=ssl.create_default_context();c.check_hostname=False;c.verify_mode=ssl.CERT_NONE;urllib.request.urlopen('https://localhost:8443/health',context=c)"]
+      interval: 5s
+      timeout: 3s
+      retries: 3
+      start_period: 5s
+
 
 volumes:
   llama-storage:
+  mock-tls-certs:
 
 networks:
   lightspeednet:

tests/e2e-prow/rhoai/configs/lightspeed-stack-tls.yaml

@@ -0,0 +1,22 @@
+name: Lightspeed Core Service (LCS)
+service:
+  host: 0.0.0.0
+  port: 8080
+  auth_enabled: false
+  workers: 1
+  color_log: true
+  access_log: true
+llama_stack:
+  use_as_library_client: false
+  url: http://${env.E2E_LLAMA_HOSTNAME}:8321
+  api_key: xyzzy
+user_data_collection:
+  feedback_enabled: true
+  feedback_storage: "/tmp/data/feedback"
+  transcripts_enabled: true
+  transcripts_storage: "/tmp/data/transcripts"
+authentication:
+  module: "noop"
+inference:
+  default_provider: tls-openai
+  default_model: mock-tls-model

tests/e2e/configuration/server-mode/lightspeed-stack-tls.yaml

@@ -0,0 +1,22 @@
+name: Lightspeed Core Service (LCS)
+service:
+  host: 0.0.0.0
+  port: 8080
+  auth_enabled: false
+  workers: 1
+  color_log: true
+  access_log: true
+llama_stack:
+  use_as_library_client: false
+  url: http://llama-stack:8321
+  api_key: xyzzy
+user_data_collection:
+  feedback_enabled: true
+  feedback_storage: "/tmp/data/feedback"
+  transcripts_enabled: true
+  transcripts_storage: "/tmp/data/transcripts"
+authentication:
+  module: "noop"
+inference:
+  default_provider: tls-openai
+  default_model: mock-tls-model

tests/e2e/features/environment.py

@@ -552,6 +552,17 @@ def after_feature(context: Context, feature: Feature) -> None:
         restart_container("lightspeed-stack")
         remove_config_backup(context.default_config_backup)
 
+    # Restore Lightspeed Stack config if the generic configure_service step switched it.
+    # This cleanup intentionally runs for any feature (not tag-gated) - any feature that
+    # leaves a backup file will trigger config restoration and container restarts.
+    backup_path = "lightspeed-stack.yaml.backup"
+    if os.path.exists(backup_path):
+        switch_config(backup_path)
+        remove_config_backup(backup_path)
+        if not context.is_library_mode:
+            restart_container("llama-stack")
+        restart_container("lightspeed-stack")
+
     # Clean up any proxy servers left from the last scenario
     if hasattr(context, "tunnel_proxy") or hasattr(context, "interception_proxy"):
         from tests.e2e.features.steps.proxy import _stop_proxy

tests/e2e/features/steps/proxy.py

@@ -142,9 +142,10 @@ def restore_if_modified(context: Context) -> None:
     _stop_proxy(context, "interception_proxy", "interception_proxy_loop")
 
     if os.path.exists(_LLAMA_STACK_CONFIG_BACKUP):
-        print("Restoring original Llama Stack config from backup...")
-        shutil.copy(_LLAMA_STACK_CONFIG_BACKUP, _LLAMA_STACK_CONFIG)
-        os.remove(_LLAMA_STACK_CONFIG_BACKUP)
+        print(
+            f"Restoring original Llama Stack config from {_LLAMA_STACK_CONFIG_BACKUP}..."
+        )
+        shutil.move(_LLAMA_STACK_CONFIG_BACKUP, _LLAMA_STACK_CONFIG)
         restart_container("llama-stack")
         restart_container("lightspeed-stack")
 

tests/e2e/features/steps/tls.py

@@ -0,0 +1,224 @@
+"""Step definitions for TLS configuration e2e tests.
+
+These tests configure Llama Stack's run.yaml with NetworkConfig TLS settings
+and verify the full pipeline works through the Lightspeed Stack.
+
+Config switching uses the same pattern as other e2e tests: overwrite the
+host-mounted run.yaml and restart Docker containers. Cleanup is handled
+by a Background step that restores the backup before each scenario.
+"""
+
+import copy
+from typing import Any, Optional
+
+from behave import given  # pyright: ignore[reportAttributeAccessIssue]
+from behave.runner import Context
+
+from tests.e2e.features.steps.proxy import (
+    _LLAMA_STACK_CONFIG,
+    _backup_llama_config,
+    _load_llama_config,
+    _write_config,
+)
+
+_TLS_PROVIDER_BASE: dict[str, Any] = {
+    "provider_id": "tls-openai",
+    "provider_type": "remote::openai",
+    "config": {
+        "api_key": "test-key",
+        "base_url": "https://mock-tls-inference:8443/v1",
+        "allowed_models": ["mock-tls-model"],
+    },
+}
+
+_TLS_MODEL_RESOURCE: dict[str, str] = {
+    "model_id": "mock-tls-model",
+    "provider_id": "tls-openai",
+    "provider_model_id": "mock-tls-model",
+}
+
+
+def _ensure_tls_provider(config: dict[str, Any]) -> dict[str, Any]:
+    """Find or create the tls-openai inference provider in the config.
+
+    If the provider does not exist, it is added along with the
+    mock-tls-model registered resource.
+
+    Parameters:
+        config: The Llama Stack configuration dictionary.
+
+    Returns:
+        The tls-openai provider configuration dictionary.
+    """
+    providers = config.setdefault("providers", {})
+    inference = providers.setdefault("inference", [])
+
+    for provider in inference:
+        if provider.get("provider_id") == "tls-openai":
+            return provider
+
+    # Provider not found — add it
+    provider = copy.deepcopy(_TLS_PROVIDER_BASE)
+    inference.append(provider)
+
+    # Also register the model resource
+    resources = config.setdefault("registered_resources", {})
+    models = resources.setdefault("models", [])
+    if not any(m.get("model_id") == "mock-tls-model" for m in models):
+        models.append(copy.deepcopy(_TLS_MODEL_RESOURCE))
+
+    return provider
+
+
+def _configure_tls(tls_config: dict[str, Any], base_url: Optional[str] = None) -> None:
+    """Configure TLS settings for the tls-openai provider.
+
+    Parameters:
+        tls_config: The TLS configuration dictionary.
+        base_url: Optional base URL override for the provider.
+    """
+    _backup_llama_config()
+    config = _load_llama_config()
+    provider = _ensure_tls_provider(config)
+    provider.setdefault("config", {}).setdefault("network", {})
+    if base_url is not None:
+        provider["config"]["base_url"] = base_url
+    provider["config"]["network"]["tls"] = tls_config
+    _write_config(config, _LLAMA_STACK_CONFIG)
+
+
+# --- Background Steps ---
+# Restart steps ("The original Llama Stack config is restored if modified",
+# "Llama Stack is restarted", "Lightspeed Stack is restarted") are defined in
+# proxy.py and shared across features by behave.
+
+
+# --- TLS Configuration Steps ---
+
+
+@given("Llama Stack is configured with TLS verification disabled")
+def configure_tls_verify_false(context: Context) -> None:
+    """Configure run.yaml with TLS verify: false."""
+    _configure_tls({"verify": False})
+
+
+@given("Llama Stack is configured with CA certificate verification")
+def configure_tls_verify_ca(context: Context) -> None:
+    """Configure run.yaml with TLS verify: /certs/ca.crt."""
+    _configure_tls({"verify": "/certs/ca.crt", "min_version": "TLSv1.2"})
+
+
+@given("Llama Stack is configured with TLS verification enabled")
+def configure_tls_verify_true(context: Context) -> None:
+    """Configure run.yaml with TLS verify: true (fails with self-signed certs)."""
+    _configure_tls({"verify": True})
+
+
+@given("Llama Stack is configured with mutual TLS authentication")
+def configure_tls_mtls(context: Context) -> None:
+    """Configure run.yaml with mutual TLS (client cert and key)."""
+    _configure_tls(
+        {
+            "verify": "/certs/ca.crt",
+            "client_cert": "/certs/client.crt",
+            "client_key": "/certs/client.key",
+        },
+        base_url="https://mock-tls-inference:8444/v1",
+    )
+
+
+@given('Llama Stack is configured with CA certificate path "{path}"')
+def configure_tls_verify_ca_path(context: Context, path: str) -> None:
+    """Configure run.yaml with TLS verify pointing to a specific CA cert path."""
+    _configure_tls({"verify": path})
+
+
+@given("Llama Stack is configured for mTLS without client certificate")
+def configure_mtls_no_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS port without client cert (should fail)."""
+    _configure_tls(
+        {"verify": "/certs/ca.crt"},
+        base_url="https://mock-tls-inference:8444/v1",
+    )
+
+
+@given("Llama Stack is configured for mTLS with wrong client certificate")
+def configure_mtls_wrong_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS with invalid client cert (CA cert as client cert)."""
+    _configure_tls(
+        {
+            "verify": "/certs/ca.crt",
+            "client_cert": "/certs/ca.crt",
+            "client_key": "/certs/client.key",
+        },
+        base_url="https://mock-tls-inference:8444/v1",
+    )
+
+
+@given("Llama Stack is configured for mTLS with untrusted client certificate")
+def configure_mtls_untrusted_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS with client cert from untrusted CA."""
+    _configure_tls(
+        {
+            "verify": "/certs/ca.crt",
+            "client_cert": "/certs/untrusted-client.crt",
+            "client_key": "/certs/untrusted-client.key",
+        },
+        base_url="https://mock-tls-inference:8444/v1",
+    )
+
+
+@given("Llama Stack is configured for mTLS with expired client certificate")
+def configure_mtls_expired_client_cert(context: Context) -> None:
+    """Configure run.yaml for mTLS with an expired client certificate."""
+    _configure_tls(
+        {
+            "verify": "/certs/ca.crt",
+            "client_cert": "/certs/expired-client.crt",
+            "client_key": "/certs/client.key",
+        },
+        base_url="https://mock-tls-inference:8444/v1",
+    )
+
+
+@given("Llama Stack is configured with CA certificate and hostname mismatch server")
+def configure_tls_hostname_mismatch(context: Context) -> None:
+    """Configure run.yaml to connect to hostname-mismatch server (should fail)."""
+    _configure_tls(
+        {"verify": "/certs/ca.crt"},
+        base_url="https://mock-tls-inference:8445/v1",
+    )
+
+
+@given("Llama Stack is configured with mutual TLS and hostname mismatch server")
+def configure_mtls_hostname_mismatch(context: Context) -> None:
+    """Configure run.yaml for mTLS against hostname-mismatch server (should fail)."""
+    _configure_tls(
+        {
+            "verify": "/certs/ca.crt",
+            "client_cert": "/certs/client.crt",
+            "client_key": "/certs/client.key",
+        },
+        base_url="https://mock-tls-inference:8445/v1",
+    )
+
+
+@given(
+    'Llama Stack is configured with TLS minimum version "{version}" and hostname mismatch server'
+)
+def configure_tls_min_version_hostname_mismatch(context: Context, version: str) -> None:
+    """Configure run.yaml with TLS min version against hostname-mismatch server."""
+    _configure_tls(
+        {"verify": "/certs/ca.crt", "min_version": version},
+        base_url="https://mock-tls-inference:8445/v1",
+    )
+
+
+@given(
+    'Llama Stack is configured with TLS minimum version "{version}" and CA certificate path "{path}"'
+)
+def configure_tls_min_version_with_ca_path(
+    context: Context, version: str, path: str
+) -> None:
+    """Configure run.yaml with TLS minimum version and a specific CA cert path."""
+    _configure_tls({"verify": path, "min_version": version})