
Commit 15849af

pull[bot]spoltiandresllh
authored andcommitted
[pull] main from kserve:main (#326)
* Fixes CVE-2024-45338 (kserve#533) chore: Fix [CVE-2024-45338](https://www.cve.org/CVERecord?id=CVE-2024-45338) - Denial of Service on golang.org/x/net/html Signed-off-by: Spolti <fspolti@redhat.com> * [RHOAIENG-14237] Adding REST_PROXY_SKIP_VERIFY env var. (kserve#536) rest-proxy has a new environment variable for allowing the user to skip verification when using TLS Adding the variable to the RESTProxyConfig and to the Deployments Users will be able to specify if they want to skip verification when using TLS See: [RHOAIENG-14237](https://issues.redhat.com/browse/RHOAIENG-14237) Signed-off-by: Andres Llausas <allausas@redhat.com> * Update GoLang, python and base images (kserve#538) Signed-off-by: Spolti <fspolti@redhat.com> --------- Signed-off-by: Spolti <fspolti@redhat.com> Signed-off-by: Andres Llausas <allausas@redhat.com> Co-authored-by: Filippe Spolti <fspolti@redhat.com> Co-authored-by: Andres Llausas <allausas@redhat.com> Signed-off-by: Mariah Holder <marholde@redhat.com>
1 parent 13f627d commit 15849af


16 files changed

+122
-74
lines changed


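--- a/.github/workflows/fvt-base.yml
+++ b/.github/workflows/fvt-base.yml
@@ -41,17 +41,18 @@ jobs:
 - name: Setup go
 uses: actions/setup-go@v5
 with:
-go-version: '1.21'
+go-version: '1.22'
 
 - name: Start Minikube
-uses: medyagh/setup-minikube@v0.0.14
+uses: medyagh/setup-minikube@v0.0.19
 id: minikube
 with:
-minikube-version: 1.32.0
+minikube-version: 1.35.0
 container-runtime: docker
-kubernetes-version: v1.26.1
+kubernetes-version: v1.32.0
 cpus: max
 memory: max
+addons: storage-provisioner
 
 - name: Check pods
 run: |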

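--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 repos:
 - repo: https://github.com/golangci/golangci-lint
-rev: v1.51.2
+rev: v1.60.3
 hooks:
 - id: golangci-lint
 entry: golangci-lint run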

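--- a/Dockerfile
+++ b/Dockerfile
@@ -54,7 +54,7 @@ RUN GOOS=${TARGETOS:-linux} \
 ###############################################################################
 # Stage 2: Copy build assets to create the smallest final runtime image
 ###############################################################################
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS runtime
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 AS runtime
 
 ARG USER=2000
 ARG IMAGE_VERSION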

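--- a/Dockerfile.develop
+++ b/Dockerfile.develop
@@ -21,8 +21,8 @@
 ###############################################################################
 # Create the develop, test, and build environment
 ###############################################################################
-ARG GOLANG_VERSION=1.21
-FROM registry.access.redhat.com/ubi8/go-toolset:$GOLANG_VERSION
+ARG GOLANG_VERSION=1.22
+FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION
 
 
 # https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
@@ -44,14 +44,15 @@ ENV HOME=/root
 WORKDIR /workspace
 
 # Install build and dev tools
-# NOTE: Require python38 to install pre-commit
+# NOTE: Require python to install pre-commit
 RUN --mount=type=cache,target=/root/.cache/dnf:rw \
 dnf install --setopt=cachedir=/root/.cache/dnf -y --nodocs \
 nodejs \
 jq \
-python38 \
-&& ln -sf /usr/bin/python3 /usr/bin/python \
-&& ln -sf /usr/bin/pip3 /usr/bin/pip \
+python3.11 \
+python3.11-pip \
+&& alternatives --install /usr/bin/python python /usr/bin/python3.11 1 \
+&& alternatives --install /usr/bin/pip pip /usr/bin/pip3.11 1 \
 && true
 
 # Install pre-commit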

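--- a/controllers/modelmesh/cluster_config.go
+++ b/controllers/modelmesh/cluster_config.go
@@ -71,7 +71,7 @@ func (cc ClusterConfig) Reconcile(ctx context.Context, namespace string, cl clie
 return err
 }
 
-if cc.SRSpecs == nil || len(cc.SRSpecs) == 0 {
+if len(cc.SRSpecs) == 0 {
 if !notfound {
 return cl.Delete(ctx, m)
 }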

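--- a/controllers/modelmesh/modelmesh.go
+++ b/controllers/modelmesh/modelmesh.go
@@ -37,25 +37,26 @@ const ModelMeshEtcdPrefix = "mm"
 
 // Models a deployment
 type Deployment struct {
-ServiceName string
-ServicePort uint16
-Name string
-Namespace string
-Owner mf.Owner
-SRSpec *kserveapi.ServingRuntimeSpec
-DefaultVModelOwner string
-Log logr.Logger
-Metrics bool
-PrometheusPort uint16
-PrometheusScheme string
-PayloadProcessors string
-ModelMeshImage string
-ModelMeshResources *corev1.ResourceRequirements
-RESTProxyEnabled bool
-RESTProxyImage string
-RESTProxyResources *corev1.ResourceRequirements
-RESTProxyPort uint16
-PVCs []string
+ServiceName string
+ServicePort uint16
+Name string
+Namespace string
+Owner mf.Owner
+SRSpec *kserveapi.ServingRuntimeSpec
+DefaultVModelOwner string
+Log logr.Logger
+Metrics bool
+PrometheusPort uint16
+PrometheusScheme string
+PayloadProcessors string
+ModelMeshImage string
+ModelMeshResources *corev1.ResourceRequirements
+RESTProxyEnabled bool
+RESTProxySkipVerify bool
+RESTProxyImage string
+RESTProxyResources *corev1.ResourceRequirements
+RESTProxyPort uint16
+PVCs []string
 // internal fields used when templating
 AuthNamespace string
 ModelMeshLimitCPU string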
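Review bot: The new `RESTProxySkipVerify` field of `Deployment` has no comment, although it is the one field in this struct that relaxes a security check when set. I would add `// RESTProxySkipVerify is rendered as REST_PROXY_SKIP_VERIFY on the rest-proxy container; true asks the proxy to skip verification when using TLS, so it should stay false wherever a verifiable certificate is available.` above it. What exactly rest-proxy stops checking is not visible on this page, so the wording should be confirmed against the proxy side. The struct continues past the end of this hunk.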

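--- a/controllers/modelmesh/proxy.go
+++ b/controllers/modelmesh/proxy.go
@@ -26,6 +26,7 @@ const (
 restProxyGrpcMaxMsgSizeEnvVar = "REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES"
 restProxyGrpcPortEnvVar = "REST_PROXY_GRPC_PORT"
 restProxyTlsEnvVar = "REST_PROXY_USE_TLS"
+restProxySkipVerifyEnvVar = "REST_PROXY_SKIP_VERIFY"
 )
 
 func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) error {
@@ -47,6 +48,9 @@ func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) err
 }, {
 Name: restProxyGrpcMaxMsgSizeEnvVar,
 Value: strconv.Itoa(m.GrpcMaxMessageSize),
+}, {
+Name: restProxySkipVerifyEnvVar,
+Value: strconv.FormatBool(m.RESTProxySkipVerify),
 },
 },
 Ports: []corev1.ContainerPort{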
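Review bot: `addRESTProxyToDeployment` copies `m.RESTProxySkipVerify` into the container environment without recording it anywhere, so in the visible lines a deployment running with TLS verification switched off leaves no trace in the controller log. One line before the container is built, `if m.RESTProxySkipVerify { m.Log.Info("rest-proxy TLS verification is disabled", "deployment", m.Name) }`, would give operators something to alert on. The variable is also emitted whether or not `REST_PROXY_USE_TLS` is enabled; a short comment on `restProxySkipVerifyEnvVar` saying the value only matters with TLS would help, if that is how the proxy treats it. The function body continues past the last visible line.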

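--- a/controllers/servingruntime_controller.go
+++ b/controllers/servingruntime_controller.go
@@ -242,6 +242,7 @@ func (r *ServingRuntimeReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 RESTProxyEnabled: cfg.RESTProxy.Enabled,
 RESTProxyImage: cfg.RESTProxy.Image.TaggedImage(),
 RESTProxyPort: cfg.RESTProxy.Port,
+RESTProxySkipVerify: cfg.RESTProxy.SkipVerify,
 RESTProxyResources: cfg.RESTProxy.Resources.ToKubernetesType(),
 PullerImage: cfg.StorageHelperImage.TaggedImage(),
 PullerImageCommand: cfg.StorageHelperImage.Command,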

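--- a/controllers/testdata/servingruntime_controller.golden
+++ b/controllers/testdata/servingruntime_controller.golden
@@ -671,6 +671,8 @@ spec:
 value: "false"
 - name: REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES
 value: "16777216"
+- name: REST_PROXY_SKIP_VERIFY
+value: "false"
 image: kserve/rest-proxy:latest
 imagePullPolicy: Always
 name: rest-proxy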

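--- a/fvt/fvtclient.go
+++ b/fvt/fvtclient.go
@@ -28,11 +28,10 @@ import (
 "strings"
 "time"
 
-"google.golang.org/grpc/credentials/insecure"
-
 "github.com/go-logr/logr"
 "github.com/kserve/kserve/pkg/apis/serving/v1beta1"
 api "github.com/kserve/modelmesh-serving/apis/serving/v1alpha1"
+"google.golang.org/grpc/credentials/insecure"
 
 "github.com/onsi/ginkgo/v2"
 . "github.com/onsi/gomega"
@@ -535,6 +534,29 @@ func (fvt *FVTClient) TailPodLogs(sinceTime string) {
 }
 }
 
+func (fvt *FVTClient) PrintContainerEnvsFromAllPods() {
+podList, err := fvt.Resource(gvrPods).Namespace(fvt.namespace).List(context.TODO(), metav1.ListOptions{
+LabelSelector: "modelmesh-service=modelmesh-serving",
+})
+if err != nil {
+fvt.log.Error(err, "Error listing the pods")
+}
+for _, podList := range podList.Items {
+podName := podList.GetName()
+err = fvt.RunKubectl("get", "pod/"+podName, "-o", "yaml")
+if err != nil {
+fvt.log.Error(err, "Error running kubectl exec env command")
+}
+}
+}
+
+func (fvt *FVTClient) PrintMMConfig() {
+err := fvt.RunKubectl("get", "cm", UserConfigMapName, "-o", "yaml")
+if err != nil {
+fvt.log.Error(err, "Error running get config map command")
+}
+}
+
 func (fvt *FVTClient) RunKubectl(args ...string) error {
 args = append(args, "-n", fvt.namespace)
 kubectlCmd := exec.Command("kubectl", args...)
@@ -571,13 +593,13 @@ func (fvt *FVTClient) RunKfsModelMetadata(req *inference.ModelMetadataRequest) (
 return grpcClient.ModelMetadata(ctx, req)
 }
 
-func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, tls bool) (string, error) {
+func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, useTls bool) (string, error) {
 if fvt.restConn == nil {
 return "", errors.New("you must connect to model mesh before running an inference")
 }
 
 protocol := "http"
-if tls {
+if useTls {
 protocol = "https"
 }
 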