[pull] main from kserve:main (#326)

* Fixes CVE-2024-45338 (kserve#533)

chore: Fix
[CVE-2024-45338](https://www.cve.org/CVERecord?id=CVE-2024-45338) -
Denial of Service on golang.org/x/net/html

Signed-off-by: Spolti <fspolti@redhat.com>

* [RHOAIENG-14237] Adding REST_PROXY_SKIP_VERIFY env var. (kserve#536)

rest-proxy has a new environment variable for allowing the user to skip
verification when using TLS

Adding the variable to the RESTProxyConfig and to the Deployments

Users will be able to specify if they want to skip verification when
using TLS

See: [RHOAIENG-14237](https://issues.redhat.com/browse/RHOAIENG-14237)

Signed-off-by: Andres Llausas <allausas@redhat.com>

* Update GoLang, python and base images (kserve#538)

Signed-off-by: Spolti <fspolti@redhat.com>

---------

Signed-off-by: Spolti <fspolti@redhat.com>
Signed-off-by: Andres Llausas <allausas@redhat.com>
Co-authored-by: Filippe Spolti <fspolti@redhat.com>
Co-authored-by: Andres Llausas <allausas@redhat.com>
Signed-off-by: Mariah Holder <marholde@redhat.com>

Author: 3 people

.github/workflows/fvt-base.yml

@@ -41,17 +41,18 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Start Minikube
-        uses: medyagh/setup-minikube@v0.0.14
+        uses: medyagh/setup-minikube@v0.0.19
         id: minikube
         with:
-          minikube-version: 1.32.0
+          minikube-version: 1.35.0
           container-runtime: docker
-          kubernetes-version: v1.26.1
+          kubernetes-version: v1.32.0
           cpus: max
           memory: max
+          addons: storage-provisioner
 
       - name: Check pods
         run: |

.pre-commit-config.yaml

@@ -13,7 +13,7 @@
 # limitations under the License.
 repos:
   - repo: https://github.com/golangci/golangci-lint
-    rev: v1.51.2
+    rev: v1.60.3
     hooks:
       - id: golangci-lint
         entry: golangci-lint run

Dockerfile

@@ -54,7 +54,7 @@ RUN GOOS=${TARGETOS:-linux} \
 ###############################################################################
 # Stage 2: Copy build assets to create the smallest final runtime image
 ###############################################################################
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS runtime
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 AS runtime
 
 ARG USER=2000
 ARG IMAGE_VERSION

Dockerfile.develop

@@ -21,8 +21,8 @@
 ###############################################################################
 # Create the develop, test, and build environment
 ###############################################################################
-ARG GOLANG_VERSION=1.21
-FROM registry.access.redhat.com/ubi8/go-toolset:$GOLANG_VERSION
+ARG GOLANG_VERSION=1.22
+FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION
 
 
 # https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
@@ -44,14 +44,15 @@ ENV HOME=/root
 WORKDIR /workspace
 
 # Install build and dev tools
-# NOTE: Require python38 to install pre-commit
+# NOTE: Require python to install pre-commit
 RUN --mount=type=cache,target=/root/.cache/dnf:rw \
     dnf install --setopt=cachedir=/root/.cache/dnf -y --nodocs \
        nodejs \
        jq \
-       python38 \
-    && ln -sf /usr/bin/python3 /usr/bin/python \
-    && ln -sf /usr/bin/pip3 /usr/bin/pip \
+       python3.11 \
+       python3.11-pip \
+    && alternatives --install /usr/bin/python python /usr/bin/python3.11 1 \
+    && alternatives --install /usr/bin/pip pip /usr/bin/pip3.11 1 \
     && true
 
 # Install pre-commit

controllers/modelmesh/cluster_config.go

@@ -71,7 +71,7 @@ func (cc ClusterConfig) Reconcile(ctx context.Context, namespace string, cl clie
 		return err
 	}
 
-	if cc.SRSpecs == nil || len(cc.SRSpecs) == 0 {
+	if len(cc.SRSpecs) == 0 {
 		if !notfound {
 			return cl.Delete(ctx, m)
 		}

controllers/modelmesh/modelmesh.go

@@ -37,25 +37,26 @@ const ModelMeshEtcdPrefix = "mm"
 
 // Models a deployment
 type Deployment struct {
-	ServiceName        string
-	ServicePort        uint16
-	Name               string
-	Namespace          string
-	Owner              mf.Owner
-	SRSpec             *kserveapi.ServingRuntimeSpec
-	DefaultVModelOwner string
-	Log                logr.Logger
-	Metrics            bool
-	PrometheusPort     uint16
-	PrometheusScheme   string
-	PayloadProcessors  string
-	ModelMeshImage     string
-	ModelMeshResources *corev1.ResourceRequirements
-	RESTProxyEnabled   bool
-	RESTProxyImage     string
-	RESTProxyResources *corev1.ResourceRequirements
-	RESTProxyPort      uint16
-	PVCs               []string
+	ServiceName         string
+	ServicePort         uint16
+	Name                string
+	Namespace           string
+	Owner               mf.Owner
+	SRSpec              *kserveapi.ServingRuntimeSpec
+	DefaultVModelOwner  string
+	Log                 logr.Logger
+	Metrics             bool
+	PrometheusPort      uint16
+	PrometheusScheme    string
+	PayloadProcessors   string
+	ModelMeshImage      string
+	ModelMeshResources  *corev1.ResourceRequirements
+	RESTProxyEnabled    bool
+	RESTProxySkipVerify bool
+	RESTProxyImage      string
+	RESTProxyResources  *corev1.ResourceRequirements
+	RESTProxyPort       uint16
+	PVCs                []string
 	// internal fields used when templating
 	AuthNamespace              string
 	ModelMeshLimitCPU          string

controllers/modelmesh/proxy.go

@@ -26,6 +26,7 @@ const (
 	restProxyGrpcMaxMsgSizeEnvVar = "REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES"
 	restProxyGrpcPortEnvVar       = "REST_PROXY_GRPC_PORT"
 	restProxyTlsEnvVar            = "REST_PROXY_USE_TLS"
+	restProxySkipVerifyEnvVar     = "REST_PROXY_SKIP_VERIFY"
 )
 
 func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) error {
@@ -47,6 +48,9 @@ func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) err
 				}, {
 					Name:  restProxyGrpcMaxMsgSizeEnvVar,
 					Value: strconv.Itoa(m.GrpcMaxMessageSize),
+				}, {
+					Name:  restProxySkipVerifyEnvVar,
+					Value: strconv.FormatBool(m.RESTProxySkipVerify),
 				},
 			},
 			Ports: []corev1.ContainerPort{

controllers/servingruntime_controller.go

@@ -242,6 +242,7 @@ func (r *ServingRuntimeReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		RESTProxyEnabled:           cfg.RESTProxy.Enabled,
 		RESTProxyImage:             cfg.RESTProxy.Image.TaggedImage(),
 		RESTProxyPort:              cfg.RESTProxy.Port,
+		RESTProxySkipVerify:        cfg.RESTProxy.SkipVerify,
 		RESTProxyResources:         cfg.RESTProxy.Resources.ToKubernetesType(),
 		PullerImage:                cfg.StorageHelperImage.TaggedImage(),
 		PullerImageCommand:         cfg.StorageHelperImage.Command,

controllers/testdata/servingruntime_controller.golden

@@ -671,6 +671,8 @@ spec:
           value: "false"
         - name: REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES
           value: "16777216"
+        - name: REST_PROXY_SKIP_VERIFY
+          value: "false"
         image: kserve/rest-proxy:latest
         imagePullPolicy: Always
         name: rest-proxy

fvt/fvtclient.go

@@ -28,11 +28,10 @@ import (
 	"strings"
 	"time"
 
-	"google.golang.org/grpc/credentials/insecure"
-
 	"github.com/go-logr/logr"
 	"github.com/kserve/kserve/pkg/apis/serving/v1beta1"
 	api "github.com/kserve/modelmesh-serving/apis/serving/v1alpha1"
+	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -535,6 +534,29 @@ func (fvt *FVTClient) TailPodLogs(sinceTime string) {
 	}
 }
 
+func (fvt *FVTClient) PrintContainerEnvsFromAllPods() {
+	podList, err := fvt.Resource(gvrPods).Namespace(fvt.namespace).List(context.TODO(), metav1.ListOptions{
+		LabelSelector: "modelmesh-service=modelmesh-serving",
+	})
+	if err != nil {
+		fvt.log.Error(err, "Error listing the pods")
+	}
+	for _, podList := range podList.Items {
+		podName := podList.GetName()
+		err = fvt.RunKubectl("get", "pod/"+podName, "-o", "yaml")
+		if err != nil {
+			fvt.log.Error(err, "Error running kubectl exec env command")
+		}
+	}
+}
+
+func (fvt *FVTClient) PrintMMConfig() {
+	err := fvt.RunKubectl("get", "cm", UserConfigMapName, "-o", "yaml")
+	if err != nil {
+		fvt.log.Error(err, "Error running get config map command")
+	}
+}
+
 func (fvt *FVTClient) RunKubectl(args ...string) error {
 	args = append(args, "-n", fvt.namespace)
 	kubectlCmd := exec.Command("kubectl", args...)
@@ -571,13 +593,13 @@ func (fvt *FVTClient) RunKfsModelMetadata(req *inference.ModelMetadataRequest) (
 	return grpcClient.ModelMetadata(ctx, req)
 }
 
-func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, tls bool) (string, error) {
+func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, useTls bool) (string, error) {
 	if fvt.restConn == nil {
 		return "", errors.New("you must connect to model mesh before running an inference")
 	}
 
 	protocol := "http"
-	if tls {
+	if useTls {
 		protocol = "https"
 	}