feat: DSPO handle db tls connections and configs (v2) #577
Conversation
|
A new image has been built to help with testing out this PR: To use this image run the following: cd $(mktemp -d)
git clone git@github.com:opendatahub-io/data-science-pipelines-operator.git
cd data-science-pipelines-operator/
git fetch origin pull/577/head
git checkout -b pullrequest 6709929741e3daa52672b39e40876a2869d53e5c
oc new-project opendatahub
make deploy IMG="quay.io/opendatahub/data-science-pipelines-operator:pr-577"More instructions here on how to deploy and test a Data Science Pipelines Application. |
6709929 to
76b8cf7
Compare
|
Change to PR detected. A new PR build was completed. |
|
/hold |
dffc3ee to
2628402
Compare
|
Change to PR detected. A new PR build was completed. |
2628402 to
d72b805
Compare
|
Change to PR detected. A new PR build was completed. |
|
/unhold |
|
Change to PR detected. A new PR build was completed. |
9fc7115 to
472db5a
Compare
|
Change to PR detected. A new PR build was completed. |
1 similar comment
|
Change to PR detected. A new PR build was completed. |
70a9bf4 to
9ee3dac
Compare
|
Change to PR detected. A new PR build was completed. |
9ee3dac to
7376a5c
Compare
|
Change to PR detected. A new PR build was completed. |
7376a5c to
477e865
Compare
|
Change to PR detected. A new PR build was completed. |
477e865 to
5f6a984
Compare
|
Change to PR detected. A new PR build was completed. |
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com> (cherry picked from commit b400dff)
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com> (cherry picked from commit 574cd85)
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com> (cherry picked from commit 673a04a)
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
When a configmap trust ca store is provided, whether it's from a user provisioned configmap with a ca bundle via the DSPA's caBundle field, or whether it's a configmap name "odh-trusted-ca-bundle" (provided by odh or user), then this change will create an amalgmation of all of the certs from these configmaps and create a single dspo managed configmap. The resulting configmap has a single cert that is the accumulation of all afore mentioned certs, and can be passed as a single file to the dsp server, or pipeline pods to utilize. This helps work around issues and overhead work required when mounting to a ca path with multiple certs, because such a path requires that it first be re_hashed. Furthermore this allows us to work around issues related to aws cli being unable to utilize ca paths with it's AWS_CA_BUNDLE env variable when passing artifacts during the step-copy-artifacts step. Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
5f6a984 to
7ade9ee
Compare
|
Change to PR detected. A new PR build was completed. |
|
|
||
| DefaultDBSecretNamePrefix = "ds-pipeline-db-" | ||
| DefaultDBSecretKey = "password" | ||
| DBDefaultExtraParams = "{\"tls\":\"%t\"}" |
There was a problem hiding this comment.
same comment as in the v1 patch -- I would prefer a type safe way of doing this / not using string templating. This seems like not idiomatic go.
There was a problem hiding this comment.
we can open a "would be nice to refactor this" ticket for this and add it to our backlog. Not really a big deal / definitely no need to block merge.
Signed-off-by: Humair Khan <HumairAK@users.noreply.github.com>
|
Change to PR detected. A new PR build was completed. |
|
/lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rimolive The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The issue resolved by this Pull Request:
Resolves
RHOAIENG-16900
RHOAIENG-2385
Description of your changes:
Same as:
But for v2
Notes:
Testing instructions
Same as: #575 & #579
But for v2 with adjustments to work with v2:
Full instructions:
Deploy a secure/tls enabled s3/mariadb behind a self-signed cert (for example in a self-signed ocp cluster), provide these configs to the DSAP as external configs. Ensure they only accept tls based connections.
Deploy a cabundle as a configmap in the DSPA namespace:
Deploy DSPA configured to leverage these connections via external db/object store connections.
Confirm DSPO is able conduct successfull health checks (if it deploys the DSPA pods then health checks worked), if it didn't, log the error here.
Confirm DSPA comes up successfully, in this change DSPO willl udpate the DSP server's configs to enable "tls" for db connections. Confirm this behavior by running a successful pipeline.
Confirm DSPA "simple" v1 still works (no external db/s3 configured).
Confirm setting "customExtraParams" in the DSPA's ".spec.database.customExtraParams". Provide wrong ca bundle, confirm it fails to deploy dspa, then set ".spec.database.customExtraParams" to
{"tls":"true"}, it should work. Because the value is a json string, you should use|or>-to format the yaml value, example:Confirm that when you include an odh-trusted-ca-bundle configmap, and another cabundle in the DSPA via
.spec.cABundle, the result is a configmap nameddsp-trusted-ca-*that includes both bundles, which is mounted in the DSP Apiserver, as well as the user launcher pod.Checklist