-
Notifications
You must be signed in to change notification settings - Fork 873
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Patch for knative istio probe issue #6962 #1137
Conversation
@jlewi Do you have any instruction on how to get the programmatic token and send request to KFServing on GCP IAP? I verified the knative istio probes are succeeding now but still need to send a request to the protected endpoint to test. |
Here are docs on programmatic authentication There is some example code here This is making a simple http request to the central dashboard over IAP and verifying we get a 200. |
Do we still need kfserving-gateway anymore with this change? Maybe we can delete them as well |
@jlewi thanks for the links! I think I am able to get authenticated now but I am getting a routing issue as following, seems like it did not hit the istio ingress gateway.
I set the host header
|
hmm, now I changed to use path based routing and able to hit the ingress gateway and getting 403, but that seems to be istio rbac rules which blocks it since istio sidecar injection is turned on by default in kubeflow user namespaces.
So as is kubeflow does not work with KFServing out of the box, I had to add following virtual service to get it working.
|
Finally after I disable istio sidecar, I get KFServing working on GCP IAP e2e !
|
/assign |
yes, I have removed them. |
@krishnadurai @jlewi @Jeffwan Can you help review this? |
@@ -221,7 +221,7 @@ spec: | |||
sidecar.istio.io/inject: "false" | |||
labels: | |||
app: networking-istio | |||
serving.knative.dev/release: "v0.11.1" | |||
serving.knative.dev/release: "v0.11.2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see knative serving version bump in this PR? is it in the scope?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a minor version bump of 0.11 release and only networking istio deployment image is changed with the probing fix.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM other than changing pinned manifests.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
@ellis-bigelow could you take a look at this please on my behalf? |
@@ -89,8 +89,8 @@ data: | |||
} | |||
ingress: |- | |||
{ | |||
"ingressGateway" : "knative-ingress-gateway.knative-serving", | |||
"ingressService" : "kfserving-ingressgateway.istio-system.svc.cluster.local" | |||
"ingressGateway" : "kubeflow-gateway.kubeflow", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is this ingressgateway called the kubeflow-gateway.kubeflow?
Isn't the istio gateway the only one we need?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
kubeflow uses thiskubeflow-gateway
in kubeflow
namespace. istio-ingress gateway is not being used as it's in istio-system
.
This PR reverts some changes in #949 and bump the version.
/lgtm |
Adding the approved label |
I will leave up to tomorrow, if no one else comments on then I am going to unhold. |
/unhold |
/lgtm @yuzisun Thank you so much for driving this! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ellis-bigelow, jlewi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
some error msg.
|
/retest |
|
/retest |
Which issue is resolved by this Pull Request:
Resolves kserve/kserve#760
Description of your changes:
Import knative patch for istio probe issue, I have tested on GCP IAP kfserving test cluster and confirmed that probe failures like HTTP 401/403 are no longer blocking knative to mark the service as ready.
Checklist:
cd manifests/tests
make generate-changed-only
make test