From 9984ce93815e5462baf8e742ff798ba8614a45b2 Mon Sep 17 00:00:00 2001
From: Lucas Fernandez
Date: Mon, 29 Apr 2024 19:00:41 +0200
Subject: [PATCH] Add permissions to dashboard serviceaccount to fetch dsci and added extra tests
---
 .../e2e/modelServing/ServingRuntimeList.cy.ts | 39 +++++++++++
 .../concepts/areas/__tests__/utils.spec.ts | 69 ++++++++++++++++++-
 manifests/base/cluster-role.yaml | 8 +++
 3 files changed, 115 insertions(+), 1 deletion(-)
diff --git a/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts b/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
index 0ddbadafcf..4b9a773eb2 100644
--- a/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
+++ b/frontend/src/__tests__/cypress/cypress/e2e/modelServing/ServingRuntimeList.cy.ts
@@ -598,6 +598,7 @@ describe('Serving Runtime List', () => {
 initIntercepts({
 disableModelMeshConfig: false,
 disableKServeConfig: false,
+ disableKServeAuthConfig: true,
 servingRuntimes: [],
 });
@@ -619,6 +620,44 @@ describe('Serving Runtime List', () => {
 kserveModal.findAuthenticationCheckbox().should('not.exist');
 });
+ it('Kserve auth should be hidden when no required capabilities', () => {
+ initIntercepts({
+ disableModelMeshConfig: false,
+ disableKServeConfig: false,
+ disableKServeAuthConfig: false,
+ servingRuntimes: [],
+ requiredCapabilities: [],
+ });
+
+ projectDetails.visitSection('test-project', 'model-server');
+
+ modelServingSection.getServingPlatformCard('single-serving').findDeployModelButton().click();
+
+ kserveModal.shouldBeOpen();
+
+ // check external route, token should be checked and no alert
+ kserveModal.findAuthenticationCheckbox().should('not.exist');
+ });
+
+ it('Kserve auth should be enabled if capabilities are prsent', () => {
+ initIntercepts({
+ disableModelMeshConfig: false,
+ disableKServeConfig: false,
+ disableKServeAuthConfig: false,
+ servingRuntimes: [],
+ requiredCapabilities: [StackCapability.SERVICE_MESH, StackCapability.SERVICE_MESH_AUTHZ],
+ });
+
+ projectDetails.visitSection('test-project', 'model-server');
+
+ modelServingSection.getServingPlatformCard('single-serving').findDeployModelButton().click();
+
+ kserveModal.shouldBeOpen();
+
+ // check external route, token should be checked and no alert
+ kserveModal.findAuthenticationCheckbox().should('exist');
+ });
+
 it('Do not deploy KServe model when user cannot edit namespace', () => {
 initIntercepts({
 disableModelMeshConfig: false,
diff --git a/frontend/src/concepts/areas/__tests__/utils.spec.ts b/frontend/src/concepts/areas/__tests__/utils.spec.ts
index 4e1b639198..921e9a82f3 100644
--- a/frontend/src/concepts/areas/__tests__/utils.spec.ts
+++ b/frontend/src/concepts/areas/__tests__/utils.spec.ts
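Review bot: The comment `// check external route, token should be checked and no alert` in both new tests of ServingRuntimeList.cy.ts does not match the assertion below it, which only checks whether the authentication checkbox exists; something like `// auth checkbox is hidden when DSCI reports no capabilities` and `// auth checkbox is shown when both service-mesh capabilities are reported` would describe what is verified. The second test title has a typo (`prsent` should be `present`). `StackCapability` is referenced in the second test but no import for it is visible in this file's hunks, so confirm it is already imported. The enclosing `describe` starts and ends outside the hunk.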
@@ -1,7 +1,7 @@
 import { isAreaAvailable, SupportedArea } from '~/concepts/areas';
 import { mockDscStatus } from '~/__mocks__/mockDscStatus';
 import { mockDashboardConfig } from '~/__mocks__/mockDashboardConfig';
-import { StackComponent } from '~/concepts/areas/types';
+import { StackCapability, StackComponent } from '~/concepts/areas/types';
 import { SupportedAreasStateMap } from '~/concepts/areas/const';
 import { mockDsciStatus } from '~/__mocks__/mockDsciStatus';
@@ -188,5 +188,72 @@ describe('isAreaAvailable', () => {
 expect(isAvailable.requiredComponents).toBe(null);
 });
 });
+
+ describe('requiredCapabilities', () => {
+ it('should enable area if both capabilities are enabled', () => {
+ // Make sure this test is valid
+ expect(SupportedAreasStateMap[SupportedArea.K_SERVE_AUTH].requiredCapabilities).toEqual([
+ StackCapability.SERVICE_MESH,
+ StackCapability.SERVICE_MESH_AUTHZ,
+ ]);
+
+ // Test both reliant areas
+ const isAvailableKserveAuth = isAreaAvailable(
+ SupportedArea.K_SERVE_AUTH,
+ mockDashboardConfig({ disableKServeAuth: false }).spec,
+ mockDscStatus({
+ installedComponents: {
+ [StackComponent.K_SERVE]: true,
+ },
+ }),
+ mockDsciStatus({
+ requiredCapabilities: [
+ StackCapability.SERVICE_MESH,
+ StackCapability.SERVICE_MESH_AUTHZ,
+ ],
+ }),
+ );
+
+ expect(isAvailableKserveAuth.status).toBe(true);
+ expect(isAvailableKserveAuth.featureFlags).toEqual({
+ disableKServeAuth: 'on',
+ });
+ expect(isAvailableKserveAuth.requiredCapabilities).toEqual({
+ [StackCapability.SERVICE_MESH]: true,
+ [StackCapability.SERVICE_MESH_AUTHZ]: true,
+ });
+ });
+
+ it('should enable area if one capability is missing', () => {
+ // Make sure this test is valid
+ expect(SupportedAreasStateMap[SupportedArea.K_SERVE_AUTH].requiredCapabilities).toEqual([
+ StackCapability.SERVICE_MESH,
+ StackCapability.SERVICE_MESH_AUTHZ,
+ ]);
+
+ // Test both reliant areas
+ const isAvailableKserveAuth = isAreaAvailable(
+ SupportedArea.K_SERVE_AUTH,
+ mockDashboardConfig({ disableKServeAuth: false }).spec,
+ mockDscStatus({
+ installedComponents: {
+ [StackComponent.K_SERVE]: true,
+ },
+ }),
+ mockDsciStatus({
+ requiredCapabilities: [StackCapability.SERVICE_MESH],
+ }),
+ );
+
+ expect(isAvailableKserveAuth.status).toBe(false);
+ expect(isAvailableKserveAuth.featureFlags).toEqual({
+ disableKServeAuth: 'on',
+ });
+ expect(isAvailableKserveAuth.requiredCapabilities).toEqual({
+ [StackCapability.SERVICE_MESH]: true,
+ [StackCapability.SERVICE_MESH_AUTHZ]: false,
+ });
+ });
+ });
 });
 });
diff --git a/manifests/base/cluster-role.yaml b/manifests/base/cluster-role.yaml
index 228eaeed7c..c816375095 100644
--- a/manifests/base/cluster-role.yaml
+++ b/manifests/base/cluster-role.yaml
@@ -172,3 +172,11 @@ rules:
 - get
 resources:
 - datascienceclusters
+ - apiGroups:
+ - dscinitialization.opendatahub.io
+ verbs:
+ - list
+ - watch
+ - get
+ resources:
+ - dscinitializations
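Review bot: The second new test in utils.spec.ts is titled `should enable area if one capability is missing` but asserts that `status` is `false`; the title should read `it('should disable area if one capability is missing', () => {`. The comment `// Test both reliant areas` in both tests looks copied, since only `K_SERVE_AUTH` is evaluated. Neither test covers the case where no DSCI status is available at all, which is presumably what the dashboard sees when the read is denied; a case pinning that `K_SERVE_AUTH` stays unavailable there would be worth adding. The enclosing `describe('isAreaAvailable', ...)` starts outside the hunk.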
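Review bot: The added rule in cluster-role.yaml grants `list`, `watch` and `get` on `dscinitializations` cluster-wide, while the tests in this commit only read `requiredCapabilities` from the DSCI status; if the backend does a one-shot read, `watch` is not needed and should be dropped to keep the dashboard service account at least privilege. If the object name is fixed in a deployment, the `get` verb can be narrowed with `resourceNames`, with the caveat that `list` and `watch` honour `resourceNames` only when the client selects on `metadata.name`. The grant exposes the whole DSCI object to the service account, so the backend route that serves it should return only the status fields the UI needs rather than passing the object through to every logged-in user. A comment above the rule such as `# read-only: dashboard reads DSCI status to detect service-mesh capabilities` would record why it exists. The `rules:` list starts outside the hunk.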