@@ -0,0 +1,77 @@
# In-cluster TLS-intercepting proxy for proxy.feature (Konflux / Prow).
# Llama Stack run.yaml points at http://e2e-interception-proxy.<ns>.svc.cluster.local:8889
apiVersion: v1
kind: Pod
metadata:
name: e2e-interception-proxy
labels:
app: e2e-interception-proxy
spec:
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
containers:
- name: e2e-interception-proxy
image: python:3.12-slim
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
workingDir: /app
env:
- name: HOME
value: /tmp
- name: PYTHONPATH
value: /app:/tmp/pydeps
command:
- /bin/sh
- -c
- |
set -e
pip install --quiet --no-cache-dir --target /tmp/pydeps 'trustme>=1.2.1'
exec python /app/interception_proxy.py
ports:
- containerPort: 8889
name: proxy
- containerPort: 8886
name: stats
volumeMounts:
- name: proxy-scripts
mountPath: /app
readOnly: true
readinessProbe:
httpGet:
path: /stats
port: stats
initialDelaySeconds: 5
periodSeconds: 5
livenessProbe:
httpGet:
path: /stats
port: stats
initialDelaySeconds: 10
periodSeconds: 15
volumes:
- name: proxy-scripts
configMap:
name: e2e-interception-proxy-script
---
apiVersion: v1
kind: Service
metadata:
name: e2e-interception-proxy
spec:
selector:
app: e2e-interception-proxy
ports:
- name: proxy
port: 8889
targetPort: proxy
- name: stats
port: 8886
targetPort: stats
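--- a/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml
+++ b/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml
@@ -0,0 +1,104 @@
+# Mock HTTPS OpenAI API for tls.feature (Konflux / Prow; no Docker Compose).
+# Llama Stack run.yaml uses https://e2e-mock-tls-inference.<ns>.svc.cluster.local:8443|8444|8445/v1
+apiVersion: v1
+kind: Pod
+metadata:
+name: e2e-mock-tls-inference
+labels:
+app: e2e-mock-tls-inference
+spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: e2e-mock-tls-inference
+image: python:3.12-slim
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: PYTHONPATH
+value: /app:/tmp/pydeps
+command:
+- /bin/sh
+- -c
+- |
+set -e
+pip install --quiet --no-cache-dir --target /tmp/pydeps 'trustme>=1.2.1' 'cryptography>=42.0.0'
+NS="${POD_NAMESPACE:-default}"
+export TLS_CERT_DNS_NAMES="mock-tls-inference,localhost,127.0.0.1,e2e-mock-tls-inference,e2e-mock-tls-inference.${NS}.svc.cluster.local"
+exec python /app/server.py
+ports:
+- containerPort: 8443
+name: tls
+- containerPort: 8444
+name: mtls
+- containerPort: 8445
+name: mismatch
+volumeMounts:
+- name: server-script
+mountPath: /app/server.py
+subPath: server.py
+readOnly: true
+- name: certs-work
+mountPath: /certs
+readinessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 8
+periodSeconds: 5
+livenessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 15
+periodSeconds: 20
+volumes:
+- name: server-script
+configMap:
+name: e2e-mock-tls-inference-script
+- name: certs-work
+emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: e2e-mock-tls-inference
+spec:
+selector:
+app: e2e-mock-tls-inference
+ports:
+- name: tls
+port: 8443
+targetPort: tls
+- name: mtls
+port: 8444
+targetPort: mtls
+- name: mismatch
+port: 8445
+targetPort: mismatch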
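Review bot: The container command resolves its dependencies at pod start with open lower bounds (`'trustme>=1.2.1' 'cryptography>=42.0.0'`) on a floating `python:3.12-slim` tag, so the code that runs in the cluster is whatever the package index and registry serve at that moment, and the pod needs egress to an index before it can become ready. Pin exact versions and install from a hash-locked requirements file shipped in the ConfigMap (`pip install --require-hashes -r /app/requirements.txt --target /tmp/pydeps`), and reference the image by digest (`image: python:3.12-slim@sha256:<digest>`), or bake both into a dedicated test image. The same install-at-start line appears in the e2e-interception-proxy manifest earlier on this page (`'trustme>=1.2.1'`). The probes that set `ctx.verify_mode = ssl.CERT_NONE` only reach `localhost`, which is reasonable for a health check, but a one-line comment saying so would stop the pattern being copied into client code.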
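--- a/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-tunnel-proxy.yaml
+++ b/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-tunnel-proxy.yaml
@@ -0,0 +1,69 @@
+# In-cluster HTTP CONNECT tunnel proxy for proxy.feature (Konflux / Prow).
+# Llama Stack run.yaml points at http://e2e-tunnel-proxy.<ns>.svc.cluster.local:8888
+apiVersion: v1
+kind: Pod
+metadata:
+name: e2e-tunnel-proxy
+labels:
+app: e2e-tunnel-proxy
+spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: e2e-tunnel-proxy
+image: python:3.12-slim
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+workingDir: /app
+env:
+- name: PYTHONPATH
+value: /app
+command: ["python", "/app/tunnel_proxy.py"]
+ports:
+- containerPort: 8888
+name: proxy
+- containerPort: 8887
+name: stats
+volumeMounts:
+- name: proxy-scripts
+mountPath: /app
+readOnly: true
+readinessProbe:
+httpGet:
+path: /stats
+port: stats
+initialDelaySeconds: 2
+periodSeconds: 5
+livenessProbe:
+httpGet:
+path: /stats
+port: stats
+initialDelaySeconds: 5
+periodSeconds: 15
+volumes:
+- name: proxy-scripts
+configMap:
+name: e2e-tunnel-proxy-script
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: e2e-tunnel-proxy
+spec:
+selector:
+app: e2e-tunnel-proxy
+ports:
+- name: proxy
+port: 8888
+targetPort: proxy
+- name: stats
+port: 8887
+targetPort: stats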
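Review bot: The Service publishes the CONNECT proxy on 8888 and the stats endpoint on 8887 to every workload that can reach the ClusterIP, and nothing in this manifest limits who may connect. Whether `tunnel_proxy.py` restricts tunnel destinations is not visible here, so on a shared CI cluster it should be treated as a general-purpose forward proxy for as long as the pod lives. Ship a NetworkPolicy alongside the Pod that admits only the workload under test (and the test runner, if it reads `/stats`), along the lines of the sketch below; the client selector is a placeholder to fill in. The interception proxy manifest earlier on this page has the same exposure on 8889/8886.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: e2e-tunnel-proxy-ingress
spec:
  podSelector:
    matchLabels:
      app: e2e-tunnel-proxy
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: PLACEHOLDER-client-pod-label  # placeholder: label of the pod under test
      ports:
        - port: 8888
        - port: 8887
```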
17 changes: 17 additions & 0 deletions tests/e2e-prow/rhoai/manifests/lightspeed/llama-stack-openai.yaml
Expand Up @@ -201,6 +201,15 @@ spec:
- name: rag-data
mountPath: /opt/app-root/rag-data-cm
readOnly: true
# proxy.feature (interception): PEM from Secret e2e-interception-proxy-ca (optional).
- name: interception-proxy-ca
mountPath: /tmp/interception-proxy-ca.pem
subPath: ca.pem
readOnly: true
# tls.feature: client/CA PEMs from Secret e2e-mock-tls-certs (optional).
- name: mock-tls-certs
mountPath: /certs
readOnly: true
volumes:
- name: app-root
emptyDir: {}
Expand All @@ -213,3 +222,11 @@ spec:
- name: rag-data
configMap:
name: rag-data
- name: interception-proxy-ca
secret:
secretName: e2e-interception-proxy-ca
optional: true
- name: mock-tls-certs
secret:
secretName: e2e-mock-tls-certs
optional: true
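Review bot: The `interception-proxy-ca` mount combines `subPath: ca.pem` with a Secret marked `optional: true`, and the two interact badly: a subPath mount is resolved once at container start and does not receive later Secret updates. If the Secret is created by the proxy.feature steps after this pod is already running, `/tmp/interception-proxy-ca.pem` will not become the PEM without a pod restart, and with the Secret absent the path is likely to be an empty directory rather than a file, which a TLS client may report as a confusing trust error. Mounting the whole volume at a directory avoids this, e.g. `mountPath: /tmp/interception-proxy-ca` with the client pointed at `/tmp/interception-proxy-ca/ca.pem`; otherwise add a comment stating that the pod must be restarted after the Secret is created. The `mock-tls-certs` mount at `/certs` has no subPath, but per the comment it carries client PEMs, so confirm that only the keys the client needs are placed in that Secret.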
3 changes: 3 additions & 0 deletions tests/e2e-prow/rhoai/pipeline-konflux.sh
Expand Up @@ -135,6 +135,9 @@ oc wait pod/mock-jwks pod/mock-mcp \
}
log "✅ Mock servers deployed"

# e2e-tunnel-proxy and e2e-interception-proxy are deployed from proxy.feature steps
# (see tests/e2e/features/steps/proxy.py + e2e-ops deploy-e2e-*-proxy).

#========================================
# 5. DEPLOY LIGHTSPEED STACK AND LLAMA STACK
#========================================