Periodically run IAP endpoint ready test against auto deployments #51

jlewi · 2020-06-16T20:13:18Z

Follow on to #42

We should setup a periodic test that runs the IAP endpoint is ready test against the auto deployments.

issue-label-bot · 2020-06-16T20:13:29Z

Issue-Label Bot is automatically applying the labels:

Label	Probability
platform/gcp	0.94
kind/feature	0.93

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

jlewi · 2020-06-16T23:49:25Z

Needed to grant workload identity the serviceAccountTokenCreator

gcloud iam service-accounts add-iam-policy-binding --project=kubeflow-ci  --role roles/iam.serviceAccountTokenCreator   --member "serviceAccount:kubeflow-ci.svc.id.goog[kf-ci/kf-ci]"   [email protected]

jlewi · 2020-06-16T23:55:01Z

The endpoit_ready_test.py is still failing when using workload identity with error

google.auth.exceptions.TransportError: Error calling the IAM signBytes API: b'{\n  "error": {\n    "code": 403,\n    "message": "Permission iam.serviceAccounts.signBlob is required to perform this operation on service account projects/-/serviceAccounts/[email protected].",\n    "status": "PERMISSION_DENIED"\n  }\n}\n'

Fix code to work with IAP using workload identity. * The existing code to get an ID token didn't seem to work with workload identity and didn't match the latest code on the IAP. The latest code appears to use a helper function to get the id token Related to: GoogleCloudPlatform/kubeflow-distribution#51 Create a tekton test for blueprints to verify the endpoint is ready.

* GoogleCloudPlatform#51: We want to periodically run a test to verify that IAP is working on the auto-deployed clusters. * Document the testing.

…ers (#54) * Periodically run test to verify IAP is working on auto-deployed clusters * #51: We want to periodically run a test to verify that IAP is working on the auto-deployed clusters. * Document the testing. * Fix urls. * Remove testing-repo; its now baked into the container.

jlewi · 2020-06-30T02:04:08Z

Latest test still failed
https://prow.k8s.io/view/gcs/kubernetes-jenkins/logs/kubeflow-gcp-blueprints-master-periodic/1277776211300323329
https://kf-ci-v1.endpoints.kubeflow-ci.cloud.goog/tekton/#/namespaces/kf-ci/pipelineruns/gcp-kf-ready-6vlzk

The task executed command:

args:
  - '-m'
  - kubeflow.testing.get_kf_testing_cluster
  - '--base=$(inputs.params.testing-cluster-pattern)'
  - '--location=$(inputs.params.testing-cluster-location)'
  - get-credentials

It looks like its not running the new version
https://github.com/kubeflow/testing/blob/master/acm-repos/kf-ci-v1/namespaces/kf-ci/tekton.dev_v1alpha1_task_iap-ready.yaml#L40

jlewi · 2020-06-30T02:05:45Z

Config management isn't syncing master.

   git:
      policyDir: /acm-repos/kf-ci-v1
      proxy: {}
      secretType: none
      syncBranch: gcp_blueprints
      syncRepo: https://github.com/jlewi/testing.git

related to GoogleCloudPlatform/kubeflow-distribution#51

* ACM should point at kubeflowt/testing/master related to GoogleCloudPlatform/kubeflow-distribution#51 * Delete old config for auto-deploy.yaml * Fix the makefile

jlewi · 2020-06-30T02:28:19Z

Nomos sync is still failing

nomos --contexts=kf-ci-v1 status
Connecting to clusters...
Current   Context    Status           Last Synced Token   Sync Branch
-------   -------    ------           -----------------   -----------
          kf-ci-v1   ERROR            ccefc51a            master   


Config Management Errors:
kf-ci-v1   KNV2010: unable to update resource: could not patch: Internal error occurred: failed calling webhook "pilot.validation.istio.io": Post https://istio-galley.istio-system.svc:443/admitpilot?timeout=30s: no endpoints available for service "istio-galley"

source: namespaces/auto-deploy/networking.istio.io_v1alpha3_virtualservice_auto-deploy-server.yaml
namespace: auto-deploy
metadata.name: auto-deploy-server
group: networking.istio.io
version: v1alpha3
kind: VirtualService

For more information, see https://cloud.google.com/anthos-config-management/docs/reference/errors#knv2010

Looks like its: kubeflow/testing#708

issue-label-bot · 2020-06-30T02:28:26Z

Issue-Label Bot is automatically applying the labels:

Label	Probability
area/engprod	0.64

Please mark this comment with 👍 or 👎 to give our bot feedback!
Links: app homepage, dashboard and code for this bot.

jlewi · 2020-06-30T02:43:14Z

It should be sync'd now

nomos --contexts=kf-ci-v1 status
Connecting to clusters...
Current   Context    Status           Last Synced Token   Sync Branch
-------   -------    ------           -----------------   -----------
          kf-ci-v1   SYNCED           28a61500            master

jlewi · 2020-07-01T01:45:23Z

Latest run:
https://kf-ci-v1.endpoints.kubeflow-ci.cloud.goog/tekton/#/namespaces/kf-ci/pipelineruns/gcp-kf-ready-mzpcs

Get credential failed for the iap-ready test.

INFO|2020-07-01T01:31:51|/usr/local/lib/python3.8/dist-packages/oauth2client/transport.py|157| Attempting refresh to obtain initial access_token
Traceback (most recent call last):
  File "/usr/lib/python3.8/runpy.py", line 192, in _run_module_as_main
    return _run_code(code, main_globals, None,
  File "/usr/lib/python3.8/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/srcCache/kubeflow/testing/py/kubeflow/testing/get_kf_testing_cluster.py", line 429, in <module>
    fire.Fire(CredentialHelper)
  File "/usr/local/lib/python3.8/dist-packages/fire/core.py", line 138, in Fire
    component_trace = _Fire(component, args, parsed_flag_args, context, name)
  File "/usr/local/lib/python3.8/dist-packages/fire/core.py", line 463, in _Fire
    component, remaining_args = _CallAndUpdateTrace(
  File "/usr/local/lib/python3.8/dist-packages/fire/core.py", line 672, in _CallAndUpdateTrace
    component = fn(*varargs, **kwargs)
  File "/srcCache/kubeflow/testing/py/kubeflow/testing/get_kf_testing_cluster.py", line 384, in get_credentials
    raise ValueError(message)
ValueError: No clusters found matching: project: kubeflow-ci-deployment, location: us-central1-c, pattern: kf-master-(?!n\d\d)

It used docker image: gcr.io/kubeflow-ci/test-worker-py3@sha256:804c6cc8a73face69d79c60bcd85b93fa04218db9ee31127fb529b41fcab43ac

The kf ready test which worked used it correctly as well
gcr.io/kubeflow-ci/test-worker-py3@sha256:804c6cc8a73face69d79c60bcd85b93fa04218db9ee31127fb529b41fcab43ac

nomos --contexts=kf-ci-v1 status
Connecting to clusters...
Current   Context    Status           Last Synced Token   Sync Branch
-------   -------    ------           -----------------   -----------
          kf-ci-v1   SYNCED           3fbde6d3            master

jlewi · 2020-07-01T01:46:57Z

That is the write image sha
https://github.com/kubeflow/testing/blob/master/images/latest_image.json

jlewi · 2020-07-01T01:48:15Z

kf-ready is using the old style format
https://github.com/kubeflow/testing/blob/master/acm-repos/kf-ci-v1/namespaces/kf-ci/tekton.dev_v1alpha1_task_kf-ready.yaml#L37

jlewi · 2020-07-01T01:48:53Z

The flag name is wrong it should be pattern not location.

* Related GoogleCloudPlatform/kubeflow-distribution#51 get-credentials isn't finding any clusters because when using Fire the parameter should be --pattern not --location * Related GoogleCloudPlatform/kubeflow-distribution#65 When copying the bucket output in the notebook tests the parameter should be params.notebook-output not params.output

jlewi · 2020-07-01T02:11:51Z

kubeflow/testing#712 seems to fix the get-credentials issue. Now the test is timing out with.

INFO|02:09:16|/workspace/kfctl-repo/py/kubeflow/kfctl/testing/util/gcp_util.py|93| https://kf-vbp-0701-ab4.endpoints.kubeflow-ci-deployment.cloud.goog: Endpoint not ready, exception caught 'str' object has no attribute 'text', request number: 3
INFO|02:09:26|/workspace/kfctl-repo/py/kubeflow/kfctl/testing/util/gcp_util.py|81| Trying url: https://kf-vbp-0701-ab4.endpoints.kubeflow-ci-deployment.cloud.goog

jlewi · 2020-07-01T02:17:00Z

I suspect this is the offending line:
https://github.com/kubeflow/kfctl/blob/baf59c2692f45847bbd042c78a751a761b2b7eaa/py/kubeflow/kfctl/testing/util/gcp_util.py#L85

* Related GoogleCloudPlatform/kubeflow-distribution#51 get-credentials isn't finding any clusters because when using Fire the parameter should be --pattern not --location * Related GoogleCloudPlatform/kubeflow-distribution#65 When copying the bucket output in the notebook tests the parameter should be params.notebook-output not params.output