Enable model-registry with UI by default

.github/workflows/full_kubeflow_integration_test.yaml

@@ -95,16 +95,7 @@ jobs:
 
 
     - name: Install Model Registry
-      run: |
-        kustomize build applications/model-registry/upstream/overlays/db | kubectl apply -n kubeflow -f -
-        kustomize build applications/model-registry/upstream/options/istio | kubectl apply -n kubeflow -f -
-
-    - name: Install Model Registry UI
-      run: |
-        kustomize build applications/model-registry/upstream/options/ui/overlays/istio | kubectl apply -n kubeflow -f -
-
-    - name: Install KF Model Catalog
-      run: ./tests/model_catalog_install.sh
+      run: ./tests/model_registry_install.sh
 
     - name: Install Spark
       run: chmod u+x tests/*.sh && ./tests/spark_install.sh
@@ -202,45 +193,12 @@ jobs:
         cd experimental/ray/
         ./test.sh ${KF_PROFILE}
 
-    - name: Test Model Registry Deployment
-      run: |
-        kubectl wait --for=condition=available -n kubeflow deployment/model-registry-db --timeout=60s
-        kubectl wait --for=condition=available -n kubeflow deployment/model-registry-deployment --timeout=60s
-
-    - name: Test Model Registry UI Deployment
-      run: kubectl wait --for=condition=available -n kubeflow deployment/model-registry-ui --timeout=60s
-
-    - name: Test Model Registry API
-      run: |
-        export KF_TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-
-        nohup kubectl port-forward svc/model-registry-service -n kubeflow 8082:8080 &
-        sleep 5
-        curl -s -X 'GET' \
-          'http://localhost:8082/api/model_registry/v1alpha3/registered_models?pageSize=100&orderBy=ID&sortOrder=DESC' \
-          -H 'accept: application/json'
-
-        curl -s --fail \
-          "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-          -H "Authorization: Bearer ${KF_TOKEN}"
+    - name: Run Model Registry Tests
+      run: ./tests/model_registry_test.sh
 
-    - name: Run Model Catalog API tests
+    - name: Run Model Catalog API Tests
       run: ./tests/model_catalog_test.sh
 
-    - name: Test Model Registry API with Unauthorized Token
-      run: |
-        UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized || kubectl -n test-unauthorized create token default)
-
-        STATUS_CODE=$(curl -s \
-          --output /dev/stderr --write-out "%{http_code}" \
-          "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-          -H "Authorization: Bearer ${UNAUTHORIZED_TOKEN}")
-
-        if test $STATUS_CODE -ne 403; then
-          echo "Error: Unauthorized access was not correctly rejected. Got status code: ${STATUS_CODE}"
-          exit 1
-        fi
-
     - name: Apply Pod Security Standards Restricted
       run: ./tests/PSS_enable.sh restricted
 

.github/workflows/model_registry_test.yaml

@@ -45,84 +45,11 @@ jobs:
     - name: Create KF Profile
       run: kustomize build common/user-namespace/base | kubectl apply -f -
 
-    - name: Build & Apply KF Model Registry manifests
-      run: |
-        kustomize build applications/model-registry/upstream/overlays/db | kubectl apply -n kubeflow -f -
-        kustomize build applications/model-registry/upstream/options/istio | kubectl apply -n kubeflow -f -
+    - name: Install Model Registry
+      run: ./tests/model_registry_install.sh
 
-    - name: Build & Apply KF Model Registry UI manifests
-      run: |
-        kustomize build applications/model-registry/upstream/options/ui/overlays/istio | kubectl apply -n kubeflow -f -
-
-    - name: Test KF Model Registry deployment
-      run: |
-        echo "Waiting for all Model Registry Pods to become ready..."
-        if ! kubectl wait --for=condition=available -n kubeflow deployment/model-registry-db --timeout=60s ; then
-            kubectl events -A
-            kubectl describe deployment/model-registry-db -n kubeflow
-            kubectl logs deployment/model-registry-db -n kubeflow
-            exit 1
-        fi
-        kubectl wait --for=condition=available -n kubeflow deployment/model-registry-deployment --timeout=60s
-    - name: Test KF Model Registry UI deployment
-      run: |
-        echo "Waiting for all Model Registry UI Pods to become ready..."
-        if ! kubectl wait --for=condition=available -n kubeflow deployment/model-registry-ui --timeout=60s ; then
-            kubectl events -A
-            kubectl describe deployment/model-registry-ui -n kubeflow
-            kubectl logs deployment/model-registry-ui -n kubeflow
-            exit 1
-        fi
-    - name: Dry-run KF Model Registry API directly
-      run: |
-        echo "Dry-run KF Model Registry API directly..."
-        nohup kubectl port-forward svc/model-registry-service -n kubeflow 8081:8080 &
-        while ! curl localhost:8081; do echo "waiting for port-forwarding 8081"; sleep 1; done; echo "port-forwarding 8181 ready"
-        curl -v -X 'GET' \
-          'http://localhost:8081/api/model_registry/v1alpha3/registered_models?pageSize=100&orderBy=ID&sortOrder=DESC' \
-          -H 'accept: application/json'
-
-    # for these steps below ensure same steps as kserve (ie: Istio with external authentication, cert-manager, knative) so to achieve same setup
     - name: Port forward Istio gateway
-      run: |
-        INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
-        nohup kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80 &
-        while ! curl localhost:8080; do echo waiting for port-forwarding; sleep 1; done; echo port-forwarding ready
-
-    - name: Dry-run KF Model Registry REST API
-      run: |
-        echo "Dry-run KF Model Registry REST API..."
-        export KF_TOKEN="$(kubectl -n default create token default)"
-        curl -v -H "Authorization: Bearer "$KF_TOKEN http://localhost:8080/api/model_registry/v1alpha3/registered_models
-
-    - name: Dry-run KF Model Registry REST API UI
-      run: |
-        echo "Dry-run KF Model Registry REST API..."
-        export KF_PROFILE=kubeflow-user-example-com
-        export KF_TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-
-        STATUS_CODE=$(curl -v \
-            --silent --output /dev/stderr --write-out "%{http_code}" \
-            "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-            -H "Authorization: Bearer ${KF_TOKEN}")
-
-        if test $STATUS_CODE -ne 200; then
-            echo "Error, this call should be authorized to list model registries in namespace ${KF_PROFILE}."
-            exit 1
-        fi
-
-    - name: Dry-run KF Model Registry REST API UI with unauthorized SA Token
-      run: |
-        echo "Dry-run KF Model Registry REST API..."
-        export KF_PROFILE=kubeflow-user-example-com
-        export KF_TOKEN="$(kubectl -n default create token default)"
-
-        STATUS_CODE=$(curl -v \
-            --silent --output /dev/stderr --write-out "%{http_code}" \
-            "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-            -H "Authorization: Bearer ${KF_TOKEN}")
+      run: ./tests/port_forward_gateway.sh
 
-        if test $STATUS_CODE -ne 403; then
-            echo "Error, this call should fail to list model registry resources in namespace ${KF_PROFILE}."
-            exit 1
-        fi
+    - name: Run Model Registry Tests
+      run: ./tests/model_registry_test.sh

applications/dashboard/overlays/istio/kustomization.yaml

@@ -7,3 +7,8 @@ resources:
 - ../../upstream/poddefaults-webhooks/overlays/cert-manager
 - ../../upstream/profile-controller/overlays/kubeflow-pss
 
+patches:
+  - path: patches/configmap.yaml
+    target:
+      kind: ConfigMap
+      name: dashboard-config

applications/dashboard/overlays/istio/patches/configmap.yaml

@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dashboard-config
+data:
+  settings: |-
+    {
+      "DASHBOARD_FORCE_IFRAME": true
+    }
+  links: |-
+    {
+        "menuLinks": [
+            {
+                "icon": "book",
+                "link": "/jupyter/",
+                "text": "Notebooks",
+                "type": "item"
+            },
+            {
+                "icon": "assessment",
+                "link": "/tensorboards/",
+                "text": "TensorBoards",
+                "type": "item"
+            },
+            {
+                "icon": "device:storage",
+                "link": "/volumes/",
+                "text": "Volumes",
+                "type": "item"
+            },
+            {
+                "icon": "kubeflow:katib",
+                "link": "/katib/",
+                "text": "Katib Experiments",
+                "type": "item"
+            },
+            {
+                "type": "item",
+                "link": "/kserve-endpoints/",
+                "text": "KServe Endpoints",
+                "icon": "kubeflow:models"
+            },
+            {
+                "icon": "assignment",
+                "link": "/model-registry/",
+                "text": "Model Registry",
+                "type": "item"
+            },
+            {
+                "icon": "kubeflow:pipeline-centered",
+                "items": [
+                    {
+                        "link": "/pipeline/#/pipelines",
+                        "text": "Pipelines",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/experiments",
+                        "text": "Experiments",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/runs",
+                        "text": "Runs",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/recurringruns",
+                        "text": "Recurring Runs",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/artifacts",
+                        "text": "Artifacts",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/executions",
+                        "text": "Executions",
+                        "type": "item"
+                    }
+                ],
+                "text": "Pipelines",
+                "type": "section"
+            }
+        ],
+        "externalLinks": [],
+        "documentationItems": [
+            {
+                "desc": "The Kubeflow website",
+                "link": "https://www.kubeflow.org/",
+                "text": "Kubeflow Website"
+            },
+            {
+                "desc": "Documentation for Kubeflow Pipelines",
+                "link": "https://www.kubeflow.org/docs/components/pipelines/",
+                "text": "Kubeflow Pipelines Documentation"
+            },
+            {
+                "desc": "Documentation for Kubeflow Notebooks",
+                "link": "https://www.kubeflow.org/docs/components/notebooks/",
+                "text": "Kubeflow Notebooks Documentation"
+            },
+            {
+                "desc": "Documentation for Kubeflow Training Operator",
+                "link": "https://www.kubeflow.org/docs/components/training/",
+                "text": "Kubeflow Training Operator Documentation"
+            },
+            {
+                "desc": "Documentation for Katib",
+                "link": "https://www.kubeflow.org/docs/components/katib/",
+                "text": "Katib Documentation"
+            }
+        ],
+        "quickLinks": [
+            {
+                "desc": "Kubeflow Notebooks",
+                "link": "/jupyter/new",
+                "text": "Create a new Notebook"
+            },
+            {
+                "desc": "Kubeflow Pipelines",
+                "link": "/pipeline/#/pipelines",
+                "text": "Upload a Pipeline"
+            },
+            {
+                "desc": "Pipelines",
+                "link": "/pipeline/#/runs",
+                "text": "View Pipeline Runs"
+            }
+        ]
+    }

applications/model-registry/upstream/options/catalog/overlays/demo/kustomization.yaml

@@ -64,6 +64,8 @@ patches:
             - name: demo-perf-data
               mountPath: /demo-perf-data
           securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
             allowPrivilegeEscalation: false
             capabilities:
               drop:

applications/model-registry/upstream/options/istio/istio-authorization-policy.yaml

@@ -8,4 +8,20 @@ spec:
     matchLabels:
       component: model-registry-server
   rules:
-  - {}
+  # Allow all requests from the ingress gateway.
+  # External users are authenticated by oauth2-proxy/authservice at the gateway,
+  # which injects the kubeflow-userid header.
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+  # Allow internal requests with a valid Kubernetes JWT (authorization header)
+  # but strictly block any request that also carries a kubeflow-userid header,
+  # preventing identity spoofing from within the cluster.
+  - when:
+    - key: request.headers[authorization]
+      values:
+      - "*"
+    - key: request.headers[kubeflow-userid]
+      notValues:
+      - "*"

example/kustomization.yaml

@@ -95,6 +95,15 @@ resources:
 # Spark Operator
 - ../applications/spark/spark-operator/overlays/kubeflow
 
+# Model Registry
+- ../applications/model-registry/upstream/overlays/postgres
+# Model Registry Istio networking (VirtualService for /api/model_registry/)
+- ../applications/model-registry/upstream/options/istio
+# Model Registry UI
+- ../applications/model-registry/upstream/options/ui/overlays/istio
+# Model Catalog (demo)
+- ../applications/model-registry/upstream/options/catalog/overlays/demo
+
 # Ray is an experimental integration
 # Here is the documentation for Ray: https://docs.ray.io/en/latest/
 # Here is the internal documentation for Ray: - ../experimental/ray/README.md