Skip to content

fix: bump mlflow-kubernetes-plugins to 1.3.0 for MLflow 3.13 auth coverage #315

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
openshift-merge-bot merged 1 commit into from
Jun 19, 2026
Merged

fix: bump mlflow-kubernetes-plugins to 1.3.0 for MLflow 3.13 auth coverage #315

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions requirements/konflux-pypi-requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
# This file was autogenerated by uv via requirements/compile.py
#
# python requirements/compile.py
mlflow-kubernetes-plugins==1.2.1 \
--hash=sha256:29907e9c6ba3dc26dc7cb76d4a2cd4ff0003ff8db6486d76c456edceda0f84be \
--hash=sha256:79a015e12d4110c994540df4ecdc8003d67a3441fd85d0db98718a753c3867d6
mlflow-kubernetes-plugins==1.3.0 \
--hash=sha256:226575fdf66bbf09beb7e035c0fff57201c53f4815e74d499e36af0d9c51238f \
--hash=sha256:6a2a9b074290e14d47553a592f22f730d355357936c8552b978d3f3618214e4a
# via -r requirements/konflux-pypi.in
prometheus-flask-exporter==0.23.2 \
--hash=sha256:41fc9bbd7d48cc958ed8384aacf60c3621d9e903768be61c4e7f0c63872eaf1a \
Expand Down
2 changes: 1 addition & 1 deletion requirements/konflux-pypi.in
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@
#
# python requirements/compile.py

mlflow-kubernetes-plugins==1.2.1
mlflow-kubernetes-plugins==1.3.0

@coderabbitai coderabbitai Bot Jun 19, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What are the changes in mlflow-kubernetes-plugins version 1.3.0 compared to 1.2.1?

💡 Result:

The mlflow-kubernetes-plugins package version 1.3.0, released on June 12, 2026 [1][2], is part of the Kubeflow mlflow-integration repository [2]. While official release notes detailing specific code changes between 1.2.1 and 1.3.0 are not explicitly indexed in public summaries, the package maintains its core functionality as a Kubernetes-backed WorkspaceProvider and an optional Kubernetes RBAC authorization plugin [3][2]. Key information regarding this release: - Repository Migration: The project is now hosted under the kubeflow/mlflow-integration repository [2], having moved from its previous location at opendatahub-io/mlflow-kubernetes-plugins [4]. - Versioning: Version 1.3.0 was released shortly after 1.2.1 (which was released on May 8, 2026) [1][5]. - Dependencies: Version 1.3.0 requires MLflow <4.0.0, >=3.10.0, Kubernetes >=29.0.0, and graphql-core >=3.2.0 [3]. It requires Python >=3.12 [3]. - Scope: The plugin continues to provide workspace mapping to Kubernetes namespaces and Kubernetes-based request authorization [3][2]. For a complete list of commits or granular code changes between versions 1.2.1 and 1.3.0, please consult the commit history directly on the kubeflow/mlflow-integration GitHub repository [2].

Citations:

🏁 Script executed:

#!/bin/bash
# Check transitive dependencies of mlflow-kubernetes-plugins 1.3.0
pip show mlflow-kubernetes-plugins 2>/dev/null || echo "Package not installed, checking PyPI metadata"

# Try to fetch package metadata from PyPI
python3 - <<'PY'
import json
import urllib.request

try:
    url = "https://pypi.org/pypi/mlflow-kubernetes-plugins/1.3.0/json"
    with urllib.request.urlopen(url, timeout=10) as response:
        data = json.loads(response.read())
        print("=== mlflow-kubernetes-plugins 1.3.0 Dependencies ===")
        requires = data['info'].get('requires_dist', [])
        if requires:
            for req in requires:
                print(req)
        else:
            print("No requires_dist found")
except Exception as e:
    print(f"Error fetching metadata: {e}")
PY

Repository: opendatahub-io/mlflow

Length of output: 264

🏁 Script executed:

#!/bin/bash
# Check if requirements/konflux-aipcc-requirements.txt exists and examine it
if [ -f "requirements/konflux-aipcc-requirements.txt" ]; then
    echo "=== Contents of konflux-aipcc-requirements.txt ==="
    head -50 requirements/konflux-aipcc-requirements.txt
else
    echo "File not found. Searching for similar files:"
    find . -name "*requirements*.txt" -o -name "*requirements*.in" 2>/dev/null | grep -v ".git"
fi

Repository: opendatahub-io/mlflow

Length of output: 2729

🌐 Web query:

mlflow-kubernetes-plugins 1.3.0 release notes changelog kubeflow mlflow-integration

💡 Result:

Not enough source evidence was retrieved in this run to provide the actual “release notes/changelog” contents for mlflow-kubernetes-plugins version 1.3.0. What I could verify from authoritative sources - The package exists and is described as providing a Kubernetes-backed workspace provider plus an optional Kubernetes authorization plugin for MLflow workspaces. [1] - In the Kubeflow integration docs, the entry points are: - kubernetes -> MLflow hook mlflow.workspace_provider [2] - kubernetes-auth -> MLflow hook mlflow.app [3] - mlflow-kubernetes-plugins 1.3.0 has dependency constraints for MLflow (>=3.10.0, <4.0.0). [1] What is missing (for 1.3.0 specifically) - I did not find any retrieved page (PyPI, the integration repo, or GitHub release pages indexed in the search results) that contains the text of the 1.3.0 “release notes” or a “what’s changed” changelog section for that exact version. [1] If you want, I can do a second targeted search round specifically for the GitHub release tag “v1.3.0” and/or a compare link “v1.2.x...v1.3.0” to extract the exact changelog entries.

Citations:

🏁 Script executed:

#!/bin/bash
# Extract locked MLflow version from konflux-aipcc-requirements.txt to check compatibility
grep "^mlflow==" requirements/konflux-aipcc-requirements.txt | head -5

Repository: opendatahub-io/mlflow

Length of output: 47

🌐 Web query:

site:github.com kubeflow/mlflow-integration v1.3.0 release changelog

💡 Result:

The kubeflow/mlflow-integration repository currently lists version v1.3.0 as its latest release, published on June 12, 2026 [1]. There is no publicly available changelog text specifically attached to the v1.3.0 release tag in the repository's release section [1]. It is important to note that the Kubeflow ecosystem previously released a major version labeled v1.3.0 in April 2021 [2]; however, this is distinct from the versioning used by the kubeflow/mlflow-integration repository, which was created in March 2026 [1]. Users should not confuse the repository's v1.3.0 release with the historical Kubeflow 1.3.0 platform release [2][3]. For details on the latest changes, users may refer to the repository's commit history or pull request logs, as the official release page for v1.3.0 does not contain descriptive release notes [1].

Citations:

🌐 Web query:

mlflow-kubernetes-plugins 1.3.0 transitive dependencies kubernetes graphql-core requirements

💡 Result:

The mlflow-kubernetes-plugins version 1.3.0 package requires the following primary dependencies [1]: - mlflow: >=3.10.0 and <4.0.0 [1] - kubernetes: >=29.0.0 [1] - graphql-core: >=3.2.0 [1] The dependency on graphql-core is listed as a direct dependency of the package [1]. Transitive dependencies are the dependencies of these primary packages, which will vary based on the specific versions of mlflow, kubernetes, and graphql-core installed in your Python environment [1].

Citations:

MLflow 3.13 compatibility is satisfied; shift focus to test validation evidence.

The version constraint for mlflow-kubernetes-plugins 1.3.0 explicitly requires MLflow >=3.10.0, <4.0.0—MLflow 3.13 falls within this range. No compatibility risk exists on that axis.

However, dependency bumps remain a supply-chain surface (CWE-1104: Use of Unmaintained Third Party Components). The valid concern is test validation:

Provide:

  1. Test results confirming mlflow-kubernetes-plugins 1.3.0 works with your locked MLflow version
  2. Verification that transitive dependencies of 1.3.0 (kubernetes >=29.0.0, graphql-core >=3.2.0) do not conflict with locked versions in requirements/konflux-aipcc-requirements.txt

Note: GitHub release page for v1.3.0 contains no descriptive release notes; consult commit history if detailed changelog is required.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@requirements/konflux-pypi.in` at line 13, The
mlflow-kubernetes-plugins==1.3.0 dependency update in the konflux-pypi.in file
lacks test validation evidence. Run integration tests with
mlflow-kubernetes-plugins 1.3.0 against your locked MLflow version to confirm
runtime compatibility. Additionally, check the transitive dependencies
introduced by mlflow-kubernetes-plugins 1.3.0 (kubernetes >=29.0.0 and
graphql-core >=3.2.0) against the version constraints already locked in
requirements/konflux-aipcc-requirements.txt to verify there are no conflicts or
version mismatches. Document the test results and dependency verification
findings in the pull request to provide the required validation evidence.

psycopg2
prometheus-flask-exporter
# Starlette 1.0.1+ is not yet available on the rhoai/3.4 AIPCC index.
Expand Down
Loading