Merge branch 'main' into mm-ext

Author: rnetser

tests/model_explainability/trustyai_service/conftest.py

@@ -20,21 +20,26 @@
 from ocp_utilities.operators import install_operator, uninstall_operator
 
 from tests.model_explainability.trustyai_service.trustyai_service_utils import (
-    TRUSTYAI_SERVICE_NAME,
     wait_for_isvc_deployment_registered_by_trustyai_service,
 )
 from tests.model_explainability.trustyai_service.utils import (
     get_cluster_service_version,
     wait_for_mariadb_operator_deployments,
+    create_trustyai_service,
     wait_for_mariadb_pods,
+    TRUSTYAI_SERVICE_NAME,
 )
 
 from utilities.constants import Timeout, KServeDeploymentType, ApiGroups, Labels, Ports
 from utilities.inference_utils import create_isvc
 from utilities.infra import update_configmap_data
 
+
 OPENSHIFT_OPERATORS: str = "openshift-operators"
 
+TAI_DATA_CONFIG = {"filename": "data.csv", "format": "CSV"}
+TAI_METRICS_CONFIG = {"schedule": "5s"}
+TAI_DB_STORAGE_CONFIG = {"format": "DATABASE", "size": "1Gi", "databaseConfigurations": "db-credentials"}
 MARIADB: str = "mariadb"
 DB_CREDENTIALS_SECRET_NAME: str = "db-credentials"
 DB_NAME: str = "trustyai_db"
@@ -47,6 +52,14 @@
 LIGHTGBM: str = "lightgbm"
 MLFLOW: str = "mlflow"
 TIMEOUT_20MIN: int = 20 * Timeout.TIMEOUT_1MIN
+INVALID_TLS_CERTIFICATE: str = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJnRENDQVNlZ0F3SUJBZ0lRRGtTcXVuUWRzRmZwdi8zSm\
+5TS2ZoVEFLQmdncWhrak9QUVFEQWpBVk1STXcKRVFZRFZRUURFd3B0WVhKcFlXUmlMV05oTUI0WERUSTFNRFF4TkRFME1EUXhOMW9YRFRJNE1EUXhNekUx\
+TURReApOMW93RlRFVE1CRUdBMVVFQXhNS2JXRnlhV0ZrWWkxallUQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VICkEwSUFCQ2IxQ1IwUjV1akZ1QUR\
+Gd1NsazQzUUpmdDFmTFVnOWNJNyttZ0w3bVd3MmVLUXowL04ybm9KMGpJaDYKN0NnQ2syUW1jNTdWM1podkFWQzJoU2NEbWg2aldUQlhNQTRHQTFVZER3RU\
+Ivd1FFQXdJQ0JEQVBCZ05WSFJNQgpBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlNUa2tzSU9pL1pTbCtQRlJua2NQRlJ0QTRrMERBVkJnTlZIUkVFCkRqQ\
+U1nZ3B0WVhKcFlXUmlMV05oTUFvR0NDcUdTTTQ5QkFNQ0EwY0FNRVFDSUI1Q2F6VW1WWUZQYTFkS2txUGkKbitKSEQvNVZTTGd4aHVPclgzUGcxQnlzQWlB\
+RmcvTXlNWW9CZUNrUVRWdS9rUkIwK2N2Qy9RMDB4NExvVGpJaQpGdCtKMGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0t\
+LS0t"  # pragma: allowlist secret
 
 
 @pytest.fixture(scope="class")
@@ -66,18 +79,14 @@ def trustyai_service_with_pvc_storage(
         trustyai_service.clean_up()
 
     else:
-        with TrustyAIService(
+        yield from create_trustyai_service(
             **trustyai_service_kwargs,
             storage={"format": "PVC", "folder": "/inputs", "size": "1Gi"},
-            data={"filename": "data.csv", "format": "CSV"},
-            metrics={"schedule": "5s"},
+            metrics=TAI_METRICS_CONFIG,
+            data=TAI_DATA_CONFIG,
+            wait_for_replicas=True,
             teardown=teardown_resources,
-        ) as trustyai_service:
-            trustyai_deployment = Deployment(
-                namespace=model_namespace.name, name=TRUSTYAI_SERVICE_NAME, wait_for_resource=True
-            )
-            trustyai_deployment.wait_for_replicas()
-            yield trustyai_service
+        )
 
 
 @pytest.fixture(scope="class")
@@ -89,18 +98,35 @@ def trustyai_service_with_db_storage(
     mariadb: MariaDB,
     trustyai_db_ca_secret: None,
 ) -> Generator[TrustyAIService, Any, Any]:
-    with TrustyAIService(
+    yield from create_trustyai_service(
         client=admin_client,
-        name=TRUSTYAI_SERVICE_NAME,
         namespace=model_namespace.name,
-        storage={"format": "DATABASE", "size": "1Gi", "databaseConfigurations": "db-credentials"},
-        metrics={"schedule": "5s"},
-    ) as trustyai_service:
-        trustyai_deployment = Deployment(
-            namespace=model_namespace.name, name=TRUSTYAI_SERVICE_NAME, wait_for_resource=True
-        )
-        trustyai_deployment.wait_for_replicas()
-        yield trustyai_service
+        storage=TAI_DB_STORAGE_CONFIG,
+        metrics=TAI_METRICS_CONFIG,
+        wait_for_replicas=True,
+    )
+
+
+@pytest.fixture(scope="class")
+def trustyai_service_with_invalid_db_cert(
+    admin_client: DynamicClient,
+    model_namespace: Namespace,
+    cluster_monitoring_config: ConfigMap,
+    user_workload_monitoring_config: ConfigMap,
+    mariadb: MariaDB,
+    trustyai_invalid_db_ca_secret: None,
+) -> Generator[TrustyAIService, None, None]:
+    """Create a TrustyAIService deployment with an invalid database certificate set as secret.
+
+    Yields: A secret with invalid database certificate set.
+    """
+    yield from create_trustyai_service(
+        client=admin_client,
+        namespace=model_namespace.name,
+        storage=TAI_DB_STORAGE_CONFIG,
+        metrics=TAI_METRICS_CONFIG,
+        wait_for_replicas=False,
+    )
 
 
 @pytest.fixture(scope="session")
@@ -229,7 +255,7 @@ def mariadb(
 @pytest.fixture(scope="class")
 def trustyai_db_ca_secret(
     admin_client: DynamicClient, model_namespace: Namespace, mariadb: MariaDB
-) -> Generator[None, Any, None]:
+) -> Generator[Secret, Any, None]:
     mariadb_ca_secret = Secret(
         client=admin_client, name=f"{mariadb.name}-ca", namespace=model_namespace.name, ensure_exists=True
     )
@@ -238,8 +264,21 @@ def trustyai_db_ca_secret(
         name=f"{TRUSTYAI_SERVICE_NAME}-db-ca",
         namespace=model_namespace.name,
         data_dict={"ca.crt": mariadb_ca_secret.instance.data["ca.crt"]},
-    ):
-        yield
+    ) as secret:
+        yield secret
+
+
+@pytest.fixture(scope="class")
+def trustyai_invalid_db_ca_secret(
+    admin_client: DynamicClient, model_namespace: Namespace, mariadb: MariaDB
+) -> Generator[Secret, Any, None]:
+    with Secret(
+        client=admin_client,
+        name=f"{TRUSTYAI_SERVICE_NAME}-db-ca",
+        namespace=model_namespace.name,
+        data_dict={"ca.crt": INVALID_TLS_CERTIFICATE},
+    ) as secret:
+        yield secret
 
 
 @pytest.fixture(scope="class")

tests/model_explainability/trustyai_service/test_trustyai_service.py

@@ -0,0 +1,27 @@
+import pytest
+from ocp_resources.namespace import Namespace
+
+from tests.model_explainability.trustyai_service.utils import validate_trustyai_service_db_conn_failure
+
+
+@pytest.mark.parametrize(
+    "model_namespace",
+    [
+        pytest.param(
+            {"name": "test-trustyai-service-invalid-db-cert"},
+        )
+    ],
+    indirect=True,
+)
+def test_trustyai_service_with_invalid_db_cert(
+    admin_client,
+    current_client_token,
+    model_namespace: Namespace,
+    trustyai_service_with_invalid_db_cert,
+):
+    """Test to make sure TrustyAIService pod fails when incorrect database TLS certificate is used."""
+    validate_trustyai_service_db_conn_failure(
+        client=admin_client,
+        namespace=model_namespace,
+        label_selector=f"app.kubernetes.io/instance={trustyai_service_with_invalid_db_cert.name}",
+    )

tests/model_explainability/trustyai_service/utils.py

@@ -1,14 +1,22 @@
+from typing import Generator, Any, Optional
+import re
+
 from kubernetes.dynamic import DynamicClient
 from kubernetes.dynamic.exceptions import ResourceNotFoundError, ResourceNotUniqueError
 from ocp_resources.cluster_service_version import ClusterServiceVersion
 from ocp_resources.deployment import Deployment
-from ocp_resources.maria_db import MariaDB
 from ocp_resources.mariadb_operator import MariadbOperator
+from ocp_resources.maria_db import MariaDB
+from ocp_resources.namespace import Namespace
 from ocp_resources.pod import Pod
+from ocp_resources.trustyai_service import TrustyAIService
 from simple_logger.logger import get_logger
 from timeout_sampler import TimeoutSampler
-
+from tests.model_explainability.trustyai_service.trustyai_service_utils import TRUSTYAI_SERVICE_NAME
 from utilities.constants import Timeout
+from timeout_sampler import retry
+
+from utilities.exceptions import TooManyPodsError, UnexpectedFailureError
 
 LOGGER = get_logger(name=__name__)
 
@@ -46,15 +54,15 @@ def wait_for_mariadb_operator_deployments(mariadb_operator: MariadbOperator) ->
 
 def wait_for_mariadb_pods(client: DynamicClient, mariadb: MariaDB, timeout: int = Timeout.TIMEOUT_5MIN) -> None:
     def _get_mariadb_pods() -> list[Pod]:
-        pods = [
-            pod
-            for pod in Pod.get(
+        _pods = [
+            _pod
+            for _pod in Pod.get(
                 dyn_client=client,
                 namespace=mariadb.namespace,
                 label_selector="app.kubernetes.io/instance=mariadb",
             )
         ]
-        return pods
+        return _pods
 
     sampler = TimeoutSampler(wait_timeout=timeout, sleep=1, func=lambda: bool(_get_mariadb_pods()))
 
@@ -68,3 +76,94 @@ def _get_mariadb_pods() -> list[Pod]:
             condition=Pod.Condition.READY,
             status="True",
         )
+
+
+@retry(
+    wait_timeout=Timeout.TIMEOUT_2MIN,
+    sleep=5,
+    exceptions_dict={TooManyPodsError: list(), UnexpectedFailureError: list()},
+)
+def validate_trustyai_service_db_conn_failure(
+    client: DynamicClient, namespace: Namespace, label_selector: Optional[str]
+) -> bool:
+    """Validate if invalid DB Certificate leads to pod crash loop.
+
+    Waits for TrustyAIService pod to fail and checks if the pod is in a CrashLoopBackOff state and
+    the LastState is in terminated state and the cause was a MariaDB TLS certificate exception.
+    Also checks if there are more than one pod for the service.
+
+    Args:
+        client: The OpenShift client.
+        namespace: Namespace under which the pod is created.
+        label_selector: The label selector used to select the correct pod(s) to monitor.
+
+    Returns:
+        bool: True if pod failure is of expected state else False.
+
+    Raises:
+        TimeoutExpiredError: if the method takes longer than `wait_timeout` to return a value.
+        TooManyPodsError: if the number of pods exceeds 1.
+        UnexpectedFailureError: if the pod failure is different from the expected failure mode.
+
+    """
+    pods = list(Pod.get(dyn_client=client, namespace=namespace.name, label_selector=label_selector))
+    mariadb_conn_failure_regex = (
+        r"^.+ERROR.+Could not connect to mariadb:.+ PKIX path validation failed: "
+        r"java\.security\.cert\.CertPathValidatorException: signature check failed"
+    )
+    if pods:
+        if len(pods) > 1:
+            raise TooManyPodsError("More than one pod found in TrustyAIService.")
+        for container_status in pods[0].instance.status.containerStatuses:
+            if (terminate_state := container_status.lastState.terminated) and terminate_state.reason in (
+                pods[0].Status.ERROR,
+                pods[0].Status.CRASH_LOOPBACK_OFF,
+            ):
+                if not re.search(mariadb_conn_failure_regex, terminate_state.message):
+                    raise UnexpectedFailureError(
+                        f"Service {TRUSTYAI_SERVICE_NAME} did not fail with a mariadb connection failure as expected.\
+                                  \nExpected format: {mariadb_conn_failure_regex}\
+                                  \nGot: {terminate_state.message}"
+                    )
+                return True
+    return False
+
+
+def create_trustyai_service(
+    client: DynamicClient,
+    namespace: str,
+    storage: dict[str, str],
+    metrics: dict[str, str],
+    name: str = TRUSTYAI_SERVICE_NAME,
+    data: Optional[dict[str, str]] = None,
+    wait_for_replicas: bool = True,
+    teardown: bool = True,
+) -> Generator[TrustyAIService, Any, Any]:
+    """Creates TrustyAIService and TrustyAI deployment.
+
+    Args:
+         client: the client.
+         namespace: Namespace to create the service in.
+         storage: Dict with storage configuration.
+         metrics: Dict with metrics configuration.
+         name: Name of the TrustyAI service and deployment (default "trustyai-service").
+         data: An optional dict with data.
+         wait_for_replicas: Wait until replicas are available (default True).
+         teardown: Teardown the service (default True).
+
+    Yields:
+         Generator[TrustyAIService, Any, Any]: The TrustyAI service.
+    """
+    with TrustyAIService(
+        client=client,
+        name=name,
+        namespace=namespace,
+        storage=storage,
+        metrics=metrics,
+        data=data,
+        teardown=teardown,
+    ) as trustyai_service:
+        trustyai_deployment = Deployment(namespace=namespace, name=name, wait_for_resource=True)
+        if wait_for_replicas:
+            trustyai_deployment.wait_for_replicas()
+        yield trustyai_service

utilities/exceptions.py

@@ -102,3 +102,11 @@ class ResourceNotReadyError(Exception):
 
 class PodContainersRestartError(Exception):
     pass
+
+
+class TooManyPodsError(Exception):
+    pass
+
+
+class UnexpectedFailureError(Exception):
+    pass