Add more coverage for InferenceGraph

* Add more coverage for InferenceGraph
* Add more tests for Serverless InferenceGraph to cover for private cases and auth
* Add test cases for Raw InferenceGraph covering basic deployment, auth, private cases, and combinations.

Additionally, this moves to using the unprivileged client for IG-related fixtures.

---

## Summary by CodeRabbit

* New Features
    * Added comprehensive tests covering multiple deployment and authentication scenarios for inference graphs, including raw and serverless modes.
    * Introduced utilities for creating and managing service accounts and role-based access for inference graph viewing.
    * Added new helper functions for handling inference graph pod selection and Kubernetes role creation.
    * Enhanced inference utilities to support InferenceGraph objects with improved exposure detection and inference execution.
* Bug Fixes
    * Improved handling of authentication and authorization checks in inference response verification, especially for raw deployment scenarios.
* Tests
    * Expanded test coverage for inference graphs to validate access control, deployment modes, and service exposure.
    * Added fixtures to support flexible, parameterized test setups for various user privilege levels.
* Chores
    * Updated fixtures to use unprivileged clients and namespaces, enhancing security and test reliability.
    * Refined configuration for ONNX inference endpoint to improve deployment compatibility.

---------

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: Jooho Lee <ljhiyh@gmail.com>

Author: 3 people

tests/model_serving/model_server/inference_graph/conftest.py

@@ -1,3 +1,4 @@
+from secrets import token_hex
 from typing import Generator, Any
 
 import pytest
@@ -6,17 +7,21 @@
 from ocp_resources.inference_graph import InferenceGraph
 from ocp_resources.inference_service import InferenceService
 from ocp_resources.namespace import Namespace
+from ocp_resources.role_binding import RoleBinding
 from ocp_resources.secret import Secret
+from ocp_resources.service_account import ServiceAccount
 from ocp_resources.serving_runtime import ServingRuntime
 
-from utilities.constants import ModelFormat, KServeDeploymentType, ModelStoragePath
+from utilities.constants import ModelFormat, KServeDeploymentType, ModelStoragePath, Annotations, Labels
 from utilities.inference_utils import create_isvc
+from utilities.infra import create_inference_token, create_inference_graph_view_role
 
 
 @pytest.fixture
 def dog_breed_inference_graph(
-    admin_client: DynamicClient,
-    model_namespace: Namespace,
+    request: FixtureRequest,
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
     dog_cat_inference_service: InferenceService,
     dog_breed_inference_service: InferenceService,
 ) -> Generator[InferenceGraph, Any, Any]:
@@ -34,28 +39,58 @@ def dog_breed_inference_graph(
             ],
         }
     }
+
+    annotations = {}
+    labels = {}
+    networking_label = Labels.Kserve.NETWORKING_KNATIVE_IO
+    try:
+        if request.param.get("deployment-mode"):
+            annotations[Annotations.KserveIo.DEPLOYMENT_MODE] = request.param["deployment-mode"]
+            if request.param["deployment-mode"] == KServeDeploymentType.RAW_DEPLOYMENT:
+                networking_label = Labels.Kserve.NETWORKING_KSERVE_IO
+    except AttributeError:
+        pass
+
+    try:
+        if request.param.get("enable-auth"):
+            annotations[Annotations.KserveAuth.SECURITY] = "true"
+    except AttributeError:
+        pass
+
+    try:
+        name = request.param["name"]
+    except (AttributeError, KeyError):
+        name = "dog-breed-pipeline"
+
+    try:
+        if not request.param["external-route"]:
+            labels[networking_label] = "cluster-local"
+    except (AttributeError, KeyError):
+        pass
+
     with InferenceGraph(
-        client=admin_client,
-        name="dog-breed-pipeline",
-        namespace=model_namespace.name,
+        client=unprivileged_client,
+        name=name,
+        namespace=unprivileged_model_namespace.name,
         nodes=nodes,
+        annotations=annotations,
+        label=labels,
     ) as inference_graph:
         inference_graph.wait_for_condition(condition=inference_graph.Condition.READY, status="True")
         yield inference_graph
 
 
-@pytest.fixture
+@pytest.fixture(scope="class")
 def dog_cat_inference_service(
-    request: FixtureRequest,
-    admin_client: DynamicClient,
-    model_namespace: Namespace,
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
     ovms_kserve_serving_runtime: ServingRuntime,
     models_endpoint_s3_secret: Secret,
 ) -> Generator[InferenceService, Any, Any]:
     with create_isvc(
-        client=admin_client,
+        client=unprivileged_client,
         name="dog-cat-classifier",
-        namespace=model_namespace.name,
+        namespace=unprivileged_model_namespace.name,
         runtime=ovms_kserve_serving_runtime.name,
         storage_key=models_endpoint_s3_secret.name,
         storage_path=ModelStoragePath.CAT_DOG_ONNX,
@@ -66,18 +101,17 @@ def dog_cat_inference_service(
         yield isvc
 
 
-@pytest.fixture
+@pytest.fixture(scope="class")
 def dog_breed_inference_service(
-    request: FixtureRequest,
-    admin_client: DynamicClient,
-    model_namespace: Namespace,
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
     ovms_kserve_serving_runtime: ServingRuntime,
     models_endpoint_s3_secret: Secret,
 ) -> Generator[InferenceService, Any, Any]:
     with create_isvc(
-        client=admin_client,
+        client=unprivileged_client,
         name="dog-breed-classifier",
-        namespace=model_namespace.name,
+        namespace=unprivileged_model_namespace.name,
         runtime=ovms_kserve_serving_runtime.name,
         storage_key=models_endpoint_s3_secret.name,
         storage_path=ModelStoragePath.DOG_BREED_ONNX,
@@ -86,3 +120,62 @@ def dog_breed_inference_service(
         protocol_version="v2",
     ) as isvc:
         yield isvc
+
+
+@pytest.fixture
+def inference_graph_unprivileged_sa_token(
+    bare_service_account: ServiceAccount,
+) -> str:
+    return create_inference_token(model_service_account=bare_service_account)
+
+
+@pytest.fixture
+def inference_graph_sa_token_with_access(
+    service_account_with_access: ServiceAccount,
+) -> str:
+    return create_inference_token(model_service_account=service_account_with_access)
+
+
+@pytest.fixture
+def service_account_with_access(
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
+    dog_breed_inference_graph: InferenceGraph,
+    bare_service_account: ServiceAccount,
+) -> Generator[ServiceAccount, Any, Any]:
+    with create_inference_graph_view_role(
+        client=unprivileged_client,
+        name=f"{dog_breed_inference_graph.name}-view",
+        namespace=unprivileged_model_namespace.name,
+        resource_names=[dog_breed_inference_graph.name],
+    ) as role:
+        with RoleBinding(
+            client=unprivileged_client,
+            namespace=unprivileged_model_namespace.name,
+            name=f"{bare_service_account.name}-view",
+            role_ref_name=role.name,
+            role_ref_kind=role.kind,
+            subjects_kind=bare_service_account.kind,
+            subjects_name=bare_service_account.name,
+        ):
+            yield bare_service_account
+
+
+@pytest.fixture
+def bare_service_account(
+    request: FixtureRequest,
+    unprivileged_client: DynamicClient,
+    unprivileged_model_namespace: Namespace,
+) -> Generator[ServiceAccount, Any, Any]:
+    try:
+        if request.param["name"]:
+            name = request.param["name"]
+    except (AttributeError, KeyError):
+        name = "sa-" + token_hex(4)
+
+    with ServiceAccount(
+        client=unprivileged_client,
+        namespace=unprivileged_model_namespace.name,
+        name=name,
+    ) as sa:
+        yield sa

tests/model_serving/model_server/inference_graph/test_inference_graph_deployment.py

@@ -6,18 +6,83 @@
 from utilities.manifests.onnx import ONNX_INFERENCE_CONFIG
 
 
+@pytest.mark.serverless
+@pytest.mark.sanity
 @pytest.mark.parametrize(
-    "model_namespace,ovms_kserve_serving_runtime",
-    [pytest.param({"name": "kserve-inference-graph-deploy"}, {"runtime-name": ModelInferenceRuntime.ONNX_RUNTIME})],
+    "unprivileged_model_namespace,ovms_kserve_serving_runtime",
+    [
+        pytest.param(
+            {"name": "kserve-inference-graph-deploy"},
+            {"runtime-name": ModelInferenceRuntime.ONNX_RUNTIME},
+        )
+    ],
     indirect=True,
 )
 class TestInferenceGraphDeployment:
-    def test_inference_graph_deployment(self, dog_breed_inference_graph):
+    @pytest.mark.parametrize(
+        "dog_breed_inference_graph",
+        [{"name": "dog-breed-serverless-pipeline"}],
+        indirect=True,
+    )
+    def test_inference_graph_serverless_deployment(self, dog_breed_inference_graph):
+        verify_inference_response(
+            inference_service=dog_breed_inference_graph,
+            inference_config=ONNX_INFERENCE_CONFIG,
+            inference_type=Inference.GRAPH,
+            model_name="dog-breed-classifier",
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+        )
+
+    @pytest.mark.parametrize(
+        "dog_breed_inference_graph",
+        [{"name": "dog-breed-private-serverless-ig", "external-route": False}],
+        indirect=True,
+    )
+    def test_private_inference_graph_serverless_deployment(self, dog_breed_inference_graph):
+        verify_inference_response(
+            inference_service=dog_breed_inference_graph,
+            inference_config=ONNX_INFERENCE_CONFIG,
+            inference_type=Inference.GRAPH,
+            model_name="dog-breed-classifier",
+            protocol=Protocols.HTTP,
+            use_default_query=True,
+        )
+
+    @pytest.mark.smoke
+    @pytest.mark.parametrize(
+        "dog_breed_inference_graph",
+        [{"name": "dog-breed-auth-serverless-ig", "enable-auth": True}],
+        indirect=True,
+    )
+    def test_inference_graph_serverless_authentication(
+        self, dog_breed_inference_graph, inference_graph_sa_token_with_access
+    ):
+        verify_inference_response(
+            inference_service=dog_breed_inference_graph,
+            inference_config=ONNX_INFERENCE_CONFIG,
+            inference_type=Inference.GRAPH,
+            model_name="dog-breed-classifier",
+            protocol=Protocols.HTTPS,
+            use_default_query=True,
+            token=inference_graph_sa_token_with_access,
+        )
+
+    @pytest.mark.parametrize(
+        "dog_breed_inference_graph",
+        [{"name": "dog-breed-bad-auth-serverless-ig", "enable-auth": True}],
+        indirect=True,
+    )
+    def test_inference_graph_serverless_authentication_without_privileges(
+        self, dog_breed_inference_graph, inference_graph_unprivileged_sa_token
+    ):
         verify_inference_response(
             inference_service=dog_breed_inference_graph,
             inference_config=ONNX_INFERENCE_CONFIG,
             inference_type=Inference.GRAPH,
             model_name="dog-breed-classifier",
             protocol=Protocols.HTTPS,
             use_default_query=True,
+            token=inference_graph_unprivileged_sa_token,
+            authorized_user=False,
         )