Merge branch 'main' into move_functions

Author: dbasunag

tests/model_serving/model_runtime/image_validation/__init__.py

@@ -0,0 +1 @@
+"""Serving runtime image validation tests."""

tests/model_serving/model_runtime/image_validation/conftest.py

@@ -0,0 +1,90 @@
+"""
+Fixtures for serving runtime image validation tests.
+
+Creates minimal ServingRuntime + InferenceService so that deployments/pods
+are created and their spec.containers[*].image can be validated against
+the CSV relatedImages (registry.redhat.io, sha256 digest).
+"""
+
+from collections.abc import Generator
+from typing import Any
+
+import pytest
+from kubernetes.dynamic import DynamicClient
+from ocp_resources.namespace import Namespace
+from ocp_resources.pod import Pod
+from timeout_sampler import TimeoutSampler
+
+from tests.model_serving.model_runtime.image_validation.constant import PLACEHOLDER_STORAGE_URI
+from utilities.constants import KServeDeploymentType
+from utilities.inference_utils import create_isvc
+from utilities.infra import create_ns, wait_for_isvc_pods
+from utilities.serving_runtime import ServingRuntimeFromTemplate
+
+
+@pytest.fixture(scope="class")
+def serving_runtime_image_validation_namespace(
+    admin_client: DynamicClient,
+) -> Generator[Namespace, Any, Any]:
+    """
+    A dedicated namespace for serving runtime image validation.
+
+    Ensures deployments/pods created by the test have a clean namespace
+    that is torn down after the test.
+    """
+    name = "runtime-verification"
+    with create_ns(admin_client=admin_client, name=name, teardown=True) as ns:
+        yield ns
+
+
+@pytest.fixture(scope="function")
+def serving_runtime_pods_for_runtime(
+    request: pytest.FixtureRequest,
+    admin_client: DynamicClient,
+    serving_runtime_image_validation_namespace: Namespace,
+) -> Generator[tuple[list[Pod], str], Any, Any]:
+    """
+    For a given runtime config (parametrized), create ServingRuntime + InferenceService,
+    wait for pods, yield (pods, display_name) for validation. Teardown after test.
+    """
+    config = request.param
+    display_name = config["name"]
+    name_slug = display_name.replace("_", "-")
+    namespace_name = serving_runtime_image_validation_namespace.name
+    runtime_name = f"{name_slug}-runtime"
+    isvc_name = f"{name_slug}-isvc"
+
+    with ServingRuntimeFromTemplate(
+        client=admin_client,
+        name=runtime_name,
+        namespace=namespace_name,
+        template_name=config["template"],
+        deployment_type="raw",
+    ) as serving_runtime:
+        # Get model format from the runtime for the InferenceService spec.
+        model_format = serving_runtime.instance.spec.supportedModelFormats[0].name
+        with create_isvc(
+            client=admin_client,
+            name=isvc_name,
+            namespace=namespace_name,
+            model_format=model_format,
+            runtime=runtime_name,
+            storage_uri=PLACEHOLDER_STORAGE_URI,
+            deployment_mode=KServeDeploymentType.RAW_DEPLOYMENT,
+            wait=False,
+            wait_for_predictor_pods=False,
+            timeout=120,
+            teardown=True,
+        ) as isvc:
+            # Wait for pods to be created (300 seconds timeout)
+            for pods in TimeoutSampler(
+                wait_timeout=300,
+                sleep=5,
+                func=wait_for_isvc_pods,
+                client=admin_client,
+                isvc=isvc,
+                runtime_name=runtime_name,
+            ):
+                if pods:
+                    yield (pods, display_name)
+                    return

tests/model_serving/model_runtime/image_validation/constant.py

@@ -0,0 +1,19 @@
+"""Constants for serving runtime image validation tests."""
+
+from utilities.constants import RuntimeTemplates
+
+# Placeholder storage URI so the controller creates Deployment/Pod with runtime image.
+# No actual model or inference is required; pod phase does not need to be Ready.
+PLACEHOLDER_STORAGE_URI = "s3://dummy-bucket/dummy/"
+
+# Runtime configs: display name (for "name : passed") and template name.
+# For each we create ServingRuntime + InferenceService, wait for pod(s), validate, then teardown.
+RUNTIME_CONFIGS = [
+    {"name": "odh_openvino_model_server_image", "template": RuntimeTemplates.OVMS_KSERVE},
+    {"name": "odh_vllm_cpu_image", "template": RuntimeTemplates.VLLM_CPU_x86},
+    {"name": "odh_vllm_gaudi_image", "template": RuntimeTemplates.VLLM_GAUDI},
+    {"name": "odh_mlserver_image", "template": RuntimeTemplates.MLSERVER},
+    {"name": "rhaiis_vllm_cuda_image", "template": RuntimeTemplates.VLLM_CUDA},
+    {"name": "rhaiis_vllm_rocm_image", "template": RuntimeTemplates.VLLM_ROCM},
+    {"name": "rhaiis_vllm_spyre_image", "template": RuntimeTemplates.VLLM_SPYRE},
+]

tests/model_serving/model_runtime/image_validation/test_verify_serving_runtime_images.py

@@ -0,0 +1,58 @@
+"""
+Tests to verify that serving runtime component images meet the requirements:
+1. Images are hosted in registry.redhat.io
+2. Images use sha256 digest instead of tags
+3. Images are listed in the CSV's relatedImages section
+
+For each runtime template we create ServingRuntime + InferenceService, wait for pod(s),
+then validate the pod's container images against the cluster CSV (relatedImages) at runtime.
+No hardcoded image SHAs—validation uses whatever CSV is installed (e.g. rhods-operator.3.3.0).
+"""
+
+from typing import Self
+
+import pytest
+from ocp_resources.pod import Pod
+from simple_logger.logger import get_logger
+
+from tests.model_serving.model_runtime.image_validation.constant import RUNTIME_CONFIGS
+from utilities.general import validate_container_images
+
+LOGGER = get_logger(name=__name__)
+
+pytestmark = [
+    pytest.mark.downstream_only,
+    pytest.mark.skip_must_gather,
+    pytest.mark.smoke,
+]
+
+
+@pytest.mark.parametrize("serving_runtime_pods_for_runtime", RUNTIME_CONFIGS, indirect=True)
+class TestServingRuntimeImagesPerTemplate:
+    """
+    For each runtime template: create ServingRuntime + InferenceService, wait for pod(s),
+    validate pod images (registry.redhat.io, sha256, CSV), output runtimename : passed, then teardown.
+    """
+
+    def test_verify_serving_runtime_pod_images_from_template(
+        self: Self,
+        serving_runtime_pods_for_runtime: tuple[list[Pod], str],
+        related_images_refs: set[str],
+    ) -> None:
+        """
+        For the parametrized runtime: create SR+ISVC from template, validate pod images, report name : passed.
+        """
+        pods, runtime_name = serving_runtime_pods_for_runtime
+        validation_errors = []
+        for pod in pods:
+            LOGGER.info(f"Validating {pod.name} in {pod.namespace}")
+            validation_errors.extend(
+                validate_container_images(
+                    pod=pod,
+                    valid_image_refs=related_images_refs,
+                )
+            )
+
+        if validation_errors:
+            pytest.fail("\n".join(validation_errors))
+        LOGGER.info(f"{runtime_name} : passed")

tests/workbenches/test_imagestream_health.py

@@ -0,0 +1,205 @@
+"""ImageStream health checks for workbench-related images."""
+
+from typing import Any
+
+import pytest
+from kubernetes.dynamic import DynamicClient
+from ocp_resources.image_stream import ImageStream
+from pytest_testconfig import config as py_config
+from simple_logger.logger import get_logger
+
+pytestmark = [pytest.mark.smoke]
+LOGGER = get_logger(name=__name__)
+IMPORT_SUCCESS_CONDITION_TYPE = "ImportSuccess"
+
+
+def _validate_imagestream_tag_health(
+    imagestream_name: str,
+    tag_name: str,
+    tag_data: dict[str, Any],
+) -> list[str]:
+    """
+    Validate one ImageStream status tag and return all discovered errors.
+
+    A tag is considered healthy when it has at least one resolved item in
+    `status.tags[].items`, each item points to a digest-based image reference,
+    and an optional `ImportSuccess` condition (when present) is `True`.
+
+    Args:
+        imagestream_name: Name of the parent ImageStream (for error reporting).
+        tag_name: Name of the ImageStream tag being validated.
+        tag_data: Raw `status.tags[]` payload for the tag.
+
+    Returns:
+        List of validation error messages. Empty list means the tag is healthy.
+    """
+    errors: list[str] = []
+
+    raw_tag_items = tag_data.get("items")
+    tag_items = raw_tag_items if isinstance(raw_tag_items, list) else []
+    import_conditions = [
+        condition
+        for condition in (tag_data.get("conditions") or [])
+        if condition.get("type") == IMPORT_SUCCESS_CONDITION_TYPE
+    ]
+    latest_import_condition = (
+        max(import_conditions, key=lambda condition: condition.get("generation", -1)) if import_conditions else None
+    )
+    import_status = latest_import_condition.get("status") if latest_import_condition else "N/A"
+    LOGGER.info(
+        f"Checked ImageStream tag {imagestream_name}:{tag_name} "
+        f"(items_count={len(tag_items)}, import_success={import_status})"
+    )
+
+    # A tag is considered unresolved if no image item exists.
+    # In that case we expect an ImportSuccess=False condition to explain the failure reason.
+    if not tag_items:
+        failure_details = (
+            "no ImportSuccess condition was reported"
+            if not latest_import_condition
+            else (
+                f"status={latest_import_condition.get('status')}, "
+                f"reason={latest_import_condition.get('reason')}, "
+                f"message={latest_import_condition.get('message')}"
+            )
+        )
+        errors.append(
+            f"ImageStream {imagestream_name} tag {tag_name} has unresolved status.tags.items; "
+            f"ImportSuccess details: {failure_details}"
+        )
+        return errors
+
+    for item_index, item in enumerate(tag_items):
+        docker_image_reference = str(item.get("dockerImageReference", ""))
+        if "@sha256:" not in docker_image_reference:
+            errors.append(
+                f"ImageStream {imagestream_name} tag {tag_name} item #{item_index} "
+                "has unresolved dockerImageReference: "
+                f"{docker_image_reference}"
+            )
+
+        image_reference = str(item.get("image", ""))
+        if not image_reference.startswith("sha256:"):
+            errors.append(
+                f"ImageStream {imagestream_name} tag {tag_name} item #{item_index} has unresolved image reference: "
+                f"{image_reference}"
+            )
+
+    # If the tag resolved to items but ImportSuccess exists and reports failure, this is still an error.
+    if latest_import_condition and latest_import_condition.get("status") != "True":
+        errors.append(
+            f"ImageStream {imagestream_name} tag {tag_name} has resolved items but ImportSuccess is not True: "
+            f"status={latest_import_condition.get('status')}, "
+            f"reason={latest_import_condition.get('reason')}, "
+            f"message={latest_import_condition.get('message')}"
+        )
+
+    return errors
+
+
+def _validate_imagestreams_with_label(
+    imagestreams: list[ImageStream],
+    label_selector: str,
+    expected_count: int,
+) -> None:
+    """
+    Validate ImageStreams selected by label and fail the test if unhealthy.
+
+    This helper enforces:
+    - expected ImageStream count for the selector
+    - every tag declared in `spec.tags` appears in `status.tags`
+    - per-tag resolution/import checks via `_validate_imagestream_tag_health`
+
+    Args:
+        imagestreams: ImageStreams fetched for the label selector.
+        label_selector: Label selector used to fetch ImageStreams.
+        expected_count: Expected number of matching ImageStreams.
+
+    Raises:
+        pytest.fail: When any validation error is found.
+    """
+    errors: list[str] = []
+    actual_count = len(imagestreams)
+    LOGGER.info(
+        f"Checking ImageStreams for label selector '{label_selector}': "
+        f"expected_count={expected_count}, actual_count={actual_count}"
+    )
+    if imagestreams:
+        LOGGER.info(
+            f"ImageStreams matched for '{label_selector}': {', '.join(sorted(is_obj.name for is_obj in imagestreams))}"
+        )
+    if actual_count != expected_count:
+        imagestream_names = ", ".join(sorted(imagestream.name for imagestream in imagestreams))
+        errors.append(
+            f"Expected {expected_count} ImageStreams with label '{label_selector}', found {actual_count}. "
+            f"Found: [{imagestream_names}]"
+        )
+
+    for imagestream in imagestreams:
+        imagestream_data: dict[str, Any] = imagestream.instance.to_dict()
+        imagestream_name = imagestream_data.get("metadata", {}).get("name", imagestream.name)
+        LOGGER.info(f"Validating ImageStream {imagestream_name} (label selector: {label_selector})")
+
+        spec_tag_names = {
+            str(spec_tag.get("name"))
+            for spec_tag in imagestream_data.get("spec", {}).get("tags", [])
+            if spec_tag.get("name")
+        }
+        status_tags = imagestream_data.get("status", {}).get("tags", [])
+        status_tag_names = {str(status_tag.get("tag")) for status_tag in status_tags if status_tag.get("tag")}
+
+        missing_status_tags = sorted(spec_tag_names - status_tag_names)
+        LOGGER.info(
+            f"ImageStream {imagestream_name} tag coverage: "
+            f"spec_tags={sorted(spec_tag_names)}, status_tags={sorted(status_tag_names)}"
+        )
+        errors.extend([
+            f"ImageStream {imagestream_name} spec tag {missing_tag} is missing from status.tags "
+            f"(label selector: {label_selector})"
+            for missing_tag in missing_status_tags
+        ])
+
+        for status_tag in status_tags:
+            tag_name = str(status_tag.get("tag", "<missing-tag-name>"))
+            errors.extend(
+                _validate_imagestream_tag_health(
+                    imagestream_name=imagestream_name,
+                    tag_name=tag_name,
+                    tag_data=status_tag,
+                )
+            )
+
+    if errors:
+        pytest.fail("\n".join(errors))
+
+
+@pytest.mark.parametrize(
+    "label_selector, expected_imagestream_count",
+    [
+        pytest.param("opendatahub.io/notebook-image=true", 11, id="notebook_imagestreams"),
+        pytest.param("opendatahub.io/runtime-image=true", 7, id="runtime_imagestreams"),
+    ],
+)
+def test_workbench_imagestreams_health(
+    admin_client: DynamicClient,
+    label_selector: str,
+    expected_imagestream_count: int,
+) -> None:
+    """
+    Given workbench-related ImageStreams in the applications namespace.
+    When ImageStreams are listed by the expected workbench labels.
+    Then all expected ImageStreams exist and each tag is imported and resolved successfully.
+    """
+    imagestreams = list(
+        ImageStream.get(
+            client=admin_client,
+            namespace=py_config["applications_namespace"],
+            label_selector=label_selector,
+        )
+    )
+
+    _validate_imagestreams_with_label(
+        imagestreams=imagestreams,
+        label_selector=label_selector,
+        expected_count=expected_imagestream_count,
+    )