Fix ml pipeline access from kfp step (#2795)

* fail gh action if pipeline failed in .github/workflows/pipeline_test.yaml

Signed-off-by: Krzysztof Romanowski <[email protected]>

* allow access to ml-pipeline when using trusted requestPrincipal or doesn't have auth header

Signed-off-by: Krzysztof Romanowski <[email protected]>

* add more triggers for the workflow

Signed-off-by: juliusvonkohout <[email protected]>

---------

Signed-off-by: Krzysztof Romanowski <[email protected]>
Signed-off-by: juliusvonkohout <[email protected]>
Co-authored-by: Krzysztof Romanowski <[email protected]>
Co-authored-by: juliusvonkohout <[email protected]>

.github/workflows/pipeline_run_from_notebook.yaml

@@ -4,10 +4,14 @@ on:
     paths:
       - .github/workflows/pipeline_run_from_notebook.yaml
       - apps/jupyter/notebook-controller/upstream/**
+      - apps/pipeline/upstream/**
       - tests/gh-actions/kind-cluster.yaml
       - tests/gh-actions/install_kind.sh
       - tests/gh-actions/install_kustomize.sh
       - tests/gh-actions/install_istio.sh
+      - tests/gh-actions/install_cert_manager.sh
+      - common/cert-manager/**
+      - common/oidc-client/oauth2-proxy/**
       - common/istio*/**
       - common/oidc-client/**
       - apps/jupyter/**

.github/workflows/pipeline_test.yaml

@@ -90,11 +90,14 @@ jobs:
 
           while True:
             status = client.get_run(run_id=run_id).state
-            if status not in ["SUCCEEDED", "FAILED", "ERROR"]:
+            if status in ["PENDING", "RUNNING"]:
               print(f"Waiting for run_id: {run_id}, status: {status}.")
               sleep(10)
             else:
               print(f"Run with id {run_id} finished with status: {status}.")
+              if status != "SUCCEEDED":
+                print("Pipeline failed")
+                raise SystemExit(1)
               break
           ' "${TOKEN}" "${KF_PROFILE}"
 

apps/kfp-tekton/upstream/base/installs/multi-user/istio-authorization-config.yaml

@@ -32,6 +32,10 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  # allow access by any trusted principal
+  - from:
+    - source:
+        requestPrincipals: ["*"]
   # For user workloads, which cannot user http headers for authentication
   - when:
     - key: request.headers[kubeflow-userid]

apps/kfp-tekton/upstream/v1/base/installs/multi-user/istio-authorization-config.yaml

@@ -32,6 +32,10 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  # allow access by any trusted principal
+  - from:
+    - source:
+        requestPrincipals: ["*"]
   # For user workloads, which cannot user http headers for authentication
   - when:
     - key: request.headers[kubeflow-userid]

apps/pipeline/upstream/base/installs/multi-user/istio-authorization-config.yaml

@@ -32,9 +32,14 @@ spec:
         - cluster.local/ns/kubeflow/sa/ml-pipeline-scheduledworkflow
         - cluster.local/ns/kubeflow/sa/ml-pipeline-viewer-crd-service-account
         - cluster.local/ns/kubeflow/sa/kubeflow-pipelines-cache
+  # allow access by any trusted principal
   - from:
     - source:
-        requestPrincipals: ["*"]  # allow access by any trusted principal
+        requestPrincipals: ["*"]
+  # For user workloads, which cannot user http headers for authentication
+  - when:
+    - key: request.headers[kubeflow-userid]
+      notValues: ['*']
 ---
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy