Draft
Expand Up @@ -167,6 +167,8 @@ spec:
echo "========== End parameters =========="
- name: lightspeed-stack-integration-tests
description: Task to run integration tests from lightspeed-stack repository
# Full Behave suite (proxy + tls) can exceed 2h; needs PipelineRun timeouts >= this value.
timeout: 3h
params:
- name: SNAPSHOT
value: $(params.SNAPSHOT)
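--- /dev/null
+++ b/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml
@@ -0,0 +1,104 @@
+# Mock HTTPS OpenAI API for tls.feature (Konflux / Prow; no Docker Compose).
+# Llama Stack run.yaml uses https://e2e-mock-tls-inference.<ns>.svc.cluster.local:8443|8444|8445/v1
+apiVersion: v1
+kind: Pod
+metadata:
+name: e2e-mock-tls-inference
+labels:
+app: e2e-mock-tls-inference
+spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: e2e-mock-tls-inference
+image: python:3.12-slim
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: PYTHONPATH
+value: /app:/tmp/pydeps
+command:
+- /bin/sh
+- -c
+- |
+set -e
+pip install --quiet --no-cache-dir --target /tmp/pydeps 'trustme>=1.2.1' 'cryptography>=42.0.0'
+NS="${POD_NAMESPACE:-default}"
+export TLS_CERT_DNS_NAMES="mock-tls-inference,localhost,127.0.0.1,e2e-mock-tls-inference,e2e-mock-tls-inference.${NS}.svc.cluster.local"
+exec python /app/server.py
+ports:
+- containerPort: 8443
+name: tls
+- containerPort: 8444
+name: mtls
+- containerPort: 8445
+name: mismatch
+volumeMounts:
+- name: server-script
+mountPath: /app/server.py
+subPath: server.py
+readOnly: true
+- name: certs-work
+mountPath: /certs
+readinessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 8
+periodSeconds: 5
+livenessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 15
+periodSeconds: 20
+volumes:
+- name: server-script
+configMap:
+name: e2e-mock-tls-inference-script
+- name: certs-work
+emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: e2e-mock-tls-inference
+spec:
+selector:
+app: e2e-mock-tls-inference
+ports:
+- name: tls
+port: 8443
+targetPort: tls
+- name: mtls
+port: 8444
+targetPort: mtls
+- name: mismatch
+port: 8445
+targetPort: mismatch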
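Review bot: The container runs unpinned code on every start: `image: python:3.12-slim` is a mutable, unqualified tag, and the startup script installs `'trustme>=1.2.1' 'cryptography>=42.0.0'` with open-ended lower bounds and no hash checking, so what executes in the CI namespace is whatever the registry and PyPI serve at that moment. I would fully qualify and digest-pin the image, `image: docker.io/library/python:3.12-slim@sha256:<DIGEST_PLACEHOLDER>`, and install exact versions from a hash-locked file shipped alongside server.py, `pip install --quiet --no-cache-dir --require-hashes --target /tmp/pydeps -r /app/requirements.txt`. Baking both packages into a prebuilt test image would also remove the pod's dependency on PyPI egress. Separately, both probes call `urlopen` without `timeout=` and the manifest sets no `timeoutSeconds`, so a cold Python start may exceed the default one-second exec probe timeout. The disabled certificate verification in the probes is reasonable for a localhost health check, but deserves a one-line comment such as `# health check only: verification is off because the mock CA is generated at startup` so it is not copied into client code.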
Expand Up @@ -201,6 +201,10 @@ spec:
mountPath: /tmp/interception-proxy-ca.pem
subPath: ca.pem
readOnly: true
# tls.feature: client/CA PEMs from Secret e2e-mock-tls-certs (optional).
- name: mock-tls-certs
mountPath: /certs
readOnly: true
volumes:
- name: app-root
emptyDir: {}
Expand All @@ -217,3 +221,7 @@ spec:
secret:
secretName: e2e-interception-proxy-ca
optional: true
- name: mock-tls-certs
secret:
secretName: e2e-mock-tls-certs
optional: true
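Review bot: With `optional: true` on the new `mock-tls-certs` volume, a missing or misnamed `e2e-mock-tls-certs` Secret leaves `/certs` empty and the pod still starts, so a broken certificate hand-off shows up only as TLS errors inside tls.feature instead of at scheduling time. The mock pod added in this change writes its certificates to an emptyDir, so presumably a step outside these hunks copies the CA and client PEMs into this Secret. If the Secret is created after this pod starts, the files appear in the mount only after the kubelet's next sync. If the TLS scenarios always need these files, consider dropping `optional: true` for that job, or having the test setup wait for the expected PEM files under `/certs` before the suite runs. I would also extend the comment on the mount to name the step that creates the Secret and the files it is expected to hold, for example `# populated by <SETUP_STEP_PLACEHOLDER>; expects CA and client cert/key PEMs`.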