Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix istio VirtualService manifest #101

Merged
merged 1 commit into from
May 28, 2024

Conversation

tarilabs
Copy link
Member

Seems to me the definition proposed in this changed manifest makes it working, and it's aligned with other Kubeflow components' approach.

Description

Before, I was not able to reach by e2e test (from outside the cluster) the Model Registry REST API endpoint --unless of manual p.fwd.

This solution aligns for the REST API endpoint (the one on 8080) following similar strategy of other Kubeflow components: see here for some examples.

This way, request on the gateway for /model-registry/... will be routed to the correct service accordingly.

How Has This Been Tested?

Install vanilla KF, used 1.9.0-rc.0 without networkpolicies.
(I'm skipping networkpolicies as this PR I considered propaedeutic work to later work on networkpolicy for model registry)

Execute required step of p.fwd the istio-ingressgateway per normal vanilla KF installation:

INGRESS_GATEWAY_SERVICE=$(kubectl get svc --namespace istio-system --selector="app=istio-ingressgateway" --output jsonpath='{.items[0].metadata.name}')
kubectl port-forward --namespace istio-system svc/${INGRESS_GATEWAY_SERVICE} 8080:80

In another terminal:

export KF_TOKEN="$(kubectl -n default create token default)"

curl -H "Authorization: Bearer "$KF_TOKEN http://localhost:8080/model-registry/api/model_registry/v1alpha3/registered_models

Alternative solution (explored, but not adopted here)

I've explored with alternative solution of:

spec:
  gateways:
  - kubeflow-gateway
  hosts:
  - '*'
  http:
  - match:
      - headers:
          Host:
            exact: model-registry-service.kubeflow.svc.cluster.local
    route:
    - destination:
        host: model-registry-service.kubeflow.svc.cluster.local
        port:
          number: 8080
...

which works too, using:

export KF_TOKEN="$(kubectl -n default create token default)"
curl -H "Host: model-registry-service.kubeflow.svc.cluster.local" -H "Authorization: Bearer "$KF_TOKEN http://localhost:8080/model-registry/api/model_registry/v1alpha3/registered_models

The reasons I'm not proposing this solution:

  • does not align with other Kubeflow components VirtualService definitions
  • would require Host: model-registry-service.kubeflow.svc.cluster.local in the header of the REST api request, which is not allowed by front-end (JS) code.

Merge criteria:

  • The commits and have meaningful messages; the author will squash them after approval or will ask to merge with squash.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@google-oss-prow google-oss-prow bot requested review from rareddy and Tomcli May 19, 2024 08:34
@rareddy
Copy link
Contributor

rareddy commented May 20, 2024

this matches with my understanding of virtualservice from examples I worked before. I have not tested but I am good with it.

@dhirajsb
Copy link
Contributor

This sort of solves the problem for model registry REST API. But I think we can solve it for both REST and gRPC by re-using some bits from our model registry midstream operator and maybe other virtualservice filtering capabilities.
Since this config is for a single model registry, we don't have the same dynamic hostname requirement as mids-stream. So, as long as we stick with that assumption, we should be able to create a virtualservice that should work with different gateway configs.
I need to experiment a bit and debug the envoy proxy logs and update this PR tomorrow.

@dhirajsb
Copy link
Contributor

BTW, url rewrite will break any clients that are using full paths declared in the REST API.

dhirajsb pushed a commit to dhirajsb/model-registry-kfp that referenced this pull request May 22, 2024
@dhirajsb
Copy link
Contributor

@tarilabs I created a PR on your repo branch tarilabs#2
Can you test it in your cluster and verify that it resolves both REST and gRPC routing without conflicting with dsp mlmd service? I'll test it more tomorrow in my cluster as well.

@tarilabs
Copy link
Member Author

@tarilabs I created a PR on your repo branch tarilabs#2 Can you test it in your cluster and verify that it resolves both REST and gRPC routing without conflicting with dsp mlmd service? I'll test it more tomorrow in my cluster as well.

thank you @dhirajsb

just to cross-check and for my understanding:

  • your proposed changes assumes /api/model_registry/ to be valid "cluster scope" for the single instance Model Registry (in kubeflow ns), so effectively leveraging a "common denominator" from our API paths so to avoid url rewrite. Correct?
  • not entirely sure whether this in your proposed change would conflict with this one. Isn't this colliding on the same base prefix? 🤔

@dhirajsb
Copy link
Contributor

Yes to cluster scope single registry for uri prefix check question.
As discussed previously, we have additional port and authority checks to avoid collisions with mlmd virtual service.

I also update my PR tarilabs#2 to simplify istio config further and tested the REST service endpoint in a local cluster and it works through the kubeflow-gateway.

@google-oss-prow google-oss-prow bot added size/M and removed size/XS labels May 27, 2024
@tarilabs
Copy link
Member Author

Thank you @dhirajsb for the amendment in linked PR: tarilabs#2 (review)

Tested with:

export KF_TOKEN="$(kubectl -n default create token default)"
curl -H "Authorization: Bearer "$KF_TOKEN http://localhost:8080/api/model_registry/v1alpha3/registered_models

(no path prefix from CLI)

and from Notebook:

image

Both working as expected.

@tarilabs tarilabs force-pushed the tarilabs-20240519-vsrestapi branch from b0fd5ad to 1419737 Compare May 27, 2024 19:30
fix: refactor istio virtualservice to support routes for REST internal and external routing, and gRPC internal routing (#2)

* fix: refactor istio virtualservice to support routes for REST internal and external routing, and gRPC internal routing

* fix: simplify istio config by excluding DB port and enabling istio sidecar injection in model registry deployment

Signed-off-by: Matteo Mortari <[email protected]>

Co-authored-by: Dhiraj Bokde <[email protected]>
@tarilabs tarilabs force-pushed the tarilabs-20240519-vsrestapi branch from 1419737 to bfdd604 Compare May 27, 2024 19:31
@tarilabs tarilabs changed the title fix istio VirtualService manifest for REST API fix istio VirtualService manifest May 27, 2024
Copy link
Contributor

@rareddy rareddy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rareddy

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit c009d32 into kubeflow:main May 28, 2024
10 checks passed
mzhl1111 pushed a commit to mzhl1111/model-registry that referenced this pull request Jul 1, 2024
fix: refactor istio virtualservice to support routes for REST internal and external routing, and gRPC internal routing (kubeflow#2)

* fix: refactor istio virtualservice to support routes for REST internal and external routing, and gRPC internal routing

* fix: simplify istio config by excluding DB port and enabling istio sidecar injection in model registry deployment

Co-authored-by: Dhiraj Bokde <[email protected]>
Signed-off-by: muzhouliu <[email protected]>
tarilabs pushed a commit to tarilabs/model-registry that referenced this pull request Aug 4, 2024
[pull] main from kubeflow:main
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants