From 87ad75939f4de79de7f8edf9e8687fc5faf277a2 Mon Sep 17 00:00:00 2001
From: ddalvi
Date: Tue, 21 May 2024 01:04:45 -0400
Subject: [PATCH] Add ability to mount self-signed certs to kfp
Detailed Changes:
- Added `REQUESTS_CA_BUNDLE` to the environment variables. This is necessary because many Python-based libraries (e.g., requests) utilize this environment variable for SSL/TLS certificate verification. Notably, even though Boto3 is documented to use `AWS_CA_BUNDLE`, tests have shown that it only respects `REQUESTS_CA_BUNDLE`. Reference: https://requests.readthedocs.io/en/latest/user/advanced/#ssl-cert-verification and https://github.com/aws/aws-cli/issues/3425.
- Configured `AWS_CA_BUNDLE` for AWS CLI and related utilities to ensure AWS services utilize our custom CA bundle for SSL/TLS.
- Set up `SSL_CERT_FILE` environment variable for OpenSSL's default certificate file. This setting is important as the `SSL_CERT_DIR` path adjustments had inconsistent results across different environments, as discussed in OpenSSL documentation: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
Signed-off-by: ddalvi
Co-authored-by: Vani Haripriya
Co-authored-by: Humair Khan
---
 .../src/v2/compiler/argocompiler/container.go | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
diff --git a/backend/src/v2/compiler/argocompiler/container.go b/backend/src/v2/compiler/argocompiler/container.go
index 72b2f8350b70..6b5b3df4a7b7 100644
--- a/backend/src/v2/compiler/argocompiler/container.go
+++ b/backend/src/v2/compiler/argocompiler/container.go
@@ -15,7 +15,9 @@ package argocompiler
 import (
+ "fmt"
 "os"
+ "strings"
 wfapi "github.com/argoproj/argo-workflows/v3/pkg/apis/workflow/v1alpha1"
 "github.com/golang/protobuf/jsonpb"
@@ -27,6 +29,7 @@ import (
 const (
 volumeNameKFPLauncher = "kfp-launcher"
+ volumeNameCABUndle = "ca-bundle"
 DefaultLauncherImage = "gcr.io/ml-pipeline/kfp-launcher@sha256:8fe5e6e4718f20b021736022ad3741ddf2abd82aa58c86ae13e89736fdc3f08f"
 LauncherImageEnvVar = "V2_LAUNCHER_IMAGE"
 DefaultDriverImage = "gcr.io/ml-pipeline/kfp-driver@sha256:3c0665cd36aa87e4359a4c8b6271dcba5bdd817815cd0496ed12eb5dde5fd2ec"
@@ -283,6 +286,59 @@ func (c *workflowCompiler) addContainerExecutorTemplate(refName string) string {
 extendPodMetadata(&executor.Metadata, k8sExecCfg)
 }
 }
+ caBundleCfgMapName := os.Getenv("ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_NAME")
+ caBundleCfgMapKey := os.Getenv("ARTIFACT_COPY_STEP_CABUNDLE_CONFIGMAP_KEY")
+ caBundleMountPath := os.Getenv("ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH")
+ if caBundleCfgMapName != "" && caBundleCfgMapKey != "" {
+ caFile := fmt.Sprintf("%s/%s", caBundleMountPath, caBundleCfgMapKey)
+ var certDirectories = []string{
+ caBundleMountPath,
+ "/etc/ssl/certs",
+ "/etc/pki/tls/certs",
+ }
+ // Add to REQUESTS_CA_BUNDLE for python request library.
+ executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+ Name: "REQUESTS_CA_BUNDLE",
+ Value: caFile,
+ })
+ // For AWS utilities like cli, and packages.
+ executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+ Name: "AWS_CA_BUNDLE",
+ Value: caFile,
+ })
+ // OpenSSL default cert file env variable.
+ // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_default_verify_paths.html
+ executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+ Name: "SSL_CERT_FILE",
+ Value: caFile,
+ })
+ sslCertDir := strings.Join(certDirectories, ":")
+ executor.Container.Env = append(executor.Container.Env, k8score.EnvVar{
+ Name: "SSL_CERT_DIR",
+ Value: sslCertDir,
+ })
+ volume := k8score.Volume{
+ Name: volumeNameCABUndle,
+ VolumeSource: k8score.VolumeSource{
+ ConfigMap: &k8score.ConfigMapVolumeSource{
+ LocalObjectReference: k8score.LocalObjectReference{
+ Name: caBundleCfgMapName,
+ },
+ },
+ },
+ }
+
+ executor.Volumes = append(executor.Volumes, volume)
+
+ volumeMount := k8score.VolumeMount{
+ Name: volumeNameCABUndle,
+ MountPath: caFile,
+ SubPath: caBundleCfgMapKey,
+ }
+
+ executor.Container.VolumeMounts = append(executor.Container.VolumeMounts, volumeMount)
+
+ }
 c.templates[nameContainerImpl] = executor
 c.wf.Spec.Templates = append(c.wf.Spec.Templates, *container, *executor)
 return nameContainerExecutor
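Review bot: The guard at the top of the added block checks the ConfigMap name and key but not `caBundleMountPath`, so with `ARTIFACT_COPY_STEP_CABUNDLE_MOUNTPATH` unset `caFile` becomes `/<key>`, the bundle is mounted at the filesystem root and `SSL_CERT_DIR` begins with an empty entry; change the condition to `if caBundleCfgMapName != "" && caBundleCfgMapKey != "" && caBundleMountPath != "" {` and build the path with `caFile := path.Join(caBundleMountPath, caBundleCfgMapKey)` (stdlib `path`, since this is a container path) so a trailing slash in the mount path does not yield `//`. Listing `caBundleMountPath` in `SSL_CERT_DIR` does nothing for OpenSSL-based clients, which look up CApath entries by subject-hash filenames rather than scanning the directory, while Go's crypto/x509 does read every file there; the entry is harmless but deserves a comment saying which consumer it serves, since the OpenSSL case is already covered by `SSL_CERT_FILE`. `SSL_CERT_FILE` and `REQUESTS_CA_BUNDLE` replace the default trust store rather than extend it, so the ConfigMap must carry every CA the step needs (public ones included), and anyone who can write that ConfigMap controls the trust anchors of every executor pod — worth stating next to the `os.Getenv` calls, e.g. `// The referenced ConfigMap becomes the executor's sole trust store; restrict write access to it as you would a Secret.` Because the mount uses `SubPath`, later edits to the ConfigMap are not reflected in already-running pods, which is acceptable for short-lived executors but should be documented with the env vars. addContainerExecutorTemplate starts outside the hunk.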