10 commits

Author	SHA1	Message	Date
Sébastien Han	450ed920d6	chore: do not build on auth ci test (#2505) ... # What does this PR do? Since we are using a very minimal run.yaml, there is not need to build. Signed-off-by: Sébastien Han <seb@redhat.com>	2025-06-24 21:08:33 +05:30
grs	e2e15ebb6c	feat(auth): allow token to be provided for use against jwks endpoint (#2394) ... Though the jwks endpoint does not usually require authentication, it does in a kubernetes cluster. While the cluster can be configured to allow anonymous access to that endpoint, this avoids the need to do so.	2025-06-13 10:13:41 +02:00
Sébastien Han	37f1e8a7f7	fix: use proper service account for kube auth (#2227) ... # What does this PR do? Not sure why it passed CI earlier... Strange only 24 workflows run here https://github.com/meta-llama/llama-stack/pull/2216 so the test never ran... Signed-off-by: Sébastien Han <seb@redhat.com>	2025-05-21 15:28:21 -07:00
Sébastien Han	6a62e783b9	chore: refactor workflow writting (#2225) ... # What does this PR do? Use a composite action to avoid similar steps repetitions and centralization of the defaults. Signed-off-by: Sébastien Han <seb@redhat.com>	2025-05-21 17:31:14 +02:00
Sébastien Han	c25acedbcd	chore: remove k8s auth in favor of k8s jwks endpoint (#2216) ... # What does this PR do? Kubernetes since 1.20 exposes a JWKS endpoint that we can use with our recent oauth2 recent implementation. The CI test has been kept intact for validation. Signed-off-by: Sébastien Han <seb@redhat.com>	2025-05-21 16:23:54 +02:00
dependabot[bot]	1341916caf	chore(github-deps): bump astral-sh/setup-uv from 5.4.1 to 6.0.1 (#2197)	2025-05-18 02:09:56 -04:00
Ihar Hrachyshka	268725868e	chore: enforce no git tags or branches in external github actions (#2159) ... # What does this PR do? Don't allow git tags and branches for external actions. Signed-off-by: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>	2025-05-14 20:40:06 +02:00
Nathan Weinberg	a1fbfb51e2	ci(chore): use hashes for all version pinning (#2157) ... # What does this PR do? most third-party actions use hashes for pinning but not all do proper hash pinning on all remaining actions using tags Signed-off-by: Nathan Weinberg <nweinber@redhat.com>	2025-05-14 14:59:58 +02:00
Sébastien Han	b9b13a3670	chore: factor kube auth test distro (#2105) ... # What does this PR do? We just need to validate the auth so we don't need any API / Providers. Signed-off-by: Sébastien Han <seb@redhat.com>	2025-05-06 09:49:49 -07:00
Sébastien Han	79851d93aa	feat: Add Kubernetes authentication (#1778) ... # What does this PR do? This commit adds a new authentication system to the Llama Stack server with support for Kubernetes and custom authentication providers. Key changes include: - Implemented KubernetesAuthProvider for validating Kubernetes service account tokens - Implemented CustomAuthProvider for validating tokens against external endpoints - this is the same code that was already present. - Added test for Kubernetes - Updated server configuration to support authentication settings - Added documentation for authentication configuration and usage The authentication system supports: - Bearer token validation - Kubernetes service account token validation - Custom authentication endpoints ## Test Plan Setup a Kube cluster using Kind or Minikube. Run a server with: ``` server: port: 8321 auth: provider_type: kubernetes config: api_server_url: http://url ca_cert_path: path/to/cert (optional) ``` Run: ``` curl -s -L -H "Authorization: Bearer $(kubectl create token my-user)" http://127.0.0.1:8321/v1/providers ``` Or replace "my-user" with your service account. Signed-off-by: Sébastien Han <seb@redhat.com>	2025-04-28 22:24:58 +02:00