mirror of
https://github.com/meta-llama/llama-stack.git
synced 2025-10-11 21:48:36 +00:00
6954fe2274
Some checks failed
SqlStore Integration Tests / test-postgres (3.12) (push) Failing after 0s
SqlStore Integration Tests / test-postgres (3.13) (push) Failing after 0s
Integration Auth Tests / test-matrix (oauth2_token) (push) Failing after 2s
Integration Tests (Replay) / Integration Tests (, , , client=, ) (push) Failing after 4s
Python Package Build Test / build (3.12) (push) Failing after 1s
Test Llama Stack Build / generate-matrix (push) Successful in 3s
Test External Providers Installed via Module / test-external-providers-from-module (venv) (push) Has been skipped
Python Package Build Test / build (3.13) (push) Failing after 1s
Vector IO Integration Tests / test-matrix (push) Failing after 4s
Test Llama Stack Build / build-single-provider (push) Failing after 4s
Test Llama Stack Build / build-custom-container-distribution (push) Failing after 4s
Test Llama Stack Build / build-ubi9-container-distribution (push) Failing after 4s
API Conformance Tests / check-schema-compatibility (push) Successful in 11s
Test Llama Stack Build / build (push) Failing after 3s
Test External API and Providers / test-external (venv) (push) Failing after 5s
Unit Tests / unit-tests (3.12) (push) Failing after 4s
Unit Tests / unit-tests (3.13) (push) Failing after 3s
UI Tests / ui-tests (22) (push) Successful in 37s
Pre-commit / pre-commit (push) Successful in 2m1s
The AuthenticationMiddleware was blocking all requests without an Authorization header, including health and version endpoints that are needed by monitoring tools, load balancers, and Kubernetes probes. This commit allows endpoints ending in /health or /version to bypass authentication, enabling operational tooling to function properly without requiring credentials. Closes: #3735 Signed-off-by: Derek Higgins <derekh@redhat.com>
138 lines
5.6 KiB
YAML
138 lines
5.6 KiB
YAML
name: Integration Auth Tests
|
|
|
|
run-name: Run the integration test suite with Kubernetes authentication
|
|
|
|
on:
|
|
push:
|
|
branches: [ main ]
|
|
pull_request:
|
|
branches: [ main ]
|
|
paths:
|
|
- 'distributions/**'
|
|
- 'llama_stack/**'
|
|
- '!llama_stack/ui/**'
|
|
- 'tests/integration/**'
|
|
- 'uv.lock'
|
|
- 'pyproject.toml'
|
|
- 'requirements.txt'
|
|
- '.github/workflows/integration-auth-tests.yml' # This workflow
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_id || github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
test-matrix:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
auth-provider: [oauth2_token]
|
|
fail-fast: false # we want to run all tests regardless of failure
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Install dependencies
|
|
uses: ./.github/actions/setup-runner
|
|
|
|
- name: Install minikube
|
|
if: ${{ matrix.auth-provider == 'kubernetes' }}
|
|
uses: medyagh/setup-minikube@e3c7f79eb1e997eabccc536a6cf318a2b0fe19d9 # v0.0.20
|
|
|
|
- name: Start minikube
|
|
if: ${{ matrix.auth-provider == 'oauth2_token' }}
|
|
run: |
|
|
minikube start
|
|
kubectl get pods -A
|
|
|
|
- name: Configure Kube Auth
|
|
if: ${{ matrix.auth-provider == 'oauth2_token' }}
|
|
run: |
|
|
kubectl create namespace llama-stack
|
|
kubectl create serviceaccount llama-stack-auth -n llama-stack
|
|
kubectl create token llama-stack-auth -n llama-stack > llama-stack-auth-token
|
|
|
|
- name: Set Kubernetes Config
|
|
if: ${{ matrix.auth-provider == 'oauth2_token' }}
|
|
run: |
|
|
echo "KUBERNETES_API_SERVER_URL=$(kubectl get --raw /.well-known/openid-configuration| jq -r .jwks_uri)" >> $GITHUB_ENV
|
|
echo "KUBERNETES_CA_CERT_PATH=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.certificate-authority}')" >> $GITHUB_ENV
|
|
echo "KUBERNETES_ISSUER=$(kubectl get --raw /.well-known/openid-configuration| jq -r .issuer)" >> $GITHUB_ENV
|
|
echo "KUBERNETES_AUDIENCE=$(kubectl create token llama-stack-auth -n llama-stack --duration=1h | cut -d. -f2 | base64 -d | jq -r '.aud[0]')" >> $GITHUB_ENV
|
|
echo "TOKEN=$(cat llama-stack-auth-token)" >> $GITHUB_ENV
|
|
|
|
- name: Set Kube Auth Config and run server
|
|
env:
|
|
INFERENCE_MODEL: "meta-llama/Llama-3.2-3B-Instruct"
|
|
if: ${{ matrix.auth-provider == 'oauth2_token' }}
|
|
run: |
|
|
run_dir=$(mktemp -d)
|
|
cat <<'EOF' > $run_dir/run.yaml
|
|
version: '2'
|
|
image_name: kube
|
|
apis: []
|
|
providers: {}
|
|
server:
|
|
port: 8321
|
|
EOF
|
|
yq eval '.server.auth.provider_config.type = "${{ matrix.auth-provider }}"' -i $run_dir/run.yaml
|
|
yq eval '.server.auth.provider_config.tls_cafile = "${{ env.KUBERNETES_CA_CERT_PATH }}"' -i $run_dir/run.yaml
|
|
yq eval '.server.auth.provider_config.issuer = "${{ env.KUBERNETES_ISSUER }}"' -i $run_dir/run.yaml
|
|
yq eval '.server.auth.provider_config.audience = "${{ env.KUBERNETES_AUDIENCE }}"' -i $run_dir/run.yaml
|
|
yq eval '.server.auth.provider_config.jwks.uri = "${{ env.KUBERNETES_API_SERVER_URL }}"' -i $run_dir/run.yaml
|
|
yq eval '.server.auth.provider_config.jwks.token = "${{ env.TOKEN }}"' -i $run_dir/run.yaml
|
|
cat $run_dir/run.yaml
|
|
|
|
# avoid line breaks in the server log, especially because we grep it below.
|
|
export LLAMA_STACK_LOG_WIDTH=200
|
|
nohup uv run llama stack run $run_dir/run.yaml > server.log 2>&1 &
|
|
|
|
- name: Wait for Llama Stack server to be ready
|
|
run: |
|
|
echo "Waiting for Llama Stack server..."
|
|
for i in {1..30}; do
|
|
# Note: /v1/health does not require authentication
|
|
if curl -s -L http://localhost:8321/v1/health | grep -q "OK"; then
|
|
echo "Llama Stack server is up!"
|
|
if grep -q "Enabling authentication with provider: ${{ matrix.auth-provider }}" server.log; then
|
|
echo "Llama Stack server is configured to use ${{ matrix.auth-provider }} auth"
|
|
exit 0
|
|
else
|
|
echo "Llama Stack server is not configured to use ${{ matrix.auth-provider }} auth"
|
|
cat server.log
|
|
exit 1
|
|
fi
|
|
fi
|
|
sleep 1
|
|
done
|
|
echo "Llama Stack server failed to start"
|
|
cat server.log
|
|
exit 1
|
|
|
|
- name: Test auth
|
|
run: |
|
|
echo "Testing /v1/version without token (should succeed)..."
|
|
if curl -s -L -o /dev/null -w "%{http_code}" http://127.0.0.1:8321/v1/version | grep -q "200"; then
|
|
echo "/v1/version accessible without token (200)"
|
|
else
|
|
echo "/v1/version returned non-200 status without token"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Testing /v1/providers without token (should fail with 401)..."
|
|
if curl -s -L -o /dev/null -w "%{http_code}" http://127.0.0.1:8321/v1/providers | grep -q "401"; then
|
|
echo "/v1/providers blocked without token (401)"
|
|
else
|
|
echo "/v1/providers did not return 401 without token"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Testing /v1/providers with valid token (should succeed)..."
|
|
curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers | jq
|
|
if [ $? -eq 0 ]; then
|
|
echo "/v1/providers accessible with valid token"
|
|
else
|
|
echo "/v1/providers failed with valid token"
|
|
exit 1
|
|
fi
|