forked from phoenix-oss/llama-stack-mirror
		
	# What does this PR do?
This commit adds a new authentication system to the Llama Stack server
with support for Kubernetes and custom authentication providers. Key
changes include:
- Implemented KubernetesAuthProvider for validating Kubernetes service
account tokens
- Implemented CustomAuthProvider for validating tokens against external
endpoints - this is the same code that was already present.
- Added test for Kubernetes
- Updated server configuration to support authentication settings
- Added documentation for authentication configuration and usage
The authentication system supports:
- Bearer token validation
- Kubernetes service account token validation
- Custom authentication endpoints
## Test Plan
Setup a Kube cluster using Kind or Minikube.
Run a server with:
```
server:
  port: 8321
  auth:
    provider_type: kubernetes
    config:
      api_server_url: http://url
      ca_cert_path: path/to/cert (optional)
```
Run:
```
curl -s -L -H "Authorization: Bearer $(kubectl create token my-user)" http://127.0.0.1:8321/v1/providers
```
Or replace "my-user" with your service account.
Signed-off-by: Sébastien Han <seb@redhat.com>
		
	
			
		
			
				
	
	
		
			136 lines
		
	
	
	
		
			4.8 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
			
		
		
	
	
			136 lines
		
	
	
	
		
			4.8 KiB
		
	
	
	
		
			YAML
		
	
	
	
	
	
| name: Integration Auth Tests
 | |
| 
 | |
| on:
 | |
|   push:
 | |
|     branches: [ main ]
 | |
|   pull_request:
 | |
|     branches: [ main ]
 | |
|     paths:
 | |
|       - 'distributions/**'
 | |
|       - 'llama_stack/**'
 | |
|       - 'tests/integration/**'
 | |
|       - 'uv.lock'
 | |
|       - 'pyproject.toml'
 | |
|       - 'requirements.txt'
 | |
|       - '.github/workflows/integration-auth-tests.yml' # This workflow
 | |
| 
 | |
| concurrency:
 | |
|   group: ${{ github.workflow }}-${{ github.ref }}
 | |
|   cancel-in-progress: true
 | |
| 
 | |
| jobs:
 | |
|   test-matrix:
 | |
|     runs-on: ubuntu-latest
 | |
|     strategy:
 | |
|       matrix:
 | |
|         auth-provider: [kubernetes]
 | |
|       fail-fast: false # we want to run all tests regardless of failure
 | |
| 
 | |
|     steps:
 | |
|       - name: Checkout repository
 | |
|         uses: actions/checkout@v4
 | |
| 
 | |
|       - name: Install uv
 | |
|         uses: astral-sh/setup-uv@v5
 | |
|         with:
 | |
|           python-version: "3.10"
 | |
| 
 | |
|       - name: Set Up Environment and Install Dependencies
 | |
|         run: |
 | |
|           uv sync --extra dev --extra test
 | |
|           uv pip install -e .
 | |
|           llama stack build --template ollama --image-type venv
 | |
| 
 | |
|       - name: Install minikube
 | |
|         if: ${{ matrix.auth-provider == 'kubernetes' }}
 | |
|         uses: medyagh/setup-minikube@latest
 | |
| 
 | |
|       - name: Start minikube
 | |
|         if: ${{ matrix.auth-provider == 'kubernetes' }}
 | |
|         run: |
 | |
|           minikube start
 | |
|           kubectl get pods -A
 | |
| 
 | |
|       - name: Configure Kube Auth
 | |
|         if: ${{ matrix.auth-provider == 'kubernetes' }}
 | |
|         run: |
 | |
|           kubectl create namespace llama-stack
 | |
|           kubectl create serviceaccount llama-stack-auth -n llama-stack
 | |
|           kubectl create rolebinding llama-stack-auth-rolebinding --clusterrole=admin --serviceaccount=llama-stack:llama-stack-auth -n llama-stack
 | |
|           kubectl create token llama-stack-auth -n llama-stack > llama-stack-auth-token
 | |
| 
 | |
|       - name: Set Kubernetes Config
 | |
|         if: ${{ matrix.auth-provider == 'kubernetes' }}
 | |
|         run: |
 | |
|           echo "KUBERNETES_API_SERVER_URL=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')" >> $GITHUB_ENV
 | |
|           echo "KUBERNETES_CA_CERT_PATH=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.certificate-authority}')" >> $GITHUB_ENV
 | |
| 
 | |
|       - name: Set Kube Auth Config and run server
 | |
|         env:
 | |
|           INFERENCE_MODEL: "meta-llama/Llama-3.2-3B-Instruct"
 | |
|         if: ${{ matrix.auth-provider == 'kubernetes' }}
 | |
|         run: |
 | |
|           run_dir=$(mktemp -d)
 | |
|           cat <<'EOF' > $run_dir/run.yaml
 | |
|           version: '2'
 | |
|           image_name: kube
 | |
|           apis:
 | |
|           - agents
 | |
|           - datasetio
 | |
|           - eval
 | |
|           - inference
 | |
|           - safety
 | |
|           - scoring
 | |
|           - telemetry
 | |
|           - tool_runtime
 | |
|           - vector_io
 | |
|           providers:
 | |
|             agents:
 | |
|             - provider_id: meta-reference
 | |
|               provider_type: inline::meta-reference
 | |
|               config:
 | |
|                 persistence_store:
 | |
|                   type: sqlite
 | |
|                   namespace: null
 | |
|                   db_path: ${env.SQLITE_STORE_DIR:~/.llama/distributions/ollama}/agents_store.db
 | |
|             telemetry:
 | |
|             - provider_id: meta-reference
 | |
|               provider_type: inline::meta-reference
 | |
|               config:
 | |
|                 service_name: "${env.OTEL_SERVICE_NAME:\u200B}"
 | |
|                 sinks: ${env.TELEMETRY_SINKS:console,sqlite}
 | |
|                 sqlite_db_path: ${env.SQLITE_DB_PATH:~/.llama/distributions/ollama/trace_store.db}
 | |
|           server:
 | |
|             port: 8321
 | |
|           EOF
 | |
|           yq eval '.server.auth = {"provider_type": "${{ matrix.auth-provider }}"}' -i $run_dir/run.yaml
 | |
|           yq eval '.server.auth.config = {"api_server_url": "${{ env.KUBERNETES_API_SERVER_URL }}", "ca_cert_path": "${{ env.KUBERNETES_CA_CERT_PATH }}"}' -i $run_dir/run.yaml
 | |
|           cat $run_dir/run.yaml
 | |
| 
 | |
|           source .venv/bin/activate
 | |
|           nohup uv run llama stack run $run_dir/run.yaml --image-type venv > server.log 2>&1 &
 | |
| 
 | |
|       - name: Wait for Llama Stack server to be ready
 | |
|         run: |
 | |
|           echo "Waiting for Llama Stack server..."
 | |
|           for i in {1..30}; do
 | |
|             if curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://localhost:8321/v1/health | grep -q "OK"; then
 | |
|               echo "Llama Stack server is up!"
 | |
|               if grep -q "Enabling authentication with provider: ${{ matrix.auth-provider }}" server.log; then
 | |
|                 echo "Llama Stack server is configured to use ${{ matrix.auth-provider }} auth"
 | |
|                 exit 0
 | |
|               else
 | |
|                 echo "Llama Stack server is not configured to use ${{ matrix.auth-provider }} auth"
 | |
|                 cat server.log
 | |
|                 exit 1
 | |
|               fi
 | |
|             fi
 | |
|             sleep 1
 | |
|           done
 | |
|           echo "Llama Stack server failed to start"
 | |
|           cat server.log
 | |
|           exit 1
 | |
| 
 | |
|       - name: Test auth
 | |
|         run: |
 | |
|           curl -s -L -H "Authorization: Bearer $(cat llama-stack-auth-token)" http://127.0.0.1:8321/v1/providers|jq
 |