dex: run 2 replicas without sticky service#3376
Conversation
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
|
Welcome to the Kubeflow Manifests Repository Thanks for opening your first PR. Your contribution means a lot to the Kubeflow community. Before making more PRs: Community Resources:
Thanks again for helping to improve Kubeflow. |
There was a problem hiding this comment.
Pull request overview
Updates the Kubeflow Dex base manifests to run Dex with two replicas and attempts to keep the multi-step login flow stable by enabling sticky routing at the Kubernetes Service layer.
Changes:
- Increase Dex
Deploymentreplicas from1to2 - Add
sessionAffinity: ClientIPto the DexService
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| common/dex/base/deployment.yaml | Scales Dex to 2 replicas to improve availability. |
| common/dex/base/service.yaml | Enables Service-level ClientIP session affinity to reduce cross-pod auth-flow breakage. |
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: Julius von Kohout <45896133+juliusvonkohout@users.noreply.github.com>
|
Thank you @danish9039 Let us please be precise as explained in the copilot-instructions.md. This is about authentication and not authorization. Are you sure that the storage backend supports it well https://github.com/danish9039/manifests/blob/d1b9474e935ef96d6786722b6c2d4c077e50674b/common/dex/base/config-map.yaml#L11 ? And please extend the Dex test to verify that multiple parallel sessions to different replicas and garbage collection works. |
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
@juliusvonkohout Thank you for the feedback, sorry for the delay! I also extended the test to validate the For garbage collection, the intent is to make sure |
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
danish9039
changed the title
|
@juliusvonkohout can we proceed with this ? |
|
"The test now treats a completed OAuth callback plus oauth2_proxy session cookie as authentication success even if the final landing page is rejected later by RBAC" We must also test the authorization and RBAC later. Please do not remove it. |
@juliusvonkohout Just to clarify, this PR does not remove any existing RBAC / authorization coverage from the Dex workflow; that coverage was not part of this test path before. |
There was a problem hiding this comment.
Hello @danish9039 a few technical changes are needed to be addresed :
-
Revert Base Replica Tuning (
common/dex/base/deployment.yaml): Scalingreplicasto2forces an HA footprint on all baseline deployments, which strains local KinD environments. Multi-replica scaling belongs in overlays, not inbase. -
Simplify
dex_login_test.py: Strip out thekubectlsubprocesses, pod log parsing, and concurrent GC asserts. This script must remain a lightweight, black-box HTTP E2E test. White-box validation of Dex internals tightly couples our CI to upstream behaviors ("less code is better"). -
Restore
200 OKRBAC Validation: Accepting403 Forbiddenbypasses the Istio/Envoy E2E authorization check. If RBAC propagation delays cause flakiness, remove the403short-circuit and implement a standard HTTP retry/polling block until the endpoint yields200 OKrouting. This implicitly tests RBAC without needing external KFP testing scripts.
Not really if the requests are very low or empty. So I want to have it by default |
|
Hello @juliusvonkohout Understood your valid point. |
|
@abdullahpathan22 Replying inline to the three points from your review:
|
| # try to get the session cookies | ||
| # NOTE: this will raise an exception if something goes wrong | ||
| session_cookies = dex_session_manager.get_session_cookies() No newline at end of file | ||
| except requests.RequestException as exc: |
There was a problem hiding this comment.
Please use proper variable names and check your code before commiting, especially if it is LLM generated. That ia a rule from the copilot-instructions.md.
There was a problem hiding this comment.
I'll keep this in mind
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
|
@juliusvonkohout Addressed the comments |
| # Dex authcode GC window: authcodes must be deleted after token exchange completes. | ||
| GC_WAIT_SECONDS = 90 | ||
| REQUEST_TIMEOUT_SECONDS = 15 | ||
| PARALLEL_TEST_TIMEOUT_SECONDS = PARALLEL_SESSIONS * REQUEST_TIMEOUT_SECONDS |
There was a problem hiding this comment.
PARALLEL_TEST_TIMEOUT_SECONDS = PARALLEL_SESSIONS * REQUEST_TIMEOUT_SECONDS assumes each authentication session is bounded by a single request timeout, but each session performs multiple sequential HTTP requests (GET endpoint, oauth2 start, Dex login GET/POST, optional approval, optional 403 recovery, etc.). This makes the batch-wide timeout too tight under slow CI conditions and can trigger the as_completed timeout even though every individual request respects REQUEST_TIMEOUT_SECONDS. Consider sizing this based on the maximum expected end-to-end requests per session (plus buffer), or removing the global timeout entirely.
| PARALLEL_TEST_TIMEOUT_SECONDS = PARALLEL_SESSIONS * REQUEST_TIMEOUT_SECONDS | |
| # One end-to-end authentication session can perform multiple sequential HTTP requests: | |
| # endpoint GET, OAuth2 start, Dex login GET and POST, optional approval, and optional retry or recovery. | |
| MAXIMUM_SEQUENTIAL_HTTP_REQUESTS_PER_SESSION = 6 | |
| PARALLEL_TEST_TIMEOUT_BUFFER_SECONDS = 30 | |
| PARALLEL_TEST_TIMEOUT_SECONDS = ( | |
| PARALLEL_SESSIONS * REQUEST_TIMEOUT_SECONDS * MAXIMUM_SEQUENTIAL_HTTP_REQUESTS_PER_SESSION | |
| + PARALLEL_TEST_TIMEOUT_BUFFER_SECONDS | |
| ) |
There was a problem hiding this comment.
Adjusted this to a worst-case single-session timeout plus buffer, since the sessions run concurrently and the batch timeout should track the slowest session rather than sum across all sessions.
| for future in concurrent.futures.as_completed( | ||
| futures, timeout=PARALLEL_TEST_TIMEOUT_SECONDS | ||
| ): | ||
| authentication_result = future.result() | ||
| if not authentication_result.succeeded: | ||
| authentication_failures.append(authentication_result) |
There was a problem hiding this comment.
concurrent.futures.as_completed(..., timeout=PARALLEL_TEST_TIMEOUT_SECONDS) will raise TimeoutError if not all futures finish by the deadline, and that exception is currently unhandled (it will fail the test without reporting which sessions/pods were still running). Catch TimeoutError, cancel any pending futures, and raise a clearer RuntimeError (including how many sessions completed vs pending) or remove the batch-wide timeout and rely on the per-request timeouts instead.
| for future in concurrent.futures.as_completed( | |
| futures, timeout=PARALLEL_TEST_TIMEOUT_SECONDS | |
| ): | |
| authentication_result = future.result() | |
| if not authentication_result.succeeded: | |
| authentication_failures.append(authentication_result) | |
| completed_futures = set() | |
| try: | |
| for future in concurrent.futures.as_completed( | |
| futures, timeout=PARALLEL_TEST_TIMEOUT_SECONDS | |
| ): | |
| completed_futures.add(future) | |
| authentication_result = future.result() | |
| if not authentication_result.succeeded: | |
| authentication_failures.append(authentication_result) | |
| except concurrent.futures.TimeoutError as timeout_error: | |
| pending_futures = [ | |
| future for future in futures if future not in completed_futures | |
| ] | |
| for future in pending_futures: | |
| future.cancel() | |
| raise RuntimeError( | |
| "Parallel authentication sessions exceeded the batch timeout of " | |
| f"{PARALLEL_TEST_TIMEOUT_SECONDS} seconds: " | |
| f"completed={len(completed_futures)} " | |
| f"pending={len(pending_futures)}" | |
| ) from timeout_error |
There was a problem hiding this comment.
Added explicit TimeoutError handling here so the test now cancels pending futures and reports completed versus pending sessions instead of failing with a raw timeout.
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
|
@juliusvonkohout I have addressed the comments, I think we can merge this now |
| Count the number of Dex authcode CRD objects currently in the cluster. | ||
| Dex creates one authcode object per login; the GC process deletes them after | ||
| the token exchange completes. Returns 0 if no instances exist. | ||
| """ | ||
| command_arguments = [ | ||
| "kubectl", | ||
| "--request-timeout", KUBECTL_REQUEST_TIMEOUT, | ||
| "get", DEX_AUTHCODE_RESOURCE, | ||
| "-A", "-o", "json", |
There was a problem hiding this comment.
Scoped the authcode query to the auth namespace so this check only counts resources created by the Dex instance under test.
| PARALLEL_SESSIONS = 8 | ||
| # Dex authcode GC window: authcodes must be deleted after token exchange completes. | ||
| GC_WAIT_SECONDS = 90 | ||
| REQUEST_TIMEOUT_SECONDS = 15 |
There was a problem hiding this comment.
Renamed this to GARBAGE_COLLECTION_WAIT_SECONDS so the test configuration stays explicit without relying on the GC abbreviation.
Signed-off-by: danish9039 <danishsiddiqui040@gmail.com>
|
THank you |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: juliusvonkohout The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Summary
replicas: 1toreplicas: 2Servicenon-sticky and clarify that Kubernetes-backed storage shares Dex authentication state across replicastests/dex_login_test.pyto validate the authentication flow for the two-replica setupTest changes
Scope
This PR stays focused on Dex and oauth2-proxy authentication. It does not add a separate authorization test.