@@ -167,6 +167,8 @@ spec:
echo "========== End parameters =========="
- name: lightspeed-stack-integration-tests
description: Task to run integration tests from lightspeed-stack repository
# Full Behave suite (proxy + tls) can exceed 2h; needs PipelineRun timeouts >= this value.
timeout: 3h
params:
- name: SNAPSHOT
value: $(params.SNAPSHOT)
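--- a/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml
+++ b/tests/e2e-prow/rhoai/manifests/lightspeed/e2e-mock-tls-inference.yaml
@@ -0,0 +1,104 @@
+# Mock HTTPS OpenAI API for tls-*.feature (Konflux / Prow; no Docker Compose).
+# Llama Stack run.yaml uses https://e2e-mock-tls-inference.<ns>.svc.cluster.local:8443|8444|8445/v1
+apiVersion: v1
+kind: Pod
+metadata:
+name: e2e-mock-tls-inference
+labels:
+app: e2e-mock-tls-inference
+spec:
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: e2e-mock-tls-inference
+image: python:3.12-slim
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop: ["ALL"]
+runAsNonRoot: true
+runAsUser: 1000
+seccompProfile:
+type: RuntimeDefault
+env:
+- name: POD_NAMESPACE
+valueFrom:
+fieldRef:
+fieldPath: metadata.namespace
+- name: PYTHONPATH
+value: /app:/tmp/pydeps
+command:
+- /bin/sh
+- -c
+- |
+set -e
+pip install --quiet --no-cache-dir --target /tmp/pydeps 'trustme>=1.2.1' 'cryptography>=42.0.0'
+NS="${POD_NAMESPACE:-default}"
+export TLS_CERT_DNS_NAMES="mock-tls-inference,localhost,127.0.0.1,e2e-mock-tls-inference,e2e-mock-tls-inference.${NS}.svc.cluster.local"
+exec python /app/server.py
+ports:
+- containerPort: 8443
+name: tls
+- containerPort: 8444
+name: mtls
+- containerPort: 8445
+name: mismatch
+volumeMounts:
+- name: server-script
+mountPath: /app/server.py
+subPath: server.py
+readOnly: true
+- name: certs-work
+mountPath: /certs
+readinessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 8
+periodSeconds: 5
+livenessProbe:
+exec:
+command:
+- python3
+- -c
+- |
+import ssl, urllib.request
+ctx = ssl.create_default_context()
+ctx.check_hostname = False
+ctx.verify_mode = ssl.CERT_NONE
+urllib.request.urlopen("https://localhost:8443/health", context=ctx)
+initialDelaySeconds: 15
+periodSeconds: 20
+volumes:
+- name: server-script
+configMap:
+name: e2e-mock-tls-inference-script
+- name: certs-work
+emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: e2e-mock-tls-inference
+spec:
+selector:
+app: e2e-mock-tls-inference
+ports:
+- name: tls
+port: 8443
+targetPort: tls
+- name: mtls
+port: 8444
+targetPort: mtls
+- name: mismatch
+port: 8445
+targetPort: mismatch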
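Review bot: The container command installs `trustme>=1.2.1` and `cryptography>=42.0.0` from the package index on every pod start, on top of the mutable `python:3.12-slim` tag, so the code that generates the test CA and serves the mock is whatever the registry and index resolve at run time. Pinning exact versions (`'trustme==<pinned-version>' 'cryptography==<pinned-version>'`, ideally from a hash-checked requirements file) and referencing the image by digest (`image: python:3.12-slim@sha256:<digest>`) would make the TLS scenarios reproducible and limit exposure to a bad upstream release. A prebuilt image carrying both packages would also remove the pod's need for outbound network access. Separately, the readiness and liveness probes repeat the same snippet with certificate verification switched off; a comment such as `# probe only: the server cert comes from a throwaway test CA, so verification is disabled here` would keep that pattern from being copied into real clients.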
@@ -38,6 +38,28 @@ spec:
- -c
- |
set -e
# Fast-path: PVC already has a valid venv from a previous pod creation in this pipeline run.
# TLS scenarios delete+recreate this pod up to 16 times; skipping the expensive install
# reduces per-restart time from ~6-15 min to ~30-90 s (just RAG seed refresh + chown).
if [[ -d /opt/app-root/.venv ]] \
&& /opt/app-root/.venv/bin/python --version >/dev/null 2>&1 \
&& [[ -d /opt/app-root/src ]]; then
echo "PVC cache hit: app-root already provisioned — skipping full install"
mkdir -p /opt/app-root/.e2e-rag-seed /opt/app-root/src/.llama/storage/rag /opt/app-root/src/.llama/storage/files
if [[ -f /rag-seed/kv_store.db.gz ]]; then
gzip -dc /rag-seed/kv_store.db.gz > /opt/app-root/.e2e-rag-seed/kv_store.db
_sz=$(stat -c%s /opt/app-root/.e2e-rag-seed/kv_store.db)
if [[ "${_sz}" -lt 1048576 ]]; then
echo "FATAL: RAG seed too small (${_sz} bytes); check rag-data ConfigMap"
exit 1
fi
cp -f /opt/app-root/.e2e-rag-seed/kv_store.db /opt/app-root/src/.llama/storage/rag/kv_store.db
fi
chmod -R 775 /opt/app-root && chown -R 1001:0 /opt/app-root
echo "PVC fast-path complete"
exit 0
fi
# Full provisioning (PVC is empty — first pod creation this pipeline run).
REPO_URL="${REPO_URL:-https://github.com/lightspeed-core/lightspeed-stack.git}"
REPO_REVISION="${REPO_REVISION:-main}"
case "$REPO_URL" in git@github.com:*) REPO_URL="https://github.com/${REPO_URL#git@github.com:}"; esac
@@ -201,9 +223,14 @@ spec:
mountPath: /tmp/interception-proxy-ca.pem
subPath: ca.pem
readOnly: true
# tls-*.feature: client/CA PEMs from Secret e2e-mock-tls-certs (optional).
- name: mock-tls-certs
mountPath: /certs
readOnly: true
volumes:
- name: app-root
emptyDir: {}
persistentVolumeClaim:
claimName: llama-stack-app-root
- name: config-cm
configMap:
name: llama-stack-config
@@ -217,3 +244,7 @@ spec:
secret:
secretName: e2e-interception-proxy-ca
optional: true
- name: mock-tls-certs
secret:
secretName: e2e-mock-tls-certs
optional: true
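Review bot: The fast-path condition in the first hunk treats the volume as provisioned once `/opt/app-root/.venv/bin/python --version` runs and `/opt/app-root/src` exists, which also holds for a volume left behind by an init that was killed part-way through, or one holding a checkout of a different `REPO_REVISION`. pipeline-konflux.sh recreates the claim per run, but the standalone guard in pipeline-services-konflux.sh reuses whatever claim already exists, so the suite could run against stale code with no sign of it in the log. Writing a marker as the last step of full provisioning and requiring it here would close that gap, e.g. `echo "$REPO_REVISION" > /opt/app-root/.provisioned` (file name illustrative) and `&& [[ "$(cat /opt/app-root/.provisioned 2>/dev/null)" == "${REPO_REVISION:-main}" ]]` in the condition. The full-provisioning part of the script continues outside the hunk, so the right place for the marker write is not visible here.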
19 changes: 19 additions & 0 deletions tests/e2e-prow/rhoai/pipeline-konflux.sh
@@ -143,6 +143,25 @@ log "✅ Mock servers deployed"
#========================================
progress "Deploying lightspeed-stack and llama-stack"

# PVC for llama-stack app-root: caches dnf/uv/git install so TLS per-scenario pod
# recreates skip the expensive init (~6-15 min → ~1-2 min). Delete first to guarantee
# a fresh checkout for this pipeline revision; re-create immediately so the pod can bind.
log "Recreating llama-stack-app-root PVC (fresh per pipeline run)..."
oc delete pvc llama-stack-app-root -n "$NAMESPACE" --ignore-not-found=true 2>/dev/null || true
cat <<'EOF' | oc apply -n "$NAMESPACE" -f -
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: llama-stack-app-root
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
EOF
log "✅ llama-stack-app-root PVC created"

# Llama run config: single source with GitHub E2E (tests/e2e/configs/run-ci.yaml).
# Lightspeed stack: same tree as local/docker E2E (tests/e2e/configuration/server-mode).
oc create configmap llama-stack-config -n "$NAMESPACE" \
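Review bot: The `oc delete pvc llama-stack-app-root … 2>/dev/null || true` line hides every failure, not only the not-found case that `--ignore-not-found=true` already covers. If the delete is refused, the following `oc apply` would leave the old claim in place and the "fresh per pipeline run" guarantee in the comment is lost silently, so a cached venv and checkout from another revision could be reused. Dropping the `|| true` and bounding the wait, `oc delete pvc llama-stack-app-root -n "$NAMESPACE" --ignore-not-found=true --wait=true --timeout=120s`, makes that case fail the pipeline instead. The comment also quotes ~1-2 min for a cached restart while the manifest comment says ~30-90 s; one figure would be clearer.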
18 changes: 17 additions & 1 deletion tests/e2e-prow/rhoai/pipeline-services-konflux.sh
@@ -26,9 +26,25 @@ oc create secret generic llama-stack-ip-secret \
-n "$NAMESPACE" \
--dry-run=client -o yaml | oc apply -f -

# PVC must exist before the pod (pipeline-konflux.sh creates it; guard here for standalone use).
oc get pvc llama-stack-app-root -n "$NAMESPACE" >/dev/null 2>&1 || \
oc apply -n "$NAMESPACE" -f - <<'PVCEOF'
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: llama-stack-app-root
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
PVCEOF

timeout 120 oc delete pod llama-stack-service -n "$NAMESPACE" --ignore-not-found=true --wait=true 2>/dev/null || true
oc apply -n "$NAMESPACE" -f "$BASE_DIR/manifests/lightspeed/llama-stack-openai.yaml"
oc wait pod/llama-stack-service -n "$NAMESPACE" --for=condition=Ready --timeout=600s
# First boot runs the full init (dnf + git clone + uv sync ≈ 6-15 min); use a generous timeout.
oc wait pod/llama-stack-service -n "$NAMESPACE" --for=condition=Ready --timeout=900s
oc label pod llama-stack-service pod=llama-stack-service -n "$NAMESPACE"
oc expose pod llama-stack-service --name=llama-stack-service-svc --port=8321 --type=ClusterIP -n "$NAMESPACE"
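Review bot: The new readiness wait uses `--timeout=900s`, which is exactly the 15-minute upper bound quoted in the comment above it, so a first boot at the slow end of that range fails the wait with no margin. Either raise it, e.g. `--timeout=1200s`, or change the comment to the range actually observed. The `oc get pvc … || oc apply` guard could also be a plain `oc apply`, which is idempotent and does not treat an API or auth error from `oc get` as "claim missing".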
