feat(Backend + SDK): Update kfp backend and kubernetes sdk to support…

… ImagePullSecrets (kubeflow#10427) * Update kfp backend and kubernetes sdk to support ImagePullSecrets * update go.mod go.sum and csv files * update image_pull_secret method name * update unit tests * update apiserver.csv file * update set_image_pull_secrets name
rimolive · Mar 27, 2024 · 32a3cf0 · 32a3cf0
1 parent 91069c0
commit 32a3cf0
Show file tree

Hide file tree

Showing 7 changed files with 209 additions and 3 deletions.
diff --git a/backend/src/v2/driver/driver.go b/backend/src/v2/driver/driver.go
@@ -543,6 +543,11 @@ func extendPodSpecPatch(
 		}
 	}
 
+	// Get image pull secret information
+	for _, imagePullSecret := range kubernetesExecutorConfig.GetImagePullSecret() {
+		podSpec.ImagePullSecrets = append(podSpec.ImagePullSecrets, k8score.LocalObjectReference{Name: imagePullSecret.GetSecretName()})
+	}
+
 	return nil
 }
 

diff --git a/backend/third_party_licenses/driver.csv b/backend/third_party_licenses/driver.csv
@@ -32,7 +32,7 @@ github.com/josharian/intern,https://github.com/josharian/intern/blob/v1.0.0/lice
 github.com/json-iterator/go,https://github.com/json-iterator/go/blob/v1.1.12/LICENSE,MIT
 github.com/kubeflow/pipelines/api/v2alpha1/go,https://github.com/kubeflow/pipelines/blob/758c91f76784/api/LICENSE,Apache-2.0
 github.com/kubeflow/pipelines/backend,https://github.com/kubeflow/pipelines/blob/HEAD/LICENSE,Apache-2.0
-github.com/kubeflow/pipelines/kubernetes_platform/go/kubernetesplatform,https://github.com/kubeflow/pipelines/blob/bd9f74e34de6/kubernetes_platform/LICENSE,Apache-2.0
+github.com/kubeflow/pipelines/kubernetes_platform/go/kubernetesplatform,https://github.com/kubeflow/pipelines/blob/f51dc39614e4/kubernetes_platform/LICENSE,Apache-2.0
 github.com/kubeflow/pipelines/third_party/ml-metadata/go/ml_metadata,https://github.com/kubeflow/pipelines/blob/e1f0c010f800/third_party/ml-metadata/LICENSE,Apache-2.0
 github.com/mailru/easyjson,https://github.com/mailru/easyjson/blob/v0.7.7/LICENSE,MIT
 github.com/modern-go/concurrent,https://github.com/modern-go/concurrent/blob/bacd9c7ef1dd/LICENSE,Apache-2.0

diff --git a/kubernetes_platform/python/kfp/kubernetes/__init__.py b/kubernetes_platform/python/kfp/kubernetes/__init__.py
@@ -27,6 +27,7 @@
     'use_secret_as_env',
     'use_secret_as_volume',
     'add_node_selector',
+    'set_image_pull_secrets'
 ]
 
 from kfp.kubernetes.config_map import use_config_map_as_env
@@ -42,3 +43,4 @@
 from kfp.kubernetes.volume import CreatePVC
 from kfp.kubernetes.volume import DeletePVC
 from kfp.kubernetes.volume import mount_pvc
+from kfp.kubernetes.image import set_image_pull_secrets
diff --git a/kubernetes_platform/python/kfp/kubernetes/image.py b/kubernetes_platform/python/kfp/kubernetes/image.py
@@ -38,8 +38,7 @@ def set_image_pull_secrets(
 
     # Assuming secret_names is a list of strings
     image_pull_secret = [
-        pb.ImagePullSecret(secret_name=secret_name)
-        for secret_name in secret_names
+        pb.ImagePullSecret(secret_name=secret_name) for secret_name in secret_names
     ]
 
     msg.image_pull_secret.extend(image_pull_secret)

diff --git a/kubernetes_platform/python/test/snapshot/data/image_pull_secrets.py b/kubernetes_platform/python/test/snapshot/data/image_pull_secrets.py
@@ -0,0 +1,32 @@
+# Copyright 2024 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from kfp import dsl
+from kfp import kubernetes
+
+
+@dsl.component
+def comp():
+    pass
+
+
+@dsl.pipeline
+def my_pipeline():
+    task = comp()
+    kubernetes.set_image_pull_secrets(task, ['my-secret'])
+
+
+if __name__ == '__main__':
+    from kfp import compiler
+    compiler.Compiler().compile(my_pipeline, __file__.replace('.py', '.yaml'))
diff --git a/kubernetes_platform/python/test/snapshot/data/image_pull_secrets.yaml b/kubernetes_platform/python/test/snapshot/data/image_pull_secrets.yaml
@@ -0,0 +1,57 @@
+# PIPELINE DEFINITION
+# Name: my-pipeline
+components:
+  comp-comp:
+    executorLabel: exec-comp
+deploymentSpec:
+  executors:
+    exec-comp:
+      container:
+        args:
+        - --executor_input
+        - '{{$}}'
+        - --function_to_execute
+        - comp
+        command:
+        - sh
+        - -c
+        - "\nif ! [ -x \"$(command -v pip)\" ]; then\n    python3 -m ensurepip ||\
+          \ python3 -m ensurepip --user || apt-get install python3-pip\nfi\n\nPIP_DISABLE_PIP_VERSION_CHECK=1\
+          \ python3 -m pip install --quiet --no-warn-script-location 'kfp==2.6.0'\
+          \ '--no-deps' 'typing-extensions>=3.7.4,<5; python_version<\"3.9\"' && \"\
+          $0\" \"$@\"\n"
+        - sh
+        - -ec
+        - 'program_path=$(mktemp -d)
+
+
+          printf "%s" "$0" > "$program_path/ephemeral_component.py"
+
+          _KFP_RUNTIME=true python3 -m kfp.dsl.executor_main                         --component_module_path                         "$program_path/ephemeral_component.py"                         "$@"
+
+          '
+        - "\nimport kfp\nfrom kfp import dsl\nfrom kfp.dsl import *\nfrom typing import\
+          \ *\n\ndef comp():\n    pass\n\n"
+        image: python:3.7
+pipelineInfo:
+  name: my-pipeline
+root:
+  dag:
+    tasks:
+      comp:
+        cachingOptions:
+          enableCache: true
+        componentRef:
+          name: comp-comp
+        taskInfo:
+          name: comp
+schemaVersion: 2.1.0
+sdkVersion: kfp-2.6.0
+---
+platforms:
+  kubernetes:
+    deploymentSpec:
+      executors:
+        exec-comp:
+          imagePullSecret:
+          - secretName: my-secret
diff --git a/kubernetes_platform/python/test/unit/test_image_pull_secrets.py b/kubernetes_platform/python/test/unit/test_image_pull_secrets.py
@@ -0,0 +1,111 @@
+# Copyright 2024 The Kubeflow Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from google.protobuf import json_format
+from kfp import dsl
+from kfp import kubernetes
+
+
+class TestImagePullSecret:
+
+    def test_add_one(self):
+
+        @dsl.pipeline
+        def my_pipeline():
+            task = comp()
+            kubernetes.set_image_pull_secrets(task, ['secret-name'])
+
+        assert json_format.MessageToDict(my_pipeline.platform_spec) == {
+            'platforms': {
+                'kubernetes': {
+                    'deploymentSpec': {
+                        'executors': {
+                            'exec-comp': {
+                                'imagePullSecret': [{
+                                    'secretName':
+                                        'secret-name'
+                                }]
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+    def test_add_two(self):
+
+        @dsl.pipeline
+        def my_pipeline():
+            task = comp()
+            kubernetes.set_image_pull_secrets(task, ['secret-name1', 'secret-name2'])
+
+        assert json_format.MessageToDict(my_pipeline.platform_spec) == {
+            'platforms': {
+                'kubernetes': {
+                    'deploymentSpec': {
+                        'executors': {
+                            'exec-comp': {
+                                'imagePullSecret': [{
+                                    'secretName':
+                                        'secret-name1'
+                                }, {
+                                    'secretName':
+                                        'secret-name2'
+                                },
+                                ]
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+    def test_respects_other_configuration(self):
+
+        @dsl.pipeline
+        def my_pipeline():
+            task = comp()
+
+            # Load the secret as a volume
+            kubernetes.use_secret_as_volume(
+                task, secret_name='secret-name', mount_path='/mnt/my_vol')
+
+            # Set image pull secrets for a task using secret names
+            kubernetes.set_image_pull_secrets(task, ['secret-name'])
+
+        assert json_format.MessageToDict(my_pipeline.platform_spec) == {
+            'platforms': {
+                'kubernetes': {
+                    'deploymentSpec': {
+                        'executors': {
+                            'exec-comp': {
+                                'secretAsVolume': [{
+                                    'secretName': 'secret-name',
+                                    'mountPath': '/mnt/my_vol'
+                                }],
+                                'imagePullSecret': [{
+                                    'secretName':
+                                        'secret-name'
+                                }]
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+
+@dsl.component
+def comp():
+    pass