[pull] main from kserve:main (#326)

* Fixes CVE-2024-45338 (kserve#533)

chore: Fix
[CVE-2024-45338](https://www.cve.org/CVERecord?id=CVE-2024-45338) -
Denial of Service on golang.org/x/net/html

#### Motivation

#### Modifications

#### Result

Signed-off-by: Spolti <[email protected]>

* [RHOAIENG-14237] Adding REST_PROXY_SKIP_VERIFY env var. (kserve#536)

#### Motivation
rest-proxy has a new environment variable for allowing the user to skip
verification when using TLS

#### Modifications
Adding the variable to the RESTProxyConfig and to the Deployments

#### Result
Users will be able to specify if they want to skip verification when
using TLS

See: [RHOAIENG-14237](https://issues.redhat.com/browse/RHOAIENG-14237)

Signed-off-by: Andres Llausas <[email protected]>

* Update GoLang, python and base images (kserve#538)

Signed-off-by: Spolti <[email protected]>

---------

Signed-off-by: Spolti <[email protected]>
Signed-off-by: Andres Llausas <[email protected]>
Co-authored-by: Filippe Spolti <[email protected]>
Co-authored-by: Andres Llausas <[email protected]>

Author: 3 people

Diff for: .github/workflows/fvt-base.yml

@@ -41,17 +41,18 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.21'
+          go-version: '1.22'
 
       - name: Start Minikube
-        uses: medyagh/[email protected].14
+        uses: medyagh/[email protected].19
         id: minikube
         with:
-          minikube-version: 1.32.0
+          minikube-version: 1.35.0
           container-runtime: docker
-          kubernetes-version: v1.26.1
+          kubernetes-version: v1.32.0
           cpus: max
           memory: max
+          addons: storage-provisioner
 
       - name: Check pods
         run: |

Diff for: .pre-commit-config.yaml

@@ -13,7 +13,7 @@
 # limitations under the License.
 repos:
   - repo: https://github.com/golangci/golangci-lint
-    rev: v1.51.2
+    rev: v1.60.3
     hooks:
       - id: golangci-lint
         entry: golangci-lint run

Diff for: Dockerfile

@@ -54,7 +54,7 @@ RUN GOOS=${TARGETOS:-linux} \
 ###############################################################################
 # Stage 2: Copy build assets to create the smallest final runtime image
 ###############################################################################
-FROM registry.access.redhat.com/ubi8/ubi-minimal:latest AS runtime
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5 AS runtime
 
 ARG USER=2000
 ARG IMAGE_VERSION

Diff for: Dockerfile.develop

@@ -21,8 +21,8 @@
 ###############################################################################
 # Create the develop, test, and build environment
 ###############################################################################
-ARG GOLANG_VERSION=1.21
-FROM registry.access.redhat.com/ubi8/go-toolset:$GOLANG_VERSION
+ARG GOLANG_VERSION=1.22
+FROM registry.access.redhat.com/ubi9/go-toolset:$GOLANG_VERSION
 
 
 # https://docs.docker.com/engine/reference/builder/#automatic-platform-args-in-the-global-scope
@@ -44,14 +44,15 @@ ENV HOME=/root
 WORKDIR /workspace
 
 # Install build and dev tools
-# NOTE: Require python38 to install pre-commit
+# NOTE: Require python to install pre-commit
 RUN --mount=type=cache,target=/root/.cache/dnf:rw \
     dnf install --setopt=cachedir=/root/.cache/dnf -y --nodocs \
        nodejs \
        jq \
-       python38 \
-    && ln -sf /usr/bin/python3 /usr/bin/python \
-    && ln -sf /usr/bin/pip3 /usr/bin/pip \
+       python3.11 \
+       python3.11-pip \
+    && alternatives --install /usr/bin/python python /usr/bin/python3.11 1 \
+    && alternatives --install /usr/bin/pip pip /usr/bin/pip3.11 1 \
     && true
 
 # Install pre-commit

Diff for: controllers/modelmesh/cluster_config.go

@@ -71,7 +71,7 @@ func (cc ClusterConfig) Reconcile(ctx context.Context, namespace string, cl clie
 		return err
 	}
 
-	if cc.SRSpecs == nil || len(cc.SRSpecs) == 0 {
+	if len(cc.SRSpecs) == 0 {
 		if !notfound {
 			return cl.Delete(ctx, m)
 		}

Diff for: controllers/modelmesh/modelmesh.go

@@ -37,25 +37,26 @@ const ModelMeshEtcdPrefix = "mm"
 
 // Models a deployment
 type Deployment struct {
-	ServiceName        string
-	ServicePort        uint16
-	Name               string
-	Namespace          string
-	Owner              mf.Owner
-	SRSpec             *kserveapi.ServingRuntimeSpec
-	DefaultVModelOwner string
-	Log                logr.Logger
-	Metrics            bool
-	PrometheusPort     uint16
-	PrometheusScheme   string
-	PayloadProcessors  string
-	ModelMeshImage     string
-	ModelMeshResources *corev1.ResourceRequirements
-	RESTProxyEnabled   bool
-	RESTProxyImage     string
-	RESTProxyResources *corev1.ResourceRequirements
-	RESTProxyPort      uint16
-	PVCs               []string
+	ServiceName         string
+	ServicePort         uint16
+	Name                string
+	Namespace           string
+	Owner               mf.Owner
+	SRSpec              *kserveapi.ServingRuntimeSpec
+	DefaultVModelOwner  string
+	Log                 logr.Logger
+	Metrics             bool
+	PrometheusPort      uint16
+	PrometheusScheme    string
+	PayloadProcessors   string
+	ModelMeshImage      string
+	ModelMeshResources  *corev1.ResourceRequirements
+	RESTProxyEnabled    bool
+	RESTProxySkipVerify bool
+	RESTProxyImage      string
+	RESTProxyResources  *corev1.ResourceRequirements
+	RESTProxyPort       uint16
+	PVCs                []string
 	// internal fields used when templating
 	AuthNamespace              string
 	ModelMeshLimitCPU          string

Diff for: controllers/modelmesh/proxy.go

@@ -26,6 +26,7 @@ const (
 	restProxyGrpcMaxMsgSizeEnvVar = "REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES"
 	restProxyGrpcPortEnvVar       = "REST_PROXY_GRPC_PORT"
 	restProxyTlsEnvVar            = "REST_PROXY_USE_TLS"
+	restProxySkipVerifyEnvVar     = "REST_PROXY_SKIP_VERIFY"
 )
 
 func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) error {
@@ -47,6 +48,9 @@ func (m *Deployment) addRESTProxyToDeployment(deployment *appsv1.Deployment) err
 				}, {
 					Name:  restProxyGrpcMaxMsgSizeEnvVar,
 					Value: strconv.Itoa(m.GrpcMaxMessageSize),
+				}, {
+					Name:  restProxySkipVerifyEnvVar,
+					Value: strconv.FormatBool(m.RESTProxySkipVerify),
 				},
 			},
 			Ports: []corev1.ContainerPort{

Diff for: controllers/servingruntime_controller.go

@@ -242,6 +242,7 @@ func (r *ServingRuntimeReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		RESTProxyEnabled:           cfg.RESTProxy.Enabled,
 		RESTProxyImage:             cfg.RESTProxy.Image.TaggedImage(),
 		RESTProxyPort:              cfg.RESTProxy.Port,
+		RESTProxySkipVerify:        cfg.RESTProxy.SkipVerify,
 		RESTProxyResources:         cfg.RESTProxy.Resources.ToKubernetesType(),
 		PullerImage:                cfg.StorageHelperImage.TaggedImage(),
 		PullerImageCommand:         cfg.StorageHelperImage.Command,

Diff for: controllers/testdata/servingruntime_controller.golden

@@ -671,6 +671,8 @@ spec:
           value: "false"
         - name: REST_PROXY_GRPC_MAX_MSG_SIZE_BYTES
           value: "16777216"
+        - name: REST_PROXY_SKIP_VERIFY
+          value: "false"
         image: kserve/rest-proxy:latest
         imagePullPolicy: Always
         name: rest-proxy

Diff for: fvt/fvtclient.go

@@ -28,11 +28,10 @@ import (
 	"strings"
 	"time"
 
-	"google.golang.org/grpc/credentials/insecure"
-
 	"github.com/go-logr/logr"
 	"github.com/kserve/kserve/pkg/apis/serving/v1beta1"
 	api "github.com/kserve/modelmesh-serving/apis/serving/v1alpha1"
+	"google.golang.org/grpc/credentials/insecure"
 
 	"github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
@@ -497,6 +496,29 @@ func (fvt *FVTClient) TailPodLogs(sinceTime string) {
 	}
 }
 
+func (fvt *FVTClient) PrintContainerEnvsFromAllPods() {
+	podList, err := fvt.Resource(gvrPods).Namespace(fvt.namespace).List(context.TODO(), metav1.ListOptions{
+		LabelSelector: "modelmesh-service=modelmesh-serving",
+	})
+	if err != nil {
+		fvt.log.Error(err, "Error listing the pods")
+	}
+	for _, podList := range podList.Items {
+		podName := podList.GetName()
+		err = fvt.RunKubectl("get", "pod/"+podName, "-o", "yaml")
+		if err != nil {
+			fvt.log.Error(err, "Error running kubectl exec env command")
+		}
+	}
+}
+
+func (fvt *FVTClient) PrintMMConfig() {
+	err := fvt.RunKubectl("get", "cm", UserConfigMapName, "-o", "yaml")
+	if err != nil {
+		fvt.log.Error(err, "Error running get config map command")
+	}
+}
+
 func (fvt *FVTClient) RunKubectl(args ...string) error {
 	args = append(args, "-n", fvt.namespace)
 	kubectlCmd := exec.Command("kubectl", args...)
@@ -533,13 +555,13 @@ func (fvt *FVTClient) RunKfsModelMetadata(req *inference.ModelMetadataRequest) (
 	return grpcClient.ModelMetadata(ctx, req)
 }
 
-func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, tls bool) (string, error) {
+func (fvt *FVTClient) RunKfsRestInference(modelName string, body []byte, useTls bool) (string, error) {
 	if fvt.restConn == nil {
 		return "", errors.New("you must connect to model mesh before running an inference")
 	}
 
 	protocol := "http"
-	if tls {
+	if useTls {
 		protocol = "https"
 	}
 

Diff for: fvt/globals.go

@@ -28,7 +28,8 @@ var NameSpaceScopeMode = false
 var DefaultConfig = map[string]interface{}{
 	"podsPerRuntime": 1,
 	"restProxy": map[string]interface{}{
-		"enabled": true,
+		"enabled":    true,
+		"skipVerify": true,
 	},
 	"scaleToZero": map[string]interface{}{
 		"enabled": false,

Diff for: fvt/predictor/predictor_suite_test.go

@@ -87,11 +87,13 @@ var _ = JustBeforeEach(func() {
 })
 var _ = JustAfterEach(func() {
 	if CurrentSpecReport().Failed() {
+		FVTClientInstance.PrintMMConfig()
 		FVTClientInstance.PrintPredictors()
 		FVTClientInstance.PrintIsvcs()
 		FVTClientInstance.PrintPods()
 		FVTClientInstance.PrintDescribeNodes()
 		FVTClientInstance.PrintEvents()
 		FVTClientInstance.TailPodLogs(startTime)
+		FVTClientInstance.PrintContainerEnvsFromAllPods()
 	}
 })

Diff for: fvt/predictor/predictor_test.go

@@ -15,15 +15,15 @@
 package predictor
 
 import (
+	"crypto/sha1"
 	"fmt"
 	"time"
 
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-
 	inference "github.com/kserve/modelmesh-serving/fvt/generated"
 	tfsframework "github.com/kserve/modelmesh-serving/fvt/generated/tensorflow/core/framework"
 	tfsapi "github.com/kserve/modelmesh-serving/fvt/generated/tensorflow_serving/apis"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 
 	. "github.com/kserve/modelmesh-serving/fvt"
 	. "github.com/onsi/ginkgo/v2"
@@ -364,10 +364,16 @@ var _ = Describe("Predictor", func() {
 		BeforeAll(func() {
 			// load the test predictor object
 			tfPredictorObject = NewPredictorForFVT("tf-predictor.yaml")
+			rd := fmt.Sprintf("%x", sha1.Sum([]byte(time.Now().String())))
+			randomName := fmt.Sprintf("minimal-tf-predictor-%s", rd[len(rd)-5:])
+			SetString(tfPredictorObject, randomName, "metadata", "name")
+
 			tfPredictorName = tfPredictorObject.GetName()
 
 			CreatePredictorAndWaitAndExpectLoaded(tfPredictorObject)
 
+			WaitForStableActiveDeployState(time.Second * 60)
+
 			err := FVTClientInstance.ConnectToModelServing(Insecure)
 			Expect(err).ToNot(HaveOccurred())
 		})
@@ -1175,6 +1181,7 @@ var _ = Describe("TLS XGBoost inference", Ordered, Serial, func() {
 
 	It("should successfully run an inference with basic TLS", func() {
 		By("Updating the user ConfigMap to for basic TLS")
+
 		FVTClientInstance.UpdateConfigMapTLS(BasicTLSConfig)
 
 		By("Waiting for stable deploy state after UpdateConfigMapTLS")

Diff for: go.mod

@@ -1,6 +1,6 @@
 module github.com/kserve/modelmesh-serving
 
-go 1.21
+go 1.22.9
 
 require (
 	github.com/dereklstinson/cifar v0.0.0-20200421171932-5722a3b6a0c7
@@ -36,7 +36,7 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect
-	golang.org/x/sync v0.5.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20231106174013-bbf56f31fb17 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
 )
@@ -108,14 +108,14 @@ require (
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.26.0 // indirect
-	golang.org/x/crypto v0.21.0 // indirect
-	golang.org/x/net v0.21.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/oauth2 v0.14.0 // indirect
-	golang.org/x/sys v0.18.0 // indirect
-	golang.org/x/term v0.18.0 // indirect
-	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.4.0 // indirect
-	golang.org/x/tools v0.15.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	google.golang.org/api v0.151.0 // indirect
@@ -142,6 +142,6 @@ replace (
 	// before removing it make sure that the next version of the related k8s dependencies contains the fix
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp => go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.44.0
 
-	// Fixes CVE-2023-45288
-	golang.org/x/net => golang.org/x/net v0.23.0
+	// Fixes CVE-2024-45338
+	golang.org/x/net => golang.org/x/net v0.33.0
 )