Enable model-registry with UI by default

.github/workflows/full_kubeflow_integration_test.yaml

@@ -95,16 +95,7 @@ jobs:
 
 
     - name: Install Model Registry
-      run: |
-        kustomize build applications/model-registry/upstream/overlays/db | kubectl apply -n kubeflow -f -
-        kustomize build applications/model-registry/upstream/options/istio | kubectl apply -n kubeflow -f -
-
-    - name: Install Model Registry UI
-      run: |
-        kustomize build applications/model-registry/upstream/options/ui/overlays/istio | kubectl apply -n kubeflow -f -
-
-    - name: Install KF Model Catalog
-      run: ./tests/model_catalog_install.sh
+      run: ./tests/model_registry_install.sh
 
     - name: Install Spark
       run: chmod u+x tests/*.sh && ./tests/spark_install.sh
@@ -202,45 +193,12 @@ jobs:
         cd experimental/ray/
         ./test.sh ${KF_PROFILE}
 
-    - name: Test Model Registry Deployment
-      run: |
-        kubectl wait --for=condition=available -n kubeflow deployment/model-registry-db --timeout=60s
-        kubectl wait --for=condition=available -n kubeflow deployment/model-registry-deployment --timeout=60s
-
-    - name: Test Model Registry UI Deployment
-      run: kubectl wait --for=condition=available -n kubeflow deployment/model-registry-ui --timeout=60s
-
-    - name: Test Model Registry API
-      run: |
-        export KF_TOKEN="$(kubectl -n $KF_PROFILE create token default-editor)"
-
-        nohup kubectl port-forward svc/model-registry-service -n kubeflow 8082:8080 &
-        sleep 5
-        curl -s -X 'GET' \
-          'http://localhost:8082/api/model_registry/v1alpha3/registered_models?pageSize=100&orderBy=ID&sortOrder=DESC' \
-          -H 'accept: application/json'
-
-        curl -s --fail \
-          "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-          -H "Authorization: Bearer ${KF_TOKEN}"
+    - name: Run Model Registry Tests
+      run: ./tests/model_registry_test.sh
 
-    - name: Run Model Catalog API tests
+    - name: Run Model Catalog API Tests
       run: ./tests/model_catalog_test.sh
 
-    - name: Test Model Registry API with Unauthorized Token
-      run: |
-        UNAUTHORIZED_TOKEN=$(kubectl -n test-unauthorized create token test-unauthorized || kubectl -n test-unauthorized create token default)
-
-        STATUS_CODE=$(curl -s \
-          --output /dev/stderr --write-out "%{http_code}" \
-          "localhost:8080/model-registry/api/v1/model_registry?namespace=${KF_PROFILE}" \
-          -H "Authorization: Bearer ${UNAUTHORIZED_TOKEN}")
-
-        if test $STATUS_CODE -ne 403; then
-          echo "Error: Unauthorized access was not correctly rejected. Got status code: ${STATUS_CODE}"
-          exit 1
-        fi
-
     - name: Apply Pod Security Standards Restricted
       run: ./tests/PSS_enable.sh restricted
 

applications/dashboard/overlays/istio/kustomization.yaml

@@ -7,3 +7,8 @@ resources:
 - ../../upstream/poddefaults-webhooks/overlays/cert-manager
 - ../../upstream/profile-controller/overlays/kubeflow-pss
 
+patches:
+  - path: patches/configmap.yaml
+    target:
+      kind: ConfigMap
+      name: dashboard-config

applications/dashboard/overlays/istio/patches/configmap.yaml

@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: dashboard-config
+data:
+  settings: |-
+    {
+      "DASHBOARD_FORCE_IFRAME": true
+    }
+  links: |-
+    {
+        "menuLinks": [
+            {
+                "icon": "book",
+                "link": "/jupyter/",
+                "text": "Notebooks",
+                "type": "item"
+            },
+            {
+                "icon": "assessment",
+                "link": "/tensorboards/",
+                "text": "TensorBoards",
+                "type": "item"
+            },
+            {
+                "icon": "device:storage",
+                "link": "/volumes/",
+                "text": "Volumes",
+                "type": "item"
+            },
+            {
+                "icon": "kubeflow:katib",
+                "link": "/katib/",
+                "text": "Katib Experiments",
+                "type": "item"
+            },
+            {
+                "type": "item",
+                "link": "/kserve-endpoints/",
+                "text": "KServe Endpoints",
+                "icon": "kubeflow:models"
+            },
+            {
+                "icon": "assignment",
+                "link": "/model-registry/",
+                "text": "Model Registry",
+                "type": "item"
+            },
+            {
+                "icon": "kubeflow:pipeline-centered",
+                "items": [
+                    {
+                        "link": "/pipeline/#/pipelines",
+                        "text": "Pipelines",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/experiments",
+                        "text": "Experiments",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/runs",
+                        "text": "Runs",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/recurringruns",
+                        "text": "Recurring Runs",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/artifacts",
+                        "text": "Artifacts",
+                        "type": "item"
+                    },
+                    {
+                        "link": "/pipeline/#/executions",
+                        "text": "Executions",
+                        "type": "item"
+                    }
+                ],
+                "text": "Pipelines",
+                "type": "section"
+            }
+        ],
+        "externalLinks": [],
+        "documentationItems": [
+            {
+                "desc": "The Kubeflow website",
+                "link": "https://www.kubeflow.org/",
+                "text": "Kubeflow Website"
+            },
+            {
+                "desc": "Documentation for Kubeflow Pipelines",
+                "link": "https://www.kubeflow.org/docs/components/pipelines/",
+                "text": "Kubeflow Pipelines Documentation"
+            },
+            {
+                "desc": "Documentation for Kubeflow Notebooks",
+                "link": "https://www.kubeflow.org/docs/components/notebooks/",
+                "text": "Kubeflow Notebooks Documentation"
+            },
+            {
+                "desc": "Documentation for Kubeflow Training Operator",
+                "link": "https://www.kubeflow.org/docs/components/training/",
+                "text": "Kubeflow Training Operator Documentation"
+            },
+            {
+                "desc": "Documentation for Katib",
+                "link": "https://www.kubeflow.org/docs/components/katib/",
+                "text": "Katib Documentation"
+            }
+        ],
+        "quickLinks": [
+            {
+                "desc": "Kubeflow Notebooks",
+                "link": "/jupyter/new",
+                "text": "Create a new Notebook"
+            },
+            {
+                "desc": "Kubeflow Pipelines",
+                "link": "/pipeline/#/pipelines",
+                "text": "Upload a Pipeline"
+            },
+            {
+                "desc": "Pipelines",
+                "link": "/pipeline/#/runs",
+                "text": "View Pipeline Runs"
+            }
+        ]
+    }

applications/model-registry/upstream/options/catalog/overlays/demo/kustomization.yaml

@@ -64,6 +64,8 @@ patches:
             - name: demo-perf-data
               mountPath: /demo-perf-data
           securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
             allowPrivilegeEscalation: false
             capabilities:
               drop:

applications/model-registry/upstream/options/istio/istio-authorization-policy.yaml

@@ -8,4 +8,20 @@ spec:
     matchLabels:
       component: model-registry-server
   rules:
-  - {}
+  # Allow all requests from the ingress gateway.
+  # External users are authenticated by oauth2-proxy/authservice at the gateway,
+  # which injects the kubeflow-userid header.
+  - from:
+    - source:
+        principals:
+        - cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account
+  # Allow internal requests with a valid Kubernetes JWT (authorization header)
+  # but strictly block any request that also carries a kubeflow-userid header,
+  # preventing identity spoofing from within the cluster.
+  - when:
+    - key: request.headers[authorization]
+      values:
+      - "*"
+    - key: request.headers[kubeflow-userid]
+      notValues:
+      - "*"

example/kustomization.yaml

@@ -95,6 +95,15 @@ resources:
 # Spark Operator
 - ../applications/spark/spark-operator/overlays/kubeflow
 
+# Model Registry
+- ../applications/model-registry/upstream/overlays/postgres
+# Model Registry Istio networking (VirtualService for /api/model_registry/)
+- ../applications/model-registry/upstream/options/istio
+# Model Registry UI
+- ../applications/model-registry/upstream/options/ui/overlays/istio
+# Model Catalog (demo)
+- ../applications/model-registry/upstream/options/catalog/overlays/demo
+
 # Ray is an experimental integration
 # Here is the documentation for Ray: https://docs.ray.io/en/latest/
 # Here is the internal documentation for Ray: - ../experimental/ray/README.md

tests/model_registry_install.sh

@@ -0,0 +1,85 @@
+#!/bin/bash
+set -euxo pipefail
+
+# Install Model Registry server, UI, database, and catalog components
+# This script can be used for local testing without GitHub Actions
+# Usage: ./tests/model_registry_install.sh
+
+echo "Installing Model Registry components..."
+
+# Build and apply Model Registry server with database
+echo "Deploying Model Registry server (with database)..."
+kustomize build applications/model-registry/upstream/overlays/postgres \
+  | kubectl apply -n kubeflow -f -
+
+# Build and apply Model Registry Istio networking
+echo "Deploying Model Registry Istio resources..."
+kustomize build applications/model-registry/upstream/options/istio \
+  | kubectl apply -n kubeflow -f -
+
+# Build and apply Model Registry UI with Istio integration
+echo "Deploying Model Registry UI..."
+kustomize build applications/model-registry/upstream/options/ui/overlays/istio \
+  | kubectl apply -n kubeflow -f -
+
+# Build and apply Model Catalog (demo overlay)
+echo "Deploying Model Catalog..."
+kustomize build applications/model-registry/upstream/options/catalog/overlays/demo \
+  | kubectl apply -n kubeflow -f -
+
+# Wait for Model Registry database deployment
+echo "Waiting for Model Registry database to become ready..."
+if ! kubectl wait --for=condition=available -n kubeflow deployment/model-registry-db --timeout=120s; then
+    echo "ERROR: Model Registry database deployment failed"
+    kubectl get pods -n kubeflow -l app=model-registry-db
+    kubectl describe deployment/model-registry-db -n kubeflow
+    kubectl logs deployment/model-registry-db -n kubeflow
+    exit 1
+fi
+
+# Wait for Model Registry server deployment
+echo "Waiting for Model Registry server to become ready..."
+if ! kubectl wait --for=condition=available -n kubeflow deployment/model-registry-deployment --timeout=120s; then
+    echo "ERROR: Model Registry server deployment failed"
+    kubectl get pods -n kubeflow -l component=model-registry-server
+    kubectl describe deployment/model-registry-deployment -n kubeflow
+    kubectl logs deployment/model-registry-deployment -n kubeflow --all-containers
+    exit 1
+fi
+
+# Wait for Model Registry UI deployment
+echo "Waiting for Model Registry UI to become ready..."
+if ! kubectl wait --for=condition=available -n kubeflow deployment/model-registry-ui --timeout=120s; then
+    echo "ERROR: Model Registry UI deployment failed"
+    kubectl get pods -n kubeflow -l app=model-registry-ui
+    kubectl describe deployment/model-registry-ui -n kubeflow
+    kubectl logs deployment/model-registry-ui -n kubeflow --all-containers
+    exit 1
+fi
+
+# Wait for Model Catalog PostgreSQL StatefulSet
+echo "Waiting for Model Catalog database to become ready..."
+if ! kubectl wait --for=condition=ready -n kubeflow pod \
+  -l app.kubernetes.io/name=postgres,app.kubernetes.io/part-of=model-catalog \
+  --timeout=120s; then
+    echo "ERROR: Model Catalog database pod failed"
+    kubectl get pods -n kubeflow -l app.kubernetes.io/part-of=model-catalog
+    kubectl describe statefulset/model-catalog-postgres -n kubeflow
+    kubectl logs statefulset/model-catalog-postgres -n kubeflow
+    exit 1
+fi
+
+# Wait for Model Catalog server deployment
+echo "Waiting for Model Catalog server to become ready..."
+if ! kubectl wait --for=condition=available -n kubeflow deployment/model-catalog-server --timeout=120s; then
+    echo "ERROR: Model Catalog server deployment failed"
+    kubectl get pods -n kubeflow -l app.kubernetes.io/part-of=model-catalog
+    kubectl describe deployment/model-catalog-server -n kubeflow
+    kubectl logs deployment/model-catalog-server -n kubeflow --all-containers
+    exit 1
+fi
+
+echo "Model Registry installation complete!"
+kubectl get pods -n kubeflow -l component=model-registry-server
+kubectl get pods -n kubeflow -l app=model-registry-ui
+kubectl get pods -n kubeflow -l app.kubernetes.io/part-of=model-catalog