Improve image tests (#315)

* Improve Image Tests

Author: gotsysdba

.github/workflows/image_smoke.yml

@@ -64,7 +64,7 @@ jobs:
           context: .
           file: ${{ matrix.build.dockerfile }}
           tags: ${{ matrix.build.name }}:${{ github.sha }}
-          load: ${{ matrix.build.name == 'aio' }}
+          load: true  # Load all images for smoke testing
           push: false
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
@@ -97,36 +97,92 @@ jobs:
           sarif_file: trivy-results-aio.sarif
           category: trivy-aio
 
-      # Smoke test - only AIO (contains both server and client)
-      - name: Smoke Test - Verify Container Starts
+      # Smoke test - Server container
+      - name: Smoke Test - Server Container
+        if: matrix.build.name == 'server'
+        run: |
+          echo "Testing Server container startup..."
+
+          # Start server container in background
+          docker run -d --name test-server \
+            -e API_SERVER_KEY=test-key-for-ci \
+            server:${{ github.sha }}
+
+          # Wait and verify container is still running (max 30 seconds)
+          echo "Waiting for container to stabilize..."
+          sleep 10
+
+          if docker ps --filter "name=test-server" --filter "status=running" | grep -q test-server; then
+            echo "✅ Server container started and is running"
+            docker stop test-server
+            exit 0
+          else
+            echo "❌ Server container failed to start or crashed"
+            docker logs test-server 2>&1
+            exit 1
+          fi
+
+      # Smoke test - Client container
+      - name: Smoke Test - Client Container
+        if: matrix.build.name == 'client'
+        run: |
+          echo "Testing Client container startup..."
+
+          # Start client container in background
+          # Client requires API_SERVER_* env vars to be set
+          docker run -d --name test-client \
+            -e API_SERVER_KEY=test-key-for-ci \
+            -e API_SERVER_URL=http://localhost \
+            -e API_SERVER_PORT=8000 \
+            client:${{ github.sha }}
+
+          # Wait and verify container is still running
+          echo "Waiting for container to stabilize..."
+          sleep 10
+
+          if docker ps --filter "name=test-client" --filter "status=running" | grep -q test-client; then
+            echo "✅ Client container started and is running"
+            docker stop test-client
+            exit 0
+          else
+            echo "❌ Client container failed to start or crashed"
+            docker logs test-client 2>&1
+            exit 1
+          fi
+
+      # Smoke test - AIO container (both server and client)
+      - name: Smoke Test - AIO Container
         if: matrix.build.name == 'aio'
         run: |
-          echo "Testing AIO image startup..."
+          echo "Testing AIO container startup..."
 
           # Start container in background
           docker run -d --name test-aio \
             -e API_SERVER_KEY=test-key-for-ci \
             aio:${{ github.sha }}
 
-          # Wait for startup (max 30 seconds)
-          for i in {1..30}; do
-            if docker logs test-aio 2>&1 | grep -qE "Application startup complete|Uvicorn running|Starting server|Streamlit"; then
-              echo "✅ Container started successfully"
-              docker logs test-aio | tail -20
-              docker stop test-aio
-              exit 0
-            fi
-            sleep 1
-          done
-
-          echo "❌ Container failed to start within 30 seconds"
-          docker logs test-aio
-          docker stop test-aio || true
-          exit 1
-
-      - name: Cleanup Test Container
-        if: always() && matrix.build.name == 'aio'
+          # Wait and verify container is still running
+          echo "Waiting for container to stabilize..."
+          sleep 10
+
+          if docker ps --filter "name=test-aio" --filter "status=running" | grep -q test-aio; then
+            echo "✅ AIO container started and is running"
+            docker stop test-aio
+            exit 0
+          else
+            echo "❌ AIO container failed to start or crashed"
+            docker logs test-aio 2>&1
+            exit 1
+          fi
+
+      # Cleanup test containers
+      - name: Cleanup Test Containers
+        if: always()
         run: |
+          docker stop test-server 2>/dev/null || true
+          docker rm test-server 2>/dev/null || true
+          docker stop test-client 2>/dev/null || true
+          docker rm test-client 2>/dev/null || true
           docker stop test-aio 2>/dev/null || true
           docker rm test-aio 2>/dev/null || true
 
@@ -140,9 +196,13 @@ jobs:
     steps:
       - name: All Validations Passed
         run: |
-          echo "================================================"
+          echo "========================================================"
           echo "✅ All container image validations passed!"
-          echo "================================================"
+          echo "========================================================"
           echo "- Image builds (aio, client, server): ✅"
-          echo "- Security scan (AIO only): ✅"
-          echo "- Smoke test (AIO only): ✅"
+          echo "- Security scan (AIO): ✅"
+          echo "- Smoke tests:"
+          echo "  - Server container startup: ✅"
+          echo "  - Client container startup: ✅"
+          echo "  - AIO container startup: ✅"
+          echo "========================================================"

opentofu/modules/kubernetes/iam.tf

@@ -41,9 +41,9 @@ resource "oci_identity_policy" "workers_policies" {
     format("allow any-user to inspect buckets in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to read objects in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
     format("allow any-user to manage repos in compartment id %s where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.compartment_id, var.label_prefix, oci_containerengine_cluster.default_cluster.id),
-    # Instance Principles
+    format("allow any-user to use generative-ai-family in tenancy where all {request.principal.type = 'workload', request.principal.namespace = '%s', request.principal.cluster_id = '%s'}", var.label_prefix, oci_containerengine_cluster.default_cluster.id),
+    # Instance Principals (required to pull images)
     format("allow dynamic-group %s to manage repos in compartment id %s", oci_identity_dynamic_group.workers_dynamic_group.name, var.compartment_id),
-    format("allow dynamic-group %s to use generative-ai-family in tenancy", oci_identity_dynamic_group.workers_dynamic_group.name),
   ]
   provider = oci.home_region
 }

src/.streamlit/config.toml

@@ -3,16 +3,6 @@
 [global]
 disableWidgetStateDuplicationWarning = true
 
-[theme]
-font = "sans-serif-pro"
-headingFont = "sans-serif"
-codeFont = "monospace"
-
-[theme.sidebar]
-font = "sans-serif"
-headingFont = "sans-serif"
-codeFont = "monospace"
-
 [browser]
 gatherUsageStats = false
 serverAddress = "localhost"

src/Dockerfile

@@ -3,14 +3,16 @@
 # spell-checker:disable
 ##################################################
 # Base - All-In-One
+# Build from the project root directory:
+#  podman build -f src/Dockerfile -t ai-optimizer-aio:latest .
 ##################################################
 FROM container-registry.oracle.com/os/oraclelinux:8-slim AS all_in_one_pyenv
 ENV RUNUSER=oracleai \
     VIRTUAL_ENV=/opt/.venv
 
-RUN groupadd $RUNUSER && \
+RUN groupadd -g 10001 $RUNUSER && \
     useradd -u 10001 -g $RUNUSER -md /app $RUNUSER && \
-    microdnf --nodocs -y install python3.11 python3.11-pip python3.11-devel && \
+    microdnf --nodocs -y install python3.11 python3.11-pip && \
     microdnf clean all && \
     python3.11 -m venv --symlinks --upgrade-deps $VIRTUAL_ENV
 

src/client/Dockerfile

@@ -3,16 +3,16 @@
 # spell-checker: disable
 #############################################################
 # Base - Web GUI
-# Build from the / directory:
+# Build from the project root directory:
 #  podman build -f src/client/Dockerfile -t ai-optimizer-client:latest .
 #############################################################
 FROM container-registry.oracle.com/os/oraclelinux:8-slim AS optimizer_base
 ENV RUNUSER=oracleai \
     VIRTUAL_ENV=/opt/.venv
 
-RUN groupadd $RUNUSER && \
+RUN groupadd -g 10001 $RUNUSER && \
     useradd -u 10001 -g $RUNUSER -md /app $RUNUSER && \
-    microdnf --nodocs -y install python3.11 python3.11-pip python3.11-devel && \
+    microdnf --nodocs -y install python3.11 python3.11-pip && \
     microdnf clean all && \
     python3.11 -m venv --symlinks --upgrade-deps $VIRTUAL_ENV
 

src/launch_client.py

@@ -94,6 +94,10 @@ def main() -> None:
         .stAppHeader img[alt="Logo"] {
             width: 50%;
         }
+        /* Fix emoji rendering in tab labels */
+        [data-testid="stMarkdownContainer"] p {
+            font-family: "sans-serif-pro" !important;
+        }
         </style>
         """,
     )

src/server/Dockerfile

@@ -2,7 +2,7 @@
 ## Licensed under the Universal Permissive License v1.0 as shown at http://oss.oracle.com/licenses/upl.
 #############################################################
 # Base - API Server
-# Build from the / directory:
+# Build from the project root directory:
 #  podman build -f src/server/Dockerfile -t ai-optimizer-server:latest .
 #############################################################
 # spell-checker: disable
@@ -12,9 +12,9 @@ ENV RUNUSER=oracleai
 ENV RUNUSER=oracleai \
     VIRTUAL_ENV=/opt/.venv
 
-RUN groupadd $RUNUSER && \
+RUN groupadd -g 10001 $RUNUSER && \
     useradd -u 10001 -g $RUNUSER -md /app $RUNUSER && \
-    microdnf --nodocs -y install python3.11 python3.11-pip python3.11-devel && \
+    microdnf --nodocs -y install python3.11 python3.11-pip && \
     microdnf clean all && \
     python3.11 -m venv --symlinks --upgrade-deps $VIRTUAL_ENV
 

src/server/patches/litellm_patch.py

@@ -102,14 +102,14 @@ def custom_validate_environment(
         api_base: Optional[str] = None,
     ) -> dict:
         """
-        Custom validate_environment to support instance principals.
-        When using instance principals, skip the validation of user/fingerprint/key.
+        Custom validate_environment to support instance principals and workload identity.
+        If oci_signer is present, use signer-based auth; otherwise use credential-based auth.
         """
-        oci_auth_type = optional_params.get("oci_auth_type")
+        oci_signer = optional_params.get("oci_signer")
 
-        # If using instance principals or workload identity, skip credential validation
-        if oci_auth_type in ("instance_principal", "oke_workload_identity"):
-            logger.info("Using OCI %s - skipping credential validation", oci_auth_type)
+        # If signer is provided, use signer-based authentication (instance principals/workload identity)
+        if oci_signer:
+            logger.info("OCI signer detected - using signer-based authentication")
             oci_region = optional_params.get("oci_region", "us-ashburn-1")
             api_base = (
                 api_base or litellm.api_base or f"https://inference.generativeai.{oci_region}.oci.oraclecloud.com"
@@ -133,7 +133,7 @@ def custom_validate_environment(
 
             return headers
 
-        # For standard auth, use original validation
+        # For credential-based auth, use original validation
         return original_validate_environment(
             self, headers, model, messages, optional_params, litellm_params, api_key, api_base
         )
@@ -161,20 +161,14 @@ def custom_sign_request(
         fake_stream: Optional[bool] = None,
     ) -> Tuple[dict, Optional[bytes]]:
         """
-        Custom sign_request to support instance principals.
-        Uses OCI SDK's native signers for instance principals.
+        Custom sign_request to support instance principals and workload identity.
+        If oci_signer is present, use it for signing; otherwise use credential-based auth.
         """
-        oci_auth_type = optional_params.get("oci_auth_type")
+        oci_signer = optional_params.get("oci_signer")
 
-        # If using instance principals or workload identity, use OCI SDK signers
-        if oci_auth_type in ("instance_principal", "oke_workload_identity"):
-            logger.info("Using OCI %s for request signing", oci_auth_type)
-
-            # Get the appropriate signer
-            if oci_auth_type == "instance_principal":
-                signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
-            else:  # oke_workload_identity
-                signer = oci.auth.signers.get_oke_workload_identity_resource_principal_signer()
+        # If signer is provided, use it for request signing
+        if oci_signer:
+            logger.info("Using OCI signer for request signing")
 
             # Prepare the request
             from urllib.parse import urlparse
@@ -202,8 +196,8 @@ def __init__(self, method, url, headers, body):
 
             mock_request = MockRequest(method=method, url=api_base, headers=prepared_headers, body=body)
 
-            # Sign the request using OCI SDK
-            signer.do_request_sign(mock_request, enforce_content_headers=True)
+            # Sign the request using the provided OCI signer
+            oci_signer.do_request_sign(mock_request, enforce_content_headers=True)
 
             # Update headers with signed headers
             headers.update(mock_request.headers)