-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RHOAIENG-11155: Better explanation of 'Authorize Access' UI #449
base: main
Are you sure you want to change the base?
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thank for opening this PR! Steps to reproduce:
What i missed? |
@@ -1 +1 @@ | |||
odh-notebook-controller-image=quay.io/opendatahub/odh-notebook-controller:main-3f931d2 | |||
odh-notebook-controller-image=quay.io/dlutz/odh-notebook-controller:authorize-access |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
testing purposes? where? what?
0a53f60
to
8e285fd
Compare
This reverts commit 8e285fd.
VolumeSource: corev1.VolumeSource{ | ||
Secret: &corev1.SecretVolumeSource{ | ||
SecretName: Name + "-oauth-client-generated", | ||
DefaultMode: pointer.Int32Ptr(420), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@daniellutz the idea here is that the linter only runs on new code, so that's why it is not flagging the existing usages of pointer.Int32Ptr
. What you should do here is to simply use ptr.To
instead of this, and it will work just fine. The idea is that ptr.To is a better replacement for the old functions, and it could not be used before because it requires go 1.18+ features https://pkg.go.dev/k8s.io/utils/ptr#section-readme
@daniellutz regarding ODH Notebook Controller Integration Test / build (pull_request) Failing after 14m
That's never going to pass because in the test we are running in a KinD cluster (https://kind.sigs.k8s.io/) and we only have the notebook controller and no other components of rhoai, most importantly we don't have rhods-operator that would create your oauth secret for the pod; so the solution should be to create the secret in test setup. I'll take a look r.n. edit: got it resolved; but when i copied actual random secret from my cluster, I got yelled at by prodsec code scanning tool that I am leaking secrets into github. need to get some example secret that will not trigger their bots |
"notebook-name": notebook.Name, | ||
}, | ||
Annotations: map[string]string{ | ||
"secret-generator.opendatahub.io/name": "secret", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI: This specific annotations used by rhoai-operator to create a secret <secret-name>-generated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on the discussion with platform, team
we got to know, it would better if the logic of secret is on own side, so lets adjust that
@@ -209,6 +209,26 @@ func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret { | |||
} | |||
} | |||
|
|||
// NewNotebookOAuthClientSecret defines the desired OAuth client secret object | |||
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As we would not be utilizing, opendatahub-operator secretgenerator,
lets change the logic here, and write our own secret create
please take this as reference:
func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret { |
and adjust this function , and for secret generation,
utilize the logic of random function from here: https://github.com/opendatahub-io/opendatahub-operator/blob/c1671ab5fd11baea814f8acdee1bc448d502fb1c/controllers/secretgenerator/secret.go#L91
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret { | |
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret { | |
// Generate the client secret for the OAuth proxy | |
randomValue := make([]byte, 32) | |
for i := 0; i < secret.Complexity; i++ { | |
num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes)))) | |
if err != nil { | |
return err | |
} | |
randomValue[i] = letterRunes[num.Int64()] | |
} | |
// Create a Kubernetes secret to store the cookie secret | |
return &corev1.Secret{ | |
ObjectMeta: metav1.ObjectMeta{ | |
Name: notebook.Name + "-oauth-client", | |
Namespace: notebook.Namespace, | |
Labels: map[string]string{ | |
"notebook-name": notebook.Name, | |
}, | |
}, | |
StringData: map[string]string{ | |
"secret": string(randomValue), | |
}, | |
} |
and adjust the oauth-proxy to directly pick value from this secret
This feature will improve the user experience in a way that the user required OAuth scope will change from a UI showing the scopes to a simple login confirmation page, according to https://issues.redhat.com/browse/RHOAIENG-11155
Description
There is an option to inject the OAuth scope into the proxy sidecar container, in a way that it will be required only for the user to confirm his login to accept it, instead of showing up a page with confusing permissions and a bad user experience.
Not only the OAuth scope need to be passed on, but also a volume need to be mounted to gather the OAuth client secret, in a way that the application understands who is authenticating properly.
How Has This Been Tested?
Manual tests have been executed, using
devFlags
and with a clean test running in OpenShift Local environment.Merge criteria: