Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RHOAIENG-11155: Better explanation of 'Authorize Access' UI #449

Open
wants to merge 9 commits into
base: main
Choose a base branch
from
+123 −1
Open

RHOAIENG-11155: Better explanation of 'Authorize Access' UI #449

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
d9fb7b7
Add scope for oauth authentication
daniellutz Nov 12, 2024
2914a5f
Refactor code and fix tests
daniellutz Nov 13, 2024
55ddef2
Add the -generated to oauth-client volume name
daniellutz Nov 14, 2024
009b144
Add params.env for testing purposes
daniellutz Nov 12, 2024
8e285fd
Remove the -generated to oauth-client volume name
daniellutz Nov 14, 2024
3047718
Revert "Remove the -generated to oauth-client volume name"
daniellutz Nov 14, 2024
c9147f7
Merge branch 'main' into authorize-access-ui
jiridanek Nov 15, 2024
fefa76e
Create the oauth secrets in tests because we don't have rhods-operato…
jiridanek Nov 15, 2024
b492194
fixup, use nondeprecated pointer func alternative, see similar fixes …
jiridanek Nov 16, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions components/odh-notebook-controller/controllers/notebook_controller_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -646,6 +646,15 @@
},
},
},
{
Name: "oauth-client",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: Name + "-oauth-client-generated",
DefaultMode: pointer.Int32Ptr(420),

Check failure on line 654 in components/odh-notebook-controller/controllers/notebook_controller_test.go

View workflow job for this annotation

GitHub Actions / golangci-lint (components/odh-notebook-controller) 

SA1019: pointer.Int32Ptr is deprecated: Use ptr.To instead. (staticcheck)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daniellutz the idea here is that the linter only runs on new code, so that's why it is not flagging the existing usages of pointer.Int32Ptr. What you should do here is to simply use ptr.To instead of this, and it will work just fine. The idea is that ptr.To is a better replacement for the old functions, and it could not be used before because it requires go 1.18+ features https://pkg.go.dev/k8s.io/utils/ptr#section-readme

},
},
},
{
Name: "tls-certificates",
VolumeSource: corev1.VolumeSource{
Expand Down Expand Up @@ -1027,6 +1036,9 @@
"--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"--email-domain=*",
"--skip-provider-button",
`--client-id=` + name + `-oauth-client`,
"--client-secret-file=/etc/oauth/client/secret",
"--scope=user:info user:check-access",
`--openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org",` +
`"resourceName":"` + name + `","namespace":"$(NAMESPACE)"}`,
"--logout-url=https://example.notebook-url/notebook/" + namespace + "/" + name,
Expand Down Expand Up @@ -1075,6 +1087,10 @@
},
},
VolumeMounts: []corev1.VolumeMount{
{
Name: "oauth-client",
MountPath: "/etc/oauth/client",
},
{
Name: "oauth-config",
MountPath: "/etc/oauth/config",
Expand Down
50 changes: 50 additions & 0 deletions components/odh-notebook-controller/controllers/notebook_oauth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -209,6 +209,26 @@ func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret {
}
}

// NewNotebookOAuthClientSecret defines the desired OAuth client secret object
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we would not be utilizing, opendatahub-operator secretgenerator,
lets change the logic here, and write our own secret create

please take this as reference:

kubeflow/components/odh-notebook-controller/controllers/notebook_oauth.go

Line 190 in 30afc15

func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret {

and adjust this function , and for secret generation,
utilize the logic of random function from here: https://github.com/opendatahub-io/opendatahub-operator/blob/c1671ab5fd11baea814f8acdee1bc448d502fb1c/controllers/secretgenerator/secret.go#L91

Suggested change
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
// Generate the client secret for the OAuth proxy
randomValue := make([]byte, 32)
for i := 0; i < secret.Complexity; i++ {
num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes))))
if err != nil {
return err
}
randomValue[i] = letterRunes[num.Int64()]
}
// Create a Kubernetes secret to store the cookie secret
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: notebook.Name + "-oauth-client",
Namespace: notebook.Namespace,
Labels: map[string]string{
"notebook-name": notebook.Name,
},
},
StringData: map[string]string{
"secret": string(randomValue),
},
}

and adjust the oauth-proxy to directly pick value from this secret

// Generate the client secret for the OAuth proxy
return &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: notebook.Name + "-oauth-client",
Namespace: notebook.Namespace,
Labels: map[string]string{
"notebook-name": notebook.Name,
},
Annotations: map[string]string{
"secret-generator.opendatahub.io/name": "secret",
Copy link
Member

@atheo89 atheo89 Nov 15, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI: This specific annotations used by rhoai-operator to create a secret <secret-name>-generated

https://github.com/opendatahub-io/opendatahub-operator/tree/84d22f35a620f43f0e8b397b1b45e2bdb25a8f46/controllers/secretgenerator#basic-usage

"secret-generator.opendatahub.io/type": "random",
"secret-generator.opendatahub.io/complexity": "32",
"secret-generator.opendatahub.io/oauth-client-route": notebook.Name,
},
},
}
}

// ReconcileOAuthSecret will manage the OAuth secret reconciliation required by
// the notebook OAuth proxy
func (r *OpenshiftNotebookReconciler) ReconcileOAuthSecret(notebook *nbv1.Notebook, ctx context.Context) error {
Expand Down Expand Up @@ -246,6 +266,36 @@ func (r *OpenshiftNotebookReconciler) ReconcileOAuthSecret(notebook *nbv1.Notebo
}
}

// Generate the desired OAuth client secret
desiredClientSecret := NewNotebookOAuthClientSecret(notebook)
// Create the OAuth client secret if it does not already exist
foundClientSecret := &corev1.Secret{}
err = r.Get(ctx, types.NamespacedName{
Name: desiredClientSecret.Name,
Namespace: notebook.Namespace,
}, foundClientSecret)
if err != nil {
if apierrs.IsNotFound(err) {
log.Info("Creating OAuth Client Secret")
// Add .metatada.ownerReferences to the OAuth client secret to be deleted by
// the Kubernetes garbage collector if the notebook is deleted
err = ctrl.SetControllerReference(notebook, desiredClientSecret, r.Scheme)
if err != nil {
log.Error(err, "Unable to add OwnerReference to the OAuth Client Secret")
return err
}
// Create the OAuth client secret in the Openshift cluster
err = r.Create(ctx, desiredClientSecret)
if err != nil && !apierrs.IsAlreadyExists(err) {
log.Error(err, "Unable to create the OAuth Client Secret")
return err
}
} else {
log.Error(err, "Unable to fetch the OAuth Client Secret")
return err
}
}

return nil
}

Expand Down
30 changes: 30 additions & 0 deletions components/odh-notebook-controller/controllers/notebook_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,9 @@
"--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
"--email-domain=*",
"--skip-provider-button",
`--client-id=` + notebook.Name + `-oauth-client`,
"--client-secret-file=/etc/oauth/client/secret",
"--scope=user:info user:check-access",
`--openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org",` +
`"resourceName":"` + notebook.Name + `","namespace":"$(NAMESPACE)"}`,
},
Expand Down Expand Up @@ -145,6 +148,10 @@
},
},
VolumeMounts: []corev1.VolumeMount{
{
Name: "oauth-client",
MountPath: "/etc/oauth/client",
},
{
Name: "oauth-config",
MountPath: "/etc/oauth/config",
Expand Down Expand Up @@ -200,6 +207,29 @@
*notebookVolumes = append(*notebookVolumes, oauthVolume)
}

// Add the OAuth Client configuration volume:
// https://pkg.go.dev/k8s.io/api/core/v1#Volume
clientVolumeExists := false
clientVolume := corev1.Volume{
Name: "oauth-client",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: notebook.Name + "-oauth-client-generated",
DefaultMode: pointer.Int32Ptr(420),

Check failure on line 218 in components/odh-notebook-controller/controllers/notebook_webhook.go

View workflow job for this annotation

GitHub Actions / golangci-lint (components/odh-notebook-controller) 

SA1019: pointer.Int32Ptr is deprecated: Use ptr.To instead. (staticcheck)
},
},
}
for index, volume := range *notebookVolumes {
if volume.Name == "oauth-client" {
(*notebookVolumes)[index] = clientVolume
clientVolumeExists = true
break
}
}
if !clientVolumeExists {
*notebookVolumes = append(*notebookVolumes, clientVolume)
}

// Add the TLS certificates volume:
// https://pkg.go.dev/k8s.io/api/core/v1#Volume
tlsVolumeExists := false
Expand Down
Loading