RHOAIENG-11155: Better explanation of 'Authorize Access' UI #449
Conversation
Thanks for opening this PR! Steps to reproduce:
What did I miss?
@@ -1 +1 @@ | |||
odh-notebook-controller-image=quay.io/opendatahub/odh-notebook-controller:main-3f931d2 | |||
odh-notebook-controller-image=quay.io/dlutz/odh-notebook-controller:authorize-access |
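Review bot: this hunk repoints the controller image from the project registry (quay.io/opendatahub/odh-notebook-controller:main-3f931d2) to a personal build, quay.io/dlutz/odh-notebook-controller:authorize-access. If that lands, the manifest pulls controller code from a registry the project does not control, which is a supply-chain problem; keep the swap for the test run only and restore the upstream image (pinned by digest where possible) before merge.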
testing purposes? where? what?
0a53f60 to 8e285fd
VolumeSource: corev1.VolumeSource{ | ||
Secret: &corev1.SecretVolumeSource{ | ||
SecretName: Name + "-oauth-client-generated", | ||
DefaultMode: pointer.Int32Ptr(420), |
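Review bot: DefaultMode: pointer.Int32Ptr(420) writes the file mode in decimal; 420 is 0644, which leaves the mounted client secret readable by every user inside the container, and pointer.Int32Ptr is the deprecated helper the linter is flagging. Write it as ptr.To[int32](0440) (or 0400 where the proxy does not run under an arbitrary UID with an fsGroup, as it typically does on OpenShift): the octal literal reads as a mode, and only the proxy's own user or group can read the secret.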
@daniellutz the idea here is that the linter only runs on new code, so that's why it is not flagging the existing usages of pointer.Int32Ptr. What you should do here is simply use ptr.To instead of this, and it will work just fine. The idea is that ptr.To is a better replacement for the old functions, and it could not be used before because it requires Go 1.18+ features: https://pkg.go.dev/k8s.io/utils/ptr#section-readme
@daniellutz regarding "ODH Notebook Controller Integration Test / build (pull_request) Failing after 14m":
That's never going to pass, because in the test we are running in a KinD cluster (https://kind.sigs.k8s.io/) and we only have the notebook controller and no other components of RHOAI; most importantly, we don't have rhods-operator, which would create your oauth secret for the pod. So the solution should be to create the secret in the test setup. I'll take a look r.n.
Edit: got it resolved; but when I copied an actual random secret from my cluster, I got yelled at by the prodsec code scanning tool that I am leaking secrets into GitHub. I need to get some example secret that will not trigger their bots.
"notebook-name": notebook.Name, | ||
}, | ||
Annotations: map[string]string{ | ||
"secret-generator.opendatahub.io/name": "secret", |
FYI: this specific annotation is used by rhoai-operator to create a secret <secret-name>-generated
Based on the discussion with the platform team, we got to know it would be better if the logic for the secret is on our own side, so let's adjust that.
@@ -209,6 +209,26 @@ func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret { | |||
} | |||
} | |||
|
|||
// NewNotebookOAuthClientSecret defines the desired OAuth client secret object | |||
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret { |
As we would not be utilizing the opendatahub-operator secretgenerator, let's change the logic here and write our own secret creation. Please take this as reference:
func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret {
and adjust this function; for the secret generation, utilize the logic of the random function from here: https://github.com/opendatahub-io/opendatahub-operator/blob/c1671ab5fd11baea814f8acdee1bc448d502fb1c/controllers/secretgenerator/secret.go#L91
```go
// Needs "crypto/rand" and "math/big" imported alongside the existing imports.
// letterRunes and the length are not defined in the posted snippet; an
// alphanumeric alphabet and 32 characters are assumed here.
const oauthClientSecretLength = 32

var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")

// NewNotebookOAuthClientSecret defines the desired OAuth client secret object.
// It returns an error instead of a partially filled secret if the CSPRNG fails.
func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) (*corev1.Secret, error) {
	// Generate the client secret for the OAuth proxy, one uniformly drawn rune at a time
	randomValue := make([]rune, oauthClientSecretLength)
	for i := range randomValue {
		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes))))
		if err != nil {
			return nil, err
		}
		randomValue[i] = letterRunes[num.Int64()]
	}
	// Create a Kubernetes secret to store the OAuth client secret
	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      notebook.Name + "-oauth-client",
			Namespace: notebook.Namespace,
			Labels: map[string]string{
				"notebook-name": notebook.Name,
			},
		},
		StringData: map[string]string{
			"secret": string(randomValue),
		},
	}, nil
}
```
and adjust the oauth-proxy to directly pick value from this secret
- Add volumes to store the oauth-client configuration;
- Add extra parameters to container creation, including --client-id, --client-secret and --scope;
- Add method to generate the secret randomly when authenticating using OAuth;
- Add link between the notebook's route, user's generated oauth secret and OAuthClient config;
b492194 to 5ba8387
[APPROVALNOTIFIER] This PR is NOT APPROVED.
I've had to change the methods from what we were trying before, due to unplanned changes from other teams to namespace watching and to the secret generation work. Now, the script will get the notebook's route, automatically generate the secret, create the OAuthClient link between the route and the secret, and enable the access without requesting permissions with the UI. Reach out in case of any questions, suggestions, etc.
@daniellutz: The following test failed, say
Looks like the test failures are legit.
This is running only on openshift-ci; that's why GHA is passing.
// Create the OAuth secret if it does not already exist | ||
foundSecret := &corev1.Secret{} | ||
func (r *OpenshiftNotebookReconciler) createSecret(notebook *nbv1.Notebook, ctx context.Context, desiredSecret *corev1.Secret) error { |
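Review bot: createSecret takes ctx as its second parameter; Go convention, and the rest of controller-runtime, pass context.Context first, so the signature should read (ctx context.Context, notebook *nbv1.Notebook, desiredSecret *corev1.Secret). The comment above it, "Create the OAuth secret if it does not already exist", also shows the function is a no-op when the secret is present, so a name like reconcileSecret or ensureSecret describes its behaviour better than createSecret.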
func (r *OpenshiftNotebookReconciler) createSecret(notebook *nbv1.Notebook, ctx context.Context, desiredSecret *corev1.Secret) error { | |
func (r *OpenshiftNotebookReconciler) reconcileSecret(notebook *nbv1.Notebook, ctx context.Context, desiredSecret *corev1.Secret) error { |
The function creates the secret only if it does not already exist, so the name should reflect that.
func (r *OpenshiftNotebookReconciler) createOAuthClient(notebook *nbv1.Notebook, ctx context.Context) error { | ||
log := logf.FromContext(ctx) | ||
|
||
// |
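Review bot: the bare // line after log := logf.FromContext(ctx) is an empty comment; either delete it or turn it into the doc comment this method lacks (what createOAuthClient creates, and which route and secret it binds). The same ctx-second parameter order as createSecret applies here too: (ctx context.Context, notebook *nbv1.Notebook) is the conventional form.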
do these empty comment lines mean anything? just asking
lgtm, the only thing that really should be fixed is the ocp-ci e2e test, but other than that it's good to go imo
I'm trying the PR images. This is what happens with a running notebook if I switch from the regular controllers in the 2.17 nightly to the PR ones:
Not very understandable to read, but I guess it's refusing to mount the oauth config as a volume, which is correct, to prevent a pod restart. And the pod was not restarted, so that's good. One more thing: what happens if I start the pod with the old controller, then switch to the new controller images, and only then try to access the workbench (with all the oauth flow)? And that did immediately start working for me, no oauth dialog. Even without restarting the workbench container, apparently, the oauth prompt did not appear! I immediately got thrown into Jupyter. I'm shocked, will try this again. Starting and opening a brand new workbench gave me
FAIL!
This feature will improve the user experience in such a way that the OAuth scope required of the user will change from a UI showing the scopes to a simple login confirmation page, according to https://issues.redhat.com/browse/RHOAIENG-11155
Description
There is an option to inject the OAuth scope into the proxy sidecar container, so that the user is only required to confirm their login to accept it, instead of being shown a page with confusing permissions and a bad user experience.
Not only does the OAuth scope need to be passed on, but a volume also needs to be mounted to provide the OAuth client secret, so that the application knows who is authenticating.
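As an added, stand-alone example (not code from this PR or from the notebook controller): the flow described in the comment above that begins "I've had to change the methods" and in this description, written in Go with only the standard library. It generates the client secret with crypto/rand the way the reviewer's reference snippet does, builds the OAuthClient that binds the notebook route to that secret, and assembles the extra oauth-proxy flags. The OAuthClient struct is a hand-written stand-in for github.com/openshift/api/oauth/v1.OAuthClient reduced to the fields used; the mount path /etc/oauth/client, the /oauth/callback redirect path, the scope string, the sample notebook name, namespace and route host, and the use of --client-secret-file in place of the --client-secret flag the PR passes are this example's assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Alphabet and minimum length for the generated OAuth client secret. The
// alphanumeric alphabet follows the secret generator the review points to;
// the 32-character floor (about 190 bits) is this example's choice.
const (
	clientSecretAlphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	clientSecretMinLen   = 32
)

// GenerateClientSecret draws every character from the CSPRNG with rand.Int,
// which is uniform over the alphabet (no modulo bias). A CSPRNG failure
// yields an error, never a short or partially filled secret.
func GenerateClientSecret(length int) (string, error) {
	if length < clientSecretMinLen {
		return "", fmt.Errorf("client secret length %d is below the minimum %d", length, clientSecretMinLen)
	}
	limit := big.NewInt(int64(len(clientSecretAlphabet)))
	out := make([]byte, length)
	for i := range out {
		n, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", fmt.Errorf("reading CSPRNG: %w", err)
		}
		out[i] = clientSecretAlphabet[n.Int64()]
	}
	return string(out), nil
}

// OAuthClient is a hand-written stand-in for oauth.openshift.io/v1 OAuthClient
// (github.com/openshift/api/oauth/v1), reduced to the fields this flow needs.
type OAuthClient struct {
	APIVersion   string            `json:"apiVersion"`
	Kind         string            `json:"kind"`
	Metadata     map[string]string `json:"metadata"`
	Secret       string            `json:"secret"`
	RedirectURIs []string          `json:"redirectURIs"`
	GrantMethod  string            `json:"grantMethod"`
}

// NewNotebookOAuthClient binds the notebook route to the generated secret.
// OAuthClient is cluster-scoped, so the name carries the namespace to avoid
// collisions between same-named notebooks. GrantMethod "auto" is what removes
// the "Authorize Access" page: the OAuth server grants the scope without
// prompting. /oauth/callback is oauth-proxy's default callback path (assumed).
func NewNotebookOAuthClient(namespace, notebookName, routeHost, secret string) (*OAuthClient, error) {
	if routeHost == "" || strings.ContainsAny(routeHost, "/:?#") {
		return nil, fmt.Errorf("route host %q must be a bare hostname", routeHost)
	}
	if len(secret) < clientSecretMinLen {
		return nil, fmt.Errorf("refusing to register a %d-character client secret", len(secret))
	}
	return &OAuthClient{
		APIVersion:   "oauth.openshift.io/v1",
		Kind:         "OAuthClient",
		Metadata:     map[string]string{"name": namespace + "-" + notebookName},
		Secret:       secret,
		RedirectURIs: []string{"https://" + routeHost + "/oauth/callback"},
		GrantMethod:  "auto",
	}, nil
}

// Manifest renders the object as JSON, which oc/kubectl apply accept.
func (c *OAuthClient) Manifest() (string, error) {
	b, err := json.MarshalIndent(c, "", "  ")
	return string(b), err
}

// OAuthProxyArgs builds the sidecar flags the PR adds. The secret is read from
// the mounted Secret volume via --client-secret-file instead of being passed
// inline, so it never lands in the pod spec, events or `ps` output.
func OAuthProxyArgs(clientID, secretMountDir, scope string) []string {
	return []string{
		"--client-id=" + clientID,
		"--client-secret-file=" + secretMountDir + "/secret",
		"--scope=" + scope,
	}
}

func main() {
	// Constructed sample input: notebook "nb" in namespace "project-a" behind
	// a route host; nothing here talks to a cluster.
	secret, err := GenerateClientSecret(clientSecretMinLen)
	if err != nil {
		panic(err)
	}
	oc, err := NewNotebookOAuthClient("project-a", "nb", "nb-project-a.apps.example.com", secret)
	if err != nil {
		panic(err)
	}
	m, _ := oc.Manifest()
	fmt.Println(m)
	fmt.Println(strings.Join(OAuthProxyArgs(oc.Metadata["name"], "/etc/oauth/client", "user:info user:check-access"), " "))
}
```

With grantMethod set to prompt, the OAuth server asks the user to approve each requested scope, which is the "Authorize Access" page this PR removes; auto grants it silently after login. The namespace prefix in the OAuthClient name matters because the object is cluster-scoped and two notebooks in different namespaces would otherwise fight over one client.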
How Has This Been Tested?
Manual tests have been executed, using devFlags and with a clean test running in an OpenShift Local environment.
Would be helpful to provide the ready-to-use devFlags here.
Merge criteria: