RHOAIENG-11155: Better explanation of 'Authorize Access' UI

components/odh-notebook-controller/controllers/notebook_controller.go

@@ -225,6 +225,12 @@ func (r *OpenshiftNotebookReconciler) Reconcile(ctx context.Context, req ctrl.Re
 			if err != nil {
 				return ctrl.Result{}, err
 			}
+
+			// Call the OAuthClient reconciler
+			err = r.ReconcileOAuthClient(notebook, ctx)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
 		} else {
 			// Call the route reconciler (see notebook_route.go file)
 			err = r.ReconcileRoute(notebook, ctx)

components/odh-notebook-controller/controllers/notebook_controller_test.go

@@ -641,6 +641,15 @@
 									},
 								},
 							},
+							{
+								Name: "oauth-client",
+								VolumeSource: corev1.VolumeSource{
+									Secret: &corev1.SecretVolumeSource{
+										SecretName:  Name + "-oauth-client",
+										DefaultMode: pointer.Int32Ptr(420),
+									},
+								},
+							},
 							{
 								Name: "tls-certificates",
 								VolumeSource: corev1.VolumeSource{
@@ -1024,6 +1033,9 @@
 			"--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
 			"--email-domain=*",
 			"--skip-provider-button",
+			`--client-id=` + name + `-` + namespace + `-oauth-client`,
+			"--client-secret-file=/etc/oauth/client/secret",
+			"--scope=user:info user:check-access",
 			`--openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org",` +
 				`"resourceName":"` + name + `","namespace":"$(NAMESPACE)"}`,
 			"--logout-url=https://example.notebook-url/notebook/" + namespace + "/" + name,
@@ -1072,6 +1084,10 @@
 			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      "oauth-client",
+				MountPath: "/etc/oauth/client",
+			},
 			{
 				Name:      "oauth-config",
 				MountPath: "/etc/oauth/config",

components/odh-notebook-controller/controllers/notebook_oauth.go

@@ -19,17 +19,23 @@ import (
 	"context"
 	"crypto/rand"
 	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"math/big"
 	"reflect"
 
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	nbv1 "github.com/kubeflow/kubeflow/components/notebook-controller/api/v1"
+	oauthv1 "github.com/openshift/api/oauth/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	corev1 "k8s.io/api/core/v1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	logf "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
 const (
@@ -39,12 +45,24 @@ const (
 	// taken from https://catalog.redhat.com/software/containers/openshift4/ose-oauth-proxy/5cdb2133bed8bd5717d5ae64?image=66cefc14401df6ff4664ec43&architecture=amd64&container-tabs=overview
 	// and kept in sync with the manifests here and in ClusterServiceVersion metadata of opendatahub operator
 	OAuthProxyImage = "registry.redhat.io/openshift4/ose-oauth-proxy@sha256:4f8d66597feeb32bb18699326029f9a71a5aca4a57679d636b876377c2e95695"
+
+	// Strings used in secret generation
+	letterRunes = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+	// Complexity of generated secrets, this will be stored in a const for now, but in the future
+	// there is the possibility of creating a specific file to manage secrets, change the size of
+	// the complexity if required, etc. For now, a complexity of 16 will suffice.
+	SECRET_DEFAULT_COMPLEXITY = 16
 )
 
 type OAuthConfig struct {
 	ProxyImage string
 }
 
+type OAuthClientConfig struct {
+	Name string
+}
+
 // NewNotebookServiceAccount defines the desired service account object
 func NewNotebookServiceAccount(notebook *nbv1.Notebook) *corev1.ServiceAccount {
 	return &corev1.ServiceAccount{
@@ -209,39 +227,92 @@ func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret {
 	}
 }
 
+// The NewNotebookOAuthClientSecret will generate a random secret that will be used
+// by the OAuth proxy sidecar container to automatically accept the required permissions
+// for the user to access a notebook instead of showing up a page where the user needs to
+// aggree with content he might not fully understand
+// More info: https://issues.redhat.com/browse/RHOAIENG-11155
+func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
+	// Generate the client secret for the OAuth proxy
+	randomValue := make([]byte, SECRET_DEFAULT_COMPLEXITY)
+	for i := 0; i < SECRET_DEFAULT_COMPLEXITY; i++ {
+		num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes))))
+		if err != nil {
+			fmt.Printf("Error generating secret: %v\n", err)
+		}
+		randomValue[i] = letterRunes[num.Int64()]
+	}
+
+	// Create a Kubernetes secret to store the cookie secret
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      notebook.Name + "-oauth-client",
+			Namespace: notebook.Namespace,
+			Labels: map[string]string{
+				"notebook-name": notebook.Name,
+			},
+		},
+		StringData: map[string]string{
+			"secret": string(randomValue),
+		},
+	}
+}
+
 // ReconcileOAuthSecret will manage the OAuth secret reconciliation required by
 // the notebook OAuth proxy
 func (r *OpenshiftNotebookReconciler) ReconcileOAuthSecret(notebook *nbv1.Notebook, ctx context.Context) error {
-	// Initialize logger format
-	log := r.Log.WithValues("notebook", notebook.Name, "namespace", notebook.Namespace)
-
 	// Generate the desired OAuth secret
-	desiredSecret := NewNotebookOAuthSecret(notebook)
+	desiredOAuthSecret := NewNotebookOAuthSecret(notebook)
+	_ = r.createSecret(notebook, ctx, desiredOAuthSecret)
+
+	// Generate the desired OAuthClientSecret
+	desiredOAuthClientSecret := NewNotebookOAuthClientSecret(notebook)
+	_ = r.createSecret(notebook, ctx, desiredOAuthClientSecret)
+
+	return nil
+}
+
+func (r *OpenshiftNotebookReconciler) ReconcileOAuthClient(notebook *nbv1.Notebook, ctx context.Context) error {
+	log := logf.FromContext(ctx)
+
+	err := r.createOAuthClient(notebook, ctx)
+	if err != nil {
+		log.Error(err, "Unable to handle OAuthClient creation / update")
+		return err
+	}
+
+	return nil
+}
 
-	// Create the OAuth secret if it does not already exist
-	foundSecret := &corev1.Secret{}
+func (r *OpenshiftNotebookReconciler) createSecret(notebook *nbv1.Notebook, ctx context.Context, desiredSecret *corev1.Secret) error {
+	log := logf.FromContext(ctx)
+
+	secret := &corev1.Secret{}
 	err := r.Get(ctx, types.NamespacedName{
 		Name:      desiredSecret.Name,
 		Namespace: notebook.Namespace,
-	}, foundSecret)
+	}, secret)
+
 	if err != nil {
 		if apierrs.IsNotFound(err) {
-			log.Info("Creating OAuth Secret")
-			// Add .metatada.ownerReferences to the OAuth secret to be deleted by
+			log.Info("Creating ", "secret", desiredSecret.Name)
+
+			// Add .metatada.ownerReferences to the OAuth client secret to be deleted by
 			// the Kubernetes garbage collector if the notebook is deleted
 			err = ctrl.SetControllerReference(notebook, desiredSecret, r.Scheme)
 			if err != nil {
-				log.Error(err, "Unable to add OwnerReference to the OAuth Secret")
+				log.Error(err, "Unable to add OwnerReference to secret ", desiredSecret.Name)
 				return err
 			}
-			// Create the OAuth secret in the Openshift cluster
+
+			// Create the OAuth client secret in the Openshift cluster
 			err = r.Create(ctx, desiredSecret)
 			if err != nil && !apierrs.IsAlreadyExists(err) {
-				log.Error(err, "Unable to create the OAuth Secret")
+				log.Error(err, "Unable to create secret ", desiredSecret.Name)
 				return err
 			}
 		} else {
-			log.Error(err, "Unable to fetch the OAuth Secret")
+			log.Error(err, "Unable to fetch secret")
 			return err
 		}
 	}
@@ -264,3 +335,61 @@ func (r *OpenshiftNotebookReconciler) ReconcileOAuthRoute(
 	notebook *nbv1.Notebook, ctx context.Context) error {
 	return r.reconcileRoute(notebook, ctx, NewNotebookOAuthRoute)
 }
+
+func (r *OpenshiftNotebookReconciler) createOAuthClient(notebook *nbv1.Notebook, ctx context.Context) error {
+	log := logf.FromContext(ctx)
+
+	//
+	oauthClientRoute := &routev1.Route{}
+	err := r.Get(ctx, types.NamespacedName{
+		Name:      notebook.Name,
+		Namespace: notebook.Namespace,
+	}, oauthClientRoute)
+	if err != nil {
+		log.Error(err, "Unable to retrieve route", "route", notebook.Name)
+		return err
+	}
+
+	//
+	secret := &corev1.Secret{}
+	err = r.Get(ctx, types.NamespacedName{
+		Name:      notebook.Name + "-oauth-client",
+		Namespace: notebook.Namespace,
+	}, secret)
+	if err != nil {
+		log.Error(err, "Unable to retrieve secret", "secret", notebook.Name)
+		return err
+	}
+
+	stringData := string(secret.Data["secret"])
+
+	oauthClient := &oauthv1.OAuthClient{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "OAuthClient",
+			APIVersion: "oauth.openshift.io/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: notebook.Name + "-" + notebook.Namespace + "-oauth-client",
+		},
+		Secret:       stringData,
+		RedirectURIs: []string{"https://" + oauthClientRoute.Spec.Host},
+		GrantMethod:  oauthv1.GrantHandlerAuto,
+	}
+
+	err = r.Client.Create(ctx, oauthClient)
+	if err != nil {
+		if apierrs.IsAlreadyExists(err) {
+			data, err := json.Marshal(oauthClient)
+			if err != nil {
+				return fmt.Errorf("failed to get DataScienceCluster custom resource data: %w", err)
+			}
+			if err = r.Client.Patch(ctx, oauthClient, client.RawPatch(types.ApplyPatchType, data),
+				client.ForceOwnership, client.FieldOwner("rhods-operator")); err != nil {
+				return fmt.Errorf("failed to patch existing OAuthClient CR: %w", err)
+			}
+			return nil
+		}
+	}
+
+	return nil
+}

components/odh-notebook-controller/controllers/notebook_webhook.go

@@ -100,6 +100,9 @@ func InjectOAuthProxy(notebook *nbv1.Notebook, oauth OAuthConfig) error {
 			"--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
 			"--email-domain=*",
 			"--skip-provider-button",
+			`--client-id=` + notebook.Name + `-` + notebook.Namespace + `-oauth-client`,
+			"--client-secret-file=/etc/oauth/client/secret",
+			"--scope=user:info user:check-access",
 			`--openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org",` +
 				`"resourceName":"` + notebook.Name + `","namespace":"$(NAMESPACE)"}`,
 		},
@@ -147,6 +150,10 @@ func InjectOAuthProxy(notebook *nbv1.Notebook, oauth OAuthConfig) error {
 			},
 		},
 		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      "oauth-client",
+				MountPath: "/etc/oauth/client",
+			},
 			{
 				Name:      "oauth-config",
 				MountPath: "/etc/oauth/config",
@@ -202,6 +209,29 @@ func InjectOAuthProxy(notebook *nbv1.Notebook, oauth OAuthConfig) error {
 		*notebookVolumes = append(*notebookVolumes, oauthVolume)
 	}
 
+	// Add the OAuth Client configuration volume:
+	// https://pkg.go.dev/k8s.io/api/core/v1#Volume
+	clientVolumeExists := false
+	clientVolume := corev1.Volume{
+		Name: "oauth-client",
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName:  notebook.Name + "-oauth-client",
+				DefaultMode: pointer.Int32(420),
+			},
+		},
+	}
+	for index, volume := range *notebookVolumes {
+		if volume.Name == "oauth-client" {
+			(*notebookVolumes)[index] = clientVolume
+			clientVolumeExists = true
+			break
+		}
+	}
+	if !clientVolumeExists {
+		*notebookVolumes = append(*notebookVolumes, clientVolume)
+	}
+
 	// Add the TLS certificates volume:
 	// https://pkg.go.dev/k8s.io/api/core/v1#Volume
 	tlsVolumeExists := false

components/odh-notebook-controller/main.go

@@ -40,6 +40,7 @@ import (
 
 	nbv1 "github.com/kubeflow/kubeflow/components/notebook-controller/api/v1"
 	configv1 "github.com/openshift/api/config/v1"
+	oauthv1 "github.com/openshift/api/oauth/v1"
 	routev1 "github.com/openshift/api/route/v1"
 	metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	//+kubebuilder:scaffold:imports
@@ -56,6 +57,7 @@ func init() {
 	utilruntime.Must(nbv1.AddToScheme(scheme))
 	utilruntime.Must(routev1.AddToScheme(scheme))
 	utilruntime.Must(configv1.AddToScheme(scheme))
+	utilruntime.Must(oauthv1.AddToScheme(scheme))
 
 	//+kubebuilder:scaffold:scheme
 }