RHOAIENG-11155: Better explanation of 'Authorize Access' UI

[daniellutz]

This feature will improve the user experience in a way that the user required OAuth scope will change from a UI showing the scopes to a simple login confirmation page, according to https://issues.redhat.com/browse/RHOAIENG-11155

To test this PR, params.env have been changed to point to another generated image, so it will pick the correct content due to the changes made, so the test would be recommended to be with the devFlags instead of pointing directly to the PR generated image

Description

There is an option to inject the OAuth scope into the proxy sidecar container, in a way that it will be required only for the user to confirm his login to accept it, instead of showing up a page with confusing permissions and a bad user experience.

Not only the OAuth scope need to be passed on, but also a volume need to be mounted to gather the OAuth client secret, in a way that the application understands who is authenticating properly.

How Has This Been Tested?

Manual tests have been executed, using devFlags and with a clean test running in OpenShift Local environment.

• quay.io/opendatahub/kubeflow-notebook-controller:pr-449
• quay.io/opendatahub/odh-notebook-controller:pr-449

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign caponetto for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[atheo89]

Thank for opening this PR!
Seems that in my end there is no oauth-client data in order to be mounted and start properly the oauth proxy.

Steps to reproduce:

1. Replace odh-notebook-controller image with the one that generated from this PR.

2. Create a new notebook

3. Then I got:
   

4. Logs from oauth conteiner show:

2024/11/14 08:31:30 provider.go:120: Defaulting client-id to system:serviceaccount:test:q2
2024/11/14 08:31:30 provider.go:125: Defaulting client-secret to service account token /var/run/secrets/kubernetes.io/serviceaccount/token
2024/11/14 08:31:30 main.go:140: Invalid configuration:
  cannot read client-secret-file: open /etc/oauth/client/secret: no such file or directory

atheodor@fedora:~-$ oc get secrets
NAME                       TYPE                      DATA   AGE
builder-dockercfg-jkztm    kubernetes.io/dockercfg   1      7d20h
default-dockercfg-knsk6    kubernetes.io/dockercfg   1      7d20h
deployer-dockercfg-9ngd6   kubernetes.io/dockercfg   1      7d20h
pipeline-dockercfg-5fn4m   kubernetes.io/dockercfg   1      7d20h
q2-dockercfg-2x9gd         kubernetes.io/dockercfg   1      35m
q2-oauth-client            Opaque                    0      35m      <---- Problematic secret
q2-oauth-config            Opaque                    1      35m
q2-tls                     kubernetes.io/tls         2      35m

6. Oauth-client didn't populated data secret and thats why failed

What i missed?

[jiridanek]

testing purposes? where? what?

[jiridanek]

@daniellutz the idea here is that the linter only runs on new code, so that's why it is not flagging the existing usages of pointer.Int32Ptr. What you should do here is to simply use ptr.To instead of this, and it will work just fine. The idea is that ptr.To is a better replacement for the old functions, and it could not be used before because it requires go 1.18+ features https://pkg.go.dev/k8s.io/utils/ptr#section-readme

[jiridanek]

@daniellutz regarding ODH Notebook Controller Integration Test / build (pull_request) Failing after 14m

  Warning  FailedMount  43s                kubelet            Unable to attach or mount volumes: unmounted volumes=[oauth-client], unattached volumes=[oauth-client oauth-config tls-certificates kube-api-access-mn78k]: timed out waiting for the condition

That's never going to pass because in the test we are running in a KinD cluster (https://kind.sigs.k8s.io/) and we only have the notebook controller and no other components of rhoai, most importantly we don't have rhods-operator that would create your oauth secret for the pod; so the solution should be to create the secret in test setup. I'll take a look r.n.

edit: got it resolved; but when i copied actual random secret from my cluster, I got yelled at by prodsec code scanning tool that I am leaking secrets into github. need to get some example secret that will not trigger their bots

[atheo89]

FYI: This specific annotations used by rhoai-operator to create a secret <secret-name>-generated

https://github.com/opendatahub-io/opendatahub-operator/tree/84d22f35a620f43f0e8b397b1b45e2bdb25a8f46/controllers/secretgenerator#basic-usage

[harshad16]

Based on the discussion with platform, team
we got to know, it would better if the logic of secret is on own side, so lets adjust that

[harshad16]

As we would not be utilizing, opendatahub-operator secretgenerator,
lets change the logic here, and write our own secret create

please take this as reference:

kubeflow/components/odh-notebook-controller/controllers/notebook_oauth.go

Line 190 in 30afc15

func NewNotebookOAuthSecret(notebook *nbv1.Notebook) *corev1.Secret {

and adjust this function , and for secret generation,
utilize the logic of random function from here: https://github.com/opendatahub-io/opendatahub-operator/blob/c1671ab5fd11baea814f8acdee1bc448d502fb1c/controllers/secretgenerator/secret.go#L91

Suggested change

	func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
	func NewNotebookOAuthClientSecret(notebook *nbv1.Notebook) *corev1.Secret {
	// Generate the client secret for the OAuth proxy
	randomValue := make([]byte, 32)
	for i := 0; i < secret.Complexity; i++ {
	num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letterRunes))))
	if err != nil {
	return err
	}
	randomValue[i] = letterRunes[num.Int64()]
	}
	// Create a Kubernetes secret to store the cookie secret
	return &corev1.Secret{
	ObjectMeta: metav1.ObjectMeta{
	Name: notebook.Name + "-oauth-client",
	Namespace: notebook.Namespace,
	Labels: map[string]string{
	"notebook-name": notebook.Name,
	},
	},
	StringData: map[string]string{
	"secret": string(randomValue),
	},
	}

and adjust the oauth-proxy to directly pick value from this secret