Rhoaieng 14232 add auth crd #1452
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This PR can't be merged just yet 😢Please run For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/12318824711 |
This PR can't be merged just yet 😢Please run For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/12318856499 |
This PR can't be merged just yet 😢Please run For more info: https://github.com/opendatahub-io/opendatahub-operator/actions/runs/12349540685 |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
from
c440ea7 to
7a0feef
Compare
|
/retest |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
2 times, most recently
from
9c70e5b to
326ebe9
Compare
|
@lburgazzoli as per the slack conversation I added a watch in the DSCI so if the Auth CR is deleted the DSCI will recreate it. |
|
/retest |
2 similar comments
|
/retest |
|
/retest |
|
/retest |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
2 times, most recently
from
cb6c462 to
8648a17
Compare
| if newGroups { | ||
| err := rr.Client.Update(ctx, ai) | ||
| if err != nil { | ||
| return errors.New("error adding groups to Auth CR") |
There was a problem hiding this comment.
Should such errors be wrapped?
|
I doubt commit message with progress commits makes any sense. Would it be possible to put PR's description there? |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
from
8648a17 to
60b39f6
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1452 +/- ##
=======================================
Coverage ? 18.92%
=======================================
Files ? 161
Lines ? 10603
Branches ? 0
=======================================
Hits ? 2007
Misses ? 8370
Partials ? 226 ☔ View full report in Codecov by Sentry. |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
from
60b39f6 to
cf8067f
Compare
|
/retest |
|
When only DSCI is created, without DSC, we see following error Should we have default values instead or update error message for users stating they need to enable dashboard? |
|
|
||
| const ( | ||
| AuthServiceName = "auth" | ||
| AuthInstanceName = "auth" |
There was a problem hiding this comment.
nit: we have been using the naming format default-*(e.g default-dsc, default-dsci, default-monitoring) , can we update the name here as well?
There was a problem hiding this comment.
I initially used that naming of default-auth, but @andrewballantyne made the point that it seems strange to use default-auth when it's intended to be a singleton and I agree. There will only ever be one, the system doesn't allow two. A prefix of default seemed strange. It implies that there might be other non-default auth instances or that we are creating a default because the user didn't provide an auth instance.
There was a problem hiding this comment.
@VaishnaviHire wonder if the same case should be made against components ?
There was a problem hiding this comment.
Yeah Andrew's and Steven's points make sense. I do not remember the reason why we went with default- prefix. I am okay with removing the default, but we will have to have upgrade logic to update the names for components and dsc/dsci in ODH releases
There was a problem hiding this comment.
i guess: we have default-dsc/default-dsci, we carried this "default-" to the component CRs.
and it is easier to have the pattern as filter.
|
When I delete |
Seems a case for dynamic watching since the The other option (that I don't know if it is feasible at thist stage) would be to do the migration only once at startup time |
I'll add a check for the kind existing to catch that. If the dashboardConfig doesn't exist we shouldn't do anything but continue. We don't need it to exist we just need to read the content if it does. |
Wonder if we should also watch the |
Yeah great point. I'll add that. |
|
/retest |
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
2 times, most recently
from
dc1497a to
3574f73
Compare
@VaishnaviHire I hadn't really considered it, but in the future the Auth CR may handle Auth concerns beyond the DSC and DSCi so I think it sticking around isn't a big issue. It's similar behaviour to the dashboardConfig and is similarly expected to be user configuration. |
|
/retest |
Functionality Create Auth singleton instance if none exists. Copy groups from odhDashboardConfig into auth cr. Create Roles for admin and allowed groups. Create CLusterRole for admin groups. Create required rolebindings for each group in both lists. Create requires clusterROlebinding for each admin group. Delete the rolebinding or clusterrolebinding for any group removed from either list. add dynamic watch for dashboardConfig, fix labels and move functions into seperate file remove gvk watch for dashboardconfig
StevenTobin
force-pushed
the
RHOAIENG-14232_Add_auth_crd
branch
from
d360014 to
0f87a2c
Compare
|
@StevenTobin: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| WatchesGVK( | ||
| gvk.CustomResourceDefinition, | ||
| reconciler.WithEventHandler(handlers.ToNamed(serviceApi.AuthInstanceName)), | ||
| reconciler.WithPredicates(predicate.NewPredicateFuncs(func(object client.Object) bool { | ||
| return object.GetName() == odhDashboardConfigCRDName | ||
| }))). |
There was a problem hiding this comment.
wonder: why we need to watch this CRD.
dashboard can update this CRD, but Auth CR only care about value from adminGroups and allowedGroups.
so the change to other part of the CRD should not trigger reconcile for Auth CR,
right?
There was a problem hiding this comment.
This is to trigger the dynamic watching when the OdhDashbaordConfig CRD gets deployed as consequence of the dashboard installation. Without this, the controller won't notice the existence of the OdhDashbaordConfig resource.
| }))). | ||
| WatchesGVK( | ||
| gvk.OdhDashboardConfig, | ||
| reconciler.Dynamic(shouldWatchDashboardConfig), |
There was a problem hiding this comment.
if we are locking down changes in odh-dashboard-config (as read-only) for groupsConfig block, do we still need to watch this object? as if the change is done for .spec.dashboardConfig.disalbeModelMesh should reconcile be triggered.
There was a problem hiding this comment.
We have two options:
- we do sync
OdhDashbaordConfigonly once when creating theAuthinstance - we do sync
OdhDashbaordConfigas part of the reconcile loop.
As today, it is done as part of the reconcile loop (2), so we must watch the resource to be consistent, otherwise the sync would happen by chance i.e, if the controller gets restarted. I guess that when the auth stanza in the OdhDashbaordConfig will be made read-only, we can probably switch to option (1), but that's something for @StevenTobin and @csams to clarify.
Description
Add Auth controller and CRD.
Functionality
RHOAIENG-14231
How Has This Been Tested?
Creation of CR and Rolebindings
odh-adminsandsystem:authenticated.admingroups-roleandallowedgroups-roleexist in the applications namespace.admingroups-rolebindingandallowedgroups-rolebindingexist in the applications namespace.Copying info from dashboardConfig
Screenshot or short clip
Merge criteria