Remove creation of OAuth resources/logic and add annotation

Author: ChristianZaccaria

Diff for: src/codeflare_sdk/cluster/cluster.py

@@ -33,10 +33,7 @@
 )
 from ..utils.kube_api_helpers import _kube_api_error_handling
 from ..utils.generate_yaml import is_openshift_cluster
-from ..utils.openshift_oauth import (
-    create_openshift_oauth_objects,
-    delete_openshift_oauth_objects,
-)
+
 from .config import ClusterConfiguration
 from .model import (
     AppWrapper,
@@ -226,10 +223,6 @@ def up(self):
         the MCAD queue.
         """
         namespace = self.config.namespace
-        if self.config.openshift_oauth:
-            create_openshift_oauth_objects(
-                cluster_name=self.config.name, namespace=namespace
-            )
 
         try:
             config_check()
@@ -281,11 +274,6 @@ def down(self):
         except Exception as e:  # pragma: no cover
             return _kube_api_error_handling(e)
 
-        if self.config.openshift_oauth:
-            delete_openshift_oauth_objects(
-                cluster_name=self.config.name, namespace=namespace
-            )
-
     def status(
         self, print_to_console: bool = True
     ) -> Tuple[CodeFlareClusterStatus, bool]:

Diff for: src/codeflare_sdk/templates/base-template.yaml

@@ -42,6 +42,7 @@ spec:
         metadata:
           annotations:
             sdk.codeflare.dev/local_interactive: "False"
+            codeflare.dev/oauth: 'False'
           labels:
             workload.codeflare.dev/appwrapper: "aw-kuberay"
             controller-tools.k8s.io: "1.0"

Diff for: src/codeflare_sdk/utils/generate_yaml.py

@@ -219,14 +219,29 @@ def update_rayclient_ingress(
     spec["rules"][0]["host"] = f"rayclient-{cluster_name}-{namespace}.{ingress_domain}"
 
 
-def update_names(yaml, item, appwrapper_name, cluster_name, namespace):
+def update_names(yaml, item, appwrapper_name, cluster_name, namespace, openshift_oauth):
     metadata = yaml.get("metadata")
     metadata["name"] = appwrapper_name
     metadata["namespace"] = namespace
     lower_meta = item.get("generictemplate", {}).get("metadata")
     lower_meta["labels"]["workload.codeflare.dev/appwrapper"] = appwrapper_name
+    lower_meta["annotations"]["codeflare.dev/oauth"] = f"{openshift_oauth}"
     lower_meta["name"] = cluster_name
     lower_meta["namespace"] = namespace
+    lower_spec = item.get("generictemplate", {}).get("spec")
+    if openshift_oauth:
+        cookie_secret_env_var = {
+            "name": "COOKIE_SECRET",
+            "valueFrom": {
+                "secretKeyRef": {
+                    "key": "cookie_secret",
+                    "name": f"{cluster_name}-oauth-config",
+                }
+            },
+        }
+        lower_spec["headGroupSpec"]["template"]["spec"]["containers"][0]["env"].append(
+            cookie_secret_env_var
+        )
 
 
 def update_labels(yaml, instascale, instance_types):
@@ -620,7 +635,7 @@ def _create_oauth_sidecar_object(
             "--upstream=http://localhost:8265",
             f"--tls-cert={tls_mount_location}/tls.crt",
             f"--tls-key={tls_mount_location}/tls.key",
-            f"--cookie-secret={b64encode(urandom(64)).decode('utf-8')}",  # create random string for encrypting cookie
+            "--cookie-secret=$(COOKIE_SECRET)",
             f'--openshift-delegate-urls={{"/":{{"resource":"pods","namespace":"{namespace}","verb":"get"}}}}',
         ],
         image="registry.redhat.io/openshift4/ose-oauth-proxy@sha256:1ea6a01bf3e63cdcf125c6064cbd4a4a270deaf0f157b3eabb78f60556840366",
@@ -707,7 +722,9 @@ def generate_appwrapper(
     item = resources["resources"].get("GenericItems")[0]
     ingress_item = resources["resources"].get("GenericItems")[1]
     route_item = resources["resources"].get("GenericItems")[2]
-    update_names(user_yaml, item, appwrapper_name, cluster_name, namespace)
+    update_names(
+        user_yaml, item, appwrapper_name, cluster_name, namespace, openshift_oauth
+    )
     update_labels(user_yaml, instascale, instance_types)
     update_priority(user_yaml, item, dispatch_priority, priority_val)
     update_custompodresources(

Diff for: src/codeflare_sdk/utils/openshift_oauth.py

@@ -3,6 +3,7 @@ apiVersion: ray.io/v1
 kind: RayCluster
 metadata:
   annotations:
+    codeflare.dev/oauth: 'False'
     sdk.codeflare.dev/ingress_domain: apps.cluster.awsroute.org
     sdk.codeflare.dev/local_interactive: 'False'
   labels:

Diff for: tests/test-case-no-mcad.yamls

@@ -33,6 +33,7 @@ spec:
         kind: RayCluster
         metadata:
           annotations:
+            codeflare.dev/oauth: 'False'
             sdk.codeflare.dev/ingress_domain: apps.cluster.awsroute.org
             sdk.codeflare.dev/local_interactive: 'False'
           labels:

Diff for: tests/test-case-prio.yaml

@@ -32,6 +32,7 @@ spec:
         kind: RayCluster
         metadata:
           annotations:
+            codeflare.dev/oauth: 'False'
             sdk.codeflare.dev/ingress_domain: apps.cluster.awsroute.org
             sdk.codeflare.dev/local_interactive: 'False'
           labels:

Diff for: tests/test-case.yaml

@@ -32,6 +32,7 @@ spec:
           annotations:
             sdk.codeflare.dev/ingress_domain: apps.cluster.awsroute.org
             sdk.codeflare.dev/local_interactive: 'False'
+            codeflare.dev/oauth: 'False'
           labels:
             controller-tools.k8s.io: '1.0'
             workload.codeflare.dev/appwrapper: unit-test-default-cluster