Remove creation of OAuth resources/logic and add annotation

Author: ChristianZaccaria

src/codeflare_sdk/cluster/cluster.py

@@ -33,10 +33,7 @@
 )
 from ..utils.kube_api_helpers import _kube_api_error_handling
 from ..utils.generate_yaml import is_openshift_cluster
-from ..utils.openshift_oauth import (
-    create_openshift_oauth_objects,
-    delete_openshift_oauth_objects,
-)
+
 from .config import ClusterConfiguration
 from .model import (
     AppWrapper,
@@ -226,10 +223,6 @@ def up(self):
         the MCAD queue.
         """
         namespace = self.config.namespace
-        if self.config.openshift_oauth:
-            create_openshift_oauth_objects(
-                cluster_name=self.config.name, namespace=namespace
-            )
 
         try:
             config_check()
@@ -281,11 +274,6 @@ def down(self):
         except Exception as e:  # pragma: no cover
             return _kube_api_error_handling(e)
 
-        if self.config.openshift_oauth:
-            delete_openshift_oauth_objects(
-                cluster_name=self.config.name, namespace=namespace
-            )
-
     def status(
         self, print_to_console: bool = True
     ) -> Tuple[CodeFlareClusterStatus, bool]:

src/codeflare_sdk/templates/base-template.yaml

@@ -40,6 +40,8 @@ spec:
         apiVersion: ray.io/v1
         kind: RayCluster
         metadata:
+          annotations:
+            codeflare.dev/oauth: 'False'
           labels:
             workload.codeflare.dev/appwrapper: "aw-kuberay"
             controller-tools.k8s.io: "1.0"
@@ -169,6 +171,12 @@ spec:
                   - mountPath: /etc/ssl/certs/odh-ca-bundle.crt
                     name: odh-ca-cert
                     subPath: odh-ca-bundle.crt
+                  env:
+                  - name: COOKIE_SECRET
+                    valueFrom:
+                      secretKeyRef:
+                        name: jobtest-oauth-config
+                        key: cookie_secret
                 initContainers:
                 - command:
                   - sh

src/codeflare_sdk/utils/generate_yaml.py

@@ -219,12 +219,17 @@ def update_rayclient_ingress(
     spec["rules"][0]["host"] = f"rayclient-{cluster_name}-{namespace}.{ingress_domain}"
 
 
-def update_names(yaml, item, appwrapper_name, cluster_name, namespace):
+def update_names(yaml, item, appwrapper_name, cluster_name, namespace, openshift_oauth):
     metadata = yaml.get("metadata")
     metadata["name"] = appwrapper_name
     metadata["namespace"] = namespace
     lower_meta = item.get("generictemplate", {}).get("metadata")
     lower_meta["labels"]["workload.codeflare.dev/appwrapper"] = appwrapper_name
+    lower_meta["annotations"]["codeflare.dev/oauth"] = f"{openshift_oauth}"
+    lower_spec = item.get("generictemplate", {}).get("spec")
+    lower_spec["headGroupSpec"]["template"]["spec"]["containers"][0]["env"][-1][
+        "valueFrom"
+    ]["secretKeyRef"]["name"] = f"{cluster_name}-oauth-config"
     lower_meta["name"] = cluster_name
     lower_meta["namespace"] = namespace
 
@@ -694,7 +699,9 @@ def generate_appwrapper(
     item = resources["resources"].get("GenericItems")[0]
     ingress_item = resources["resources"].get("GenericItems")[1]
     route_item = resources["resources"].get("GenericItems")[2]
-    update_names(user_yaml, item, appwrapper_name, cluster_name, namespace)
+    update_names(
+        user_yaml, item, appwrapper_name, cluster_name, namespace, openshift_oauth
+    )
     update_labels(user_yaml, instascale, instance_types)
     update_priority(user_yaml, item, dispatch_priority, priority_val)
     update_custompodresources(

src/codeflare_sdk/utils/openshift_oauth.py

@@ -39,7 +39,6 @@
     get_cluster,
     _app_wrapper_status,
     _ray_cluster_status,
-    _get_ingress_domain,
     get_ingress_domain_from_client,
 )
 from codeflare_sdk.cluster.auth import (
@@ -48,10 +47,6 @@
     KubeConfigFileAuthentication,
     config_check,
 )
-from codeflare_sdk.utils.openshift_oauth import (
-    create_openshift_oauth_objects,
-    delete_openshift_oauth_objects,
-)
 from codeflare_sdk.utils.pretty_print import (
     print_no_resources_found,
     print_app_wrappers_status,
@@ -92,7 +87,6 @@
     read_template,
     enable_local_interactive,
 )
-import codeflare_sdk.utils.openshift_oauth as sdk_oauth
 
 import openshift
 from openshift.selector import Selector
@@ -114,7 +108,6 @@
 
 def mock_routes_api(mocker):
     mocker.patch.object(
-        sdk_oauth,
         "_route_api_getter",
         return_value=MagicMock(
             resources=MagicMock(
@@ -589,24 +582,6 @@ def test_rc_status(mocker):
     assert rc == None
 
 
-def test_delete_openshift_oauth_objects(mocker):
-    mocker.patch.object(client.CoreV1Api, "delete_namespaced_service_account")
-    mocker.patch.object(client.CoreV1Api, "delete_namespaced_service")
-    mocker.patch.object(client.NetworkingV1Api, "delete_namespaced_ingress")
-    mocker.patch.object(client.RbacAuthorizationV1Api, "delete_cluster_role_binding")
-    mock_routes_api(mocker)
-    delete_openshift_oauth_objects("test-cluster", "test-namespace")
-    client.CoreV1Api.delete_namespaced_service_account.assert_called_with(
-        name="test-cluster-oauth-proxy", namespace="test-namespace"
-    )
-    client.CoreV1Api.delete_namespaced_service.assert_called_with(
-        name="test-cluster-oauth", namespace="test-namespace"
-    )
-    client.RbacAuthorizationV1Api.delete_cluster_role_binding.assert_called_with(
-        name="test-cluster-rb"
-    )
-
-
 def test_cluster_uris(mocker):
     mocker.patch("kubernetes.client.ApisApi.get_api_versions")
     mocker.patch("kubernetes.config.load_kube_config", return_value="ignore")
@@ -2874,84 +2849,6 @@ def test_enable_local_interactive(mocker):
     }
 
 
-def test_create_openshift_oauth(mocker: MockerFixture):
-    create_namespaced_service_account = MagicMock()
-    create_cluster_role_binding = MagicMock()
-    create_namespaced_service = MagicMock()
-    mocker.patch.object(
-        client.CoreV1Api,
-        "create_namespaced_service_account",
-        create_namespaced_service_account,
-    )
-    mocker.patch.object(
-        client.RbacAuthorizationV1Api,
-        "create_cluster_role_binding",
-        create_cluster_role_binding,
-    )
-    mocker.patch.object(
-        client.CoreV1Api, "create_namespaced_service", create_namespaced_service
-    )
-    mock_routes_api(mocker)
-    create_openshift_oauth_objects("foo", "bar")
-    create_ns_sa_args = create_namespaced_service_account.call_args
-    create_crb_args = create_cluster_role_binding.call_args
-    create_ns_serv_args = create_namespaced_service.call_args
-    assert (
-        create_ns_sa_args.kwargs["namespace"] == create_ns_serv_args.kwargs["namespace"]
-    )
-    assert isinstance(create_ns_sa_args.kwargs["body"], client.V1ServiceAccount)
-    assert isinstance(create_crb_args.kwargs["body"], client.V1ClusterRoleBinding)
-    assert isinstance(create_ns_serv_args.kwargs["body"], client.V1Service)
-
-
-def test_replace_openshift_oauth(mocker: MockerFixture):
-    # not_found_exception = client.ApiException(reason="Conflict")
-    create_namespaced_service_account = MagicMock(
-        side_effect=client.ApiException(reason="Conflict")
-    )
-    create_cluster_role_binding = MagicMock(
-        side_effect=client.ApiException(reason="Conflict")
-    )
-    create_namespaced_service = MagicMock(
-        side_effect=client.ApiException(reason="Conflict")
-    )
-    mocker.patch.object(
-        client.CoreV1Api,
-        "create_namespaced_service_account",
-        create_namespaced_service_account,
-    )
-    mocker.patch.object(
-        client.RbacAuthorizationV1Api,
-        "create_cluster_role_binding",
-        create_cluster_role_binding,
-    )
-    mocker.patch.object(
-        client.CoreV1Api, "create_namespaced_service", create_namespaced_service
-    )
-    mocker.patch.object(dynamic.ResourceList, "get", return_value=True)
-    replace_namespaced_service_account = MagicMock()
-    replace_cluster_role_binding = MagicMock()
-    replace_namespaced_service = MagicMock()
-    mocker.patch.object(
-        client.CoreV1Api,
-        "replace_namespaced_service_account",
-        replace_namespaced_service_account,
-    )
-    mocker.patch.object(
-        client.RbacAuthorizationV1Api,
-        "replace_cluster_role_binding",
-        replace_cluster_role_binding,
-    )
-    mocker.patch.object(
-        client.CoreV1Api, "replace_namespaced_service", replace_namespaced_service
-    )
-    mock_routes_api(mocker)
-    create_openshift_oauth_objects("foo", "bar")
-    replace_namespaced_service_account.assert_called_once()
-    replace_cluster_role_binding.assert_called_once()
-    replace_namespaced_service.assert_called_once()
-
-
 def test_gen_app_wrapper_with_oauth(mocker: MockerFixture):
     mocker.patch("kubernetes.client.ApisApi.get_api_versions")
     mocker.patch(