Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: option to disable create default userGroup on ODH and self-managed #1278

Open
wants to merge 3 commits into
base: incubation
Choose a base branch
from
Open

feat: option to disable create default userGroup on ODH and self-managed #1278

wants to merge 3 commits into from

Conversation

zdtsw
Copy link
Member

@zdtsw zdtsw commented Oct 7, 2024
edited
Loading

Description

user env variable ODH_DISABLE_USERGROUP to disable user group creation.
this works by manually create subscritpon and set value to "true"
by install operator from Operatorhub will still ,by default, to create group

(a different soltuion than #1276)

How Has This Been Tested?

  • delete odh-admin group from cluster
  • create
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: rhoai-catalog-dev
  namespace: openshift-marketplace
spec:
  displayName: usergroup
  image: 'quay.io/wenzhou/opendatahub-operator-catalog:v2.14.1007'
  publisher: wen
  sourceType: grpc

and

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription 
metadata:
  name: opendatahub-operator
  namespace: openshift-operators
spec:
  name: opendatahub-operator
  channel: fast
  source: rhoai-catalog-dev
  sourceNamespace: openshift-marketplace
  config:
     env:
      - name: "ODH_DISABLE_USERGROUP"
        value: "true"
  • see operator installed
  • manually create DSCI
  • check no group created afterwards

Screenshot or short clip

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

@zdtsw
feat: option to disable create default userGroup on ODH and self-managed
9491db9 
- this only works if user create subscription and pass in variable

Signed-off-by: Wen Zhou <[email protected]>
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 7, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Oct 7, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from zdtsw. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

lburgazzoli
lburgazzoli reviewed Oct 7, 2024
View reviewed changes
controllers/dscinitialization/dscinitialization_controller.go Outdated
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
disableUserGroup, exist := os.LookupEnv("DISABLE_USERGROUP")
if exist && disableUserGroup != "false" {
Copy link
Contributor

@lburgazzoli lburgazzoli Oct 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: since we don't need to distinguish between an empty value and an unset value, the check can probably simplified with os.Getenv("DISABLE_USERGROUP") == "true"

lburgazzoli
lburgazzoli reviewed Oct 7, 2024
View reviewed changes
controllers/dscinitialization/dscinitialization_controller.go Outdated
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
disableUserGroup, exist := os.LookupEnv("DISABLE_USERGROUP")
if exist && disableUserGroup != "false" {
Copy link
Contributor

@lburgazzoli lburgazzoli Oct 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: since we don't need to distinguish between an empty value and an unset value, the check can probably simplified with os.Getenv("DISABLE_USERGROUP") == "true"

lburgazzoli
lburgazzoli reviewed Oct 7, 2024
View reviewed changes
controllers/dscinitialization/dscinitialization_controller.go Outdated
if err != nil {
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
disableUserGroup, exist := os.LookupEnv("DISABLE_USERGROUP")
Copy link
Contributor

@lburgazzoli lburgazzoli Oct 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ideally the env var name should be defined as a constant and better to add a prefix i.e. ODH_ to avoid any risk with env vars automatically injected in the pod or defined by the container.

lphiri
lphiri reviewed Oct 7, 2024
View reviewed changes
Copy link

@lphiri lphiri left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@zdtsw @lburgazzoli i wonder if we should make this config closer to what we want to things to be in future. Disabling group is only one aspect, but things like secret generation is also broken with external oidc because it uses OauthClient CR. Would renaming the environment to point to why we are making this change help, for example ODH_USE_EXTERNAL_AUTH? This would be closer to what we eventually want to add to the DSCI API like Luca was suggesting.

@lburgazzoli
Copy link
Contributor

@lphiri yep that make sense

@zdtsw zdtsw marked this pull request as ready for review October 7, 2024 15:42
@openshift-ci openshift-ci bot requested a review from grdryn October 7, 2024 15:42
@zdtsw
Copy link
Member Author

zdtsw commented Oct 7, 2024

/test opendatahub-operator-e2e

VaishnaviHire
VaishnaviHire reviewed Oct 7, 2024
View reviewed changes
controllers/dscinitialization/dscinitialization_controller.go
if err != nil {
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
if os.Getenv("ODH_USE_EXTERNAL_AUTH") == "true" {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When upgrading, what is the default value for this env variable?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If e value is set in the subscription, it will persist even later upgrade to new Operator version. Subscription should not get changed.

@VaishnaviHire
Copy link
Member

/lgtm

Just a small request to keep the env name platform agnostic.

@openshift-ci openshift-ci bot added the lgtm label Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lburgazzoli lburgazzoli lburgazzoli left review comments

@lphiri lphiri lphiri left review comments

@VaishnaviHire VaishnaviHire VaishnaviHire left review comments

@grdryn grdryn Awaiting requested review from grdryn

Assignees

@VaishnaviHire VaishnaviHire

Labels
lgtm
Projects
ODH Platform Planning
Status: Todo
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zdtsw @lburgazzoli @VaishnaviHire @lphiri