controllers

package
v0.0.0-...-211a77d Latest Latest
Warning

This package is not in the latest version of its module.

Published: Dec 18, 2025 License: Apache-2.0 Imports: 55 Imported by: 0

Documentation

Index

Constants

// Annotation keys and values used on Notebook objects, plus the fallback
// resource settings for the auth sidecar.
//
// NOTE(review): the auth-sidecar-* annotations live on the Notebook object, so
// presumably whoever may edit a Notebook chooses these values. Confirm that
// they are parsed as resource quantities and bounded before they are written
// into the sidecar container spec.
const (
	// Annotation key; judging by its name it switches auth sidecar injection
	// on for a notebook (TODO confirm against KubeRbacProxyInjectionIsEnabled).
	AnnotationInjectAuth               = "notebooks.opendatahub.io/inject-auth"
	// An annotation value rather than a key. Presumably written by
	// InjectReconciliationLock; verify which annotation key carries it.
	AnnotationValueReconciliationLock  = "odh-notebook-controller-lock"
	// Per-notebook overrides for the auth sidecar's requests and limits.
	AnnotationAuthSidecarCPURequest    = "notebooks.opendatahub.io/auth-sidecar-cpu-request"
	AnnotationAuthSidecarMemoryRequest = "notebooks.opendatahub.io/auth-sidecar-memory-request"
	AnnotationAuthSidecarCPULimit      = "notebooks.opendatahub.io/auth-sidecar-cpu-limit"
	AnnotationAuthSidecarMemoryLimit   = "notebooks.opendatahub.io/auth-sidecar-memory-limit"
	// Defaults: request and limit are equal for both CPU and memory.
	// Presumably applied when the matching annotation is absent — confirm.
	DefaultAuthSidecarCPURequest       = "100m"
	DefaultAuthSidecarMemoryRequest    = "64Mi"
	DefaultAuthSidecarCPULimit         = "100m"
	DefaultAuthSidecarMemoryLimit      = "64Mi"
)
const (
	// Finalizer names for cross-namespace resource cleanup.
	//
	// A finalizer keeps the object it is set on from being removed until the
	// finalizer entry is cleared, so a cleanup path that keeps failing leaves
	// that object stuck in deletion.
	//
	// Note the prefix is "notebook.opendatahub.io" (singular), whereas the
	// annotation keys in this package use "notebooks.opendatahub.io"; any
	// policy or tooling that matches on the prefix has to account for both.
	HTTPRouteFinalizerName      = "notebook.opendatahub.io/httproute-cleanup"
	ReferenceGrantFinalizerName = "notebook.opendatahub.io/referencegrant-cleanup"
	KubeRbacProxyFinalizerName  = "notebook.opendatahub.io/kube-rbac-proxy-cleanup"
)
// Names of the ConfigMaps that supply CA certificates.
//
// NOTE(review): certificates taken from these ConfigMaps presumably end up as
// trust anchors inside notebook pods, so write access to them is
// security-relevant — confirm who may modify each one.
const (
	OdhConfigMapName        = "odh-trusted-ca-bundle"    // ODH trusted CA bundle; contains ca-bundle.crt and odh-ca-bundle.crt
	SelfSignedConfigMapName = "kube-root-ca.crt"         // Self-signed certs; contains ca.crt
	ServiceCAConfigMapName  = "openshift-service-ca.crt" // Service CA bundle; contains service-ca.crt
)
const (
	// kube-rbac-proxy configuration: the Service port number and port name,
	// and the suffixes used to build the names of the proxy's ConfigMap and
	// Service.
	//
	// NOTE(review): the suffixes are presumably appended to the notebook name;
	// confirm the combined name stays within Kubernetes name length limits for
	// long notebook names.
	KubeRbacProxyServicePort     = 8443
	KubeRbacProxyServicePortName = "kube-rbac-proxy"
	KubeRbacProxyConfigSuffix    = "-kube-rbac-proxy-config"
	KubeRbacProxyServiceSuffix   = "-kube-rbac-proxy"
)
// Port numbers used by the notebook network policies, and the name suffix of
// the kube-rbac-proxy NetworkPolicy.
//
// NOTE(review): NotebookPort is the notebook's own port, while 8443 is the
// kube-rbac-proxy port. When auth injection is enabled, confirm that the
// policy covering NotebookPort does not admit traffic that is meant to pass
// through the proxy first.
const (
	NotebookPort                             = 8888
	// Same value as KubeRbacProxyServicePort, declared separately.
	NotebookKubeRbacProxyPort                = 8443
	// Presumably the proxy's health endpoint port — TODO confirm.
	NotebookKubeRbacProxyHealthPort          = 8444
	NotebookKubeRbacProxyNetworkPolicySuffix = "-kube-rbac-proxy-np"
)
const (
	// HTTPRouteSubDomainMaxLen is the max length of the HTTPRoute subdomain.
	// 63 is also the maximum length of a single DNS label.
	// NOTE(review): if generated subdomains are truncated to this length,
	// check that two distinct notebooks cannot end up with the same hostname.
	HTTPRouteSubDomainMaxLen = 63
	// DefaultGatewayName is the default Gateway name to use for HTTPRoutes prepared by the opendatahub-operator
	DefaultGatewayName = "data-science-gateway"
	// DefaultGatewayNamespace is the default Gateway namespace prepared by the opendatahub-operator
	DefaultGatewayNamespace = "openshift-ingress"
)

HTTPRoute hostname generation constants

// Names, paths and annotation keys for the kube-rbac-proxy sidecar and for
// image selection.
const (
	// Name of the kube-rbac-proxy sidecar container.
	ContainerNameKubeRbacProxy = "kube-rbac-proxy"

	// Volume name and mount path for the proxy configuration; the file path is
	// the mount path joined with the file name.
	KubeRbacProxyConfigVolumeName = "kube-rbac-proxy-config"
	KubeRbacProxyConfigMountPath  = "/etc/kube-rbac-proxy"
	KubeRbacProxyConfigFileName   = "config-file.yaml"
	KubeRbacProxyConfigFilePath   = KubeRbacProxyConfigMountPath + "/" + KubeRbacProxyConfigFileName

	// Volume name and mount path for the proxy's TLS certificate and key.
	// NOTE(review): tls.key is private key material; presumably this volume is
	// mounted only into the proxy container and not into the notebook
	// container — confirm in InjectKubeRbacProxy.
	KubeRbacProxyTLSCertsVolumeName = "kube-rbac-proxy-tls-certificates"
	KubeRbacProxyTLSCertsMountPath  = "/etc/tls/private"
	KubeRbacProxyTLSCertFileName    = "tls.crt"
	KubeRbacProxyTLSCertFilePath    = KubeRbacProxyTLSCertsMountPath + "/" + KubeRbacProxyTLSCertFileName
	KubeRbacProxyTLSKeyFileName     = "tls.key"
	KubeRbacProxyTLSKeyFilePath     = KubeRbacProxyTLSCertsMountPath + "/" + KubeRbacProxyTLSKeyFileName

	// Event identifiers for a missing image stream or image stream tag. The
	// ALL_CAPS names depart from Go's MixedCaps convention, but they are
	// exported, so renaming them would break importers.
	IMAGE_STREAM_NOT_FOUND_EVENT     = "imagestream-not-found"
	IMAGE_STREAM_TAG_NOT_FOUND_EVENT = "imagestream-tag-not-found"

	// Annotation keys related to image selection.
	// NOTE(review): these annotations presumably steer which image a notebook
	// runs; confirm the namespace annotation cannot point image lookup at a
	// namespace the notebook's owner should not read from.
	WorkbenchImageNamespaceAnnotation = "opendatahub.io/workbench-image-namespace"
	LastImageSelectionAnnotation      = "notebooks.opendatahub.io/last-image-selection"

	// Suffix of the Secret that backs the TLS certificates volume (going by
	// the constant's name; TODO confirm what it is appended to).
	KubeRbacProxyTLSCertVolumeSecretSuffix = "-kube-rbac-proxy-tls"
)
const (
	// Finalizer to handle OAuthClient cleanup since it's cluster-scoped and can't use owner references.
	// Because no owner reference garbage-collects the OAuthClient, this
	// finalizer is the only visible cleanup hook for it; a Notebook whose
	// finalizer is removed by hand presumably leaves the OAuthClient behind.
	// The name format differs from the "notebook.opendatahub.io/..." finalizers
	// declared elsewhere in this package.
	NotebookOAuthClientFinalizer = "notebook-oauth-client-finalizer.opendatahub.io"
)
const (
	// ReferenceGrantName is the consistent name for ReferenceGrant per namespace.
	// The name is fixed, so every notebook namespace uses the same object name.
	// NOTE(review): a ReferenceGrant opens a namespace to cross-namespace
	// references; confirm the grant built under this name is limited to the
	// central namespace as source and to Services as target.
	ReferenceGrantName = "notebook-httproute-access"
)

Variables

// NoPendingUpdates is the shared UpdatesPending value that stands for "nothing
// to update"; it points to an UpdatesPending built with no fields set.
// NOTE(review): presumably callers compare against it by pointer identity —
// confirm. As an exported variable it can be reassigned by any importer.
var (
	NoPendingUpdates = &UpdatesPending{}
)

Functions

func CheckAndMountCACertBundle

func CheckAndMountCACertBundle(ctx context.Context, cli client.Client, notebook *nbv1.Notebook, log logr.Logger) error

CheckAndMountCACertBundle checks if the odh-trusted-ca-bundle ConfigMap is present

func CompareNotebookHTTPRoutes

func CompareNotebookHTTPRoutes(r1 gatewayv1.HTTPRoute, r2 gatewayv1.HTTPRoute) bool

CompareNotebookHTTPRoutes checks if two HTTPRoutes are equal, if not return false

func CompareNotebookNetworkPolicies

func CompareNotebookNetworkPolicies(np1 netv1.NetworkPolicy, np2 netv1.NetworkPolicy) bool

CompareNotebookNetworkPolicies checks if two network policies are equal, if not return false

func CompareNotebookReferenceGrants

func CompareNotebookReferenceGrants(rg1 gatewayv1beta1.ReferenceGrant, rg2 gatewayv1beta1.ReferenceGrant) bool

CompareNotebookReferenceGrants checks if two ReferenceGrants are equal, if not return false

func CompareNotebooks

func CompareNotebooks(nb1 nbv1.Notebook, nb2 nbv1.Notebook) bool

CompareNotebooks checks if two notebooks are equal, if not return false.

func InjectCertConfig

func InjectCertConfig(notebook *nbv1.Notebook, configMapName string) error

func InjectKubeRbacProxy

func InjectKubeRbacProxy(notebook *nbv1.Notebook, kubeRbacProxyConfig KubeRbacProxyConfig) error

InjectKubeRbacProxy injects the kube-rbac-proxy proxy sidecar container in the Notebook spec

func InjectProxyConfigEnvVars

func InjectProxyConfigEnvVars(notebook *nbv1.Notebook) error

func InjectReconciliationLock

func InjectReconciliationLock(meta *metav1.ObjectMeta) error

InjectReconciliationLock injects the kubeflow notebook controller culling stop annotation to explicitly start the notebook pod when the ODH notebook controller finishes the reconciliation. Otherwise, a race condition may happen while mounting the notebook service account pull secret into the pod.

The ODH notebook controller will remove this annotation when the first reconciliation is completed (see RemoveReconciliationLock).

func KubeRbacProxyInjectionIsEnabled

func KubeRbacProxyInjectionIsEnabled(meta metav1.ObjectMeta) bool

KubeRbacProxyInjectionIsEnabled returns true if the kube-rbac-proxy sidecar injection annotation is present in the notebook.

func MountElyraRuntimeConfigSecret

func MountElyraRuntimeConfigSecret(ctx context.Context, client client.Client, notebook *nbv1.Notebook, log logr.Logger) error

MountElyraRuntimeConfigSecret injects the Elyra runtime configuration Secret as a volume mount into the Notebook pod. This function is invoked by the webhook during Notebook mutation.

func MountPipelineRuntimeImages

func MountPipelineRuntimeImages(ctx context.Context, client client.Client, notebook *nbv1.Notebook, log logr.Logger) error

func NewFeastConfig

func NewFeastConfig(notebook *nbv1.Notebook) error

NewFeastConfig creates a new Feast config.

func NewKubeRbacProxyNetworkPolicy

func NewKubeRbacProxyNetworkPolicy(notebook *nbv1.Notebook) *netv1.NetworkPolicy

NewKubeRbacProxyNetworkPolicy defines the desired kube-rbac-proxy Network Policy

func NewNotebookHTTPRoute

func NewNotebookHTTPRoute(notebook *nbv1.Notebook, centralNamespace string) *gatewayv1.HTTPRoute

NewNotebookHTTPRoute defines the desired HTTPRoute object in the central namespace. The HTTPRoute is created in the controller's namespace and references the backend Service in the user's namespace using cross-namespace references.

func NewNotebookKubeRbacProxyClusterRoleBinding

func NewNotebookKubeRbacProxyClusterRoleBinding(notebook *nbv1.Notebook) *rbacv1.ClusterRoleBinding

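TODO: We need to revisit this in favor of https://issues.redhat.com/browse/RHOAIENG-36109.

NewNotebookKubeRbacProxyClusterRoleBinding defines the desired ClusterRoleBinding object for kube-rbac-proxy authentication. This creates one ClusterRoleBinding per notebook that grants auth-delegator permissions. The binding is cluster-scoped, so it outlives the notebook unless it is removed explicitly; note that the description of CleanupKubeRbacProxyClusterRoleBinding speaks of a binding associated with the namespace rather than with a single notebook.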

func NewNotebookKubeRbacProxyConfigMap

func NewNotebookKubeRbacProxyConfigMap(notebook *nbv1.Notebook) *corev1.ConfigMap

NewNotebookKubeRbacProxyConfigMap defines the desired ConfigMap object for kube-rbac-proxy

func NewNotebookKubeRbacProxyHTTPRoute

func NewNotebookKubeRbacProxyHTTPRoute(notebook *nbv1.Notebook, centralNamespace string) *gatewayv1.HTTPRoute

NewNotebookKubeRbacProxyHTTPRoute defines the desired HTTPRoute object for kube-rbac-proxy

func NewNotebookKubeRbacProxyService

func NewNotebookKubeRbacProxyService(notebook *nbv1.Notebook) *corev1.Service

NewNotebookKubeRbacProxyService defines the desired service object for kube-rbac-proxy

func NewNotebookNetworkPolicy

func NewNotebookNetworkPolicy(notebook *nbv1.Notebook, log logr.Logger, namespace string) *netv1.NetworkPolicy

NewNotebookNetworkPolicy defines the desired network policy for Notebook port

func NewNotebookReferenceGrant

func NewNotebookReferenceGrant(namespace string, centralNamespace string) *gatewayv1beta1.ReferenceGrant

NewNotebookReferenceGrant creates a ReferenceGrant that allows HTTPRoutes from the central application namespace to reference Services in the user's namespace where Notebooks are created.

func NewRoleBinding

func NewRoleBinding(notebook *nbv1.Notebook, rolebindingName, roleRefKind, roleRefName string) *rbacv1.RoleBinding

NewRoleBinding defines the desired RoleBinding object. Per its signature it always returns a *rbacv1.RoleBinding; the role it refers to may be either a Role or a ClusterRole. Parameters:

  • notebook: The Notebook resource instance for which the RoleBinding is being created.
  • rolebindingName: The name to assign to the RoleBinding object.
  • roleRefKind: The kind of role reference to bind to, which can be either Role or ClusterRole.
  • roleRefName: The name of the Role or ClusterRole to reference.

func ReconciliationLockIsEnabled

func ReconciliationLockIsEnabled(meta metav1.ObjectMeta) bool

ReconciliationLockIsEnabled returns true if the reconciliation lock annotation is present in the notebook.

func SetContainerImageFromRegistry

func SetContainerImageFromRegistry(ctx context.Context, cli client.Client, notebook *nbv1.Notebook, log logr.Logger, controllerNamespace string) error

SetContainerImageFromRegistry checks if there is an internal registry and takes the corresponding actions to set the container.image value. If an internal registry is detected, it uses the default values specified in the Notebook Custom Resource (CR). Otherwise, it checks the last-image-selection annotation to find the image stream and fetches the image from status.dockerImageReference, assigning it to the container.image value.

Types

type FirstDifferenceReporter

// FirstDifferenceReporter is a custom go-cmp reporter that only records the
// first difference. Its state is not exported.
type FirstDifferenceReporter struct {
	// contains filtered or unexported fields
}

FirstDifferenceReporter is a custom go-cmp reporter that only records the first difference.

func (*FirstDifferenceReporter) PopStep

func (r *FirstDifferenceReporter) PopStep()

func (*FirstDifferenceReporter) PushStep

func (r *FirstDifferenceReporter) PushStep(ps cmp.PathStep)

func (*FirstDifferenceReporter) Report

func (r *FirstDifferenceReporter) Report(rs cmp.Result)

func (*FirstDifferenceReporter) String

func (r *FirstDifferenceReporter) String() string

type KubeRbacProxyConfig

// KubeRbacProxyConfig carries the settings passed to InjectKubeRbacProxy.
type KubeRbacProxyConfig struct {
	// ProxyImage is, going by its name, the container image reference for the
	// kube-rbac-proxy sidecar.
	// NOTE(review): this image would run in every auth-enabled notebook pod;
	// confirm where the value comes from and prefer a digest-pinned reference
	// over a mutable tag.
	ProxyImage string
}

type NotebookWebhook

// NotebookWebhook holds the webhook configuration. Its Handle method
// transforms Notebook objects.
type NotebookWebhook struct {
	// Logger used by the webhook.
	Log                 logr.Logger
	// Kubernetes API client.
	Client              client.Client
	// REST client configuration.
	// NOTE(review): a rest.Config normally carries API server credentials;
	// avoid logging it or handing it to code that does not need it.
	Config              *rest.Config
	// Decoder for incoming admission requests.
	Decoder             admission.Decoder
	// Settings for the kube-rbac-proxy sidecar.
	KubeRbacProxyConfig KubeRbacProxyConfig
	// Namespace is the controller namespace.
	Namespace string
}

NotebookWebhook holds the webhook configuration.

func (*NotebookWebhook) ClusterWideProxyIsEnabled

func (w *NotebookWebhook) ClusterWideProxyIsEnabled() bool

func (*NotebookWebhook) Handle

Handle transforms the Notebook objects.

type OpenshiftNotebookReconciler

// OpenshiftNotebookReconciler holds the controller configuration.
type OpenshiftNotebookReconciler struct {
	// Embedded Kubernetes API client; its methods are promoted onto the
	// reconciler.
	client.Client
	// Namespace is presumably the controller's own ("central") namespace —
	// TODO confirm against SetupWithManager and the HTTPRoute helpers.
	Namespace string
	// Scheme is the runtime scheme used by the reconciler.
	Scheme    *runtime.Scheme
	// Logger used by the reconciler.
	Log       logr.Logger
	// REST client configuration.
	// NOTE(review): a rest.Config normally carries API server credentials;
	// avoid logging it.
	Config    *rest.Config
}

OpenshiftNotebookReconciler holds the controller configuration.

func (*OpenshiftNotebookReconciler) CleanupKubeRbacProxyClusterRoleBinding

func (r *OpenshiftNotebookReconciler) CleanupKubeRbacProxyClusterRoleBinding(notebook *nbv1.Notebook, ctx context.Context) error

CleanupKubeRbacProxyClusterRoleBinding removes the ClusterRoleBinding associated with the namespace if this is the last auth-enabled notebook in the namespace

func (*OpenshiftNotebookReconciler) CreateNotebookCertConfigMap

func (r *OpenshiftNotebookReconciler) CreateNotebookCertConfigMap(notebook *nbv1.Notebook,
	ctx context.Context) error

CreateNotebookCertConfigMap creates a ConfigMap workbench-trusted-ca-bundle that contains the root certificates from the ConfigMap odh-trusted-ca-bundle and the self-signed certificates from the ConfigMap kube-root-ca.crt. The ConfigMap workbench-trusted-ca-bundle is used by the notebook to trust the root and self-signed certificates. Every certificate copied into it therefore becomes a trust anchor for the notebook, so write access to the two source ConfigMaps should be restricted accordingly.

func (*OpenshiftNotebookReconciler) DeleteHTTPRouteForNotebook

func (r *OpenshiftNotebookReconciler) DeleteHTTPRouteForNotebook(notebook *nbv1.Notebook, ctx context.Context) error

DeleteHTTPRouteForNotebook deletes the HTTPRoute for a notebook from the central namespace. This is called during notebook deletion as part of finalizer cleanup.

func (*OpenshiftNotebookReconciler) DeleteReferenceGrantIfLastNotebook

func (r *OpenshiftNotebookReconciler) DeleteReferenceGrantIfLastNotebook(notebook *nbv1.Notebook, ctx context.Context) error

DeleteReferenceGrantIfLastNotebook removes the ReferenceGrant from a namespace if the given notebook is the last one in that namespace.

func (*OpenshiftNotebookReconciler) EnsureConflictingHTTPRouteAbsent

func (r *OpenshiftNotebookReconciler) EnsureConflictingHTTPRouteAbsent(
	notebook *nbv1.Notebook, ctx context.Context, isAuthMode bool) error

EnsureConflictingHTTPRouteAbsent deletes any existing conflicting HTTPRoute for the notebook to prevent conflicts when switching between auth and non-auth modes.

func (*OpenshiftNotebookReconciler) EnsureNotebookConfigMap

func (r *OpenshiftNotebookReconciler) EnsureNotebookConfigMap(notebook *nbv1.Notebook, ctx context.Context) error

func (*OpenshiftNotebookReconciler) IsConfigMapDeleted

func (r *OpenshiftNotebookReconciler) IsConfigMapDeleted(notebook *nbv1.Notebook, ctx context.Context) bool

IsConfigMapDeleted checks if the ConfigMap is deleted and the notebook is using the ConfigMap as a volume

func (*OpenshiftNotebookReconciler) NewElyraRuntimeConfigSecret

func (r *OpenshiftNotebookReconciler) NewElyraRuntimeConfigSecret(ctx context.Context, dynamicConfig *rest.Config, c client.Client, notebook *nbv1.Notebook, controllerNamespace string, log logr.Logger) error

NewElyraRuntimeConfigSecret defines and handles the creation, watch and update to the desired ElyraRuntimeConfig secret object

func (*OpenshiftNotebookReconciler) Reconcile

Reconcile performs the reconciling of the Openshift objects for a Kubeflow Notebook.

func (*OpenshiftNotebookReconciler) ReconcileAllNetworkPolicies

func (r *OpenshiftNotebookReconciler) ReconcileAllNetworkPolicies(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileAllNetworkPolicies will manage the network policies reconciliation required by the notebook.

func (*OpenshiftNotebookReconciler) ReconcileElyraRuntimeConfigSecret

func (r *OpenshiftNotebookReconciler) ReconcileElyraRuntimeConfigSecret(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileElyraRuntimeConfigSecret handles the reconciliation of the Elyra runtime config secret. This function is invoked by the ODH Notebook Controller and is required for enabling Elyra functionality in notebooks.

func (*OpenshiftNotebookReconciler) ReconcileHTTPRoute

func (r *OpenshiftNotebookReconciler) ReconcileHTTPRoute(
	notebook *nbv1.Notebook, ctx context.Context) error

ReconcileHTTPRoute will manage the creation, update and deletion of the HTTPRoute when the notebook is reconciled

func (*OpenshiftNotebookReconciler) ReconcileKubeRbacProxyClusterRoleBinding

func (r *OpenshiftNotebookReconciler) ReconcileKubeRbacProxyClusterRoleBinding(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileKubeRbacProxyClusterRoleBinding will manage the ClusterRoleBinding reconciliation required by the notebook kube-rbac-proxy for authentication (tokenreviews and subjectaccessreviews)

func (*OpenshiftNotebookReconciler) ReconcileKubeRbacProxyConfigMap

func (r *OpenshiftNotebookReconciler) ReconcileKubeRbacProxyConfigMap(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileKubeRbacProxyConfigMap will manage the ConfigMap reconciliation required by the notebook kube-rbac-proxy

func (*OpenshiftNotebookReconciler) ReconcileKubeRbacProxyHTTPRoute

func (r *OpenshiftNotebookReconciler) ReconcileKubeRbacProxyHTTPRoute(
	notebook *nbv1.Notebook, ctx context.Context) error

ReconcileKubeRbacProxyHTTPRoute will manage the creation, update and deletion of the kube-rbac-proxy HTTPRoute when the notebook is reconciled.

func (*OpenshiftNotebookReconciler) ReconcileKubeRbacProxyService

func (r *OpenshiftNotebookReconciler) ReconcileKubeRbacProxyService(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileKubeRbacProxyService will manage the service reconciliation required by the notebook kube-rbac-proxy

func (*OpenshiftNotebookReconciler) ReconcileNotebookServiceAccount

func (r *OpenshiftNotebookReconciler) ReconcileNotebookServiceAccount(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileNotebookServiceAccount will manage the service account reconciliation required by the notebook for kube-rbac-proxy

func (*OpenshiftNotebookReconciler) ReconcileReferenceGrant

func (r *OpenshiftNotebookReconciler) ReconcileReferenceGrant(notebook *nbv1.Notebook, ctx context.Context) error

ReconcileReferenceGrant ensures a ReferenceGrant exists in the Notebook's namespace to allow HTTPRoutes from the central namespace to reference backend Services. Only one ReferenceGrant per namespace is needed, shared by all Notebooks in that namespace.

func (*OpenshiftNotebookReconciler) ReconcileRoleBindings

func (r *OpenshiftNotebookReconciler) ReconcileRoleBindings(
	notebook *nbv1.Notebook, ctx context.Context) error

ReconcileRoleBindings will manage multiple RoleBinding and ClusterRoleBinding reconciliations

func (*OpenshiftNotebookReconciler) RemoveReconciliationLock

func (r *OpenshiftNotebookReconciler) RemoveReconciliationLock(notebook *nbv1.Notebook,
	ctx context.Context) error

RemoveReconciliationLock waits until the image pull secret is mounted in the notebook service account to remove the reconciliation lock annotation.

func (*OpenshiftNotebookReconciler) SetupWithManager

func (r *OpenshiftNotebookReconciler) SetupWithManager(mgr ctrl.Manager) error

SetupWithManager sets up the controller with the Manager.

func (*OpenshiftNotebookReconciler) UnsetNotebookCertConfig

func (r *OpenshiftNotebookReconciler) UnsetNotebookCertConfig(notebook *nbv1.Notebook, ctx context.Context) error

UnsetNotebookCertConfig removes the environment variables from the notebook container

type UpdatesPending

// UpdatesPending is either NoPendingUpdates, or a new value providing a Reason
// for the update.
type UpdatesPending struct {
	// Reason explains why an update is pending. It is empty on the
	// NoPendingUpdates value, which is built with no fields set.
	Reason string
}

UpdatesPending is either NoPendingUpdates, or a new value providing a Reason for the update.
