overlay and readme changes custom CA and use env as verify in Elyra

[shalberd]

Description

Background OCP / Openshift central

https://docs.openshift.com/container-platform/4.8/networking/configuring-a-custom-pki.html#installation-configure-proxy_configuring-a-custom-pki

key concept: additionalTrustBundle PEM-Format files

Configmap with label config.openshift.io/inject-trusted-cabundle: "true" provides a block of PEM Format CA files with key
ca-bundle.crt containing the user-provided (additionalTrustBundle e.g. from private PKI) and system CA certificates in a single bundle file.

opendatahub-io-contrib/jupyterhub-odh#137
elyra-ai/elyra#2912
elyra-ai/elyra#2797 (comment)

I tested this overlay output on a local macbook with kustomize v4.5.6 and command

kustomize build ./odh-manifests/jupyterhub/jupyterhub/overlays/trusted-ca-bundle-path

ConfigMap jupyterhub-cfg needs to have the following new section / value of key filled in which was previously empty

jupyterhub_config.py: |-
    if "TRUSTED_CA_BUNDLE_PATH" in os.environ:
          TRUSTED_CA_BUNDLE_PATH = os.environ.get("TRUSTED_CA_BUNDLE_PATH")
          basepath, filename = os.path.split({TRUSTED_CA_BUNDLE_PATH})
          spawner = c.OpenShiftSpawner`
     
    etc.

ConfigMap jupyter-singleuser-profiles needs to have the following new env filled in, as long as parameter trusted_ca_bundle_path was given in parameters section of KfDefs kustomizeConfig

profiles:
    - name: globals
      env:
        - name: TRUSTED_CA_BUNDLE_PATH
          value: /opt/app-root/etc/jupyter/custom/cacerts/trustedcas.pem

 - kustomizeConfig:
     overlays:
     - trusted-ca-bundle-path
     parameters:
       - name: trusted_ca_bundle_path
         value: "/opt/app-root/etc/jupyter/custom/cacerts/trustedcas.pem"
     repoRef:
       name: manifests
       path: jupyterhub/jupyterhub
   name: jupyterhub

How Has This Been Tested?

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[openshift-ci]

Hi @shalberd. Thanks for your PR.

I'm waiting for a opendatahub-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[LaVLaS]

This should be moved to the overlay and added via a kustomize patch so that the base deployment is not affected by the environment variable

[shalberd]

I wondered about effects, too. But when I remove the parameter s3_endpoint_url as a paremter in KfDef kustomizeConfig https://opendatahub.io/docs/administration/advanced-installation/object-storage.html, that env var S3_ENDPOINT_URL, too, was not present in both jupyterhub and spawned containers anymore. So I figured this approach was ok. What I mean is, if by default the param is empty, then the env, too, is non-existent.

[shalberd]

moved to the overlay, that is, jupyterhub-singleuser-profiles-configmap in its entirety.

[shalberd]

I have tested this without env TRUSTED_CA_BUNDLE_PATH, but with hardcoded path in line 43. Result was the correctly mounted pem file from new configmap trusted-cabundle that in Openshift with central additional trust CA settings auto-injects a file section ca-bundle.crt that is referenced and used here. This worked very nicely, see discussion at opendatahub-io-contrib/jupyterhub-odh#137 (comment)

this new jupyterhub.config.py section was added in the output of "kustomize build" as wanted in my local macbook tests.

[LaVLaS]

@shalberd Thank you for submitting this PR. In order to add this, I want to make sure that the base JupyterHub manifests is not modified and the application of any changes in support of reading a custom CA for JupyterHub is contained in the trusted-ca-path overlay

[shalberd]

I have medium-level experience with overlays in Kustomize. Will try, though. Especially wondering about where to define the parameter and how to define the add syntax to the configmap that adds the env variable. I have before added envs in overlays to DeploymentConfigs, but not to this special type of configmap for jupyterhub-singleuser-profiles.

[shalberd]

here, I need some input on whether this path reference and operation is good with respect to the original file with an existing env in base.

[shalberd]

this is the new configmap containing the PEM CAs (roots, intermediates) all-in-one file, auto-injected by openshift with key ca-bundle.crt https://docs.openshift.com/container-platform/4.8/networking/configuring-a-custom-pki.html#certificate-injection-using-operators_configuring-a-custom-pki

This could potentially also be used as golang env SSL_CERT_FILE in the operator for manifests tar.gz download from enterprise-internal locations secured with SSL certificates that are based on non-publicly-trusted CAs, as this file contains all system-level RHCOS publicly-trusted-CAs in addition to additonally-specified enterprise private PKI CAs. In RedHat's words: "Once your custom CA certificate is added to the cluster via ConfigMap, the Cluster Network Operator merges the user-provided and system CA certificates into a single bundle and injects the merged bundle" That would solve the cert verify problem at the golang/operator level as well. https://go.dev/src/crypto/x509/root_unix.go

Back to the issue at hand: The configmap has a a bunch of PEM-Format certificates all in one file. Order is always RootCAs and then IntermediateCAs.

[shalberd]

this notation should make sure the ops "replace" works for jupyterhub-configmap.yaml section data/jupyterhub_config.py in base. In the past, I only worked with patchesStrategicMerge yaml-based and ArgoCD in the past, but this approach seems cool, too as long as the json structure is well-defined.

Worked fine with kustomize build output for jupyterhub-configmap.yaml / jupyterhub-cfg ConfigMap.

[shalberd]

@shalberd Thank you for submitting this PR. In order to add this, I want to make sure that the base JupyterHub manifests is not modified and the application of any changes in support of reading a custom CA for JupyterHub is contained in the trusted-ca-path overlay

Yes. I just noticed there are changes ongoing to go with all KF Notebook Controller and Jupyter Notebooks instead of Jupyterhub. Since Elyra runs in the KF Notebook controller images soon, too, should we go ahead and bring in those custom PKI trusted CA changes from here to KF Notebook instead? Regarding location KF Notebook spawner, for adding a new volumeMount / volume filled with a file from a configmap containing a list of trusted CAs, is this the right location? https://github.com/opendatahub-io/odh-dashboard/tree/main/frontend/src/pages/notebookController/frontend/src/pages/notebookController/screens/server/SpawnerPage.tsx#L282 I would like to add an overlay. My aim is: a) add a new configmap that contains auto-injected system CAs and additonal trusted CAs in a file. b) have that file mapped to a volume and mount it to a location in the spawned container. c) Add an env variable TRUSTED_CA_BUNDLE_PATH for use by Elyra.

[shalberd]

@LaVLaS @vpavlin

Multiline scalar value pipe symbol in configmap

https://github.com/opendatahub-io/odh-manifests/blob/master/jupyterhub/jupyterhub/base/jupyterhub-singleuser-profiles-configmap.yaml#L6

seems to make add and replace operations with jsonpath kustomize / JsonPatches6902 for e.g. adding to env variables next to impossible. Everything after key /data/jupyterhub-singleuser-profiles.yaml is taken as literal ...

e.g.

versus without pipe symbol

I tested on my local macbook with kustomize v4.5.6. Getting output "add operation does not apply: doc is missing path"

--> found no other way than to include the entire configmap with the new env variable in the overlay instead of using merges via kustomize patchesStrategicMerge in overlay kustomization.yaml.

I cannot test this build result / yaml output result on the cluster, the kustomize aspects, that is, because I cannot download adapted recipes from an internal location that in our case has private PKI CAs. That, as I have mentioned, is a major drawback of the url definition / download functionality in kfdef manifests, but for another PR, I have ideas with regards to golang.

[shalberd]

this is the new ENV for this PR

[shalberd]

as long as the parameter is given /filled-out, either in params.env or in KfDef kustomizeConfig, the resulting configmap has the new env plus value correctly in it. Tested locally with kustomize build odh-manifests/jupyterhub/jupyterhub/overlays/trusted-ca-bundle-path

[shalberd]

I noticed that in --packages in the original file, where was a mix of commata and empty space separators for the --packages argument of PYSPARK_SUBMIT_ARGS. I used the correct notation here, with empty spaces between the packages listed.

In any case, there should not be a mix of comma-separations and empty spaces.

[shalberd]

I tested this as much as possible with kustomize locally, looking good from my perspective. Also added testing instructions at the very top of this PR.

Related PR for the operator and its download functionality (manifests tar.gz) from server locations secured with certs based on private PKI is here:

opendatahub-io/opendatahub-operator#173

[LaVLaS]

@shalberd Since we don't have access to an environment to reproduce the original issue, all we can do is verify the default JH deployment with no overlay works as intended. I will try to follow-up to see if the trusted-ca-bundle-path overlay is parsed successfully but that is the limit of what we can do considering we are switching to notebook controller for managing the lifecycle of Jupyter notebooks

[shalberd]

"Since we don't have access to an environment to reproduce the original issue, all we can do is verify the default JH deployment with no overlay works as intended."

That is fine by me, I did environment testing as much as possible from my part and overlay parsing testing with Kustomize, so it is good.

[LaVLaS]

/lgtm

@shalberd Thx for this update. As discussed I can only confirm that it does not break existing functionality in the environments that we have access to. Since we have moved to notebook-controller for managing the notebook lifecycle, this will most likely be the last update to JupyterHub in odh-manifests before we officially move it to the odh-contrib-manifests

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LaVLaS

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• jupyterhub/OWNERS [LaVLaS]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shalberd]

No idea why ci/prow/odh-manifests-e2e test is failing. All files are in the correct place, as well as permissions.

[shalberd]

/test odh-manifests-e2e

[openshift-ci]

@shalberd: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/test odh-manifests-e2e

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[anishasthana]

/ok-to-test

[LaVLaS]

/lgtm