Fix notebook template for RHOAI 3.0 compatibility

[kapil27]

• Changed annotation from 'inject-oauth' to 'inject-auth' (RHOAI 3.

Description

Problem:

create Pod jupyter-nb-kube-3aadmin-0 in StatefulSet jupyter-nb-kube-3aadmin failed error: 
pods "jupyter-nb-kube-3aadmin-0" is forbidden: error looking up service account 
test-ns-xxx/jupyter-nb-kube-3aadmin: serviceaccount "jupyter-nb-kube-3aadmin" not found

Root Cause

In RHOAI 3.0, the annotation for OAuth/auth injection was changed from inject-oauth to inject-auth. The notebook controller now automatically:
Creates the required service account
Injects the oauth-proxy/kube-rbac-proxy sidecar container
Creates OAuth and TLS secrets

How Has This Been Tested?

knema@knema-mac distributed-workloads % go test -v ./tests/kfto -run TestMnistSDKPyTorch251
=== RUN   TestMnistSDKPyTorch251
    kfto_mnist_sdk_test.go:153: OpenShift API URL: https://api.kfto-test-pool-gs94d.gcp.rh-ods.com:6443
    kfto_mnist_sdk_test.go:64: Created User RoleBinding  in namespace test-ns-2q4bj successfully
    kfto_mnist_sdk_test.go:67: Created Kueue ResourceFlavor rf-rjgbx successfully
    kfto_mnist_sdk_test.go:97: Created Kueue ClusterQueue cq-mgs2b successfully
    kfto_mnist_sdk_test.go:100: Created Kueue LocalQueue test-ns-2q4bj/lq-nl8fk successfully
    kfto_mnist_sdk_test.go:105: Created ConfigMap test-ns-2q4bj/config-7k6pg successfully
    kfto_mnist_sdk_test.go:117: OpenShift API URL: https://api.kfto-test-pool-gs94d.gcp.rh-ods.com:6443
    kfto_mnist_sdk_test.go:120: Created PersistentVolumeClaim test-ns-2q4bj/pvc-jv655 successfully
    notebook.go:152: Ingress domain: apps.kfto-test-pool-gs94d.gcp.rh-ods.com
    notebook.go:153: OpenShift API URL: https://api.kfto-test-pool-gs94d.gcp.rh-ods.com:6443
    test.go:163: Retrieving Pod Container test-ns-2q4bj/jupyter-nb-kube-3aadmin-0/jupyter-nb-kube-3aadmin logs
    test.go:144: Creating output directory in parent directory: /Users/knema/Project/kubeflow/distributed-workloads/tests/kfto/test/test-results
    test.go:154: Output directory has been created at: /Users/knema/Project/kubeflow/distributed-workloads/tests/kfto/test/test-results/TestMnistSDKPyTorch2512310908602
    test.go:163: Retrieving Pod Container test-ns-2q4bj/jupyter-nb-kube-3aadmin-0/kube-rbac-proxy logs
    test.go:163: Retrieving Pod Container test-ns-2q4bj/pytorch-ddp-master-0/pytorch logs
--- PASS: TestMnistSDKPyTorch251 (146.79s)
PASS
ok      github.com/opendatahub-io/distributed-workloads/tests/kfto      147.425s

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Tests
  • Updated notebook test resources with changes to authentication configuration, including migration away from OAuth proxy and removal of related volumes and OAuth-specific annotations.

[coderabbitai]

Walkthrough

A test resource file is updated to replace OAuth-specific annotations and container configurations with simplified auth mechanism. The oauth-proxy container, related volumes, and logout URL annotation are removed.

Changes

Cohort / File(s)	Summary
Auth configuration refactoring tests/common/resources/custom-nb-small.yaml	Updated notebooks.opendatahub.io/inject-oauth annotation to notebooks.opendatahub.io/inject-auth; removed oauth-logout-url annotation; removed oauth-proxy container (args, env, image, probes, ports, resources, volume mounts); removed oauth-config and tls-certificates volumes

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Verify the annotation key change aligns with updated auth injection mechanism expectations
• Confirm oauth-proxy removal is intentional and no dependent configurations remain

Poem

🐰 OAuth's gone, auth steps in with grace,
No more proxies cluttering the place,
Annotations lean, volumes set free,
Simpler auth for you and me! ✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title 'Fix notebook template for RHOAI 3.0 compatibility' directly aligns with the main objective of the changeset. The primary change involves updating a notebook template configuration to be compatible with RHOAI 3.0 by changing the OAuth annotation from 'inject-oauth' to 'inject-auth' and removing the oauth-proxy container configuration. The title accurately captures this core change and the rationale for it.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 23a2284 and 445910a.

📒 Files selected for processing (1)

• tests/common/resources/custom-nb-small.yaml (1 hunks)

🔇 Additional comments (1)

tests/common/resources/custom-nb-small.yaml (1)

88-102: Simplified volume and container configuration is appropriate.

The removal of the oauth-proxy container and related volumes (oauth-config, tls-certificates) is expected, as RHOAI 3.0's notebook controller now automatically manages these components. The remaining configuration is cleaner and leverages the platform's built-in capabilities.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Annotation update aligns with RHOAI 3.0 requirements.

The change from inject-oauth to inject-auth is correct and reflects the RHOAI 3.0 annotation naming convention. Per the PR objectives, the notebook controller now automatically handles OAuth proxy injection and secret creation.

To ensure consistency across the codebase, please verify there are no other notebook template or configuration files still referencing the old inject-oauth annotation:

---

🏁 Script executed:

#!/bin/bash
# Description: Search for any remaining references to the old inject-oauth annotation

# Search for old annotation pattern in YAML and template files
rg -n 'inject-oauth' --type=yaml --type=tf -g '*.yaml' -g '*.template' -g '*.yml'

# Also search in any documentation that might reference this
rg -n 'inject-oauth' --type=md -g '*.md'

Length of output: 120

---

🏁 Script executed:

#!/bin/bash
# Broader search for all references to both old and new annotations
echo "=== Files with old inject-oauth annotation ==="
rg -l 'inject-oauth' --type=yaml --type=yml

echo ""
echo "=== Files with new inject-auth annotation ==="
rg -l 'inject-auth' --type=yaml --type=yml

echo ""
echo "=== Count of old annotation references ==="
rg 'inject-oauth' --type=yaml --type=yml | wc -l

echo ""
echo "=== Count of new annotation references ==="
rg 'inject-auth' --type=yaml --type=yml | wc -l

Length of output: 297

---

🏁 Script executed:

#!/bin/bash
# Broader search for all references to both old and new annotations (corrected syntax)
echo "=== Files with old inject-oauth annotation ==="
rg -l 'inject-oauth' --type=yaml

echo ""
echo "=== Files with new inject-auth annotation ==="
rg -l 'inject-auth' --type=yaml

echo ""
echo "=== All files with old annotation (with line numbers) ==="
rg -n 'inject-oauth' --type=yaml

echo ""
echo "=== All files with new annotation (with line numbers) ==="
rg -n 'inject-auth' --type=yaml

Length of output: 541

---

Update incomplete: second notebook file still uses old inject-oauth annotation.

The annotation change in tests/common/resources/custom-nb-small.yaml is correct for RHOAI 3.0, but the migration is incomplete. The file examples/stable-diffusion-dreambooth/yaml/distributed/workbench.yaml:5 still references the old inject-oauth annotation and must be updated to inject-auth to maintain consistency across the codebase.

🤖 Prompt for AI Agents

In tests/common/resources/custom-nb-small.yaml around line 12 the annotation was
updated to notebooks.opendatahub.io/inject-auth but the migration is incomplete:
open examples/stable-diffusion-dreambooth/yaml/distributed/workbench.yaml
(around line 5) and replace the old annotation key inject-oauth with the new
notebooks.opendatahub.io/inject-auth (or the same short form used elsewhere) so
the example uses the updated annotation; scan the file for any other occurrences
of inject-oauth and update them to inject-auth to keep consistency.

[sutaakar]

/lgtm
thanks

[kapil27]

@ChughShilpa please review and approve

[abhijeet-dhumal]

/lgtm
Thanks Kapil!

[sutaakar]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sutaakar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [sutaakar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment