Skip to content

Fix notebook template for RHOAI 3.0 compatibility #484

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 4, 2025
Merged

Fix notebook template for RHOAI 3.0 compatibility #484

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 1 addition & 70 deletions tests/common/resources/custom-nb-small.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,10 +9,9 @@ apiVersion: kubeflow.org/v1
kind: Notebook
metadata:
annotations:
notebooks.opendatahub.io/inject-oauth: "true"
notebooks.opendatahub.io/inject-auth: "true"
Copy link

@coderabbitai coderabbitai bot Nov 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Annotation update aligns with RHOAI 3.0 requirements.

The change from inject-oauth to inject-auth is correct and reflects the RHOAI 3.0 annotation naming convention. Per the PR objectives, the notebook controller now automatically handles OAuth proxy injection and secret creation.

To ensure consistency across the codebase, please verify there are no other notebook template or configuration files still referencing the old inject-oauth annotation:

🏁 Script executed:

#!/bin/bash
# Description: Search for any remaining references to the old inject-oauth annotation

# Search for old annotation pattern in YAML and template files
rg -n 'inject-oauth' --type=yaml --type=tf -g '*.yaml' -g '*.template' -g '*.yml'

# Also search in any documentation that might reference this
rg -n 'inject-oauth' --type=md -g '*.md'

Length of output: 120

🏁 Script executed:

#!/bin/bash
# Broader search for all references to both old and new annotations
echo "=== Files with old inject-oauth annotation ==="
rg -l 'inject-oauth' --type=yaml --type=yml

echo ""
echo "=== Files with new inject-auth annotation ==="
rg -l 'inject-auth' --type=yaml --type=yml

echo ""
echo "=== Count of old annotation references ==="
rg 'inject-oauth' --type=yaml --type=yml | wc -l

echo ""
echo "=== Count of new annotation references ==="
rg 'inject-auth' --type=yaml --type=yml | wc -l

Length of output: 297

🏁 Script executed:

#!/bin/bash
# Broader search for all references to both old and new annotations (corrected syntax)
echo "=== Files with old inject-oauth annotation ==="
rg -l 'inject-oauth' --type=yaml

echo ""
echo "=== Files with new inject-auth annotation ==="
rg -l 'inject-auth' --type=yaml

echo ""
echo "=== All files with old annotation (with line numbers) ==="
rg -n 'inject-oauth' --type=yaml

echo ""
echo "=== All files with new annotation (with line numbers) ==="
rg -n 'inject-auth' --type=yaml

Length of output: 541

Update incomplete: second notebook file still uses old inject-oauth annotation.

The annotation change in tests/common/resources/custom-nb-small.yaml is correct for RHOAI 3.0, but the migration is incomplete. The file examples/stable-diffusion-dreambooth/yaml/distributed/workbench.yaml:5 still references the old inject-oauth annotation and must be updated to inject-auth to maintain consistency across the codebase.

🤖 Prompt for AI Agents 
In tests/common/resources/custom-nb-small.yaml around line 12 the annotation was
updated to notebooks.opendatahub.io/inject-auth but the migration is incomplete:
open examples/stable-diffusion-dreambooth/yaml/distributed/workbench.yaml
(around line 5) and replace the old annotation key inject-oauth with the new
notebooks.opendatahub.io/inject-auth (or the same short form used elsewhere) so
the example uses the updated annotation; scan the file for any other occurrences
of inject-oauth and update them to inject-auth to keep consistency.

notebooks.opendatahub.io/last-image-selection: codeflare-notebook:latest
notebooks.opendatahub.io/last-size-selection: {{.SizeSelection}}
notebooks.opendatahub.io/oauth-logout-url: https://odh-dashboard-{{.OpenDataHubNamespace}}.{{.IngressDomain}}/notebookController/kube-3aadmin/home
opendatahub.io/link: https://jupyter-nb-kube-3aadmin-{{.Namespace}}.{{.IngressDomain}}/notebook/{{.Namespace}}/jupyter-nb-kube-3aadmin
opendatahub.io/username: kube:admin
generation: 1
Expand Down Expand Up @@ -92,80 +91,12 @@ spec:
- mountPath: /opt/app-root/notebooks
name: {{.NotebookConfigMapName}}
workingDir: /opt/app-root/src
- args:
- --provider=openshift
- --https-address=:8443
- --http-address=
- --openshift-service-account=jupyter-nb-kube-3aadmin
- --cookie-secret-file=/etc/oauth/config/cookie_secret
- --cookie-expire=24h0m0s
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --upstream=http://localhost:8888
- --upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- --skip-auth-regex=^(?:/notebook/$(NAMESPACE)/jupyter-nb-kube-3aadmin)?/api$
- --email-domain=*
- --skip-provider-button
- --openshift-sar={"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"jupyter-nb-kube-3aadmin","namespace":"$(NAMESPACE)"}
- --logout-url=https://odh-dashboard-{{.OpenDataHubNamespace}}.{{.IngressDomain}}/notebookController/kube-3aadmin/home
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.redhat.io/openshift4/ose-oauth-proxy:v4.10
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
httpGet:
path: /oauth/healthz
port: oauth-proxy
scheme: HTTPS
initialDelaySeconds: 30
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
name: oauth-proxy
ports:
- containerPort: 8443
name: oauth-proxy
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /oauth/healthz
port: oauth-proxy
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 100m
memory: 64Mi
volumeMounts:
- mountPath: /etc/oauth/config
name: oauth-config
- mountPath: /etc/tls/private
name: tls-certificates
enableServiceLinks: false
serviceAccountName: jupyter-nb-kube-3aadmin
volumes:
- name: jupyterhub-nb-kube-3aadmin-pvc
persistentVolumeClaim:
claimName: {{.NotebookPVC}}
- name: oauth-config
secret:
defaultMode: 420
secretName: jupyter-nb-kube-3aadmin-oauth-config
- name: tls-certificates
secret:
defaultMode: 420
secretName: jupyter-nb-kube-3aadmin-tls
- name: {{.NotebookConfigMapName}}
configMap:
name: {{.NotebookConfigMapName}}