test(workbenches): update existing workbench tests for RHOAI 3.0

With RHOAI 3.0 release, there were quite number of changes needed for
our tests as we moved from OAuth Proxy sidecar container to a Kube RBAC
Proxy. Also we moved to the Gateway API.

All tracked under the https://issues.redhat.com/browse/RHOAIENG-34310

Author: jstourac

tests/workbenches/conftest.py

@@ -1,5 +1,6 @@
 from typing import Generator
 
+from ocp_resources.resource import NamespacedResource
 import pytest
 from pytest_testconfig import config as py_config
 
@@ -11,7 +12,7 @@
 
 from ocp_resources.namespace import Namespace
 from ocp_resources.persistent_volume_claim import PersistentVolumeClaim
-from ocp_resources.route import Route
+from ocp_resources.gateway_gateway_networking_k8s_io import Gateway
 from ocp_resources.notebook import Notebook
 
 from utilities.constants import Labels
@@ -55,14 +56,23 @@ def default_notebook(
     namespace = request.param["namespace"]
     name = request.param["name"]
 
-    # Optional OAuth annotations
-    oauth_annotations = request.param.get("oauth_annotations", {})
+    # Optional Auth annotations
+    auth_annotations = request.param.get("auth_annotations", {})
 
-    # Set new Route url
-    route_name = "odh-dashboard" if py_config.get("distribution") == "upstream" else "rhods-dashboard"
-    route = Route(client=admin_client, name=route_name, namespace=py_config["applications_namespace"])
-    if not route.exists:
-        raise ResourceNotFoundError(f"Route {route.name} does not exist")
+    # Get hostname from Gateway CR
+    gateway = Gateway(
+        client=admin_client, 
+        name="data-science-gateway", 
+        namespace="openshift-ingress"
+    )
+    if not gateway.exists:
+        raise ResourceNotFoundError(f"Gateway {gateway.name} does not exist in namespace {gateway.namespace}")
+    
+    # Extract hostname from the first listener
+    try:
+        hostname = gateway.instance.spec.listeners[0].hostname
+    except (KeyError, IndexError, AttributeError) as e:
+        raise ResourceNotFoundError(f"Failed to get hostname from Gateway {gateway.name}: {e}")
 
     # Set the correct username
     username = get_username(dyn_client=admin_client)
@@ -96,18 +106,19 @@ def default_notebook(
         "kind": "Notebook",
         "metadata": {
             "annotations": {
-                "notebooks.opendatahub.io/inject-oauth": "true",
+                Labels.Notebook.INJECT_AUTH: "true",
                 "opendatahub.io/accelerator-name": "",
-                "opendatahub.io/service-mesh": "false",
                 "notebooks.opendatahub.io/last-image-selection": minimal_image,
                 # Add any additional annotations if provided
-                **oauth_annotations,
+                **auth_annotations,
             },
+            "finalizers": [
+                "notebook.opendatahub.io/kube-rbac-proxy-cleanup",
+            ],
             "labels": {
                 Labels.Openshift.APP: name,
                 Labels.OpenDataHub.DASHBOARD: "true",
                 "opendatahub.io/odh-managed": "true",
-                "sidecar.istio.io/inject": "false",
             },
             "name": name,
             "namespace": namespace,
@@ -129,9 +140,7 @@ def default_notebook(
                                     "                  "
                                     f"--ServerApp.base_url=/notebook/{namespace}/{name}\n"
                                     "                  "
-                                    "--ServerApp.quit_button=False\n"
-                                    "                  "
-                                    f'--ServerApp.tornado_settings={{"user":"{username}","hub_host":"https://{route.host}","hub_prefix":"/projects/{namespace}"}}',  # noqa: E501 line too long
+                                    "--ServerApp.quit_button=False\n",
                                 },
                                 {"name": "JUPYTER_IMAGE", "value": minimal_image_path},
                             ],
@@ -152,52 +161,48 @@ def default_notebook(
                             "workingDir": "/opt/app-root/src",
                         },
                         {
-                            "args": [
-                                "--provider=openshift",
-                                "--https-address=:8443",
-                                "--http-address=",
-                                f"--openshift-service-account={name}",
-                                "--cookie-secret-file=/etc/oauth/config/cookie_secret",
-                                "--cookie-expire=24h0m0s",
-                                "--tls-cert=/etc/tls/private/tls.crt",
-                                "--tls-key=/etc/tls/private/tls.key",
-                                "--upstream=http://localhost:8888",
-                                "--upstream-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
-                                "--email-domain=*",
-                                "--skip-provider-button",
-                                f'--openshift-sar={{"verb":"get","resource":"notebooks","resourceAPIGroup":"kubeflow.org","resourceName":"{name}","namespace":"$(NAMESPACE)"}}',  # noqa: E501 line too long
-                                f"--logout-url=https://{route.host}/projects/{namespace}?notebookLogout={name}",
-                            ],
-                            "env": [
-                                {"name": "NAMESPACE", "valueFrom": {"fieldRef": {"fieldPath": "metadata.namespace"}}}
-                            ],
-                            "image": "registry.redhat.io/openshift4/ose-oauth-proxy:v4.10",
-                            "imagePullPolicy": "Always",
-                            "livenessProbe": {
+                            "resources": {
+                                "limits": {"cpu": "100m", "memory": "64Mi"},
+                                "requests": {"cpu": "100m", "memory": "64Mi"},
+                            },
+                            "readinessProbe": {
                                 "failureThreshold": 3,
-                                "httpGet": {"path": "/oauth/healthz", "port": "oauth-proxy", "scheme": "HTTPS"},
-                                "initialDelaySeconds": 30,
+                                "httpGet": {"path": "/healthz", "port": 8444, "scheme": "HTTPS"},
+                                "initialDelaySeconds": 5,
                                 "periodSeconds": 5,
                                 "successThreshold": 1,
                                 "timeoutSeconds": 1,
                             },
-                            "name": "oauth-proxy",
-                            "ports": [{"containerPort": 8443, "name": "oauth-proxy", "protocol": "TCP"}],
-                            "readinessProbe": {
+                            "name": "kube-rbac-proxy",
+                            "livenessProbe": {
                                 "failureThreshold": 3,
-                                "httpGet": {"path": "/oauth/healthz", "port": "oauth-proxy", "scheme": "HTTPS"},
-                                "initialDelaySeconds": 5,
+                                "httpGet": {"path": "/healthz", "port": 8444, "scheme": "HTTPS"},
+                                "initialDelaySeconds": 30,
                                 "periodSeconds": 5,
                                 "successThreshold": 1,
                                 "timeoutSeconds": 1,
                             },
-                            "resources": {
-                                "limits": {"cpu": "100m", "memory": "64Mi"},
-                                "requests": {"cpu": "100m", "memory": "64Mi"},
-                            },
+                            "ports": [
+                                {"containerPort": 8443, "name": "kube-rbac-proxy", "protocol": "TCP"}
+                            ],
+                            "imagePullPolicy": "Always",
                             "volumeMounts": [
-                                {"mountPath": "/etc/oauth/config", "name": "oauth-config"},
-                                {"mountPath": "/etc/tls/private", "name": "tls-certificates"},
+                                {"mountPath": "/etc/kube-rbac-proxy", "name": "kube-rbac-proxy-config"},
+                                {"mountPath": "/etc/tls/private", "name": "kube-rbac-proxy-tls-certificates"},
+                            ],
+                            "image": "registry.redhat.io/rhoai/odh-kube-auth-proxy-rhel9@sha256:e4047ff1041a8b1efd21110751d0f87520d5483a7e26c35844f5d8d165de8177",
+                            "args": [
+                                "--secure-listen-address=0.0.0.0:8443",
+                                "--upstream=http://127.0.0.1:8888/",
+                                "--logtostderr=true",
+                                "--v=10",
+                                "--proxy-endpoints-port=8444",
+                                "--config-file=/etc/kube-rbac-proxy/config-file.yaml",
+                                "--tls-cert-file=/etc/tls/private/tls.crt",
+                                "--tls-private-key-file=/etc/tls/private/tls.key",
+                                "--auth-header-fields-enabled=true",
+                                "--auth-header-user-field-name=X-Auth-Request-User",
+                                "--auth-header-groups-field-name=X-Auth-Request-Groups",
                             ],
                         },
                     ],
@@ -206,11 +211,25 @@ def default_notebook(
                     "volumes": [
                         {"name": name, "persistentVolumeClaim": {"claimName": name}},
                         {"emptyDir": {"medium": "Memory"}, "name": "shm"},
+                        # {
+                        #     "name": "oauth-config",
+                        #     "secret": {"defaultMode": 420, "secretName": f"{name}-oauth-config"},
+                        # },
+                        # {"name": "tls-certificates", "secret": {"defaultMode": 420, "secretName": f"{name}-tls"}},
                         {
-                            "name": "oauth-config",
-                            "secret": {"defaultMode": 420, "secretName": f"{name}-oauth-config"},
+                            "name": "kube-rbac-proxy-config",
+                            "configMap": {
+                                "defaultMode": 420,
+                                "name": "test-kube-rbac-proxy-config"
+                            }
                         },
-                        {"name": "tls-certificates", "secret": {"defaultMode": 420, "secretName": f"{name}-tls"}},
+                        {
+                            "name": "kube-rbac-proxy-tls-certificates",
+                            "secret": {
+                                "defaultMode": 420,
+                                "secretName": "test-kube-rbac-proxy-tls"
+                            }
+                        }
                     ],
                 }
             }

tests/workbenches/notebook-controller/test_spawning.py

@@ -51,14 +51,14 @@ def test_create_simple_notebook(
         [
             pytest.param(
                 {
-                    "name": "test-oauth-notebook",
+                    "name": "test-auth-notebook",
                     "add-dashboard-label": True,
                 },
-                {"name": "test-oauth-notebook"},
+                {"name": "test-auth-notebook"},
                 {
-                    "namespace": "test-oauth-notebook",
-                    "name": "test-oauth-notebook",
-                    "oauth_annotations": {
+                    "namespace": "test-auth-notebook",
+                    "name": "test-auth-notebook",
+                    "auth_annotations": {
                         "notebooks.opendatahub.io/auth-sidecar-cpu-request": "200m",
                         "notebooks.opendatahub.io/auth-sidecar-memory-request": "128Mi",
                         "notebooks.opendatahub.io/auth-sidecar-cpu-limit": "500m",
@@ -69,18 +69,18 @@ def test_create_simple_notebook(
         ],
         indirect=True,
     )
-    def test_oauth_container_resource_customization(
+    def test_auth_container_resource_customization(
         self,
         unprivileged_client: DynamicClient,
         unprivileged_model_namespace: Namespace,
         users_persistent_volume_claim: PersistentVolumeClaim,
         default_notebook: Notebook,
     ):
         """
-        Test that OAuth container resource requests and limits can be customized using annotations.
+        Test that Auth container resource requests and limits can be customized using annotations.
 
-        This test verifies that when a Notebook CR is created with custom OAuth container resource
-        annotations, the spawned pod has the OAuth container with the specified resource values.
+        This test verifies that when a Notebook CR is created with custom Auth container resource
+        annotations, the spawned pod has the Auth container with the specified resource values.
         """
         notebook_pod = Pod(
             client=unprivileged_client,
@@ -90,42 +90,42 @@ def test_oauth_container_resource_customization(
         notebook_pod.wait()
         notebook_pod.wait_for_condition(condition=Pod.Condition.READY, status=Pod.Condition.Status.TRUE)
 
-        # Verify OAuth container has the expected resource values
-        oauth_container = self._get_oauth_container(pod=notebook_pod)
-        assert oauth_container, "OAuth proxy container not found in the pod"
+        # Verify Auth container has the expected resource values
+        auth_container = self._get_auth_container(pod=notebook_pod)
+        assert auth_container, "Auth proxy container not found in the pod"
 
         # Check CPU request
-        assert oauth_container.resources.requests["cpu"] == "200m", (
-            f"Expected CPU request '200m', got '{oauth_container.resources.requests['cpu']}'"
+        assert auth_container.resources.requests["cpu"] == "200m", (
+            f"Expected CPU request '200m', got '{auth_container.resources.requests['cpu']}'"
         )
 
         # Check memory request
-        assert oauth_container.resources.requests["memory"] == "128Mi", (
-            f"Expected memory request '128Mi', got '{oauth_container.resources.requests['memory']}'"
+        assert auth_container.resources.requests["memory"] == "128Mi", (
+            f"Expected memory request '128Mi', got '{auth_container.resources.requests['memory']}'"
         )
 
         # Check CPU limit
-        assert oauth_container.resources.limits["cpu"] == "500m", (
-            f"Expected CPU limit '500m', got '{oauth_container.resources.limits['cpu']}'"
+        assert auth_container.resources.limits["cpu"] == "500m", (
+            f"Expected CPU limit '500m', got '{auth_container.resources.limits['cpu']}'"
         )
 
         # Check memory limit
-        assert oauth_container.resources.limits["memory"] == "256Mi", (
-            f"Expected memory limit '256Mi', got '{oauth_container.resources.limits['memory']}'"
+        assert auth_container.resources.limits["memory"] == "256Mi", (
+            f"Expected memory limit '256Mi', got '{auth_container.resources.limits['memory']}'"
         )
 
-    def _get_oauth_container(self, pod: Pod):
+    def _get_auth_container(self, pod: Pod):
         """
-        Find and return the OAuth proxy container from the pod spec.
+        Find and return the Auth proxy container from the pod spec.
 
         Args:
             pod: The pod instance to search
 
         Returns:
-            The OAuth container if found, None otherwise
+            The Auth container if found, None otherwise
         """
         containers = pod.instance.spec.containers
         for container in containers:
-            if container.name == "oauth-proxy":
+            if container.name == "kube-rbac-proxy":
                 return container
         return None

utilities/constants.py

@@ -190,7 +190,7 @@ class KserveAuth:
         SECURITY: str = f"security.{ApiGroups.OPENDATAHUB_IO}/enable-auth"
 
     class Notebook:
-        INJECT_OAUTH: str = f"notebooks.{ApiGroups.OPENDATAHUB_IO}/inject-oauth"
+        INJECT_AUTH: str = f"notebooks.{ApiGroups.OPENDATAHUB_IO}/inject-auth"
 
     class OpenDataHubIo:
         MANAGED: str = Annotations.OpenDataHubIo.MANAGED