From 46c54f5bfead365121d44c450c5357ee965ff9d1 Mon Sep 17 00:00:00 2001
From: Bobbins228
Date: Fri, 22 Mar 2024 15:46:59 +0000
Subject: [PATCH 1/5] Made ODH cert default cert for Token Auth
---
 src/codeflare_sdk/cluster/auth.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 36233a0ed..70d9ca68b 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -101,12 +101,16 @@ def login(self) -> str:
 """
 global config_path
 global api_client
+ odh_ca_path = "/etc/pki/tls/custom-certs/ca-bundle.crt"
 try:
 configuration = client.Configuration()
 configuration.api_key_prefix["authorization"] = "Bearer"
 configuration.host = self.server
 configuration.api_key["authorization"] = self.token
 if self.skip_tls == False and self.ca_cert_path == None:
+ if os.path.isfile(odh_ca_path):
+ print(f"Authenticated with certificate located at {odh_ca_path}")
+ configuration.ssl_ca_cert = odh_ca_path
 configuration.verify_ssl = True
 elif self.skip_tls == False:
 configuration.ssl_ca_cert = self.ca_cert_path
From 53e9192090687f1e820bbc5469311ca0a5e42c3e Mon Sep 17 00:00:00 2001
From: Bobbins228
Date: Mon, 13 May 2024 12:25:16 +0100
Subject: [PATCH 2/5] Added env variable option for setting ca-cert path
---
 src/codeflare_sdk/cluster/auth.py | 26 ++++++++++++++++++--------
 tests/auth-test.crt | 20 ++++++++++++++++++++
 tests/unit_test.py | 23 +++++++++++++++++------
 3 files changed, 55 insertions(+), 14 deletions(-)
 create mode 100644 tests/auth-test.crt
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 70d9ca68b..91dadb058 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
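Review bot: The added `print(f"Authenticated with certificate located at {odh_ca_path}")` in the `login` hunk of [PATCH 1/5] runs before any request reaches the API server, so it reports authentication when the code has only chosen a CA bundle for TLS verification; the same wording is carried into the rewrite of this branch in [PATCH 2/5]. A message such as `print(f"Using CA bundle at {odh_ca_path} for TLS verification")` says what actually happened and does not leave a misleading line in the output when the later token check fails. `os.path.isfile` only shows that the path is a regular file, not that it holds a usable PEM bundle, and a short comment above the check should say so. The body of `login` continues outside the hunk.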
@@ -81,7 +81,7 @@ def __init__(
 token: str,
 server: str,
 skip_tls: bool = False,
- ca_cert_path: str = None,
+ ca_cert_path: str = "/etc/pki/tls/custom-certs/ca-bundle.crt",
 ):
 """
 Initialize a TokenAuthentication object that requires a value for `token`, the API Token
@@ -101,19 +101,29 @@ def login(self) -> str:
 """
 global config_path
 global api_client
- odh_ca_path = "/etc/pki/tls/custom-certs/ca-bundle.crt"
 try:
 configuration = client.Configuration()
 configuration.api_key_prefix["authorization"] = "Bearer"
 configuration.host = self.server
 configuration.api_key["authorization"] = self.token
- if self.skip_tls == False and self.ca_cert_path == None:
- if os.path.isfile(odh_ca_path):
- print(f"Authenticated with certificate located at {odh_ca_path}")
- configuration.ssl_ca_cert = odh_ca_path
+ ca_path_env = os.environ.get("CA_CERT_PATH")
+
+ if self.skip_tls == False:
+ if ca_path_env != None:
+ self.ca_cert_path = ca_path_env
+
+ if self.ca_cert_path == None:
+ configuration.ssl_ca_cert = None
+ elif os.path.isfile(self.ca_cert_path):
+ print(
+ f"Authenticated with certificate located at {self.ca_cert_path}"
+ )
+ configuration.ssl_ca_cert = self.ca_cert_path
+ else:
+ raise FileNotFoundError(
+ f"Certificate file not found at {self.ca_cert_path}"
+ )
 configuration.verify_ssl = True
- elif self.skip_tls == False:
- configuration.ssl_ca_cert = self.ca_cert_path
 else:
 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 print("Insecure request warnings have been disabled")
diff --git a/tests/auth-test.crt b/tests/auth-test.crt
new file mode 100644
index 000000000..f470c6326
--- /dev/null
+++ b/tests/auth-test.crt
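Review bot: The new `raise FileNotFoundError(...)` in the `login` hunk of [PATCH 2/5] sits inside the `try:` whose handlers are outside the hunk, so it is not visible here whether the error reaches the caller; if a handler there catches broadly, a missing CA file would surface as an ordinary login failure. Failing closed on a missing bundle, rather than silently verifying against a different trust store, is the right behaviour, but it is a new way for `login` to fail and the docstring does not mention it. I would add a docstring line such as `Raises FileNotFoundError if TLS verification is enabled and ca_cert_path is not an existing file.` and confirm that the handlers let it propagate.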
@@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDOTCCAiGgAwIBAgIUENjaZDrvhc5uV3j7GI8deZJwc+YwDQYJKoZIhvcNAQEL +BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM +GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MTMxMTE1NDZaFw0yNTA1 +MTMxMTE1NDZaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw +HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDEYYk81jvPijZXXeI9cByf5EIbOVaBTH7I51J9EKG5 +Y/KRXI43WgvVEiZ3jP8LJnSD79WhBiL6TgadQZje5ndroRYDM9vyqz1OUZapnOO+ +yzl01y/qSsH8Kn88eLAzkE9HSu4QN9PuJtySyksjDFQJ6kjyE8ZHUSorur0FlLLf +IToFgTuaIPDYjvFRchOCfZ7sV/MF7LxqFfFnaWOYvH41ZdvqJiRcVsMi+mYs9/I/ +I72IMXwVnQDVnK8H84ntEmHNN6NoVuMKla0So4/wKcHJSCgS3axLI2Ka2aaaJo9K +l2cn21NOyodF+DaSFy7qaGRXxoTQ2k9tUrSvxkBJvRmBAgMBAAGjITAfMB0GA1Ud +DgQWBBRTK8mO5XMcmR+Xg/PVNFnvz4eubDANBgkqhkiG9w0BAQsFAAOCAQEAlZva +6ws3zRff7u0tWT2JJaE1uPqsuAdHtVvEyAMp2QvYfyrgADTroUTaSU4p6ppX/t7v +ynHhuzR6UOVkuY0/CH1P3UUGrEPNOXT8i2BDwL+j4y2K2aRN8zU0Nu/IVePBhu+4 +Jdt+3P7/MuwiCON5JukgxUYlQKhVhzFj7GOd2+Ca+fh8Siq3tkWDSN54+90fgylQ ++74Yfya1NVabpzLqP3Isqu2XQhEVaBFvj8Yu0h83e3D8LeQToC3mVMF4yy5BZ9Ty +K66YGlGQgszWEUFPEdsB8Dj/iJMhkWXuyc3u/w0s3t7rXeMYYgr+xrEeK+g0oyB5 +xeZuMjd567Znmu5oMw== +-----END CERTIFICATE----- diff --git a/tests/unit_test.py b/tests/unit_test.py index 1d4ca3616..45e046702 100644 --- a/tests/unit_test.py +++ b/tests/unit_test.py 
@@ -123,27 +123,30 @@ def test_token_auth_creation():
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
 token_auth = TokenAuthentication(token="token", server="server", skip_tls=True)
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == True
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
 token_auth = TokenAuthentication(token="token", server="server", skip_tls=False)
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == None
+ assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
 token_auth = TokenAuthentication(
- token="token", server="server", skip_tls=False, ca_cert_path="path/to/cert"
+ token="token",
+ server="server",
+ skip_tls=False,
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
 )
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == "path/to/cert"
+ assert token_auth.ca_cert_path == f"{parent}/tests/auth-test.crt"
 except Exception:
 assert 0 == 1
@@ -174,7 +177,15 @@ def test_token_auth_login_tls(mocker):
 token="testtoken",
 server="testserver:6443",
 skip_tls=False,
- ca_cert_path="path/to/cert",
+ ca_cert_path=f"{parent}/tests/auth-test.crt",
+ )
+ assert token_auth.login() == ("Logged into testserver:6443")
+
+ os.environ["CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+ token_auth = TokenAuthentication(
+ token="testtoken",
+ server="testserver:6443",
+ skip_tls=False,
 )
 assert token_auth.login() == ("Logged into testserver:6443")
From 6a00157fe1f6beb417cff9856d807f05efcdf8d9 Mon Sep 17 00:00:00 2001
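Review bot: `os.environ["CA_CERT_PATH"] = ...` in the `test_token_auth_login_tls` hunk of [PATCH 2/5] is never undone, so the variable stays set for every test that runs afterwards in the same process and, with this commit's `login`, replaces any `ca_cert_path` those tests pass explicitly. The renamed assignment in [PATCH 3/5] has the same problem, and the set/`pop` pair added to `test_token_auth_creation` in [PATCH 4/5] still leaks if an assertion between the two lines fails. Scoping the change to the test avoids this, e.g. `mocker.patch.dict(os.environ, {"CA_CERT_PATH": f"{parent}/tests/auth-test.crt"})`, since this test already takes the `mocker` fixture.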
From: Bobbins228
Date: Wed, 15 May 2024 14:24:24 +0100
Subject: [PATCH 3/5] Updated env var
---
 docs/authentication.md | 2 +-
 src/codeflare_sdk/cluster/auth.py | 4 ++--
 tests/unit_test.py | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs/authentication.md b/docs/authentication.md
index 8812a6fc0..bb27f1716 100644
--- a/docs/authentication.md
+++ b/docs/authentication.md
@@ -17,7 +17,7 @@ auth.login()
 # log out with auth.logout()
 ```
 Setting `skip_tls=True` allows interaction with an HTTPS server bypassing the server certificate checks although this is not secure.
-You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`.
+You can pass a custom certificate to `TokenAuthentication` by using `ca_cert_path="/path/to/cert"` when authenticating provided `skip_tls=False`. Alternatively you can set the environment variable `CF_SDK_CA_CERT_PATH` to the path of your custom certificate.
 ## Method 2 Kubernetes Config File Authentication (Default location)
 If a user has authenticated to their cluster by alternate means e.g. run a login command like `oc login --token= --server=` their kubernetes config file should have updated.
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index 91dadb058..e22cd8283 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -106,10 +106,10 @@ def login(self) -> str:
 configuration.api_key_prefix["authorization"] = "Bearer"
 configuration.host = self.server
 configuration.api_key["authorization"] = self.token
- ca_path_env = os.environ.get("CA_CERT_PATH")
+ ca_path_env = os.environ.get("CF_SDK_CA_CERT_PATH", self.ca_cert_path)
 if self.skip_tls == False:
- if ca_path_env != None:
+ if ca_path_env != self.ca_cert_path:
 self.ca_cert_path = ca_path_env
 if self.ca_cert_path == None:
diff --git a/tests/unit_test.py b/tests/unit_test.py
index 45e046702..28f21e7d4 100644
--- a/tests/unit_test.py
+++ b/tests/unit_test.py
@@ -181,7 +181,7 @@ def test_token_auth_login_tls(mocker):
 )
 assert token_auth.login() == ("Logged into testserver:6443")
- os.environ["CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
+ os.environ["CF_SDK_CA_CERT_PATH"] = f"{parent}/tests/auth-test.crt"
 token_auth = TokenAuthentication(
 token="testtoken",
 server="testserver:6443",
From 85aa438f99ebb6f9d266dd93be18cfd35e5e6316 Mon Sep 17 00:00:00 2001
From: Kevin
Date: Tue, 21 May 2024 17:30:11 -0400
Subject: [PATCH 4/5] init arg should take priority over env var
Signed-off-by: Kevin
---
 src/codeflare_sdk/cluster/auth.py | 24 ++++++++++++++++--------
 tests/unit_test.py | 6 ++++--
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/codeflare_sdk/cluster/auth.py b/src/codeflare_sdk/cluster/auth.py
index e22cd8283..c39fe1d4a 100644
--- a/src/codeflare_sdk/cluster/auth.py
+++ b/src/codeflare_sdk/cluster/auth.py
@@ -32,6 +32,8 @@
 global config_path
 config_path = None
+WORKBENCH_CA_CERT_PATH = "/etc/pki/tls/custom-certs/ca-bundle.crt"
+
 class Authentication(metaclass=abc.ABCMeta):
 """
@@ -81,7 +83,7 @@ def __init__( token: str, server: str, skip_tls: bool = False, - ca_cert_path: str = "/etc/pki/tls/custom-certs/ca-bundle.crt", + ca_cert_path: str = None, ): """ Initialize a TokenAuthentication object that requires a value for `token`, the API Token @@ -91,7 +93,17 @@ def __init__( self.token = token self.server = server self.skip_tls = skip_tls - self.ca_cert_path = ca_cert_path + self.ca_cert_path = self._gen_ca_cert_path(ca_cert_path) + + def _gen_ca_cert_path(self, ca_cert_path: str): + if ca_cert_path is not None: + return ca_cert_path + elif "CF_SDK_CA_CERT_PATH" in os.environ: + return os.environ.get("CF_SDK_CA_CERT_PATH") + elif os.path.exists(WORKBENCH_CA_CERT_PATH): + return WORKBENCH_CA_CERT_PATH + else: + return None def login(self) -> str: """ @@ -106,13 +118,9 @@ def login(self) -> str: configuration.api_key_prefix["authorization"] = "Bearer" configuration.host = self.server configuration.api_key["authorization"] = self.token - ca_path_env = os.environ.get("CF_SDK_CA_CERT_PATH", self.ca_cert_path) - - if self.skip_tls == False: - if ca_path_env != self.ca_cert_path: - self.ca_cert_path = ca_path_env - if self.ca_cert_path == None: + if not self.skip_tls: + if self.ca_cert_path is None: configuration.ssl_ca_cert = None elif os.path.isfile(self.ca_cert_path): print( diff --git a/tests/unit_test.py b/tests/unit_test.py index 28f21e7d4..c9a8fb786 100644 --- a/tests/unit_test.py +++ b/tests/unit_test.py 
@@ -123,19 +123,21 @@ def test_token_auth_creation():
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == False
- assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
+ assert token_auth.ca_cert_path == None
 token_auth = TokenAuthentication(token="token", server="server", skip_tls=True)
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == True
- assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
+ assert token_auth.ca_cert_path == None
+ os.environ["CF_SDK_CA_CERT_PATH"] = f"/etc/pki/tls/custom-certs/ca-bundle.crt"
 token_auth = TokenAuthentication(token="token", server="server", skip_tls=False)
 assert token_auth.token == "token"
 assert token_auth.server == "server"
 assert token_auth.skip_tls == False
 assert token_auth.ca_cert_path == "/etc/pki/tls/custom-certs/ca-bundle.crt"
+ os.environ.pop("CF_SDK_CA_CERT_PATH")
 token_auth = TokenAuthentication(
 token="token",
From 1ea0f1274b1b7618742a531a9036ea67efed69df Mon Sep 17 00:00:00 2001
From: Kevin
Date: Thu, 23 May 2024 12:45:09 -0400
Subject: [PATCH 5/5] add team-a-queue to quicktest unit test cluster
Signed-off-by: Kevin
---
 tests/unit_test.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/tests/unit_test.py b/tests/unit_test.py
index c9a8fb786..1fe139de5 100644
--- a/tests/unit_test.py
+++ b/tests/unit_test.py
@@ -314,7 +314,16 @@ def get_local_queue(group, version, namespace, plural):
 "namespace": "ns",
 },
 "spec": {"clusterQueue": "cluster-queue"},
- }
+ },
+ {
+ "apiVersion": "kueue.x-k8s.io/v1beta1",
+ "kind": "LocalQueue",
+ "metadata": {
+ "name": "team-a-queue",
+ "namespace": "ns",
+ },
+ "spec": {"clusterQueue": "team-a-queue"},
+ },
 ],
 "kind": "LocalQueueList",
 "metadata": {"continue": "", "resourceVersion": "2266811"},
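Review bot: The two `assert token_auth.ca_cert_path == None` lines restored in the `test_token_auth_creation` hunk of [PATCH 4/5] now depend on the machine running the tests, because the constructor consults `CF_SDK_CA_CERT_PATH` and the presence of `/etc/pki/tls/custom-certs/ca-bundle.crt`; on a host where either is present they fail. The test should pin both inputs itself, for example by clearing the variable and patching `os.path.exists` to return `False` before the first construction. The `f` prefix on `f"/etc/pki/tls/custom-certs/ca-bundle.crt"` has no placeholders and can be dropped. The test body starts and ends outside the hunk.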