feat: option to disable create default userGroup on ODH and self-managed #1278

Closed
wants to merge 3 commits into from

Member

@zdtsw zdtsw commented Oct 7, 2024

Description

Use env variable ODH_USE_EXTERNAL_AUTH to disable user group creation.
This works by manually creating a subscription and setting the value to "true".
Installing the operator from OperatorHub will still, by default, create the group.

(a different solution than #1276)

https://issues.redhat.com/browse/RHOAIENG-14214

How Has This Been Tested?

  • delete odh-admin group from cluster
  • create
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: rhoai-catalog-dev
  namespace: openshift-marketplace
spec:
  displayName: usergroup
  image: 'quay.io/wenzhou/opendatahub-operator-catalog:v2.14.1007'
  publisher: wen
  sourceType: grpc

and

apiVersion: operators.coreos.com/v1alpha1
kind: Subscription 
metadata:
  name: opendatahub-operator
  namespace: openshift-operators
spec:
  name: opendatahub-operator
  channel: fast
  source: rhoai-catalog-dev
  sourceNamespace: openshift-marketplace
  config:
    env:
      - name: "ODH_DISABLE_USERGROUP"
        value: "true"
  • see operator installed
  • manually create DSCI
  • check no group created afterwards

Screenshot or short clip

Merge criteria

  • You have read the contributors guide.
  • Commit messages are meaningful - have a clear and concise summary and detailed explanation of what was changed and why.
  • Pull Request contains a description of the solution, a link to the JIRA issue, and to any dependent or related Pull Request.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

- this only works if user create subscription and pass in variable

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

openshift-ci bot commented Oct 7, 2024

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


openshift-ci bot commented Oct 7, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from zdtsw. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
disableUserGroup, exist := os.LookupEnv("DISABLE_USERGROUP")
if exist && disableUserGroup != "false" {
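Review bot: the condition on the last line, `exist && disableUserGroup != "false"`, treats every set value other than the exact string "false" as a request to disable, so an empty value, "0", "no" or "False" all skip creating the default user group. Match an explicit positive value, or parse with strconv.ParseBool and return an error on anything it cannot parse, and log which branch was taken so the skipped group creation is visible in the operator log.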
Contributor

@lburgazzoli lburgazzoli Oct 7, 2024

nit: since we don't need to distinguish between an empty value and an unset value, the check can probably be simplified with os.Getenv("DISABLE_USERGROUP") == "true"

if err != nil {
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
disableUserGroup, exist := os.LookupEnv("DISABLE_USERGROUP")
Contributor

@lburgazzoli lburgazzoli Oct 7, 2024

Ideally the env var name should be defined as a constant and better to add a prefix i.e. ODH_ to avoid any risk with env vars automatically injected in the pod or defined by the container.

- update README

Signed-off-by: Wen Zhou <wenzhou@redhat.com>

@lphiri lphiri left a comment

@zdtsw @lburgazzoli I wonder if we should make this config closer to what we want things to be in the future. Disabling group is only one aspect, but things like secret generation are also broken with external oidc because it uses OauthClient CR. Would renaming the environment to point to why we are making this change help, for example ODH_USE_EXTERNAL_AUTH? This would be closer to what we eventually want to add to the DSCI API like Luca was suggesting.

@lburgazzoli
Contributor

@lphiri yep that makes sense

Signed-off-by: Wen Zhou <wenzhou@redhat.com>
@zdtsw zdtsw marked this pull request as ready for review October 7, 2024 15:42
@openshift-ci openshift-ci bot requested a review from grdryn October 7, 2024 15:42
@zdtsw
Member Author

zdtsw commented Oct 7, 2024

/test opendatahub-operator-e2e

if err != nil {
return reconcile.Result{}, err
// Check if user opted for disabling creating user groups
if os.Getenv("ODH_USE_EXTERNAL_AUTH") == "true" {
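Review bot: the exact comparison `os.Getenv("ODH_USE_EXTERNAL_AUTH") == "true"` means "True", "TRUE" or "1" silently leave group creation enabled, and nothing in these lines tells the admin that the value was ignored; parse with strconv.ParseBool and log or return an error for unrecognised values. The comment above the check still says "disabling creating user groups" while the variable name is about external auth, so the comment should state what the variable actually switches off.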
Member

When upgrading, what is the default value for this env variable?

Member Author

If the value is set in the subscription, it will persist even after a later upgrade to a new Operator version. Subscription should not get changed.

@VaishnaviHire
Member

/lgtm

Just a small request to keep the env name platform agnostic.

@adelton
Contributor

adelton commented Oct 9, 2024

@zdtsw @lburgazzoli I wonder if we should make this config closer to what we want things to be in the future. Disabling group is only one aspect, but things like secret generation are also broken with external oidc because it uses OauthClient CR. Would renaming the environment to point to why we are making this change help, for example ODH_USE_EXTERNAL_AUTH? This would be closer to what we eventually want to add to the DSCI API like Luca was suggesting.

I might actually prefer the environment variable name to be very explicit about what effect it has on the functionality.

If at the very end of some revamp we say "now adding ODH_USE_EXTERNAL_AUTH which acts as ODH_DISABLE_USERGROUP, ODH_DISABLE_SECRETS, and ODH_DISABLE_SOMETHING_ELSE all being set to true", that is fine. But currently it seems we are overloading that ODH_USE_EXTERNAL_AUTH with multiple "automagic" functional behaviours which are bound to change/evolve in the future, which might be confusing people.
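The trade-off discussed in this thread (one umbrella variable versus explicit per-feature switches) can be made concrete with a small resolver; this is an added example, not code from the pull request or from the operator. The `Toggles` type, `boolEnv` and `ResolveToggles` are hypothetical names, and `ODH_DISABLE_SECRETS` is used only because it appears as a hypothetical in the comment above.

```go
package main

import (
	"fmt"
	"strconv"
)

// Toggles holds the explicit switches. ODH_DISABLE_SECRETS is a name used
// hypothetically in the thread, not an existing operator setting.
type Toggles struct {
	DisableUserGroup bool
	DisableSecrets   bool
}

// boolEnv treats unset as false and rejects values strconv.ParseBool
// cannot parse, so a typo is reported instead of silently picking a default.
func boolEnv(lookup func(string) (string, bool), name string) (bool, error) {
	raw, ok := lookup(name)
	if !ok {
		return false, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("%s=%q is not a boolean", name, raw)
	}
	return v, nil
}

// ResolveToggles expands the umbrella variable into the explicit switches.
func ResolveToggles(lookup func(string) (string, bool)) (Toggles, error) {
	names := []string{"ODH_USE_EXTERNAL_AUTH", "ODH_DISABLE_USERGROUP", "ODH_DISABLE_SECRETS"}
	vals := make([]bool, len(names))
	for i, n := range names {
		v, err := boolEnv(lookup, n)
		if err != nil {
			return Toggles{}, err
		}
		vals[i] = v
	}
	return Toggles{DisableUserGroup: vals[0] || vals[1], DisableSecrets: vals[0] || vals[2]}, nil
}

func main() {
	env := map[string]string{"ODH_USE_EXTERNAL_AUTH": "true"} // constructed sample
	t, err := ResolveToggles(func(k string) (string, bool) { v, ok := env[k]; return v, ok })
	fmt.Println(t, err)
}
```

In a real process `os.LookupEnv` has the signature the resolver expects and can be passed directly as `lookup`.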

@zdtsw
Member Author

zdtsw commented Oct 11, 2024

close it in favor of #1297

@zdtsw zdtsw closed this Oct 11, 2024