Add user token in kind

Signed-off-by: lucferbux <[email protected]>
kubeflow · Nov 8, 2024 · 23be744 · 23be744
1 parent d0adca2
commit 23be744
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 1 deletion.
diff --git a/clients/ui/frontend/src/shared/api/apiUtils.ts b/clients/ui/frontend/src/shared/api/apiUtils.ts
@@ -1,6 +1,7 @@
 import { APIOptions } from '~/shared/api/types';
 import { EitherOrNone } from '~/shared/typeHelpers';
 import { ModelRegistryBody } from '~/app/types';
+import { USER_ACCESS_TOKEN } from '~/shared/utilities/const';
 
 export const mergeRequestInit = (
   opts: APIOptions = {},
@@ -60,6 +61,19 @@ const callRestJSON = <T>(
     requestData = JSON.stringify(data);
   }
 
+  // Get from the browser storage the value from the key USER_ACCESS_TOKEN
+  // and set it as the value for the header key 'x-forwarded-access-token'
+  // This is a security measure to ensure that the user is authenticated
+  // before making any API calls. Local Storage is not secure, but it is
+  // enough for this PoC.
+  const token = localStorage.getItem(USER_ACCESS_TOKEN);
+  if (token) {
+    otherOptions.headers = {
+      ...otherOptions.headers,
+      [USER_ACCESS_TOKEN]: token,
+    };
+  }
+
   return fetch(`${host}${path}${searchParams ? `?${searchParams}` : ''}`, {
     ...otherOptions,
     ...(contentType && { headers: { 'Content-Type': contentType } }),

diff --git a/clients/ui/frontend/src/shared/utilities/const.ts b/clients/ui/frontend/src/shared/utilities/const.ts
@@ -1,4 +1,6 @@
 // TODO: [Env Handling] Fetch the .env variable here.
 const POLL_INTERVAL = 30000;
 
+export const USER_ACCESS_TOKEN = 'x-forwarded-access-token';
+
 export { POLL_INTERVAL };
diff --git a/clients/ui/manifests/user-rbac/admin-rbac.yaml b/clients/ui/manifests/user-rbac/admin-rbac.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: admin-user
+    namespace: kube-system
diff --git a/clients/ui/manifests/user-rbac/kustomization.yaml b/clients/ui/manifests/user-rbac/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - admin-rbac.yaml
diff --git a/clients/ui/scripts/deploy_kind_cluster.sh b/clients/ui/scripts/deploy_kind_cluster.sh
@@ -41,6 +41,15 @@ kubectl apply -n kubeflow -k ./manifests/base
 echo "Waiting Model Registry UI to be available..."
 kubectl wait --for=condition=available -n kubeflow deployment/model-registry-ui --timeout=1m
 
+# Step 5: Apply admin user service account in the cluster
+echo "Applying admin user service account and rolebinding..."
+kubectl apply -k ./manifests/user-rbac
+
+# Step 6: Generate token for admin user and display it
+echo "Generating token for admin user, copy the following token in the local storage with key 'x-forwarded-access-token'..."
+echo -e "\033[32m$(kubectl -n kube-system create token admin-user)\033[0m"
+
 # Step 5: Port-forward the service
-echo "Model Registry should be available in localhost:8080"
+echo "Portfowarding Model Registry UI..."
+echo -e "\033[32mDashboard available in http://localhost:8080\033[0m"
 kubectl port-forward svc/model-registry-ui-service -n kubeflow 8080:8080