Add sanitize_label function

nebari-dev · Jul 12, 2023 · 6d498f5 · 6d498f5
1 parent e6ef4b8
commit 6d498f5
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -131,3 +131,6 @@ dmypy.json
 
 # vscode
 .vscode/
+
+# Mac
+.DS_Store
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
 # Nebari Workflow Controller
-A kubernetes admission controller to enable volumeMount permisions on Argo Workflows on Nebari and provide a convenience method for deploying jupyterlab-like workflows for users.
+A kubernetes admission controller to enable volumeMount permissions on Argo Workflows on Nebari and provide a convenience method for deploying jupyterlab-like workflows for users.
 
 # Run project
 - `pip install .`

diff --git a/nebari_workflow_controller/utils.py b/nebari_workflow_controller/utils.py
@@ -1,6 +1,7 @@
 import base64
 import logging
 import os
+import re
 import traceback
 
 from keycloak import KeycloakAdmin
@@ -70,6 +71,16 @@ def validate_service_account(service_account: str) -> bool:
     return False
 
 
+def sanitize_label(s: str):
+    """
+    Modify string to match username generated by Jupyterhub.
+    Also ensures it is a valid Kubernetes 'name'.
+    """
+    s = s.lower()
+    pattern = r"[^A-Za-z0-9_-]"
+    return re.sub(pattern, lambda x: "-" + hex(ord(x.group()))[2:], s)
+
+
 def get_keycloak_user(request):
     kcadm = KeycloakAdmin(
         server_url=os.environ["KEYCLOAK_URL"],
@@ -127,6 +138,9 @@ def get_keycloak_uid_username(
                 for user in kcadm.get_users():
                     if user["username"] == preferred_username:
                         return user["id"], preferred_username
+                raise NWFCUnsupportedException(
+                    "Workflow was created by system-serviceaccount, but user not found in Keycloak. Check that the `PREFERRED_USERNAME` is correctly set in your JupyterLab server."
+                )
 
     elif label_added_by_argo == "workflows.argoproj.io/resubmitted-from-workflow":
         raise NWFCUnsupportedException(
@@ -196,13 +210,14 @@ def find_invalid_volume_mount(
                         return denyReason
 
 
-def get_user_pod_spec(keycloak_user):
+def get_user_pod_spec(keycloak_user: KeycloakUser):
     config.incluster_config.load_incluster_config()
     k8s_client = client.CoreV1Api()
 
+    sanitized_username = sanitize_label(keycloak_user.username)
     jupyter_pod_list = k8s_client.list_namespaced_pod(
         os.environ["NAMESPACE"],
-        label_selector=f"hub.jupyter.org/username={keycloak_user.username}",
+        label_selector=f"hub.jupyter.org/username={sanitized_username}",
     ).items
 
     if len(jupyter_pod_list) > 1:
@@ -312,7 +327,13 @@ def mutate_template(
     spec_keep_portions,
     template,
 ):
-    target = "container" if "container" in template else "script" if "script" in template else None
+    target = (
+        "container"
+        if "container" in template
+        else "script"
+        if "script" in template
+        else None
+    )
 
     if target is None:
         return