Enable NWC to mutate workflows created by service accounts

[iameskild]

Reference Issues or PRs

This PR is a related to the work being done to integrate Jupyter-Scheduler (#1832).

What does this implement/fix?

Put a x in the boxes that apply

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds a feature)
• Breaking change (fix or feature that would cause existing features not to work as expected)
• Documentation Update
• Code style update (formatting, renaming)
• Refactoring (no functional changes, no API changes)
• Build related changes
• Other (please describe):

Testing

• Did you test the pull request locally?
• Did you add new tests?

Documentation

Access-centered content checklist

Text styling

• The content is written with plain language (where relevant).
• If there are headers, they use the proper header tags (with only one level-one header: H1 or # in markdown).
• All links describe where they link to (for example, check the Nebari website).
• This content adheres to the Nebari style guides.

Non-text content

• All content is represented as text (for example, images need alt text, and videos need captions or descriptive transcripts).
• If there are emojis, there are not more than three in a row.
• Don't use flashing GIFs or videos.
• If the content were to be read as plain text, it still makes sense, and no information is missing.

Any other comments?

[Adam-D-Lewis]

I think this should be a config option somehow. Most other things in Nebari use traitlets, but I'd feel okay using an VALID_ARGO_ROLES ENV var for now.

[iameskild]

Agreed, this is not a good solution. I added a configmap to the nebari-workflow-controller deployment that provides a list of valid Argo roles (here). How does that solution work for you?

[Adam-D-Lewis]

This won't work in some cases. You can't always go back to the actual username b/c "Labels only contain [-_.0-9a-zA-Z]", so any other characters will be turned into "-") so not a 1 to 1 mapping.

[iameskild]

That's a good catch! I realize though that this is an issue elsewhere here. I added both the sanitize_label and desanitize_label functions to handle grabbing usernames from k8s labels. This is how JupyterHub converts usernames with disallowed characters (although I can't find the source code for how they accomplish this).

The two places where this is most important are:

• when we list_namespaced_pods based on keycloak username (here)
• when we grab the username from the label (here)

[Adam-D-Lewis]

see comments

[Adam-D-Lewis]

Have you run the tests? Could we add a test for the new functionality?

[costrouc]

LGTM. But like @Adam-D-Lewis mentioned it would be helpful to have tests for this worklfow.

[iameskild]

@costrouc @Adam-D-Lewis I added new tests that cover the special case where the Workflow was created via a service-account.

[costrouc]

@iameskild this are some detailed tests and I like the fixtures that you created in conftest.py. Thanks! LGTM.

[costrouc]

Since @Adam-D-Lewis is on PTO and we are trying to get a release out for nebari. I am comfortable with merging. @iameskild feel free to merge when it works best.