Description of problem:

when running a Notebook and trying to access the Pipeline application server, the user is expected to provide a the server's route and a valid OpenShift token to access it.

But the notebook user cannot query the available routes, and the token available in the Notebook is refused by the server.

(app-root) (app-root) oc get routes
Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:psap:psap" cannot list resource "routes" in API group "route.openshift.io" in the namespace "psap"

Prerequisites (if any, like setup, operators/versions):

1. create a DSProject for a basic user, and create a Notebook inside it
2. create a DSPApplication in the user project (from the command outside of the notebook, it doesn't work from inside, for the same reason as the route query fails)
3. install the kfp_tekton module (cf RHODS-8022)

pip install kfp_tekton==1.5.* --quiet

Steps to Reproduce

1. try to query the route
2. with the route manually defined, try to connect to the server with the notebook token

Actual results:

(app-root) (app-root) oc get routes
Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:psap:psap" cannot list resource "routes" in API group "route.openshift.io" in the namespace "psap"

and the token is rejected

Reason: Forbidden

Expected results:

1. The route can be queried
2. The token can be easily accessed

Reproducibility (Always/Intermittent/Only Once):

always

Build Details:

Tested in RHODS 1.25-rc1 even if Pipelines got removed from this version.
Reported as early as possible to help things moving forward.

Workaround:

• Retrieve the route from elsewhere
• Retrieve the token from the user account, after oc login --username=...

Additional info:

Discussed in slack.