
First-class azuread support, oauth 0.11 #1563

Merged
merged 3 commits into from
Feb 4, 2020

Conversation

minrk
Member

@minrk minrk commented Jan 31, 2020

Adds aliases for auth.type = azuread, so

auth:
  type: azuread
  azuread:
    clientId: ...
    clientSecret: ...
    tenantId: ...
    usernameClaim: ...
    callbackUrl: "https://<your_jupyterhub_host>/hub/oauth_callback"

should work now. OAuthenticator is updated to 0.11, which fixes some azuread issues, including the requirement to set tenant id via env, not just standard config.

/cc @cnf

@consideRatio
Member

consideRatio commented Jan 31, 2020

After setting the authenticator_class as suggested, this LGTM. What are your thoughts about cutting the final z2jh release @minrk? Or add a beta.4 to test oauthenticator 0.11.0 for a while as well?

Co-Authored-By: Erik Sundell <erik.i.sundell@gmail.com>
@minrk
Member Author

minrk commented Feb 1, 2020

Since oauthenticator got a big refactor, let's do beta.4 in case there are regressions we haven't caught in testing (oauth is notoriously hard to test rigorously).

@minrk minrk changed the title First-class azuread support First-class azuread support, oauth 0.11 Feb 1, 2020
@consideRatio consideRatio merged commit b3c4d92 into jupyterhub:master Feb 4, 2020
@cnf

cnf commented Feb 5, 2020

Running --version 0.9.0-beta.3.n022.hbc907f7 atm, and AD auth is working with the config mentioned by @minrk at the top.

I do have a question on how to configure this while keeping secrets out of the values.yaml file. Maybe read them from k8s secrets?

@consideRatio
Member

@cnf I typically maintain two helm template value files for my helm chart deployments. One without sensitive stuff (values.yaml), and one with sensitive stuff (secret-values.yaml).

# values.yaml
auth:
  type: azuread
  azuread:
    clientId: ...
    tenantId: ...
    usernameClaim: ...
    callbackUrl: "https://<your_jupyterhub_host>/hub/oauth_callback"
# secret-values.yaml
# clientSecret must sit at the same path as the rest of the azuread block,
# i.e. auth.azuread.clientSecret, so Helm merges it into that block.
auth:
  azuread:
    clientSecret: ...

I sometimes group everything into secret-values.yaml if they relate and I find it troublesome to separate them for readability reasons.

Further, all files named secret, or in a folder called secret, etc., are automatically encrypted on commit by the CLI called git-crypt.

I install using @minrk's built binaries of git-crypt: https://github.com/minrk/git-crypt-bin
git-crypt itself is found here: https://github.com/AGWA/git-crypt

.gitattributes for use with git-crypt

# NOTE: The syntax deviates from the .gitignore syntax, see this note for more info:
#       https://github.com/AGWA/git-crypt#gitattributes-file

# Encrypt / Decrypt anything including "id_rsa" or "secret" in the filename
**id_rsa** filter=git-crypt diff=git-crypt
**secret** filter=git-crypt diff=git-crypt
# Encrypt all files _directly under_ a folder with "secret" in its name.
# WARNING:
# - my-secret-folder/a.txt                  would be encrypted
# - my-secret-folder/another-folder/b.txt   would not be encrypted
**/*secret*/* filter=git-crypt diff=git-crypt
*secret*/* filter=git-crypt diff=git-crypt
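
The two-file layout from the comment above, checked the way Helm sees it, as an added example that is not part of this thread or of the z2jh chart: successive `-f values.yaml -f secret-values.yaml` files are deep-merged in order, so the keys in secret-values.yaml must sit at the same path as the rest of the azuread block. The parsed files are constructed inline as dicts (a real run would `yaml.safe_load` them), and the helper names are my own.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the two parsed Helm values files (what a YAML loader
# would return for values.yaml and secret-values.yaml); every value is a placeholder.
PUBLIC_VALUES = {
    "auth": {
        "type": "azuread",
        "azuread": {
            "clientId": "00000000-0000-0000-0000-000000000000",
            "tenantId": "11111111-1111-1111-1111-111111111111",
            "usernameClaim": "name",
            "callbackUrl": "https://hub.example.org/hub/oauth_callback",
        },
    }
}
SECRET_VALUES = {"auth": {"azuread": {"clientSecret": "constructed-not-a-real-secret"}}}
# The same secret one level too high (auth.clientSecret): merged in, but silently ignored.
MISPLACED_SECRET_VALUES = {"auth": {"clientSecret": "constructed-not-a-real-secret"}}
SECRET_KEY_RE = re.compile(r"secret|password|token", re.IGNORECASE)
REQUIRED_AZUREAD = ("clientId", "clientSecret", "tenantId", "callbackUrl")


def helm_merge(base: Dict, override: Dict) -> Dict:
    """Merge like successive `helm -f` files: maps merge recursively, otherwise the later file wins."""
    out = dict(base)  # shallow copy; nested maps are rebuilt below, so inputs stay untouched
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = helm_merge(out[key], value)
        else:
            out[key] = value
    return out


def secret_like_paths(values: Dict, prefix: str = "") -> List[str]:
    """Dotted paths of credential-looking keys; run on values.yaml before committing it in the clear."""
    found = []
    for key, value in values.items():
        path = prefix + key
        if isinstance(value, dict):
            found.extend(secret_like_paths(value, path + "."))
        elif SECRET_KEY_RE.search(key):
            found.append(path)
    return found


def missing_azuread_keys(values: Dict) -> List[str]:
    """Required auth.azuread keys absent after merging; empty means the two files' paths lined up."""
    azuread = values.get("auth", {}).get("azuread", {})
    return [key for key in REQUIRED_AZUREAD if key not in azuread]
```

Running `secret_like_paths` over the non-secret file and `missing_azuread_keys` over the merged result is the pre-commit check: the first catches a clientSecret that leaked into values.yaml, the second catches a secret-values.yaml that nested the key at the wrong depth.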

@minrk minrk deleted the azuread branch February 8, 2020 14:29
@manics manics mentioned this pull request Feb 22, 2020