-
Notifications
You must be signed in to change notification settings - Fork 791
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make use of hub.existingSecret sustainable #2042
Make use of hub.existingSecret sustainable #2042
Conversation
This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there: https://discourse.jupyter.org/t/how-am-i-supposed-to-use-existingsecret/5097/5 |
c.JupyterHub.proxy_auth_token = get_secret_value("JupyterHub.proxy_auth_token") | ||
c.ConfigurableHTTPProxy.auth_token = get_secret_value( | ||
"ConfigurableHTTPProxy.auth_token" | ||
) | ||
c.JupyterHub.cookie_secret = a2b_hex(get_secret_value("JupyterHub.cookie_secret")) | ||
c.CryptKeeper.keys = get_secret_value("CryptKeeper.keys").split(";") | ||
|
||
# load hub.config values, except potentially seeded secrets | ||
for section, sub_cfg in get_config("hub.config", {}).items(): | ||
if section == "JupyterHub" and sub_cfg in ["proxy_auth_token", "cookie_secret"]: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does this disallowed list do? To make sense, sub_config must always be a dict, so these sub_cfg in [list]
conditions will always be False. Or am I misunderstanding something?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes this logic is just malfunctional because I did the mental mistake of thinking sub_cfg was string representing the sub config key name ("proxy_auth_token"
).
Resolved by fcea63f I think.
{{- if .Values.hub.db.password }} | ||
{{- if eq .Values.hub.db.type "mysql" }} | ||
- name: MYSQL_PWD | ||
valueFrom: | ||
secretKeyRef: | ||
name: {{ include "jupyterhub.hub-secret.fullname" . }} | ||
name: {{ include "jupyterhub.hub-existing-secret-or-default.fullname" . }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What if we set this env in juptyerhub_config instead of the pod? Could we get rid of this exceptional behavior?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Absolutely, If you think we can avoid that, it would be great! I has been assuming that we couldn't because it would be consumed by various tools outside our control.
Do you know how we would configure this in a way that covers all situations properly? Manipulating the connection string?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can set os.environ
in jupyterhub_config.py and it should work the same as setting it at the pod level. That will occur soon enough that it will affect the relevant targets (postgres/mysql imports later on in the same process), and also subprocesses, if there are any (there shouldn't be). Only init containers wouldn't get this env, but I don't think that's an issue, and they can always access the same secret if they need to.
So this should work in jupyterhub_config.py (with the appropriate if
s):
os.environ["MYSQL_PWD"] = values.db.password
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Haha doh oh yes of course!!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolved in 3a78453!
It sounds like there's loads of expertise hidden in here 😄 Is there somewhere we can document this knowledge (not necessarily in this PR)? The comments about supporting the use of Z2JH in other Helm charts, and how to configure it, sound particularly valuable to me. |
d49b3e9
to
95408de
Compare
2d535db
to
3987f1e
Compare
3987f1e
to
030f8ad
Compare
Tests added that works! This may be ready for merge now,thank you @minrk and @manics for your review efforts! Test shortcomings
|
3ed6a6d
to
1c721bb
Compare
111f9d7
to
2cadaae
Compare
aa87a81
to
404921f
Compare
d2a6fd8
to
bc0a69c
Compare
It seems that we error with 403 when accessing the jupyterhub api unless our hub.services.test.apiToken is set to something with at least 8 characters. No clue why. Perhaps 7 would be sufficient but 6 characters wasn't.
bc0a69c
to
802a41b
Compare
Done!!! |
Wonderful! |
jupyterhub/zero-to-jupyterhub-k8s#2042 Merge pull request #2042 from consideRatio/pr/existing-secret-reimplemented
Thanks @minrk! https://readthedocs.org/ seems to be down btw if you also got an error message. |
Reimplementation of hub.existingSecret
Use of hub.existingSecret hasn't been a good experience for users because they end up needing to manually update it whenever they change something passed to the hub pod through values.yaml to be read in jupyterhub_config.py.
This PR is solving this by allowing hub.existingSecret be mounted in parallel to the chart managed k8s Secret resource we make use of and then merging values.
Closes #2009.
Documentation preview
Available here.
Breaking changes
hub.existingSecrets
need to recreate their secrets and read the docs on the changes.hub.services
and referencing the api token from the chart managed k8s secret, need to referencehub.services.<service-name>.api_token
going onwards instead ofservice.token.<service-name>
Implementation challenges
lookup
of hub.existingSecret?There are two exceptions to the general rule of merging the config from hub.existingSecret. These exceptions are for
hub.db.password
andhub.config.JupyterHub.proxy_auth_token
, orhub.config.ConfigurableHTTPProxy.auth_token
as the non-deprecated value is called.These specific keys are exceptions as we need to know if they are declared in the chart managed or self managed k8s Secret during template rendering. This is because we reference one k8s Secret or the other as a source of an environment variable on the hub and/or proxy pod during template rendering. And, deciding this is a problem as I don't think we can or should rely on a
lookup
of a non-chart managed k8s resource. I'm actually not sure if this works or not, I just recall this to fail, but even if this recollection is wrong and it would work, it would be good to minimizelookup
calls in general I think due to the unknown performance or ability to do so in all k8s clusters independent on various k8s Secret mechanisms in play.I consider this challenge managed:
kubectl edit
the chart managed k8s secret in place if they want to update ConfigurableHTTPProxy.auth_token.Implementation steps
hub
used for: volume declaration hub pod, mounting env var from JupyterHub.proxy_auth_tokenhub-existing-secret
used for: volume declaration hub pod (conditional)hub-existing-secret-or-default
used for: mounting of hub.db.password env varUnrelated but part of PR