nebari-dev · costrouc · Feb 16, 2022 · Feb 15, 2022 · Feb 16, 2022 · Feb 16, 2022
diff --git a/qhub/deploy.py b/qhub/deploy.py
@@ -9,6 +9,7 @@
 import tempfile
 import json
 import textwrap
+from urllib.parse import urlencode
 
 from qhub.provider import terraform
 from qhub.utils import (
@@ -653,7 +654,7 @@ def _attempt_keycloak_connection(
 
 def provision_06_kubernetes_keycloak_configuration(stage_outputs, config, check=True):
     directory = "stages/06-kubernetes-keycloak-configuration"
-    realm_id = f"qhub-{config['project_name']}"
+    realm_id = "qhub"
 
     stage_outputs[directory] = terraform.deploy(
         directory=directory,
@@ -664,7 +665,7 @@ def provision_06_kubernetes_keycloak_configuration(stage_outputs, config, check=
             ),
             "authentication": config["security"]["authentication"],
             "default_project_groups": ["users"]
-            if config["security"].get("shared_users_group")
+            if config["security"].get("shared_users_group", False)
             else [],
         },
     )
@@ -741,6 +742,17 @@ def _attempt_keycloak_connection(
 def provision_07_kubernetes_services(stage_outputs, config, check=True):
     directory = "stages/07-kubernetes-services"
 
+    final_logout_uri = f"https://{config['domain']}/hub/login"
+
+    # Compound any logout URLs from extensions so they are are logged out in succession
+    # when Keycloak and JupyterHub are logged out
+    for ext in config.get("tf_extensions", []):
+        if ext.get("logout", "") != "":
+            final_logout_uri = "{}?{}".format(
+                f"https://{config['domain']}/{ext['urlslug']}{ext['logout']}",
+                urlencode({"redirect_uri": final_logout_uri}),
+            )
+
     stage_outputs[directory] = terraform.deploy(
         directory=directory,
         input_vars={
@@ -774,6 +786,12 @@ def provision_07_kubernetes_services(stage_outputs, config, check=True):
             "jupyterhub-overrides": [
                 json.dumps(config.get("jupyterhub", {}).get("overrides", {}))
             ],
+            "jupyterhub-hub-extraEnv": json.dumps(
+                config.get("jupyterhub", {})
+                .get("overrides", {})
+                .get("hub", {})
+                .get("extraEnv", [])
+            ),
             # dask-gateway
             "dask-gateway-image": split_docker_image_name(
                 config["default_images"]["dask_gateway"]
@@ -794,6 +812,7 @@ def provision_07_kubernetes_services(stage_outputs, config, check=True):
             "clearml-enable-forwardauth": config.get("clearml", {}).get(
                 "enable_forward_auth", False
             ),
+            "jupyterhub-logout-redirect-url": final_logout_uri,
         },
     )
 
@@ -831,8 +850,8 @@ def _attempt_connect_url(
             sys.exit(1)
 
 
-def provision_08_enterprise_qhub(stage_outputs, config, check=True):
-    directory = "stages/08-enterprise-qhub"
+def provision_08_qhub_tf_extensions(stage_outputs, config, check=True):
+    directory = "stages/08-qhub-tf-extensions"
 
     stage_outputs[directory] = terraform.deploy(
         directory=directory,
@@ -843,7 +862,10 @@ def provision_08_enterprise_qhub(stage_outputs, config, check=True):
                 "realm_id"
             ]["value"],
             "tf_extensions": config.get("tf_extensions", []),
-            "qhub_config": config,
+            "qhub_config_yaml": config,
+            "keycloak_qhub_bot_password": stage_outputs[
+                "stages/05-kubernetes-keycloak"
+            ]["keycloak_qhub_bot_password"]["value"],
             "helm_extensions": config.get("helm_extensions", []),
         },
     )
@@ -892,7 +914,7 @@ def guided_install(
         ):
             provision_06_kubernetes_keycloak_configuration(stage_outputs, config)
             provision_07_kubernetes_services(stage_outputs, config)
-            provision_08_enterprise_qhub(stage_outputs, config)
+            provision_08_qhub_tf_extensions(stage_outputs, config)
 
             print("QHub deployed successfully")
 

diff --git a/qhub/keycloak.py b/qhub/keycloak.py
@@ -89,9 +89,7 @@ def get_keycloak_admin_from_config(config_filename):
             server_url=keycloak_server_url,
             username=keycloak_username,
             password=keycloak_password,
-            realm_name=os.environ.get(
-                "KEYCLOAK_REALM", f"qhub-{config['project_name']}"
-            ),
+            realm_name=os.environ.get("KEYCLOAK_REALM", "qhub"),
             user_realm_name="master",
             auto_refresh_token=("get", "put", "post", "delete"),
             verify=should_verify_tls,

diff --git a/qhub/render/__init__.py b/qhub/render/__init__.py
@@ -67,7 +67,7 @@ def render_template(output_directory, config_filename, force=False, dry_run=Fals
         "stages/05-kubernetes-keycloak",
         "stages/06-kubernetes-keycloak-configuration",
         "stages/07-kubernetes-services",
-        "stages/08-enterprise-qhub",
+        "stages/08-qhub-tf-extensions",
     ]
     if config["provider"] != "local" and config["terraform_state"]["type"] == "remote":
         directories.append(f"stages/01-terraform-state/{config['provider']}")
@@ -204,9 +204,9 @@ def render_contents(config: Dict):
                     QHubKubernetesProvider(config),
                 ]
             ),
-            "stages/08-enterprise-qhub/_qhub.tf.json": tf_render_objects(
+            "stages/08-qhub-tf-extensions/_qhub.tf.json": tf_render_objects(
                 [
-                    QHubTerraformState("08-enterprise-qhub", config),
+                    QHubTerraformState("08-qhub-tf-extensions", config),
                     QHubKubernetesProvider(config),
                 ]
             ),

diff --git a/qhub/schema.py b/qhub/schema.py
@@ -346,7 +346,8 @@ class CDSDashboards(Base):
 
 
 class QHubExtensionEnv(Base):
-    code: str
+    name: str
+    value: str
 
 
 class QHubExtension(Base):
@@ -355,9 +356,11 @@ class QHubExtension(Base):
     urlslug: str
     private: bool = False
     oauth2client: bool = False
+    keycloakadmin: bool = False
+    jwt: bool = False
     qhubconfigyaml: bool = False
-    envs: typing.Optional[typing.List[QHubExtensionEnv]]
     logout: typing.Optional[str]
+    envs: typing.Optional[typing.List[QHubExtensionEnv]]
 
 
 # ======== External Container Registry ========
@@ -428,7 +431,7 @@ class Main(Base):
     environments: typing.Dict[str, CondaEnvironment]
     monitoring: typing.Optional[Monitoring]
     clearml: typing.Optional[ClearML]
-    extensions: typing.Optional[typing.List[QHubExtension]]
+    tf_extensions: typing.Optional[typing.List[QHubExtension]]
     jupyterhub: typing.Optional[JupyterHub]
     prevent_deploy: bool = (
         False  # Optional, but will be given default value if not present

diff --git a/qhub/template/stages/05-kubernetes-keycloak/outputs.tf b/qhub/template/stages/05-kubernetes-keycloak/outputs.tf
@@ -3,3 +3,9 @@ output "keycloak_credentials" {
   sensitive   = true
   value       = module.kubernetes-keycloak-helm.credentials
 }
+
+output "keycloak_qhub_bot_password" {
+  description = "keycloak qhub-bot credentials"
+  sensitive   = true
+  value       = random_password.keycloak-qhub-bot-password.result
+}
diff --git a/qhub/template/stages/07-kubernetes-services/jupyterhub.tf b/qhub/template/stages/07-kubernetes-services/jupyterhub.tf
@@ -124,4 +124,7 @@ module "jupyterhub" {
 
   theme = var.jupyterhub-theme
   profiles = var.jupyterlab-profiles
+
+  jupyterhub-logout-redirect-url = var.jupyterhub-logout-redirect-url
+  jupyterhub-hub-extraEnv        = var.jupyterhub-hub-extraEnv
 }
diff --git a/qhub/template/stages/07-kubernetes-services/modules/kubernetes/services/jupyterhub/main.tf b/qhub/template/stages/07-kubernetes-services/modules/kubernetes/services/jupyterhub/main.tf
@@ -102,8 +102,19 @@ resource "helm_release" "jupyterhub" {
           }
         }
       }
-    })
-  ], var.overrides)
+    })],
+  var.overrides,
+  [jsonencode({
+    hub = {
+          extraEnv = concat([
+          {
+            name = "OAUTH_LOGOUT_REDIRECT_URL",
+            value = format("%s?redirect_uri=%s", "https://${var.external-url}/auth/realms/${var.realm_id}/protocol/openid-connect/logout", urlencode(var.jupyterhub-logout-redirect-url))
+          }],
+        jsondecode(var.jupyterhub-hub-extraEnv))
+    }
+   })]
+  )
 
   set {
     name  = "proxy.secretToken"
@@ -151,6 +162,7 @@ module "jupyterhub-openid-client" {
     "practitioner" = ["jupyterhub_developer"]
   }
   callback-url-paths = [
-    "https://${var.external-url}/hub/oauth_callback"
+    "https://${var.external-url}/hub/oauth_callback",
+    var.jupyterhub-logout-redirect-url
   ]
 }
diff --git a/...emplate/stages/07-kubernetes-services/modules/kubernetes/services/jupyterhub/variables.tf b/...emplate/stages/07-kubernetes-services/modules/kubernetes/services/jupyterhub/variables.tf
@@ -116,3 +116,15 @@ variable "conda-store-environments" {
   type        = map(any)
   default     = {}
 }
+
+variable "jupyterhub-logout-redirect-url" {
+  description = "Next redirect destination following a Keycloak logout"
+  type = string
+  default = ""
+}
+
+variable "jupyterhub-hub-extraEnv" {
+  description = "Extracted overrides to merge with jupyterhub.hub.extraEnv"
+  type        = string
+  default     = "[]"
+}
diff --git a/qhub/template/stages/07-kubernetes-services/variables.tf b/qhub/template/stages/07-kubernetes-services/variables.tf
@@ -25,3 +25,15 @@ variable "node_groups" {
     value = string
   }))
 }
+
+variable "jupyterhub-logout-redirect-url" {
+  description = "Next redirect destination following a Keycloak logout"
+  type = string
+  default = ""
+}
+
+variable "jupyterhub-hub-extraEnv" {
+  description = "Extracted overrides to merge with jupyterhub.hub.extraEnv"
+  type        = string
+  default     = "[]"
+}
diff --git a/qhub/template/stages/08-enterprise-qhub/modules/qhubextension/locals.tf b/qhub/template/stages/08-enterprise-qhub/modules/qhubextension/locals.tf
diff --git a/qhub/template/stages/08-enterprise-qhub/tf-extensions.tf b/qhub/template/stages/08-enterprise-qhub/tf-extensions.tf
diff --git a/...ages/08-enterprise-qhub/helm-extension.tf → ...s/08-qhub-tf-extensions/helm-extension.tf b/...ages/08-enterprise-qhub/helm-extension.tf → ...s/08-qhub-tf-extensions/helm-extension.tf
diff --git a/...rise-qhub/modules/helm-extensions/main.tf → ...xtensions/modules/helm-extensions/main.tf b/...rise-qhub/modules/helm-extensions/main.tf → ...xtensions/modules/helm-extensions/main.tf
diff --git a/...qhub/modules/helm-extensions/variables.tf → ...ions/modules/helm-extensions/variables.tf b/...qhub/modules/helm-extensions/variables.tf → ...ions/modules/helm-extensions/variables.tf
diff --git a/...ise-qhub/modules/qhubextension/ingress.tf → ...tensions/modules/qhubextension/ingress.tf b/...ise-qhub/modules/qhubextension/ingress.tf → ...tensions/modules/qhubextension/ingress.tf
@@ -30,7 +30,6 @@ resource "kubernetes_manifest" "qhubextension-ingressroute" {
           ]
         }
       ]
-      tls = local.tls
     }
   }
 }

diff --git a/.../modules/qhubextension/keycloak-config.tf → .../modules/qhubextension/keycloak-config.tf b/.../modules/qhubextension/keycloak-config.tf → .../modules/qhubextension/keycloak-config.tf
@@ -3,9 +3,9 @@ resource "keycloak_openid_client" "keycloak_ext_client" {
   count         = var.oauth2client ? 1 : 0
   realm_id      = var.qhub-realm-id
   client_id     = "${var.name}-client"
-  client_secret = var.keycloak-client-password
+  client_secret = random_password.qhub-ext-client[count.index].result
 
-  name    = "FastAPI Client"
+  name    = "${var.name} Client"
   enabled = true
 
   access_type           = "CONFIDENTIAL"
@@ -16,6 +16,12 @@ resource "keycloak_openid_client" "keycloak_ext_client" {
   ]
 }
 
+resource "random_password" "qhub-ext-client" {
+  count = var.oauth2client ? 1 : 0
+  length  = 32
+  special = false
+}
+
 resource "keycloak_openid_group_membership_protocol_mapper" "group_membership_mapper" {
   count = var.oauth2client ? 1 : 0
 

diff --git a/qhub/template/stages/08-qhub-tf-extensions/modules/qhubextension/locals.tf b/qhub/template/stages/08-qhub-tf-extensions/modules/qhubextension/locals.tf
@@ -0,0 +1,61 @@
+locals {
+  middlewares = (var.private) ? ([{
+    name      = "traefik-forward-auth"
+    namespace = var.namespace
+  }]) : ([])
+
+  oauth2client_envs = (var.oauth2client) ? ([{
+    name  = "OAUTH2_AUTHORIZE_URL"
+    value = "https://${var.external-url}/auth/realms/${var.qhub-realm-id}/protocol/openid-connect/auth"
+  },
+  {
+    name  = "OAUTH2_ACCESS_TOKEN_URL"
+    value = "https://${var.external-url}/auth/realms/${var.qhub-realm-id}/protocol/openid-connect/token"
+  },
+  {
+    name  = "OAUTH2_USER_DATA_URL"
+    value = "https://${var.external-url}/auth/realms/${var.qhub-realm-id}/protocol/openid-connect/userinfo"
+  },
+  {
+    name  = "OAUTH2_REDIRECT_BASE"
+    value = "https://${var.external-url}/${var.urlslug}/"
+  },
+  {
+    name  = "COOKIE_OAUTH2STATE_NAME"
+    value = "${var.name}-o2state"
+  },
+  {
+    name  = "OAUTH2_CLIENT_ID"
+    value = "${var.name}-client"
+  },
+  {
+    name  = "OAUTH2_CLIENT_SECRET"
+    value = random_password.qhub-ext-client[0].result
+  }]) :  ([])
+
+  keycloakadmin_envs = (var.keycloakadmin) ? ([{
+    name  = "KEYCLOAK_SERVER_URL"
+    value = "http://keycloak-headless.${var.namespace}:8080/auth/"
+  },
+  {
+    name  = "KEYCLOAK_REALM"
+    value = var.qhub-realm-id
+  },
+  {
+    name  = "KEYCLOAK_ADMIN_USERNAME"
+    value = "qhub-bot"
+  },
+  {
+    name  = "KEYCLOAK_ADMIN_PASSWORD"
+    value = var.keycloak_qhub_bot_password
+  }]) :  ([])
+
+  jwt_envs = (var.jwt) ? ([{
+    name  = "COOKIE_AUTHORIZATION_NAME"
+    value = "${var.name}-jwt"
+  },
+  {
+    name  = "JWT_SECRET_KEY"
+    value = random_password.qhub-jwt-secret[0].result
+  }]) :  ([])
+}