From 2ec301e9bc9a347321073a0b3046efeabcbffd92 Mon Sep 17 00:00:00 2001 From: Enrique Garcia <40355845+garciagenrique@users.noreply.github.com> Date: Mon, 11 Nov 2024 17:25:44 +0100 Subject: [PATCH] change jhub auth_state (#289) --- .../cluster/flux/jhub/jhub-release.yaml | 11 ++++------- infrastructure/scripts/jhub_secrets.sh | 8 ++++++++ .../secrets/jhub/ss_jhub-vre-auth-state.yaml | 16 ++++++++++++++++ 3 files changed, 28 insertions(+), 7 deletions(-) create mode 100644 infrastructure/secrets/jhub/ss_jhub-vre-auth-state.yaml diff --git a/infrastructure/cluster/flux/jhub/jhub-release.yaml b/infrastructure/cluster/flux/jhub/jhub-release.yaml index 2e6dd686..e03d4532 100644 --- a/infrastructure/cluster/flux/jhub/jhub-release.yaml +++ b/infrastructure/cluster/flux/jhub/jhub-release.yaml @@ -63,6 +63,10 @@ spec: - profile - email - offline_access + + extraEnvFrom: + - secretRef: + name: jupyterhub-auth-state # in the secret: export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32) extraConfig: @@ -108,13 +112,6 @@ spec: # enable authentication state c.GenericOAuthenticator.enable_auth_state = True - - if 'JUPYTERHUB_CRYPT_KEY' not in os.environ: - warnings.warn( - "Need JUPYTERHUB_CRYPT_KEY env for persistent auth_state.\n" - " export JUPYTERHUB_CRYPT_KEY=$(openssl rand -hex 32)" - ) - c.CryptKeeper.keys = [os.urandom(32)] singleuser: defaultUrl: "/lab" diff --git a/infrastructure/scripts/jhub_secrets.sh b/infrastructure/scripts/jhub_secrets.sh index 70cdf065..212c4a2c 100644 --- a/infrastructure/scripts/jhub_secrets.sh +++ b/infrastructure/scripts/jhub_secrets.sh 
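Review bot: In jhub-release.yaml the added `extraEnvFrom` / `secretRef: jupyterhub-auth-state` entry becomes the only source of `JUPYTERHUB_CRYPT_KEY` once the second hunk drops the `c.CryptKeeper.keys = [os.urandom(32)]` fallback, yet the inline comment only says how to generate a key. I would extend it to state the contract, for example `# Secret jupyterhub-auth-state must define JUPYTERHUB_CRYPT_KEY (openssl rand -hex 32); several keys may be joined with ';' for rotation, the first one encrypts new auth_state`. It is also worth noting there that, with `enable_auth_state = True` and no fallback, a missing or misnamed key presumably surfaces as a hub start-up or login failure rather than a warning. Indentation is not recoverable in this hunk, so please confirm the block nests under the hub section of the chart values, so that the key is injected into the hub container only and not into single-user pods.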
@@ -16,3 +16,11 @@ SECRET_FULL_PATH=${RAW_SECRETS_TMP_DIR}/${SECRET_FILE}
 echo "Creating ${SECRET_FILE} secret"
 cat $SECRET_FULL_PATH | kubeseal --controller-name=sealed-secrets-controller --controller-namespace=sealed-secrets --format yaml --namespace=${NAMESPACE} > ${SECRETS_STORE}/ss_${SECRET_FILE}
 kubectl apply -f ${SECRETS_STORE}/ss_${SECRET_FILE}
+
+
+# To create a persistant auth-state for the jhub configuration
+SECRET_FILE="jhub-vre-auth-state.yaml"
+SECRET_FULL_PATH=${RAW_SECRETS_TMP_DIR}/${SECRET_FILE}
+echo "Creating ${SECRET_FILE} secret"
+cat $SECRET_FULL_PATH | kubeseal --controller-name=sealed-secrets-controller --controller-namespace=sealed-secrets --format yaml --namespace=${NAMESPACE} > ${SECRETS_STORE}/ss_${SECRET_FILE}
+kubectl apply -f ${SECRETS_STORE}/ss_${SECRET_FILE}
\ No newline at end of file
diff --git a/infrastructure/secrets/jhub/ss_jhub-vre-auth-state.yaml b/infrastructure/secrets/jhub/ss_jhub-vre-auth-state.yaml
new file mode 100644
index 00000000..8d55d8fa
--- /dev/null
+++ b/infrastructure/secrets/jhub/ss_jhub-vre-auth-state.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: jupyterhub-auth-state
+ namespace: jhub
+spec:
+ encryptedData:
+ JUPYTERHUB_CRYPT_KEY: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: jupyterhub-auth-state
+ namespace: jhub
+ type: Opaque
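Review bot: In jhub_secrets.sh the added block runs `kubectl apply` even when sealing fails: the redirect on the `cat $SECRET_FULL_PATH | kubeseal … > ${SECRETS_STORE}/ss_${SECRET_FILE}` line has already truncated the output file, and nothing in the hunk checks the pipeline status. The top of the script is outside the hunk, so a `set -euo pipefail` there cannot be ruled out. I would drop the `cat`, quote the paths and stop on error, e.g. `kubeseal … < "${SECRET_FULL_PATH}" > "${SECRETS_STORE}/ss_${SECRET_FILE}" || exit 1`, with `kubectl apply -f "${SECRETS_STORE}/ss_${SECRET_FILE}"` to match. The plaintext `jhub-vre-auth-state.yaml` under `RAW_SECRETS_TMP_DIR` holds the crypt key, and the hunk shows no cleanup, so a comment or an `rm -f "${SECRET_FULL_PATH}"` after sealing would make its lifetime explicit. Since the new lines repeat the preceding block verbatim, a small `seal_and_apply` function taking the file name would keep the two copies in step.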