-
Notifications
You must be signed in to change notification settings - Fork 797
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add hub.config passthrough and use it for all auth config #1943
Conversation
295c66f
to
b1a954a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made a first pass through the docs, I'll go through the code and schema changes later.
@manics thank you for your review! I want to clarify that I have not really changed the text or structure of the documentation about how to configure the specific authenticators, but I'll give it a pass given your review comments. The reason for it being listed as an addition is the rST -> markdown conversion I did to not need to work with rST. |
@manics I've done a full pass of the auth docs following the questions you raised. |
20bf806
to
5ad8aa7
Compare
Working with Helm templates isn't funny... This has taken a lot of hours to complete.
While these were devleoped, I relied on the following tests to ensure they functioned as I wanted. __A values.yaml file__ ``` test: key1: val1 dict1: key1: val1 emptyDict: {} emptyList: [] empty: ``` __A Helm template file__ ``` {{- if ne (include "jupyterhub.digToJson" (list "test.key1" .Values)) "\"val1\"" }}{{ "digToJson test 1" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.dict1" .Values)) "{\"key1\":\"val1\"}" }}{{ "digToJson test 2" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.noDict" .Values)) "null" }}{{ "digToJson test 3" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.noDict1.noDict2" .Values)) "null" }}{{ "digToJson test 4" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.emptyDict" .Values)) "{}" }}{{ "digToJson test 5" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.emptyList" .Values)) "[]" }}{{ "digToJson test 6" | fail }}{{ end }} {{- if ne (include "jupyterhub.digToJson" (list "test.empty" .Values)) "null" }}{{ "digToJson test 7" | fail }}{{ end }} {{- if not (include "jupyterhub.digToTrue" (list "test.key1" .Values)) }}{{ "digToTrue test 1" | fail }}{{ end }} {{- if not (include "jupyterhub.digToTrue" (list "test.dict1" .Values)) }}{{ "digToTrue test 2" | fail }}{{ end }} {{- if (include "jupyterhub.digToTrue" (list "test.noDict" .Values)) }}{{ "digToTrue test 3" | fail }}{{ end }} {{- if (include "jupyterhub.digToTrue" (list "test.noDict1.noDict2" .Values)) }}{{ "digToTrue test 4" | fail }}{{ end }} {{- if (include "jupyterhub.digToTrue" (list "test.emptyDict" .Values)) }}{{ "digToTrue test 5" | fail }}{{ end }} {{- if (include "jupyterhub.digToTrue" (list "test.emptyList" .Values)) }}{{ "digToTrue test 6" | fail }}{{ end }} {{- if (include "jupyterhub.digToTrue" (list "test.empty" .Values)) }}{{ "digToTrue test 7" | fail }}{{ end }} ```
I updated the logic for checking if we had a valid configuration as well using the Helm template helpers I introduced as I concluded it was needed to remain sane while checking nested config that may be null at any place. I deleted the entry in secret.yaml as it is only to be used to set an env variable for use by JupyterHub in the hub pod, which in turn is fine to delete because its only used by JupyterHub's CryptKeeper class which is responsible for managing encrypt/decrypt operations for JupyterHub.
51c65b0
to
24e3ce8
Compare
I wonder if @yuvipanda would be particularly interested in this, since we're doing a lot of auth config in 2i2c and this would probably affect us, no? I would review it myself, but I don't think I'm qualified to do so from a tech perspective :-/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is awesome work! I left some minor comments in the docs, but so happy for this to move forward.
jupyterhub/values.yaml
Outdated
config: | ||
JupyterHub: | ||
admin_access: true | ||
authenticator_class: dummyauthenticator.DummyAuthenticator |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
shortcut works and is perhaps easier to understand:
authenticator_class: dummyauthenticator.DummyAuthenticator | |
authenticator_class: dummy |
We shouldn't be using dummyauthenticator anymore, as dummy ships with jupyterhub now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah! So I'll remove jupyterhub-dummyauthenticator from the requirements.txt, and we deprecate the repsitory?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I believe so. This change is still needed to avoid the current crash loop backoffs because you've removed the dummyauthenticator
package but are still using it in config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolved by 5b0a011
Co-authored-by: Min RK <[email protected]>
Co-authored-by: Min RK <[email protected]>
Co-authored-by: Min RK <[email protected]>
898447d
to
2e3a73a
Compare
Great work, @consideRatio! |
jupyterhub/zero-to-jupyterhub-k8s#1943 Merge pull request #1943 from consideRatio/pr/auth-rework
This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there: https://discourse.jupyter.org/t/jupyterhub-helm-chart-0-11-0-released/7521/1 |
Breaking changes to fix: - All authenticator config has changed, and must be modified - jupyterhub/zero-to-jupyterhub-k8s#1943 - pdb has been disabled - we should file an issue to investigate if we want it - jupyterhub/zero-to-jupyterhub-k8s#1938 - Any networkpolicy changes we might need - https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/CHANGELOG.md#breaking-changes-1
Breaking changes to fix: - All authenticator config has changed, and must be modified - jupyterhub/zero-to-jupyterhub-k8s#1943 - pdb has been disabled - we should file an issue to investigate if we want it - jupyterhub/zero-to-jupyterhub-k8s#1938 - Any networkpolicy changes we might need - https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/CHANGELOG.md#breaking-changes-1
Breaking changes to fix: - All authenticator config has changed, and must be modified - jupyterhub/zero-to-jupyterhub-k8s#1943 - pdb has been disabled - we should file an issue to investigate if we want it - jupyterhub/zero-to-jupyterhub-k8s#1938 - Any networkpolicy changes we might need - https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/CHANGELOG.md#breaking-changes-1
Two cents from my side while upgrading to 0.11.1. When I tried to upgrade, helm suggested the configuration changes as mentioned in the PR. So, I just copy pasted the output in my CLI and placed in my config. Hub kept of giving 500 internal server errors and after digging deep inside, i found that hub was not recognising my provided authenticator configs and was using the dummy default authenticator. The root cause of the problem was that I had two
Apart from this, dynamically setting the configurations worked also
|
Closes #1871.
Closes #1379 by updating the documentation examples to be directly mapped to LDAP config.
PR Status
Review -> merge remain, I don't know of anything I'd like to do further at this point for this PR.
Review suggestions
For me, the key part to review is the deprecation mechanisms. Secondary, we can focus on the documentation language etc, but I think we should iterate on that later as this PR is required for a release that I'd like to make. Below are some review points anyhow.
@minrk I replaced replaced env var based configuration as well, because I recall your refactoring in oauthenticator made us no longer need to use env vars + traitlet config but could instead rely on only traitlet config of token_url etc. I have also verified this worked for a deployment of mine. Does it sound okay to you?
Summary
This Helm chart's configuration of authenticator classes such as GitHubOAuthenticator were as observed by the influx of issues not so straightforward for users, and it wasn't so straightforward for maintainers either. We had to keep up with adding mappings between the helm charts configuration and the authentication classes configuration.
In this PR, we leave that system behind in favor of a more general system. In this transition users having configured authentication will fail directly when they run
helm upgrade
and be provided with an useful error message to help with the transition.Transition message
config.yaml
helm upgrade
helm upgrade --set global.safeToShowValues=true