add hub.config passthrough and use it for all auth config #1943

Merged
merged 40 commits into from
Jan 12, 2021

Member

@consideRatio consideRatio commented Dec 14, 2020

Closes #1871.
Closes #1379 by updating the documentation examples to be directly mapped to LDAP config.

PR Status

Review -> merge remain, I don't know of anything I'd like to do further at this point for this PR.

  • The deprecation logic is tested against all the auth config examples in the docs we had, and it worked out fine. Automating testing seems overkill as we shouldn't make changes to it over time.
  • An e2e test of the deprecation and that the new configuration is valid has been done successfully.

Review suggestions

For me, the key part to review is the deprecation mechanisms. Secondary, we can focus on the documentation language etc, but I think we should iterate on that later as this PR is required for a release that I'd like to make. Below are some review points anyhow.

  • 1. Updates to schema.yaml in 5d5778f
  • 2. Changes in jupyterhub_config.py e4b64ce 72e3967
  • 3. Adding of null safe lookup utility in ee323db
  • 4. Handling of auth.state.cryptoKey in 9ed09c0
  • 5. Transform of configuration in authentication.md 245e86c
    @minrk I replaced env var based configuration as well, because I recall your refactoring in oauthenticator made us no longer need to use env vars + traitlet config but could instead rely on only traitlet config of token_url etc. I have also verified this worked for a deployment of mine. Does it sound okay to you?
  • 6. The documentation added before the "Configuring authenticator classes" section - PR preview

Summary

This Helm chart's configuration of authenticator classes such as GitHubOAuthenticator was, as observed by the influx of issues, not so straightforward for users, and it wasn't so straightforward for maintainers either. We had to keep up with adding mappings between the Helm chart's configuration and the authentication classes' configuration.

In this PR, we leave that system behind in favor of a more general system. In this transition, users having configured authentication will fail directly when they run helm upgrade and be provided with a useful error message to help with the transition.

Transition message

config.yaml

```yaml
auth:
  key1: val1
  key2:
    key3: val3
  type: github
  google:
    clientSecret: test-secret
    clientId: test-id
    callbackUrl: callback-url
  scopes:
    - profile
    - email
  state:
    enabled: true
  admin:
    access: true
    users:
      - cat
  whitelist:
    users:
      - kitten1
  allowedUsers: # maps to the same as whitelist.users
    - kitten2
```
helm upgrade

```
The JupyterHub Helm chart's auth config has been reworked and requires changes.

The new way to configure authentication in chart version 0.11.0+ is printed
below for your convinience. The values are not shown by default to ensure no
secrets are exposed, run helm upgrade with --set global.safeToShowValues=true to
show them.

hub:
  config:
    Authenticator:
      admin_users: '***'
      allowed_users: '***'
      enable_auth_state: '***'
    JupyterHub:
      admin_access: '***'
      authenticator_class: oauthenticator.github.GitHubOAuthenticator
    OAuthenticator:
      client_id: '***'
      client_secret: '***'
      oauth_callback_url: '***'
      scope: '***'
    WarningUnrecognizedConfig:
      key1: '***'
      key2.key3: '***'

For more details, please see the updated auth config documentation at:
https://zero-to-jupyterhub.readthedocs.io/en/latest/administrator/authentication.html
```

helm upgrade --set global.safeToShowValues=true

```
...

hub:
  config:
    Authenticator:
      admin_users:
      - cat
      allowed_users:
      - kitten1
      enable_auth_state: true
    JupyterHub:
      admin_access: true
      authenticator_class: oauthenticator.github.GitHubOAuthenticator
    OAuthenticator:
      client_id: test-id
      client_secret: test-secret
      oauth_callback_url: callback-url
      scope:
      - profile
      - email
    WarningUnrecognizedConfig:
      key1: val1
      key2.key3: val3

...
```

@consideRatio consideRatio changed the title WIP: Auth config rework Auth config reworked for comprehension and maintenance sustainability Dec 20, 2020
@consideRatio consideRatio requested review from manics, minrk and choldgraf and removed request for manics December 20, 2020 19:06
@consideRatio consideRatio marked this pull request as ready for review December 20, 2020 19:10
@consideRatio consideRatio added this to the 0.11.0 milestone Dec 20, 2020
Member

@manics manics left a comment

I made a first pass through the docs, I'll go through the code and schema changes later.

@consideRatio
Member Author

@manics thank you for your review!

I want to clarify that I have not really changed the text or structure of the documentation about how to configure the specific authenticators, but I'll give it a pass given your review comments. The reason for it being listed as an addition is the rST -> markdown conversion I did to not need to work with rST.

@consideRatio
Member Author

@manics I've done a full pass of the auth docs following the questions you raised.

Working with Helm templates isn't funny... This has taken a lot of hours
to complete.
While these were developed, I relied on the following tests to ensure
they functioned as I wanted.

__A values.yaml file__

```
test:
  key1: val1
  dict1:
    key1: val1
  emptyDict: {}
  emptyList: []
  empty:
```

__A Helm template file__

```
{{- if ne (include "jupyterhub.digToJson" (list "test.key1" .Values)) "\"val1\"" }}{{ "digToJson test 1" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.dict1" .Values)) "{\"key1\":\"val1\"}" }}{{ "digToJson test 2" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.noDict" .Values)) "null" }}{{ "digToJson test 3" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.noDict1.noDict2" .Values)) "null" }}{{ "digToJson test 4" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.emptyDict" .Values)) "{}" }}{{ "digToJson test 5" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.emptyList" .Values)) "[]" }}{{ "digToJson test 6" | fail }}{{ end }}
{{- if ne (include "jupyterhub.digToJson" (list "test.empty" .Values)) "null" }}{{ "digToJson test 7" | fail }}{{ end }}

{{- if not (include "jupyterhub.digToTrue" (list "test.key1" .Values)) }}{{ "digToTrue test 1" | fail }}{{ end }}
{{- if not (include "jupyterhub.digToTrue" (list "test.dict1" .Values)) }}{{ "digToTrue test 2" | fail }}{{ end }}
{{- if (include "jupyterhub.digToTrue" (list "test.noDict" .Values)) }}{{ "digToTrue test 3" | fail }}{{ end }}
{{- if (include "jupyterhub.digToTrue" (list "test.noDict1.noDict2" .Values)) }}{{ "digToTrue test 4" | fail }}{{ end }}
{{- if (include "jupyterhub.digToTrue" (list "test.emptyDict" .Values)) }}{{ "digToTrue test 5" | fail }}{{ end }}
{{- if (include "jupyterhub.digToTrue" (list "test.emptyList" .Values)) }}{{ "digToTrue test 6" | fail }}{{ end }}
{{- if (include "jupyterhub.digToTrue" (list "test.empty" .Values)) }}{{ "digToTrue test 7" | fail }}{{ end }}
```
I updated the logic for checking if we had a valid configuration as
well using the Helm template helpers I introduced as I concluded it was
needed to remain sane while checking nested config that may be null at
any place.

I deleted the entry in secret.yaml as it is only to be used to set an
env variable for use by JupyterHub in the hub pod, which in turn is fine
to delete because it's only used by JupyterHub's CryptKeeper class which
is responsible for managing encrypt/decrypt operations for JupyterHub.
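
A Python model of the lookup semantics those template assertions pin down, added here as an illustration. It is not the chart's `jupyterhub.digToJson` / `jupyterhub.digToTrue` templates; the function names are hypothetical, and returning null when an intermediate step is a scalar is an assumption the tests above do not cover.

```python
import json

# Constructed to match the values.yaml from the comment above.
VALUES = {"test": {"key1": "val1", "dict1": {"key1": "val1"},
                   "emptyDict": {}, "emptyList": [], "empty": None}}

def dig(path, values):
    """Follow a dotted path; return None if any step is missing or not a mapping."""
    node = values
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def dig_to_json(path, values):
    # Compact separators give {"key1":"val1"}, the form the template tests compare against.
    return json.dumps(dig(path, values), separators=(",", ":"))

def dig_to_true(path, values):
    # A missing key, an explicit null, {} and [] all count as "not set".
    return bool(dig(path, values))

# (path, expected JSON, expected truthiness) taken from the 14 template assertions.
CASES = [
    ("test.key1", '"val1"', True),
    ("test.dict1", '{"key1":"val1"}', True),
    ("test.noDict", "null", False),
    ("test.noDict1.noDict2", "null", False),
    ("test.emptyDict", "{}", False),
    ("test.emptyList", "[]", False),
    ("test.empty", "null", False),
]

def failing_cases(values=VALUES):
    """Return the paths whose JSON or truthiness differs from the expected value."""
    return [p for p, j, t in CASES
            if dig_to_json(p, values) != j or dig_to_true(p, values) != t]

print(failing_cases())
```

A missing key and an explicit null are indistinguishable in both helpers, while an empty dict or list still serializes as `{}` or `[]` but counts as unset in the truthiness check.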
@choldgraf
Member

choldgraf commented Jan 7, 2021

I wonder if @yuvipanda would be particularly interested in this, since we're doing a lot of auth config in 2i2c and this would probably affect us, no? I would review it myself, but I don't think I'm qualified to do so from a tech perspective :-/

Member

@minrk minrk left a comment

This is awesome work! I left some minor comments in the docs, but so happy for this to move forward.

```yaml
config:
  JupyterHub:
    admin_access: true
    authenticator_class: dummyauthenticator.DummyAuthenticator
```
Member

shortcut works and is perhaps easier to understand:

Suggested change
authenticator_class: dummyauthenticator.DummyAuthenticator
authenticator_class: dummy

We shouldn't be using dummyauthenticator anymore, as dummy ships with jupyterhub now.

Member Author

Ah! So I'll remove jupyterhub-dummyauthenticator from the requirements.txt, and we deprecate the repository?

Member

Yes, I believe so. This change is still needed to avoid the current crash loop backoffs because you've removed the dummyauthenticator package but are still using it in config.

Member Author

Resolved by 5b0a011

@minrk minrk changed the title Auth config reworked for comprehension and maintenance sustainability add hub.config passthrough and use it for all auth config Jan 12, 2021
@minrk minrk merged commit b116faa into jupyterhub:master Jan 12, 2021
@minrk
Member

minrk commented Jan 12, 2021

Great work, @consideRatio!

consideRatio pushed a commit to jupyterhub/helm-chart that referenced this pull request Jan 12, 2021
@consideRatio
Member Author

Thanks @minrk and @manics for your review efforts!!! :Heart: ❤️ ❤️

@meeseeksmachine

This pull request has been mentioned on Jupyter Community Forum. There might be relevant details there:

https://discourse.jupyter.org/t/jupyterhub-helm-chart-0-11-0-released/7521/1

yuvipanda added a commit to 2i2c-org/infrastructure that referenced this pull request Feb 4, 2021
Breaking changes to fix:

- All authenticator config has changed, and must be
  modified - jupyterhub/zero-to-jupyterhub-k8s#1943
- pdb has been disabled - we should file an issue to investigate
  if we want it - jupyterhub/zero-to-jupyterhub-k8s#1938
- Any networkpolicy changes we might need -
https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/CHANGELOG.md#breaking-changes-1
GeorgianaElena pushed a commit to 2i2c-org/infrastructure that referenced this pull request Feb 4, 2021
GeorgianaElena pushed a commit to 2i2c-org/infrastructure that referenced this pull request Feb 5, 2021
@bsikander

bsikander commented Jan 10, 2022

Two cents from my side while upgrading to 0.11.1.

When I tried to upgrade, helm suggested the configuration changes as mentioned in the PR. So, I just copy pasted the output in my CLI and placed in my config. Hub kept on giving 500 internal server errors and after digging deep inside, I found that hub was not recognising my provided authenticator configs and was using the dummy default authenticator. The root cause of the problem was that I had two hub.* tags in my yaml. One for hub.extraConfig.* and other one that CLI suggested hub.config.*. When I manually merged the two separate yaml sections into one like below, it started to recognize.

```
hub:
  config:
     ........
  extraConfig:
     ........
```

Apart from this, dynamically setting the configurations worked also

```yaml
hub:
    extraConfig:
        # "|" makes the Python lines below one literal string, kept line by line
        authenticator: |
            c.JupyterHub.authenticator_class = "oauthenticator.azuread.AzureAdOAuthenticator"
            c.JupyterHub.admin_access = True
            c.AzureAdOAuthenticator.client_id = ""
            c.AzureAdOAuthenticator.client_secret = ""
            c.AzureAdOAuthenticator.tenant_id = ""
            c.AzureAdOAuthenticator.oauth_callback_url = ""
            c.Authenticator.admin_users = {'usera', 'userb'}
```
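
A pre-upgrade check for the situation described in the comment above: a values file in which `hub:` appears twice, so that `hub.config` and `hub.extraConfig` sit in separate sections. It is an added example, not part of the comment or the chart; `find_duplicate_keys` is a hypothetical helper that assumes block-style YAML with unquoted keys, and the sample file is constructed.

```python
import re

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+):(?:\s+(.*))?$")

def find_duplicate_keys(text):
    """Return dotted paths of mapping keys repeated at the same level."""
    stack, seen, dups = [], set(), []  # stack: (indent, key) of open mappings
    scalar_indent = None               # indent of a key that opened a | or > scalar
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if scalar_indent is not None and indent > scalar_indent:
            continue                   # Python inside extraConfig, not YAML keys
        scalar_indent = None
        if line == "-" or line.startswith("- "):  # new list item: siblings may reuse keys
            while stack and stack[-1][0] > indent:
                stack.pop()
            prefix = ".".join(k for _, k in stack) + "."
            seen = {p for p in seen if not p.startswith(prefix)}
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue
        key, rest = m.group(1), m.group(2) or ""
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if path in seen:
            dups.append(path)
        seen.add(path)
        stack.append((indent, key))
        if rest[:1] in ("|", ">"):
            scalar_indent = indent
    return dups

# Constructed values file: hub.extraConfig and hub.config in separate "hub:" sections.
SPLIT = """\
hub:
  extraConfig:
    myConfig: |
      c.Spawner.default_url = "/lab"
hub:
  config:
    JupyterHub:
      authenticator_class: oauthenticator.azuread.AzureAdOAuthenticator
"""
print(find_duplicate_keys(SPLIT))  # ['hub']
```

Running a check like this before `helm upgrade` shows when an authenticator section would be lost to a repeated key, before the hub starts with a different authenticator than intended.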
