From 8501f551753668af3ba9dcc518ec02e3d868bb75 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Jul 2022 19:09:10 -0700 Subject: [PATCH 01/20] Setup dex to proivde oidc authentication JupyterHub provides oauth2, but *not* oidc. This sucks, but as with most problems in computer science, we can solve this with another layer of indirection. In this case, we use https://dexidp.io to setup an oidc provider that is itself authenticated via JupyterHub. This is transparent to the user (because we don't require any consent screens), so in practice it's gonna look like JupyterHub is providing oidc itself. Instead of automatically injecting config from the deployer, we're instead manually copy-pasting config into the .values files directly. This helps with right to replicate, and keeps our deployer smaller --- config/clusters/2i2c/staging.values.yaml | 8 +++ .../basehub/templates/dex/configmap.yaml | 50 ++++++++++++++ .../basehub/templates/dex/deployment.yaml | 50 ++++++++++++++ .../basehub/templates/dex/service.yaml | 16 +++++ .../templates/docs-service-config.yaml | 17 ----- .../templates/docs-service-deployment.yaml | 69 ------------------- .../basehub/templates/nginx-docs-service.yaml | 16 ----- helm-charts/basehub/values.schema.yaml | 17 +++++ helm-charts/basehub/values.yaml | 3 + 9 files changed, 144 insertions(+), 102 deletions(-) create mode 100644 helm-charts/basehub/templates/dex/configmap.yaml create mode 100644 helm-charts/basehub/templates/dex/deployment.yaml create mode 100644 helm-charts/basehub/templates/dex/service.yaml delete mode 100644 helm-charts/basehub/templates/docs-service-config.yaml delete mode 100644 helm-charts/basehub/templates/docs-service-deployment.yaml delete mode 100644 helm-charts/basehub/templates/nginx-docs-service.yaml diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 8cd8eced20..d0b7680ea7 100644 --- a/config/clusters/2i2c/staging.values.yaml 
+++ b/config/clusters/2i2c/staging.values.yaml @@ -1,3 +1,7 @@ +dex: + enabled: true + hubHostName: staging.2i2c.cloud + jupyterhub: custom: docs_service: @@ -23,6 +27,10 @@ jupyterhub: name: 2i2c url: https://2i2c.org hub: + services: + dex: + url: http://dex + oauth_redirect_uri: https://staging.2i2c.cloud/services/dex/callback config: Authenticator: allowed_users: &staging_users diff --git a/helm-charts/basehub/templates/dex/configmap.yaml b/helm-charts/basehub/templates/dex/configmap.yaml new file mode 100644 index 0000000000..f7e6a6b997 --- /dev/null +++ b/helm-charts/basehub/templates/dex/configmap.yaml 
@@ -0,0 +1,50 @@
+{{- if .Values.dex.enabled -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: dex
+ labels:
+ app: dex
+data:
+ dex.yaml: |
+ # dex expands env vars in values, but does *not* interpolate
+ # them. So we can use an env var for OAUTH2_CLIENT_SECRET as
+ # it is just an expansion, but can not use env vars when constructing
+ # URLs as there's no interpolation! grr.
+ issuer: https://{{ .Values.dex.hubHostName }}/services/dex
+ storage:
+ type: sqlite3
+ config:
+ # /srv/db is a PVC mounted for persistence
+ file: /srv/db/dex.sqlite
+
+ web:
+ # Listen on all interfaces, so this is publicly visible
+ http: 0.0.0.0:5556
+
+ oauth2:
+ # Don't explicitly require users to grant access via the
+ # dex interface, for a smoother interface
+ skipApprovalScreen: true
+
+ connectors:
+ - type: oauth
+ id: hub
+ name: hub
+ config:
+ # Connector config values starting with a "$" will read from the environment.
+ clientID: service-dex
+ clientSecret: $OAUTH2_CLIENT_SECRET
+ redirectURI: https://{{ .Values.dex.hubHostName }}/services/dex/callback
+ userIDKey: name
+ tokenURL: http://proxy-public/hub/api/oauth2/token
+ authorizationURL: https://{{ .Values.dex.hubHostName }}/hub/api/oauth2/authorize
+ userInfoURL: http://proxy-public/hub/api/user
+
+ staticClients:
+ - id: oauth2-proxy
+ redirectURIs:
+ - 'http://127.0.0.1:9000/oauth2/callback'
+ name: 'oauth2-proxy'
+ secret: proxy
+{{- end }}
diff --git a/helm-charts/basehub/templates/dex/deployment.yaml b/helm-charts/basehub/templates/dex/deployment.yaml
new file mode 100644
index 0000000000..be1c3b4f7b
--- /dev/null
+++ b/helm-charts/basehub/templates/dex/deployment.yaml
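Review bot: In `dex/configmap.yaml` the connector's `tokenURL` and `userInfoURL` use plain `http://proxy-public/...`, so the code exchange (which carries the hub client secret) and the resulting access token cross the cluster network unencrypted. If that is accepted because the traffic never leaves the cluster, record the assumption next to the URLs, e.g. `# In-cluster HTTP: carries the client secret and tokens, relies on the cluster network being trusted`. The comment above `web.http` also reads as if dex were exposed directly, while this patch's `service.yaml` makes it a ClusterIP service; `# Listen on all pod interfaces; reached only through the dex Service` would describe it more accurately.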
@@ -0,0 +1,50 @@
+{{- if .Values.dex.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dex
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dex
+ template:
+ metadata:
+ labels:
+ app: dex
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/dex/configmap.yaml") . | sha256sum }}
+ spec:
+ volumes:
+ - name: db
+ persistentVolumeClaim:
+ claimName: dex
+ - name: config
+ configMap:
+ name: dex
+ securityContext:
+ # The upstream repo runs with gid 0, and setting this makes
+ # sure the db volume we mount can be written to by the dex process
+ fsGroup: 0
+ containers:
+ - name: dex
+ image: ghcr.io/dexidp/dex:v2.32.0
+ ports:
+ - name: dex
+ containerPort: 5556
+ env:
+ - name: OAUTH2_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: hub
+ key: hub.services.dex.apiToken
+ volumeMounts:
+ - name: config
+ mountPath: /srv/config
+ - name: db
+ mountPath: /srv/db
+ command:
+ - dex
+ - serve
+ - /srv/config/dex.yaml
+{{- end }}
diff --git a/helm-charts/basehub/templates/dex/service.yaml b/helm-charts/basehub/templates/dex/service.yaml
new file mode 100644
index 0000000000..1f6a17a832
--- /dev/null
+++ b/helm-charts/basehub/templates/dex/service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.dex.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: dex
+ labels:
+ app: dex
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: dex
+ selector:
+ app: dex
+{{- end }}
diff --git a/helm-charts/basehub/templates/docs-service-config.yaml b/helm-charts/basehub/templates/docs-service-config.yaml
deleted file mode 100644
index 498a40a1a3..0000000000
--- a/helm-charts/basehub/templates/docs-service-config.yaml
+++ /dev/null
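Review bot: The `dex` container in `dex/deployment.yaml` sets no container-level `securityContext`, whereas the `docs-service` containers removed by this same patch ran with `runAsUser: 1000`, `allowPrivilegeEscalation: False` and `readOnlyRootFilesystem: True`. This pod holds the hub OAuth client secret and the identity database, so it should be at least as restricted: add a `securityContext:` with `allowPrivilegeEscalation: false` under the container (a read-only root filesystem should also work if dex writes only to the mounted `/srv/db`, which needs confirming). The same gap applies to the `oauth2-proxy` sidecar added to this file in PATCH 02 and to the `server` nginx container in PATCH 05's `static/deployment.yaml`. Pinning `ghcr.io/dexidp/dex:v2.32.0` by digest as well as tag would protect against the tag being re-pointed.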
@@ -1,17 +0,0 @@ -{{- if .Values.jupyterhub.custom.docs_service.enabled -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: nginx-docs-configmap - labels: - app: docs-service -data: - nginx.conf: | - server { - listen 8080; - location / { - index index.html; - root /etc/nginx/html; - } - } -{{- end }} diff --git a/helm-charts/basehub/templates/docs-service-deployment.yaml b/helm-charts/basehub/templates/docs-service-deployment.yaml deleted file mode 100644 index 02b5a5441e..0000000000 --- a/helm-charts/basehub/templates/docs-service-deployment.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -{{- if .Values.jupyterhub.custom.docs_service.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: docs-service -spec: - replicas: 1 - selector: - matchLabels: - app: docs-service - template: - metadata: - labels: - app: docs-service - spec: - volumes: - - name: nginx-config - configMap: - name: nginx-docs-configmap - - name: docs - emptyDir: {} - initContainers: - - name: docs-clone - image: alpine/git - args: - - clone - - --depth=1 - - --branch={{ .Values.jupyterhub.custom.docs_service.branch | required "jupyterhub.custom.docs_service.branch is required with jupyterhub.custom.docs_service.enabled set to true" }} - - --single-branch - - -- - - '{{ .Values.jupyterhub.custom.docs_service.repo | required "jupyterhub.custom.docs_service.repo is required with jupyterhub.custom.docs_service.enabled set to true" }}' - - /srv/docs - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True - volumeMounts: - - name: docs - mountPath: /srv/docs - containers: - - name: docs-sync - image: alpine/git - workingDir: /srv/docs - command: - - /bin/sh - args: - - -c - - "while true; do git fetch origin; git reset --hard origin/master; sleep\ - \ 5m; done" - securityContext: - runAsUser: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True - volumeMounts: - - name: docs - mountPath: /srv/docs - - name: nginx-docs-service - image: nginx:1.19 - command: ["/usr/sbin/nginx", "-g", "daemon off;"] - ports: - - name: nginx-port - containerPort: 8080 - volumeMounts: - - name: nginx-config - mountPath: /etc/nginx/conf.d/default.conf - subPath: nginx.conf - - name: docs - mountPath: /etc/nginx/html/services/docs -{{- end }} diff --git a/helm-charts/basehub/templates/nginx-docs-service.yaml b/helm-charts/basehub/templates/nginx-docs-service.yaml deleted file mode 100644 index 8f9e622591..0000000000 --- a/helm-charts/basehub/templates/nginx-docs-service.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -{{- if .Values.jupyterhub.custom.docs_service.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: docs-service - labels: - app: docs-service -spec: - type: ClusterIP - ports: - - name: http - port: 80 - targetPort: nginx-port - selector: - app: docs-service -{{- end }} diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 987fb29e18..b22fdcea48 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -17,7 +17,24 @@ required: - global - jupyterhub - userServiceAccount + - dex properties: + dex: + type: object + additionalProperties: false + required: + - enabled + properties: + enabled: + type: boolean + description: | + Enable dex to provide OIDC + hubHostName: + type: string + description: | + Publicly accessible domain name of the hub. + + Used to construct URLs. userServiceAccount: type: object additionalProperties: false diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index f7024a14e4..8ee90f4cee 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -5,6 +5,9 @@ userServiceAccount: enabled: true annotations: {} +dex: + enabled: false + azureFile: enabled: false pv: From ae9d1e38649da985cd436f3c8bfaafbb5c99d4f2 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Jul 2022 21:02:34 -0700 Subject: [PATCH 02/20] Setup oauth2-proxy alongside dex We'll use nginx-ingress to authenticate against our hub, and we'll run an oauth2-proxy as a sidecar with dex so it can be used to authenticate requests! --- config/clusters/2i2c/staging.values.yaml | 4 ++- .../basehub/templates/dex/configmap.yaml | 18 ++++++++--- .../basehub/templates/dex/deployment.yaml | 30 ++++++++++++++++++- .../basehub/templates/dex/service.yaml | 7 +++-- 4 files changed, 51 insertions(+), 8 deletions(-) 
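Review bot: In the `values.schema.yaml` hunk, `hubHostName` is missing from the `required` list for `dex`, and `dex/configmap.yaml` interpolates `.Values.dex.hubHostName` without a guard, so `enabled: true` with no host name would render an issuer and redirect URI with a missing host instead of failing the deploy. Failing fast is the safer behaviour for an identity provider: use `{{ .Values.dex.hubHostName | required "dex.hubHostName is required with dex.enabled set to true" }}` in the template, as the removed docs-service templates did for `repo` and `branch`. The `properties` block continues outside this hunk.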
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index d0b7680ea7..18026fe425 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -29,8 +29,10 @@ jupyterhub: hub: services: dex: - url: http://dex + url: http://dex:5556 oauth_redirect_uri: https://staging.2i2c.cloud/services/dex/callback + oauth2-proxy: + url: http://dex:9000 config: Authenticator: allowed_users: &staging_users diff --git a/helm-charts/basehub/templates/dex/configmap.yaml b/helm-charts/basehub/templates/dex/configmap.yaml index f7e6a6b997..2955f484c6 100644 --- a/helm-charts/basehub/templates/dex/configmap.yaml +++ b/helm-charts/basehub/templates/dex/configmap.yaml @@ -34,7 +34,7 @@ data: config: # Connector config values starting with a "$" will read from the environment. clientID: service-dex - clientSecret: $OAUTH2_CLIENT_SECRET + clientSecret: $HUB_OAUTH2_CLIENT_SECRET redirectURI: https://{{ .Values.dex.hubHostName }}/services/dex/callback userIDKey: name tokenURL: http://proxy-public/hub/api/oauth2/token @@ -44,7 +44,17 @@ data: staticClients: - id: oauth2-proxy redirectURIs: - - 'http://127.0.0.1:9000/oauth2/callback' - name: 'oauth2-proxy' - secret: proxy + - https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback + name: oauth2-proxy + secret: $OAUTH2_PROXY_CLIENT_SECRET + oauth2-proxy.cfg: | + provider = "oidc" + client_id = "oauth2-proxy" + redirect_url = "https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback" + oidc_issuer_url = "https://{{ .Values.dex.hubHostName }}/services/dex" + oidc_email_claim = "sub" + insecure_oidc_allow_unverified_email = true + email_domains = "*" + http_address = "http://0.0.0.0:9000" + skip_provider_button = true {{- end }} diff --git a/helm-charts/basehub/templates/dex/deployment.yaml b/helm-charts/basehub/templates/dex/deployment.yaml index be1c3b4f7b..37c2fc63d0 100644 
--- a/helm-charts/basehub/templates/dex/deployment.yaml +++ b/helm-charts/basehub/templates/dex/deployment.yaml @@ -14,6 +14,7 @@ spec: app: dex annotations: checksum/config: {{ include (print $.Template.BasePath "/dex/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/dex/secret.yaml") . | sha256sum }} spec: volumes: - name: db @@ -33,11 +34,16 @@ spec: - name: dex containerPort: 5556 env: - - name: OAUTH2_CLIENT_SECRET + - name: HUB_OAUTH2_CLIENT_SECRET valueFrom: secretKeyRef: name: hub key: hub.services.dex.apiToken + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.clientSecret volumeMounts: - name: config mountPath: /srv/config @@ -47,4 +53,26 @@ spec: - dex - serve - /srv/config/dex.yaml + - name: oauth2-proxy + image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 + command: + - oauth2-proxy + - --config=/srv/config/oauth2-proxy.cfg + volumeMounts: + - name: config + mountPath: /srv/config + ports: + - name: oauth2-proxy + containerPort: 9000 + env: + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.cookieSecret + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.clientSecret {{- end }} diff --git a/helm-charts/basehub/templates/dex/service.yaml b/helm-charts/basehub/templates/dex/service.yaml index 1f6a17a832..b9ea04526e 100644 --- a/helm-charts/basehub/templates/dex/service.yaml +++ b/helm-charts/basehub/templates/dex/service.yaml @@ -8,9 +8,12 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 80 + - name: dex + port: 5556 targetPort: dex + - name: oauth2-proxy + port: 9000 + targetPort: oauth2-proxy selector: app: dex {{- end }} From 8a8645236c64565c897bba82316ea8092c7e2242 Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Wed, 6 Jul 2022 21:07:26 -0700 Subject: [PATCH 03/20] Disable docs_service on staging hub Was making deployment slower, and this will go away soon --- config/clusters/2i2c/staging.values.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 18026fe425..eef509dbf5 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -4,10 +4,6 @@ dex: jupyterhub: custom: - docs_service: - enabled: true - repo: https://github.com/jupyterhub/nbgitpuller - branch: gh-pages 2i2c: add_staff_user_ids_to_admin_users: true add_staff_user_ids_of_type: "google" From d84f6035100bcbd9507e7ac4eab1fe656a2a3482 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Jul 2022 21:10:50 -0700 Subject: [PATCH 04/20] Add missing template files --- .pre-commit-config.yaml | 2 +- .../basehub/templates/dex/_helpers.tpl | 9 ++++++++ helm-charts/basehub/templates/dex/pvc.yaml | 12 +++++++++++ helm-charts/basehub/templates/dex/secret.yaml | 21 +++++++++++++++++++ 4 files changed, 43 insertions(+), 1 deletion(-) create mode 100644 helm-charts/basehub/templates/dex/_helpers.tpl create mode 100644 helm-charts/basehub/templates/dex/pvc.yaml create mode 100644 helm-charts/basehub/templates/dex/secret.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 6118699665..b746db9e03 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -50,4 +50,4 @@ repos: hooks: - id: sops-encryption # Add files here if they contain the word 'secret' but should not be encrypted - exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml + exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml 
diff --git a/helm-charts/basehub/templates/dex/_helpers.tpl b/helm-charts/basehub/templates/dex/_helpers.tpl
new file mode 100644
index 0000000000..b44872ea82
--- /dev/null
+++ b/helm-charts/basehub/templates/dex/_helpers.tpl
@@ -0,0 +1,9 @@
+# Until https://github.com/Masterminds/sprig/issues/282 is fixed
+{{- define "randHex" -}}
+ {{- $result := "" }}
+ {{- range $i := until . }}
+ {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
+ {{- $result = print $result $rand_hex_char }}
+ {{- end }}
+ {{- $result }}
+{{- end }}
diff --git a/helm-charts/basehub/templates/dex/pvc.yaml b/helm-charts/basehub/templates/dex/pvc.yaml
new file mode 100644
index 0000000000..95480b9c1a
--- /dev/null
+++ b/helm-charts/basehub/templates/dex/pvc.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.dex.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: dex
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+{{- end }}
\ No newline at end of file
diff --git a/helm-charts/basehub/templates/dex/secret.yaml b/helm-charts/basehub/templates/dex/secret.yaml
new file mode 100644
index 0000000000..afb05fe5ba
--- /dev/null
+++ b/helm-charts/basehub/templates/dex/secret.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.dex.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: dex
+type: Opaque
+stringData:
+ {{- $k8sState := lookup "v1" "Secret" .Release.Namespace "dex" | default (dict "data" (dict)) }}
+
+ {{- if hasKey $k8sState.data "oauth2Proxy.clientSecret" }}
+ oauth2Proxy.clientSecret: {{ index $k8sState.data "oauth2Proxy.clientSecret" | b64dec }}
+ {{- else }}
+ oauth2Proxy.clientSecret: {{ include "randHex" 64 }}
+ {{- end }}
+
+ {{- if hasKey $k8sState.data "oauth2Proxy.cookieSecret" }}
+ oauth2Proxy.cookieSecret: {{ index $k8sState.data "oauth2Proxy.cookieSecret" | b64dec }}
+ {{- else }}
+ oauth2Proxy.cookieSecret: {{ include "randHex" 16 }}
+ {{- end }}
+{{- end }}
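Review bot: In `dex/secret.yaml` all four values are written into `stringData` unquoted, so a `randHex` result made only of digits (or shaped like `12e34`) may be parsed by YAML as a number and rejected, since `stringData` values must be strings; pipe each through `quote`, e.g. `oauth2Proxy.cookieSecret: {{ include "randHex" 16 | quote }}`. Separately, `randHex 16` yields 16 hex characters: that meets a 16-byte length requirement but gives the cookie secret only 64 bits of entropy, whereas `randHex 32` would give a 32-character value with 128 bits. `lookup` also returns nothing under `helm template` or a dry run, so both secrets are regenerated in those renders; a comment above `$k8sState` saying so would save the next reader a surprise.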
From fd3eabed13e83f31fde06a1d728e1e493fd16daa Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 7 Jul 2022 19:42:10 -0700 Subject: [PATCH 05/20] Add staticSites that can be protected by oauth2-proxy - Uses nginx to serve these, and a 5min git pull to pull a git repo. Copied from earlier docs_service code - Use ingress provider to specify the path under which the static site is available, rather than the hub proxy. This is simpler and allows us to put them anywehere (like staging.2i2c.cloud/textbook rather than staging.2i2c.cloud/services/textbook) - Use nginx-ingress to provide authentication for the static server, via https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/ --- config/clusters/2i2c/staging.values.yaml | 8 +++ .../basehub/templates/dex/configmap.yaml | 23 +++--- .../basehub/templates/dex/deployment.yaml | 6 +- .../basehub/templates/static/configmap.yaml | 17 +++++ .../basehub/templates/static/deployment.yaml | 71 +++++++++++++++++++ .../basehub/templates/static/ingress.yaml | 24 +++++++ .../basehub/templates/static/service.yaml | 16 +++++ helm-charts/basehub/values.schema.yaml | 29 ++++++++ helm-charts/basehub/values.yaml | 4 ++ 9 files changed, 189 insertions(+), 9 deletions(-) create mode 100644 helm-charts/basehub/templates/static/configmap.yaml create mode 100644 helm-charts/basehub/templates/static/deployment.yaml create mode 100644 helm-charts/basehub/templates/static/ingress.yaml create mode 100644 helm-charts/basehub/templates/static/service.yaml diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index eef509dbf5..c4ce17f9a0 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml 
@@ -2,6 +2,13 @@ dex: enabled: true hubHostName: staging.2i2c.cloud +staticSites: + enabled: true + repo: https://github.com/inferentialthinking/inferentialthinking.github.io + branch: master + host: staging.2i2c.cloud + path: /textbook + jupyterhub: custom: 2i2c: @@ -27,6 +34,7 @@ jupyterhub: dex: url: http://dex:5556 oauth_redirect_uri: https://staging.2i2c.cloud/services/dex/callback + oauth_no_confirm: true oauth2-proxy: url: http://dex:9000 config: diff --git a/helm-charts/basehub/templates/dex/configmap.yaml b/helm-charts/basehub/templates/dex/configmap.yaml index 2955f484c6..0d623a567f 100644 --- a/helm-charts/basehub/templates/dex/configmap.yaml +++ b/helm-charts/basehub/templates/dex/configmap.yaml @@ -7,10 +7,6 @@ metadata: app: dex data: dex.yaml: | - # dex expands env vars in values, but does *not* interpolate - # them. So we can use an env var for OAUTH2_CLIENT_SECRET as - # it is just an expansion, but can not use env vars when constructing - # URLs as there's no interpolation! grr. issuer: https://{{ .Values.dex.hubHostName }}/services/dex storage: type: sqlite3 @@ -24,7 +20,7 @@ data: oauth2: # Don't explicitly require users to grant access via the - # dex interface, for a smoother interface + # dex interface, for a smoother experience skipApprovalScreen: true connectors: @@ -32,9 +28,10 @@ data: id: hub name: hub config: - # Connector config values starting with a "$" will read from the environment. clientID: service-dex - clientSecret: $HUB_OAUTH2_CLIENT_SECRET + # Env vars are expanded via gomplate, which is present in the + # upstream dex docker image + clientSecret: {{ "{{" }} .Env.HUB_OAUTH2_CLIENT_SECRET {{ "}}" }} redirectURI: https://{{ .Values.dex.hubHostName }}/services/dex/callback userIDKey: name tokenURL: http://proxy-public/hub/api/oauth2/token 
@@ -46,15 +43,25 @@ data: redirectURIs: - https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback name: oauth2-proxy - secret: $OAUTH2_PROXY_CLIENT_SECRET + # Env vars are expanded via gomplate, which is present in the + # upstream dex docker image + secret: {{ "{{" }} .Env.OAUTH2_PROXY_CLIENT_SECRET {{ "}}" }} oauth2-proxy.cfg: | provider = "oidc" + # This is hardcoded in the dex config client_id = "oauth2-proxy" redirect_url = "https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback" oidc_issuer_url = "https://{{ .Values.dex.hubHostName }}/services/dex" oidc_email_claim = "sub" + # We don't actually use email for anything here, so skip email verification insecure_oidc_allow_unverified_email = true email_domains = "*" + # Listen on port 9000 http_address = "http://0.0.0.0:9000" + # Don't require user interaction to log in - treat this more like SSO skip_provider_button = true + # This is exposed to the internet as a JupyterHub service, + # so it is only available prefixed with this URL + reverse_proxy = true + proxy_prefix = "/services/oauth2-proxy/oauth2" {{- end }} diff --git a/helm-charts/basehub/templates/dex/deployment.yaml b/helm-charts/basehub/templates/dex/deployment.yaml index 37c2fc63d0..19fa311299 100644 --- a/helm-charts/basehub/templates/dex/deployment.yaml +++ b/helm-charts/basehub/templates/dex/deployment.yaml @@ -34,6 +34,7 @@ spec: - name: dex containerPort: 5556 env: + # These are expanded by the dex config - name: HUB_OAUTH2_CLIENT_SECRET valueFrom: secretKeyRef: @@ -49,7 +50,9 @@ spec: mountPath: /srv/config - name: db mountPath: /srv/db - command: + # Needs to be args, not cmd - this allows gomplate based + # expansion of config file + args: - dex - serve - /srv/config/dex.yaml @@ -65,6 +68,7 @@ spec: - name: oauth2-proxy containerPort: 9000 env: + # This is read by oauth2-proxy - name: OAUTH2_PROXY_COOKIE_SECRET valueFrom: secretKeyRef: 
diff --git a/helm-charts/basehub/templates/static/configmap.yaml b/helm-charts/basehub/templates/static/configmap.yaml
new file mode 100644
index 0000000000..f7bdf93076
--- /dev/null
+++ b/helm-charts/basehub/templates/static/configmap.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.staticSites.enabled -}}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: static-sites
+ labels:
+ app: static-sites
+data:
+ nginx.conf: |
+ server {
+ listen 8080;
+ location {{ .Values.staticSites.path }} {
+ index index.html;
+ alias /srv/content/repo;
+ }
+ }
+{{- end }}
diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml
new file mode 100644
index 0000000000..54669eb3b2
--- /dev/null
+++ b/helm-charts/basehub/templates/static/deployment.yaml
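Review bot: In `static/configmap.yaml`, `alias /srv/content/repo;` points nginx at a git working tree (the `site-clone` init container in this patch clones into that directory), so the `.git` directory, including `.git/config` with the remote URL, is served alongside the site. If `staticSites.repo` ever carries credentials for a private repository, they would be readable by every logged-in hub user. Add `location ~ /\.git { return 404; }` inside the `server` block. `{{ .Values.staticSites.path }}` is also interpolated raw into the `location` directive, so a value containing whitespace or braces would change the nginx config structure.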
@@ -0,0 +1,71 @@
+{{- if .Values.staticSites.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: static-sites
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: static-sites
+ template:
+ metadata:
+ labels:
+ app: static-sites
+ annotations:
+ checksum/config: {{ include (print $.Template.BasePath "/static/configmap.yaml") . | sha256sum }}
+ spec:
+ volumes:
+ - name: nginx-config
+ configMap:
+ name: static-sites
+ - name: content
+ emptyDir: {}
+ initContainers:
+ - name: site-clone
+ image: alpine/git
+ args:
+ - clone
+ - --depth=1
+ - --branch={{ .Values.staticSites.branch | required "staticSites.branch is required with staticSite.enabled set to true" }}
+ - --single-branch
+ - --
+ - '{{ .Values.staticSites.repo | required "staticSites.repo is required with staticSites.enabled set to true" }}'
+ - /srv/content/repo
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: False
+ readOnlyRootFilesystem: True
+ volumeMounts:
+ - name: content
+ mountPath: /srv/content
+ containers:
+ - name: content-sync
+ image: alpine/git
+ workingDir: /srv/content
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - "while true; do git fetch origin; git reset --hard origin/{{ .Values.staticSites.branch }}; sleep\
+ \ 5m; done"
+ securityContext:
+ runAsUser: 1000
+ allowPrivilegeEscalation: False
+ readOnlyRootFilesystem: True
+ volumeMounts:
+ - name: content
+ mountPath: /srv/content
+ - name: server
+ image: nginx:1.19
+ command: ["/usr/sbin/nginx", "-g", "daemon off;"]
+ ports:
+ - name: nginx
+ containerPort: 8080
+ volumeMounts:
+ - name: nginx-config
+ mountPath: /etc/nginx/conf.d/default.conf
+ subPath: nginx.conf
+ - name: content
+ mountPath: /srv/content
+{{- end }}
diff --git a/helm-charts/basehub/templates/static/ingress.yaml b/helm-charts/basehub/templates/static/ingress.yaml
new file mode 100644
index 0000000000..216f20413b
--- /dev/null
+++ b/helm-charts/basehub/templates/static/ingress.yaml
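Review bot: In `static/deployment.yaml`, `content-sync` runs with `workingDir: /srv/content`, but `site-clone` clones into `/srv/content/repo`, so `git fetch origin` and `git reset --hard` run outside the working tree and will fail on every iteration; the served content would then never update after the initial clone. Set `workingDir: /srv/content/repo`. In the same container `{{ .Values.staticSites.branch }}` is spliced into a `sh -c` string without the `required` guard or any quoting, unlike the init container's `--branch=` argument. Both `alpine/git` images carry no tag or digest, so each pod start may pull a different image into a pod that publishes content behind hub authentication.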
@@ -0,0 +1,24 @@
+{{- if .Values.staticSites.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ # Authenticate with oauth2-proxy so only hub logged-in users see this
+ # https://kubernetes.github.io/ingress-nginx/examples/auth/oauth-external-auth/
+ nginx.ingress.kubernetes.io/auth-url: "http://dex.{{ .Release.Namespace }}.svc.cluster.local:9000/services/oauth2-proxy/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://$host/services/oauth2-proxy/oauth2/start?rd=$escaped_request_uri"
+ name: static-sites
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: {{ .Values.staticSites.host}}
+ http:
+ paths:
+ - path: {{ .Values.staticSites.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: static-sites
+ port:
+ number: 80
+{{- end }}
\ No newline at end of file
diff --git a/helm-charts/basehub/templates/static/service.yaml b/helm-charts/basehub/templates/static/service.yaml
new file mode 100644
index 0000000000..9d7cefc353
--- /dev/null
+++ b/helm-charts/basehub/templates/static/service.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.staticSites.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: static-sites
+ labels:
+ app: static-sites
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: nginx
+ selector:
+ app: static-sites
+{{- end }}
diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml
index b22fdcea48..333cd6ad1f 100644
--- a/helm-charts/basehub/values.schema.yaml
+++ b/helm-charts/basehub/values.schema.yaml
@@ -18,7 +18,36 @@ required: - jupyterhub - userServiceAccount - dex + - staticSites properties: + staticSites: + type: object + additionalProperties: false + required: + - enabled + properties: + enabled: + type: boolean + description: | + Enable hosting static sites associated with this hub. + repo: + type: string + description: | + Git repo to clone and serve statically + branch: + type: string + description: | + Branch in given git repo to check out after cloning the repo + host: + type: string + description: | + DNS host name of the JupyterHub. + + Must match what the JupyterHub and dex are set up with. + path: + type: string + description: | + Absolute path under which the static sites should be available dex: type: object additionalProperties: false diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 8ee90f4cee..124281b087 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -8,6 +8,10 @@ userServiceAccount: dex: enabled: false +staticSites: + enabled: false + branch: main + azureFile: enabled: false pv: From 77cf89cc2f031a3e7320a050a57ab548946bae5c Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 02:13:12 -0700 Subject: [PATCH 06/20] Remove all references to docs_site Add a how-to on enabling staticSites instead --- config/clusters/cloudbank/staging.values.yaml | 4 - docs/howto/customize/docs-service.md | 34 ------- docs/howto/features/static-sites.md | 83 ++++++++++++++++++ docs/images/docs-service.png | Bin 19687 -> 0 bytes helm-charts/basehub/values.schema.yaml | 15 ---- helm-charts/basehub/values.yaml | 12 +-- 6 files changed, 84 insertions(+), 64 deletions(-) delete mode 100644 docs/howto/customize/docs-service.md create mode 100644 docs/howto/features/static-sites.md delete mode 100644 docs/images/docs-service.png diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 60ca46718b..02f8198cb1 100644 
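Review bot: In the `values.schema.yaml` hunk, `branch` and `path` are declared as unconstrained strings, yet this patch's templates place `branch` inside a `sh -c` command line and `path` inside an nginx `location` directive. A `pattern` on each would reject values with whitespace or shell/nginx metacharacters at validation time, e.g. `pattern: '^[A-Za-z0-9._/-]+$'` for `branch` and `pattern: '^/[A-Za-z0-9._/-]*$'` for `path`. `host` and `path` are also neither required by the schema nor guarded with `required` in `static/ingress.yaml`, so an enabled site with either missing renders an incomplete Ingress rule rather than failing. The `properties` block continues outside this hunk.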
--- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -1,9 +1,5 @@ jupyterhub: custom: - docs_service: - enabled: true - repo: https://github.com/jupyterhub/nbgitpuller - branch: gh-pages 2i2c: add_staff_user_ids_to_admin_users: true add_staff_user_ids_of_type: "google" diff --git a/docs/howto/customize/docs-service.md b/docs/howto/customize/docs-service.md deleted file mode 100644 index 96d4d2f13b..0000000000 --- a/docs/howto/customize/docs-service.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Connect static web content with the hub - -The 2i2c hubs can be configured to provide static web content as a [JupyterHub service](https://jupyterhub.readthedocs.io/en/stable/reference/services.html), available -at `https:///services/docs`. This can be a great tool to provide hub-specific documentation right from inside the hub. - -```{figure} ../../images/docs-service.png -``` - -To enable the docs service service for a hub: - -1. Mark it as *enabled* by setting `jupyterhub.custom.docs_service.enabled` to *True* in the - appropriate file under `config/clusters/`. -2. Specify the GitHub repository where the static HTML files are hosted, by setting `jupyterhub.custom.docs_service.repo`. -3. Specify the GitHub branch of the respository where the static HTML files are hosted, by setting `jupyterhub.custom.docs_service.docs_service.branch`. - -Example config: - -```yaml - jupyterhub: - custom: - docs_service: - enabled: true - repo: https://github.com/ - branch: -``` - -```{note} - -Depending on what Static Site Generator has been used to generate the website's static content, it **may** or **may not** use relative paths routing by default. -For example, [Sphinx](https://www.sphinx-doc.org/en/master/) handles relative paths by default, whereas, [Hugo](https://gohugo.io/) leaves all [relative URLs unchanged](https://gohugo.io/content-management/urls/#relative-urls). - -However, having relative URLS is a **must** in order for the hub docs service to work. Please check with the docs of your SSG of choice and enable relative URLs if they -aren't enabled already. -``` diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md new file mode 100644 index 0000000000..7c10abb920 --- /dev/null +++ b/docs/howto/features/static-sites.md 
@@ -0,0 +1,83 @@ +# Deploy authenticated static websites along the hub + +We can deploy *authenticated* static websites on the same domain as the hub +that is only accessible to users who have access to the hub. The source +for these come from git repositories that should contain rendered HTML, +and will be updated every 5 minutes. They can be under any prefix on the +same domain as the hub (such as `/docs`, `/textbook`, etc). + +You can enable this with the following config in the `.values.yaml` +file for your hub. + +```yaml + +dex: + # Enable authentication + enabled: true + hubHostName: + +staticSites: + enabled: true + repo: + branch: + host: + path: + +jupyterhub: + hub: + services: + dex: + url: http://dex:5556 + oauth_redirect_url: https:///services/dex/callback + oauth_no_confirm: true + oauth2-proxy: + url: http://dex:9000 + +``` + +```{note} +We manually configure the hub services instead of autogenerating +them in our deploy scripts. This leads to some additional copy-pasting and +duplication, but keeps our config explicit and simple. +``` + +## Example + +Here's a sample that hosts the data8 textbook under `https://staging.2i2c.cloud/textbook`: + +```yaml +dex: + enabled: true + hubHostName: staging.2i2c.cloud + +staticSites: + enabled: true + repo: https://github.com/inferentialthinking/inferentialthinking.github.io + branch: master + host: staging.2i2c.cloud + path: /textbook + +jupyterhub: + hub: + services: + dex: + url: http://dex:5556 + oauth_redirect_uri: https://staging.2i2c.cloud/services/dex/callback + oauth_no_confirm: true + oauth2-proxy: + url: http://dex:9000 +``` + +This clones the [repo]( https://github.com/inferentialthinking/inferentialthinking.github.io), +checks out the `master` branch and keeps it up to date by doing a +`git pull` every 5 minutes. It is made available under `/textbook`, +and requires users be logged-in to the hub before they can access it. 
+ +### Note on relative URLs + +Depending on what Static Site Generator has been used to generate the website's static content, it **may** or **may not** use relative paths routing by default. +For example, [Sphinx](https://www.sphinx-doc.org/en/master/) handles relative paths by default, whereas, [Hugo](https://gohugo.io/) leaves all [relative URLs unchanged](https://gohugo.io/content-management/urls/#relative-urls). + +However, having relative URLS is a **must** in order for the hub docs service to work. Please check with the docs of your SSG of choice and enable relative URLs if they +aren't enabled already. +``` \ No newline at end of file 
diff --git a/docs/images/docs-service.png b/docs/images/docs-service.png deleted file mode 100644 index d5b6ec49cccafb775ebd10870715952c8aea49ed..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 19687 zcmeIabx@s8vp)zSKoSB32(CdB++6}ef?Lo42Pe3@oDc{e2ol`g-QC^YU4pyAIlt%d ze(!tlZq-)p-L0*yU)7yI4u@yv>FMd|>FNG-L!g431nMh-S8#A}sFI&WmEho>I|ARE zUmyXW4QFhUz>greFX|3Tdd_4vcGkwG7Di+at~N$wMlPntaBwd3Dxr#K2=88qLV3i( zzJEs`%2}$Fv>x5S-RCr3L6)Jui|XF-95)zO@2yA1Tx}m$O2+=lELY?Do2IK5MNQ|uyvE4#{Y>q^E{aqjeaMm3 z9U~mvs~4sKSL(7dyav{mjCzLF`bLZ{mNo#paB%!WE;f1w=0*-=`bH+ERs!V54K3tk zriKFKY8G!irmoq@ zM3)!%4tvZ*PWCj!!CZh`T~>kYleL`@89O68BQt}Ti>VVUx!@}@emg^BUL{fSe@Fno z36OttaIoQJVsdtNW^`s_w6-&0V&UQ8VPa-wVr69jMljgBS~=*sFj(1Bz)1XyhNzLf zft{(1gQ>L@8H}c$zO|!+0696(PxcRS*be-gx|RJuLIA|U1nXg9VPt0dufrWojsGu( z!+QR6IP7I!1ydIz3w2RbOCu|LfCT|^78Z7vCu;xMt?^&Gd6=JiVWfB^E%i){)JzQ> zzWtZ?{Ym|0AydmIVG=ga1dn{zqK@EeZU$2LF$C{qH5NSO4kW8Cd~7oipIPDTohm0*>Ev zdlAVmFM#Ip!Y}|1jtovxRQQX_{K1l|$Cs%`=;@3_9Hn77jYS(ZrZ1U7z{ihWNWss7 zJ~DhoQ7@X6GS}Xpp4V(Cik?>eT7cc6Uxlq%trT!U_g*OV6_R1a_vcifec!xzX-Ks& zxOjhWz}i7c`R=3d^Ocbv0}{#Y>A<_S6yl`cWuU*G`SquwcjW(S_A#pYw8&};PA;^><%S3XRLr5h;iQaK>#Xup>G;n@;T4%qk z?|h0;I+ZRyM31caMEK+^=P>Q5ch%t@sQ<$VNPI^-Z^NnK11)X(*BYx!ALkC-d3B4` z;%>Veib4q|VWTu_-Q&HGu`D6uYj5>W?eL!i!nRJkV{!T3T9Qqj1*);P9>#EUXB#m*!R>OzY~|0&km73*mIV#AVexdWP~9ZDDRlE1!6TSo{ zWOE&-48Yxr$vC3Ws8GBdRy^>IRffs^*j$O(_AlSR#t>pIN ztVVC?96W0Wk?n1`R@~VOnFEvKAyw+%sn`qm$I)tPDr0Y;i^(PP2Tqw$(bE_9wQgF3 zZlRmBcXY7GvMFpCR?NloBSRk@9UWt{11EMn&8j#xs<0j^rp&Ukvyp=6Y9lRUxFtzG z@*%sTGa))~Z_?QwO6Up1qKW0PrX0)9VpT+wiqn~XjSVu%hcNf(x_ct6j59F&9ynp|mjGaBIvXb4ZZVP98eEeD4 zFsv(-n6LKXY#@%^REf;u6wE+RzsUr?Md3{Nb$`?l*55A$xyTVxR8hiwqIAW(OvZ@(WB+Q5hYU>apX1^pC1F)Cz;_Cs)nUXV_-hCIGX zwjI%vamC)hYT?oh&Wh`Zrv~H-?(6GID=#l^du(tzT%V8^LR~yg;YC!?(CAxka-XX* zSM!k$Qd3ilOh}NnvSK{n88Lx8+|F8X7B`+rCCbq>I3I7vnI!A&PZxQU<=XEIdpw-> z7#bM?BAwO^dfVzx>eUN*yw58x?%s7!Qda(CYs-R-js3mkSx#Lu(P}UlJhX|1BC*|CRj#J4(*krEUsPS_8E0K`b 
zL#1@~SLQa9=!g;92Og}2=^2)ch_>B!I~Rmds);fS&xvcnTRMw;=`t?}W3&JiN&YbJ zdia8PLCFix96~@}w~t_Xc#Mmu`+=!d@EWO*v@rnx5&JWN@7AoK#ez=jY5xq1yhriJ zoTgrlcBT~1U<9+5R}8ltBh8Lz42n%YGvHgAWdUe+t z{PDggl=o(pjVvuKMGCX!O`4pZE;kt=aXMP;Yr0+@7)|>GpPQe*KE$=M`FOpu1BPCM zcc%()6%`dPj#pALGbz!Cc{>56?;RX`UFd^QYBYeex3^cjo1FmnSw?2F3m0TKkuBQ@ z90@Jgtv~!{y%a9|BnM7>etNnUbF-DESmx7(YyEU3o6Yw}1t}tkku>t#F)a^NbZW(h zy}#di)BT*YsBYC10M3d`B6s-U;9%>)>!u$#GK=dQI@wmbsN#DF1oPXT*_At%u-&i#>C3pC@uV%BfSu^pQIT9;;RxIoI}NPoR-M573{7lUo+yhg5pbMh+(`W^L~ z4RjY71TAgNN9GRZXH&EcODisA`Xw{&^BaY#bbflPP7QU3)eCsM4(|bx##67Ytu4Cl zBmo9QNnQQ3lM|;wcSxIl8MA)p3&?30xYTw-oRy6YVSoGW+qb1)sFxNa?&JM6IuQl8 z)+_e3C6d{rOE-;rhYvWxKO2tf>D~;+W=qP*yao===H(1%2ha%=U*2p}OiWA>F)>6n zkS9kZwJdLutLKV(8~k#ow@c2*^-oS6bYJoHCReoSCTO>+_V@4>VhWD)FAMl2AhNfO zy>^e+I6rEzV)u+R>2;CWD*2B1R6nXu=Iy0eA)Ls>2S0)(^zI$7#UW^enZkFL{MKl9 zAr1cbJvUzYa}9~E`xLR<=5HmPR!ZEzb;eW}(Oy|maW$jo{b`tU(|s$TLdlh{#JqTA1%L4iO=S zlC9W5*y`rjd4805&$HdUE)Mib@ z&d!e8Zu5n9gA=0e{na6NlAIqZq4>9N-&SwsIOg*56d~XH%&P1z{wltD_3E>vWE)_a z6csUEB+}!coSvQn_FqRw$7hH2HA2bE0ASfKKjvz@R(&78oBP60`vt*-S7xx`Kxi6m#?RX7x zmZii^kiS@NZ_#j$dYZBF3~*v{-l-DNt#otT;|~7aI)?Vlo!sYWtn3RXf7a>n32u*l zy!hef6t8Z~_;)@(TwkCM+%HvR2hqI<-+m5##69goR?S=G8--3t^H^YZ*`_v<4- zWlT*!tQOn^1_tW=9Zj>CEB}cu^zi#77PT%OQUa%CdUbWQc}WxJ2@yk54EU?CFgzSG z8qw-7-!VT!DeG&W-@o4k1qYwHHO*R7e>^darv~&;y=a=6$sG-cc|S)69tT=U58ayn zl;O!%#m|9CIuUpY*?K{TuvxbZZv!`W^$u@oU)bagfE1TLy!rS5oaJ4;Kab;L)0f7P+P? 
z+|^%w(y~G;j34RGc#L(reyyZMg4WdX`}SN7!*hfolY4&6y5atfISwNYlPjk4$Y+Xf zd*6dB>rxw6_Uple6=shQ^X=_fbq;ad!GNBn8lp(!T2bjQzCJom`QBuROShulJ3iV_ zXYko`;c!W6Ib<<4GGGZkxf zGz&)VI*#3ark6}w>p(T1jpU7PwuN8?W~z0oc&D1Ll*ec!rVJNKm`u=(%Pu#ZyWDOW zbwV6yn~0oN@fK>X_3tQJ(%mUHJ<3Cj7S2=E9w~dzh^k3LjanxuxiLH*JeIv&;p=V=Uj7($7?7RSkJi4|VCy5XaFvViYIlAPXie>Byq+d%h^80lkB$B8=H`|v(nI=6qevAn zZY(S;-qOkUq}DYH2s^Wr`+O>P2Ar?;pQ)vkCrW7%B${;GKhu*xnc$3H-~LLI=Vh>3 zM<_VC-cndsg__@JCa4dIB;}~<6G|)jb}T{ki?lma_+>NgFJFiun%2nTlKTgIL824g zuw#i9lIAfzkr+l_CCL`=m)vmmlvpD=LDJr%TGdB>UTjvmC3d!>2D4QcbES!4XV&ki zvWOu{M2`VWS$!b{f5bx&Y#fYksvc*Vp%iun_gJ}q@@IR#qRf2SK9rF;7ZVU`sEJsi zioCy{snM1Jv-(@EcZFRkv39OF`QS$@r9^d7hQC#mw9O-Q(^?$6N-Ju}lOYi!#a$)n zZ4IciSki7!eb;OjN8xUtcfcAlcxRUt3yFKZe1SpuY{UlVksNXnHXAV6c7tNCr5zD? zb&yqy>84$&pY)kEdnDbaO@CXUD!H`NFv2}6d|K$&MYCkH8NM?bVa=zzgVUQJT_Q@8 z&~#`#qQ!86REZ(zWWw{Wy4#e$i0LQyHCJ;Q*9&s|_bYWtjkEAFvgvxcku~8%G)i@j z7EJ3zAML2wjJxdk$7?Lz#RzJa=Vxk$!aJ)BCN$0$jqUQ0M(Y|04#ItT;MyhoYlA_C z>>iE@T-L^IKM+v`J04P`Kl!5>b%)^J4KTsf=au8U`EP@Yxo2yBJsYO1g{Nxe?AYtI zOGnh7NGI5NydJoLSUWa0771QlQ~HFVc}uL6T7;5tq`tp!wu zCRWdOaefs4Fi!Tuq&aJ4W}#?EfhLg7``gxpk=F@_F&a-iWZmq4mkNs(@nCN=*!{~m zcB06V_3`~j(dXVqCI?Ojz-9J;O^jB$(T1R)A!RE2;r2Y)&^$v~lCcP>eSYa!!qN5v z2gX<@a*Cz{|Jdg3vzKrqik$R|vc&?C?tYX0IG2_?eP4%@ zj}pPwS1CO+Hn_p=q+gw9e)BU{L5L+&S5{r7t(RoSeq&I={mJ_ChM4$E-dkY@(TuR} z>8oIBQBh@2$)8cRa}1T^@^@Pu(jBX z*3GCmAmwwWtcp6Kos-Nj|5aS#QG{1B3Z63AE1k()hq0-^!&m1fUVH&2ucULrKW=P8}DkS%U9 zh^Gbu4kA9M5E22m=lRAD!h=Ax7GN5GakRu&+9Fh12f5pa`JQuga~^lQIRFrah=dDa z?g4v2PP)K4etOTZB&DR<&8p7&Xi^lkv}8Oy_yM2+b$F_!q{S>pc41M(2d?{daJNH! 
zse3;QZK$3&R;|BFpGwSf{-|V^eA^sQ&8Y7Tn;=Uw_?PJt`tQ4 zbyuO@Sh_V7xF#ByKG?`t{4Nl#7$(?ulZ_+m#C3{G$^YwOva7L4fK(s7LZF0gS2;n$ zcJ9!$nsi=!=K1t8&k|g=V0?FOBaxHk!f^2Xui#_iarILfLw2k%E=KxMe}pDNj8 zDwqDD+vg}I_k}!xN z2a#DgrpK&y>Ey21BKr3$xl-en^@SOdbrj>X^0Jm|qDhR}JC)U3Kjc07*)s^~^g&&- zSgEDc%EoJ^>OW!nRZ+THUINBScZjrd$7OVQC=it z$xCftN)}qCoo(R2y>FFVv>y==u4%xJ)apAbLbgG`7)w*ol&4?dUQbx9`BC&f?PYk0BMqs+g#Q=X%g8H9xeh2 z=W;@F;^IhvSu|N~_5SxUtl+Owx0^|Nh5T&7a+rLOrSUR`qegc~8~G?+m4EQ{ms)l- z+2R(6TcZvDD_r5r3*J%=L^Bv1E!I8U^ayPS(G`=?(}w`TcQR*JzkV5jqYLZly%PdL z##5peuqhd`fwZ0>VEr2J0q zf6G&CZV-N;ZPzb6@fXI9kM9Tf%;gJmkYuo|q1J0R*N?L+H`LLxCHk(%Vcd|!z{iQ7 zy0Wc!&<2$1Q74fUZ-)=d{dd}8weZekXw%>?lH;v{iI->8p@vA;C{)gm1a?x3A2}qd z>5Yzp2l`A)>g2+_FM@{+I^sQV0?K^);Y0E^)HoTQ$(npdt)Up$#i#bkx{`oIg zZ02}TVV|G~$13Ao&w_Ph?}Mz^;q^q3Ay>i~#b2&Mp_eQyozJbb@wvINM~;d%>)#1- z{0YcNP;V)D#x?c!P<=!q>q`1sS%?$!Y`Q{M2WR2z)rXS&^amHgdro>X^PD7j{5)== zrdn!&ki?o5{T*8_1u=*p*Uiub%Ius-F;;T4++N_Jp=B=xONNlG>|s=*u-k#)vUYW3 zdp>Rd`Lfa259hw3>KW?+gQ4=FxAmvm-sWTW`~ubpJ$d>Igz~2gT%0q=B37Y0TegYn zyj=EyRUsiE6F7;uFe6hJl?d(aI`UnAoaKZf9v3kQt8eDPy?aBiPM~uByl6|m>_-<8 z$Di4XqmF}Qv^)yW{i@2+@5RvaB}kXgV_G0!_y3OhxF0vg!0=WgewW`J{^-hTYCW=C zOPv75=>h95vC07N8PTm#%J9e$_= zJ)y*%U0q`>U?`HX+(|QFiaf3xR*V4r@L;(qVR2E*4~@7V$Z)W{Mu-{c!jk828_$w< zJ#M;IuLDYsPEK9;Gcz-vXItHNypI`}S}os|Ro&xmZ^a4i!q9}GvFA_PIz4lzp?5Oz z{AhqM(TR6P%ujO$z)&ymy#a>>rD9%WX(pw!(U|jU<*LW5Vj@+w$JoF0#bQQE`{!n) z`+on@t;Ypiis>I*Tl+3n5LC)5tA$;6hHT!BIL@Mot%7CU;WL64zi1q1*{M-^VzAAL zGehFqI#uX2IGoW?1m0k*_?w%AP%soWLF%t{Co2P8RErId5|#L`zSUpgcZIN+$`-}|UaX+_TBAfH6e}q!Q}$|~ zEmp7~y4=y4!}L*tg~k2@T@1t<fAm^>UT*fI^T*Gb^6QHRV{zHYX^uj+)i zRc`56LmY5f3q<_la!`xu9`1GTQ2c9x)E=gVw|3=3Ja(NIOb_mId&rwtxW(P7p3koX zBv|g`pR2`83pA&{+3(TdUcN^a|NQ#sUeE%Mo!#|wBw*_7ppVz~XPc5<(EF8%qOUa{ zXV;;cDk@!VKFBPxk${cDBtA?qR902Rd7<_I-wQl;-3*rq`1NaR1Poz=yS=>ykW?&y z2lahwmq$V&Xgx20M^o|fCG1Y**l+yeLOQY@2C@y@ZWr&-{C!{qfx#}G5QXgW@`(0! 
z5i>Kh7cXDF6BJDDK914D1E?YEDBG*;rtdwEj%OV_;ePRp-}AmtpT6o(Y|?rgzO9?d zhg%})F&f=6J%?TNV$qd*kkc&gHsB??XlXomRCzNs#I=>5|9l`^TRlW`Fqd+$vl8i1 zLR1sT9*F+3!AP80k%9>=oatl25X;G8^Xq--nN@Xrp>F6sN4F7v?1!0;`lKPf#p)05 zgqI}W)3s_oeDJ8o*l!zBZ<1iP46JRrF1e$l;}G&3Xh9kR)|OjbOifE0G&`#f`upZf zmOdU506<;<>leP!tI|Z!3xzhX_Gr-Kz?O=NO7-DGUR&AMR}O-Ae$nD$^|TZp{~4D~nw#8?rurdyL``FQ_*dTcX?T zu{G(Ly;e{eB**Is4e<55|JkE^)p#_CIcU5=XZ=rZuy>9ds?ehk-_aWISL86M;DrV^ z@&0L&y3o)M`HEJ!64MTS`?}&Of}W1xy)|2S44X`DRt2L<`j|dMsuhYNeb_cvdSxbet&7RE{#t^zZOM zN#56fIjw(ex*Z)Bt+-Hd=ylJxhrXz(0qWTXWUVw)h!aUf*>S(K>!A05<_yZzbBl^l z-82}G(W|Pe8c(|kVcs493U!APON)zl<0B-ko_{lSQlF{TZ&dTws=s#Gnvo2GE7|jScy)wKo<(7)U_SZxo{~ zZfIy&kTPIZQ(->C$m_V*2}{BO=?IT*Q#Dx732T;X54ciD%iv?rP;8P8c3FLc41Cwe z&-Bx&`61(<)XnHTlzkH!1CB5pIOu(l)OvV*#>bU_WRjj<^ZsR`eChd3d8uGDQ$J+7u%e?o>AifrVGuip1>GZf4dM|6PZGJMQYw3!w4^B~9^5 z4NeH7*Zs}jbbN@1lg2T{R@M^$Hoo)zrDbN+BFlg{w{DWtW{9eH?gzoQ_s`Nl}(=cMC%;6XLOT zeD)7w*gV0aX`un1`6j>MVR?Y;S85zmDj(hL@|vpIezLW}%WvrBaD>5JituWq8g+U+ zzqA7Gz<|mMcqe6{dpgHq>Q&PrPM!+sBBh)>xNVE}r0gq|sZd~fy@-&M;_U2hdOEs> z%z=I}QQnAbk@(dTWOR}*6n$d$b4D?UKN7k@gy1K50z}_1u}jIqqR8-$d>oA(_wREs z2sq!^YFcUC5hzDME;0+S->B_GhQ`kYzELb1DX={hPrV zKO=zYMprd_j7-rV$4ly}o{B*>+ZD24OC@~I<&1CtlXqO_&dmN%aq6i$1UH%%7&Jfk zy)MtY0-7y$xTSBt8x#lWCssLx?UoiEtfFMTE}NDjKR@`r1H*))T23^IyRN$|)9k@=yA^@YEZM zJR*ylF2?B8Vv!#q^R&JEPuuIzx;P1^i9$8dwVmQNr3Au;O^EX8Y0IX@D{(L`rGY0H zPeg{1NAthG`PT!}AQ57Wa3|hxR#tC3)4mu!{tmHjY^8DI%f$9nTzlG|pE(K=qL~P& z$s9J(SEEc{_cCCDwOe}+6z!P$BW$r9QUDU#pSv=E&0xy+wEnf#+PcT)UT?duY22GN zS&H6Xyf)bi9bE%kOP|9oLeQ%J3Z57c0^w&gx1ob(Key#cRM@u}$PoWggx;8F?5wDl zhMJgo`e5Mu;6<_guzqgc;EV6q))z?wOA2qCYO%iSnY$AE`LxL(q9+;Hw0g85cU2L( z-jyMKk#P&;NLVo$>(JI{almzi93tbKtojt#ES=Jtb6RgVskMaB?F*B9U6nQoQhQ89 z29+4yNt?S^53SU4c@c*RoZzAYP1ZF}B9B`W=TIcheNiD1KxirGJE*xoN;(S@=2er#+T*L~oeb$5u&N zOpI7gjYy7W^`N^q1rmInLh7@R=~W^nE$zDY6L+@BoeM~&ZvdIv&70E=mnNM{v8UZ& zgYAZI(2tETosJm^=aZgG5e*nhP|vm;#NXq;tc1gMoy54__hx*5Civld?PhAxDFPmk zG2Bvs$>7q2ZBcWuBG*zkf;{wRVN%zmPP?V)6Z``QbNYd_F+T~qii%2%44}9`JM?+d 
zC4$$9Lyw1X<|j=Lhbz!+YxETnsYB$!rhVgVfrj%4bSHvy7k&UwL?b=;_RbpMGW@Co zX2LMkw20pIpuErh34b}oi&`ZqX6Zvfa&W#N9@(0oa^4c3lg5V<1nv~1k!uHucRcc9H59R20FS8p!S0r2xei$ z7vbUFL&hkJqN2R@OI%ALyApgSZm1l79(op>bhc{fG?u#&6V0;;J*dp=~JB&fc^~@;~-5&?i>@$!R%-Lv(KJ zOq4_j$cdG&##X=(ioId#bN^PRj>qRjU($H?3I&(ZaCXYmSW5OKj|=5RVSdh|u1ty||=#}n?WllO%< zmu;c9@+C1tDI`YSDbuV_iJ1a{;UC$cz} zvnK5%6MpKVbGFqMN19oxf@^-{x2L|J9t$L8^WQnP3BOz&(sEw1Y*b*58Sv! z526{h`whYb#8U)4dwY9zFZZSZ9PtAsMmSo|K?W4ls7kLQmtiy5sN!SPlz3ls5$e&( zAGH91MZ{MQyo|x9?zO?hDa49j6D=p=?v52jH`D##+CZost?WasY9%wldU$w#-ZT4M z`W7HXN+v;o+*L1#xxFpLBc9 zB*kd0{pX_7f+c{6OaMLt0DRAH?GKEM&`?uTGg}UtRRR7(*_?$sJx-yj`6}H_e$HZFsl7an;6`(>z@mgZ%l;$!0sB$*8R(~ zvjL{_ren{r!-X2;A0dEq$Jp|4*6IbIGOsoph}og z#|Y6EC!t|d{?%&Dik z$V&LIo=-qx8`zMJT?ZsuM!Ow04pq{x8Nj<(RRWgh+*ons+nkVcZS@KfY)uf|4!tD z-Q~jgO~iuPZ*t2_pt!7IDbzGRGb?ND(hVqyP!4_^O5|ZXc?6;n_)0(6eH4($_GImU zcj=qjSz@b*Re~T=#5D`DuCBKl0@Gkewy(&wZZh_s3ZBX^2HTZk)@d9G$YcT8E|bIg zDnLgaO)h7*24W_FN+m7En0A<{#4zQ6(Ipl=(G}w7*Fqg%hNR9PK5WtmtpQan9s8F6 z%gnDcgu7HuuKo1bU4)M7c1U=gk7NuDDFJwtIGZU5V6Io}f%J9A1ci6cUroY#Dw!{EsKa^BdV_DL;jXKBpD?mJX1P^4j+c&K1+z7MD}P-X(e%M5bI7^dbxEgUeJ@u&arvyz`| ze_@{4i-sjRKqP>OYU8p2e8{_i_7;3)J~S_Iwzc>5*FAos=I9&d*fwGIn7nBLhgr-$OivNI-PWvWv~tCKtyH7rGBT;m#)&Ue@-pDCB3n4sW1bS zxwDT|I#sxBGfz)z*7DraUNR)K;jAYGZPU#^1~qt^)jcMsZ%NA(WHfbQC0dW-db4|2 zc$RqVT|}8fb?#Hpz?vydv)*B`>ZGitHSCv^a%$(qf=JRNFfLQ0f(0C*6=CNSUOouS zGe$+4gm_mAjlP7`+5XPZm3Vl}J01CzbAt%BTwEdW=K+f9HXnFwAvP?aTT@UYDg9b! zBslv>9e{?&JO*Erf?=TnPL@}#$3CH%u&u$wZf^C}9d`F1FEW149N)mo$ zPE5*J;1*eKKFr~kHNvp4Z;pR^ zeXxB!$3it$gkW56=4}-Fa1^FE)}P%>OG zvokwppl{)j*Lld>SlEbq&`8;oALyTDu7yU((svpq`z7vc(^uc9c~piDB)3GK_@?F% zK9Z}w_4v3mC@d<}@*|nY|L^&nm0R;AIm>QQK?`$*nz9(LB9>cn^$@2q>zc*-=9Th! 
z8hr;?-mFcKF(J<8?z=^Mf|g?Guj07jbL)hUZzi#3l&vEk#*UN^nN3)SS7Tys-QBP~ zKCYkWbuun>W2Y2RtbH9y$+7I$FMdBOzOy!b&e#3tu!V1$!vn9Sdm-AYSa(A$#Wh5tswc$BoHF@}a9~1@S^7 zwZfm~?h5vAHG(c1Lv6vho{2Ee<~G8g=T{AfBT6#K#C%)5RXs;@l5Fb4K|<4w59d>nBrh@r|q+PJQ!DaLZrhWeO{aL`SEeoU)&uKy`fi!Th;3 zA)Fg#g)ZV!4yD5Vy3b}9Fr&$|LEH%uNaMsudFLw%b-1s<1$Xh{4iD=+Zd6NyZ;(Nn zuiQ6&PkQfw4?d+NXDK_bL>mhC$DzY}8-=qw+464AZd|jN-Ln_pW}RbEla)X1)*~Rh zHgtCXz9@DuFKtOON9tNHd~etVpRwzs5?xXAeEt4)GCL zbH-u8ig?dA!7EU;m8exoa=gD0D3|gntwkz($0fZuKkF>?(nX2%+sR$O>L#Z9h@qAM zXrt2$oE<4Sd7`jr&6t*7jXIB18tV1^roj9|i@_@i)tD4B|MKUI;78=nu;h`osjcSD zpYIa~O`rxj*^YmTc*O^!P60e4Z4kQnGEOw>ez+nVHFWIAmEU4fQS|nrSVrzk9sMw%KV zHBKmt>AoftU`O-3FdssroyO*HTXxPZen~}N!PJ(bP_3tH?pQ$^OKi5c8Fj>5%*m%T%h(p@XjHFOJlRcdp|{T$DQV}HBm?0> zoc4;?*iwvp2K`qTNN9quiO(}XSiS7{!go9J(0@*v5^F*`=UJ@I68?Iw;nY<*PMB&L zlYd{!Tx&-`Sm_K_+vO+s^MYNqin~BX!=>o%SjHSP7Pp)(j9o^fLwKJz4IDNF0yZH@ zR>%l$91j9>4dskJ}E-!7USBV4@PgvLjl30U} zth1C|I-W~iab324J_uA)a6hQ*$A)@hC!hc zK8s25&VhaDdYhA2?SlIgpT$V}`Y3&Rj-kGG_|LTzw?Fp;Tcr2%ca33V7%p<9gx+so%B2Kcsw~i_ki7+AmI} zdy81eAZgs6`dq6aQ~_W`C8}pZ!V{y-mGl$LF@3+v@|AMp>xdoAiNK$q z;U~{4JJC$pDICQH!QlBzji@3QzbNo97PqJLN#usi+kxN66h>b9)2@Rd^-QK#3s_qpowW^6PsTs_G-xYJ&PZ&rsc1f z#~J&3%zk?l47PWXay{Y(LQ!HGC^6XA#hUGX|VeZCb*1_fseK*hzXz!$WR zq}V#X+z&!E*BMT>I91L=WOgo;DvBE~Q6FQ|vF{NqmvDOizBxPBP>C80fxOgGo{PJQ zpeX#dcF3D-ANyuYsJJA##T_+42fpUafgw7Q4m?cFs}EQH#<3z!Tnf|3~0wDDKp@1QsAAyDvJ+P$v(o|0nr z3?n?0qtvR=#?pL7c5I%vKFK_VdqSjd=n{kxK3$$QLVgPNl8@1lEio}5WJ@kp$X%E& zeMafB60eeQ;)mAGQND(qUP#e{g`+7xb?1jIm}Wqrv)0G@VBTzCcx>vK+dAB$c+-~BxvzOgIC;eV723`Yx44y+ZiV9`5gI&DUUC&=|K7S^ z?7Xf|l<@Bsfe240ubC+nll1Ys*@L|}7saqjQLae(6c-?%f#L$qgj|VRw4QxsJt!NhN(Mv7aE-E&X zlBmlhLS&|)k?Yu`2I6Qm+u&?nq3ZYyx?!uwn0jpKT*xldiw%QNhIxCxCUc(KZ8LtX zoK>m9v@^(*iPpy(i-m5jNB*t_*4>B61czXc8H&cY^MIuKBaw#fx6m&VU8 zk2k+^&#XJi=4g{M7a>CACAS+kyH;TJq^ttiHtx4c_hKb+|Mq?|YHfI_tuJLH^=1gV zdL=JJ3mOV^U3i(q5n0R>mVM9wUHc62l9NgKeofOtc9j+rAo;qBJ6d`w2>JFQj_Ox7 z%n#qHFa;;914{`&E|qMCsgF@b=Qs!EF?2yokjn 
z`2AOvZ78hEs{`u)JxYg-ImZ=WacQJ#YqWKMrI)t&Fr-DV8HPpKR%#SAPRZvjw{^#~3ZKFDf}(ft1%7P@Jf{ocjeEqfuIpDi~}YfXIBh&P^~PgEzZ*^3Pqlk)!uH*GE2<9 z!Zwu!nIBfOAqoLd5$l3)PoUgTmP7TkBxyx0=(3Dlu3;ZJBCnm^Q_f?@=dim?<^=9e z20jdFVO;f5!Ba+b(?b+9Lhyyjo#8q-BCzg3E)-m-S{LOv)h9W2u{)MTx)}R$Y1p#S z=}QqgZvJ&(z-NDag_^e~&y|0MCR&5cgC9jjJ4_6O-7G?jpSUKpqCsk3(Q97$eh$VRxduWCigbpS}U;-v%r<^shD!4~qr= z)&B4OwKNQG1R9SCPB7vG`_vmdVHep_&7wV@81jkWAv0yZM5-r<56Bx0ue16onBlo_ zWJfc_&iLAONFR*0p&qr+R`D(8vobfCWrp@&tmozHDvT7H1y>ldV4K2#wSZpNS^Is; zQ0sZ$HI7NVv!7-2g`L{=sGc$Oyp{{jI+{Jxo`^1}hAk;0AKr8`;43kGY(HJ6G7?!y#W9JB=6s?uMY8w`<@CdS-|-F8XgYLFB1)T(E584_zs5`!3%uCeNsXOK6O9u v!G3uyNep~`f0u^<{9vYp{o}9y{a-?4@i4zh-K{x;twvHzPPAA=_s9PN?xqN8 diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 333cd6ad1f..9109a8db15 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -189,7 +189,6 @@ properties: required: - singleuserAdmin - cloudResources - - docs_service - 2i2c properties: homepage: @@ -297,20 +296,6 @@ properties: properties: enabled: type: boolean - docs_service: - type: object - additionalProperties: false - required: - - enabled - - repo - - branch - properties: - enabled: - type: boolean - repo: - type: string - branch: - type: string 2i2c: type: object additionalProperties: false diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 124281b087..35fe0d301b 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -11,7 +11,6 @@ dex: staticSites: enabled: false branch: main - azureFile: enabled: false pv: @@ -62,10 +61,6 @@ jupyterhub: projectId: "" scratchBucket: enabled: false - docs_service: - enabled: false - repo: "" - branch: "" 2i2c: # Should 2i2c engineering staff user IDs be injected to the admin_users # configuration of the JupyterHub's authenticator by our custom 
@@ -459,12 +454,7 @@ jupyterhub: if authenticator_class == "github" and c.Authenticator.allowed_users: print("WARNING: hub.config.JupyterHub.authenticator_class was set to github and c.Authenticator.allowed_users was set, custom 2i2c jupyterhub config is now resetting allowed_users to an empty set.") c.Authenticator.allowed_users = set() - 05-add-docs-service-if-enabled: | - from z2jh import get_config - - if get_config("custom.docs_service.enabled"): - c.JupyterHub.services.append({"name": "docs", "url": "http://docs-service"}) - 06-gh-teams: | + 05-gh-teams: | from textwrap import dedent from tornado import gen, web from oauthenticator.github import GitHubOAuthenticator From 138d000f1530791336a0fac31b2444e8568109ea Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 02:23:47 -0700 Subject: [PATCH 07/20] Don't display dex & oauth2-proxy in control panel Co-authored-by: Georgiana Elena --- config/clusters/2i2c/staging.values.yaml | 2 ++ docs/howto/features/static-sites.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index c4ce17f9a0..ae4692f10e 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -35,8 +35,10 @@ jupyterhub: url: http://dex:5556 oauth_redirect_uri: https://staging.2i2c.cloud/services/dex/callback oauth_no_confirm: true + display: false oauth2-proxy: url: http://dex:9000 + display: false config: Authenticator: allowed_users: &staging_users diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index 7c10abb920..f27ed3a56e 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -30,7 +30,9 @@ jupyterhub: url: http://dex:5556 oauth_redirect_url: https:///services/dex/callback oauth_no_confirm: true + display: false oauth2-proxy: + display: false url: http://dex:9000 ``` 
From 2e182077c85541d61c977087503b06b061f440ac Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 02:30:49 -0700 Subject: [PATCH 08/20] Add static-sites to features index --- docs/howto/features/index.md | 2 +- docs/howto/k8s/node-administration.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/howto/features/index.md b/docs/howto/features/index.md index 958265541f..0831292e6f 100644 --- a/docs/howto/features/index.md +++ b/docs/howto/features/index.md @@ -10,7 +10,7 @@ See the sections below for more details: cloud-access gpu github -../customize/docs-service +static-sites ../customize/configure-login-page ../operate/override-domain.md ``` diff --git a/docs/howto/k8s/node-administration.md b/docs/howto/k8s/node-administration.md index 6087468607..446e52fa73 100644 --- a/docs/howto/k8s/node-administration.md +++ b/docs/howto/k8s/node-administration.md 
@@ -34,7 +34,7 @@ Sometimes you might need to delete or to perform maintenance on a node in the cl * Pods created by [ReplicaSet](https://kubernetes.io/docs/concepts/workloads/controllers/replicaset/) objects, through [Deployments](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) Once deleted, these Pods will get re-created and assigned to a different node (because the current node it's cordoned). - The [hub, proxy](https://github.com/2i2c-org/infrastructure/tree/HEAD/helm-charts/basehub/Chart.yaml) and the [docs service](https://github.com/2i2c-org/infrastructure/tree/HEAD/helm-charts/basehub/templates/docs-service-deployment.yaml) are some examples of such pods. + The [hub & proxy](https://github.com/2i2c-org/infrastructure/tree/HEAD/helm-charts/basehub/Chart.yaml) pods are some examples of such pods. * Pods created by [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) objects. These run on every node, regardless of their `cordon` status. So, they don't need to be deleted, otherwise, they will be re-created on the same cordoned node. From f19da9d06b81a1ce59b3799ecc088d2ab5e2beae Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 02:34:24 -0700 Subject: [PATCH 09/20] Move where login page customization docs is present And don't count overriding domains as a feature --- docs/howto/features/index.md | 3 +-- .../configure-login-page.md => features/login-page.md} | 0 2 files changed, 1 insertion(+), 2 deletions(-) rename docs/howto/{customize/configure-login-page.md => features/login-page.md} (100%) diff --git a/docs/howto/features/index.md b/docs/howto/features/index.md index 0831292e6f..4c4683bfff 100644 --- a/docs/howto/features/index.md +++ b/docs/howto/features/index.md @@ -11,6 +11,5 @@ cloud-access gpu github static-sites -../customize/configure-login-page -../operate/override-domain.md +login-page ``` 
diff --git a/docs/howto/customize/configure-login-page.md b/docs/howto/features/login-page.md similarity index 100% rename from docs/howto/customize/configure-login-page.md rename to docs/howto/features/login-page.md From 02f82232cd88eaac5d8e4c384d2acd2ac847c139 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 15:11:24 -0700 Subject: [PATCH 10/20] Add support for pulling from private github repos Instead of using deploy keys, we use https://github.com/yuvipanda/git-credential-helpers, which is also used for pulling from private repos with nbgitpuller. I've created a new GitHub app for the 2i2c staging hub, at https://github.com/apps/2i2c-staging-hub-static-pull and 'installed' it for the private repo at https://github.com/yuvipanda/test-repo-push. This allows the static-sites pod to pull it, and it's available at https://staging.2i2c.cloud/textbook/ now --- config/clusters/2i2c/cluster.yaml | 6 +-- .../2i2c/enc-staging.secret.values.yaml | 17 ++++++--- config/clusters/2i2c/staging.values.yaml | 4 +- docs/topic/features.md | 3 +- .../basehub/templates/static/deployment.yaml | 38 ++++++++++++++++--- helm-charts/basehub/values.schema.yaml | 21 ++++++++++ helm-charts/basehub/values.yaml | 8 ++++ 7 files changed, 78 insertions(+), 19 deletions(-) diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml index aa79db158a..8da6f8b403 100644 --- a/config/clusters/2i2c/cluster.yaml +++ b/config/clusters/2i2c/cluster.yaml 
@@ -16,14 +16,10 @@ hubs: domain: staging.2i2c.cloud helm_chart: basehub auth0: - # connection update? Also ensure the basehub Helm chart is provided a - # matching value for jupyterhub.custom.2i2c.add_staff_user_ids_of_type! connection: google-oauth2 helm_chart_values_files: - # The order in which you list files here is the order the will be passed - # to the helm upgrade command in, and that has meaning. Please check - # that you intend for these files to be applied in this order. - staging.values.yaml + - enc-staging.secret.values.yaml - name: dask-staging display_name: "2i2c dask staging" domain: dask-staging.2i2c.cloud diff --git a/config/clusters/2i2c/enc-staging.secret.values.yaml b/config/clusters/2i2c/enc-staging.secret.values.yaml index a858020c50..fca5ed2a64 100644 --- a/config/clusters/2i2c/enc-staging.secret.values.yaml +++ b/config/clusters/2i2c/enc-staging.secret.values.yaml @@ -1,3 +1,7 @@ +staticSites: + githubApp: + id: ENC[AES256_GCM,data:5l6P6jk3,iv:s0awYuy3EGl7lvZYwkANsBp+/nMpGWViiamGmEiYB/g=,tag:L354TM6f2ku/miQfGkj0XQ==,type:int] + privateKey: ENC[AES256_GCM,data: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,iv:B2915Ni6E8g8B5fQIDbAKC7+gwBPmgIn70xM61XKHko=,tag:mlvYFiV4ODEh8nKqHVC16w==,type:str] jupyterhub: hub: config: 
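Review bot: The comment explaining that `helm_chart_values_files` entries are passed to `helm upgrade` in list order is deleted in the same hunk that grows the list to two entries, which is exactly when the order starts to matter. Helm resolves a key set in several values files in favour of the later file, so anything defined in both `staging.values.yaml` and `enc-staging.secret.values.yaml` is decided by this ordering. I would keep a short form above the list, for example `# Passed to helm upgrade in this order; on conflict the later file wins.` The removed note about keeping `auth0.connection` in step with `jupyterhub.custom.2i2c.add_staff_user_ids_of_type` also looks worth keeping unless it is obsolete.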
@@ -7,13 +11,14 @@ jupyterhub: sops: kms: [] gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: '2022-03-21T10:38:36Z' - enc: CiQA4OM7eJn+A9b0ulwu64MnqKfDM1EwtoKzj7Utg4iXOccLCroSSQDm5XgWCwOR2/FDqBIOrVVltPV7nASpq8h+fiHw5dYTSaPUyAMYwQ62iytA2kwTGQcOMmtxZVhn4dpGt2b0VlEvdiHP02Cgzvo= + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2022-03-21T10:38:36Z" + enc: CiQA4OM7eJn+A9b0ulwu64MnqKfDM1EwtoKzj7Utg4iXOccLCroSSQDm5XgWCwOR2/FDqBIOrVVltPV7nASpq8h+fiHw5dYTSaPUyAMYwQ62iytA2kwTGQcOMmtxZVhn4dpGt2b0VlEvdiHP02Cgzvo= azure_kv: [] hc_vault: [] - lastmodified: '2022-03-21T10:38:36Z' - mac: ENC[AES256_GCM,data:D50ijsF6YmlX/El96nrIgxEcEmfbJabVvKIO33zi8PfjqkQZj7L9XdGMz9FzNRvtSu2+PwhZRr+98pqWb4N2SvuVjqPfskJwigVVQifNxOtI2P3V2LvnA/rnYvvTkpfzrcwBJPHsUL8VCAeY8OjxdEpamqFsrlyFG4z2HQ0dAQg=,iv:uDkxaW/3dZZTer1iuqhfIHtZ8vvOY7TCKfFnaI2pcZM=,tag:XjF32PtqZifGwW0LsKa/8Q==,type:str] + age: [] + lastmodified: "2022-07-08T21:47:54Z" + mac: ENC[AES256_GCM,data:UqEuUCa03jB11mePDMLns+ep4TLD1NzC38QSz/88hn0ri7VNbMwF1cFXya1hFnsElJdDTjTK/+gSXtj+IMF59npo5/yDs3HMm4gN6kl6WnyTp8D9JqHX1nkNIUhvUYg2pg8WzEqhdEKVqDEmCvQk3KXCAMtQicHnY73Ok8Afa10=,iv:jjE+WRz7aOQ1Tyrd2AoYvduxcXbmw8OnSri2FJPJcyM=,tag:pejj35mW3LyCL8/TrLeJtg==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.6.1 + version: 3.7.1 diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index ae4692f10e..ff90f5471e 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -4,10 +4,12 @@ dex: staticSites: enabled: true - repo: https://github.com/inferentialthinking/inferentialthinking.github.io + repo: https://github.com/yuvipanda/test-repo-push branch: master host: staging.2i2c.cloud path: /textbook + githubApp: + enabled: true jupyterhub: custom: 
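Review bot: `staticSites.repo` now points at a personal test repository while `host` and `path` keep the content on `staging.2i2c.cloud/textbook`, the same origin as the hub. Any HTML or JavaScript committed to that repo is served from the hub's origin, so write access to the repo should be treated as a privileged role on the hub. Whether the nginx config adds a restrictive Content-Security-Policy is not visible in this hunk. A comment above `repo:` would record the trust decision, for example `# Served from the hub's origin: only use repos whose writers are trusted with hub sessions.` The `jupyterhub:` block continues outside the hunk.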
diff --git a/docs/topic/features.md b/docs/topic/features.md index 42f488b331..47dcf77482 100644 --- a/docs/topic/features.md +++ b/docs/topic/features.md @@ -48,4 +48,5 @@ A single bucket can also be designated as as *scratch bucket*, which will set a `SCRATCH_BUCKET` (and a deprecated `PANGEO_SCRATCH`) environment variable of the form `:///`. This can be used by individual users to store objects temporarily for their own use, although there is nothing -preventing other users from accessing these objects! \ No newline at end of file +preventing other users from accessing these objects! + diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml index 54669eb3b2..0396b37b62 100644 --- a/helm-charts/basehub/templates/static/deployment.yaml +++ b/helm-charts/basehub/templates/static/deployment.yaml @@ -16,15 +16,21 @@ spec: checksum/config: {{ include (print $.Template.BasePath "/static/configmap.yaml") . | sha256sum }} spec: volumes: - - name: nginx-config + - name: config configMap: name: static-sites - name: content emptyDir: {} + {{ if .Values.staticSites.githubApp.enabled }} + - name: git-config + secret: + secretName: static-sites + {{ end }} initContainers: - - name: site-clone - image: alpine/git - args: + - name: content-clone + image: quay.io/yuvipanda/git-credential-helpers:0.2 + command: + - git - clone - --depth=1 - --branch={{ .Values.staticSites.branch | required "staticSites.branch is required with staticSite.enabled set to true" }} 
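Review bot: The `content-clone` init container now runs `quay.io/yuvipanda/git-credential-helpers:0.2`, an image in a personal registry namespace referenced by a mutable tag, and the second hunk mounts the GitHub App private key into that container. Pinning the digest keeps a re-pushed tag from changing what runs next to the key: `image: quay.io/yuvipanda/git-credential-helpers:0.2@sha256:<digest-of-reviewed-image>`. The same applies to the `content-sync` container in the third hunk of this file. The container spec continues outside this hunk.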
@@ -39,9 +45,19 @@ spec: volumeMounts: - name: content mountPath: /srv/content + {{ if .Values.staticSites.githubApp.enabled }} + - name: git-config + mountPath: /etc/gitconfig + subPath: gitconfig + readOnly: true + - name: git-config + mountPath: /etc/github/github-app-private-key.pem + subPath: github-app-private-key.pem + readOnly: true + {{ end }} containers: - name: content-sync - image: alpine/git + image: quay.io/yuvipanda/git-credential-helpers:0.2 workingDir: /srv/content command: - /bin/sh @@ -56,6 +72,16 @@ spec: volumeMounts: - name: content mountPath: /srv/content + {{ if .Values.staticSites.githubApp.enabled }} + - name: git-config + mountPath: /etc/gitconfig + subPath: gitconfig + readOnly: true + - name: git-config + mountPath: /etc/github/github-app-private-key.pem + subPath: github-app-private-key.pem + readOnly: true + {{ end }} - name: server image: nginx:1.19 command: ["/usr/sbin/nginx", "-g", "daemon off;"] @@ -63,7 +89,7 @@ spec: - name: nginx containerPort: 8080 volumeMounts: - - name: nginx-config + - name: config mountPath: /etc/nginx/conf.d/default.conf subPath: nginx.conf - name: content diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 9109a8db15..6cdc69d420 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml 
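Review bot: Both containers mount the `static-sites` Secret with `subPath`, and Kubernetes does not refresh `subPath` mounts when the Secret changes, so a rotated GitHub App key would not reach a running pod. The only restart trigger visible in the first hunk is `checksum/config`, which hashes `/static/configmap.yaml` alone. If the Secret is rendered by a chart template (not part of this diff), a second annotation such as `checksum/secret: {{ include (print $.Template.BasePath "<path-to-static-sites-secret-template>") . | sha256sum }}` would roll the pods on rotation. The `git-config` volume also sets no `defaultMode`, so the key file gets the default 0644; `defaultMode: 0400` is worth considering if the user the image runs as allows it.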
@@ -30,6 +30,27 @@ properties: type: boolean description: | Enable hosting static sites associated with this hub. + githubApp: + type: object + additionalProperties: false + description: | + Enable using a GitHub app to authenticate the cloner, + so private repositories can be cloned. Uses + https://github.com/yuvipanda/git-credential-helpers + properties: + enabled: + type: boolean + description: | + Enable the github app integration + id: + type: integer + description: | + Integer id of GitHub app to use when cloning private repos + privateKey: + type: string + description: | + Private RSA key created to authenticate as this GitHuba pp + repo: type: string description: | diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 35fe0d301b..3c3605842e 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -11,6 +11,14 @@ dex: staticSites: enabled: false branch: main + githubApp: + enabled: false + # Primarily here for validation to 'work', + # as these are set in secret config otherwise. I don't like this, + # as we won't catch these values missing if they aren't set. + id: 0 + privateKey: "" + azureFile: enabled: false pv: From c7918f67b6189f8bd205e4d4e5c8a729762bb825 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Jul 2022 17:06:56 -0700 Subject: [PATCH 11/20] Add docs on doing this from a private repo --- docs/howto/features/static-sites.md | 82 ++++++++++++++++++++++++++--- 1 file changed, 76 insertions(+), 6 deletions(-) diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index f27ed3a56e..bcfc67f8cd 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md 
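Review bot: The schema accepts `githubApp.enabled: true` with no `id` or `privateKey`, and the defaults added to `values.yaml` in the next hunk (`id: 0`, `privateKey: ""`) mean a forgotten secrets file still renders cleanly and only fails when the pod tries to clone. The deployment template already guards `staticSites.branch` with `required`. The same guard on the key, wherever the `static-sites` Secret is rendered (not shown in this diff), would fail the deploy instead, e.g. `{{ .Values.staticSites.githubApp.privateKey | required "staticSites.githubApp.privateKey is required with githubApp.enabled set to true" }}`. The `privateKey` description also has a typo: `GitHuba pp` should read `GitHub app`.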
@@ -75,11 +75,81 @@ checks out the `master` branch and keeps it up to date by doing a `git pull` every 5 minutes. It is made available under `/textbook`, and requires users be logged-in to the hub before they can access it. -### Note on relative URLs +## Using private GitHub repos -Depending on what Static Site Generator has been used to generate the website's static content, it **may** or **may not** use relative paths routing by default. -For example, [Sphinx](https://www.sphinx-doc.org/en/master/) handles relative paths by default, whereas, [Hugo](https://gohugo.io/) leaves all [relative URLs unchanged](https://gohugo.io/content-management/urls/#relative-urls). +We use [git-credentials-helper](https://github.com/yuvipanda/git-credential-helpers) +to support pulling content from private repos. -However, having relative URLS is a **must** in order for the hub docs service to work. Please check with the docs of your SSG of choice and enable relative URLs if they -aren't enabled already. -``` \ No newline at end of file +### Setup GitHub app + +`git-credentials-helper` uses a [GitHub App](https://docs.github.com/en/developers/apps) +to pull private repos. So you first need to create a GitHub app for each hub that wants +to pull private repos as static content. + +1. Create a [GitHub app in the 2i2c org](https://github.com/organizations/2i2c-org/settings/apps/new). + +2. Give it a descriptive name (such as ' static site deploy + authenticator') and description, as users will see this when authorizing + access to their private repos. + +3. Disable webhooks (uncheck the 'Active' checkbox under 'Webhooks'). All other + textboxes can be left empty. + +4. Under 'Repository permissions', select 'Read' for 'Contents'. + +5. Under 'Where can this GitHub App be installed?', select 'Any account'. This will + enable users to push to their own user repositories or other organization repositaries, + rather than just the 2i2c repos. + +6. 
Create the application with the 'Create GitHub app' button. + +7. Copy the numeric 'App id' from the app info page you should be redirected to. + +8. Create a new private key for authentication use with the `Generate a private key` + button. This should download a private key file, that you should keep safe. + +### Helm values configuration + +Now, we can configure our static files server to make use of the GitHub app to authenticate. + +1. Enable the gitHub app in the `.values.yaml` file for the hub. + + ```yaml + staticFiles: + githubApp: + enabled: true + ``` + +2. Create a sops-encrypted file (usually in the form of + `enc-.secret.values.yaml`) to hold the secret values required to authenticate + the GitHub app. + + ```yaml + staticFiles: + githubApp: + id: + privateKey: | + + ``` + + Make sure this file is also listed under `helm_chart_values_files` for the hub in + the cluster's `cluster.yaml` so it is read during deployment. + +### Grant access to the private repo + +Finally, someone with admin rights on the private repo to be pulled needs to +grant the github app we just setup access to the private repo. **This is the only +part that hub admins rather than 2i2c engineers need to do**. + +1. Go to the 'Public page' of the GitHub app created. This usually is of the + form `https://github.com/apps/`. You can find this in the information + page of the app after you create it, under 'Public link' + +2. Install the app in the organization the private repo is in, and grant it access + *only* to the repo that needs to be pulled. + +### Do a deploy + +After all the permissions are setup, you should make sure the config under +`staticSites.repo` and `staticSites.branch` are set appropriately, and do a deployment +to pull in the private repo! \ No newline at end of file From d3e9ff7525e1bcd2bf4cb208c90c82194d1cd2f1 Mon Sep 17 00:00:00 2001 
From: Yuvi Panda Date: Sat, 9 Jul 2022 12:14:24 -0700 Subject: [PATCH 12/20] Apply formatting nitpicks Co-authored-by: Erik Sundell --- helm-charts/basehub/templates/dex/pvc.yaml | 2 +- .../basehub/templates/static/deployment.yaml | 22 +++++++++---------- .../basehub/templates/static/ingress.yaml | 4 ++-- 3 files changed, 14 insertions(+), 14 deletions(-) diff --git a/helm-charts/basehub/templates/dex/pvc.yaml b/helm-charts/basehub/templates/dex/pvc.yaml index 95480b9c1a..56e6aafd6d 100644 --- a/helm-charts/basehub/templates/dex/pvc.yaml +++ b/helm-charts/basehub/templates/dex/pvc.yaml @@ -9,4 +9,4 @@ spec: resources: requests: storage: 1Gi -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml index 0396b37b62..60d787adaa 100644 --- a/helm-charts/basehub/templates/static/deployment.yaml +++ b/helm-charts/basehub/templates/static/deployment.yaml @@ -21,11 +21,11 @@ spec: name: static-sites - name: content emptyDir: {} - {{ if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticSites.githubApp.enabled }} - name: git-config secret: secretName: static-sites - {{ end }} + {{- end }} initContainers: - name: content-clone image: quay.io/yuvipanda/git-credential-helpers:0.2 @@ -45,7 +45,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{ if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticSites.githubApp.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig @@ -54,7 +54,7 @@ spec: mountPath: /etc/github/github-app-private-key.pem subPath: github-app-private-key.pem readOnly: true - {{ end }} + {{- end }} containers: - name: content-sync image: quay.io/yuvipanda/git-credential-helpers:0.2 
@@ -72,7 +72,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{ if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticSites.githubApp.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig @@ -81,7 +81,7 @@ spec: mountPath: /etc/github/github-app-private-key.pem subPath: github-app-private-key.pem readOnly: true - {{ end }} + {{- end }} - name: server image: nginx:1.19 command: ["/usr/sbin/nginx", "-g", "daemon off;"] @@ -89,9 +89,9 @@ spec: - name: nginx containerPort: 8080 volumeMounts: - - name: config - mountPath: /etc/nginx/conf.d/default.conf - subPath: nginx.conf - - name: content - mountPath: /srv/content + - name: config + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: content + mountPath: /srv/content {{- end }} diff --git a/helm-charts/basehub/templates/static/ingress.yaml b/helm-charts/basehub/templates/static/ingress.yaml index 216f20413b..aef1f3e09d 100644 --- a/helm-charts/basehub/templates/static/ingress.yaml +++ b/helm-charts/basehub/templates/static/ingress.yaml @@ -11,7 +11,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: {{ .Values.staticSites.host}} + - host: {{ .Values.staticSites.host }} http: paths: - path: {{ .Values.staticSites.path }} @@ -21,4 +21,4 @@ spec: name: static-sites port: number: 80 -{{- end }} \ No newline at end of file +{{- end }} From db10eb5dfefdcaa439065dc86c470967ae014891 Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Sat, 9 Jul 2022 12:28:33 -0700 Subject: [PATCH 13/20] Rename staticSites to staticWebsite for clarity --- .../clusters/2i2c/enc-staging.secret.values.yaml | 10 +++++----- config/clusters/2i2c/staging.values.yaml | 2 +- docs/howto/features/static-sites.md | 6 +++--- .../basehub/templates/static/configmap.yaml | 4 ++-- .../basehub/templates/static/deployment.yaml | 14 +++++++------- helm-charts/basehub/templates/static/ingress.yaml | 6 +++--- helm-charts/basehub/templates/static/service.yaml | 2 +- helm-charts/basehub/values.schema.yaml | 4 ++-- helm-charts/basehub/values.yaml | 2 +- 9 files changed, 25 insertions(+), 25 deletions(-) diff --git a/config/clusters/2i2c/enc-staging.secret.values.yaml b/config/clusters/2i2c/enc-staging.secret.values.yaml index fca5ed2a64..86bf3ee6fe 100644 --- a/config/clusters/2i2c/enc-staging.secret.values.yaml +++ b/config/clusters/2i2c/enc-staging.secret.values.yaml @@ -1,7 +1,7 @@ -staticSites: +staticWebsite: githubApp: - id: ENC[AES256_GCM,data:5l6P6jk3,iv:s0awYuy3EGl7lvZYwkANsBp+/nMpGWViiamGmEiYB/g=,tag:L354TM6f2ku/miQfGkj0XQ==,type:int] - privateKey: ENC[AES256_GCM,data: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,iv:B2915Ni6E8g8B5fQIDbAKC7+gwBPmgIn70xM61XKHko=,tag:mlvYFiV4ODEh8nKqHVC16w==,type:str] + id: ENC[AES256_GCM,data:TqWfwqYN,iv:50C2fKLQ5pWFYb0CxeLpnS0O+yr6eoR+uZPM1R6AMVI=,tag:SZNh/GW4tQzJe9h8e7H7IA==,type:int] + privateKey: ENC[AES256_GCM,data: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,iv:AnfRr6ahIYFKvZAf3zMCA/Gf7JQ5RS4UBcVQXWht20k=,tag:TQ20Jlhg6G5+2+YyrTrykw==,type:str] jupyterhub: hub: config: 
@@ -17,8 +17,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-07-08T21:47:54Z" - mac: ENC[AES256_GCM,data:UqEuUCa03jB11mePDMLns+ep4TLD1NzC38QSz/88hn0ri7VNbMwF1cFXya1hFnsElJdDTjTK/+gSXtj+IMF59npo5/yDs3HMm4gN6kl6WnyTp8D9JqHX1nkNIUhvUYg2pg8WzEqhdEKVqDEmCvQk3KXCAMtQicHnY73Ok8Afa10=,iv:jjE+WRz7aOQ1Tyrd2AoYvduxcXbmw8OnSri2FJPJcyM=,tag:pejj35mW3LyCL8/TrLeJtg==,type:str] + lastmodified: "2022-07-09T19:24:38Z" + mac: ENC[AES256_GCM,data:p0uiJOe91dPvfL8Fn4KlqiEO/8Pe1ww6K/2eLPTRkQKob8p4JnyD2ak5B5mGaYGFiDF9p0j0E50XPIToe0zzOJGLZOSTeI6G3BYFP5lgwjqbZ58UPQPn4HLEtE4Uoiq45He+1zmgcjXO9epTnACN5NQeBvGG5aoomfk8yYKU514=,iv:/uLuaJZEqBVKujgfqQuvpSYLD3XaymbATlmnNIwE47o=,tag:EFH8KC4XYOs96dCPVK0rtQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index ff90f5471e..3509568a69 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -2,7 +2,7 @@ dex: enabled: true hubHostName: staging.2i2c.cloud -staticSites: +staticWebsite: enabled: true repo: https://github.com/yuvipanda/test-repo-push branch: master diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index bcfc67f8cd..7df00c5558 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -16,7 +16,7 @@ dex: enabled: true hubHostName: -staticSites: +staticWebsite: enabled: true repo: branch: @@ -52,7 +52,7 @@ dex: enabled: true hubHostName: staging.2i2c.cloud -staticSites: +staticWebsite: enabled: true repo: https://github.com/inferentialthinking/inferentialthinking.github.io branch: master 
@@ -151,5 +151,5 @@ part that hub admins rather than 2i2c engineers need to do**. ### Do a deploy After all the permissions are setup, you should make sure the config under -`staticSites.repo` and `staticSites.branch` are set appropriately, and do a deployment +`staticWebsite.repo` and `staticWebsite.branch` are set appropriately, and do a deployment to pull in the private repo! \ No newline at end of file diff --git a/helm-charts/basehub/templates/static/configmap.yaml b/helm-charts/basehub/templates/static/configmap.yaml index f7bdf93076..47cd57ca5b 100644 --- a/helm-charts/basehub/templates/static/configmap.yaml +++ b/helm-charts/basehub/templates/static/configmap.yaml @@ -1,4 +1,4 @@ -{{- if .Values.staticSites.enabled -}} +{{- if .Values.staticWebsite.enabled -}} kind: ConfigMap apiVersion: v1 metadata: @@ -9,7 +9,7 @@ data: nginx.conf: | server { listen 8080; - location {{ .Values.staticSites.path }} { + location {{ .Values.staticWebsite.path }} { index index.html; alias /srv/content/repo; } diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml index 60d787adaa..a84b0b6257 100644 --- a/helm-charts/basehub/templates/static/deployment.yaml +++ b/helm-charts/basehub/templates/static/deployment.yaml @@ -1,4 +1,4 @@ -{{- if .Values.staticSites.enabled -}} +{{- if .Values.staticWebsite.enabled -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -21,7 +21,7 @@ spec: name: static-sites - name: content emptyDir: {} - {{- if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticWebsite.githubApp.enabled }} - name: git-config secret: secretName: static-sites 
@@ -33,10 +33,10 @@ spec: - git - clone - --depth=1 - - --branch={{ .Values.staticSites.branch | required "staticSites.branch is required with staticSite.enabled set to true" }} + - --branch={{ .Values.staticWebsite.branch | required "staticWebsite.branch is required with staticSite.enabled set to true" }} - --single-branch - -- - - '{{ .Values.staticSites.repo | required "staticSites.repo is required with staticSites.enabled set to true" }}' + - '{{ .Values.staticWebsite.repo | required "staticWebsite.repo is required with staticWebsite.enabled set to true" }}' - /srv/content/repo securityContext: runAsUser: 1000 @@ -45,7 +45,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{- if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticWebsite.githubApp.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig @@ -63,7 +63,7 @@ spec: - /bin/sh args: - -c - - "while true; do git fetch origin; git reset --hard origin/{{ .Values.staticSites.branch }}; sleep\ + - "while true; do git fetch origin; git reset --hard origin/{{ .Values.staticWebsite.branch }}; sleep\ \ 5m; done" securityContext: runAsUser: 1000 @@ -72,7 +72,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{- if .Values.staticSites.githubApp.enabled }} + {{- if .Values.staticWebsite.githubApp.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig diff --git a/helm-charts/basehub/templates/static/ingress.yaml b/helm-charts/basehub/templates/static/ingress.yaml index aef1f3e09d..114d9bf597 100644 --- a/helm-charts/basehub/templates/static/ingress.yaml +++ b/helm-charts/basehub/templates/static/ingress.yaml @@ -1,4 +1,4 @@ -{{- if .Values.staticSites.enabled -}} +{{- if .Values.staticWebsite.enabled -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
@@ -11,10 +11,10 @@ metadata: spec: ingressClassName: nginx rules: - - host: {{ .Values.staticSites.host }} + - host: {{ .Values.staticWebsite.host }} http: paths: - - path: {{ .Values.staticSites.path }} + - path: {{ .Values.staticWebsite.path }} pathType: Prefix backend: service: diff --git a/helm-charts/basehub/templates/static/service.yaml b/helm-charts/basehub/templates/static/service.yaml index 9d7cefc353..a181240475 100644 --- a/helm-charts/basehub/templates/static/service.yaml +++ b/helm-charts/basehub/templates/static/service.yaml @@ -1,4 +1,4 @@ -{{- if .Values.staticSites.enabled -}} +{{- if .Values.staticWebsite.enabled -}} apiVersion: v1 kind: Service metadata: diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 6cdc69d420..765bfc9123 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -18,9 +18,9 @@ required: - jupyterhub - userServiceAccount - dex - - staticSites + - staticWebsite properties: - staticSites: + staticWebsite: type: object additionalProperties: false required: diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 3c3605842e..9beaa07491 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -8,7 +8,7 @@ userServiceAccount: dex: enabled: false -staticSites: +staticWebsite: enabled: false branch: main githubApp: From aa9bc43d382d6cca9f7c257e26fc71085a82e5d1 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Jul 2022 12:35:00 -0700 Subject: [PATCH 14/20] Nest config for git repo for clarity --- config/clusters/2i2c/staging.values.yaml | 6 ++-- docs/howto/features/static-sites.md | 14 +++++---- .../basehub/templates/static/deployment.yaml | 6 ++-- helm-charts/basehub/values.schema.yaml | 29 +++++++++++++------ helm-charts/basehub/values.yaml | 4 ++- 5 files changed, 39 insertions(+), 20 deletions(-) 
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 3509568a69..6d57c2f19a 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -4,8 +4,10 @@ dex: staticWebsite: enabled: true - repo: https://github.com/yuvipanda/test-repo-push - branch: master + source: + git: + repo: https://github.com/yuvipanda/test-repo-push + branch: master host: staging.2i2c.cloud path: /textbook githubApp: diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index 7df00c5558..16414a014e 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -18,8 +18,10 @@ dex: staticWebsite: enabled: true - repo: - branch: + source: + git: + repo: + branch: host: path: @@ -54,8 +56,10 @@ dex: staticWebsite: enabled: true - repo: https://github.com/inferentialthinking/inferentialthinking.github.io - branch: master + source: + git: + repo: https://github.com/inferentialthinking/inferentialthinking.github.io + branch: master host: staging.2i2c.cloud path: /textbook @@ -151,5 +155,5 @@ part that hub admins rather than 2i2c engineers need to do**. ### Do a deploy After all the permissions are setup, you should make sure the config under -`staticWebsite.repo` and `staticWebsite.branch` are set appropriately, and do a deployment +`staticWebsite.source.git.repo` and `staticWebsite.source.git.repo` are set appropriately, and do a deployment to pull in the private repo! \ No newline at end of file diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml index a84b0b6257..67876f7b28 100644 --- a/helm-charts/basehub/templates/static/deployment.yaml +++ b/helm-charts/basehub/templates/static/deployment.yaml 
@@ -33,10 +33,10 @@ spec: - git - clone - --depth=1 - - --branch={{ .Values.staticWebsite.branch | required "staticWebsite.branch is required with staticSite.enabled set to true" }} + - --branch={{ .Values.staticWebsite.source.git.branch | required "staticWebsite.source.git.branch is required with staticSite.enabled set to true" }} - --single-branch - -- - - '{{ .Values.staticWebsite.repo | required "staticWebsite.repo is required with staticWebsite.enabled set to true" }}' + - '{{ .Values.staticWebsite.source.git.repo | required "staticWebsite.source.git.repo is required with staticWebsite.enabled set to true" }}' - /srv/content/repo securityContext: runAsUser: 1000 @@ -63,7 +63,7 @@ spec: - /bin/sh args: - -c - - "while true; do git fetch origin; git reset --hard origin/{{ .Values.staticWebsite.branch }}; sleep\ + - "while true; do git fetch origin; git reset --hard origin/{{ .Values.staticWebsite.source.git.branch }}; sleep\ \ 5m; done" securityContext: runAsUser: 1000 diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 765bfc9123..ce034b85fd 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -30,6 +30,26 @@ properties: type: boolean description: | Enable hosting static sites associated with this hub. + source: + type: object + additionalProperties: false + description: | + Source of the static files to serve + properties: + git: + type: object + additionalProperties: false + description: | + Config of git repository to pull from + properties: + repo: + type: string + description: | + Git repo to clone and serve statically + branch: + type: string + description: | + Branch in given git repo to check out after cloning the repo githubApp: type: object additionalProperties: false 
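Review bot: The `required` message on the `--branch` line still names `staticSite.enabled`, a key that does not exist, while the message on the repo line says `staticWebsite.enabled`. An operator who hits this error will search the values files for the wrong name. Change the end of the message to `is required with staticWebsite.enabled set to true`. The `--` in front of the repo argument is worth keeping, since it stops a repo value that begins with `-` from being parsed as a git option.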
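Review bot: In the `content-sync` args of the second hunk, the branch value is pasted unquoted into a string that `/bin/sh -c` evaluates, so whitespace or shell metacharacters in `staticWebsite.source.git.branch` alter the command instead of producing a git error. The clone step passes the same value as a single argv element, so only this line is affected. Handing the value to the shell through an environment variable and quoting the expansion keeps it as data, as sketched below. The container definition starts and ends outside the hunk, and the indentation in the sketch is a guess because the page lost the original layout.

```yaml
# … unchanged: name, image, workingDir, command …
          env:
            - name: GIT_BRANCH
              value: {{ .Values.staticWebsite.source.git.branch | quote }}
          args:
            - -c
            - 'while true; do git fetch origin; git reset --hard "origin/$GIT_BRANCH"; sleep 5m; done'
# … unchanged: securityContext, volumeMounts …
```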
@@ -50,15 +70,6 @@ properties: type: string description: | Private RSA key created to authenticate as this GitHuba pp - - repo: - type: string - description: | - Git repo to clone and serve statically - branch: - type: string - description: | - Branch in given git repo to check out after cloning the repo host: type: string description: | diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 9beaa07491..6ac0849472 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -10,7 +10,9 @@ dex: staticWebsite: enabled: false - branch: main + source: + git: + branch: main githubApp: enabled: false # Primarily here for validation to 'work', From c9160866ccf2fb89330797c69fa3faa0c5eee18e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Jul 2022 13:52:45 -0700 Subject: [PATCH 15/20] Address more indent nitpicks --- .../basehub/templates/dex/configmap.yaml | 28 ++++---- .../basehub/templates/dex/deployment.yaml | 66 +++++++++---------- helm-charts/basehub/templates/dex/secret.yaml | 8 +-- 3 files changed, 51 insertions(+), 51 deletions(-) diff --git a/helm-charts/basehub/templates/dex/configmap.yaml b/helm-charts/basehub/templates/dex/configmap.yaml index 0d623a567f..a46ba58685 100644 --- a/helm-charts/basehub/templates/dex/configmap.yaml +++ b/helm-charts/basehub/templates/dex/configmap.yaml 
@@ -24,24 +24,24 @@ data: skipApprovalScreen: true connectors: - - type: oauth - id: hub - name: hub - config: - clientID: service-dex - # Env vars are expanded via gomplate, which is present in the - # upstream dex docker image - clientSecret: {{ "{{" }} .Env.HUB_OAUTH2_CLIENT_SECRET {{ "}}" }} - redirectURI: https://{{ .Values.dex.hubHostName }}/services/dex/callback - userIDKey: name - tokenURL: http://proxy-public/hub/api/oauth2/token - authorizationURL: https://{{ .Values.dex.hubHostName }}/hub/api/oauth2/authorize - userInfoURL: http://proxy-public/hub/api/user + - type: oauth + id: hub + name: hub + config: + clientID: service-dex + # Env vars are expanded via gomplate, which is present in the + # upstream dex docker image + clientSecret: {{ "{{" }} .Env.HUB_OAUTH2_CLIENT_SECRET {{ "}}" }} + redirectURI: https://{{ .Values.dex.hubHostName }}/services/dex/callback + userIDKey: name + tokenURL: http://proxy-public/hub/api/oauth2/token + authorizationURL: https://{{ .Values.dex.hubHostName }}/hub/api/oauth2/authorize + userInfoURL: http://proxy-public/hub/api/user staticClients: - id: oauth2-proxy redirectURIs: - - https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback + - https://{{ .Values.dex.hubHostName }}/services/oauth2-proxy/oauth2/callback name: oauth2-proxy # Env vars are expanded via gomplate, which is present in the # upstream dex docker image diff --git a/helm-charts/basehub/templates/dex/deployment.yaml b/helm-charts/basehub/templates/dex/deployment.yaml index 19fa311299..cb5b435224 100644 --- a/helm-charts/basehub/templates/dex/deployment.yaml +++ b/helm-charts/basehub/templates/dex/deployment.yaml 
@@ -34,49 +34,49 @@ spec: - name: dex containerPort: 5556 env: - # These are expanded by the dex config - - name: HUB_OAUTH2_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: hub - key: hub.services.dex.apiToken - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: dex - key: oauth2Proxy.clientSecret + # These are expanded by the dex config + - name: HUB_OAUTH2_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: hub + key: hub.services.dex.apiToken + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.clientSecret volumeMounts: - - name: config - mountPath: /srv/config - - name: db - mountPath: /srv/db + - name: config + mountPath: /srv/config + - name: db + mountPath: /srv/db # Needs to be args, not cmd - this allows gomplate based # expansion of config file args: - - dex - - serve - - /srv/config/dex.yaml + - dex + - serve + - /srv/config/dex.yaml - name: oauth2-proxy image: quay.io/oauth2-proxy/oauth2-proxy:v7.3.0 command: - - oauth2-proxy - - --config=/srv/config/oauth2-proxy.cfg + - oauth2-proxy + - --config=/srv/config/oauth2-proxy.cfg volumeMounts: - - name: config - mountPath: /srv/config + - name: config + mountPath: /srv/config ports: - name: oauth2-proxy containerPort: 9000 env: - # This is read by oauth2-proxy - - name: OAUTH2_PROXY_COOKIE_SECRET - valueFrom: - secretKeyRef: - name: dex - key: oauth2Proxy.cookieSecret - - name: OAUTH2_PROXY_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: dex - key: oauth2Proxy.clientSecret + # This is read by oauth2-proxy + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.cookieSecret + - name: OAUTH2_PROXY_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: dex + key: oauth2Proxy.clientSecret {{- end }} diff --git a/helm-charts/basehub/templates/dex/secret.yaml b/helm-charts/basehub/templates/dex/secret.yaml index afb05fe5ba..74d0bec2d4 100644 --- a/helm-charts/basehub/templates/dex/secret.yaml 
+++ b/helm-charts/basehub/templates/dex/secret.yaml @@ -8,14 +8,14 @@ stringData: {{- $k8sState := lookup "v1" "Secret" .Release.Namespace "dex" | default (dict "data" (dict)) }} {{- if hasKey $k8sState.data "oauth2Proxy.clientSecret" }} - oauth2Proxy.clientSecret: {{ index $k8sState.data "oauth2Proxy.clientSecret" | b64dec }} + oauth2Proxy.clientSecret: {{ index $k8sState.data "oauth2Proxy.clientSecret" | b64dec }} {{- else }} - oauth2Proxy.clientSecret: {{ include "randHex" 64 }} + oauth2Proxy.clientSecret: {{ include "randHex" 64 }} {{- end }} {{- if hasKey $k8sState.data "oauth2Proxy.cookieSecret" }} - oauth2Proxy.cookieSecret: {{ index $k8sState.data "oauth2Proxy.cookieSecret" | b64dec }} + oauth2Proxy.cookieSecret: {{ index $k8sState.data "oauth2Proxy.cookieSecret" | b64dec }} {{- else }} - oauth2Proxy.cookieSecret: {{ include "randHex" 16 }} + oauth2Proxy.cookieSecret: {{ include "randHex" 16 }} {{- end }} {{- end }} From bdd595670c45716f9870343879c41369e39c35dd Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Jul 2022 14:09:25 -0700 Subject: [PATCH 16/20] Next url of ingress for static website --- config/clusters/2i2c/staging.values.yaml | 5 +++-- docs/howto/features/static-sites.md | 10 +++++---- .../basehub/templates/static/configmap.yaml | 2 +- .../basehub/templates/static/ingress.yaml | 4 ++-- helm-charts/basehub/values.schema.yaml | 22 ++++++++++++------- 5 files changed, 26 insertions(+), 17 deletions(-) diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 6d57c2f19a..2c4c5b9ff2 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -8,8 +8,9 @@ staticWebsite: git: repo: https://github.com/yuvipanda/test-repo-push branch: master - host: staging.2i2c.cloud - path: /textbook + url: + host: staging.2i2c.cloud + path: /textbook githubApp: enabled: true 
diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index 16414a014e..b766e51e8b 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -22,8 +22,9 @@ staticWebsite: git: repo: branch: - host: - path: + url: + host: + path: jupyterhub: hub: @@ -60,8 +61,9 @@ staticWebsite: git: repo: https://github.com/inferentialthinking/inferentialthinking.github.io branch: master - host: staging.2i2c.cloud - path: /textbook + url: + host: staging.2i2c.cloud + path: /textbook jupyterhub: hub: diff --git a/helm-charts/basehub/templates/static/configmap.yaml b/helm-charts/basehub/templates/static/configmap.yaml index 47cd57ca5b..e6fdd1f9a7 100644 --- a/helm-charts/basehub/templates/static/configmap.yaml +++ b/helm-charts/basehub/templates/static/configmap.yaml @@ -9,7 +9,7 @@ data: nginx.conf: | server { listen 8080; - location {{ .Values.staticWebsite.path }} { + location {{ .Values.staticWebsite.url.path }} { index index.html; alias /srv/content/repo; } diff --git a/helm-charts/basehub/templates/static/ingress.yaml b/helm-charts/basehub/templates/static/ingress.yaml index 114d9bf597..10b8646468 100644 --- a/helm-charts/basehub/templates/static/ingress.yaml +++ b/helm-charts/basehub/templates/static/ingress.yaml @@ -11,10 +11,10 @@ metadata: spec: ingressClassName: nginx rules: - - host: {{ .Values.staticWebsite.host }} + - host: {{ .Values.staticWebsite.url.host }} http: paths: - - path: {{ .Values.staticWebsite.path }} + - path: {{ .Values.staticWebsite.url.path }} pathType: Prefix backend: service: diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index ce034b85fd..807f078c65 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml 
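Review bot: The `location` block in the `configmap.yaml` hunk serves the clone's working tree directly through `alias /srv/content/repo`, and nothing visible here keeps the `.git` directory inside that tree from being served under the same path. For a private repository that exposes repository metadata and packed objects to everyone who can reach the site, which is more than the rendered pages. I would add a deny rule to the `server` block, `location ~ /\.git { return 404; }`, or clone into a directory whose published subfolder excludes `.git`. The rest of the `server` block lies outside the hunk, so confirm that no such rule exists already.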
@@ -70,16 +70,22 @@ properties: type: string description: | Private RSA key created to authenticate as this GitHuba pp - host: - type: string + url: + type: object + additionalProperties: false description: | - DNS host name of the JupyterHub. + URL where this static website should be available + properties: + host: + type: string + description: | + DNS host name of the JupyterHub. - Must match what the JupyterHub and dex are set up with. - path: - type: string - description: | - Absolute path under which the static sites should be available + Must match what the JupyterHub and dex are set up with. + path: + type: string + description: | + Absolute path under which the static sites should be available dex: type: object additionalProperties: false From f3a810a1c5f0322acf23fa1905b4b9a33c584068 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Jul 2022 14:19:34 -0700 Subject: [PATCH 17/20] Make github auth config more descriptive --- .../2i2c/enc-staging.secret.values.yaml | 11 +++++----- config/clusters/2i2c/staging.values.yaml | 2 +- docs/howto/features/static-sites.md | 15 +++++++------ .../basehub/templates/static/deployment.yaml | 6 ++--- helm-charts/basehub/values.schema.yaml | 22 ++++++++++++------- helm-charts/basehub/values.yaml | 13 ++++++----- 6 files changed, 39 insertions(+), 30 deletions(-) diff --git a/config/clusters/2i2c/enc-staging.secret.values.yaml b/config/clusters/2i2c/enc-staging.secret.values.yaml index 86bf3ee6fe..6bc065c916 100644 --- a/config/clusters/2i2c/enc-staging.secret.values.yaml +++ b/config/clusters/2i2c/enc-staging.secret.values.yaml 
@@ -1,7 +1,8 @@ staticWebsite: - githubApp: - id: ENC[AES256_GCM,data:TqWfwqYN,iv:50C2fKLQ5pWFYb0CxeLpnS0O+yr6eoR+uZPM1R6AMVI=,tag:SZNh/GW4tQzJe9h8e7H7IA==,type:int] - privateKey: ENC[AES256_GCM,data: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,iv:AnfRr6ahIYFKvZAf3zMCA/Gf7JQ5RS4UBcVQXWht20k=,tag:TQ20Jlhg6G5+2+YyrTrykw==,type:str] + githubAuth: + githubApp: + id: ENC[AES256_GCM,data:EDJXakop,iv:BPu3qh9zpMVJWVNxPIfScoaeA+avSsacqxA6adriU98=,tag:wHxbuCOLrjvyu8/m0bj3rg==,type:int] + privateKey: ENC[AES256_GCM,data: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,iv:iu/nD/1zYDo9OY4q+j0sd+E5ODjLHZ3Otbkd0qte8WM=,tag:wD9S4cOGUeCVZIh9mRrI/w==,type:str] jupyterhub: hub: config: @@ -17,8 +18,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-07-09T19:24:38Z" - mac: ENC[AES256_GCM,data:p0uiJOe91dPvfL8Fn4KlqiEO/8Pe1ww6K/2eLPTRkQKob8p4JnyD2ak5B5mGaYGFiDF9p0j0E50XPIToe0zzOJGLZOSTeI6G3BYFP5lgwjqbZ58UPQPn4HLEtE4Uoiq45He+1zmgcjXO9epTnACN5NQeBvGG5aoomfk8yYKU514=,iv:/uLuaJZEqBVKujgfqQuvpSYLD3XaymbATlmnNIwE47o=,tag:EFH8KC4XYOs96dCPVK0rtQ==,type:str] + lastmodified: "2022-07-09T21:14:35Z" + mac: ENC[AES256_GCM,data:xfxx30hp48xu13udRZUkEBX0C4RirV6sO6jqDICdfQkvQI/EtvUWF97GCFWgfAlnOI/W26BSftpg6QW9IwyzUO55PfJy/L4TQ03Ee+thu51tXjAywHfswWvE/ovA9fKQ4fU2QcNHb72Q53qUsx912CR7sXOvQajRekMPXZSJU10=,iv:f195Wlf+Yjods46WKt40Db88J1yGiTZDBWCmQWO3kF0=,tag:PIJAjOIRaLKRVmMFkBxEkQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 2c4c5b9ff2..ea42881440 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -11,7 +11,7 @@ staticWebsite: url: host: staging.2i2c.cloud path: /textbook - githubApp: + githubAuth: enabled: true jupyterhub: diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index b766e51e8b..1e245674bd 100644 --- a/docs/howto/features/static-sites.md 
+++ b/docs/howto/features/static-sites.md @@ -121,8 +121,8 @@ Now, we can configure our static files server to make use of the GitHub app to a 1. Enable the gitHub app in the `.values.yaml` file for the hub. ```yaml - staticFiles: - githubApp: + staticWebsite: + gitHubAuth: enabled: true ``` @@ -131,11 +131,12 @@ Now, we can configure our static files server to make use of the GitHub app to a the GitHub app. ```yaml - staticFiles: - githubApp: - id: - privateKey: | - + staticWebsite: + githubAuth: + githubApp: + id: + privateKey: | + ``` Make sure this file is also listed under `helm_chart_values_files` for the hub in diff --git a/helm-charts/basehub/templates/static/deployment.yaml b/helm-charts/basehub/templates/static/deployment.yaml index 67876f7b28..4fe8389cac 100644 --- a/helm-charts/basehub/templates/static/deployment.yaml +++ b/helm-charts/basehub/templates/static/deployment.yaml @@ -21,7 +21,7 @@ spec: name: static-sites - name: content emptyDir: {} - {{- if .Values.staticWebsite.githubApp.enabled }} + {{- if .Values.staticWebsite.githubAuth.enabled }} - name: git-config secret: secretName: static-sites @@ -45,7 +45,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{- if .Values.staticWebsite.githubApp.enabled }} + {{- if .Values.staticWebsite.githubAuth.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig @@ -72,7 +72,7 @@ spec: volumeMounts: - name: content mountPath: /srv/content - {{- if .Values.staticWebsite.githubApp.enabled }} + {{- if .Values.staticWebsite.githubAuth.enabled }} - name: git-config mountPath: /etc/gitconfig subPath: gitconfig diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 807f078c65..92e1550843 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml 
@@ -50,7 +50,7 @@ properties: type: string description: | Branch in given git repo to check out after cloning the repo - githubApp: + githubAuth: type: object additionalProperties: false description: | @@ -62,14 +62,20 @@ properties: type: boolean description: | Enable the github app integration - id: - type: integer - description: | - Integer id of GitHub app to use when cloning private repos - privateKey: - type: string + githubApp: + type: object + additionalProperties: false description: | - Private RSA key created to authenticate as this GitHuba pp + Configuration of the github app to use for authentication + properties: + id: + type: integer + description: | + Integer id of GitHub app to use when cloning private repos + privateKey: + type: string + description: | + Private RSA key created to authenticate as this GitHuba pp url: type: object additionalProperties: false diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 6ac0849472..47e3bf1ed0 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -13,13 +13,14 @@ staticWebsite: source: git: branch: main - githubApp: + githubAuth: enabled: false - # Primarily here for validation to 'work', - # as these are set in secret config otherwise. I don't like this, - # as we won't catch these values missing if they aren't set. - id: 0 - privateKey: "" + githubApp: + # Primarily here for validation to 'work', + # as these are set in secret config otherwise. I don't like this, + # as we won't catch these values missing if they aren't set. + id: 0 + privateKey: "" azureFile: enabled: false From b9c74e66c7992d00065bdc93d5afcc4aec07acec Mon Sep 17 00:00:00 2001 From: Yuvi Panda Date: Mon, 11 Jul 2022 14:38:47 -0500 Subject: [PATCH 18/20] Fix typo Co-authored-by: Georgiana Elena --- docs/howto/features/static-sites.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
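Review bot: The `privateKey` description that the second values.schema.yaml hunk moves under `githubApp` still reads `GitHuba pp`. As the line is being rewritten anyway, it could become `Private RSA key created to authenticate as this GitHub app`. The new `githubApp` description also does not say where `id` and `privateKey` should be set. The values.yaml hunk in this commit notes they come from secret config, so a sentence such as `Set id and privateKey in the encrypted secret values file, not in the plain .values.yaml` would help keep the key out of unencrypted config.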
diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index 1e245674bd..2864c2cc58 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -104,7 +104,7 @@ to pull private repos as static content. 4. Under 'Repository permissions', select 'Read' for 'Contents'. 5. Under 'Where can this GitHub App be installed?', select 'Any account'. This will - enable users to push to their own user repositories or other organization repositaries, + enable users to push to their own user repositories or other organization repositories, rather than just the 2i2c repos. 6. Create the application with the 'Create GitHub app' button. From fd2ef70a0d7c2a243a67fb29bb9010c38796756f Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 11 Jul 2022 17:04:32 -0500 Subject: [PATCH 19/20] Add missing secret template file --- .pre-commit-config.yaml | 2 +- helm-charts/basehub/templates/static/secret.yaml | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 helm-charts/basehub/templates/static/secret.yaml diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b746db9e03..b133e091e5 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -50,4 +50,4 @@ repos: hooks: - id: sops-encryption # Add files here if they contain the word 'secret' but should not be encrypted - exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml + exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml|helm-charts/basehub/templates/static/secret\.yaml diff --git a/helm-charts/basehub/templates/static/secret.yaml b/helm-charts/basehub/templates/static/secret.yaml new file mode 100644 index 0000000000..9e64bd8b78 --- /dev/null +++ b/helm-charts/basehub/templates/static/secret.yaml 
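Review bot: The `exclude` value of the `sops-encryption` hook is an unanchored alternation, and pre-commit applies it as a search over each file path. Every alternative, including the new `helm-charts/basehub/templates/static/secret\.yaml`, therefore also exempts any longer path that contains it, such as a copy under another directory. Writing the alternatives as full repository paths inside `^(…)$` would limit the exemption to exactly the listed files. A multi-line `(?x)` pattern with one path per line would also make future additions easier to review than this single long line. The hook definition starts outside this hunk, so whether other hooks share the pattern is not visible here.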
@@ -0,0 +1,16 @@ +{{- if .Values.staticWebsite.enabled -}} +{{- if .Values.staticWebsite.githubAuth.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: static-sites +type: Opaque +stringData: + gitconfig: | + [credential "https://github.com"] + helper = !git-credential-github-app --app-key-file /etc/github/github-app-private-key.pem --app-id {{ .Values.staticWebsite.githubAuth.githubApp.id }} + useHttpPath = true + github-app-private-key.pem: | + {{ .Values.staticWebsite.githubAuth.githubApp.privateKey | nindent 4 }} +{{- end }} +{{- end }} From 3a68b4a15199157172ef038783fad8575bc69e1e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 11 Jul 2022 17:13:48 -0500 Subject: [PATCH 20/20] Use ingress instead of url as config key Ref https://github.com/2i2c-org/infrastructure/pull/1502#discussion_r917731563 --- config/clusters/2i2c/staging.values.yaml | 2 +- docs/howto/features/static-sites.md | 4 ++-- helm-charts/basehub/templates/static/configmap.yaml | 2 +- helm-charts/basehub/templates/static/ingress.yaml | 4 ++-- helm-charts/basehub/values.schema.yaml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index ea42881440..81c011865c 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -8,7 +8,7 @@ staticWebsite: git: repo: https://github.com/yuvipanda/test-repo-push branch: master - url: + ingress: host: staging.2i2c.cloud path: /textbook githubAuth: diff --git a/docs/howto/features/static-sites.md b/docs/howto/features/static-sites.md index 2864c2cc58..2938ae33b3 100644 --- a/docs/howto/features/static-sites.md +++ b/docs/howto/features/static-sites.md @@ -22,7 +22,7 @@ staticWebsite: git: repo: branch: - url: + ingress: host: path: 
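Review bot: Nothing in templates/static/secret.yaml stops the render when `githubAuth.enabled` is true but the app credentials were never supplied. values.yaml in this series defaults `githubApp.id` to `0` and `privateKey` to `""`, so the Secret would be created with an empty `github-app-private-key.pem`, and the mistake would presumably surface only when the clone fails. Wrapping the key in Helm's `required` makes the install fail early: `{{ required "staticWebsite.githubAuth.githubApp.privateKey must be set" .Values.staticWebsite.githubAuth.githubApp.privateKey | nindent 4 }}`. `required` does not reject the integer `0`, so the id needs its own guard, for example `{{- if not .Values.staticWebsite.githubAuth.githubApp.id }}{{ fail "staticWebsite.githubAuth.githubApp.id must be set" }}{{- end }}`.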
@@ -61,7 +61,7 @@ staticWebsite: git: repo: https://github.com/inferentialthinking/inferentialthinking.github.io branch: master - url: + ingress: host: staging.2i2c.cloud path: /textbook diff --git a/helm-charts/basehub/templates/static/configmap.yaml b/helm-charts/basehub/templates/static/configmap.yaml index e6fdd1f9a7..d8173db54e 100644 --- a/helm-charts/basehub/templates/static/configmap.yaml +++ b/helm-charts/basehub/templates/static/configmap.yaml @@ -9,7 +9,7 @@ data: nginx.conf: | server { listen 8080; - location {{ .Values.staticWebsite.url.path }} { + location {{ .Values.staticWebsite.ingress.path }} { index index.html; alias /srv/content/repo; } diff --git a/helm-charts/basehub/templates/static/ingress.yaml b/helm-charts/basehub/templates/static/ingress.yaml index 10b8646468..8125b9dea3 100644 --- a/helm-charts/basehub/templates/static/ingress.yaml +++ b/helm-charts/basehub/templates/static/ingress.yaml @@ -11,10 +11,10 @@ metadata: spec: ingressClassName: nginx rules: - - host: {{ .Values.staticWebsite.url.host }} + - host: {{ .Values.staticWebsite.ingress.host }} http: paths: - - path: {{ .Values.staticWebsite.url.path }} + - path: {{ .Values.staticWebsite.ingress.path }} pathType: Prefix backend: service: diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index 92e1550843..837422a7f4 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -76,11 +76,11 @@ properties: type: string description: | Private RSA key created to authenticate as this GitHuba pp - url: + ingress: type: object additionalProperties: false description: | - URL where this static website should be available + Configuration for the ingress that gets traffic into the static site properties: host: type: string