From bba00ce7fba498e19a04a92c69bd0168efb3575e Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 18 Jul 2021 22:03:56 +0200 Subject: [PATCH] Add jupyterhub-ssh (including deployment workarounds) --- config/hubs/jmte.cluster.yaml | 65 +++++++++++++++++++++++++++++++- deployer/hub.py | 1 + hub-templates/daskhub/Chart.yaml | 13 ++++--- 3 files changed, 72 insertions(+), 7 deletions(-) diff --git a/config/hubs/jmte.cluster.yaml b/config/hubs/jmte.cluster.yaml index 473fdf313c..6d2efc4fa9 100644 --- a/config/hubs/jmte.cluster.yaml +++ b/config/hubs/jmte.cluster.yaml @@ -145,15 +145,60 @@ hubs: # Along with this, we also make use of the autohttps system that # requires us to configure an letsencrypt email. # - service: - type: LoadBalancer https: enabled: true type: letsencrypt letsencrypt: contactEmail: erik@sundellopensource.se + # jupyterhub-ssh notes: + # + # - We must accept port 22 traffic to the k8s Service receiving + # hub.jupytearth.org traffic. + # - We must accept traffic on the autohttps pod (traefik) as well as + # traffic will flow onwards from there. A port must be open, and + # the NetworkPolicy influencing trafik must tolerate incoming + # (ingress) traffic to the ssh port. + # - We must let traefik route the traffic to the jupyterhub-ssh + # service. An entrypoint must be declared, a service backend, and + # a router. + # + service: + type: LoadBalancer + extraPorts: + - name: ssh + port: 22 + targetPort: ssh + traefik: + extraPorts: + - name: ssh + containerPort: 8022 + networkPolicy: + allowedIngressPorts: [http, https, ssh] + extraStaticConfig: + entryPoints: + ssh: + address: :8022 + extraDynamicConfig: + tcp: + services: + ssh: + loadBalancer: + servers: + - address: jupyterhub-ssh:22 + routers: + ssh-router: + entrypoints: + - ssh + rule: HostSNI(`*`) + service: ssh + + + hub: + image: + name: quay.io/consideratio/k8s-hub + tag: 1.0.1-n045.h10b2c8d3 config: Authenticator: allowed_users: &users 
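Review bot: The `hub.image` override at the end of this hunk replaces the hub image with `quay.io/consideratio/k8s-hub` at tag `1.0.1-n045.h10b2c8d3`, and no comment says why; the notes block above it covers only the traefik and ssh plumbing. The hub process handles authentication and issues the API tokens that jupyterhub-ssh accepts, so an image from a personal registry namespace referenced by a mutable tag should carry a line such as `# custom hub image: <reason>; revert to the chart default when no longer needed`, and a digest pin if the chart accepts one. Separately, `extraPorts`, `allowedIngressPorts: [http, https, ssh]` and the catch-all HostSNI router together open port 22 on the public LoadBalancer to any source address. Restricting source ranges on that Service would also restrict http and https, so if the listener has to stay open, make sure failed logins on the ssh backend are logged and alerted on.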
@@ -219,3 +264,19 @@ hubs: # per Dask cluster limits. c.ClusterConfig.cluster_max_cores = 256 c.ClusterConfig.cluster_max_memory = "1028G" + + + jupyterhub-ssh: + hubUrl: https://hub.jupytearth.org + + # FIXME: hostKey is set via a dirty hack in hub.py of the deployer CLI + # using an environment variable defined in a .gitignored .env + # file on my local computer. + # + # Related: https://github.com/yuvipanda/jupyterhub-ssh/issues/38 + + ssh: + enabled: true + + sftp: + enabled: false diff --git a/deployer/hub.py b/deployer/hub.py index 289269d8f4..fa210d986f 100644 --- a/deployer/hub.py +++ b/deployer/hub.py @@ -379,6 +379,7 @@ def deploy(self, auth_provider, secret_key, skip_hub_health_test=False): # we should put the config from config/hubs last. '-f', generated_values_file.name, '-f', values_file.name, + f'--set-string=jupyterhub-ssh.hostKey={os.environ["JUPYTERHUB_SSH_KEY_PRIV"]}', ] print(f"Running {' '.join(cmd)}") diff --git a/hub-templates/daskhub/Chart.yaml b/hub-templates/daskhub/Chart.yaml index fb1cc26a2f..f82db584cd 100644 --- a/hub-templates/daskhub/Chart.yaml +++ b/hub-templates/daskhub/Chart.yaml @@ -4,8 +4,11 @@ description: Deployment Chart for a dask-enabled JupyterHub name: daskhub version: "0.1.0" dependencies: - - name: basehub - repository: file://../basehub - - name: dask-gateway - version: "0.9.0" - repository: 'https://dask.org/dask-gateway-helm-repo/' + - name: basehub + repository: file://../basehub + - name: dask-gateway + version: "0.9.0" + repository: 'https://dask.org/dask-gateway-helm-repo/' + - name: jupyterhub-ssh + version: 0.0.1-n077.h0c9caba + repository: https://yuvipanda.github.io/jupyterhub-ssh/
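Review bot: The FIXME under `jupyterhub-ssh:` records that the only copy of the SSH host key is in a git-ignored `.env` on one person's computer, which leaves the server's identity with no backup and no second deployer. If that file is lost or someone else deploys with a freshly generated key, every client sees a host-key-changed warning, and users who learn to dismiss those warnings lose the protection host keys give against interception. Extend the comment to say where the key is kept and how it is rotated, e.g. `# hostKey: stored at <location>; rotating it requires notifying users of the new fingerprint`, and move the key into whatever encrypted secret storage the repository uses for other hub credentials, if it has one.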
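Review bot: The private SSH host key is interpolated into `cmd`, and the context line just below, `print(f"Running {' '.join(cmd)}")`, writes the whole command to stdout, so the key lands in terminal scrollback and any CI log; it is also visible in the process list while helm runs. Passing it by path keeps it out of both: `cmd += ['--set-file', f'jupyterhub-ssh.hostKey={host_key_path}']`, where `host_key_path` is a placeholder name for a file readable only by the deployer. The `os.environ["JUPYTERHUB_SSH_KEY_PRIV"]` lookup is also unconditional as far as this hunk shows, so a deploy of any hub would raise `KeyError` when the variable is unset, and every hub's release values would receive the key whether or not its chart includes jupyterhub-ssh. Guard the argument on the variable being set, or on the hub's template. deploy() starts and ends outside the hunk, so any handling elsewhere in the function is not visible here.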
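Review bot: The new `jupyterhub-ssh` dependency is a development build (`0.0.1-n077.h0c9caba`) pulled from a personal GitHub Pages chart repository, and nothing in this change records a checksum for it. The chart deploys the component that terminates SSH sessions and receives users' hub tokens, so commit the `Chart.lock` that `helm dependency update` generates, which stores a digest for the resolved dependencies. Also add a comment next to the entry such as `# pre-release build; move to a tagged release when one exists`. The version is unquoted while the `dask-gateway` entry quotes its version; quoting both keeps the file consistent.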