Enable CILogon for binder-staging hub #1579

Closed
wants to merge 9 commits into from
25 changes: 24 additions & 1 deletion config/clusters/2i2c/binder-staging.values.yaml
Expand Up @@ -5,14 +5,37 @@ binderhub:
DockerRegistry:
token_url: https://us-central1-docker.pkg.dev/v2/token?service=
BinderHub:
auth_enabled: true
hub_url: https://hub.binder-staging.2i2c.cloud
image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binder-staging-

template_path: /etc/binderhub/custom/templates
extra_static_path: /etc/binderhub/custom/static
extra_static_url_prefix: /extra_static/
about_message: |
<p>binder.pangeo.io is public infrastructure operated by the <a href="https://2i2c.org">2i2c team</a>.<br /><br />
jupyterhub:
hub:
redirectToServer: false
config:
BinderSpawner:
auth_enabled: false
services:
binder:
oauth_no_confirm: true
oauth_redirect_uri: "https://binder-staging.2i2c.cloud/hub/oauth_callback"
JupyterHub:
authenticator_class: cilogon
CILogonOAuthenticator:
oauth_callback_url: "https://binder-staging.2i2c.cloud/hub/oauth_callback"
allowed_idps:
- http://google.com/accounts/o8/id:
username_derivation:
username_claim: email
Authenticator:
username_pattern: '^(.+@2i2c\.org|deployment-service-check)$'
Member

@sgibson91, maybe adding the username_pattern under hub.config.Authenticator like in

        Authenticator:
          # We only want 2i2c users to sign up
          # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
          username_pattern: '^(.+@2i2c\.org|deployment-service-check)$'
          # Delete any prior existing users in the db that don't pass username_pattern
          delete_invalid_users: true

?

When I made the suggestion of adding it here, I assumed it would work this way too, since CILogonOAuthenticator is inheriting from the base Authenticator.

Member Author

Thank you, will try that

I also seem to have acquired two instances of username_claim like this:

        CILogonOAuthenticator:
          oauth_callback_url: "https://binder-staging.2i2c.cloud/hub/oauth_callback"
          username_claim: "email"
          allowed_idps:
            - http://google.com/accounts/o8/id:
                username_derivation:
                  username_claim: "email"

I'm assuming one of these is wrong?

delete_invalid_users: true
singleuser:
cmd: jupyterhub-singleuser
initContainers:
- name: git-clone-templates
image: alpine/git
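
Review bot: The `oauth_callback_url` under `CILogonOAuthenticator` and the binder service's `oauth_redirect_uri` are both set to `https://binder-staging.2i2c.cloud/hub/oauth_callback`, while `hub_url` is `https://hub.binder-staging.2i2c.cloud`. The CILogon callback is handled by the hub, so it should point at the `hub.binder-staging.2i2c.cloud` host, and the binder service's redirect should be BinderHub's own `/oauth_callback` on `binder-staging.2i2c.cloud` rather than a `/hub/` path; please confirm which host serves each and make the two values distinct. Separately, `BinderHub.auth_enabled` is `true` but `BinderSpawner.auth_enabled` is `false`; BinderHub's authentication setup expects both to be `true`, so one of these looks unintended.
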
23 changes: 16 additions & 7 deletions config/clusters/2i2c/enc-binder-staging.secret.values.yaml
@@ -1,18 +1,27 @@
binderhub:
jupyterhub:
hub:
config:
CILogonOAuthenticator:
client_id: ENC[AES256_GCM,data:0geI4CrkoLofGQiINJdHaf/t5h6CLh+vBX319Oq7g1s/KWUW/1EsXx/VKNx1U3tt/F4=,iv:m07AeKeBbhrnc8G+xQZ1Y3g75kAzdIfGZg7iBfv9UCI=,tag:orVcBLft0DkuZOy/H8jsAg==,type:str]
client_secret: ENC[AES256_GCM,data:Yh6xjgQ9SqeEGeGz9gmEl29a93/XvvbQNoSVyHvZIgXB5QOXUTuwdPWXQCkBO9rt5UD0TjWad+PYRtB3ek2vyzr5sgoBIA6934P2quCvpJxya7MpsLk=,iv:ppL9hmPba7TjXTt0ND0J44oVFkz89Nl1jhCWbvECz0w=,tag:kBtB5nOzw4gMFSeoqWEuDg==,type:str]
services:
binder:
oauth_client_id: ENC[AES256_GCM,data:Tdc9bQmU0F/0jMf/S14XqXJqeybBqtycc0cbhdUYpTpaWaOJM6x8SOfOw7B8HWE3rDM=,iv:b/lA734rHp6n56bTRrqs6CPzYtyqTesDnH+juCSRlx0=,tag:1WGNxA4/ZdDZdoIQ3wlOHA==,type:str]
registry:
username: ENC[AES256_GCM,data:SqV10MEVeCv0,iv:C+ueMwvNELqYMCdDz3AGcDcpbR89cYhdJcLtHL2IUGI=,tag:k788+6EmUtzFFh66d10IPw==,type:str]
password: ENC[AES256_GCM,data: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,iv:j1UJUS3ThiKxIUngJlE2jWvTtNxhX/AFhvpBSWO2v30=,tag:rWd9n5aOpX0HqmH0IOguig==,type:str]
username: ENC[AES256_GCM,data:9LeQi3hx9Dkd,iv:A6BPZhzafi9ae2eCMAz22CIspdTiQ1YgPVJ21dK/20s=,tag:w0wnwXKca54wJFT2KObwdA==,type:str]
password: ENC[AES256_GCM,data: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,iv:4C0Qrd30FUuEiGuJzkr62KE6ZnF75Dfcp44jGaCYvAU=,tag:8efkAp6LbHqDavzGbQh3NQ==,type:str]
sops:
kms: []
gcp_kms:
- resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
created_at: "2022-06-22T14:34:29Z"
enc: CiQA4OM7eFGhTSXEWGRC+ziKmycAB7N4nIMJD6lPYfSZCW//vIwSSQBq6cPrXydjRStxCoJhHa7W9K7HO6Kc87M6Zy6IcZpntGCm9UnlV+GVO0DPd/EbR40IXSUkPTKCC4CykPk5CDzU0reIGEPOSmc=
created_at: "2022-08-01T14:05:40Z"
enc: CiQA4OM7eBvlCz4HJOd6KfhEFgdrF/ttkqfBrPr+vllYTmeA/BYSSQBq6cPrnSK06vOUOKi/N/LsHQFknwhQiP4cH3LVJDy0p2GWL1z2/XtnIVljuyZCkSUomhKzNIp+ClTzsQ9EZ1+5nNslH4+yFN8=
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-06-22T14:34:29Z"
mac: ENC[AES256_GCM,data:w0ViXYtNKTU/dWokv+Yl4lJ0SBahWqw/4dLCyV/kfwNKmuBSustKpR/2vZzjCFyyZDR+jXuILWnpfmYVpHZcfLNKhhZcJNhEQDpfT/e822MPEI+kHEUwfYcRozFrA8EtmsHnSmI+2rDRlEtNObD64+aV6gVLoIP4e+pGu8cq2f8=,iv:IkCeO7Q79AOXeVryBh1YJNlXyvfbYdFwuN3mNl7oj98=,tag:jeEdamZbIhUDJTUuXQz58A==,type:str]
lastmodified: "2022-08-01T14:05:40Z"
mac: ENC[AES256_GCM,data:I1y4m6A09pKG5d2evlf2iTJ16ZkoKqWdjN9pVq2x3YscZ0V/bglf+qFEjtYxDYOvDcuJOMZ7PxydqbiHi2rwCSixvvZScUhsuPO6C4fbeS0LqIhbV07NAgSvTPPkNYrjYaRLtscrwGVoDPGcFdenfYKzJeVraaRxUudXAtwY1tY=,iv:IX+Qklvc7q/UkAVBRIqR4U3HaK9ry+DLd2B+yNPQ9uk=,tag:Iwy1HYw2s1Xtu9o1+WXQug==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.1
version: 3.7.3
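
Review bot: The `registry.username` and `registry.password` ciphertexts change here together with the `gcp_kms` `enc` and `created_at` values, which suggests the file was re-encrypted with a new data key rather than edited in place, so this diff cannot show whether the registry credentials themselves changed. Since the change is meant to add only the CILogon `client_id`, `client_secret` and the binder `oauth_client_id`, please confirm after decrypting that the registry values match the previous ones, or redo the edit on the existing file with `sops` so that only the new keys show up as changed.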