diff --git a/deployer/README.md b/deployer/README.md index c96cb202d3..3bad308c1a 100644 --- a/deployer/README.md +++ b/deployer/README.md 
@@ -35,15 +35,20 @@ This section descripts all the deployment related subcommands the `deployer` can │ --help Show this message and exit. │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─ Commands ───────────────────────────────────────────────────────────────────────────────────────────────────────────╮ -│ cilogon-client-create Create a CILogon OAuth client for a hub. │ -│ cilogon-client-delete Delete an existing CILogon client. │ +│ auth0-client-create Create an Auth0 client app for a hub. │ +│ auth0-client-get-all Retrieve details about all existing 2i2c CILogon clients. │ +│ cilogon-client-create Create a CILogon client for a hub. │ +│ cilogon-client-delete Delete an existing CILogon client. This deletes both the CILogon client │ +│ application, and the client credentials from the configuration file. │ │ cilogon-client-get Retrieve details about an existing CILogon client. │ -│ cilogon-client-get-all Retrieve details about all existing 2i2c CILogon OAuth clients. │ -│ cilogon-client-update Update the CILogon OAuth client of a hub. │ +│ cilogon-client-get-all Retrieve details about all existing 2i2c CILogon clients. │ +│ cilogon-client-update Update the CILogon client of a hub. │ │ component-logs Display logs from a particular component on a hub on a cluster │ │ decrypt-age Decrypt secrets sent to `support@2i2c.org` via `age` │ │ deploy Deploy one or more hubs in a given cluster │ -│ deploy-grafana-dashboards Deploy JupyterHub dashboards to grafana set up in the given cluster │ +│ deploy-grafana-dashboards Deploy the latest official JupyterHub dashboards to a cluster's grafana │ +│ instance. This is done via Grafana's REST API, authorized by using a previously │ +│ generated Grafana service account's access token. │ │ deploy-support Deploy support components to a cluster │ │ exec-homes-shell Pop an interactive shell with the home directories of the given hub mounted on │ │ /home │ 
@@ -51,7 +56,7 @@ This section descripts all the deployment related subcommands the `deployer` can │ generate-aws-cluster Automatically generate the files required to setup a new cluster on AWS │ │ generate-gcp-cluster Automatically generates the initial files, required to setup a new cluster on │ │ GCP │ -│ generate-helm-upgrade-jobs Analyse added or modified files from a GitHub Pull Request and decide which │ +│ generate-helm-upgrade-jobs Analyze added or modified files from a GitHub Pull Request and decide which │ │ clusters and/or hubs require helm upgrades to be performed for their *hub helm │ │ charts or the support helm chart. │ │ new-grafana-token Generate an API token for the cluster's Grafana `deployer` service account and │ @@ -383,9 +388,9 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative ```bash Usage: deployer cilogon-client-create [OPTIONS] CLUSTER_NAME HUB_NAME - [HUB_TYPE] CALLBACK_URL - - Create a CILogon OAuth client for a hub. + [HUB_TYPE] HUB_DOMAIN + + Create a CILogon client for a hub. ╭─ Arguments ──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │ * cluster_name TEXT Name of cluster to operate on [default: None] [required] │ 
@@ -393,7 +398,9 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative │ [required] │ │ hub_type [HUB_TYPE] Type of hub for which we'll create a CILogon client (ex: basehub, daskhub) │ │ [default: basehub] │ - │ * callback_url TEXT URL that is invoked after OAuth authorization [default: None] [required] │ + │ * hub_domain TEXT The hub domain, as specified in `cluster.yaml` (ex: staging.2i2c.cloud) │ + │ [default: None] │ + │ [required] │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │ --help Show this message and exit. │ 
@@ -403,17 +410,19 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative - `cilogon-client-delete` ```bash - Usage: deployer cilogon-client-delete [OPTIONS] [CLUSTER_NAME] [HUB_NAME] + Usage: deployer cilogon-client-delete [OPTIONS] CLUSTER_NAME HUB_NAME - Delete an existing CILogon client. + Delete an existing CILogon client. This deletes both the CILogon client application, and the client credentials from + the configuration file. ╭─ Arguments ──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ - │ cluster_name [CLUSTER_NAME] Name of cluster to operate or none if --client_id is passed │ - │ hub_name [HUB_NAME] Name of the hub for which we'll delete the CILogon client details or none if │ - │ --client_id is passed │ + │ * cluster_name TEXT Name of cluster to operate [default: None] [required] │ + │ * hub_name TEXT Name of the hub for which we'll delete the CILogon client details [default: None] │ + │ [required] │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ - │ --client-id TEXT Id of the CILogon OAuth client to delete of the form cilogon:/client_id/ │ + │ --client-id TEXT (Optional) Id of the CILogon client to delete of the form `cilogon:/client_id/`. If the │ + │ id is not passed, it will be retrieved from the configuration file │ │ --help Show this message and exit. │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ``` 
@@ -422,7 +431,7 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative ```bash Usage: deployer cilogon-client-get [OPTIONS] CLUSTER_NAME HUB_NAME - + Retrieve details about an existing CILogon client. ╭─ Arguments ──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ @@ -436,6 +445,7 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative ``` - `cilogon-client-get-all` + ```bash Usage: deployer cilogon-client-get-all [OPTIONS] @@ -449,16 +459,14 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative - `cilogon-client-update` ```bash Usage: deployer cilogon-client-update [OPTIONS] CLUSTER_NAME HUB_NAME - CALLBACK_URL + HUB_DOMAIN - Update the CILogon OAuth client of a hub. + Update the CILogon client of a hub. ╭─ Arguments ──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ │ * cluster_name TEXT Name of cluster to operate on [default: None] [required] │ │ * hub_name TEXT Name of the hub for which we'll update a CILogon client [default: None] [required] │ - │ * callback_url TEXT New callback_url to associate with the client. This URL is invoked after OAuth │ - │ authorization │ - │ [default: None] │ + │ * hub_domain TEXT The hub domain, as specified in `cluster.yaml` (ex: staging.2i2c.cloud) [default: None] │ │ [required] │ ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ 
@@ -466,6 +474,51 @@ create/delete/get/get-all/update/ CILogon clients using the 2i2c administrative ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ ``` +## Auth0 OAuth clients management tools + +create/get-all/ Auth0 clients using the 2i2c Auth0 administrative. + +**Command line usage:** + +- `auth0-client-create` + + ```bash + Usage: deployer auth0-client-create [OPTIONS] CLUSTER_NAME HUB_NAME [HUB_TYPE] + HUB_DOMAIN CONNECTION_TYPE + + Create an Auth0 client app for a hub. + + ╭─ Arguments ──────────────────────────────────────────────────────────────────────────────────────────────────────────╮ + │ * cluster_name TEXT Name of cluster to operate [default: None] [required] │ + │ * hub_name TEXT Name of the hub for which a new Auth0 client will be created [default: None] │ + │ [required] │ + │ hub_type [HUB_TYPE] Type of hub for which we'll create an Auth0 client (ex: basehub, daskhub) │ + │ [default: basehub] │ + │ * hub_domain TEXT The hub domain, as specified in `cluster.yaml` (ex: staging.2i2c.cloud) │ + │ [default: None] │ + │ [required] │ + │ * connection_type TEXT Auth0 connection type. One of dict_keys(['github', 'google-oauth2', │ + │ 'password', 'CILogon']) │ + │ [default: None] │ + │ [required] │ + ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ + ╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ + │ --help Show this message and exit. │ + ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ + ``` + +- `auth0-client-get-all` + + ```bash + Usage: deployer auth0-client-get-all [OPTIONS] + + Retrieve details about all existing 2i2c CILogon clients. 
+ + ╭─ Options ────────────────────────────────────────────────────────────────────────────────────────────────────────────╮ + │ --help Show this message and exit. │ + ╰──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ + ``` + ## Debugging helpers We also have some debug helpers commands that can be invoked as subcommands. diff --git a/deployer/deployer.py b/deployer/deployer.py index 404bdd998a..fa74095312 100644 --- a/deployer/deployer.py +++ b/deployer/deployer.py @@ -143,10 +143,6 @@ def deploy( None, help="Name of hub to operate deploy. Omit to deploy all hubs on the cluster", ), - config_path: str = typer.Option( - "shared/deployer/enc-auth-providers-credentials.secret.yaml", - help="File to read secret deployment config from", - ), dask_gateway_version: str = typer.Option( "2023.1.0", help="Version of dask-gateway to install CRDs for" ), @@ -158,10 +154,6 @@ def deploy( validate_hub_config(cluster_name, hub_name) validate_authenticator_config(cluster_name, hub_name) - with get_decrypted_file(config_path) as decrypted_file_path: - with open(decrypted_file_path) as f: - config = yaml.load(f) - config_file_path = find_absolute_path_to_cluster_file(cluster_name) with open(config_file_path) as f: cluster = Cluster(yaml.load(f), config_file_path.parent) diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index d77f215f19..31d452b1d2 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md 
@@ -37,10 +37,10 @@ The steps to enable the JupyterHub CILogonOAuthenticator for a hub are similar w This can be achieved by using the `deployer cilogon-client-create` command. - The command needs to be passed the cluster and hub name for which a client id and secret will be generated, but also the hub type, and the authorization callback URL. - - The authorization callback URL is the homepage url appended with `/hub/oauth_callback`. For example, `https://staging.2i2c.cloud/hub/oauth_callback`. + - The hub domain, as specified in `cluster.yaml` (ex: staging.2i2c.cloud). - Example script invocation that creates a CILogon OAuth client for the 2i2c dask-staging hub: ```bash - deployer cilogon-client-create create 2i2c dask-staging daskhub https://dask-staging.2i2c.cloud/hub/oauth_callback + deployer cilogon-client-create create 2i2c dask-staging daskhub dask-staging.2i2c.cloud ``` - If successful, the script will have created a secret values file under `config/clusters//enc-.secret.values.yaml`. This file holds the encrypted OAuth client id and secret that have been created for this hub. diff --git a/docs/hub-deployment-guide/configure-auth/index.md b/docs/hub-deployment-guide/configure-auth/index.md index cf0a02c5c0..b7cb0939ae 100644 --- a/docs/hub-deployment-guide/configure-auth/index.md +++ b/docs/hub-deployment-guide/configure-auth/index.md @@ -10,7 +10,7 @@ Switching authentication providers (e.g. from GitHub to Google) for a pre-existi ```{toctree} :maxdepth: 2 :caption: Authentication Providers -auth0 github-orgs cilogon +auth0 ```
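Review bot: In the `deployer/README.md` Commands table (hunk `@@ -35,15 +35,20 @@`), the new `auth0-client-get-all` row reads "Retrieve details about all existing 2i2c CILogon clients.", which is the `cilogon-client-get-all` description copied over. The same sentence appears again in the `auth0-client-get-all` usage block added under "Auth0 OAuth clients management tools". Since this README text mirrors the CLI help output, the fix belongs in that command's help string (it should name Auth0 clients), with the README regenerated afterwards.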
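Review bot: The `hub_domain` help in the `cilogon-client-create` and `cilogon-client-update` usage blocks ("The hub domain, as specified in `cluster.yaml` (ex: staging.2i2c.cloud)") does not say which callback URL ends up registered with CILogon. The removed `callback_url` argument made the redirect URI explicit, and the docs line removed in this patch gave its form as the homepage URL appended with `/hub/oauth_callback`. Suggest stating the derived URL form in the help text, and what happens when the value is passed with a scheme or a path, so an operator can tell what will be registered before running the command.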
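Review bot: The `--client-id` help in the `cilogon-client-delete` hunk (`@@ -403,17 +410,19 @@`) does not say what happens when the id passed differs from the one stored for `CLUSTER_NAME`/`HUB_NAME`. The new description states that the command deletes both the CILogon client application and the client credentials from the configuration file, and both positional arguments are now required, so a mismatched id raises the question of whether one client is removed at CILogon while a different hub's stored credentials are deleted. Suggest documenting the behaviour, or having the command refuse to proceed when the two ids disagree.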
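Review bot: The `connection_type` help in the new `auth0-client-create` block (hunk `@@ -466,6 +474,51 @@`) exposes a Python repr: "One of dict_keys(['github', 'google-oauth2', 'password', 'CILogon'])". Suggest building the help from a joined list of the keys, or declaring the argument as a fixed set of choices so the CLI rejects an unknown connection type at argument parsing. In the same hunk, the section intro "create/get-all/ Auth0 clients using the 2i2c Auth0 administrative." ends without its noun.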
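Review bot: Nothing in the visible `deployer/deployer.py` context confirms that `config` is unused in the rest of `deploy` once the `with get_decrypted_file(config_path)` block is gone. Please check the remainder of the function for leftover `config` lookups, and drop the `get_decrypted_file` import if this was its last use in the module. No longer decrypting `shared/deployer/enc-auth-providers-credentials.secret.yaml` on every deploy is a welcome reduction in how often that secret is handled; the commit message or README should say so explicitly.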
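Review bot: The example in `docs/hub-deployment-guide/configure-auth/cilogon.md` still carries a stray `create` after the subcommand: `deployer cilogon-client-create create 2i2c dask-staging daskhub dask-staging.2i2c.cloud`. That does not match the README usage `deployer cilogon-client-create [OPTIONS] CLUSTER_NAME HUB_NAME [HUB_TYPE] HUB_DOMAIN`, and the extra token shifts every positional argument by one. The unchanged parent bullet also still says the command needs "the authorization callback URL" while the sub-bullet under it now describes the hub domain; the parent sentence should be updated to match.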