feat: Jupyterhub OIDC + Cleanup (#635)

* Jupyterhub OIDC + Cleanup

This PR handles a number of fixups for jupyterhub

* Move to jupyterhub's chart from bitnami's, which is quite limited in capability
* properly configure OIDC
* use postgres as backing datastore

* bump release status

Author: michaeljguarino

jupyterhub/helm/jupyterhub/Chart.lock

@@ -1,6 +1,9 @@
 dependencies:
 - name: jupyterhub
-  repository: https://charts.bitnami.com/bitnami
-  version: 3.0.12
-digest: sha256:7dbd4d47e44c4b1d35ad8ee1ccb3f52c3be682826399da28bffb98564b53938a
-generated: "2023-04-04T18:44:50.023965-10:00"
+  repository: https://jupyterhub.github.io/helm-chart/
+  version: 2.0.0
+- name: postgres
+  repository: https://pluralsh.github.io/module-library
+  version: 0.1.16
+digest: sha256:ffbd04f736eb925a2bad525b34393970e2915095021effc4155f31ee5adcc7fb
+generated: "2023-04-10T11:26:48.281791-04:00"

jupyterhub/helm/jupyterhub/Chart.yaml

@@ -2,12 +2,16 @@ apiVersion: v2
 name: jupyterhub
 description: helm chart for jupyterhub
 type: application
-version: 0.1.2
+version: 0.1.3
 appVersion: "3.1.1"
 maintainers:
   - name: Samuel Gordalina
     email: [email protected]
 dependencies:
   - name: jupyterhub
-    version: 3.0.12
-    repository: https://charts.bitnami.com/bitnami
+    version: 2.0.0
+    repository: https://jupyterhub.github.io/helm-chart/
+  - name: postgres
+    version: 0.1.16
+    repository: https://pluralsh.github.io/module-library
+    condition: postgres.enabled

jupyterhub/helm/jupyterhub/charts/jupyterhub-2.0.0.tgz

@@ -1,7 +1,7 @@
 {{/*
 Expand the name of the chart.
 */}}
-{{- define "jupyterhub.name" -}}
+{{- define "jupyterhub-plural.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
@@ -10,7 +10,7 @@ Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
-{{- define "jupyterhub.fullname" -}}
+{{- define "jupyterhub-plural.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
@@ -26,16 +26,16 @@ If release name contains chart name it will be used as a full name.
 {{/*
 Create chart name and version as used by the chart label.
 */}}
-{{- define "jupyterhub.chart" -}}
+{{- define "jupyterhub-plural.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 
 {{/*
 Common labels
 */}}
-{{- define "jupyterhub.labels" -}}
-helm.sh/chart: {{ include "jupyterhub.chart" . }}
-{{ include "jupyterhub.selectorLabels" . }}
+{{- define "jupyterhub-plural.labels" -}}
+helm.sh/chart: {{ include "jupyterhub-plural.chart" . }}
+{{ include "jupyterhub-plural.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
@@ -45,17 +45,17 @@ app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{/*
 Selector labels
 */}}
-{{- define "jupyterhub.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "jupyterhub.name" . }}
+{{- define "jupyterhub-plural.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "jupyterhub-plural.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
 {{/*
 Create the name of the service account to use
 */}}
-{{- define "jupyterhub.serviceAccountName" -}}
+{{- define "jupyterhub-plural.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "jupyterhub.fullname" .) .Values.serviceAccount.name }}
+{{- default (include "jupyterhub-plural.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}

jupyterhub/helm/jupyterhub/charts/jupyterhub-3.0.12.tgz

@@ -4,7 +4,7 @@ metadata:
   name: scaling-manual
   labels:
     platform.plural.sh/pinned: 'true'
-{{ include "jupyterhub.labels" . | indent 4 }}
+{{ include "jupyterhub-plural.labels" . | indent 4 }}
 spec:
   name: JupyterHub Scaling
   description: overview of how to optimally scale your JupyterHub deployment
@@ -16,18 +16,18 @@ spec:
     prometheus:
       format: cpu
       legend: $pod
-      query: sum(rate(container_cpu_usage_seconds_total{namespace="{{ .Release.Namespace }}",pod=~"{{ include "jupyterhub.fullname" . }}.+"}[5m])) by (pod)
+      query: sum(rate(container_cpu_usage_seconds_total{namespace="{{ .Release.Namespace }}",pod=~"{{ include "jupyterhub-plural.fullname" . }}.+"}[5m])) by (pod)
   - name: jupyterhub-memory
     type: prometheus
     prometheus:
       format: memory
       legend: $pod
-      query: sum(container_memory_working_set_bytes{namespace="{{ .Release.Namespace }}",pod=~"{{ include "jupyterhub.fullname" . }}.+"}) by (pod)
+      query: sum(container_memory_working_set_bytes{namespace="{{ .Release.Namespace }}",pod=~"{{ include "jupyterhub-plural.fullname" . }}.+"}) by (pod)
   - name: jupyterhub
     type: kubernetes
     kubernetes:
       resource: deployment
-      name: {{ include "jupyterhub.fullname" . }}
+      name: {{ include "jupyterhub-plural.fullname" . }}
   actions:
   - name: scale
     action: config

jupyterhub/helm/jupyterhub/charts/postgres-0.1.16.tgz

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jupyter.plural-postgres-jupyter.credentials.postgresql.acid.zalan.do
+  labels:
+{{ include "jupyterhub-plural.labels" . | indent 4 }}
+stringData:
+  username: jupyter
+  password: {{ .Values.postgres.password }}

jupyterhub/helm/jupyterhub/templates/_helpers.tpl

@@ -1,46 +1,50 @@
+postgres:
+  team: plural
+  user: jupyter
+  dbName: jupyter
+  ownerChart: jupyterhub
+  infix: '-postgres'
+  password: REPLACE_ME
+
 jupyterhub:
   hub:
-    adminUser: admin
-    password: password
     # image:
     #   repository: dkr.plural.sh/jupyterhub/bitnami/jupyterhub
     #   tag: 3.1.1-debian-11-r20
-    metrics:
-      serviceMonitor:
-        enabled: true
-
+    db:
+      type: postgres
+    initContainers:
+    - name: wait-for-pg
+      image: gcr.io/pluralsh/busybox:latest
+      imagePullPolicy: IfNotPresent
+      command: [ "/bin/sh", "-c", "until nc -zv plural-postgres-jupyter 5432 -w1; do echo 'waiting for db'; sleep 1; done" ]
+    networkPolicy:
+      egress:
+      - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+  
   proxy:
-    # image:
-      # registry: dkr.plural.sh/jupyterhub/bitnami/configurable-http-proxy
-      # tag: 4.5.4-debian-11-r39
-    ingress:
-      enabled: true
-      path: /.*
-      ingressClassName: nginx
-      annotations:
-        kubernetes.io/tls-acme: "true"
-        cert-manager.io/cluster-issuer: letsencrypt-prod
-        nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
-        nginx.ingress.kubernetes.io/use-regex: "true"
-      hostname: chart-example.local
-      extraTls: []
     service:
-      public:
-        type: ClusterIP
-    metrics:
-      serviceMonitor:
-        enabled: true
-
-  singleuser:
-    # image:
-      # repository: dkr.plural.sh/jupyterhub/bitnami/jupyter-base-notebook
-      # tag: 3.1.1-debian-11-r20
-    notebookDir: /data
-    extraEnvVars:
-      HOME: /data
-      JUPYTERHUB_ROOT_DIR: /data
-
-  # auxiliaryImage:
-    # image:
-      # repository: dkr.plural.sh/jupyterhub/bitnami/bitnami-shell
-      # tag: 11-debian-11-r102
+      type: ClusterIP
+    chp:
+      networkPolicy:
+        ingress:
+        - ports:
+          - port: http
+          from:
+          - namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: ingress-nginx
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    pathType: ImplementationSpecific
+    pathSuffix: '.*'
+    annotations:
+      kubernetes.io/tls-acme: "true"
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
+      nginx.ingress.kubernetes.io/use-regex: "true"
+    hosts:
+    - example.com

jupyterhub/helm/jupyterhub/templates/runbooks.yaml

@@ -1,15 +1,20 @@
 {{ $hostname := default "example.com" .Values.hostname }}
-{{ $password := dedupe . "jupyterhub.jupyterhub.hub.password" (randAlphaNum 30) }}
+{{ $jupyterPassword := dedupe . "jupyterhub.postgres.password" (randAlphaNum 20) }}
+{{ $jupyterDsn := default (printf "postgresql://jupyter:%s@plural-postgres-jupyter:5432/jupyter" $jupyterPassword) .Values.jupyterDsn }}
 
 global:
   application:
     links:
     - description: jupyterhub instance
       url: {{ $hostname }}
 
+postgres:
+  password: {{ $jupyterPassword }}
+
 jupyterhub:
   hub:
-    password: {{ $password }}
+    db:
+      url: {{ $jupyterDsn }}
     {{ if .OIDC }}
     config:
       GenericOAuthenticator:
@@ -21,16 +26,19 @@ jupyterhub:
         userdata_url: {{ .OIDC.Configuration.UserinfoEndpoint }}
         scope:
           - openid
+          - code
+          - offline
+          - offline_access
           - profile
         username_key: email
       JupyterHub:
         authenticator_class: generic-oauth
     {{ end }}
 
-  proxy:
-    ingress:
-      hostname: {{ $hostname }}
-      extraTls:
-        - hosts:
-          - {{ $hostname }}
-          secretName: jupyterhub-tls
+  ingress:
+    hosts:
+    - {{ $hostname }}
+    tls:
+    - hosts:
+      - {{ $hostname }}
+      secretName: jupyter-tls