Difficulty configuring Binderhub auth & github organization private repos

Hi there! My team asked me to set up Jupyterhub for them, so I did that and it works great. Now they want Binderhub, and I’m trying to understand how it fits in. Deploying via helm chart on an EKS cluster. Looks like it comes with its own installation of jupyterhub too, so I’ve been approaching this as a separate project.

My problem is that I cannot get github authentication to work. It works great in my Jupyterhub setup (also on the same EKS cluster, in its own namespace) but trying to replicate those settings into Binderhub’s helm values is not working. When I apply the below settings and visit Binderhub, I get a Binderhub-branded 404 page. If I set auth_enabled: false, Binderhub works fine but, no auth.

Here’s my helm values file:

config:
  BinderHub:
    auth_enabled: true
    use_registry: true
    image_prefix: dockerhubprefix/binder-prod-
    hub_url: https binderhub.mycloud
jupyterhub:
  cull:
    # don't cull authenticated users
    users: False
  custom:
    binderauth_enabled: true
  hub:
    config:
      GitHubOAuthenticator:
        client_id: redacted
        client_secret: redacted
        oauth_callback_url: https binderhub.mycloud /hub/oauth_callback
        admin_users:
          - my-github-username
        allowed_users:
          - someoneelse
        scope:
          - read:user
      JupyterHub:
        authenticator_class: github
    redirectToServer: false
    services:
      binder:
        oauth_no_confirm: true
        oauth_redirect_uri: "http binderhub.mycloud /oauth_callback"
        oauth_client_id: "binder-oauth-client-test"

  singleuser:
    # to make notebook servers aware of hub
    cmd: jupyterhub-singleuser
#auth: {}
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx-jupyterhub"
    nginx.ingress.kubernetes.io/proxy-body-size: 200m
  hosts:
    - binderhub.mycloud

And this is what I see in the logs from the binder pod when I visit binderhub, expecting to see a login page but getting a binderhub-branded 404 page instead:

[I 210427 02:37:18 log:140] 302 GET / -> https binderhub.mycloud /hub/api/oauth2/authorize?client_id=binder-oauth-client-test&redirect_uri=http%3A%2F%2Fbinderhub.mycloud%2Foauth_callback&response_type=code&state=[secret] (@10.128.5.123) 1.68ms
[W 210427 02:37:18 log:140] 404 GET /hub/api/oauth2/authorize?client_id=binder-oauth-client-test&redirect_uri=http%3A%2F%2Fbinderhub.mycloud%2Foauth_callback&response_type=code&state=[secret] (@10.128.5.123) 10.79ms

I assume something i wrong with my helm values file but I can’t figure it out.

Aside from solving the github auth issue, I’m also unsure about how to get Binderhub access to private repos that are part of a github organization. The documentation provided for achieving private github repo access only shows you how to do it via a Personal Access Token, which cannot be generated for a Github Organization, only for an account.

(You may have noticed I had to remove the :// from some http links because the forum is interpreting these as external links, and as a new user, it says I have a limit of 2 external links. But in the real helm values file, know that I’m specifying full https links).

Can anyone offer any tips or suggestions on these matters?
Thanks in advance!

It looks like you’ve only got one ingress configured, presumably you want JupyterHub and BinderHub to be accessed via your ingress? If so they both need their own ingress configuration block.

A personal access token should have access to all repos a user can access, so if that user is a member of your organisation the token should provide access to all repos in that organisation. If you’ve changed the defaults for your GitHub organisation to restrict what members can see then you’ll obviously need to increase the access rights for that user.