Hide OAuth ClientID & other secrets

Hi,

This might sound very silly, but in our helm config.yaml for Jupyterhub, we have established an Azure AD authentication mechanism by specifying parameters like client_secret, client_id etc.
Obviously we would like to mask these sensitive parameters with ENV variables that are pulled from kubernetes secrets.

As per the configuration below, we already have the ENV variable created under hub.config.extraEnv and have also confirmed that this ENV variable can be echoed from inside the hub pod, but we are still not able to replace the client_secret/client_id etc. with the ENV variable in the AzureAdOAuthenticator parameters. With the below configuration we get an invalid client secret error from Azure AD.
Wondering if I am doing something wrong.


# hub relates to the hub pod, responsible for running JupyterHub, its configured
# Spawner class KubeSpawner, and its configured Proxy class
# ConfigurableHTTPProxy. KubeSpawner creates the user pods, and
# ConfigurableHTTPProxy speaks with the actual ConfigurableHTTPProxy server in
# the proxy pod.
hub:
  revisionHistoryLimit:
  config:
    AzureAdOAuthenticator:
      admin_users:
        - admin@abc.com
      username_claim: unique_name
      enable_auth_state: true
      client_id: 1234567aa-1234-12ab-a12c-xxxxxxx
      client_secret: '{JHUB_AUTH_CLIENT_SECRET}' #instead of 1234567aa-1234-12ab-a12c-xxxxxxx
      oauth_callback_url: https://my-jubyternotebook.mydomain.com/hub/oauth_callback
      tenant_id: 1234567aa-1234-12ab-a12c-xxxxxxx
      scope:
        - openid
        - profile
        - email
    JupyterHub:
      admin_access: true
      authenticator_class: azuread

  extraConfig:
    CustomSpawner: |
      c.Spawner.cmd = ['start.sh','jupyterhub-singleuser','--allow-root']
  extraEnv:
    JHUB_AUTH_CLIENT_SECRET:
      name: JHUB_AUTH_CLIENT_SECRET
      valueFrom:
        secretKeyRef:
          name: jhub-auth-clientsecret
          key: clientsecret

  extraVolumes:
    - name: secrets-store01-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-abc-dev-kv-aks-user-msi"
  extraVolumeMounts:
    - name: secrets-store01-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
  image:
    name: jupyterhub/k8s-hub
    tag: "2.0.0"

Is this your literal config, or is that a placeholder for something else? If that's the actual text then it's not going to be expanded.

You could instead try

  extraConfig:
    Something: |
      import os
      # read the value that hub.extraEnv injected into the hub pod's environment
      c.AzureAdOAuthenticator.client_secret = os.getenv('JHUB_AUTH_CLIENT_SECRET')

Alternatively try not setting client_secret and set the environment variable OAUTH_CLIENT_SECRET, which I think will be picked up automatically (I haven't tried this, so please report if it does/doesn't work):

Thanks for the suggestion. Setting up the OAUTH_CLIENT_SECRET worked.
I was wondering if I have to hide the tenant_id as well - would I have to do it in the extraConfig as mentioned above?

You might be able to set it with OAUTH_CLIENT_ID?

That is actually a parameter different from the TenantId. Will look for alternatives.
Thank you - at least I was able to get rid of the secrets.
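An added example, not code from the thread or from the JupyterHub/oauthenticator projects, that puts the extraConfig approach from the reply above into a form that also covers the tenant_id question: every Azure AD setting is read from an environment variable injected via hub.extraEnv, and the hub refuses to start if a variable is missing or still holds an unexpanded '{VAR}'-style placeholder (the exact failure in the original config, where the literal string was sent to Azure AD and rejected). The env var names JHUB_AUTH_CLIENT_ID, JHUB_AUTH_CLIENT_SECRET and JHUB_AUTH_TENANT_ID are assumptions; map them to whatever your Kubernetes Secret provides. (oauthenticator's AzureAdOAuthenticator also derives a tenant_id default from an AAD_TENANT_ID environment variable, but check the azuread.py of the version you run before relying on that.)

```python
"""Added example (not from the thread): load Azure AD OAuth settings for
JupyterHub from environment variables inside hub.extraConfig, instead of
writing the values, or an unexpanded '{VAR}' placeholder, into config.yaml.

The environment variable names below are assumptions; point them at
whatever hub.extraEnv injects from your Kubernetes Secret.
"""
import os
import re
from types import SimpleNamespace

# Assumed env var -> AzureAdOAuthenticator trait mapping (hypothetical names).
ENV_TO_TRAIT = {
    "JHUB_AUTH_CLIENT_ID": "client_id",
    "JHUB_AUTH_CLIENT_SECRET": "client_secret",
    "JHUB_AUTH_TENANT_ID": "tenant_id",
}

# Helm/YAML do not expand '{VAR}' or '${VAR}' inside a value, so a value that
# still looks like a template token was never substituted and would be sent to
# Azure AD verbatim, which is exactly the "invalid client secret" symptom.
_UNEXPANDED = re.compile(r"^\$?\{[A-Za-z_][A-Za-z0-9_]*\}$")


def looks_unexpanded(value: str) -> bool:
    """True if `value` is a bare '{NAME}' or '${NAME}' placeholder."""
    return bool(_UNEXPANDED.match(value.strip()))


def load_azuread_settings(environ=None) -> dict:
    """Return {trait: value} read from the environment, failing fast on problems.

    Raising here makes the hub pod crash-loop with a clear message instead of
    starting with an empty or placeholder secret and failing only at login.
    """
    env = os.environ if environ is None else environ
    settings, problems = {}, []
    for var, trait in ENV_TO_TRAIT.items():
        value = env.get(var, "").strip()
        if not value:
            problems.append(f"{var} is not set or empty")
        elif looks_unexpanded(value):
            problems.append(f"{var} contains an unexpanded placeholder {value!r}")
        settings[trait] = value
    if problems:
        raise RuntimeError("Azure AD auth misconfigured: " + "; ".join(problems))
    return settings


def configure_azuread(c, environ=None) -> dict:
    """Apply the settings to JupyterHub's config object `c`.

    In hub.extraConfig, `c` is provided by JupyterHub; any object with an
    `.AzureAdOAuthenticator` attribute works, so this can be tested offline.
    """
    settings = load_azuread_settings(environ)
    for trait, value in settings.items():
        setattr(c.AzureAdOAuthenticator, trait, value)
    return settings


def redacted(settings: dict) -> dict:
    """Copy of the settings that is safe to log: secret masked, ids kept."""
    return {k: ("<redacted>" if k == "client_secret" else v)
            for k, v in settings.items()}


if __name__ == "__main__":
    # Constructed environment for a stand-alone run; every value is fake.
    fake_env = {
        "JHUB_AUTH_CLIENT_ID": "00000000-0000-0000-0000-000000000001",
        "JHUB_AUTH_CLIENT_SECRET": "not-a-real-secret",
        "JHUB_AUTH_TENANT_ID": "00000000-0000-0000-0000-000000000002",
    }
    demo_c = SimpleNamespace(AzureAdOAuthenticator=SimpleNamespace())
    print(redacted(configure_azuread(demo_c, fake_env)))
```

To use it in the chart, paste everything above the `if __name__` block into a hub.extraConfig entry, finish with `configure_azuread(c)`, and remove client_id, client_secret and tenant_id from hub.config.AzureAdOAuthenticator so the only copies of those values live in the Kubernetes Secret referenced by hub.extraEnv. Keep the `enable_auth_state`, `scope` and callback settings in config.yaml as before; only the identifiers and the secret move.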