How am I supposed to use `existingSecret`

qTipTip · July 6, 2020, 2:45pm

Hi!

I am deploying JupyterHub on a Kubernetes cluster. The authentication is done using Azure AD.
The config.yaml is version controlled in Git, and I would like to get rid of any references to the AzureAD client secrets. That is

auth:
  azuread:
    callbackUrl: ...
    clientId: ...
    clientSecret: ...
    tenantId: ...

type: azuread

I have tried to navigate previous posts on this issue, to no avail. I know of the concept of existingSecret, however there are no references to how exactly you are supposed to use this.

Could anyone provide some insight on how I can expose the AzureAD authentication secrets as a kubernetes secret, to avoid having to commit this to VCS?

Cheers in advance

sgibson91 · July 6, 2020, 8:58pm

I don’t know about existingSecret, but I stored my secrets in an Azure Key Vault, then used an Azure Pipeline to populate my config file and upgrade the cluster when I pushed to the default branch: https://www.github.com/alan-turing-institute/hub23-deploy/tree/main/.az-pipelines%2Fcd-pipeline.yml (This is for a BinderHub, but it’s dependent on the z2jh-k8s chart).

More documentation here: https://alan-turing-institute.github.io/hub23-deploy

qTipTip · July 10, 2020, 10:42am

Thanks for the tips! I’ll take a look.

I’d still love some advice on the existingSecret, which was introduced in Z2JH 0.9, if I recall correctly.