How to use ssh to Z-JH in local cluster

It’s a good idea for data scientists.
They can use VS Code to connect to the single notebook over ssh, which is useful for debugging.

Now, let me describe how I did it.

1. The latest helm version, 1.2.0, seems stable.

2. Use jupyterhub-ssh to build a jupyterhub-ssh service. By the way, we have to choose a version first.

https://yuvipanda.github.io/jupyterhub-ssh/index.yaml

3. Use the special values for zero-to-jupyter.
proxy.https.enable must be true, for TLS.
proxy.https.type must be letsencrypt, to start the auto-https deployment.
proxy.https.host can’t be empty.

4. Change traefik extraStaticConfig; I think I need dnsChallenge in a local cluster.
I am blocked at this step and learning traefik now. Does anybody have suggestions?

5. Now traefik is useless, and I can give up TLS, so just changing the service port to jupyter-ssh is great, and deleting the useless network policy is fine.

I also have cert-manager building certs, but I don’t know how to use them. The cert.yaml looks like this.

---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: jupyterhub-self-signing-issuer
spec:
  selfSigned: {}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: jupyterhub-cert
  namespace: jupyterhub-system
spec:
  dnsNames:
    - hub.jupyterhub-system.svc.cluster.local
  isCA: true
  secretName: jupyterhub-tls
  issuerRef:
    name: jupyterhub-self-signing-issuer
    kind: ClusterIssuer

OK, then I gave up on traefik because it was so difficult to use, deleted some useless things, and do not use TLS. I’m so happy to use JH. So great, ssh done.

Hi! I installed it according to the configuration on GitHub, but I still can’t use the ssh connection. Is it necessary to modify some configuration?

Hi,

It depends on how you have your ingress set up.

Are you using an external ingress controller like NGINX Ingress Controller?

If so, you need to do three things:

  1. Expose a TCP Service
  2. Label your ingress controller
  3. Configure the jupyterhub-ssh Network Policy so that it allows the network flow from the ingress to your jupyterhub-ssh service

1 and 2 can be accomplished with a configuration like:

controller:
  podLabels:
    example.org/network-access-jupyter-ssh-server: "true"

# Enable tcp-services-configmap that will add additional port to services mapping
tcp:
  22022: jhub/jupyterhub-ssh:22

For number 3:

ssh:
  enabled: true

  networkPolicy:
    ingress:
      - ports:
        - protocol: TCP
          port: ssh

        from:
          - namespaceSelector:
              matchLabels:
                kubernetes.io/metadata.name: ingress-namespace-name
            podSelector:
              matchLabels:
                example.org/network-access-jupyter-ssh-server: 'true'

You should then be able to do ssh myuser@myjupyterhub.example.org -p 22022
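The rule in step 3 puts namespaceSelector and podSelector in the same `from` element, so a source pod must satisfy both; an ingress controller pod without the label from step 2 is still blocked. The following Python is an added example, not part of the original post or of jupyterhub-ssh: it evaluates that rule against constructed source pods, models only matchLabels, and assumes the policy lives in the `jhub` namespace.

```python
# Added example: models only matchLabels peers (no matchExpressions, no ipBlock).
# RULE is the ingress rule from the answer above, written as a Python dict.
LABEL = "example.org/network-access-jupyter-ssh-server"
RULE = {
    "ports": [{"protocol": "TCP", "port": "ssh"}],
    "from": [{
        "namespaceSelector": {"matchLabels": {
            "kubernetes.io/metadata.name": "ingress-namespace-name"}},
        "podSelector": {"matchLabels": {LABEL: "true"}},
    }],
}

def labels_match(selector, labels):
    """matchLabels: every selector key/value must be present on the object."""
    return all(labels.get(k) == v
               for k, v in selector.get("matchLabels", {}).items())

def peer_allows(peer, src_ns, ns_labels, pod_labels, policy_ns):
    """Selectors inside one `from` element are ANDed together."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled here
    if ns_sel is None:
        ns_ok = src_ns == policy_ns  # podSelector alone: policy namespace only
    else:
        ns_ok = labels_match(ns_sel, ns_labels)
    return ns_ok and (pod_sel is None or labels_match(pod_sel, pod_labels))

def rule_allows(rule, src_ns, ns_labels, pod_labels, port, policy_ns="jhub"):
    """Separate `from` elements are ORed; a listed port must also match."""
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port for p in ports):
        return False
    peers = rule.get("from")
    if not peers:
        return True  # no `from` means any source is allowed on these ports
    return any(peer_allows(p, src_ns, ns_labels, pod_labels, policy_ns)
               for p in peers)

if __name__ == "__main__":
    # Constructed sources: (namespace, pod labels)
    for ns, pod in [("ingress-namespace-name", {LABEL: "true"}),
                    ("ingress-namespace-name", {}),
                    ("default", {LABEL: "true"})]:
        ns_labels = {"kubernetes.io/metadata.name": ns}
        print(ns, pod, "->", rule_allows(RULE, ns, ns_labels, pod, "ssh"))
```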

This here is super exciting.
I have tried to get it working, but I just keep getting a timeout when connecting to the pods via ssh.
I have rebuilt the docker image in the repo mentioned above, but that unfortunately led to no logs being output to stdout.
Our setup is a pretty standard k8s cluster setup. I create a connection to the svc deployed with the helm setup, like so: kubectl -n jhub port-forward svc/jupyterhub-ssh 8022:22, and then I run ssh <user name>@127.0.0.1 -p 8022. But all I get is a timeout. Not sure what I’m missing? Do the pods that we are connecting to need sshd, a service daemon? Is there any logging I can check to see what takes place? Any help is appreciated, thanks.

Hi and welcome!

Did you check the NetworkPolicy side of things?

The default one from jupyterhub-ssh is restrictive (and correctly so).
