I am unable to create a GitLab integration with the recommended JupyterHub config

I am trying to install JupyterHub into my GKE cluster; I currently have GitLab EE running on there. I have created an OAuth application in my running GitLab instance and I also have an ingress created. The last thing to do is to install JupyterHub with config values. Mine does not seem to work.

Expected behaviour

I expect that when I run helm install, I should have JupyterHub running and integrated with GitLab.

See my config below

#-----------------------------------------------------------------------------
# The gitlab and ingress sections must be customized!
#-----------------------------------------------------------------------------

gitlab:
   clientId: "0d45e17e520127da41cc32867f545502d61c06e52dc16a0f8d656b5ebe55c1aa"
   clientSecret: "3c8ceb99991e556e14de76d6a92cbbec4b8f607dca949566849832db81264cbc"
   callbackUrl: "http://jupyter.34.142.108.231.nip.io/hub/oauth_callback"
   # Limit access to members of specific projects or groups:
   # allowedGitlabGroups: [ "my-group-1", "my-group-2" ]
   # allowedProjectIds: [ 12345, 6789 ]

ingress:
   enabled: true
   host: jupyter.34.142.108.231.nip.io
   # tls:
   # - hosts:
   # - <JupyterHostname>
   # secretName: jupyter-cert
   # annotations:
   # kubernetes.io/ingress.class: "nginx"
   # kubernetes.io/tls-acme: "true"


#-----------------------------------------------------------------------------
## NO MODIFICATIONS REQUIRED BEYOND THIS POINT
##-----------------------------------------------------------------------------

hub:
   extraEnv:
      JUPYTER_ENABLE_LAB: 1
   extraConfig: |
      c.KubeSpawner.cmd = ['jupyter-labhub']
      c.GitLabOAuthenticator.scope = ['api read_repository write_repository']

      async def add_auth_env(spawner):
         '''
         We set user's id, login and access token on single user image to
         enable repository integration for JupyterHub.
         See: https://gitlab.com/gitlab-org/gitlab-foss/issues/47138#note_154294790
         '''
         auth_state = await spawner.user.get_auth_state()

         if not auth_state:
            spawner.log.warning("No auth state for %s", spawner.user)
            return

         spawner.environment['GITLAB_ACCESS_TOKEN'] = auth_state['access_token']
         spawner.environment['GITLAB_USER_LOGIN'] = auth_state['gitlab_user']['username']
         spawner.environment['GITLAB_USER_ID'] = str(auth_state['gitlab_user']['id'])
         spawner.environment['GITLAB_USER_EMAIL'] = auth_state['gitlab_user']['email']
         spawner.environment['GITLAB_USER_NAME'] = auth_state['gitlab_user']['name']

      c.KubeSpawner.pre_spawn_hook = add_auth_env

auth:
   type: gitlab
   state:
      enabled: true

singleuser:
   defaultUrl: "/lab"
   image:
      name: registry.gitlab.com/gitlab-org/jupyterhub-user-image
      tag: latest
   lifecycleHooks:
      postStart:
         exec:
            command:
               - "sh"
               - "-c"
               - >
                  git clone https://gitlab.com/gitlab-org/nurtch-demo.git DevOps-Runbook-Demo || true;
                  echo "https://oauth2:${GITLAB_ACCESS_TOKEN}@${GITLAB_HOST}" > ~/.git-credentials;
                  git config --global credential.helper store;
                  git config --global user.email "${GITLAB_USER_EMAIL}";
                  git config --global user.name "${GITLAB_USER_NAME}";
                  jupyter serverextension enable --py jupyterlab_git

proxy:
   service:
      type: ClusterIP

Actual behaviour

Upon running the helm install I get the error below

The JupyterHub Helm chart’s auth config has been reworked and requires changes.

The new way to configure authentication in chart version 0.11.0+ is printed
below for your convenience. The values are not shown by default to ensure no
secrets are exposed, run helm upgrade with --set global.safeToShowValues=true
to show them.

hub:
  config:
    Authenticator:
      enable_auth_state: '***'
    JupyterHub:
      authenticator_class: gitlab

Hi! It looks like the formatting of your post has been messed up, see Creating and highlighting code blocks - GitHub Docs for help with formatting code blocks.

Did you try following the suggestion in the error message?

I’m having the same issue as @floormind, and I’ve played a bit around with the config file.

The config file the user refers to is the recommended runbook integration config from your page here. That config file is outdated, as the GitLab OAuth integration is now implemented differently. It also no longer needs ingress. extraConfig also is specified in a different way now compared to what is listed in the GitHub documentation.

The below config file produces a working JupyterHub Kubernetes application, but cloning with ssh from GitLab does not work with the generated .git-credentials file.

The .git-credentials file does contain credentials in the format specified below, but it does not work for cloning a repository from GitLab.

In order to gain access to GitLab from the JupyterLab server, I have to generate SSH-keys separately. Can we get some help to get the .git-credentials file working with the GitLab auth token?

#-----------------------------------------------------------------------------
# The gitlab and ingress sections must be customized!
#-----------------------------------------------------------------------------

##Enable verbose logging:
debug:
  enabled: true

#This runs, but does not set environment variables
hub:
  config:
    GitLabOAuthenticator:
      client_id: <gitlab-application-id>
      client_secret: <gitlab-application-secret>
      oauth_callback_url: <https://jupyter-domain.mydomain.com/hub/oauth_callback>
      gitlab_url: <https://gitlab-domain.mydomain.com>
      enable_auth_state: true
    JupyterHub:
      authenticator_class: gitlab
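  extraEnv:
    # A Helm values file is not passed through a shell, so "$(openssl rand -hex 32)"
    # would be used literally; run the command beforehand and paste its output here.
    JUPYTERHUB_CRYPT_KEY: "<output of: openssl rand -hex 32>"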
  extraConfig: #This is where we are supposed to get Gitlab access tokens
    gitlab-config: |
      c.JupyterHub.spawner_class = 'kubespawner.KubeSpawner'
      c.KubeSpawner.cmd = ['jupyter-labhub']

      async def add_auth_env(spawner):
         '''
         We set user's id, login and access token on single user image to
         enable repository integration for JupyterHub.
         See: https://gitlab.com/gitlab-org/gitlab-foss/issues/47138#note_154294790
         '''
         auth_state = await spawner.user.get_auth_state()

         if not auth_state:
            spawner.log.warning("No auth state for %s", spawner.user)
            return

         spawner.environment['GITLAB_ACCESS_TOKEN'] = auth_state['access_token']
         spawner.environment['GITLAB_USER_LOGIN'] = auth_state['gitlab_user']['username']
         spawner.environment['GITLAB_USER_ID'] = str(auth_state['gitlab_user']['id'])
         spawner.environment['GITLAB_USER_EMAIL'] = auth_state['gitlab_user']['email']
         spawner.environment['GITLAB_USER_NAME'] = auth_state['gitlab_user']['name']

      c.KubeSpawner.pre_spawn_hook = add_auth_env




singleuser:
  defaultUrl: "/lab"
  image:
    name: jupyter/tensorflow-notebook #Changed which image is being used
    tag: tensorflow-2.6.2
  extraEnv:
    JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
  lifecycleHooks:
    postStart:
      exec:
        command: #git clone https://gitlab.com/gitlab-org/nurtch-demo.git DevOps-Runbook-Demo || true; ##Removed command
          - "sh"
          - "-c"
          - >
            echo "https://oauth2:${GITLAB_ACCESS_TOKEN}@${GITLAB_HOST}" > ~/.git-credentials;
            git config --global credential.helper store;
            git config --global user.email "${GITLAB_USER_EMAIL}";
            git config --global user.name "${GITLAB_USER_NAME}";


#Not certain that this setting is compatible with Ingress
proxy: #This singleuser setting is functional as of 2022.02.24 with jhub chart version 1.1.1 IF autohttps pod is restarted manually
  https: ##This setting works when you delete the autohttps pod or delay its deployment
    enabled: true
    hosts:
      - <jupyter-domain.mydomain.com>
    letsencrypt:
      contactEmail: <contact@mydomain.com>
  service:
    loadBalancerIP: <load-balancer-IP>
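
A check for the `.git-credentials` problem described in the post above, as an added example that is not part of the thread or of the GitLab runbook. Git's `store` helper is consulted only for HTTP(S) remotes and matches entries by scheme and host, and `${GITLAB_HOST}` is not set anywhere in the configuration shown, so the sketch validates both. The function names and the sample token and host are assumptions constructed for illustration.

```python
from urllib.parse import quote, urlsplit


def credential_line(token, host):
    """Build the store entry the postStart hook writes; refuse empty inputs."""
    if not token or not host:
        raise ValueError("GITLAB_ACCESS_TOKEN and GITLAB_HOST must both be non-empty")
    host = host.split("://", 1)[-1].rstrip("/")  # tolerate 'https://host/' as input
    return f"https://oauth2:{quote(token, safe='')}@{host}"


def diagnose(store_text, remote_url):
    """Return a short verdict on whether the credential store can serve remote_url."""
    remote = urlsplit(remote_url)
    if remote.scheme not in ("http", "https"):
        # ssh://... and scp-style git@host:path remotes authenticate with SSH keys
        # and never read ~/.git-credentials.
        return "not-http-remote"
    verdict = "no-matching-entry"
    for line in filter(None, map(str.strip, store_text.splitlines())):
        entry = urlsplit(line)
        if not entry.hostname:
            # What the echo in the hook produces when ${GITLAB_HOST} expands to ''.
            verdict = "entry-without-host"
        elif (entry.scheme, entry.hostname, entry.port) == (
            remote.scheme, remote.hostname, remote.port
        ):
            return "ok" if entry.password else "entry-without-token"
    return verdict


# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_TOKEN = "example-token-123"
SAMPLE_HOST = "https://gitlab.example.com/"

if __name__ == "__main__":
    store = credential_line(SAMPLE_TOKEN, SAMPLE_HOST)
    for url in ("https://gitlab.example.com/group/repo.git",
                "git@gitlab.example.com:group/repo.git"):
        print(url, "->", diagnose(store, url))
    print(diagnose("https://oauth2:example-token-123@",
                   "https://gitlab.example.com/group/repo.git"))
```
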

Hi! The only thing I can think of is to look at the requested and available GitLab scopes. Note it may be out of date so please check the latest GitLab information too. If you change the scopes be aware that you may need to forcibly delete any existing tokens to force a refresh.

If that doesn’t lead anywhere it might be worth opening a support request with GitLab since it’s their runbook? If you do please share the answer here, it’s definitely something that others would find useful.