-
Notifications
You must be signed in to change notification settings - Fork 788
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatic secret generation triggers constant redeploy (ArgoCD) #2887
Comments
This is a great coincidence... Just spent the morning figuring out why my hub kept restarting. Would be nice to have a solution for this. For reference, using version 1.20 of the chart. |
This works for most things, because in the So, we would need similar logic of merging configuration also in the proxy pod as we have in the hub pod if this is to be supported. Currently, the proxy pod reads the k8s Secret managed by the Helm chart like this - and doesn't respect zero-to-jupyterhub-k8s/jupyterhub/templates/proxy/deployment.yaml Lines 116 to 124 in dfeb8ea
Proposals on how this could be resolved are welcome, but if the complexity increase too much I'll be very inclined to reject such proposal to ensure sustainable maintenance of this Helm chart long term. Related background knowledgeThe
|
# During Helm template rendering, these values that can be autogenerated for | |
# users are set using the following logic: | |
# | |
# 1. Use chart configuration's value | |
# 2. Use k8s Secret's value | |
# 3. Use a new autogenerated value | |
# | |
# hub.config.ConfigurableHTTPProxy.auth_token: for hub to proxy-api authorization (JupyterHub.proxy_auth_token is deprecated) | |
# hub.config.JupyterHub.cookie_secret: for cookie encryption | |
# hub.config.CryptKeeper.keys: for auth state encryption | |
# | |
hub.config.ConfigurableHTTPProxy.auth_token: {{ include "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" . | required "This should not happen: blank output from 'jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token' template" | b64enc | quote }} | |
hub.config.JupyterHub.cookie_secret: {{ include "jupyterhub.hub.config.JupyterHub.cookie_secret" . | required "This should not happen: blank output from 'jupyterhub.hub.config.JupyterHub.cookie_secret' template" | b64enc | quote }} | |
hub.config.CryptKeeper.keys: {{ include "jupyterhub.hub.config.CryptKeeper.keys" . | required "This should not happen: blank output from 'jupyterhub.hub.config.CryptKeeper.keys' template" | b64enc | quote }} |
Here is the helm logic referenced to generate the key, using the lookup
function:
{{- define "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" -}} | |
{{- if (.Values.hub.config | dig "ConfigurableHTTPProxy" "auth_token" "") }} | |
{{- .Values.hub.config.ConfigurableHTTPProxy.auth_token }} | |
{{- else if .Values.proxy.secretToken }} | |
{{- .Values.proxy.secretToken }} | |
{{- else }} | |
{{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }} | |
{{- if hasKey $k8s_state.data "hub.config.ConfigurableHTTPProxy.auth_token" }} | |
{{- index $k8s_state.data "hub.config.ConfigurableHTTPProxy.auth_token" | b64dec }} | |
{{- else }} | |
{{- randAlphaNum 64 }} | |
{{- end }} | |
{{- end }} | |
{{- end }} |
I see... and of course ArgoCD uses |
I was looking a bit into Jupyterhub documentation because I ran into the same issue. I was thinking that I could actually generate the needed tokens myself (proxy auth mainly, but also the cookie secret) and spin up a k8s Secret that would be then used in EnvVars both for the Hub and the Proxy. Thoughts on that idea? Thanks folks! |
@IceS2 according to the Kubernetes documentation of
So, if you pass the variable as an I have tried a different approach, by using the I think that this can possible be overcame by using some label/annotation that you should update every time you change a value in any part of the chart, but I haven't tried to implement it, as I have decided for a simpler mitigation approach. At the end I have opted for using SyncWindows, so the Jupyter chart does not get synchronized during office hours. P.S. This is our Jupyter app config in Argo in case you want to give it a go:
|
Why would the secret keep changing if I pass a dummy value for it to get it from instead of being generated every time? I think it's actually different from placing it plain text in (I'm not a k8s expert so I might be saying stupid things xD) |
@IceS2 if the About the restarts, actually if you set the |
Great to see the activity in this repo! Thanks @consideRatio for the in depth reply! Makes sense. |
Hi @kanor1306 We also implemented the
We did a change to a definition to the hub. This triggers a redeploy of the hub (not the proxy). But we are still able to login / spawn Notebooks etc. Is there something we are missing to your specific situation? We are still on the Our
|
@BlueCog, also
But again, this is the case if using As far as my understanding of Argo goes, If you are not using
I am guessing that we are in a different use case, maybe in the structure of our Argo Application or something similar, and that is why we have different (although similar) problems |
Hey folks, I've just tested successfully what I mentioned here: We were already using this Helm Chart as part of our own since we needed to add a few other resources. I ended up adding a new secret (fetching the secret from AWS SSM in our case):
After that I'm using the following configuration:
The plaintext tokens on the configuration act as placeholders. |
Nice @IceS2 ! Then I think we have three scenario's for my initial post.
We/my team think scenario 2 is the best for us at te moment. If I understand the documentation correctly ArgoCD will ignore the secret rotation when looking to A side note is that it seems the Case closed? ;) |
Are there any adjustments needed for the last tag (3.0.0)? tried without
|
@gulldan the group is wrong on the Secret. Here is the correct ignore block:
|
Scenario
Deploying zero-to-jupyterhub-k8s via ArgoCD
ArgoCD checks now and then on changes in the code base. If this code base is Helm ArgoCD will use the
helm template
command.Because the tokens are automatically generated. For example: schema-proxy-secrettoken ArgoCD constantly thinks there is a new set of code (tokens) and will try to apply the latest state what in turn will result in a new deployment. This process repeats constantly.
Now the docs note that I can a default token via override file. But we don't want that because this will mean the secret is in plain text in the code base. We'd like to apply the secret for example via the existingsecret method.
Proposed change
Be able to set ALL secrets via existingsecret
Who would use this feature?
Everyone who works from a code base and don't want to commit secrets.
The text was updated successfully, but these errors were encountered: