-
Notifications
You must be signed in to change notification settings - Fork 792
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hub existingSecret functionality not working as expected #2009
Comments
This comment has been minimized.
This comment has been minimized.
Yeah =/ This is the kind of experience I feared from accepting this feature in the first place. The documentation has a note about you needing to keep it updated. Short termShort term, what you are required to do is to specify your passwords etc without hub.existingSecret set, then re-create the k8s secret, and then set hub.existingSecret again and remove your specification of passwords etc. Long termMy understanding of the feature wanted is: to be able to extract all secret information from a helm configuration file, and letting the Helm chart pick up on those from a k8s Secret. Currently this works, but, the major drawback is that one need to manually manage the k8s Secret even though the only change was in default configuration between Helm chart versions rather than the user provided passwords. I think it is possible to implement a better solution. Such solution should improve the user experience but also not add too fragile logic that is hard to maintain. Brainstorming long term solution
Related
|
@minrk @manics @yuvipanda - what do you think about the brainstormed solution above to making Sounds to me like a potential 1.0.0 enhancement to aim for. |
This issue has been mentioned on Jupyter Community Forum. There might be relevant details there: https://discourse.jupyter.org/t/how-am-i-supposed-to-use-existingsecret/5097/4 |
Reimplementation of hub.existingSecretThis is my preliminary strategy planned to make hub.existingSecret sustainable to use to manage sensitive configuration needed by the Helm chart. Use of hub.existingSecret hasn't been a good experience for users because they end up needing to manually update it whenever they change something passed to the hub pod through values.yaml to be read in jupyterhub_config.py. My idea is to solve this by allowing hub.existingSecret be mounted in parallel to the default k8s Secret resource we make use of and then merging values. For keys such as hub.db.password and hub.config.JupyterHub.proxy_auth_token that are root level keys in the secrets, the idea is to always favor reference to an hub.existingSecret if there is one set. Implementation challenges
Implementation steps
Feedback on the strategy appreciated of course. |
I realize the whole approach is being reworked for 1.0.0 but is it possible / is there interest to backport a simpler approach into 0.11.x and 0.10.x? Basically, prior to 0.10.x (and specifically, #1682), if So folks who are waiting on 1.0.0 and want to use This is a pretty dramatic difference - and not all that obvious from the documentation. @zarrarrana - we are in the exact same boat as you. How do you plan on solving this problem until 1.0.0? |
Hmmmm... This would work... jupyterhub_config.py have access to everything that is mounted, which still is quite a lot of the Helm chart values afaik - because it mounts the k8s Secret for example. hub:
extraConfig:
myExtraConfig:
from z2jh import get_config
a_lot_of_things = get_config("hub.something") The short answer with regards to backporting is that unless it is a security fix, we don't put in effort in doing it to reduce maintenance burden. This specific feature would also be quite complicated to backport actually because it relies on some other refactoring PRs. If you want this feature before next release, you can use the dev-release though. They are supposed to work at all time, and an actual release is pretty much just a snapshot. For the dev release version, see/click the badges in this projects README file. For reference, here is a version that can be used right now: |
I don't think this is correct; the secret is dropped completely if the
... ok, that's what I was looking for! Many thanks for your work; I do understand the concerns of maintenance burden. @zarrarrana - one workaround I found is this: https://docs.fluxcd.io/projects/helm-operator/en/stable/helmrelease-guide/values/#secrets That is, we can locally stop using |
Bug description
Hi, I am trying to update jupyterhub to helm chart 0.10.6 from 0.9.0, and with the recent change of moving values.yaml only to hub-secret and removing it from hub-config is breaking the Hub existingSecret functionality. In our existing deployment on EKS we use gitops/flux/helm operator for our deployments and we didn't want to add secrets to git, so we created hub-secret which only includes secrets(proxy token, db creds, crypto-key, cookie-secret, etc) using external secrets operator and set the name as existingSecret. Now when the existingSecret is set, the secret is not created and values.yaml doesn't make it to the hub pod and it doesn't start properly.
Expected behaviour
The previous behaviour of existingSecret should continue to work without having to add values.yaml to existingSecret.
The text was updated successfully, but these errors were encountered: