k8s-manifests/jupyter/base/values/values.yaml

hub:
  config:
    Authenticator:
      auto_login: true
      enable_auth_state: true
    JupyterHub:
      tornado_settings:
        headers: { 'Content-Security-Policy': "frame-ancestors *;" }
  db:
    pvc:
      storageClassName: csi-sc-cinderplugin
  extraConfig:
    oauthCode: |
      import time
      import requests
      from datetime import datetime
      from oauthenticator.generic import GenericOAuthenticator

      def get_nextcloud_access_token(refresh_token):
        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']

        url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
        code = refresh_token
        data = {
          'grant_type': refresh_token,
          'code': code,
          'refresh_token': refresh_token,
          'client_id': client_id,
          'client_secret': client_secret
        }
        response = requests.post(url, data=data)
        return response.json()

      def post_auth_hook(authenticator, handler, authentication):
        user = authentication['auth_state']['oauth_user']['ocs']['data']['id']
        auth_state = authentication['auth_state']
        auth_state['token_expires'] =  time.time() + auth_state['token_response']['expires_in']
        authentication['auth_state'] = auth_state
        return authentication

      class NextcloudOAuthenticator(GenericOAuthenticator):
        def __init__(self, *args, **kwargs):
          super().__init__(*args, **kwargs)
          self.user_dict = {}

        async def pre_spawn_start(self, user, spawner):
          super().pre_spawn_start(user, spawner)
          auth_state = await user.get_auth_state()
          if not auth_state:
            return
          access_token = auth_state['access_token']
          spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token

        async def refresh_user(self, user, handler=None):
          debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ
          auth_state = await user.get_auth_state()
          if not auth_state:
            if debug:
              print(f'auth_state missing for {user}')
            return False
          access_token = auth_state['access_token']
          refresh_token = auth_state['refresh_token']
          token_response = auth_state['token_response']
          now = time.time()
          now_hr = datetime.fromtimestamp(now)
          expires = auth_state['token_expires']
          expires_hr = datetime.fromtimestamp(expires)
          if debug:
            print(f'auth_state for {user}: {auth_state}')
          if now >= expires:
            if debug:
              print(f'Time is: {now_hr}, token expired: {expires_hr}')
              print(f'Refreshing token for {user}')
            try:
              token_response = get_nextcloud_access_token(refresh_token)
              auth_state['access_token'] = token_response['access_token']
              auth_state['refresh_token'] = token_response['refresh_token']
              auth_state['token_expires'] = now + token_response['expires_in']
              auth_state['token_response'] = token_response
              if debug:
                print(f'Successfully refreshed token for {user}')
                print(f'auth_state for {user}: {auth_state}')
              return auth_state
            except Exception as e:
              if debug:
                print(f'Failed to refresh token for {user}')
              return False
            return False
          if debug:
            print(f'Time is: {now_hr}, token expires: {expires_hr}')
          return True

      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
      c.NextcloudOAuthenticator.token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
      c.NextcloudOAuthenticator.allow_all = True
      c.NextcloudOAuthenticator.refresh_pre_spawn = True
      c.NextcloudOAuthenticator.enable_auth_state = True
      c.NextcloudOAuthenticator.auth_refresh_age = 3600
      c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook

  extraEnv:
    NEXTCLOUD_DEBUG_OAUTH: "yes"
    NEXTCLOUD_HOST: sunet.drive.test.sunet.se
    JUPYTER_HOST: jupyter.drive.test.sunet.se
    JUPYTERHUB_CRYPT_KEY:
      valueFrom:
        secretKeyRef:
          name: jupyterhub-secrets
          key: crypt-key
    NEXTCLOUD_CLIENT_ID:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
          key: client-id
    NEXTCLOUD_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
          key: client-secret
    networkPolicy:
      enabled: false

singleuser:
  image:
    name: docker.sunet.se/drive/jupyter-custom
    tag: lab-4.0.10
  storage:
    dynamic:
      storageClass: csi-sc-cinderplugin
  extraEnv:
    JUPYTER_ENABLE_LAB: "yes"
  extraFiles:
    jupyter_notebook_config:
      mountPath: /home/jovyan/.jupyter/jupyter_server_config.py
      stringData: |
        import os
        c = get_config()
        c.NotebookApp.allow_origin = '*'
        c.NotebookApp.tornado_settings = {
            'headers': { 'Content-Security-Policy': "frame-ancestors *;" }
        }
        os.system('/usr/local/bin/nc-sync')
      mode: 0644
JupyterHub code 2023-05-03 09:19:31 +00:00			`hub:`
			`config:`
			`Authenticator:`
			`auto_login: true`
			`enable_auth_state: true`
			`JupyterHub:`
			`tornado_settings:`
			`headers: { 'Content-Security-Policy': "frame-ancestors *;" }`
DB is supposed to be under hub 2023-09-28 06:36:09 +00:00			`db:`
			`pvc:`
			`storageClassName: csi-sc-cinderplugin`
JupyterHub code 2023-05-03 09:19:31 +00:00			`extraConfig:`
			`oauthCode: \|`
Add expiration check 2024-01-13 14:47:22 +00:00			`import time`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`import requests`
Cleaner debug 2024-01-15 09:14:07 +00:00			`from datetime import datetime`
Try old code again 2024-01-12 09:26:03 +00:00			`from oauthenticator.generic import GenericOAuthenticator`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00
Add code to refresh token 2024-01-15 11:29:56 +00:00			`def get_nextcloud_access_token(refresh_token):`
			`client_id = os.environ['NEXTCLOUD_CLIENT_ID']`
			`client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']`

			`url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'`
			`code = refresh_token`
			`data = {`
			`'grant_type': refresh_token,`
			`'code': code,`
Typo 2024-01-15 11:36:00 +00:00			`'refresh_token': refresh_token,`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`'client_id': client_id,`
			`'client_secret': client_secret`
			`}`
			`response = requests.post(url, data=data)`
			`return response.json()`

Switch to custom class 2024-01-12 13:04:13 +00:00			`def post_auth_hook(authenticator, handler, authentication):`
Format 2024-01-13 14:30:12 +00:00			`user = authentication['auth_state']['oauth_user']['ocs']['data']['id']`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00			`auth_state = authentication['auth_state']`
			`auth_state['token_expires'] = time.time() + auth_state['token_response']['expires_in']`
			`authentication['auth_state'] = auth_state`
Format 2024-01-13 14:30:12 +00:00			`return authentication`
Try to modify authstate after declaration 2024-01-13 15:31:06 +00:00
Switch to custom class 2024-01-12 13:04:13 +00:00			`class NextcloudOAuthenticator(GenericOAuthenticator):`
			`def __init__(self, args, *kwargs):`
Format 2024-01-13 14:30:12 +00:00			`super().__init__(args, *kwargs)`
			`self.user_dict = {}`

use persited auth_state 2024-01-13 15:20:19 +00:00			`async def pre_spawn_start(self, user, spawner):`
Format 2024-01-13 14:30:12 +00:00			`super().pre_spawn_start(user, spawner)`
use persited auth_state 2024-01-13 15:20:19 +00:00			`auth_state = await user.get_auth_state()`
			`if not auth_state:`
			`return`
			`access_token = auth_state['access_token']`
Format 2024-01-13 14:30:12 +00:00			`spawner.environment['NEXTCLOUD_ACCESS_TOKEN'] = access_token`
Add refresh user function 2024-01-13 14:30:57 +00:00
			`async def refresh_user(self, user, handler=None):`
Cleaner debug 2024-01-15 09:14:07 +00:00			`debug = 'NEXTCLOUD_DEBUG_OAUTH' in os.environ`
use persited auth_state 2024-01-13 15:20:19 +00:00			`auth_state = await user.get_auth_state()`
			`if not auth_state:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'auth_state missing for {user}')`
use persited auth_state 2024-01-13 15:20:19 +00:00			`return False`
			`access_token = auth_state['access_token']`
			`refresh_token = auth_state['refresh_token']`
Fix typo 2024-01-13 15:24:28 +00:00			`token_response = auth_state['token_response']`
Remove exception 2024-01-13 15:21:55 +00:00			`now = time.time()`
Cleaner debug 2024-01-15 09:14:07 +00:00			`now_hr = datetime.fromtimestamp(now)`
Fix typo 2024-01-13 15:24:28 +00:00			`expires = auth_state['token_expires']`
Cleaner debug 2024-01-15 09:14:07 +00:00			`expires_hr = datetime.fromtimestamp(expires)`
Use access token again 2024-01-15 11:07:53 +00:00			`if debug:`
			`print(f'auth_state for {user}: {auth_state}')`
Remove exception 2024-01-13 15:21:55 +00:00			`if now >= expires:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'Time is: {now_hr}, token expired: {expires_hr}')`
Add code to refresh token 2024-01-15 11:29:56 +00:00			`print(f'Refreshing token for {user}')`
			`try:`
			`token_response = get_nextcloud_access_token(refresh_token)`
			`auth_state['access_token'] = token_response['access_token']`
			`auth_state['refresh_token'] = token_response['refresh_token']`
			`auth_state['token_expires'] = now + token_response['expires_in']`
			`auth_state['token_response'] = token_response`
			`if debug:`
			`print(f'Successfully refreshed token for {user}')`
			`print(f'auth_state for {user}: {auth_state}')`
			`return auth_state`
			`except Exception as e:`
			`if debug:`
			`print(f'Failed to refresh token for {user}')`
			`return False`
Add expiration check 2024-01-13 14:47:22 +00:00			`return False`
Cleaner debug 2024-01-15 09:14:07 +00:00			`if debug:`
			`print(f'Time is: {now_hr}, token expires: {expires_hr}')`
Remove exception 2024-01-13 15:21:55 +00:00			`return True`
Add refresh user function 2024-01-13 14:30:57 +00:00
Switch to custom class 2024-01-12 13:04:13 +00:00			`c.JupyterHub.authenticator_class = NextcloudOAuthenticator`
			`c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']`
			`c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']`
			`c.NextcloudOAuthenticator.login_service = 'Sunet Drive'`
			`c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')`
			`c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'`
			`c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'`
			`c.NextcloudOAuthenticator.token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'`
			`c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'`
			`c.NextcloudOAuthenticator.allow_all = True`
			`c.NextcloudOAuthenticator.refresh_pre_spawn = True`
			`c.NextcloudOAuthenticator.enable_auth_state = True`
			`c.NextcloudOAuthenticator.auth_refresh_age = 3600`
			`c.NextcloudOAuthenticator.post_auth_hook = post_auth_hook`

JupyterHub code 2023-05-03 09:19:31 +00:00			`extraEnv:`
Cleaner debug 2024-01-15 09:14:07 +00:00			`NEXTCLOUD_DEBUG_OAUTH: "yes"`
JupyterHub code 2023-05-03 09:19:31 +00:00			`NEXTCLOUD_HOST: sunet.drive.test.sunet.se`
			`JUPYTER_HOST: jupyter.drive.test.sunet.se`
Allow authstate to be persisted 2024-01-13 15:09:47 +00:00			`JUPYTERHUB_CRYPT_KEY:`
			`valueFrom:`
			`secretKeyRef:`
			`name: jupyterhub-secrets`
			`key: crypt-key`
JupyterHub code 2023-05-03 09:19:31 +00:00			`NEXTCLOUD_CLIENT_ID:`
			`valueFrom:`
			`secretKeyRef:`
			`name: nextcloud-oauth-secrets`
			`key: client-id`
			`NEXTCLOUD_CLIENT_SECRET:`
			`valueFrom:`
			`secretKeyRef:`
			`name: nextcloud-oauth-secrets`
			`key: client-secret`
Update charts to 3.2.1 and make values.yaml match docs 2024-01-11 08:27:05 +00:00			`networkPolicy:`
			`enabled: false`
Simplify Signed-off-by: Micke Nordin <kano@sunet.se> 2024-01-10 12:45:44 +00:00
JupyterHub code 2023-05-03 09:19:31 +00:00			`singleuser:`
			`image:`
			`name: docker.sunet.se/drive/jupyter-custom`
Upgrade lab to lab-4.0.10 2024-01-12 15:07:42 +00:00			`tag: lab-4.0.10`
JupyterHub code 2023-05-03 09:19:31 +00:00			`storage:`
Try persistant storage 2024-01-12 15:12:57 +00:00			`dynamic:`
			`storageClass: csi-sc-cinderplugin`
JupyterHub code 2023-05-03 09:19:31 +00:00			`extraEnv:`
			`JUPYTER_ENABLE_LAB: "yes"`
			`extraFiles:`
			`jupyter_notebook_config:`
			`mountPath: /home/jovyan/.jupyter/jupyter_server_config.py`
			`stringData: \|`
			`import os`
			`c = get_config()`
			`c.NotebookApp.allow_origin = '*'`
			`c.NotebookApp.tornado_settings = {`
			`'headers': { 'Content-Security-Policy': "frame-ancestors *;" }`
			`}`
			`os.system('/usr/local/bin/nc-sync')`
			`mode: 0644`