Seed secrets (proxy.secretToken, etc) so they don't have to be manually generated #1993
Conversation
consideRatio
force-pushed
the
pr/seed-secrets
branch
6 times, most recently
from
776bafd to
dbe8403
Compare
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
dbe8403 to
d6eca86
Compare
consideRatio
changed the title
|
I like it, I'll test it locally if I have time. I guess we'll need to update the Z2JH docs too? |
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
d6eca86 to
f068a19
Compare
consideRatio
force-pushed
the
pr/seed-secrets
branch
2 times, most recently
from
ddf3e1a to
abdd456
Compare
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
abdd456 to
78b6d75
Compare
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
3aa39ca to
fc3f27e
Compare
|
|
||
| ``` | ||
| helm upgrade --cleanup-on-fail jhub jupyterhub/jupyterhub -f config.yaml | ||
| ``` |
There was a problem hiding this comment.
There is an open issue to improve the debugging section, so instead of finding an example with diagnosis etc that wasn't correct any more, I opted to delete the section.
| <!--- | ||
| Don't put an example here! People will just copy paste that & that's a | ||
| security issue. | ||
| --> |
There was a problem hiding this comment.
There were significant differences here, so I ended up updating some leading paragraphs as well.
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
4f17b51 to
f96f255
Compare
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
f96f255 to
4517d02
Compare
| @@ -372,6 +372,11 @@ def camelCaseify(s): | |||
| c.Spawner.debug = True | |||
|
|
|||
|
|
|||
| # load seeded secrets | |||
| c.JupyterHub.proxy_auth_token = get_secret_value("JupyterHub.proxy_auth_token") | |||
There was a problem hiding this comment.
To clarify: the change here is that these secrets are no longer optional in the chart, and cannot possibly be left unspecified or null, is that correct? The previous logic allowed these to be unspecified, in which case the existing default behavior would occur, but explicitly setting them to null or empty values is not the same thing.
There was a problem hiding this comment.
It is correct that we will now always provide a value to these three configuration options, if you search for "assert hack" you will find an assertion I make about that.
Any falsy value for proxy.secretToken, hub.cookieSecret, hub.config.CryptKeeper.keys would lead to automatic generation of a new passwords.
Is this indirectly influencing the behavior of JupyterHub?
There was a problem hiding this comment.
get_secret_value("JupyterHub.proxy_auth_token") returns the hub k8s Secret's key's value, which in turn is set by a named template, which in turn has priority logic to:
- return any explicitly set value
- return the previous k8s Secret's value
- return autogenerated value
|
This is great! Resetting / rotating these values is important when you believe they're compromised. Access to proxy secret basically gives you full access to every user's traffic, and access to cookie secret is terrible too. Rotating cookie secret logs everyone out (I think) and that's also very useful. So as long as these can be set explicitly, I'm <3. But, great that it isn't required! |
|
Thanks @minrk and @yuvipanda for your feedback!!
While it is a bit of a feature creep of this PR, do you have a suggestion on what API to use in order to do this? Passing |
If these properties are set explicitly, they should take precedence over the autogenerated values. I think that's the best way to do this. So if we are only autogenerating values when the fields are unset, that's good enough :) |
Okay yeah then we are good to go - that is what this PR currently does. |
consideRatio
force-pushed
the
pr/seed-secrets
branch
from
25bf8a0 to
b8c60ef
Compare
|
I added a randHex function and made the generated length 64 hex characters, which aligns with documentation in JupyterHub for cookie secret and how we previously instructed users to generate their passwords. That was the last itch I had with regards to this PR. |
|
Awesome! So great to have this resolved. |
jupyterhub/zero-to-jupyterhub-k8s#1993 Merge pull request #1993 from consideRatio/pr/seed-secrets
|
Wieeee thanks for review / merge @minrk @yuvipanda @manics! 🎉 ❤️ |
Followup fixes to seed secrets PR (#1993)
With jupyterhub/zero-to-jupyterhub-k8s#1993, these are no longer required to be explicitly set. We remove both just for staging hubs - doing so for production hubs will cause everyone to be logged out (cookieSecret) and temporarily disconnected (proxy.secretToken) so we aren't doing that yet
| {{- $result := "" }} | ||
| {{- range $i := until 100 }} | ||
| {{- if lt (len $result) . }} | ||
| {{- $rand_list := randAlphaNum . | splitList "" -}} |
There was a problem hiding this comment.
For those curious - randAlphaNum is cryptographically safe too - http://masterminds.github.io/sprig/strings.html.
|
Also, you can rotate these secrets with |
Follow-up to berkeley-dsep-infra/datahub#2381. I verified that this doesn't *actually* rotate the secrets themeselves - just removes them from git. This just reduces the amount of secret data we store here. See jupyterhub/zero-to-jupyterhub-k8s#1993 for more info on what is happening here.
Thanks to jupyterhub/zero-to-jupyterhub-k8s#1993, proxy.secretToken is automatically generated :)
Wouldn't it be great if we could automatically seed the passwords like
proxy.secretToken,hub.cookieSecret, andhub.config.CryptKeeper.keys, so that the user doesn't have to generate and set them manually?The reason we haven't before is that we had no mechanism to re-use previous generated passwords, but that changed with Helm 3.1 that introduced the
lookupfunction which we can make use of following #1994.The strategy in this PR is to...
lookupfunction!)With this, we close #1910.
Action points
Notes for changelog
Note that users should make the upgrade once and then remove what they previously set explicitly in order to avoid a key rotation.
Bonus feature for another PR