Update to latest OSL Prod.

ASFOpenSARlab · Oct 4, 2024 · 74d99c5 · 74d99c5
1 parent 7f422e4
commit 74d99c5
Show file tree

Hide file tree

Showing 49 changed files with 2,153 additions and 1,444 deletions.
diff --git a/README → README.md b/README → README.md
@@ -1,3 +1,7 @@
+
+** This code repo is a santized copy of the production OpenSARLab. It is not guarenteed to be current. **
+
+
 1. Build the docker images first based off `opensarlab-container`.
 
 1. Deploy the following in the same AWS account and region as the previous container images.

diff --git a/egress_configs/egress.yaml.j2 b/egress_configs/egress.yaml.j2
@@ -136,7 +136,7 @@ spec:
 ##  host: {{ host }}
 ##  workloadSelector:
 ##    matchLabels:
-##      egress-profile: {{ profile }}
+##      opensciencelab.local/egress-profile: {{ profile }}
 ##  trafficPolicy:
 ##    tls:
 ##      mode: ISTIO_MUTUAL
@@ -166,7 +166,7 @@ spec:
 ##  host: {{ host }}
 ##  workloadSelector:
 ##    matchLabels:
-##      egress-profile: {{ profile }}
+##      opensciencelab.local/egress-profile: {{ profile }}
 ##  trafficPolicy:
 ##    tls:
 ##      mode: ISTIO_MUTUAL
@@ -293,7 +293,7 @@ spec:
     {%- endif %}
   workloadSelector:
     labels:
-      egress-profile: {{ profile }}
+      opensciencelab.local/egress-profile: {{ profile }}
   egress:
     - hosts:
       {%- for host in hosts %}
@@ -320,7 +320,7 @@ metadata:
 spec:
   workloadSelector:
     labels:
-      egress-profile: {{ profile }}
+      opensciencelab.local/egress-profile: {{ profile }}
   configPatches:
 ##    - applyTo: NETWORK_FILTER
 ##      match:

diff --git a/egress_configs/render_egress.py b/egress_configs/render_egress.py
diff --git a/egress_configs/tests/helpers/jump_in_test_pod.sh b/egress_configs/tests/helpers/jump_in_test_pod.sh
@@ -1,6 +1,6 @@
 
 SE_PROFILE=none
 
-SOURCE_POD=$(kubectl -n jupyter get pod -l app=sleep -l egress-profile=$SE_PROFILE -o jsonpath='{.items[0].metadata.name}')
+SOURCE_POD=$(kubectl -n jupyter get pod -l app=sleep -l opensciencelab.local/egress-profile=$SE_PROFILE -o jsonpath='{.items[0].metadata.name}')
 
 kubectl -n jupyter exec -it $SOURCE_POD -- sh
diff --git a/egress_configs/tests/helpers/setup_minikube_and_istio.sh b/egress_configs/tests/helpers/setup_minikube_and_istio.sh
@@ -67,7 +67,7 @@ echo "Install small container called "sleep" for playing around with..."
 kubectl create namespace jupyter --dry-run=client -o yaml | kubectl apply -f -
 kubectl label namespace jupyter istio-injection=enabled --overwrite
 kubectl -n jupyter apply -f https://raw.githubusercontent.com/istio/istio/release-1.19/samples/sleep/sleep.yaml
-kubectl -n jupyter patch deployments/sleep -p '{"spec":{"template":{"metadata":{"labels":{"egress-profile":"'$SE_PROFILE'"}}}}}'
+kubectl -n jupyter patch deployments/sleep -p '{"spec":{"template":{"metadata":{"labels":{"opensciencelab.local/egress-profile":"'$SE_PROFILE'"}}}}}'
 kubectl scale --replicas=1 deployment sleep -n jupyter
 
 

diff --git a/jupyterhub/config.d/1_service_creds.py.jinja b/jupyterhub/config.d/1_service_creds.py.jinja
@@ -16,16 +16,18 @@ def get_jh_secret(secret_name: str) -> str:
 set_jh_secret('lab-user-ro-token', str(secrets.token_hex(32)))
 set_jh_secret('lab-user-w-token', str(secrets.token_hex(32)))
 
-c.JupyterHub.services = [
-    {
+# c.JupyterHub.services is defined eariler in the JupyterHub config
+c.JupyterHub.services.append({
         "name": "lab-user-ro-service",
         "api_token": get_jh_secret('lab-user-ro-token'),
-    },
-    {
+    }
+)
+c.JupyterHub.services.append({
         "name": "lab-user-w-service",
         "api_token": get_jh_secret('lab-user-w-token'),
-    },
-    {
+    }
+)
+c.JupyterHub.services.append({
         "name": "jupyterhub-idle-culler-service",
         "command": [
             sys.executable,
@@ -35,10 +37,10 @@ c.JupyterHub.services = [
             "--url=http://127.0.0.1:8081/lab/{{ parameters.lab_short_name }}/hub/api"
         ],
     }
-]
+)
 
-c.JupyterHub.load_roles = [
-    {
+# c.JupyterHub.load_roles is defined eariler in the JupyterHub config
+c.JupyterHub.load_roles.append({
         "name": "lab-user-ro-service-role",
         "scopes": [ 
             'read:roles:users',
@@ -48,17 +50,19 @@ c.JupyterHub.load_roles = [
         "services": [
             "lab-user-ro-service",
         ],
-    },
-    {
+    }
+)
+c.JupyterHub.load_roles.append({
         "name": "lab-user-w-service-role",
         "scopes": [ 
             'groups'
         ],
         "services": [
             "lab-user-w-service",
         ],
-    },
-    {
+    }
+)
+c.JupyterHub.load_roles.append({
         "name": "jupyterhub-idle-culler-role",
         "scopes": [
             "list:users",
@@ -74,4 +78,4 @@ c.JupyterHub.load_roles = [
             "jupyterhub-idle-culler-service"
         ],
     }
-]
+)
diff --git a/jupyterhub/config.d/2_auth.py b/jupyterhub/config.d/2_auth.py
@@ -5,33 +5,33 @@
 
 # This try/except is needed for debugging if a problem occurs. AWS Codebuild doesn't allow for useful error messaging.
 try:
-
     ## Set SSO token to secrets path
-    secrets_manager = boto3.client('secretsmanager', region_name=f"{z2jh.get_config('custom.AWS_REGION')}")
-    _sso_token = secrets_manager.get_secret_value(SecretId=f"sso-token/{z2jh.get_config('custom.AWS_REGION')}-{z2jh.get_config('custom.CLUSTER_NAME')}")
-    sso_token_path = os.environ.get('OPENSARLAB_SSO_TOKEN_PATH', '')
-    with open(sso_token_path, 'w') as file:
-        file.write(_sso_token['SecretString'])
-
-    # If an error occurs with setting the auth but JupyterHub still starts, the dummy login will be the default. 
+    secrets_manager = boto3.client(
+        "secretsmanager", region_name=f"{z2jh.get_config('custom.AWS_REGION')}"
+    )
+    _sso_token = secrets_manager.get_secret_value(
+        SecretId=f"sso-token/{z2jh.get_config('custom.AWS_REGION')}-{z2jh.get_config('custom.CLUSTER_NAME')}"
+    )
+    sso_token_path = os.environ.get("OPENSARLAB_SSO_TOKEN_PATH", "")
+    with open(sso_token_path, "w") as file:
+        file.write(_sso_token["SecretString"])
+
+    # If an error occurs with setting the auth but JupyterHub still starts, the dummy login will be the default.
     # This could lead to unauthorized entry. So disable login until the last needed moment.
     print("Disabling login temporarily...")
-    c.JupyterHub.authenticator_class = 'nullauthenticator.NullAuthenticator'
+    c.JupyterHub.authenticator_class = "nullauthenticator.NullAuthenticator"
 
-    LAB_SHORTNAME = os.environ['JUPYTERHUB_LAB_NAME']
+    LAB_SHORTNAME = os.environ["JUPYTERHUB_LAB_NAME"]
     c.JupyterHub.default_url = f"/lab/{LAB_SHORTNAME}/hub/home"
 
     c.JupyterHub.tornado_settings = {
-        'cookie_options': {
-            'expires_days': 1.
-        },
-        'headers': {
-            'x-jupyterhub-lab': LAB_SHORTNAME
-        }
+        "cookie_options": {"expires_days": 1.0},
+        "headers": {"x-jupyterhub-lab": LAB_SHORTNAME},
     }
 
     print("All good so far. Setting login to Portal Auth...")
     from jupyterhub.portal_auth import PortalAuthenticator
+
     c.JupyterHub.authenticator_class = PortalAuthenticator
 
 except Exception as e: