Support kubespawner internal_ssl #2064

Closed
thomasv314 opened this issue Feb 24, 2021 · 1 comment · Fixed by #2065

Bug description

jupyterhub/kubespawner#409 added support for internal_ssl, where a hub container using KubeSpawner requires the ability to delete services and secrets.

Expected behaviour

Latest kubespawner works with zero-to-jupyterhub chart

Actual behaviour

How to reproduce

c.JupyterHub.internal_ssl = True
c.JupyterHub.spawner_class = 'kubespawner.KubeSpawner'

Your personal set up

zero-to-jupyterhub, k8s 1.18

kubespawner @ master/a16e400
  • Configuration
# jupyterhub_config.py
c.JupyterHub.internal_ssl = True
c.JupyterHub.spawner_class = 'kubespawner.KubeSpawner'
c.JupyterHub.bind_url = "https://0.0.0.0:8081"
c.JupyterHub.hub_bind_url = "https://0.0.0.0:8081"
c.ConfigurableHTTPProxy.api_url = 'https://proxy-api.myns.svc.cluster.local:8001'
c.JupyterHub.trusted_alt_names = ["IP:127.0.0.1", "DNS:jupyter.{{ .Environment.Values.domain }}", "DNS:*.myns.svc.cluster.local"]
c.JupyterHub.hub_connect_url = "https://hub.myns.svc.cluster.local:8081"

c.KubeSpawner.working_dir = '/home/jovyan/'
c.KubeSpawner.internal_ssl = True
c.KubeSpawner.ssl_alt_names = [
  "IP:127.0.0.1",
  "DNS:jupyter.{{ .Environment.Values.domain }}",
  "DNS:*.myns.svc.cluster.local"
]
  • Logs
[I 2021-02-24 17:39:55.681 JupyterHub spawner:2247] Deleting secret/jupyter-tom-2evendetta-40foo-2ecom
[E 2021-02-24 17:39:55.684 JupyterHub spawner:2260] Error deleting {kind}/{name}: {e}
  Traceback (most recent call last):
       File "/usr/local/lib/python3.8/dist-packages/kubespawner/spawner.py", line 2248, in _ensure_not_exists
         await gen.with_timeout(
       File "/usr/lib/python3.8/concurrent/futures/thread.py", line 57, in run
         result = self.fn(*self.args, **self.kwargs)
       File "/usr/local/lib/python3.8/dist-packages/kubespawner/spawner.py", line 1964, in asynchronize
         return method(*args, **kwargs)
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/api/core_v1_api.py", line 12753, in delete_namespaced_secret
         return self.delete_namespaced_secret_with_http_info(name, namespace, **kwargs)  # noqa: E501
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/api/core_v1_api.py", line 12860, in delete_namespaced_secret_with_http_info
         return self.api_client.call_api(
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/api_client.py", line 348, in call_api
         return self.__call_api(resource_path, method,
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/api_client.py", line 180, in __call_api
         response_data = self.request(
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/api_client.py", line 415, in request
         return self.rest_client.DELETE(url,
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/rest.py", line 265, in DELETE
         return self.request("DELETE", url,
       File "/usr/local/lib/python3.8/dist-packages/kubernetes/client/rest.py", line 233, in request
         raise ApiException(http_resp=r)
     kubernetes.client.exceptions.ApiException: (403)
     Reason: Forbidden
     HTTP response headers: HTTPHeaderDict({'Audit-Id': 'f89ae4b4-cffc-4d2a-9fae-e637fe821ea8', 'Cache-Control': 'no-cache, private', 'Content-Type': 'application/json', 'X-Content-Type-Options': 'nosniff', 'Date': 'Wed, 24 Feb 2021 17:39:55 GMT', 'Content-Length': '382'})
     HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"secrets \"jupyter-tom-2evendetta-40foo-2ecom\" is forbidden: User \"system:serviceaccount:myns:hub\" cannot delete resource \"secrets\" in API group \"\" in the namespace \"myns\"","reason":"Forbidden","details":{"name":"jupyter-tom-2evendetta-40foo-2ecom","kind":"secrets"},"code":403}
thomasv314 added the bug label Feb 24, 2021
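
As an added example (not part of the original issue, KubeSpawner, or the chart): a small parser that turns Forbidden response bodies like the one in the log above into the Role rules the denied identity is missing, so a hub Role can be extended with only those verbs. The function names and the service name are assumptions; the second and third sample bodies are constructed.

```python
import json
import re
from collections import defaultdict

# Matches the "message" field of the Forbidden Status shown in the issue log.
DENIAL_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)" in the namespace "(?P<namespace>[^"]+)"'
)

def parse_denial(body):
    """Return user/verb/resource/group/namespace for an RBAC 403 body, else None."""
    try:
        status = json.loads(body)
    except ValueError:
        return None
    if not isinstance(status, dict) or status.get("code") != 403:
        return None
    match = DENIAL_RE.search(status.get("message", ""))
    return match.groupdict() if match else None

def missing_rules(bodies):
    """Group denials into Role-style rules keyed by (namespace, user)."""
    grouped = defaultdict(lambda: defaultdict(set))
    for body in bodies:
        denial = parse_denial(body)
        if denial:
            key = (denial["namespace"], denial["user"])
            grouped[key][(denial["group"], denial["resource"])].add(denial["verb"])
    return {
        key: [{"apiGroups": [g], "resources": [r], "verbs": sorted(rules[(g, r)])}
              for g, r in sorted(rules)]
        for key, rules in grouped.items()
    }

def _forbidden(resource, name):
    """Build a constructed 403 body in the shape of the one in the issue log."""
    msg = (f'{resource} "{name}" is forbidden: User "system:serviceaccount:myns:hub" '
           f'cannot delete resource "{resource}" in API group "" in the namespace "myns"')
    return json.dumps({"kind": "Status", "status": "Failure", "message": msg,
                       "reason": "Forbidden", "code": 403})

# Constructed inputs: the secret name is from the log; the service name is made up.
SAMPLE_BODIES = [
    _forbidden("secrets", "jupyter-tom-2evendetta-40foo-2ecom"),
    _forbidden("services", "jupyter-example-user"),
    json.dumps({"kind": "Status", "reason": "NotFound", "code": 404}),  # ignored
]
print(missing_rules(SAMPLE_BODIES))
```

Each returned rule maps directly onto one entry under `rules:` in a namespaced Role bound to the reported service account.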
welcome bot commented Feb 24, 2021

Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please try to follow the issue template as it helps other community members to contribute more effectively.
You can meet the other Jovyans by joining our Discourse forum. There is also an intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉
