earthlab / hub-ops

Infrastructure and operations for the Earth Lab JupyterHub
https://earthlab-hub-ops.readthedocs.io/en/latest/

a few questions about authentication & config #99

Open lwasser opened 6 years ago

lwasser commented 6 years ago

ok @betatim i have a few questions.

  1. looking at the various yaml files - specifically values.yaml - the items are in different order which makes it difficult to know what things i need to add / are missing etc. Can we make a unified template that we use to add things in the right order and hierarchy.
  2. the authentication. I don't love having a whitelist or authentication "out in the open". is it possible to also stash that in the secrets folder so someone doesn't grab a list of usernames from us? Or do you think that is an issue to be concerned with at all?
  3. I tried to add myself and you as admins. however when i look at the control panel i don't see a way to see and shut down other servers so i'm not an admin. I tried the code below to add us all. do i need to change this: c.JupyterHub.authenticator_class = 'hashauthenticator.HashAuthenticator' or something else for this to work? this part was confusing because each yaml file has things in different orders so it's hard to know what to add where and where hierarchy is important.
    extraConfig:
      auth: |
        c.JupyterHub.authenticator_class = 'hashauthenticator.HashAuthenticator'
      admin: |
        c.Authenticator.admin_users = {'lwasser', 'jlpalomino ', 'betatim'}
        c.JupyterHub.admin_access = True
  4. I tried to change my authenticator on the hub. Now something is happening where i see at the command line that there are several pods but i can't launch a new server from the website url without getting a 504 gateway error. i'm not sure if this is because i made significant changes to the hub and jenny and my servers were not fully shut down. BUT because i wasn't an admin i couldn't shut down our servers so now how do i reset things?

This doesn't work. i suspect because the image-puller hash may be wrong? but i'm not sure where that came from.

kubectl describe pod hook-image-puller-1533307711-84jsw --namespace bootcamp-hub 

SO - how do i reset a hub?

What i did:

kubectl delete --all pods --namespace=bootcamp-hub

this deleted all pods! but it did seem like my workspace persisted when i logged in again... is this kosher behaviour??

betatim commented 6 years ago

(1) I've been thinking what the best approach is to providing config examples. I think having a template that shows off all the things will lead to a huge template. Right now I'm thinking maybe the way to go is to create some complete example configs for particular use cases ("generic workshop hub", "generic class hub", etc). My hope is that this would also make it easier to know "when do I need a custom hub image?". An ambitious but cool tool would be a generate-hub-config tool that asks you a few questions and then generates as much of the config for you as it can.

(2) We can put the config in the secrets part. In principle you could put all the config into the secret part as values.yaml and the secret file are merged before applying them. The downside to putting things in the secret part is that it is harder to discuss them on GitHub.

(3) for admin users we should follow https://earthlab-hub-ops.readthedocs.io/en/latest/authentication.html#user-whitelist-and-admin-accounts instead of using the extraConfig escape hatch as I did for the wshub. The HashAuthenticator line is unrelated to admin users.

(4) should we discuss this in chat and then post a follow-up here? I am not quite sure I understand what you want to do. In general the way to "restart" a pod is to delete it. The way kubernetes works is that in our helm chart (configured via values.yaml) we describe how we want things to be. Kubernetes will then try its hardest to make things that way. So deleting a pod will cause kubernetes to notice that the world isn't as it should be and start that pod again. This means that the way to change things is to change the configuration. This will make kubernetes notice that the world is not as you want it to be, it will then do its best to make the world the way it should be according to the configuration.

If you do want to bump the hub pod I would use kubectl delete pod hub-8649c59b9d-j4vh9 --namespace bootcamp-hub replacing the name of the pod with whatever it currently is. This is a useful tool to have because there currently is a bug in JupyterHub-on-kubernetes where the hub loses track of what user pods are running. This manifests in people trying to login but never getting a pod. The way to fix it is to restart the hub using the kubectl delete pod ... command from above. This bug doesn't surface very often though, maybe once a week or every ten days on mybinder.org.
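
The merge of values.yaml and the secret file mentioned in (2), as an added example that is not part of this thread or of the hub-ops code: it keeps the user lists in the secret part, then checks that none were left in the public file and that no name carries stray whitespace. Assumptions: Helm-style merging (nested maps merged key by key with the later file winning, lists replaced whole), an auth.whitelist.users / auth.admin.users key layout, and constructed dicts standing in for the two parsed YAML files.

```python
import copy

# Constructed stand-ins for the two parsed YAML files. The key layout
# (auth.whitelist.users, auth.admin.users) is an assumption for illustration.
PUBLIC_VALUES = {   # values.yaml: visible and discussable on GitHub
    "auth": {"admin": {"access": True}},
}
SECRET_VALUES = {   # secret file: constructed, with one trailing-space typo
    "auth": {
        "admin": {"users": ["lwasser", "betatim"]},
        "whitelist": {"users": ["lwasser", "jlpalomino ", "betatim"]},
    },
}
USER_LIST_PATHS = [("auth", "whitelist", "users"), ("auth", "admin", "users")]


def merge_values(base, override):
    """Overlay override on base: nested maps merge, everything else is replaced."""
    merged = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = merge_values(merged[key], value)
        else:
            merged[key] = copy.deepcopy(value)
    return merged


def lookup(values, path):
    """Follow a key path through nested dicts; None if any step is missing."""
    for key in path:
        if not isinstance(values, dict) or key not in values:
            return None
        values = values[key]
    return values


def user_lists_in_public(public_values):
    """Dotted paths of user lists that were left in the public file."""
    return [".".join(p) for p in USER_LIST_PATHS if lookup(public_values, p)]


def suspicious_usernames(effective):
    """Names in the merged config with stray whitespace (almost always a typo)."""
    names = [n for p in USER_LIST_PATHS for n in lookup(effective, p) or []]
    return sorted({n for n in names if n != n.strip()})


if __name__ == "__main__":
    effective = merge_values(PUBLIC_VALUES, SECRET_VALUES)
    print("user lists still public:", user_lists_in_public(PUBLIC_VALUES))
    print("names to fix:", suspicious_usernames(effective))
```

Run against the real parsed files, the first check fits a pre-commit or CI step on values.yaml, and the second is best run on the merged result just before deploying.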