baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(jupyterhub): adjust vault token ttl and max-ttl

Browse Source
This commit is contained in:
Masaki Yatsu
2025-09-03 10:55:16 +09:00
parent 67dd348705
commit 22e73d9a3d
4 changed files with 58 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
jupyterhub/jupyterhub-values.gomplate.yaml
View File

@@ -11,6 +11,11 @@ hub:
#!/bin/bash #!/bin/bash
pip install --no-cache-dir hvac==2.3.0 pip install --no-cache-dir hvac==2.3.0
exec jupyterhub --config /usr/local/etc/jupyterhub/jupyterhub_config.py --upgrade-db exec jupyterhub --config /usr/local/etc/jupyterhub/jupyterhub_config.py --upgrade-db
user_policy.hcl:
mountPath: /srv/jupyterhub/user_policy.hcl
mode: 0644
stringData: |
{{ .Env.USER_POLICY_HCL | strings.Indent 8 }}
# Override the default command to run our startup script first # Override the default command to run our startup script first
command: command:
@@ -73,36 +78,15 @@ hub:
# Step 2: Create user-specific policy # Step 2: Create user-specific policy
user_policy_name = "jupyter-user-{}".format(username) user_policy_name = "jupyter-user-{}".format(username)
user_path = "secret/data/jupyter/users/{}/*".format(username)
user_metadata_path = "secret/metadata/jupyter/users/{}/*".format(username)
user_base_path = "secret/metadata/jupyter/users/{}".format(username)
user_policy = ( # Read policy template from file
"# User-specific policy for {}\n".format(username) + import os
"path \"{}\" ".format(user_path) + "{\n" + policy_template_path = "/srv/jupyterhub/user_policy.hcl"
" capabilities = [\"create\", \"update\", \"read\", \"delete\", \"list\"]\n" + with open(policy_template_path, 'r') as f:
"}\n\n" + policy_template = f.read()
"path \"{}\" ".format(user_metadata_path) + "{\n" +
" capabilities = [\"list\", \"read\", \"delete\", \"update\"]\n" + # Replace {username} placeholder with actual username
"}\n\n" + user_policy = policy_template.replace("{username}", username)
"path \"{}\" ".format(user_base_path) + "{\n" +
" capabilities = [\"list\"]\n" +
"}\n\n" +
"# Read access to shared resources\n" +
"path \"secret/data/jupyter/shared/*\" {\n" +
" capabilities = [\"read\", \"list\"]\n" +
"}\n\n" +
"path \"secret/metadata/jupyter/shared\" {\n" +
" capabilities = [\"list\"]\n" +
"}\n\n" +
"# Token management capabilities\n" +
"path \"auth/token/lookup-self\" {\n" +
" capabilities = [\"read\"]\n" +
"}\n\n" +
"path \"auth/token/renew-self\" {\n" +
" capabilities = [\"update\"]\n" +
"}"
)
# Write user-specific policy # Write user-specific policy
try: try:

11
jupyterhub/justfile
View File

@@ -17,6 +17,8 @@ export JUPYTER_PROFILE_TENSORFLOW_ENABLED := env("JUPYTER_PROFILE_TENSORFLOW_ENA
export JUPYTER_PROFILE_BUUN_STACK_ENABLED := env("JUPYTER_PROFILE_BUUN_STACK_ENABLED", "false") export JUPYTER_PROFILE_BUUN_STACK_ENABLED := env("JUPYTER_PROFILE_BUUN_STACK_ENABLED", "false")
export JUPYTER_PROFILE_BUUN_STACK_CUDA_ENABLED := env("JUPYTER_PROFILE_BUUN_STACK_CUDA_ENABLED", "false") export JUPYTER_PROFILE_BUUN_STACK_CUDA_ENABLED := env("JUPYTER_PROFILE_BUUN_STACK_CUDA_ENABLED", "false")
export IMAGE_REGISTRY := env("IMAGE_REGISTRY", "localhost:30500") export IMAGE_REGISTRY := env("IMAGE_REGISTRY", "localhost:30500")
export NOTEBOOK_VAULT_TOKEN_TTL := env("NOTEBOOK_VAULT_TOKEN_TTL", "1h")
export NOTEBOOK_VAULT_TOKEN_MAX_TTL := env("NOTEBOOK_VAULT_TOKEN_MAX_TTL", "720h")
export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack") export KEYCLOAK_REALM := env("KEYCLOAK_REALM", "buunstack")
export LONGHORN_NAMESPACE := env("LONGHORN_NAMESPACE", "longhorn") export LONGHORN_NAMESPACE := env("LONGHORN_NAMESPACE", "longhorn")
export VAULT_ADDR := env("VAULT_ADDR", "http://vault.vault.svc:8200") export VAULT_ADDR := env("VAULT_ADDR", "http://vault.vault.svc:8200")
@@ -112,6 +114,9 @@ install:
just create-jupyterhub-vault-token just create-jupyterhub-vault-token
export JUPYTERHUB_VAULT_TOKEN=$(just vault::get jupyterhub/vault-token token) export JUPYTERHUB_VAULT_TOKEN=$(just vault::get jupyterhub/vault-token token)
# Read user policy template for Vault
export USER_POLICY_HCL=$(cat user_policy.hcl)
# https://z2jh.jupyter.org/en/stable/ # https://z2jh.jupyter.org/en/stable/
gomplate -f jupyterhub-values.gomplate.yaml -o jupyterhub-values.yaml gomplate -f jupyterhub-values.gomplate.yaml -o jupyterhub-values.yaml
@@ -207,14 +212,16 @@ setup-vault-jwt-auth:
echo " # Each user gets their own isolated Vault token and policy" echo " # Each user gets their own isolated Vault token and policy"
# Create JupyterHub Vault token (uses admin policy for JWT operations) # Create JupyterHub Vault token (uses admin policy for JWT operations)
create-jupyterhub-vault-token ttl="8760h": create-jupyterhub-vault-token:
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
echo "Creating JupyterHub Vault token with admin policy..." echo "Creating JupyterHub Vault token with admin policy..."
echo " TTL: ${NOTEBOOK_VAULT_TOKEN_TTL}"
echo " Max TTL: ${NOTEBOOK_VAULT_TOKEN_MAX_TTL}"
# JupyterHub needs admin privileges to read Keycloak credentials from Vault # JupyterHub needs admin privileges to read Keycloak credentials from Vault
# Create token and store in Vault # Create token and store in Vault
just vault::create-token-and-store admin jupyterhub/vault-token {{ ttl }} just vault::create-token-and-store admin jupyterhub/vault-token ${NOTEBOOK_VAULT_TOKEN_TTL} ${NOTEBOOK_VAULT_TOKEN_MAX_TTL}
echo "✓ JupyterHub Vault token created and stored" echo "✓ JupyterHub Vault token created and stored"
echo "" echo ""

30
jupyterhub/user_policy.hcl Normal file
View File

@@ -0,0 +1,30 @@
# User-specific policy for {username}
path "secret/data/jupyter/users/{username}/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}
path "secret/metadata/jupyter/users/{username}/*" {
capabilities = ["list", "read", "delete", "update"]
}
path "secret/metadata/jupyter/users/{username}" {
capabilities = ["list"]
}
# Read access to shared resources
path "secret/data/jupyter/shared/*" {
capabilities = ["read", "list"]
}
path "secret/metadata/jupyter/shared" {
capabilities = ["list"]
}
# Token management capabilities
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}

8
vault/justfile
View File

@@ -137,14 +137,18 @@ create-admin-token root_token='': check-env
vault token create -policy=admin vault token create -policy=admin
# Create token with specified policy and store in Vault # Create token with specified policy and store in Vault
create-token-and-store policy path ttl="24h" root_token='': check-env create-token-and-store policy path ttl="24h" max_ttl="" root_token='': check-env
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
{{ _vault_root_env_setup }} {{ _vault_root_env_setup }}
echo "Creating token with policy '{{ policy }}'..." echo "Creating token with policy '{{ policy }}'..."
# Create token with specified policy # Create token with specified policy
token_output=$(vault token create -policy={{ policy }} -ttl={{ ttl }} -format=json) max_ttl_arg=""
if [ -n "{{ max_ttl }}" ]; then
max_ttl_arg="-explicit-max-ttl={{ max_ttl }}"
fi
token_output=$(vault token create -policy={{ policy }} -ttl={{ ttl }} ${max_ttl_arg} -format=json)
service_token=$(echo "${token_output}" | jq -r '.auth.client_token') service_token=$(echo "${token_output}" | jq -r '.auth.client_token')
echo "Storing token in Vault at path '{{ path }}'..." echo "Storing token in Vault at path '{{ path }}'..."