Commit da53f3c9 authored by Dmitriy Zaporozhets's avatar Dmitriy Zaporozhets

Merge branch 'restrict-jupyter-login' into 'master'

Project whitelist for JupyterHub deployment

See merge request gitlab-org/gitlab-ce!25684
parents cde346f3 236927a4
...@@ -3,7 +3,7 @@ ...@@ -3,7 +3,7 @@
module Clusters module Clusters
module Applications module Applications
class Jupyter < ActiveRecord::Base class Jupyter < ActiveRecord::Base
VERSION = 'v0.6'.freeze VERSION = '0.9-174bbd5'.freeze
self.table_name = 'clusters_applications_jupyter' self.table_name = 'clusters_applications_jupyter'
...@@ -75,17 +75,22 @@ module Clusters ...@@ -75,17 +75,22 @@ module Clusters
"gitlab" => { "gitlab" => {
"clientId" => oauth_application.uid, "clientId" => oauth_application.uid,
"clientSecret" => oauth_application.secret, "clientSecret" => oauth_application.secret,
"callbackUrl" => callback_url "callbackUrl" => callback_url,
"gitlabProjectIdWhitelist" => [project_id]
} }
}, },
"singleuser" => { "singleuser" => {
"extraEnv" => { "extraEnv" => {
"GITLAB_CLUSTER_ID" => cluster.id "GITLAB_CLUSTER_ID" => cluster.id.to_s
} }
} }
} }
end end
def project_id
cluster&.project&.id
end
def gitlab_url def gitlab_url
Gitlab.config.gitlab.url Gitlab.config.gitlab.url
end end
......
---
title: Project level filtering for JupyterHub
merge_request: 25684
author: Amit Rathi (amit1rrr)
type: changed
...@@ -182,7 +182,7 @@ To add an existing Kubernetes cluster to your project: ...@@ -182,7 +182,7 @@ To add an existing Kubernetes cluster to your project:
namespace: 11 bytes namespace: 11 bytes
token: <authentication_token> token: <authentication_token>
``` ```
NOTE: **Note:** NOTE: **Note:**
For GKE clusters, you will need the For GKE clusters, you will need the
`container.clusterRoleBindings.create` permission to create a cluster `container.clusterRoleBindings.create` permission to create a cluster
...@@ -326,7 +326,7 @@ install it manually. ...@@ -326,7 +326,7 @@ install it manually.
NOTE: **Note:** NOTE: **Note:**
Before starting the installation of applications, make sure that time is synchronized Before starting the installation of applications, make sure that time is synchronized
between your GitLab server and your Kubernetes cluster. Otherwise, installation could fail between your GitLab server and your Kubernetes cluster. Otherwise, installation could fail
and you may get errors like `Error: remote error: tls: bad certificate` and you may get errors like `Error: remote error: tls: bad certificate`
in the `stdout` of pods created by GitLab in your Kubernetes cluster. in the `stdout` of pods created by GitLab in your Kubernetes cluster.
GitLab provides a one-click install for various applications which can GitLab provides a one-click install for various applications which can
...@@ -353,7 +353,7 @@ by GitLab before installing any of the applications. ...@@ -353,7 +353,7 @@ by GitLab before installing any of the applications.
| [Cert Manager](http://docs.cert-manager.io/en/latest/) | 11.6+ | Cert Manager is a native Kubernetes certificate management controller that helps with issuing certificates. Installing Cert Manager on your cluster will issue a certificate by [Let's Encrypt](https://letsencrypt.org/) and ensure that certificates are valid and up-to-date. | [stable/cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) | | [Cert Manager](http://docs.cert-manager.io/en/latest/) | 11.6+ | Cert Manager is a native Kubernetes certificate management controller that helps with issuing certificates. Installing Cert Manager on your cluster will issue a certificate by [Let's Encrypt](https://letsencrypt.org/) and ensure that certificates are valid and up-to-date. | [stable/cert-manager](https://github.com/helm/charts/tree/master/stable/cert-manager) |
| [Prometheus](https://prometheus.io/docs/introduction/overview/) | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications. | [stable/prometheus](https://github.com/helm/charts/tree/master/stable/prometheus) | | [Prometheus](https://prometheus.io/docs/introduction/overview/) | 10.4+ | Prometheus is an open-source monitoring and alerting system useful to supervise your deployed applications. | [stable/prometheus](https://github.com/helm/charts/tree/master/stable/prometheus) |
| [GitLab Runner](https://docs.gitlab.com/runner/) | 10.6+ | GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with [GitLab CI/CD](https://about.gitlab.com/features/gitlab-ci-cd/), the open-source continuous integration service included with GitLab that coordinates the jobs. When installing the GitLab Runner via the applications, it will run in **privileged mode** by default. Make sure you read the [security implications](#security-implications) before doing so. | [runner/gitlab-runner](https://gitlab.com/charts/gitlab-runner) | | [GitLab Runner](https://docs.gitlab.com/runner/) | 10.6+ | GitLab Runner is the open source project that is used to run your jobs and send the results back to GitLab. It is used in conjunction with [GitLab CI/CD](https://about.gitlab.com/features/gitlab-ci-cd/), the open-source continuous integration service included with GitLab that coordinates the jobs. When installing the GitLab Runner via the applications, it will run in **privileged mode** by default. Make sure you read the [security implications](#security-implications) before doing so. | [runner/gitlab-runner](https://gitlab.com/charts/gitlab-runner) |
| [JupyterHub](http://jupyter.org/) | 11.0+ | [JupyterHub](https://jupyterhub.readthedocs.io/en/stable/) is a multi-user service for managing notebooks across a team. [Jupyter Notebooks](https://jupyter-notebook.readthedocs.io/en/latest/) provide a web-based interactive programming environment used for data analysis, visualization, and machine learning. We use a [custom Jupyter image](https://gitlab.com/gitlab-org/jupyterhub-user-image/blob/master/Dockerfile) that installs additional useful packages on top of the base Jupyter. You will also see ready-to-use DevOps Runbooks built with Nurtch's [Rubix library](https://github.com/amit1rrr/rubix). More information on creating executable runbooks can be found in [our Nurtch documentation](runbooks/index.md#nurtch-executable-runbooks). **Note**: Authentication will be enabled for any user of the GitLab server via OAuth2. HTTPS will be supported in a future release. | [jupyter/jupyterhub](https://jupyterhub.github.io/helm-chart/) | | [JupyterHub](http://jupyter.org/) | 11.0+ | [JupyterHub](https://jupyterhub.readthedocs.io/en/stable/) is a multi-user service for managing notebooks across a team. [Jupyter Notebooks](https://jupyter-notebook.readthedocs.io/en/latest/) provide a web-based interactive programming environment used for data analysis, visualization, and machine learning. We use a [custom Jupyter image](https://gitlab.com/gitlab-org/jupyterhub-user-image/blob/master/Dockerfile) that installs additional useful packages on top of the base Jupyter. Authentication will be enabled only for [project members](../members/index.md) with [Developer or higher](../../permissions.md) access to the project. You will also see ready-to-use DevOps Runbooks built with Nurtch's [Rubix library](https://github.com/amit1rrr/rubix). More information on creating executable runbooks can be found in [our Nurtch documentation](runbooks/index.md#nurtch-executable-runbooks). | [jupyter/jupyterhub](https://jupyterhub.github.io/helm-chart/) |
| [Knative](https://cloud.google.com/knative) | 11.5+ | Knative provides a platform to create, deploy, and manage serverless workloads from a Kubernetes cluster. It is used in conjunction with, and includes [Istio](https://istio.io) to provide an external IP address for all programs hosted by Knative. You will be prompted to enter a wildcard domain where your applications will be exposed. Configure your DNS server to use the external IP address for that domain. For any application created and installed, they will be accessible as `<program_name>.<kubernetes_namespace>.<domain_name>`. This will require your kubernetes cluster to have [RBAC enabled](#role-based-access-control-rbac). | [knative/knative](https://storage.googleapis.com/triggermesh-charts) | [Knative](https://cloud.google.com/knative) | 11.5+ | Knative provides a platform to create, deploy, and manage serverless workloads from a Kubernetes cluster. It is used in conjunction with, and includes [Istio](https://istio.io) to provide an external IP address for all programs hosted by Knative. You will be prompted to enter a wildcard domain where your applications will be exposed. Configure your DNS server to use the external IP address for that domain. For any application created and installed, they will be accessible as `<program_name>.<kubernetes_namespace>.<domain_name>`. This will require your kubernetes cluster to have [RBAC enabled](#role-based-access-control-rbac). | [knative/knative](https://storage.googleapis.com/triggermesh-charts)
With the exception of Knative, the applications will be installed in a dedicated With the exception of Knative, the applications will be installed in a dedicated
......
...@@ -39,7 +39,7 @@ describe Clusters::Applications::Jupyter do ...@@ -39,7 +39,7 @@ describe Clusters::Applications::Jupyter do
it 'should be initialized with 4 arguments' do it 'should be initialized with 4 arguments' do
expect(subject.name).to eq('jupyter') expect(subject.name).to eq('jupyter')
expect(subject.chart).to eq('jupyter/jupyterhub') expect(subject.chart).to eq('jupyter/jupyterhub')
expect(subject.version).to eq('v0.6') expect(subject.version).to eq('0.9-174bbd5')
expect(subject).to be_rbac expect(subject).to be_rbac
expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/') expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/')
expect(subject.files).to eq(jupyter.files) expect(subject.files).to eq(jupyter.files)
...@@ -57,7 +57,7 @@ describe Clusters::Applications::Jupyter do ...@@ -57,7 +57,7 @@ describe Clusters::Applications::Jupyter do
let(:jupyter) { create(:clusters_applications_jupyter, :errored, version: '0.0.1') } let(:jupyter) { create(:clusters_applications_jupyter, :errored, version: '0.0.1') }
it 'should be initialized with the locked version' do it 'should be initialized with the locked version' do
expect(subject.version).to eq('v0.6') expect(subject.version).to eq('0.9-174bbd5')
end end
end end
end end
...@@ -77,6 +77,7 @@ describe Clusters::Applications::Jupyter do ...@@ -77,6 +77,7 @@ describe Clusters::Applications::Jupyter do
expect(values).to include('singleuser') expect(values).to include('singleuser')
expect(values).to match(/clientId: '?#{application.oauth_application.uid}/) expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
expect(values).to match(/callbackUrl: '?#{application.callback_url}/) expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
expect(values).to include("gitlabProjectIdWhitelist:\n - #{application.cluster.project.id}")
end end
context 'when cluster belongs to a project' do context 'when cluster belongs to a project' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment