Merge pull request #2016 from consideRatio/pr/fix-seed-secrets

Followup fixes to seed secrets PR (#1993)
jupyterhub · Jan 29, 2021 · 8b63e21 · 8b63e21
2 parents 68128df + 437ed29
commit 8b63e21
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 21 deletions.
diff --git a/.github/workflows/test-chart.yaml b/.github/workflows/test-chart.yaml
@@ -191,6 +191,9 @@ jobs:
           export STRING_REPLACER_A=$LOCAL_CHART_VERSION
           export STRING_REPLACER_B=$UPGRADE_FROM_VERSION
 
+          echo "NOTE: Helm diff upgrade won't trigger lookup functions, so it"
+          echo "      will look like we seed new passwords all the time."
+          echo
           echo "NOTE: For the helm diff only, we have replaced the new chart"
           echo "      version with the old chart version to reduce clutter."
           echo

diff --git a/jupyterhub/templates/hub/_helpers-passwords.tpl b/jupyterhub/templates/hub/_helpers-passwords.tpl
@@ -5,37 +5,38 @@
     proxy.secretToken       / hub.config.JupyterHub.proxy_auth_token
     hub.cookieSecret        / hub.config.JupyterHub.cookie_secret
     auth.state.cryptoKey    / hub.config.CryptKeeper.keys
+
+    Note that lookup logic returns falsy value when run with
+    `helm diff upgrade`, so it is a bit troublesome to test.
 */}}
 
 {{/*
     Returns given number of random Hex characters.
 
-    In practice, it generates up to 100 randAlphaNum strings
-    that are filtered from non-hex characters and augmented
-    to the resulting string that is finally trimmed down.
+    - randNumeric 4 | atoi generates a random number in [0, 10^4)
+      This is a range range evenly divisble by 16, but even if off by one,
+      that last partial interval offsetting randomness is only 1 part in 625.
+    - mod N 16 maps to the range 0-15
+    - printf "%x" represents a single number 0-15 as a single hex character
 */}}
 {{- define "jupyterhub.randHex" -}}
     {{- $result := "" }}
-    {{- range $i := until 100 }}
-        {{- if lt (len $result) . }}
-            {{- $rand_list := randAlphaNum . | splitList "" -}}
-            {{- $reduced_list := without $rand_list "g" "h" "i" "j" "k" "l" "m" "n" "o" "p" "q" "r" "s" "t" "u" "v" "w" "x" "y" "z" "A" "B" "C" "D" "E" "F" "G" "H" "I" "J" "K" "L" "M" "N" "O" "P" "Q" "R" "S" "T" "U" "V" "W" "X" "Y" "Z" }}
-            {{- $rand_string := join "" $reduced_list }}
-            {{- $result = print $result $rand_string -}}
-        {{- end }}
+    {{- range $i := until . }}
+        {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }}
+        {{- $result = print $result $rand_hex_char }}
     {{- end }}
-    {{- $result | trunc . }}
+    {{- $result }}
 {{- end }}
 
 {{- define "jupyterhub.config.JupyterHub.proxy_auth_token" -}}
     {{- if .Values.proxy.secretToken }}
         {{- .Values.proxy.secretToken }}
     {{- else }}
-        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
-        {{- if and $k8s_state (hasKey $k8s_state "JupyterHub.proxy_auth_token") }}
-            {{- index $k8s_state "JupyterHub.proxy_auth_token" }}
+        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+        {{- if hasKey $k8s_state.data "JupyterHub.proxy_auth_token" }}
+            {{- index $k8s_state.data "JupyterHub.proxy_auth_token" | b64dec }}
         {{- else }}
-            {{- include "jupyterhub.randHex" 64 }}
+            {{- randAlphaNum 64 }}
         {{- end }}
     {{- end }}
 {{- end }}
@@ -44,9 +45,9 @@
     {{- if .Values.hub.cookieSecret }}
         {{- .Values.hub.cookieSecret }}
     {{- else }}
-        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
-        {{- if and $k8s_state (hasKey $k8s_state "JupyterHub.cookie_secret") }}
-            {{- index $k8s_state "JupyterHub.cookie_secret" }}
+        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+        {{- if hasKey $k8s_state.data "JupyterHub.cookie_secret" }}
+            {{- index $k8s_state.data "JupyterHub.cookie_secret" | b64dec }}
         {{- else }}
             {{- include "jupyterhub.randHex" 64 }}
         {{- end }}
@@ -57,9 +58,9 @@
     {{- if .Values.hub.config.CryptKeeper }}
         {{- .Values.hub.config.CryptKeeper.keys | join ";" }}
     {{- else }}
-        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default dict }}
-        {{- if and $k8s_state (hasKey $k8s_state "CryptKeeper.keys") }}
-            {{- index $k8s_state "CryptKeeper.keys" }}
+        {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub-secret.fullname" .) | default (dict "data" (dict)) }}
+        {{- if hasKey $k8s_state.data "CryptKeeper.keys" }}
+            {{- index $k8s_state.data "CryptKeeper.keys" | b64dec }}
         {{- else }}
             {{- include "jupyterhub.randHex" 64 }}
         {{- end }}