jupyter-health: use CHCS auth provider for staging #4977
Conversation
minrk
force-pushed
the
health-chcs-auth
branch
from
0840264 to
be97e32
Compare
|
Merging this PR will trigger the following deployment actions. Support and Staging deployments
Production deploymentsNo production hub upgrades will be triggered |
|
Manually deploying this, I see the following when pressing login:
Is there a way to provide access to 2i2c members to ensure we are able to help debug and support this - ideally by using either github / google identities? This deployment will stand out, because we otherwise have access to hubs as 2i2c employees using github / google identities. |
|
Since this is an oauth provider, we would need to create accounts for you on the oauth provider. Either that, or enable both with multiauthenticator, which I'm happy to try as well. That's not in the default image either, but it is proposed. I'm happy to test it here, and potentially merge jupyterhub/zero-to-jupyterhub-k8s#3459 |
|
@minrk I've pinged a few people in 2i2c about this as I'm not confident on merging this myself since it brings in an exception to other hubs. |
|
Makes sense! I'll suggest trying out multiauthenticator, which should be a generic solution for 2i2c, since you could add GitHub login for any deployment where a cluster wants to use credentials where you don't have accounts. |
|
I want to avoid putting pressure on z2jh to include multiauthenticator right away to unblock this, so lets reduce that option to having a custom image for jupyter-health where its installed for now. With that said, I see the following constructive short term choices remain:
I've looped in @Gman0909, @aprilmj, and @yuvipanda about this for now in slack. 2i2c internal slack reference https://2i2c.slack.com/archives/C07SJJWVCAD/p1729169838322779 |
Co-authored-by: Yuvi Panda <[email protected]>
|
🎉🎉🎉🎉 Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/11400373642 |
The JupyterHub CHCS client is a Public Application, meaning it has only a client id and requires PKCE, no client secret.
Not ready for prod since we only have test accounts on CHCS so far.