StatCan · mathis-marcotte · Jan 3, 2025 · Jan 7, 2025 · Jan 8, 2025 · Jan 9, 2025
diff --git a/docker-bits/4_CLI.Dockerfile b/docker-bits/4_CLI.Dockerfile
@@ -19,6 +19,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -96,3 +98,7 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && echo "${GIT_CRED_MANAGER_SHA}  ./gcm.deb" | sha256sum -c - \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
+
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
diff --git a/output/docker-stacks-datascience-notebook/ktutil-keytab.sh b/output/docker-stacks-datascience-notebook/ktutil-keytab.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# creates the kerberos directory if not exist
+mkdir -p ~/krb5
+cd ~/krb5
+
+#clean up from previous run(or else it appends to the file instead of replacing it)
+if [ -f ./client.keytab ]; then
+    rm ./client.keytab
+fi
+
+# gets the user's username (legacy AD)
+read -p "Username(ex. marcoma):" user_name
+
+user_name="${user_name}@STATCAN.CA"
+# gets the user's password
+read -sp "Password for ${user_name}:" user_pass
+
+# deletes the password prompt for cleaner output
+echo -en "\r\e[K"
+
+{
+# adds entry for user, and requests password
+echo "addent -password -p ${user_name} -k 1 -e RC4-HMAC";
+# give password entered by user to ktutil
+echo "$user_pass"
+# creates keytab file
+echo "wkt client.keytab";
+} | ktutil
+
+# get the current namespace
+NS=$(kubectl get sa -o=jsonpath='{.items[0]..metadata.namespace}')
+
+# generate the secret
+kubectl create secret generic kerberos-keytab -n $NS --from-file=./client.keytab -o yaml --dry-run=client > ktutil_keytab.yaml
+
+# apply the secret
+kubectl apply -f ./ktutil_keytab.yaml
+
+
+#get the notebook name
+nb_name=${NB_PREFIX##*/}
+
+# Prompt user for notebook restart
+while true; do
+    read -p "In order to update the kerberos authentication, the notebook server needs to be restarted. Would you like to restart your notebook server?[Y/n]: " yn
+    case $yn in
+        [Yy]* ) echo "Your notebook server will now restart"; kubectl rollout restart statefulset $nb_name -n $NB_NAMESPACE; break;;
+        [Nn]* ) echo "Your notebook server will not be restarted"; exit;;
+        * ) echo "Only yes or no is an expected answer";;
+    esac
+done
diff --git a/output/jupyterlab-cpu/Dockerfile b/output/jupyterlab-cpu/Dockerfile
@@ -78,6 +78,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -156,6 +158,10 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
 
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
+
 ###############################
 ###  docker-bits/5_DB-Drivers.Dockerfile
 ###############################

diff --git a/output/jupyterlab-cpu/ktutil-keytab.sh b/output/jupyterlab-cpu/ktutil-keytab.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# creates the kerberos directory if not exist
+mkdir -p ~/krb5
+cd ~/krb5
+
+#clean up from previous run(or else it appends to the file instead of replacing it)
+if [ -f ./client.keytab ]; then
+    rm ./client.keytab
+fi
+
+# gets the user's username (legacy AD)
+read -p "Username(ex. marcoma):" user_name
+
+user_name="${user_name}@STATCAN.CA"
+# gets the user's password
+read -sp "Password for ${user_name}:" user_pass
+
+# deletes the password prompt for cleaner output
+echo -en "\r\e[K"
+
+{
+# adds entry for user, and requests password
+echo "addent -password -p ${user_name} -k 1 -e RC4-HMAC";
+# give password entered by user to ktutil
+echo "$user_pass"
+# creates keytab file
+echo "wkt client.keytab";
+} | ktutil
+
+# get the current namespace
+NS=$(kubectl get sa -o=jsonpath='{.items[0]..metadata.namespace}')
+
+# generate the secret
+kubectl create secret generic kerberos-keytab -n $NS --from-file=./client.keytab -o yaml --dry-run=client > ktutil_keytab.yaml
+
+# apply the secret
+kubectl apply -f ./ktutil_keytab.yaml
+
+
+#get the notebook name
+nb_name=${NB_PREFIX##*/}
+
+# Prompt user for notebook restart
+while true; do
+    read -p "In order to update the kerberos authentication, the notebook server needs to be restarted. Would you like to restart your notebook server?[Y/n]: " yn
+    case $yn in
+        [Yy]* ) echo "Your notebook server will now restart"; kubectl rollout restart statefulset $nb_name -n $NB_NAMESPACE; break;;
+        [Nn]* ) echo "Your notebook server will not be restarted"; exit;;
+        * ) echo "Only yes or no is an expected answer";;
+    esac
+done
diff --git a/output/jupyterlab-pytorch/Dockerfile b/output/jupyterlab-pytorch/Dockerfile
@@ -100,6 +100,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -178,6 +180,10 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
 
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
+
 ###############################
 ###  docker-bits/5_DB-Drivers.Dockerfile
 ###############################

diff --git a/output/jupyterlab-pytorch/ktutil-keytab.sh b/output/jupyterlab-pytorch/ktutil-keytab.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# creates the kerberos directory if not exist
+mkdir -p ~/krb5
+cd ~/krb5
+
+#clean up from previous run(or else it appends to the file instead of replacing it)
+if [ -f ./client.keytab ]; then
+    rm ./client.keytab
+fi
+
+# gets the user's username (legacy AD)
+read -p "Username(ex. marcoma):" user_name
+
+user_name="${user_name}@STATCAN.CA"
+# gets the user's password
+read -sp "Password for ${user_name}:" user_pass
+
+# deletes the password prompt for cleaner output
+echo -en "\r\e[K"
+
+{
+# adds entry for user, and requests password
+echo "addent -password -p ${user_name} -k 1 -e RC4-HMAC";
+# give password entered by user to ktutil
+echo "$user_pass"
+# creates keytab file
+echo "wkt client.keytab";
+} | ktutil
+
+# get the current namespace
+NS=$(kubectl get sa -o=jsonpath='{.items[0]..metadata.namespace}')
+
+# generate the secret
+kubectl create secret generic kerberos-keytab -n $NS --from-file=./client.keytab -o yaml --dry-run=client > ktutil_keytab.yaml
+
+# apply the secret
+kubectl apply -f ./ktutil_keytab.yaml
+
+
+#get the notebook name
+nb_name=${NB_PREFIX##*/}
+
+# Prompt user for notebook restart
+while true; do
+    read -p "In order to update the kerberos authentication, the notebook server needs to be restarted. Would you like to restart your notebook server?[Y/n]: " yn
+    case $yn in
+        [Yy]* ) echo "Your notebook server will now restart"; kubectl rollout restart statefulset $nb_name -n $NB_NAMESPACE; break;;
+        [Nn]* ) echo "Your notebook server will not be restarted"; exit;;
+        * ) echo "Only yes or no is an expected answer";;
+    esac
+done
diff --git a/output/jupyterlab-tensorflow/Dockerfile b/output/jupyterlab-tensorflow/Dockerfile
@@ -207,6 +207,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -285,6 +287,10 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
 
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
+
 ###############################
 ###  docker-bits/5_DB-Drivers.Dockerfile
 ###############################

diff --git a/output/jupyterlab-tensorflow/ktutil-keytab.sh b/output/jupyterlab-tensorflow/ktutil-keytab.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# creates the kerberos directory if not exist
+mkdir -p ~/krb5
+cd ~/krb5
+
+#clean up from previous run(or else it appends to the file instead of replacing it)
+if [ -f ./client.keytab ]; then
+    rm ./client.keytab
+fi
+
+# gets the user's username (legacy AD)
+read -p "Username(ex. marcoma):" user_name
+
+user_name="${user_name}@STATCAN.CA"
+# gets the user's password
+read -sp "Password for ${user_name}:" user_pass
+
+# deletes the password prompt for cleaner output
+echo -en "\r\e[K"
+
+{
+# adds entry for user, and requests password
+echo "addent -password -p ${user_name} -k 1 -e RC4-HMAC";
+# give password entered by user to ktutil
+echo "$user_pass"
+# creates keytab file
+echo "wkt client.keytab";
+} | ktutil
+
+# get the current namespace
+NS=$(kubectl get sa -o=jsonpath='{.items[0]..metadata.namespace}')
+
+# generate the secret
+kubectl create secret generic kerberos-keytab -n $NS --from-file=./client.keytab -o yaml --dry-run=client > ktutil_keytab.yaml
+
+# apply the secret
+kubectl apply -f ./ktutil_keytab.yaml
+
+
+#get the notebook name
+nb_name=${NB_PREFIX##*/}
+
+# Prompt user for notebook restart
+while true; do
+    read -p "In order to update the kerberos authentication, the notebook server needs to be restarted. Would you like to restart your notebook server?[Y/n]: " yn
+    case $yn in
+        [Yy]* ) echo "Your notebook server will now restart"; kubectl rollout restart statefulset $nb_name -n $NB_NAMESPACE; break;;
+        [Nn]* ) echo "Your notebook server will not be restarted"; exit;;
+        * ) echo "Only yes or no is an expected answer";;
+    esac
+done
diff --git a/output/remote-desktop/Dockerfile b/output/remote-desktop/Dockerfile
@@ -150,6 +150,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -228,6 +230,10 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
 
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
+
 ###############################
 ###  docker-bits/6_remote-desktop.Dockerfile
 ###############################

diff --git a/output/remote-desktop/ktutil-keytab.sh b/output/remote-desktop/ktutil-keytab.sh
@@ -0,0 +1,51 @@
+#!/bin/bash
+# creates the kerberos directory if not exist
+mkdir -p ~/krb5
+cd ~/krb5
+
+#clean up from previous run(or else it appends to the file instead of replacing it)
+if [ -f ./client.keytab ]; then
+    rm ./client.keytab
+fi
+
+# gets the user's username (legacy AD)
+read -p "Username(ex. marcoma):" user_name
+
+user_name="${user_name}@STATCAN.CA"
+# gets the user's password
+read -sp "Password for ${user_name}:" user_pass
+
+# deletes the password prompt for cleaner output
+echo -en "\r\e[K"
+
+{
+# adds entry for user, and requests password
+echo "addent -password -p ${user_name} -k 1 -e RC4-HMAC";
+# give password entered by user to ktutil
+echo "$user_pass"
+# creates keytab file
+echo "wkt client.keytab";
+} | ktutil
+
+# get the current namespace
+NS=$(kubectl get sa -o=jsonpath='{.items[0]..metadata.namespace}')
+
+# generate the secret
+kubectl create secret generic kerberos-keytab -n $NS --from-file=./client.keytab -o yaml --dry-run=client > ktutil_keytab.yaml
+
+# apply the secret
+kubectl apply -f ./ktutil_keytab.yaml
+
+
+#get the notebook name
+nb_name=${NB_PREFIX##*/}
+
+# Prompt user for notebook restart
+while true; do
+    read -p "In order to update the kerberos authentication, the notebook server needs to be restarted. Would you like to restart your notebook server?[Y/n]: " yn
+    case $yn in
+        [Yy]* ) echo "Your notebook server will now restart"; kubectl rollout restart statefulset $nb_name -n $NB_NAMESPACE; break;;
+        [Nn]* ) echo "Your notebook server will not be restarted"; exit;;
+        * ) echo "Only yes or no is an expected answer";;
+    esac
+done
diff --git a/output/rstudio/Dockerfile b/output/rstudio/Dockerfile
@@ -78,6 +78,8 @@ RUN apt-get update && \
       'zip' \
       'zsh' \
       'dos2unix' \
+      # installs necessary tool for kerberos authentication setup
+      'krb5-user' \
       # these are required by some r packages, adding these here so they get
       # installed into all images.
       'libfreetype6-dev' \
@@ -156,6 +158,10 @@ RUN wget -q "${GIT_CRED_MANAGER_URL}" -O ./gcm.deb \
   && dpkg -i ./gcm.deb \
   && rm ./gcm.deb
 
+# add script for kerberos keytab creation
+COPY ktutil-keytab.sh /usr/local/bin/ktutil-keytab
+RUN chmod +x /usr/local/bin/ktutil-keytab
+
 ###############################
 ###  docker-bits/5_DB-Drivers.Dockerfile
 ###############################