Add hub.loadRoles configuration

The motivation for adding a dedicated chart configuration is that hub.config.JupyterHub.load_roles would end up being overridden easily if configured from multiple config files. So, having a dictionary configuration for the same thing can help.
jupyterhub · Sep 26, 2021 · 13474af · 13474af
1 parent 8bbaa3d
commit 13474af
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 1 deletion.
diff --git a/.github/workflows/test-chart.yaml b/.github/workflows/test-chart.yaml
@@ -147,6 +147,7 @@ jobs:
           #
           # The upgrade-from input should match the version information from
           # https://jupyterhub.github.io/helm-chart/info.json
+          #
           - k3s-channel: v1.19
             test: upgrade
             upgrade-from: stable
@@ -276,6 +277,7 @@ jobs:
           echo
 
           helm diff upgrade --install jupyterhub ./jupyterhub --values dev-config.yaml \
+              --values dev-config-local-chart-extra-config.yaml \
               ${{ matrix.local-chart-extra-args }} \
               --show-secrets \
               --context=3 \
@@ -302,7 +304,7 @@ jobs:
 
       - name: "Install local chart"
         run: |
-          helm upgrade --install jupyterhub ./jupyterhub --values dev-config.yaml ${{ matrix.local-chart-extra-args }}
+          helm upgrade --install jupyterhub ./jupyterhub --values dev-config.yaml --values dev-config-local-chart-extra-config.yaml ${{ matrix.local-chart-extra-args }}
 
       - name: "Await local chart"
         uses: jupyterhub/action-k8s-await-workloads@v1

diff --git a/dev-config-local-chart-extra-config.yaml b/dev-config-local-chart-extra-config.yaml
@@ -0,0 +1,26 @@
+# This config file is useful in the upgrade tests, where we upgrade from
+# either the latest stable chart or the latest dev release of the chart. This
+# config is only applied to the chart we upgrade to. It helps us handle
+# situations when we add new configuration options that would fail with a schema
+# validation error in the previous chart versions.
+#
+# Note that one could think that it would be possible to have dev-config.yaml
+# include this config and then pass --set hub.some-option=null to null it out
+# when it must not be passed, but that still triggers schema validation errors.
+#
+hub:
+  # FIXME: move loadRoles to dev-config.yaml after 2.0.0 is released.
+  loadRoles:
+    test-role-1:
+      description: Access to users' information and group membership
+      scopes: [users, groups]
+      users: [cyclops, gandalf]
+      services: [test]
+      groups: [cats]
+    test-role-2-explicit-name:
+      name: test-role-2
+      description: Access to users' information and group membership
+      scopes: [users, groups]
+      users: [cyclops, gandalf]
+      services: [test]
+      groups: [cats]
diff --git a/jupyterhub/files/hub/jupyterhub_config.py b/jupyterhub/files/hub/jupyterhub_config.py
@@ -388,6 +388,13 @@ def camelCaseify(s):
 
     c.JupyterHub.services.append(service)
 
+for key, role in get_config("hub.loadRoles", {}).items():
+    # c.JupyterHub.load_roles is a list of dicts, but
+    # hub.loadRoles is a dict of dicts to make the config mergable
+    role.setdefault("name", key)
+
+    c.JupyterHub.load_roles.append(role)
+
 
 set_config_if_not_none(c.Spawner, "cmd", "singleuser.cmd")
 set_config_if_not_none(c.Spawner, "default_url", "singleuser.defaultUrl")

diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml
@@ -1201,6 +1201,40 @@ properties:
               An alias for api_token provided for backward compatibility by
               the JupyterHub Helm chart that will be transformed to
               api_token.
+      loadRoles:
+        type: object
+        additionalProperties: true
+        description: |
+          This is where you should define JupyterHub roles and apply them to
+          JupyterHub users, groups, and services to grant them additional
+          permissions as defined in JupyterHub's RBAC system.
+
+          Complement this documentation with [JupyterHub's
+          documentation](https://jupyterhub.readthedocs.io/en/latest/rbac/roles.html#defining-roles)
+          about `load_roles`.
+
+          Note that while JupyterHub's native configuration `load_roles` accepts
+          a list of role objects, this Helm chart only accept a dictionary where
+          each key represents the name of a role and the value is the actual
+          role object.
+
+          ```yaml
+          hub:
+            loadRoles:
+              teacher:
+                description: Access to users' information and group membership
+
+                # this role provides permissions to...
+                scopes: [users, groups]
+
+                # this role will be assigned to...
+                users: [erik]
+                services: [grading-service]
+                groups: [teachers]
+          ```
+
+          When configuring JupyterHub roles via this Helm chart, the `name`
+          field can be omitted as it can be implied by the dictionary key.
       shutdownOnLogout:
         type: [boolean, "null"]
         description: *jupyterhub-native-config-description

diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml
@@ -88,6 +88,7 @@ hub:
     runAsGroup: 1000
     allowPrivilegeEscalation: false
   lifecycle: {}
+  loadRoles: {}
   services: {}
   pdb:
     enabled: false

diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml
@@ -160,6 +160,14 @@ hub:
       oauth_roles: [dummy]
       info:
         key1: value1
+  loadRoles:
+    test-role-1:
+      name: test-role-1
+      description: Access to users' information and group membership
+      scopes: [users, groups]
+      users: [cyclops, gandalf]
+      services: [test-service-1]
+      groups: [test-group-1]
   pdb:
     enabled: true
     maxUnavailable: 1