move generating traefik basic auth to traefik.py

compute this when we write the template, not when we load config
2025-12-18 21:54:05 +08:00 · 2019-02-22 10:53:36 +01:00
parent 436610f83e
commit 23ea539b28
3 changed files with 24 additions and 17 deletions
--- a/tljh/configurer.py
+++ b/tljh/configurer.py
@@ -10,8 +10,6 @@ FIXME: A strong feeling that JSON Schema should be involved somehow.

 import os

-from passlib.apache import HtpasswdFile
-
 from .config import CONFIG_FILE, STATE_DIR
 from .yaml import yaml

@@ -48,12 +46,11 @@ default = {
            'domains': [],
        },
    },
-    'auth_api': {
+    'traefik_api': {
        'ip': "127.0.0.1",
        'port': 8099,
        'username': 'api_admin',
        'password': '',
-        'basic_auth': ''
    },
    'user_environment': {
        'default_app': 'classic',
@@ -86,7 +83,7 @@ def apply_config(config_overrides, c):
    update_limits(c, tljh_config)
    update_user_environment(c, tljh_config)
    update_user_account_config(c, tljh_config)
-    update_auth_api(c, tljh_config)
+    update_traefik_api(c, tljh_config)


 def set_if_not_none(parent, key, value):
@@ -101,12 +98,7 @@ def generate_traefik_api_credentials():
    with open(proxy_secret_path,'r') as f:
        password = f.read()

-    default['auth_api']['password'] = password
-    ht = HtpasswdFile()
-    # generate htpassword
-    ht.set_password(default['auth_api']['username'], default['auth_api']['password'])
-    traefik_api_hashed_password = str(ht.to_string()).split(":")[1][:-3]
-    default['auth_api']['basic_auth'] = default['auth_api']['username'] + ":" + traefik_api_hashed_password
+    default['traefik_api']['password'] = password


 def update_auth(c, config):
@@ -172,12 +164,12 @@ def update_user_account_config(c, config):
    c.SystemdSpawner.username_template = 'jupyter-{USERNAME}'


-def update_auth_api(c, config):
+def update_traefik_api(c, config):
    """
    Set traefik api endpoint credentials
    """
-    c.TraefikTomlProxy.traefik_api_username = config['auth_api']['username']
-    c.TraefikTomlProxy.traefik_api_password = config['auth_api']['password']
+    c.TraefikTomlProxy.traefik_api_username = config['traefik_api']['username']
+    c.TraefikTomlProxy.traefik_api_password = config['traefik_api']['password']


 def _merge_dictionaries(a, b, path=None, update=True):
--- a/tljh/traefik.py
+++ b/tljh/traefik.py
@@ -4,6 +4,7 @@ import os
 from urllib.request import urlretrieve

 from jinja2 import Template
+from passlib.apache import HtpasswdFile

 from tljh.configurer import load_config

@@ -55,9 +56,23 @@ def ensure_traefik_binary(prefix):
        raise IOError(f"Checksum failed {traefik_bin}: {checksum} != {checksums[plat]}")


+def compute_basic_auth(username, password):
+    """Generate hashed HTTP basic auth from traefik_api username+password"""
+    ht = HtpasswdFile()
+    # generate htpassword
+    ht.set_password(username, password)
+    hashed_password = str(ht.to_string()).split(":")[1][:-3]
+    return username + ":" + hashed_password
+
+
 def ensure_traefik_config(state_dir):
    """Render the traefik.toml config file"""
    config = load_config()
+    config['traefik_api']['basic_auth'] = compute_basic_auth(
+        config['traefik_api']['username'],
+        config['traefik_api']['password'],
+    )
+
    with open(os.path.join(os.path.dirname(__file__), "traefik.toml.tpl")) as f:
        template = Template(f.read())
    new_toml = template.render(config)
--- a/tljh/traefik.toml.tpl
+++ b/tljh/traefik.toml.tpl
@@ -41,11 +41,11 @@ idleTimeout = "10m0s"
  {% endif %}
  {% endif %}
  [entryPoints.auth_api]
-  address = "127.0.0.1:{{auth_api['port']}}"
+  address = "127.0.0.1:{{traefik_api['port']}}"
  [entryPoints.auth_api.whiteList]
-  sourceRange = ['{{auth_api['ip']}}']
+  sourceRange = ['{{traefik_api['ip']}}']
  [entryPoints.auth_api.auth.basic]
-  users = ['{{auth_api['basic_auth']}}']
+  users = ['{{ traefik_api['basic_auth'] }}']

 [wss]
 protocol = "http"