Generate random traefik api password

bootstrap/bootstrap.py

@@ -86,20 +86,12 @@ def main():
         'git+https://github.com/jupyterhub/the-littlest-jupyterhub.git'
     )
 
-    traefik_proxy_repo_path = 'jupyterhub-traefik-proxy==0.1.0a1'
-
     subprocess.check_output([
         os.path.join(hub_prefix, 'bin', 'pip'),
         'install'
     ] + pip_flags + [tljh_repo_path], stderr=subprocess.STDOUT)
     logger.info('Setup tljh package')
 
-    subprocess.check_output([
-        os.path.join(hub_prefix, 'bin', 'pip'),
-        'install'
-    ] + [traefik_proxy_repo_path], stderr=subprocess.STDOUT)
-    logger.info('Setup traefik-proxy package')
-
     logger.info('Starting TLJH installer...')
     os.execv(
         os.path.join(hub_prefix, 'bin', 'python3'),

dev-requirements.txt

@@ -2,4 +2,3 @@ pytest
 pytest-cov
 codecov
 pytoml
-passlib

integration-tests/requirements.txt

@@ -1,4 +1,3 @@
 pytest
 pytest-asyncio
-passlib
 git+https://github.com/yuvipanda/hubtraf.git

setup.py

@@ -13,7 +13,9 @@ setup(
     install_requires=[
         'ruamel.yaml==0.15.*',
         'jinja2',
-        'pluggy>0.7<1.0'
+        'pluggy>0.7<1.0',
+        'passlib',
+        'jupyterhub-traefik-proxy==0.1.0a1'
     ],
     entry_points={
         'console_scripts': [

tests/test_configurer.py

@@ -168,7 +168,7 @@ def test_auth_api_default():
     c = apply_mock_config({})
 
     assert c.TraefikTomlProxy.traefik_api_username == 'api_admin'
-    assert c.TraefikTomlProxy.traefik_api_password == 'admin'
+    assert len(c.TraefikTomlProxy.traefik_api_password) == 0
 
 
 def test_set_auth_api():

tljh/config.py

@@ -13,12 +13,15 @@ tljh-config show firstlevel.second_level
 """
 
 import argparse
+import asyncio
 from collections import Sequence, Mapping
 from copy import deepcopy
 import os
 import re
 import sys
-import asyncio
+import time
+
+import requests
 
 from .yaml import yaml
 
@@ -174,10 +177,8 @@ def remove_config_value(config_path, key_path, value):
         yaml.dump(config, f)
 
 def check_hub_ready():
-    import requests
-
     try:
-        r = requests.get('http://127.0.0.1:80')
+        r = requests.get('http://127.0.0.1:80', verify=False)
         return r.status_code == 200
     except:
         return False
@@ -190,7 +191,6 @@ def reload_component(component):
     """
     # import here to avoid circular imports
     from tljh import systemd, traefik
-    import time
 
     if component == 'hub':
         systemd.restart_service('jupyterhub')

tljh/configurer.py

@@ -10,7 +10,9 @@ FIXME: A strong feeling that JSON Schema should be involved somehow.
 
 import os
 
-from .config import CONFIG_FILE
+from passlib.apache import HtpasswdFile
+
+from .config import CONFIG_FILE, STATE_DIR
 from .yaml import yaml
 
 # Default configuration for tljh
@@ -50,7 +52,7 @@ default = {
         'ip': "127.0.0.1",
         'port': 8099,
         'username': 'api_admin',
-        'password': 'admin',
+        'password': '',
         'basic_auth': ''
     },
     'user_environment': {
@@ -95,9 +97,13 @@ def set_if_not_none(parent, key, value):
         setattr(parent, key, value)
 
 def generate_traefik_api_credentials():
-    from passlib.apache import HtpasswdFile
+    proxy_secret_path = os.path.join(STATE_DIR, 'traefik-api.secret')
+    with open(proxy_secret_path,'r') as f:
+        password = f.read()
 
+    default['auth_api']['password'] = password
     ht = HtpasswdFile()
+    # generate htpassword
     ht.set_password(default['auth_api']['username'], default['auth_api']['password'])
     traefik_api_hashed_password = str(ht.to_string()).split(":")[1][:-3]
     default['auth_api']['basic_auth'] = default['auth_api']['username'] + ":" + traefik_api_hashed_password

tljh/installer.py

@@ -120,9 +120,18 @@ def ensure_jupyterhub_service(prefix):
     with open(os.path.join(HERE, 'systemd-units', 'jupyterhub.service')) as f:
         hub_unit_template = f.read()
 
+    # with open(os.path.join(HERE, 'systemd-units', 'configurable-http-proxy.service')) as f:
+    #     chp_unit_template = f.read()
+
     with open(os.path.join(HERE, 'systemd-units', 'traefik.service')) as f:
         traefik_unit_template = f.read()
 
+    #Set up proxy / hub secret token if it is not already setup
+    proxy_secret_path = os.path.join(STATE_DIR, 'traefik-api.secret')
+    if not os.path.exists(proxy_secret_path):
+        with open(proxy_secret_path, 'w') as f:
+            f.write(secrets.token_hex(32))
+
     traefik.ensure_traefik_config(STATE_DIR)
 
     unit_params = dict(
@@ -132,13 +141,14 @@ def ensure_jupyterhub_service(prefix):
     )
     systemd.install_unit('jupyterhub.service', hub_unit_template.format(**unit_params))
     systemd.install_unit('traefik.service', traefik_unit_template.format(**unit_params))
+    # systemd.install_unit('configurable-http-proxy.service', chp_unit_template.format(**unit_params))
     systemd.reload_daemon()
 
     # If JupyterHub is running, we want to restart it.
     systemd.restart_service('jupyterhub')
     systemd.restart_service('traefik')
 
-    # Mark JupyterHub & CHP to start at boot time
+    # Mark JupyterHub & traefik to start at boot time
     systemd.enable_service('jupyterhub')
     systemd.enable_service('traefik')
 

tljh/systemd-units/jupyterhub.service

@@ -16,7 +16,6 @@ PrivateTmp=yes
 PrivateDevices=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
-# Source CONFIGPROXY_AUTH_TOKEN from here!
 Environment=TLJH_INSTALL_PREFIX={install_prefix}
 ExecStart={python_interpreter_path} -m jupyterhub.app -f {jupyterhub_config_path}