Merge branch 'main' into upgrade_azurerm_provider

dcmcand · web-flow · commit 22e409c67bd2 · 2024-11-15T11:56:48.000+01:00
diff --git a/.github/workflows/test_local_integration.yaml b/.github/workflows/test_local_integration.yaml
@@ -73,6 +73,11 @@ jobs:
           python-version: "3.11"
           miniconda-version: "latest"
 
+      - name: Install JQ
+        run: |
+          sudo apt-get update
+          sudo apt-get install jq -y
+
       - name: Install Nebari and playwright
         run: |
           pip install .[dev]
@@ -97,6 +102,14 @@ jobs:
           nebari keycloak adduser --user "${TEST_USERNAME}" "${TEST_PASSWORD}" --config ${{ steps.init.outputs.config }}
           nebari keycloak listusers --config ${{ steps.init.outputs.config }}
 
+      - name: Await Workloads
+        uses: jupyterhub/action-k8s-await-workloads@v3
+        with:
+          workloads: "" # all
+          namespace: "dev"
+          timeout: 60
+          max-restarts: 0
+
       ### DEPLOYMENT TESTS
       - name: Deployment Pytests
         env:
diff --git a/src/_nebari/stages/infrastructure/__init__.py b/src/_nebari/stages/infrastructure/__init__.py
@@ -8,7 +8,7 @@
 import tempfile
 from typing import Annotated, Any, Dict, List, Literal, Optional, Tuple, Type, Union
 
-from pydantic import ConfigDict, Field, field_validator, model_validator
+from pydantic import ConfigDict, Field, PrivateAttr, field_validator, model_validator
 
 from _nebari import constants
 from _nebari.provider import terraform
@@ -136,7 +136,7 @@ class AWSAmiTypes(str, enum.Enum):
 
 class AWSNodeLaunchTemplate(schema.Base):
     pre_bootstrap_command: Optional[str] = None
-    ami_id: Optional[str] = None
+    _ami_id: Optional[str] = PrivateAttr(default=None)
 
 
 class AWSNodeGroupInputVars(schema.Base):
@@ -155,7 +155,7 @@ class AWSNodeGroupInputVars(schema.Base):
 def construct_aws_ami_type(gpu_enabled: bool, launch_template: AWSNodeLaunchTemplate):
     """Construct the AWS AMI type based on the provided parameters."""
 
-    if launch_template and launch_template.ami_id:
+    if launch_template and launch_template._ami_id:
         return "CUSTOM"
 
     if gpu_enabled:
diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf
@@ -55,13 +55,15 @@ resource "aws_security_group" "main" {
   vpc_id = aws_vpc.main.id
 
   ingress {
+    description = "Allow all ports and protocols to enter the security group"
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = [var.vpc_cidr_block]
   }
 
   egress {
+    description = "Allow all ports and protocols to exit the security group"
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
diff --git a/src/_nebari/upgrade.py b/src/_nebari/upgrade.py
@@ -6,6 +6,7 @@
 
 import json
 import logging
+import os
 import re
 import secrets
 import string
@@ -1297,11 +1298,38 @@ def _version_specific_upgrade(
 
             urllib3.disable_warnings()
 
-            keycloak_admin = get_keycloak_admin(
-                server_url=f"https://{config['domain']}/auth/",
-                username="root",
-                password=config["security"]["keycloak"]["initial_root_password"],
+            keycloak_username = os.environ.get("KEYCLOAK_ADMIN_USERNAME", "root")
+            keycloak_password = os.environ.get(
+                "KEYCLOAK_ADMIN_PASSWORD",
+                config["security"]["keycloak"]["initial_root_password"],
             )
+
+            try:
+                # Quick test to connect to Keycloak
+                keycloak_admin = get_keycloak_admin(
+                    server_url=f"https://{config['domain']}/auth/",
+                    username=keycloak_username,
+                    password=keycloak_password,
+                )
+            except ValueError as e:
+                if "invalid_grant" in str(e):
+                    rich.print(
+                        textwrap.dedent(
+                            """
+                            [red bold]Failed to connect to the Keycloak server.[/red bold]\n
+                            [yellow]Please set the [bold]KEYCLOAK_ADMIN_USERNAME[/bold] and [bold]KEYCLOAK_ADMIN_PASSWORD[/bold]
+                            environment variables with the Keycloak root credentials and try again.[/yellow]
+                            """
+                        )
+                    )
+                    exit()
+                else:
+                    # Handle other exceptions
+                    rich.print(
+                        f"[red bold]An unexpected error occurred: {repr(e)}[/red bold]"
+                    )
+                    exit()
+
             # Get client ID as role is bound to the JupyterHub client
             client_id = keycloak_admin.get_client_id("jupyterhub")
             role_name = "legacy-group-directory-creation-role"
diff --git a/tests/tests_deployment/test_jupyterhub_ssh.py b/tests/tests_deployment/test_jupyterhub_ssh.py
@@ -1,5 +1,6 @@
 import re
 import string
+import time
 import uuid
 
 import paramiko
@@ -14,64 +15,80 @@
 TIMEOUT_SECS = 300
 
 
-@pytest.fixture(scope="function")
+@pytest.fixture(scope="session")
 def paramiko_object(jupyterhub_access_token):
-    """Connects to JupyterHub ssh cluster from outside the cluster."""
+    """Connects to JupyterHub SSH cluster from outside the cluster.
+
+    Ensures the JupyterLab pod is ready before attempting reauthentication
+    by setting both `auth_timeout` and `banner_timeout` appropriately,
+    and by retrying the connection until the pod is ready or a timeout occurs.
+    """
     params = {
         "hostname": constants.NEBARI_HOSTNAME,
         "port": 8022,
         "username": constants.KEYCLOAK_USERNAME,
         "password": jupyterhub_access_token,
         "allow_agent": constants.PARAMIKO_SSH_ALLOW_AGENT,
         "look_for_keys": constants.PARAMIKO_SSH_LOOK_FOR_KEYS,
-        "auth_timeout": 5 * 60,
     }
 
     ssh_client = paramiko.SSHClient()
     ssh_client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
-    try:
-        ssh_client.connect(**params)
-        yield ssh_client
-    finally:
-        ssh_client.close()
-
-
-def run_command(command, stdin, stdout, stderr):
-    delimiter = uuid.uuid4().hex
-    stdin.write(f"echo {delimiter}start; {command}; echo {delimiter}end\n")
-
-    output = []
-
-    line = stdout.readline()
-    while not re.match(f"^{delimiter}start$", line.strip()):
-        line = stdout.readline()
 
-    line = stdout.readline()
-    if delimiter not in line:
-        output.append(line)
-
-    while not re.match(f"^{delimiter}end$", line.strip()):
-        line = stdout.readline()
-        if delimiter not in line:
-            output.append(line)
-
-    return "".join(output).strip()
-
-
-@pytest.mark.timeout(TIMEOUT_SECS)
-@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
-@pytest.mark.filterwarnings("ignore::ResourceWarning")
-def test_simple_jupyterhub_ssh(paramiko_object):
-    stdin, stdout, stderr = paramiko_object.exec_command("")
+    yield ssh_client, params
+
+    ssh_client.close()
+
+
+def invoke_shell(
+    client: paramiko.SSHClient, params: dict[str, any]
+) -> paramiko.Channel:
+    client.connect(**params)
+    return client.invoke_shell()
+
+
+def extract_output(delimiter: str, output: str) -> str:
+    # Extract the command output between the start and end delimiters
+    match = re.search(rf"{delimiter}start\n(.*)\n{delimiter}end", output, re.DOTALL)
+    if match:
+        print(match.group(1).strip())
+        return match.group(1).strip()
+    else:
+        return output.strip()
+
+
+def run_command_list(
+    commands: list[str], channel: paramiko.Channel, wait_time: int = 0
+) -> dict[str, str]:
+    command_delimiters = {}
+    for command in commands:
+        delimiter = uuid.uuid4().hex
+        command_delimiters[command] = delimiter
+        b = channel.send(f"echo {delimiter}start; {command}; echo {delimiter}end\n")
+        if b == 0:
+            print(f"Command '{command}' failed to send")
+    # Wait for the output to be ready before reading
+    time.sleep(wait_time)
+    while not channel.recv_ready():
+        time.sleep(1)
+        print("Waiting for output")
+    output = ""
+    while channel.recv_ready():
+        output += channel.recv(65535).decode("utf-8")
+    outputs = {}
+    for command, delimiter in command_delimiters.items():
+        command_output = extract_output(delimiter, output)
+        outputs[command] = command_output
+    return outputs
 
 
 @pytest.mark.timeout(TIMEOUT_SECS)
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 @pytest.mark.filterwarnings("ignore::ResourceWarning")
 def test_print_jupyterhub_ssh(paramiko_object):
-    stdin, stdout, stderr = paramiko_object.exec_command("")
-
-    # commands to run and just print the output
+    client, params = paramiko_object
+    channel = invoke_shell(client, params)
+    # Commands to run and just print the output
     commands_print = [
         "id",
         "env",
@@ -80,52 +97,60 @@ def test_print_jupyterhub_ssh(paramiko_object):
         "ls -la",
         "umask",
     ]
-
-    for command in commands_print:
-        print(f'COMMAND: "{command}"')
-        print(run_command(command, stdin, stdout, stderr))
+    outputs = run_command_list(commands_print, channel)
+    for command, output in outputs.items():
+        print(f"COMMAND: {command}")
+        print(f"OUTPUT: {output}")
+    channel.close()
 
 
 @pytest.mark.timeout(TIMEOUT_SECS)
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 @pytest.mark.filterwarnings("ignore::ResourceWarning")
 def test_exact_jupyterhub_ssh(paramiko_object):
-    stdin, stdout, stderr = paramiko_object.exec_command("")
-
-    # commands to run and exactly match output
-    commands_exact = [
-        ("id -u", "1000"),
-        ("id -g", "100"),
-        ("whoami", constants.KEYCLOAK_USERNAME),
-        ("pwd", f"/home/{constants.KEYCLOAK_USERNAME}"),
-        ("echo $HOME", f"/home/{constants.KEYCLOAK_USERNAME}"),
-        ("conda activate default && echo $CONDA_PREFIX", "/opt/conda/envs/default"),
-        (
-            "hostname",
-            f"jupyter-{escape_string(constants.KEYCLOAK_USERNAME, safe=set(string.ascii_lowercase + string.digits), escape_char='-').lower()}",
-        ),
-    ]
+    client, params = paramiko_object
+    channel = invoke_shell(client, params)
+    # Commands to run and exactly match output
+    commands_exact = {
+        "id -u": "1000",
+        "id -g": "100",
+        "whoami": constants.KEYCLOAK_USERNAME,
+        "pwd": f"/home/{constants.KEYCLOAK_USERNAME}",
+        "echo $HOME": f"/home/{constants.KEYCLOAK_USERNAME}",
+        "conda activate default && echo $CONDA_PREFIX": "/opt/conda/envs/default",
+        "hostname": f"jupyter-{escape_string(constants.KEYCLOAK_USERNAME, safe=set(string.ascii_lowercase + string.digits), escape_char='-').lower()}",
+    }
+    outputs = run_command_list(list(commands_exact.keys()), channel)
+    for command, output in outputs.items():
+        assert (
+            output == outputs[command]
+        ), f"Command '{command}' output '{outputs[command]}' does not match expected '{output}'"
 
-    for command, output in commands_exact:
-        assert output == run_command(command, stdin, stdout, stderr)
+    channel.close()
 
 
 @pytest.mark.timeout(TIMEOUT_SECS)
 @pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
 @pytest.mark.filterwarnings("ignore::ResourceWarning")
 def test_contains_jupyterhub_ssh(paramiko_object):
-    stdin, stdout, stderr = paramiko_object.exec_command("")
-
-    # commands to run and string need to be contained in output
-    commands_contain = [
-        ("ls -la", ".bashrc"),
-        ("cat ~/.bashrc", "Managed by Nebari"),
-        ("cat ~/.profile", "Managed by Nebari"),
-        ("cat ~/.bash_logout", "Managed by Nebari"),
-        # ensure we don't copy over extra files from /etc/skel in init container
-        ("ls -la ~/..202*", "No such file or directory"),
-        ("ls -la ~/..data", "No such file or directory"),
-    ]
+    client, params = paramiko_object
+    channel = invoke_shell(client, params)
+
+    # Commands to run and check if the output contains specific strings
+    commands_contain = {
+        "ls -la": ".bashrc",
+        "cat ~/.bashrc": "Managed by Nebari",
+        "cat ~/.profile": "Managed by Nebari",
+        "cat ~/.bash_logout": "Managed by Nebari",
+        # Ensure we don't copy over extra files from /etc/skel in init container
+        "ls -la ~/..202*": "No such file or directory",
+        "ls -la ~/..data": "No such file or directory",
+    }
+
+    outputs = run_command_list(commands_contain.keys(), channel, 30)
+    for command, expected_output in commands_contain.items():
+        assert (
+            expected_output in outputs[command]
+        ), f"Command '{command}' output does not contain expected substring '{expected_output}'. Instead got '{outputs[command]}'"
 
-    for command, output in commands_contain:
-        assert output in run_command(command, stdin, stdout, stderr)
+    channel.close()
