Remove user/groups from YAML (nebari-dev#956)

qhub/render/__init__.py

@@ -63,53 +63,6 @@ def patch_versioning_extra_config(config):
         config["terraform_version"] = TERRAFORM_VERSION
 
 
-def patch_terraform_users(config):
-    """
-    Add terraform-friendly user information
-    """
-    incoming_groups = config.get("security", {}).get("groups", {})
-    config["tf_groups"] = [
-        {
-            "name": k,
-            "gid": str((v or {}).get("gid", "")),
-        }
-        for (k, v) in {"users": {}, "admin": {}, **incoming_groups}.items()
-        # Above forces existence of users and admin groups if not already provided in config
-    ]
-
-    group_index_lookup = {
-        obj["name"]: index for (index, obj) in enumerate(config["tf_groups"])
-    }
-
-    incoming_users = config.get("security", {}).get("users", {})
-
-    config["tf_users"] = []
-    for (k, v) in incoming_users.items():
-        if v is None:
-            v = {}
-        config["tf_users"].append(
-            {
-                "name": k,
-                "uid": str(v.get("uid", "")),
-                "password": v.get("password", ""),
-                "email": "@" in k and k or None,
-                "primary_group": v.get("primary_group", "users"),
-            }
-        )
-
-    config["tf_user_groups"] = []
-    for (k, v) in incoming_users.items():
-        if v is None:
-            v = {}
-        # Every user should be in the 'users' group
-        users_group_names = set(
-            [v.get("primary_group", "")] + v.get("secondary_groups", []) + ["users"]
-        ) - set([""])
-        config["tf_user_groups"].append(
-            [group_index_lookup[gname] for gname in users_group_names]
-        )
-
-
 def patch_terraform_extensions(config):
     """
     Add terraform-friendly extension details
@@ -298,8 +251,6 @@ def render_template(output_directory, config_filename, force=False):
 
     patch_versioning_extra_config(config)
 
-    patch_terraform_users(config)
-
     patch_terraform_extensions(config)
 
     config["qhub_config_yaml_path"] = str(filename.absolute())

qhub/schema.py

@@ -191,19 +191,6 @@ class GitHubAuthentication(Authentication):
     config: GitHubConfig
 
 
-# =========== Users and Groups =============
-
-
-class User(Base):
-    password: typing.Optional[str]
-    primary_group: typing.Optional[str]
-    secondary_groups: typing.Optional[typing.List[str]]
-
-
-class Group(Base):
-    gid: typing.Optional[int]
-
-
 # ================= Keycloak ==================
 
 
@@ -217,10 +204,6 @@ class Keycloak(Base):
 
 class Security(Base):
     authentication: Authentication
-    users: typing.Optional[typing.Dict[str, typing.Union[User, None]]]
-    groups: typing.Optional[
-        typing.Dict[str, typing.Union[Group, None]]
-    ]  # If gid is omitted, no attributes in Group means it appears as None
     keycloak: typing.Optional[Keycloak]
 
 

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/kubernetes.tf

@@ -240,12 +240,6 @@ module "kubernetes-keycloak-config" {
   jupyterhub-keycloak-client-id     = local.jupyterhub-keycloak-client-id
   jupyterhub-keycloak-client-secret = random_password.jupyterhub-jhsecret.result
 
-  users = jsondecode("{{ cookiecutter.tf_users | jsonify | replace('"', '\\"') }}")
-
-  groups = jsondecode("{{ cookiecutter.tf_groups | jsonify | replace('"', '\\"') }}")
-
-  user_groups = jsondecode("{{ cookiecutter.tf_user_groups | jsonify | replace('"', '\\"') }}")
-
   {% if cookiecutter.security.authentication.type == "GitHub" -%}
   github_client_id     = {{ cookiecutter.security.authentication.config.client_id | jsonify }}
   github_client_secret = {{ cookiecutter.security.authentication.config.client_secret | jsonify }}

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-config/main.tf

@@ -15,60 +15,30 @@ resource "keycloak_realm" "realm-qhub" {
   display_name = "QHub ${var.name}"
 }
 
-resource "keycloak_user" "user" {
-  count = length(var.users)
-
+resource "keycloak_group" "admingroup" {
   realm_id = keycloak_realm.realm-qhub.id
-
-  username = var.users[count.index].name
-  enabled  = true
-  email    = var.users[count.index].email
+  name     = "admin"
 
   lifecycle {
     ignore_changes = all
   }
-
-  dynamic "initial_password" {
-    for_each = [for pwd in [var.users[count.index].password] : pwd if pwd != ""]
-    content {
-      value     = initial_password.value
-      temporary = false
-    }
-  }
 }
 
-resource "keycloak_group" "group" {
-  count = length(var.groups)
-
+resource "keycloak_group" "usersgroup" {
   realm_id = keycloak_realm.realm-qhub.id
-  name     = var.groups[count.index].name
+  name     = "users"
 
   lifecycle {
     ignore_changes = all
   }
-
 }
 
 resource "keycloak_default_groups" "default" {
   realm_id = keycloak_realm.realm-qhub.id
 
   group_ids = [
-    for g in keycloak_group.group : g.id if g.name == "users"
-  ]
-}
-
-resource "keycloak_user_groups" "user_groups" {
-  count = length(var.user_groups)
-
-  realm_id = keycloak_realm.realm-qhub.id
-
-  user_id = keycloak_user.user[count.index].id
-
-  group_ids = [
-    for i in var.user_groups[count.index] : keycloak_group.group[i].id
+    keycloak_group.usersgroup.id
   ]
-
-  exhaustive = false
 }
 
 resource "keycloak_openid_client" "qhub_client" {

qhub/template/{{ cookiecutter.repo_directory }}/infrastructure/modules/kubernetes/keycloak-config/variables.tf

@@ -43,24 +43,6 @@ variable "name" {
   type        = string
 }
 
-variable "users" {
-  description = "list of users data"
-  type        = list(map(any))
-  default     = []
-}
-
-variable "groups" {
-  description = "list of groups data"
-  type        = list(map(any))
-  default     = []
-}
-
-variable "user_groups" {
-  description = "list of user_groups data"
-  type        = list(list(number))
-  default     = []
-}
-
 variable "github_client_id" {
   description = "GitHub OAuth2 Client ID"
   type        = string
@@ -90,4 +72,3 @@ variable "auth0_subdomain" {
   type        = string
   default     = ""
 }
-