password example and profile

Author: alex-treebeard

README.md

@@ -76,8 +76,11 @@ Some considerations:
 
 ### Set a new password
 
-The `user_password` variable allows you to set a non-default password. This is
-essential for deploying Kubeflow.
+It's critical to not use the default password for internet-facing deployments.
+
+See the See [examples/k3s-existing-istio](examples/k3s-existing-istio) for deployment with a non-default dex password (passed in via terraform CLI)
+
+Note that dex will only pick up new config at start -- you may have to restart the dex pod manually for a password change to take effect.
 
 ### Make Kubeflow available securely on a network using HTTPS
 

examples/eks-https-loadbalancer/kubeflow.tf

@@ -52,6 +52,20 @@ gateway:
               limits:
                 cpu: 2000m
                 memory: 1024Mi
+dex:
+  spec:
+    project: default
+    source:
+      kustomize:
+        patches:
+        - target:
+            kind: Secret
+            name: dex-passwords
+          patch: |-
+            - op: replace
+              path: /stringData/DEX_USER_PASSWORD
+              value: ${bcrypt(var.password)}
+
 EOF
   ]
   depends_on = [

examples/eks-https-loadbalancer/variables.tf

@@ -1,3 +1,7 @@
+variable "password" {
+  sensitive   = true
+  description = "password for [email protected]"
+}
 
 variable "host" {
 }

helm/example-profile/Chart.yaml

@@ -0,0 +1,12 @@
+{{ if .Values.exampleProfile.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: 102-example-profile
+  annotations:
+    argocd.argoproj.io/sync-wave: "102"
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+{{ .Values.exampleProfile.spec | toYaml | indent 2 }}
+{{- end -}}

helm/example-profile/templates/all.yaml

@@ -353,3 +353,20 @@ volumesWebApp:
         prune: false
       syncOptions:
         - ServerSideApply=true
+
+exampleProfile:
+  enabled: true
+  spec:
+    project: default
+    source:
+      path: common/user-namespace/base
+      repoURL: https://github.com/kubeflow/manifests
+      targetRevision: 776d4f4
+    destination:
+      namespace: argocd
+      name: in-cluster
+    syncPolicy:
+      automated:
+        prune: false
+      syncOptions:
+        - ServerSideApply=true

helm/kubeflow-argo-apps/templates/100-kubeflow-notebooks/102-example-profile.yaml

@@ -30,12 +30,12 @@ EOF
 
 locals {
   user_vals = "\n${var.kubeflow_values[0]}"
-  default_values = [
+  top_level_values = [
     <<EOF
 treebeardKubeflow:
-  repoURL: "ghcr.io/treebeardtech"
-  targetRevision: 0.1-2024-03-08-T10-50-10
-  chart: 'kubeflow-argo-apps'
+  repoURL: ${var.treebeard_kubeflow_dependency["repoURL"]}
+  targetRevision: ${var.treebeard_kubeflow_dependency["targetRevision"]}
+  chart: ${var.treebeard_kubeflow_dependency["chart"]}
   values: ${indent(4, local.user_vals)}
 EOF
   ]
@@ -46,7 +46,7 @@ resource "helm_release" "kubeflow_apps" {
   namespace     = "argocd"
   chart         = "${path.module}/helm/kubeflow-bootstrap"
   wait_for_jobs = true
-  values        = concat(local.default_values)
+  values        = concat(local.top_level_values)
 
   dynamic "set" {
     iterator = item
@@ -71,4 +71,8 @@ resource "helm_release" "kubeflow_apps" {
     null_resource.start,
     helm_release.argo_cd
   ]
-}
+}
+
+output "top_level_values" {
+  value = local.top_level_values
+}

helm/kubeflow-argo-apps/values.yaml

@@ -1,3 +1,13 @@
+variable "treebeard_kubeflow_dependency" {
+  description = "Configuration for Treebeard Kubeflow helm"
+  type        = map(string)
+  default = {
+    repoURL        = "ghcr.io/treebeardtech"
+    targetRevision = "0.1-2024-03-08-T12-25-15"
+    chart          = "kubeflow-argo-apps"
+  }
+}
+
 variable "enable_argocd" {
   type    = bool
   default = true