Failed to submit session Jupyter Kubernetes ~ error: error reading input for Password

Get Help
1

Hi, I was clone Jupyter app for my ondemand with kubernetes cluster from repo GitHub - OSC/bc_k8s_jupyter: Run a batch connect Jupyter in a kuberentes cluster (so my form.yml and submit.yml.erb is same as github version without no change) and I facing this problem with this error error: error reading input for Password and need the help

image
image1257×839 32.2 KB

I read this discourse Running Jupyter on K8s via OOD and still didn’t has the solving.

Here is my cluster configuration /etc/ood/config/clusters.d/k3s_cluster.yml:

v2:
metadata:
title: “k3s-cluster”
login:
host: “ondemand-dev.mytestdev.my.id”
job:
adapter: “kubernetes”
config_file: “~/.kube/config”
cluster: “open-ondemand”
context: “open-ondemand”
bin: “/usr/bin/kubectl”
username_prefix: “prod-”
namespace_prefix: “user-”
all_namespaces: false
auto_supplemental_groups: false
server:
endpoint: “https://192.168.1.4:6443
cert_authority_file: “~/.kube/ca.crt”
auth:
type: “oidc”
mounts:
batch_connect:
ssh_allow: false
basic:
script_wrapper: |
module purge
%s
vnc:
script_wrapper: |
module purge
export PATH=“/opt/TurboVNC/bin/vncserver”
export WEBSOCKIFY_CMD=“/usr/bin/websockify”
%s

since error: error reading input for Password is might from --cluster, so I check the ~/.kube/config configuration

apiVersion: v1
clusters:

  • cluster:
    certificate-authority: ca.crt
    server: https://192.168.1.4:6443
    name: kubernetes
  • cluster:
    certificate-authority: /home/sinaupc/.kube/ca.crt
    server: https://192.168.1.4:6443
    name: open-ondemand
    contexts:
  • context:
    cluster: kubernetes
    user: ondemand@kubernetes
    name: ondemand@kubernetes
  • context:
    cluster: open-ondemand
    namespace: user-sinaupc
    user: prod-sinaupc
    name: open-ondemand
    current-context: open-ondemand
    kind: Config
    users:
  • name: ondemand@kubernetes
    user:
    token:
  • name: prod-sinaupc
    user:
    token:

I use cluster open-ondemand and context open-ondemand. For token I follow the instruction Tokens for Bootstrapping. Since I use Keycloack for OIDC authentication, I use auth: type: “oidc” and follow this instruction OIDC Audience for create audiance mapper. Also follow the instruction for Deploy Hooks to bootstrap users Kubernetes

Here is the log in /var/log/ondemand-nginx/sinaupc/error.log

App 11937 output: [2025-09-28 15:49:48 +0000 ] INFO “execve = [{}, “/usr/bin/kubectl --kubeconfig=~/.kube/config --context=open-ondemand --namespace=user-sinaupc -o json create -f -”]”
App 11937 output: [2025-09-28 15:49:48 +0000 ] ERROR “ERROR: OodCore::JobAdapterError - error: error reading input for Password”
App 11937 output: [2025-09-28 15:49:48 +0000 ] INFO “execve = [“git”, “describe”, “–always”, “–tags”]”

Also I try to change exec these script to run hook and create new namespaces, network, rolebinding, etc and hope for auth credential for kubeconfig
sudo -E /opt/ood/hooks/k8s-bootstrap/k8s-bootstrap-ondemand.sh sinaupc /etc/ood/config/hook.env and sudo -u sinaupc /opt/ood/hooks/k8s-bootstrap/set-k8s-creds.sh sinaupc /etc/ood/config/hook.env

From these, I got new namespace user-sinaupc, but in kubeconfig .kube/config I only get this update configuration:

name: prod-sinaupc
user:
auth-provider:
config:
client-id: ondemand-dev.mytestdev.my.id
client-secret: secret
id-token: “”
idp-issuer-url: https://ondemand-idpdev.mytestdev.my.id/realms/ondemand
refresh-token: “”
name: oidc

I don’t know why id-token and refresh-token is missed. I try to get the token and refresh from my user with this command
TOKEN=$(curl -s -X POST “$ISSUER/protocol/openid-connect/token”
-d “grant_type=password”
-d “client_id=$CLIENT_ID”
-d “client_secret=$CLIENT_SECRET”
-d “username=sinaupc”
-d “password=<password>”
-d “scope=openid offline_access k3s-audience” | jq -r ‘.access_token’)

REFRESH=$(curl -s -X POST “$ISSUER/protocol/openid-connect/token”
-d “grant_type=password”
-d “client_id=$CLIENT_ID”
-d “client_secret=$CLIENT_SECRET”
-d “username=sinaupc”
-d “password=<password>”
-d “scope=openid offline_access k3s-audience” | jq -r ‘.refresh_token’)

And put the $TOKEN and $REFRESH on my kubeconfig like

name: prod-sinaupc
user:
auth-provider:
config:
client-id: ondemand-dev.mytestdev.my.id
client-secret: secret
id-token: “token from $TOKEN”
idp-issuer-url: https://ondemand-idpdev.mytestdev.my.id/realms/ondemand
refresh-token: “refresh token from $REFRESH”
name: oidc

But this is still didn’t solve my problem error: error reading input for Password

I didn’t know why OOD still need password, eventhough with this context and user I have access to kubectl without password

sinaupc@ondemand-dev:~$ kubectl config use-context open-ondemand
Switched to context “open-ondemand”.
sinaupc@ondemand-dev:~$ kubectl get pods -n user-sinaupc
No resources found in user-sinaupc namespace.

What should I check again to solve this problem, do you have any solve?

2

Ok solve
But now, this happen when running a Jupyter container from OOD

Screenshot 2025-09-29 092103
Screenshot 2025-09-29 0921031919×1008 35.6 KB

3

The 404 appears to be coming from Jupyter itself so that’s good. Can you share the before.sh.erb that loads it so we can see how it’s configured?

By the way, our production Jupyter app also runs on Kubernetes, so that may help with configuration.