From 27d243f7aa206fb0dd725a25e11d73186e53d7b0 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Mon, 30 Jul 2018 13:26:19 -0400 Subject: [PATCH 01/14] allow specifying a image pull secret for the kubespawner --- images/hub/jupyterhub_config.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index 6f7cae23ea..f87d694839 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -48,6 +48,10 @@ c.KubeSpawner.image_pull_policy = get_config('singleuser.image-pull-policy') +image_secret = get_config('singleuser.image-pull-secret', None) +if image_secret: + c.KubeSpawner.image_pull_secrets = image_secret + c.KubeSpawner.events_enabled = get_config('singleuser.events', False) c.KubeSpawner.extra_labels = get_config('singleuser.extra-labels', {}) From f3e0da143f71e000a20af0c85401cde6aea4302c Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Mon, 30 Jul 2018 13:33:29 -0400 Subject: [PATCH 02/14] allow adding an image pull secret name via helm --- jupyterhub/templates/hub/configmap.yaml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index d828c4d58f..ffd58fecbe 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml @@ -67,7 +67,7 @@ data: auth.gitlab.client-secret: {{ .Values.auth.gitlab.clientSecret | quote }} auth.gitlab.callback-url: {{ .Values.auth.gitlab.callbackUrl | quote }} {{- end }} - + {{- if eq .Values.auth.type "mediawiki" }} auth.mediawiki.client-id: {{ .Values.auth.mediawiki.clientId | quote }} auth.mediawiki.client-secret: {{ .Values.auth.mediawiki.clientSecret | quote }} 
@@ -80,7 +80,7 @@ data: auth.globus.callback-url: {{ .Values.auth.globus.callbackUrl | quote }} auth.globus.identity-provider: {{ .Values.auth.globus.identityProvider | quote }} {{- end }} - + {{- if eq .Values.auth.type "lti" }} auth.lti.consumers: | {{- .Values.auth.lti.consumers | toYaml | trimSuffix "\n" | nindent 4 }} @@ -108,7 +108,7 @@ data: auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase | quote }} auth.ldap.dn.user.attribute: {{ .Values.auth.ldap.dn.user.attribute | quote }} {{- end }} - + {{- if eq .Values.auth.type "dummy" }} {{- if .Values.auth.dummy.password }} auth.dummy.password: {{ .Values.auth.dummy.password | quote }} @@ -133,6 +133,9 @@ data: {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }} singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }} singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }} + {{- if .Values.singleuser.image.pullSecret }} + singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret | quote }} + {{- end }} {{- if .Values.singleuser.cmd }} singleuser.cmd: {{ .Values.singleuser.cmd | quote }} {{- end }} @@ -190,8 +193,8 @@ data: {{ $key | quote }}: {{ $value | quote }} {{- end }} {{- end }} - - + + {{- /* KubeSpawner */}} kubespawner.common-labels: | {{- $_ := merge (dict "heritageLabel" "jupyterhub") . }} From bb6612ab4b62692fbe8c6004ed0f668d1e349cee Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Mon, 30 Jul 2018 16:17:07 -0400 Subject: [PATCH 03/14] allow generating secret --- jupyterhub/templates/hub/regsecret.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 jupyterhub/templates/hub/regsecret.yaml diff --git a/jupyterhub/templates/hub/regsecret.yaml b/jupyterhub/templates/hub/regsecret.yaml new file mode 100644 index 0000000000..34593f9d6e --- /dev/null +++ b/jupyterhub/templates/hub/regsecret.yaml 
@@ -0,0 +1,10 @@ +{{- if .Values.singleuser.image.createPullSecret }} +kind: Secret +apiVersion: v1 +metadata: + name: {{ .Values.singleuser.image.pullSecret.name }} + namespace: {{ .Release.Namespace }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson }} +{{- end }} From 0088fd62b2d27aff6f501d3ce5f53848579ddab1 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 15:12:32 -0400 Subject: [PATCH 04/14] remove useless conditional --- images/hub/jupyterhub_config.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index f87d694839..ada373cca4 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -48,9 +48,7 @@ c.KubeSpawner.image_pull_policy = get_config('singleuser.image-pull-policy') -image_secret = get_config('singleuser.image-pull-secret', None) -if image_secret: - c.KubeSpawner.image_pull_secrets = image_secret +c.KubeSpawner.image_pull_secrets = get_config('singleuser.image-pull-secret', None) c.KubeSpawner.events_enabled = get_config('singleuser.events', False) From 241e78c91db8c04f945e14c1604e0691dceb6a67 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 15:12:50 -0400 Subject: [PATCH 05/14] use name field --- jupyterhub/templates/hub/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index ffd58fecbe..3bbb499717 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml 
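Review bot: In the new regsecret.yaml hunk, `pullSecret` becomes a map holding `name` and `dockerConfigJson`, but configmap.yaml as left by PATCH 02 still renders `{{ .Values.singleuser.image.pullSecret | quote }}`, so at this commit the stringified map, credential blob included, would most likely land in the hub ConfigMap. ConfigMaps are typically readable by more principals than Secrets, so only the name belongs there: `singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret.name | quote }}` (PATCH 05 later does this). The value under `data:` is also emitted exactly as supplied, so it has to arrive already base64-encoded. Until PATCH 08 adds `b64enc`, a template comment such as `{{- /* dockerConfigJson must already be base64-encoded */}}` would state that requirement.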
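Review bot: In the jupyterhub_config.py hunk of PATCH 04, dropping the guard means `c.KubeSpawner.image_pull_secrets` is assigned `None` on every deployment that configures no pull secret, which is only safe if the trait is declared to accept None. That declaration is not visible here, so it should be confirmed against the KubeSpawner version shipped in the hub image, along with the fact that this version defines a trait of that name at all. The line also carries no comment saying the value is a Secret name rather than credential material; I would add `# Name of a kubernetes.io/dockerconfigjson Secret, never the credentials themselves.` above it.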
@@ -133,8 +133,8 @@ data: {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }} singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }} singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }} - {{- if .Values.singleuser.image.pullSecret }} - singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret | quote }} + {{- if .Values.singleuser.image.pullSecret.name }} + singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret.name | quote }} {{- end }} {{- if .Values.singleuser.cmd }} singleuser.cmd: {{ .Values.singleuser.cmd | quote }} From b0da47109eb036c2316fc505b881ec5487722cb5 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 16:26:53 -0400 Subject: [PATCH 06/14] move regsecret to image-credential-secret and add labels to secret --- jupyterhub/templates/hub/regsecret.yaml | 10 ---------- .../singleuser/image-credentials-secret.yaml | 12 ++++++++++++ 2 files changed, 12 insertions(+), 10 deletions(-) delete mode 100644 jupyterhub/templates/hub/regsecret.yaml create mode 100644 jupyterhub/templates/singleuser/image-credentials-secret.yaml diff --git a/jupyterhub/templates/hub/regsecret.yaml b/jupyterhub/templates/hub/regsecret.yaml deleted file mode 100644 index 34593f9d6e..0000000000 --- a/jupyterhub/templates/hub/regsecret.yaml +++ /dev/null @@ -1,10 +0,0 @@ -{{- if .Values.singleuser.image.createPullSecret }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ .Values.singleuser.image.pullSecret.name }} - namespace: {{ .Release.Namespace }} -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson }} -{{- end }} diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml new file mode 100644 index 0000000000..cb21b53856 --- /dev/null +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml 
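Review bot: In the configmap.yaml hunk of PATCH 05, `{{- if .Values.singleuser.image.pullSecret.name }}` reads `.name` before checking that `pullSecret` itself is set, and Helm aborts rendering when a field is read from a nil value. Unless values.yaml (not shown) defaults `pullSecret` to a map, an install without a pull secret would stop rendering at this line. Wrapping the two lines in `{{- with .Values.singleuser.image.pullSecret }}` and testing `{{- if .name }}` inside it keeps the lookup safe.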
@@ -0,0 +1,12 @@ +{{- if .Values.singleuser.image.pullSecret }} +kind: Secret +apiVersion: v1 +metadata: + name: singleuser-image-credentials + labels: + {{- $_ := merge (dict "componentSuffix" "-image-credentials") . }} + {{- include "jupyterhub.labels" $_ | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson }} +{{- end }} From 14126411c067fca74deb8b873acacb39ba6f83bd Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 16:28:32 -0400 Subject: [PATCH 07/14] simplify using a pull secret --- jupyterhub/templates/hub/configmap.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index 3bbb499717..badd0ae3ff 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml @@ -133,8 +133,8 @@ data: {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }} singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }} singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }} - {{- if .Values.singleuser.image.pullSecret.name }} - singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret.name | quote }} + {{- if .Values.singleuser.image.pullSecret }} + singleuser.image-pull-secret: singleuser-image-credentials {{- end }} {{- if .Values.singleuser.cmd }} singleuser.cmd: {{ .Values.singleuser.cmd | quote }} From 72d201f2cc84ef474f1bc072ba647e7495b2f5bd Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 16:43:03 -0400 Subject: [PATCH 08/14] base64 encode in template for dockerconfigjson secret --- jupyterhub/templates/singleuser/image-credentials-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
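Review bot: In the configmap.yaml hunk of PATCH 07, hard-coding `singleuser-image-credentials` removes the ability to point the spawner at a Secret created outside the chart. Registry credentials then have to be supplied as chart values, which Helm keeps in its release record in addition to the rendered Secret. An optional name override, for example `singleuser.image-pull-secret: {{ .Values.singleuser.image.pullSecret.name | default "singleuser-image-credentials" | quote }}`, would let operators reference a pre-created Secret; image-credentials-secret.yaml would then need to skip creation when such a name is given. The literal is also duplicated between this file and image-credentials-secret.yaml, so a shared named template would keep the two from drifting apart.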
diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml index cb21b53856..4cb5f2b8bf 100644 --- a/jupyterhub/templates/singleuser/image-credentials-secret.yaml +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml @@ -8,5 +8,5 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson }} + .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson| b64enc }} {{- end }} From a94dd0dc8b96f6811dea3d27349d7728c8d9dbea Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 17:02:08 -0400 Subject: [PATCH 09/14] use singleuser.image.pullSecret helper to create pullSecret --- jupyterhub/templates/_helpers.tpl | 14 +++++++++++--- .../singleuser/image-credentials-secret.yaml | 2 +- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/jupyterhub/templates/_helpers.tpl b/jupyterhub/templates/_helpers.tpl index b1cf6added..69d6c0da44 100644 --- a/jupyterhub/templates/_helpers.tpl +++ b/jupyterhub/templates/_helpers.tpl @@ -9,7 +9,7 @@ generate some output based on one single dictionary of input that we call the helpers scope. When you are in helm, you access your current scope with a single a single punctuation (.). - + When you ask a helper to render its content, one often forward the current scope to the helper in order to allow it to access .Release.Name, .Values.rbac.enabled and similar values. @@ -27,7 +27,7 @@ To let a helper access the current scope along with additional values we have opted to create dictionary containing additional values that is then populated with additional values from the current scope through a the merge function. - + #### Example - Passing a new scope augmented with the old {{- $_ := merge (dict "appLabel" "kube-lego") . }} {{- include "jupyterhub.matchLabels" $_ | nindent 6 }} 
@@ -97,7 +97,7 @@ Used by "jupyterhub.labels" and "jupyterhub.nameField". NOTE: The component label is determined by either... - - 1: The provided scope's .componentLabel + - 1: The provided scope's .componentLabel - 2: The template's filename if living in the root folder - 3: The template parent folder's name - : ...and is combined with .componentPrefix and .componentSuffix @@ -172,3 +172,11 @@ component: {{ include "jupyterhub.componentLabel" . }} {{- $_ := merge (dict "componentLabel" "singleuser-server") . -}} {{ include "jupyterhub.matchLabels" $_ | replace ": " "=" | replace "\n" "," | quote }} {{- end }} + +{{- /* + singleuser.image.pullSecret: + allows creating a base64 encoded docker registry json blob +*/}} +{{- define "singleuser.image.pullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.singleuser.image.pullSecret.registry (printf "%s:%s" .Values.singleuser.image.pullSecret.username .Values.singleuser.image.pullSecret.password | b64enc) | b64enc }} +{{- end }} diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml index 4cb5f2b8bf..4327fcb619 100644 --- a/jupyterhub/templates/singleuser/image-credentials-secret.yaml +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml @@ -8,5 +8,5 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ .Values.singleuser.image.pullSecret.dockerConfigJson| b64enc }} + .dockerconfigjson: {{ template "singleuser.image.pullSecret" . }} {{- end }} From cbc53aafcc630d746990f8c8adc18fa67163655c Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Tue, 31 Jul 2018 17:23:46 -0400 Subject: [PATCH 10/14] include > template --- jupyterhub/templates/singleuser/image-credentials-secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
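Review bot: In the _helpers.tpl hunk that adds `singleuser.image.pullSecret`, the docker config JSON is assembled with `printf` and raw `%s` substitution, so a registry or other field containing `"` or `\` yields invalid or structurally different JSON. An unset field is also rendered as Go's nil placeholder instead of failing the render. Building the object and serialising it avoids the escaping problem: with `$ps` bound to the pullSecret values, use `{{- $auth := printf "%s:%s" $ps.username $ps.password | b64enc }}` followed by `{{- dict "auths" (dict $ps.registry (dict "auth" $auth)) | toJson | b64enc }}`. Passing each field through `required` turns a missing value into a render error. The same construction is carried unchanged into the renamed `singleuser.imagePullSecret` helper in PATCH 12.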
diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml index 4327fcb619..40d26648e4 100644 --- a/jupyterhub/templates/singleuser/image-credentials-secret.yaml +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml @@ -8,5 +8,5 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ template "singleuser.image.pullSecret" . }} + .dockerconfigjson: {{ include "singleuser.image.pullSecret" . }} {{- end }} From fead3a81f4d5da15330f525e6865051bbeee27da Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Wed, 1 Aug 2018 12:58:45 -0400 Subject: [PATCH 11/14] add name prefix so that it will one day match kube-spawner code --- images/hub/jupyterhub_config.py | 2 +- jupyterhub/templates/hub/configmap.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/images/hub/jupyterhub_config.py b/images/hub/jupyterhub_config.py index ada373cca4..99054d2cef 100644 --- a/images/hub/jupyterhub_config.py +++ b/images/hub/jupyterhub_config.py @@ -48,7 +48,7 @@ c.KubeSpawner.image_pull_policy = get_config('singleuser.image-pull-policy') -c.KubeSpawner.image_pull_secrets = get_config('singleuser.image-pull-secret', None) +c.KubeSpawner.image_pull_secrets = get_config('singleuser.image-pull-secret-name', None) c.KubeSpawner.events_enabled = get_config('singleuser.events', False) diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index badd0ae3ff..e3a7e59ab0 100644 --- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml 
@@ -134,7 +134,7 @@ data: singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }} singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }} {{- if .Values.singleuser.image.pullSecret }} - singleuser.image-pull-secret: singleuser-image-credentials + singleuser.image-pull-secret-name: singleuser-image-credentials {{- end }} {{- if .Values.singleuser.cmd }} singleuser.cmd: {{ .Values.singleuser.cmd | quote }} From ffe59fa2621ce7a8def28ea3afc5938dbbebdb9b Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Wed, 1 Aug 2018 15:33:01 -0400 Subject: [PATCH 12/14] move image pull secret up a level in chart.yml --- jupyterhub/templates/_helpers.tpl | 6 +++--- jupyterhub/templates/hub/configmap.yaml | 2 +- .../templates/singleuser/image-credentials-secret.yaml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/jupyterhub/templates/_helpers.tpl b/jupyterhub/templates/_helpers.tpl index 69d6c0da44..08b5646129 100644 --- a/jupyterhub/templates/_helpers.tpl +++ b/jupyterhub/templates/_helpers.tpl @@ -174,9 +174,9 @@ component: {{ include "jupyterhub.componentLabel" . }} {{- end }} {{- /* - singleuser.image.pullSecret: + singleuser.imagePullSecret: allows creating a base64 encoded docker registry json blob */}} -{{- define "singleuser.image.pullSecret" }} -{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.singleuser.image.pullSecret.registry (printf "%s:%s" .Values.singleuser.image.pullSecret.username .Values.singleuser.image.pullSecret.password | b64enc) | b64enc }} +{{- define "singleuser.imagePullSecret" }} +{{- printf "{\"auths\": {\"%s\": {\"auth\": \"%s\"}}}" .Values.singleuser.imagePullSecret.registry (printf "%s:%s" .Values.singleuser.imagePullSecret.username .Values.singleuser.imagePullSecret.password | b64enc) | b64enc }} {{- end }} diff --git a/jupyterhub/templates/hub/configmap.yaml b/jupyterhub/templates/hub/configmap.yaml index e3a7e59ab0..2e2ac9222b 100644 
--- a/jupyterhub/templates/hub/configmap.yaml +++ b/jupyterhub/templates/hub/configmap.yaml @@ -133,7 +133,7 @@ data: {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }} singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }} singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }} - {{- if .Values.singleuser.image.pullSecret }} + {{- if .Values.singleuser.imagePullSecret }} singleuser.image-pull-secret-name: singleuser-image-credentials {{- end }} {{- if .Values.singleuser.cmd }} diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml index 40d26648e4..2a6073a87a 100644 --- a/jupyterhub/templates/singleuser/image-credentials-secret.yaml +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml @@ -1,4 +1,4 @@ -{{- if .Values.singleuser.image.pullSecret }} +{{- if .Values.singleuser.imagePullSecret }} kind: Secret apiVersion: v1 metadata: @@ -8,5 +8,5 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ include "singleuser.image.pullSecret" . }} + .dockerconfigjson: {{ include "singleuser.imagePullSecret" . }} {{- end }} From 84d295d98448ad41abf82dbb29e8fca66df32f41 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Thu, 2 Aug 2018 10:53:11 -0400 Subject: [PATCH 13/14] add documentation for imagePullSecret for singleuser container --- jupyterhub/schema.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml index fc9b643359..947314620c 100644 --- a/jupyterhub/schema.yaml +++ b/jupyterhub/schema.yaml 
@@ -305,6 +305,37 @@ properties: type: - string - "null" + imagePullSecret: + type: object + description: | + Create a custom image pull secert used for spawned users. + + This secret is created in the same namespace as your jupyterhub deployment and will be used to pull your single user image. + properties: + registry: + type: string + description: | + Name of the private registry you want to create a credential set for. + + Examples: + - private.jfrog.io + - alexmorreale.privatereg.net + username: + type: string + description: | + Name of the user you want to use to connect to your private registry. + + Examples: + - alexmorreale + - alex@pfc.com + password: + type: string + description: | + Password of the user you want to use to connect to your private registry. + + Examples: + - plaintextpassword + - abc123SECRETzyx098 image: type: object description: | From 1724563aa377eac0f4caf22e003f5c1fb9b0e2f0 Mon Sep 17 00:00:00 2001 From: AlexMorreale Date: Thu, 2 Aug 2018 10:55:33 -0400 Subject: [PATCH 14/14] add documentation about singluser imagePullPolicy --- jupyterhub/schema.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml index 947314620c..a83fbfaecd 100644 --- a/jupyterhub/schema.yaml +++ b/jupyterhub/schema.yaml @@ -305,6 +305,17 @@ properties: type: - string - "null" + imagePullPolicy: + type: string + enum: + - IfNotPresent + - Always + - Never + description: | + Set the imagePullPolicy on the singleuser pods that are spun up by the hub. + + See [the kubernetes docs](https://kubernetes.io/docs/concepts/containers/images/#updating-images) + for more info on what the values mean. imagePullSecret: type: object description: |
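Review bot: In the schema.yaml hunk of PATCH 13, `imagePullSecret` lists `registry`, `username` and `password` without a `required:` list, although the `singleuser.imagePullSecret` helper interpolates all three whenever the map is non-empty. A partially filled map would therefore pass the schema and still render a Secret with placeholder credentials. Adding `required: [registry, username, password]` under `imagePullSecret` closes that gap. The description should also tell operators that the password is passed in plain text through chart values, and `secert` should read `secret`.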
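Review bot: In the schema.yaml hunk of PATCH 14, the new `imagePullPolicy` property is added next to `imagePullSecret`, which appears to be the `singleuser` level. The templates in this series read the policy from `.Values.singleuser.image.pullPolicy` instead, as the configmap.yaml context lines show. As documented, setting `singleuser.imagePullPolicy` would validate and then have no effect unless a template not shown here consumes it. Either document the property under `image` as `pullPolicy`, or change configmap.yaml to read the new key.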