Helm chart: add imagePullSecrets for gateway.backend

[chadsr]

This PR adds imagePullSecrets support for the gateway.backend (dask-gateway) image used by schedulers and workers.

[consideRatio]

Support for the idea of this PR

Since we provide a dedicated option for the image pull policy and image name/tag etc for gateway.backend, I support adding imagePullSecrets next to it as well. But, we should not add everything we can configure as a dedicated configuration, then we should use the workaround below instead.

A workaround

imagePullSecrets can be configured via the following config options:

dask-gateway/dask-gateway-server/dask_gateway_server/backends/kubernetes/backend.py

Lines 143 to 180 in e6ee014

	worker_extra_container_config = Dict(
	help="""
	Any extra configuration for the worker container.
	This dict will be deep merged with the worker container (a
	``V1Container`` object) before submission. Keys should match those in
	the `kubernetes spec
	<https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core>`__,
	and should be camelCase.
	For example, here we add environment variables from a secret to the
	worker container:
	.. code::
	c.KubeClusterConfig.worker_extra_container_config = {
	"envFrom": [
	{"secretRef": {"name": "my-env-secret"}}
	]
	}
	""",
	config=True,
	)
	scheduler_extra_container_config = Dict(
	help="""
	Any extra configuration for the scheduler container.
	This dict will be deep merged with the scheduler container (a
	``V1Container`` object) before submission. Keys should match those in
	the `kubernetes spec
	<https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core>`__,
	and should be camelCase.
	See ``worker_extra_container_config`` for more information.
	""",
	config=True,
	)

that are exposed via the Helm chart's gateway.backend.scheduler.extraContainerConfig and gateway.backend.worker.extraContainerConfig that you can pass imagePullSecrets to.

Since gateway.backend.imagePullSecrets

[szachovy]

Hi,

Thanks @consideRatio for your input. I believe there should be gateway.backend.scheduler.extraPodConfig instead of gateway.backend.scheduler.extraContainerConfig

The minimal working proof:

jupyterhub:
  proxy:
    secretToken: "<token-1>"
  hub:
    services:
      dask-gateway:
        apiToken: "<token-2>"
dask-gateway:
  gateway:
    auth:
      jupyterhub:
        apiToken: "<token-2>"
    extraConfig:
      optionHandler: |
        from dask_gateway_server.options import Options, String
        def option_handler(options):
            return {
                "image": options.image,
                "scheduler_extra_pod_config": {"imagePullSecrets": [{"name": options.extra_pod_config}]},
            }
        c.Backend.cluster_options = Options(
            String("image", label="Image"),
            String("extra_pod_config", label="Image Pull Secrets"),
            handler=option_handler,
        )

If the scheduler and workers use the same image within the cluster, I am unsure whether to add "worker_extra_pod_config": {"imagePullSecrets": [{"name": options.extra_pod_config}]} to the returned function.

Best regards,
Wiktor