Support chart wide and pod specific config of imagePullSecrets #1794
It's quite a big change to review without knowledge of exactly how this all works. Is it possible someone wants to pull their singleuser image from a different registry to the hub and proxy? Do you have any idea how many users rely on a private registry? If it's a significant number maybe we should convert one of the existing CI jobs to test it?
Yeah =/ Thank you for trying your best! I added some review comments which can potentially make it a bit easier to understand what various sections are about.
They can reference
Not sure, but it's quite common. I've tested it quite well manually by rendering templates and ensuring the output makes sense for various pods. We could add this as a test quite easily without much complexity added by adding a dummy image to a fake-private registry with credentials that are public, and then we try it as an extra I'm not sure how to go about getting such registry with public credentials that we could make use of right now though, if I had that I could go ahead and add that to this PR as well right now.
This is great work! I'm happy to dogfood this in one of the clusters I maintain that require imagePullSecrets.
A few comments!
- Can we just use `imagePullSecrets` instead of `global.imagePullSecrets`? This is what we do for other global things (like rbac), and it would be nice to keep that consistent, instead of adding another layer.
- Does this mean you can't have a separate secret for hub & user pods? I don't fully understand that, can you explain why?
- Pre-puller modes might need more than just single-user secrets, since they might also be pulling in additional images that are from different image sources - something specified with `singleuser.extraContainers`, for example. I think this is also configurable here, but wanted to make sure.
In general, <3 the globalized imagePullSecrets along with per-pod overrides!
Okay! See 247fcbf
You can have a separate secret(s) for hub & user pods. The docs were improved to make this clearer in 3bb4c91, and further improved in f9d6575 which hopefully makes it clear also under the
This is fine, since
@yuvipanda similarly to a discussion you had with regards to
Co-authored-by: Harris Dimitriou <dimitriou.xar@gmail.com>
An imagePullPolicy doesn't make much sense here, as the context is to pull something ahead of time. Always for example will not really help much. I think?
…gePullSecrets
@yuvipanda I've now addressed your comments in #1794 (comment) and feel happy about this PR in general. If you think this looks good, perhaps we can merge @yuvipanda?
Thanks for thoroughly working on this, @consideRatio!
Motivation

Before a k8s pod can start its containers, Kubelet, a k8s component, will download the images from the image registry. If this image registry requires credentials to access it, the Pod can specify `spec.imagePullSecrets`. If that is done, Kubelet will look in the referenced Kubernetes Secret resources and use the credentials within them to download the images.

This Helm chart both supports the creation of such k8s Secret with credentials, and the configuration of the hub pods and user pods `spec.imagePullSecrets` that reference the created Secret. What is missing though, is the same kind of configuration for all other pods.

This PR aims to resolve this once and for all by providing a chart wide configuration that augments all pods `spec.imagePullSecrets`, either with a manually created k8s Secret, or by a k8s Secret created by the Helm chart given configured credentials.

Helm chart config changes
Added
- `imagePullSecrets` - A place to specify manually created k8s Secret references for all pods.
- `imagePullSecret.create|registry|username|password` - A place to specify credentials for the creation of a k8s Secret that will be added to the list of all pods' `spec.imagePullSecrets`.

Updated
- `...image.pullPolicy` configuration is now available for all pods
- `...image.pullSecrets` configuration is now available for all pods

Deprecated
- `hub.imagePullSecret` - Deprecated in favor of chart wide `imagePullSecret`
- `singleuser.imagePullSecret` - Deprecated in favor of chart wide `imagePullSecret`

Implementation steps
- `imagePullSecret.create` etc, to create a k8s Secret resource with image registry credentials.
- `"jupyterhub.imagePullSecrets"`) that returns a JSON formatted list of Kubernetes Secret names or a blank string representing: the Secret created by `imagePullSecret`, the `imagePullSecrets` list, and the pod's specific config in `...image.pullSecrets`.
- function.
- `hub.imagePullSecret` and `singleuser.imagePullSecret`. A message will show asking the user to use `imagePullSecret` instead from now on.
- `imagePullSecrets` to allow users to specify manually created Kubernetes Secrets for all pods to make use of.
- `...image.pullSecrets` and `...image.pullPolicy` where it was missing for certain pods.
- `jupyterhub_config.py` logic of the user pod's `imagePullPolicy` and `imagePullSecrets`

Closes #981, Closes #1504, Closes #1467, Closes #1465
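
An added example, not part of this PR or the chart's own code: the manual check mentioned in the thread (rendering the templates and confirming each pod's output makes sense) written as a small audit that flags any pod pulling from a private registry without `spec.imagePullSecrets`. The manifests, resource names, registry host and Secret name below are constructed placeholders, and the manifests are assumed to be already parsed into dicts.

```python
"""Audit rendered manifests: pods pulling from a private registry with no pull secret."""

# Kinds whose pod template lives at spec.template.spec; a bare Pod keeps it at spec.
WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}


def pod_spec(manifest):
    """Return the pod spec of a manifest, or None if the resource runs no pods."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in WORKLOAD_KINDS:
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None


def images(spec):
    """Yield every image in a pod spec, init containers included."""
    for key in ("initContainers", "containers"):
        for container in spec.get(key) or []:
            yield container["image"]


def missing_pull_secrets(manifests, private_registry):
    """List (kind/name, image) pairs pulled from private_registry with no imagePullSecrets.

    Any non-empty imagePullSecrets list counts as configured; whether the
    referenced Secret holds valid credentials is not checked here.
    """
    findings = []
    for m in manifests:
        spec = pod_spec(m)
        if spec is None or spec.get("imagePullSecrets"):
            continue
        for image in images(spec):
            if image.startswith(private_registry + "/"):
                findings.append((f"{m['kind']}/{m['metadata']['name']}", image))
    return findings


# Constructed sample input: all names, the registry and the Secret are placeholders.
RENDERED = [
    {"kind": "Deployment", "metadata": {"name": "hub"},
     "spec": {"template": {"spec": {
         "imagePullSecrets": [{"name": "example-pull-secret"}],
         "containers": [{"name": "hub", "image": "registry.example.com/hub:1"}]}}}},
    {"kind": "DaemonSet", "metadata": {"name": "image-puller"},
     "spec": {"template": {"spec": {
         "initContainers": [{"name": "pull", "image": "registry.example.com/user:1"}],
         "containers": [{"name": "pause", "image": "k8s.gcr.io/pause:3.2"}]}}}},
    {"kind": "Service", "metadata": {"name": "proxy-public"}, "spec": {}},
]
```

Calling `missing_pull_secrets(RENDERED, "registry.example.com")` reports the constructed pre-puller DaemonSet, the kind of pod that lacked pull-secret configuration before a chart wide setting existed.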