diff --git a/dev-config.yaml b/dev-config.yaml index 9f9e98eaa5..0ca5a7b3c0 100644 --- a/dev-config.yaml +++ b/dev-config.yaml @@ -10,13 +10,36 @@ proxy: requests: memory: 0 cpu: 0 - networkPolicy: + imagePullSecret: &imagePullSecret enabled: true + registry: gcr.io + username: _json_key + password: |- + { + "type": "service_account", + "project_id": "dummy-gcp-project", + "private_key_id": "asdfasdfasdfasdfasdfasdfasdfasdfasdfasdf", + "private_key": "-----BEGIN PRIVATE KEY-----........-----END PRIVATE KEY-----\n", + "client_email": "sa-name@dummy-gcp-project.iam.gserviceaccount.com", + "client_id": "107124232533563852236", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/sa-name%40dummy-gcp-project.iam.gserviceaccount.com" + } + secretToken: 97141abb55ea5321867979cb57bb2e6a86a2f4d6bb166fca45aedb07c212c42d + service: + type: NodePort + nodePorts: + http: 31212 hub: cookieSecret: 1470700e01f77171c2c67b12130c25081dfbdf2697af8c2f2bd05621b31100bf db: type: sqlite-memory + imagePullSecret: *imagePullSecret + networkPolicy: + enabled: true resources: requests: memory: 0 @@ -25,13 +48,9 @@ hub: test: admin: true apiToken: 0cc05feaefeeb29179e924ffc6d3886ffacf0d1a28ab225f5c210436ffc5cfd5 - networkPolicy: - enabled: true - singleuser: - storage: - type: none + imagePullSecret: *imagePullSecret memory: guarantee: null networkPolicy: @@ -51,6 +70,8 @@ singleuser: cidr: 104.28.9.110/32 - ipBlock: cidr: 104.28.8.110/32 + storage: + type: none prePuller: hook: @@ -62,3 +83,4 @@ scheduling: debug: enabled: true + diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml index 4efc731c4a..618b9fe260 100644 --- a/jupyterhub/schema.yaml +++ b/jupyterhub/schema.yaml 
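Review bot: In the first hunk, the `password: |-` block under `proxy.imagePullSecret` is laid out exactly like a real Google service-account key (`type`, `private_key_id`, `private_key`, `client_email`) and nothing in the file says it is fabricated, so secret scanners and anyone copying dev-config.yaml as a starting point may treat it as a live credential. Add a comment directly above the anchored mapping, e.g. `# Dummy gcr.io pull credentials for the CI render/upgrade tests only; the key below is fabricated and cannot authenticate.` Because the `&imagePullSecret` anchor is aliased from `hub` and `singleuser` in the following hunk, the same dummy credential is attached to all three components, which looks intended for exercising the templates rather than for a working pull and is worth stating in that comment as well.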
@@ -38,18 +38,18 @@ properties: See the [Kubernetes docs](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for more info on what the values mean. - imagePullSecret: + imagePullSecret: &imagePullSecretSchema type: object description: | - Creates an image pull secret for you and makes the hub pod utilize - it, allowing it to pull images from private image registries. + Creates an image pull secret for you and makes the related pods utilize + it, allowing them to pull images from private image registries. Using this configuration option automates the following steps that normally is required to pull from private image registries. ```sh # you won't need to run this manually... - kubectl create secret docker-registry hub-image-credentials \ + kubectl create secret docker-registry -image-credentials \ --docker-server= \ --docker-username= \ --docker-email= \ @@ -60,7 +60,7 @@ properties: # you won't need to specify this manually... spec: imagePullSecrets: - - name: hub-image-credentials + - name: -image-credentials ``` To learn the username and password fields to access a gcr.io registry @@ -73,8 +73,10 @@ properties: type: boolean description: | Enable the creation of a Kubernetes Secret containing credentials - to access a image registry. By enabling this, the hub pod will also be configured - to use these credentials when it pulls its container image. + to access a image registry. By enabling this, related pods will + also be configured to use these credentials when they pull their + container images. + registry: type: string description: | @@ -470,6 +472,7 @@ properties: proxy: type: object properties: + imagePullSecret: *imagePullSecretSchema secretToken: type: string description: | 
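Review bot: The command example in the shared `imagePullSecret` description now reads `kubectl create secret docker-registry -image-credentials \`, and the manifest example in the next hunk reads `- name: -image-credentials`; with the component prefix dropped these read as typos rather than as a template of the generated Secret name. Since the anchor is now shared by hub, proxy and singleuser, write the prefix as an explicit placeholder, e.g. `kubectl create secret docker-registry <component>-image-credentials \` and `- name: <component>-image-credentials`, and add one sentence before the first code block stating that `<component>` is `hub`, `proxy` or `singleuser`.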
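Review bot: The new `enabled` description says "related pods" without saying which ones, while the singleuser-specific text deleted in the later `-707,91` hunk stated that user pods and image-puller pods are configured with the credentials; that detail is lost by the shared wording even though the image-puller DaemonSet hunk in this commit still references the singleuser secret. Add a sentence after the existing text, e.g. `For singleuser this covers the user pods and the image-puller pods; for hub and proxy it covers the pods of that component.` (the hub side is presumably wired the same way as the proxy deployment in this diff, but that template is not shown). While here, `to access a image registry` should read `to access an image registry`.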
@@ -707,91 +710,7 @@ properties: - "null" description: | Note that this field is referred to as *requests* by the Kubernetes API. - imagePullSecret: - type: object - description: | - Creates an image pull secret for you and makes the user pods utilize - it, allowing them to pull images from private image registries. - - Using this configuration option automates the following steps that - normally is required to pull from private image registries. - - ```sh - # you won't need to run this manually... - kubectl create secret docker-registry singleuser-image-credentials \ - --docker-server= \ - --docker-username= \ - --docker-email= \ - --docker-password= - ``` - - ```yaml - # you won't need to specify this manually... - spec: - imagePullSecrets: - - name: singleuser-image-credentials - ``` - - To learn the username and password fields to access a gcr.io registry - from a Kubernetes cluster not associated with the same google cloud - credentials, look into [this - guide](http://docs.heptio.com/content/private-registries/pr-gcr.html) - and read the notes about the password. - properties: - enabled: - type: boolean - description: | - Enable the creation of a Kubernetes Secret containing credentials - to access a image registry. By enabling this, user pods and image - puller pods will also be configured to use these credentials when - they pull their container images. - - registry: - type: string - description: | - Name of the private registry you want to create a credential set - for. It will default to Docker Hub's image registry. - - Examples: - - https://index.docker.io/v1/ - - quay.io - - eu.gcr.io - - alexmorreale.privatereg.net - username: - type: string - description: | - Name of the user you want to use to connect to your private - registry. For external gcr.io, you will use the `_json_key`. 
- - Examples: - - alexmorreale - - alex@pfc.com - - _json_key - password: - type: string - description: | - Password of the user you want to use to connect to your private - registry. - - Examples: - - plaintextpassword - - abc123SECRETzyx098 - - For gcr.io registries the password will be a big JSON blob for a - Google cloud service account, it should look something like below. - - ```yaml - password: |- - { - "type": "service_account", - "project_id": "jupyter-se", - "private_key_id": "f2ba09118a8d3123b3321bd9a7d6d0d9dc6fdb85", - ... - } - ``` - - Learn more in [this - guide](http://docs.heptio.com/content/private-registries/pr-gcr.html). + imagePullSecret: *imagePullSecretSchema image: type: object description: | diff --git a/jupyterhub/templates/_helpers.tpl b/jupyterhub/templates/_helpers.tpl index bdc8f95d52..d7d2ea986a 100644 --- a/jupyterhub/templates/_helpers.tpl +++ b/jupyterhub/templates/_helpers.tpl 
@@ -163,52 +163,25 @@ component: {{ include "jupyterhub.componentLabel" . }} {{- /* - jupyterhub.dockersingleuserconfigjson: + jupyterhub.dockerconfigjson: Creates a base64 encoded docker registry json blob for use in a image pull secret, just like the `kubectl create secret docker-registry` command does for the generated secrets data.dockerconfigjson field. The output is verified to be exactly the same even if you have a password spanning multiple lines as you may need to use a private GCR registry. - - https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod -*/}} -{{- define "jupyterhub.dockersingleuserconfigjson" -}} -{{ include "jupyterhub.dockersingleuserconfigjson.yaml" . | b64enc }} -{{- end }} - -{{- define "jupyterhub.dockersingleuserconfigjson.yaml" -}} -{{- with .Values.singleuser.imagePullSecret -}} -{ - "auths": { - {{ .registry | default "https://index.docker.io/v1/" | quote }}: { - "username": {{ .username | quote }}, - "password": {{ .password | quote }}, - {{- if .email }} - "email": {{ .email | quote }}, - {{- end }} - "auth": {{ (print .username ":" .password) | b64enc | quote }} - } - } -} -{{- end }} -{{- end }} - -{{- /* - jupyterhub.dockerhubconfigjson: - Creates a base64 encoded docker registry json blob for use in a image pull - secret, just like the `kubectl create secret docker-registry` command does - for the generated secrets data.dockerhubconfigjson field. The output is - verified to be exactly the same even if you have a password spanning - multiple lines as you may need to use a private GCR registry. + This template expects to be passed a structure like in: + - .Values.singleuser.imagePullSecret + - .Values.hub.imagePullSecret + - .Values.proxy.imagePullSecret - https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod */}} -{{- define "jupyterhub.dockerhubconfigjson" -}} -{{ include "jupyterhub.dockerhubconfigjson.yaml" . 
| b64enc }} +{{- define "jupyterhub.dockerconfigjson" -}} +{{ include "jupyterhub.dockerconfigjson.yaml" . | b64enc }} {{- end }} -{{- define "jupyterhub.dockerhubconfigjson.yaml" -}} -{{- with .Values.hub.imagePullSecret -}} +{{- define "jupyterhub.dockerconfigjson.yaml" -}} { "auths": { {{ .registry | default "https://index.docker.io/v1/" | quote }}: { @@ -222,7 +195,7 @@ component: {{ include "jupyterhub.componentLabel" . }} } } {{- end }} -{{- end }} + {{- /* jupyterhub.resources: diff --git a/jupyterhub/templates/hub/image-credentials-secret.yaml b/jupyterhub/templates/hub/image-credentials-secret.yaml index edafcd489a..89adbc894a 100644 --- a/jupyterhub/templates/hub/image-credentials-secret.yaml +++ b/jupyterhub/templates/hub/image-credentials-secret.yaml @@ -8,5 +8,5 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ include "jupyterhub.dockerhubconfigjson" . }} + .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.hub.imagePullSecret }} {{- end }} diff --git a/jupyterhub/templates/image-puller/_daemonset-helper.yaml b/jupyterhub/templates/image-puller/_daemonset-helper.yaml index 91fe5d605e..a0537d18e9 100644 --- a/jupyterhub/templates/image-puller/_daemonset-helper.yaml +++ b/jupyterhub/templates/image-puller/_daemonset-helper.yaml @@ -52,11 +52,10 @@ spec: imagePullSecrets: {{- if .Values.singleuser.imagePullSecret.enabled }} - name: {{ if .hook -}} hook- {{- end -}} singleuser-image-credentials - {{ else }} + {{- end }} {{- range .Values.singleuser.image.pullSecrets }} - name: {{ . }} {{- end }} - {{ end }} {{- end }} initContainers: - name: image-pull-singleuser diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml index 3f6102d96e..999d47b977 100644 --- a/jupyterhub/templates/proxy/deployment.yaml +++ b/jupyterhub/templates/proxy/deployment.yaml 
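Review bot: `jupyterhub.dockerconfigjson.yaml` now renders whatever mapping the caller passes with no check that `.username` and `.password` are set, whereas the removed `with` blocks at least skipped an absent mapping; with `enabled: true` and the default bare `password:` from values.yaml, `.password | quote` receives nil (sprig's `quote` drops nil arguments, as far as I recall), producing a JSON blob that Kubernetes stores but the kubelet cannot use. Every caller appears to include this template only when `enabled` is true, so make the contract explicit with Helm's `required`: `"username": {{ required "imagePullSecret.username must be set when imagePullSecret.enabled is true" .username | quote }},` and the same for `"password"`; the `"auth"` value built from `print .username ":" .password` should use the same guarded values. Those `username`/`password` lines sit between this hunk and the next, outside the shown changes. The comment header could also state that the dot must be the `imagePullSecret` mapping itself, as the new callers pass `.Values.<component>.imagePullSecret`.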
@@ -48,6 +48,15 @@ spec: secret: secretName: {{ .Values.proxy.https.secret.name }} {{- end }} + {{- if or .Values.proxy.imagePullSecret.enabled .Values.proxy.chp.image.pullSecrets }} + imagePullSecrets: + {{- if .Values.proxy.imagePullSecret.enabled }} + - name: proxy-image-credentials + {{- end }} + {{- range .Values.proxy.chp.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} containers: - name: chp image: {{ .Values.proxy.chp.image.name }}:{{ .Values.proxy.chp.image.tag }} diff --git a/jupyterhub/templates/proxy/image-credentials-secret.yaml b/jupyterhub/templates/proxy/image-credentials-secret.yaml new file mode 100644 index 0000000000..e7fbf5ce7d --- /dev/null +++ b/jupyterhub/templates/proxy/image-credentials-secret.yaml @@ -0,0 +1,13 @@ + +{{- if .Values.proxy.imagePullSecret.enabled }} +kind: Secret +apiVersion: v1 +metadata: + name: proxy-image-credentials + labels: + {{- $_ := merge (dict "componentSuffix" "-image-credentials") . }} + {{- include "jupyterhub.labels" $_ | nindent 4 }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.proxy.imagePullSecret }} +{{- end }} diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml index 342f16ca73..34d63338ab 100644 --- a/jupyterhub/templates/singleuser/image-credentials-secret.yaml +++ b/jupyterhub/templates/singleuser/image-credentials-secret.yaml @@ -8,7 +8,7 @@ metadata: {{- include "jupyterhub.labels" $_ | nindent 4 }} type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ include "jupyterhub.dockersingleuserconfigjson" . }} + .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.singleuser.imagePullSecret }} {{- if .Values.prePuller.hook.enabled }} --- kind: Secret 
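Review bot: The new `imagePullSecrets` block hardcodes `proxy-image-credentials`, which must match `metadata.name` in the new proxy/image-credentials-secret.yaml; a one-line comment above it, `# must match metadata.name in proxy/image-credentials-secret.yaml`, would prevent silent drift between the two templates. The `or` guard also reads `.Values.proxy.chp.image.pullSecrets`, a key this commit introduces in values.yaml but, as far as the diff shows, does not add under `proxy.chp.image` in schema.yaml; if that schema rejects unknown properties the new default would fail validation, so confirm the schema covers it.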
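Review bot: The new proxy/image-credentials-secret.yaml begins with an empty line (the first `+` line of the hunk) before `{{- if .Values.proxy.imagePullSecret.enabled }}`; the `{{-` trims it at render time so it is harmless, but a leading blank line is not what a reader expects at the top of a template. Drop it so the file starts with the guard, as the hub and singleuser counterparts appear to.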
@@ -25,6 +25,6 @@ metadata: "helm.sh/hook-weight": "-20" type: kubernetes.io/dockerconfigjson data: - .dockerconfigjson: {{ include "jupyterhub.dockersingleuserconfigjson" . }} + .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.singleuser.imagePullSecret }} {{- end }} {{- end }} diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml index 78edb1e730..f5c577c00f 100644 --- a/jupyterhub/values.yaml +++ b/jupyterhub/values.yaml @@ -49,8 +49,7 @@ hub: image: name: jupyterhub/k8s-hub tag: 'set-by-chartpress' - # pullSecrets: - # - secretName + pullSecrets: [] resources: requests: cpu: 200m @@ -59,8 +58,8 @@ hub: imagePullSecret: enabled: false registry: - username: email: + username: password: pdb: enabled: true @@ -121,6 +120,12 @@ proxy: ## Error: Deployment.apps "proxy" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate' ## Error: UPGRADE FAILED: Deployment.apps "proxy" is invalid: spec.strategy.rollingUpdate: Forbidden: may not be specified when strategy `type` is 'Recreate' rollingUpdate: + imagePullSecret: + enabled: false + registry: + username: + email: + password: service: type: LoadBalancer labels: {} @@ -134,6 +139,7 @@ proxy: image: name: jupyterhub/configurable-http-proxy tag: 4.2.1 + pullSecrets: [] livenessProbe: enabled: true initialDelaySeconds: 30 @@ -270,8 +276,7 @@ singleuser: name: jupyterhub/k8s-singleuser-sample tag: 'set-by-chartpress' pullPolicy: IfNotPresent - # pullSecrets: - # - secretName + pullSecrets: [] imagePullSecret: enabled: false registry:
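Review bot: Replacing the commented `# pullSecrets:` / `# - secretName` example with `pullSecrets: []` at `hub.image` (and likewise in the `-134,6` and `-270,8` hunks for `proxy.chp.image` and `singleuser.image`) drops the only hint of what the list holds; `[]` is the right explicit default, but keep the shape documented with a comment above it, e.g. `# pullSecrets: names of existing image pull Secrets to list under imagePullSecrets, e.g. [my-registry-credentials]`. Separately, the new `proxy.imagePullSecret` block in the `-121,6` hunk uses bare `registry:`, `username:`, `email:`, `password:` values, which parse as null rather than empty strings; that matches the existing hub block, so it is consistent, but an explicit `null` or `""` would make the intended type visible to readers and to the schema.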