jupyterhub · hdimitriou · Sep 6, 2019 · Oct 25, 2019 · Nov 4, 2019 · Dec 11, 2019
diff --git a/dev-config.yaml b/dev-config.yaml
@@ -10,13 +10,36 @@ proxy:
       requests:
         memory: 0
         cpu: 0
-  networkPolicy:
+  imagePullSecret: &imagePullSecret
     enabled: true
+    registry: gcr.io
+    username: _json_key
+    password: |-
+      {
+        "type": "service_account",
+        "project_id": "dummy-gcp-project",
+        "private_key_id": "asdfasdfasdfasdfasdfasdfasdfasdfasdfasdf",
+        "private_key": "-----BEGIN PRIVATE KEY-----........-----END PRIVATE KEY-----\n",
+        "client_email": "sa-name@dummy-gcp-project.iam.gserviceaccount.com",
+        "client_id": "107124232533563852236",
+        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+        "token_uri": "https://oauth2.googleapis.com/token",
+        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/sa-name%40dummy-gcp-project.iam.gserviceaccount.com"
+      }
+  secretToken: 97141abb55ea5321867979cb57bb2e6a86a2f4d6bb166fca45aedb07c212c42d
+  service:
+    type: NodePort
+    nodePorts:
+      http: 31212
 
 hub:
   cookieSecret: 1470700e01f77171c2c67b12130c25081dfbdf2697af8c2f2bd05621b31100bf
   db:
     type: sqlite-memory
+  imagePullSecret: *imagePullSecret
+  networkPolicy:
+    enabled: true
   resources:
     requests:
       memory: 0
@@ -25,13 +48,9 @@ hub:
     test:
       admin: true
       apiToken: 0cc05feaefeeb29179e924ffc6d3886ffacf0d1a28ab225f5c210436ffc5cfd5
-  networkPolicy:
-    enabled: true
-
 
 singleuser:
-  storage:
-    type: none
+  imagePullSecret: *imagePullSecret
   memory:
     guarantee: null
   networkPolicy:
@@ -51,6 +70,8 @@ singleuser:
             cidr: 104.28.9.110/32
         - ipBlock:
             cidr: 104.28.8.110/32
+  storage:
+    type: none
 
 prePuller:
   hook:
@@ -62,3 +83,4 @@ scheduling:
 
 debug:
   enabled: true
+
diff --git a/jupyterhub/schema.yaml b/jupyterhub/schema.yaml
@@ -38,18 +38,18 @@ properties:
 
           See the [Kubernetes docs](https://kubernetes.io/docs/concepts/containers/images/#updating-images)
           for more info on what the values mean.
-      imagePullSecret:
+      imagePullSecret: &imagePullSecretSchema
         type: object
         description: |
-          Creates an image pull secret for you and makes the hub pod utilize
-          it, allowing it to pull images from private image registries.
+          Creates an image pull secret for you and makes the related pods utilize
+          it, allowing them to pull images from private image registries.
 
           Using this configuration option automates the following steps that
           normally is required to pull from private image registries.
 
           ```sh
           # you won't need to run this manually...
-          kubectl create secret docker-registry hub-image-credentials \
+          kubectl create secret docker-registry <singleuser|hub|proxy>-image-credentials \
             --docker-server=<REGISTRY> \
             --docker-username=<USERNAME> \
             --docker-email=<EMAIL> \
@@ -60,7 +60,7 @@ properties:
           # you won't need to specify this manually...
           spec:
             imagePullSecrets:
-              - name: hub-image-credentials
+              - name: <singleuser|hub|proxy>-image-credentials
           ```
 
           To learn the username and password fields to access a gcr.io registry
@@ -73,8 +73,10 @@ properties:
             type: boolean
             description: |
               Enable the creation of a Kubernetes Secret containing credentials
-              to access a image registry. By enabling this, the hub pod will also be configured
-              to use these credentials when it pulls its container image.
+              to access a image registry. By enabling this, related pods will
+              also be configured to use these credentials when they pull their
+              container images.
+
           registry:
             type: string
             description: |
@@ -470,6 +472,7 @@ properties:
   proxy:
     type: object
     properties:
+      imagePullSecret: *imagePullSecretSchema
       secretToken:
         type: string
         description: |
@@ -707,91 +710,7 @@ properties:
               - "null"
             description: |
               Note that this field is referred to as *requests* by the Kubernetes API.
-      imagePullSecret:
-        type: object
-        description: |
-          Creates an image pull secret for you and makes the user pods utilize
-          it, allowing them to pull images from private image registries.
-
-          Using this configuration option automates the following steps that
-          normally is required to pull from private image registries.
-
-          ```sh
-          # you won't need to run this manually...
-          kubectl create secret docker-registry singleuser-image-credentials \
-            --docker-server=<REGISTRY> \
-            --docker-username=<USERNAME> \
-            --docker-email=<EMAIL> \
-            --docker-password=<PASSWORD>
-          ```
-
-          ```yaml
-          # you won't need to specify this manually...
-          spec:
-            imagePullSecrets:
-              - name: singleuser-image-credentials
-          ```
-
-          To learn the username and password fields to access a gcr.io registry
-          from a Kubernetes cluster not associated with the same google cloud
-          credentials, look into [this
-          guide](http://docs.heptio.com/content/private-registries/pr-gcr.html)
-          and read the notes about the password.
-        properties:
-          enabled:
-            type: boolean
-            description: |
-              Enable the creation of a Kubernetes Secret containing credentials
-              to access a image registry. By enabling this, user pods and image
-              puller pods will also be configured to use these credentials when
-              they pull their container images.
-
-          registry:
-            type: string
-            description: |
-              Name of the private registry you want to create a credential set
-              for. It will default to Docker Hub's image registry.
-
-              Examples:
-                - https://index.docker.io/v1/
-                - quay.io
-                - eu.gcr.io
-                - alexmorreale.privatereg.net
-          username:
-            type: string
-            description: |
-              Name of the user you want to use to connect to your private
-              registry. For external gcr.io, you will use the `_json_key`.
-
-              Examples:
-                - alexmorreale
-                - alex@pfc.com
-                - _json_key
-          password:
-            type: string
-            description: |
-              Password of the user you want to use to connect to your private
-              registry.
-
-              Examples:
-                - plaintextpassword
-                - abc123SECRETzyx098
-
-              For gcr.io registries the password will be a big JSON blob for a
-              Google cloud service account, it should look something like below.
-
-              ```yaml
-              password: |-
-                {
-                  "type": "service_account",
-                  "project_id": "jupyter-se",
-                  "private_key_id": "f2ba09118a8d3123b3321bd9a7d6d0d9dc6fdb85",
-                  ...
-                }
-              ```
-
-              Learn more in [this
-              guide](http://docs.heptio.com/content/private-registries/pr-gcr.html).
+      imagePullSecret: *imagePullSecretSchema
       image:
         type: object
         description: |

diff --git a/jupyterhub/templates/_helpers.tpl b/jupyterhub/templates/_helpers.tpl
@@ -163,52 +163,25 @@ component: {{ include "jupyterhub.componentLabel" . }}
 
 
 {{- /*
-  jupyterhub.dockersingleuserconfigjson:
+  jupyterhub.dockerconfigjson:
     Creates a base64 encoded docker registry json blob for use in a image pull
     secret, just like the `kubectl create secret docker-registry` command does
     for the generated secrets data.dockerconfigjson field. The output is
     verified to be exactly the same even if you have a password spanning
     multiple lines as you may need to use a private GCR registry.
 
-    - https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
-*/}}
-{{- define "jupyterhub.dockersingleuserconfigjson" -}}
-{{ include "jupyterhub.dockersingleuserconfigjson.yaml" . | b64enc }}
-{{- end }}
-
-{{- define "jupyterhub.dockersingleuserconfigjson.yaml" -}}
-{{- with .Values.singleuser.imagePullSecret -}}
-{
-  "auths": {
-    {{ .registry | default "https://index.docker.io/v1/" | quote }}: {
-      "username": {{ .username | quote }},
-      "password": {{ .password | quote }},
-      {{- if .email }}
-      "email": {{ .email | quote }},
-      {{- end }}
-      "auth": {{ (print .username ":" .password) | b64enc | quote }}
-    }
-  }
-}
-{{- end }}
-{{- end }}
-
-{{- /*
-  jupyterhub.dockerhubconfigjson:
-    Creates a base64 encoded docker registry json blob for use in a image pull
-    secret, just like the `kubectl create secret docker-registry` command does
-    for the generated secrets data.dockerhubconfigjson field. The output is
-    verified to be exactly the same even if you have a password spanning
-    multiple lines as you may need to use a private GCR registry.
+    This template expects to be passed a structure like in:
+    - .Values.singleuser.imagePullSecret
+    - .Values.hub.imagePullSecret
+    - .Values.proxy.imagePullSecret
 
     - https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 */}}
-{{- define "jupyterhub.dockerhubconfigjson" -}}
-{{ include "jupyterhub.dockerhubconfigjson.yaml" . | b64enc }}
+{{- define "jupyterhub.dockerconfigjson" -}}
+{{ include "jupyterhub.dockerconfigjson.yaml" . | b64enc }}
 {{- end }}
 
-{{- define "jupyterhub.dockerhubconfigjson.yaml" -}}
-{{- with .Values.hub.imagePullSecret -}}
+{{- define "jupyterhub.dockerconfigjson.yaml" -}}
 {
   "auths": {
     {{ .registry | default "https://index.docker.io/v1/" | quote }}: {
@@ -222,7 +195,7 @@ component: {{ include "jupyterhub.componentLabel" . }}
   }
 }
 {{- end }}
-{{- end }}
+
 
 {{- /*
   jupyterhub.resources:

diff --git a/jupyterhub/templates/hub/image-credentials-secret.yaml b/jupyterhub/templates/hub/image-credentials-secret.yaml
@@ -8,5 +8,5 @@ metadata:
     {{- include "jupyterhub.labels" $_ | nindent 4 }}
 type: kubernetes.io/dockerconfigjson
 data:
-  .dockerconfigjson: {{ include "jupyterhub.dockerhubconfigjson" . }}
+  .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.hub.imagePullSecret }}
 {{- end }}
diff --git a/jupyterhub/templates/image-puller/_daemonset-helper.yaml b/jupyterhub/templates/image-puller/_daemonset-helper.yaml
@@ -52,11 +52,10 @@ spec:
       imagePullSecrets:
         {{- if .Values.singleuser.imagePullSecret.enabled }}
         - name: {{ if .hook -}} hook- {{- end -}} singleuser-image-credentials
-        {{ else }}
+        {{- end }}
         {{- range .Values.singleuser.image.pullSecrets }}
         - name: {{ . }}
         {{- end }}
-        {{ end }}
       {{- end }}
       initContainers:
         - name: image-pull-singleuser

diff --git a/jupyterhub/templates/proxy/deployment.yaml b/jupyterhub/templates/proxy/deployment.yaml
@@ -48,6 +48,15 @@ spec:
           secret:
             secretName: {{ .Values.proxy.https.secret.name }}
       {{- end }}
+      {{- if or .Values.proxy.imagePullSecret.enabled .Values.proxy.chp.image.pullSecrets }}
+      imagePullSecrets:
+        {{- if .Values.proxy.imagePullSecret.enabled }}
+        - name: proxy-image-credentials
+        {{- end }}
+        {{- range .Values.proxy.chp.image.pullSecrets }}
+        - name: {{ . }}
+        {{- end }}
+      {{- end }}
       containers:
         - name: chp
           image: {{ .Values.proxy.chp.image.name }}:{{ .Values.proxy.chp.image.tag }}

diff --git a/jupyterhub/templates/proxy/image-credentials-secret.yaml b/jupyterhub/templates/proxy/image-credentials-secret.yaml
@@ -0,0 +1,13 @@
+
+{{- if .Values.proxy.imagePullSecret.enabled }}
+kind: Secret
+apiVersion: v1
+metadata:
+  name: proxy-image-credentials
+  labels:
+    {{- $_ := merge (dict "componentSuffix" "-image-credentials") . }}
+    {{- include "jupyterhub.labels" $_ | nindent 4 }}
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.proxy.imagePullSecret }}
+{{- end }}
diff --git a/jupyterhub/templates/singleuser/image-credentials-secret.yaml b/jupyterhub/templates/singleuser/image-credentials-secret.yaml
@@ -8,7 +8,7 @@ metadata:
     {{- include "jupyterhub.labels" $_ | nindent 4 }}
 type: kubernetes.io/dockerconfigjson
 data:
-  .dockerconfigjson: {{ include "jupyterhub.dockersingleuserconfigjson" . }}
+  .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.singleuser.imagePullSecret }}
 {{- if .Values.prePuller.hook.enabled }}
 ---
 kind: Secret
@@ -25,6 +25,6 @@ metadata:
     "helm.sh/hook-weight": "-20"
 type: kubernetes.io/dockerconfigjson
 data:
-  .dockerconfigjson: {{ include "jupyterhub.dockersingleuserconfigjson" . }}
+  .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" .Values.singleuser.imagePullSecret }}
 {{- end }}
 {{- end }}