-
Notifications
You must be signed in to change notification settings - Fork 389
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support dynamic push credentials obtained from registry #1724
Conversation
binderhub/build.py
Outdated
env.append( | ||
client.V1EnvVar( | ||
name="CONTAINER_ENGINE_REGISTRY_CREDENTIALS", | ||
value=self.push_secret_content, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is less secure than the push_secret
option I think, because kubectl get pod
can reveal content while when using a dedicated k8s Secret to house the content only kubectl get secret
can reveal the content.
KubeSpawner has ended up dynamically creating also a k8s Secret for user pods to house misc information, for example info relevant for internal_ssl. It certainly adds complexity to do that, and this is far less complicated.
I think it may be acceptable to do this if we describe it clearly in the help string of the config.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree it's not as good as using a secret, however we had a long discussion in #1577 over the pros and cons of dynamically creating secrets attached to pods, as the same problem arises with dynamic Git credentials.
binderhub/build.py
Outdated
push_secret_content = Unicode( | ||
"", | ||
help=( | ||
"Content of an implementation dependent secret for pushing image to a registry. " | ||
"For example, if push tokens are temporary this can be used to pass the token " | ||
"as an environment variable CONTAINER_ENGINE_REGISTRY_CREDENTIALS to " | ||
"repo2docker." | ||
"If provided this will be used instead of push_secret." | ||
), | ||
config=True, | ||
) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall, the push_secret
config has been challenging for me to understand well. Here are some notes on what I think can help.
- Its not obvious that its a
push_secret
references a name (k8s Secret resource for example) as compared to content to put inside one. - Its not obvious that its going to be created or needs to be created manually
- Its not obvious what kind of content to put in the referenced secret created manually
Thinking about what I'd appreciate from docs to understand this good enough, I'd say something like the following, where its not obvious whats in scope and not for this PR:
- I think "implementation dependant" could be written more verbosively to clarify that: its dependant on the BuildExecutor implementation, and no base implemention exist.
push_secret
andpush_secret_content
's help strings are both are updated to reflect that there are separate ways of providing container registry credentials to the builder, wherepush_secret
references something existing by name, andpush_secret_content
is content.push_secret
andpush_secret_content
's help strings are both are updated on how to know what kind of resource to reference and what content to provide. This may be implementation dependent and not something BuildExecutor can know, but I think we can declare here where to find that kind of details.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll update the docs. AFAIK it should be fine to duplicate the traitlet in the subclass to have more specialist documentation?
If it's easier (I'm not sure whether it is), we could switch push_secret
to be of type (Unicode, Dict)
. where Dict would for example take the form {content: <secret>}
or {secret_name: <k8s-secret-name>}
. Unicode
would support the current default behaviour.
e42f040
to
f381eb3
Compare
What do you think of the updated docs? I've renamed the new property. Do you think it's worth switching to a dynamic secret instead, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've googled on CONTAINER_ENGINE_REGISTRY_CREDENTIALS
and understand the name to be defined by us and not an env var name respected by another project already, right?
What do you think about transition to prefixing it with BINDERHUB_
as this is the software project that defines them and sets them?
I've grown opinionated about this after seeing env vars respected by jupyter/docker-stacks images show up in z2jh and other places, where its very hard to understand they won't work for other images.
Reviewing this PR, I've googled the internet to find if CONTAINER_ENGINE_REGISTRY_CREDENTIALS
and GIT_CREDENTIAL_ENV
was used elsewhere, for example is GIT_CREDENTAL_ENV
an env variable respected by git? I suspected it was because of its name, but it probably isn't as its not listed in git documentation. If it was named BINDERHUB_GIT_CREDENTIALS
it would be obvious to me git
wouldn't respect them, so then I could understand that it had to be consumed by something else. Searching in repo2docker, it seems that it isn't respected by that either but that there was some legacy notes about it leaving me confused if it will be respected by repo2docker.
I'd like to see us not lock into defining another env variable name that isn't obviously defined by this project by not prefixing it, but besides that I think we should merge this.
Both of these environment variables are used by repo2docker:
In hindsight prefixing them with |
jupyterhub/binderhub#1724 Merge pull request #1724 from manics/registry-dynamic-token-2
Use manual build of jupyterhub/binderhub#1724
Use manual build of jupyterhub/binderhub#1724
Use manual build of jupyterhub/binderhub#1724
Use manual build of jupyterhub/binderhub#1724
Use manual build of jupyterhub/binderhub#1724
Extracted from #1637
This is required to support time-limited registry credentials, as required by AWS ECR.
Required for jupyterhub/mybinder.org-deploy#2629