From a417772d56b089bfebade122abc45a0ebd168c0e Mon Sep 17 00:00:00 2001
From: Samuel Fernandes
Date: Sun, 23 Jun 2024 12:09:42 +0100
Subject: [PATCH 1/5] fix(prepuller): Add dummy service accounts to hook-image-puller and continuous-image-puller pods
---
jupyterhub/templates/_helpers-names.tpl | 18 ++++++++++++++++
.../image-puller/_helpers-daemonset.tpl | 9 ++++++++
.../serviceaccount-continuous.yaml | 17 +++++++++++++++
.../image-puller/serviceaccount-hook.yaml | 21 +++++++++++++++++++
jupyterhub/values.schema.yaml | 2 ++
jupyterhub/values.yaml | 10 +++++++++
6 files changed, 77 insertions(+)
create mode 100644 jupyterhub/templates/image-puller/serviceaccount-continuous.yaml
create mode 100644 jupyterhub/templates/image-puller/serviceaccount-hook.yaml
diff --git a/jupyterhub/templates/_helpers-names.tpl b/jupyterhub/templates/_helpers-names.tpl
index f0fe1a51c7..2bc9f5bd6c 100644
--- a/jupyterhub/templates/_helpers-names.tpl
+++ b/jupyterhub/templates/_helpers-names.tpl
@@ -196,11 +196,29 @@ {{- include "jupyterhub.fullname.dash" . }}hook-image-puller {{- end }} +{{- /* hook-image-puller ServiceAccount */}} +{{- define "jupyterhub.hook-image-puller-serviceaccount.fullname" -}} + {{- if .Values.prePuller.hook.serviceAccountImagePuller.create }} + {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default (include "jupyterhub.hook-image-puller.fullname" .) }} + {{- else }} + {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default "default" }} + {{- end }} +{{- end }} + {{- /* continuous-image-puller DaemonSet */}} {{- define "jupyterhub.continuous-image-puller.fullname" -}} {{- include "jupyterhub.fullname.dash" . }}continuous-image-puller {{- end }} +{{- /* continuous-image-puller ServiceAccount */}} +{{- define "jupyterhub.continuous-image-puller-serviceaccount.fullname" -}} + {{- if .Values.prePuller.continuous.serviceAccount.create }} + {{- .Values.prePuller.continuous.serviceAccount.name | default (include "jupyterhub.continuous-image-puller.fullname" .) }} + {{- else }} + {{- .Values.prePuller.continuous.serviceAccount.name | default "default" }} + {{- end }} +{{- end }} + {{- /* singleuser NetworkPolicy */}} {{- define "jupyterhub.singleuser.fullname" -}} {{- include "jupyterhub.fullname.dash" . }}singleuser diff --git a/jupyterhub/templates/image-puller/_helpers-daemonset.tpl b/jupyterhub/templates/image-puller/_helpers-daemonset.tpl index 16213b09be..e20cb06e3a 100644 --- a/jupyterhub/templates/image-puller/_helpers-daemonset.tpl +++ b/jupyterhub/templates/image-puller/_helpers-daemonset.tpl 
@@ -70,6 +70,15 @@ spec: {{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }} {{- end }} terminationGracePeriodSeconds: 0 + {{- if .hook }} + {{- with include "jupyterhub.hook-image-puller-serviceaccount.fullname" . }} + serviceAccountName: {{ . }} + {{- end }} + {{- else }} + {{- with include "jupyterhub.continuous-image-puller-serviceaccount.fullname" . }} + serviceAccountName: {{ . }} + {{- end }} + {{- end }} automountServiceAccountToken: false {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.singleuser.image) }} imagePullSecrets: {{ . }} diff --git a/jupyterhub/templates/image-puller/serviceaccount-continuous.yaml b/jupyterhub/templates/image-puller/serviceaccount-continuous.yaml new file mode 100644 index 0000000000..16aaff3e12 --- /dev/null +++ b/jupyterhub/templates/image-puller/serviceaccount-continuous.yaml @@ -0,0 +1,17 @@ +{{- /* +ServiceAccount for the continuous image-puller daemonset +*/}} +{{- if .Values.prePuller.continuous.serviceAccount.create -}} +{{- if .Values.prePuller.continuous.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "jupyterhub.continuous-image-puller.fullname" . }} + labels: + {{- include "jupyterhub.labels" . | nindent 4 }} + annotations: + {{- with .Values.prePuller.continuous.serviceAccount.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/jupyterhub/templates/image-puller/serviceaccount-hook.yaml b/jupyterhub/templates/image-puller/serviceaccount-hook.yaml new file mode 100644 index 0000000000..d8bcd3c78b --- /dev/null +++ b/jupyterhub/templates/image-puller/serviceaccount-hook.yaml 
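Review bot: `serviceAccountName: {{ . }}` in both branches emits a user-configurable name unquoted, so a name that YAML reads as a number or boolean (an all-digit name, for instance) would reach the API with the wrong type; `serviceAccountName: {{ . | quote }}` avoids that. The `automountServiceAccountToken: false` line that follows is what keeps the account free of API credentials inside the pod, and a one-line template comment above the new block, such as `{{- /* identity only: no API token is mounted, see automountServiceAccountToken below */}}`, would stop a later edit from dropping it unnoticed. The pod template continues outside the hunk.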
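Review bot: `name: {{ include "jupyterhub.continuous-image-puller.fullname" . }}` uses the DaemonSet name helper, so a configured `prePuller.continuous.serviceAccount.name` is ignored here, while the DaemonSet in _helpers-daemonset.tpl takes `serviceAccountName` from `jupyterhub.continuous-image-puller-serviceaccount.fullname`. With a custom name the pods would reference an account that this template never creates. The line should read `name: {{ include "jupyterhub.continuous-image-puller-serviceaccount.fullname" . }}`, which is what serviceaccount-hook.yaml does for the hook variant.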
@@ -0,0 +1,21 @@ +{{- /* +ServiceAccount for the hook image-puller daemonset +*/}} +{{- if .Values.prePuller.hook.serviceAccountImagePuller.create -}} +{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "jupyterhub.hook-image-puller-serviceaccount.fullname" . }} + labels: + {{- include "jupyterhub.labels" . | nindent 4 }} + hub.jupyter.org/deletable: "true" + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + "helm.sh/hook-weight": "0" + {{- with .Values.prePuller.hook.serviceAccountImagePuller.annotations }} + {{- . | toYaml | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/jupyterhub/values.schema.yaml b/jupyterhub/values.schema.yaml index 25494f1c62..aec53ac0ee 100644 --- a/jupyterhub/values.schema.yaml +++ b/jupyterhub/values.schema.yaml @@ -2864,6 +2864,7 @@ properties: image: *image-spec resources: *resources-spec serviceAccount: *serviceAccount + serviceAccountImagePuller: *serviceAccount continuous: type: object additionalProperties: false @@ -2880,6 +2881,7 @@ properties: properties: enabled: type: boolean + serviceAccount: *serviceAccount pullProfileListImages: type: boolean description: | diff --git a/jupyterhub/values.yaml b/jupyterhub/values.yaml index d54a56bae5..1156f8a025 100644 --- a/jupyterhub/values.yaml +++ b/jupyterhub/values.yaml @@ -665,12 +665,22 @@ prePuller: nodeSelector: {} tolerations: [] resources: {} + # Service Account for the hook-image-awaiter Job serviceAccount: create: true name: annotations: {} + # Service Account for the hook-image-puller DaemonSet + serviceAccountImagePuller: + create: true + name: + annotations: {} continuous: enabled: true + serviceAccount: + create: true + name: + annotations: {} pullProfileListImages: true extraImages: {} pause: From 351cd2066f59f79223baaacb77006e15b0d70f5d Mon Sep 17 00:00:00 2001 
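Review bot: The ServiceAccount object sets no `automountServiceAccountToken` of its own, so the no-token property of this "dummy" account rests only on the pod spec in _helpers-daemonset.tpl. Any other pod that is later pointed at the account by name would get a token mounted by default. Adding a top-level `automountServiceAccountToken: false` to this manifest, and to serviceaccount-continuous.yaml, keeps the account credential-free regardless of which workload references it.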
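Review bot: In the values.yaml hunk, `prePuller.continuous.serviceAccount` is the only one of the three service-account blocks without a comment; add `# Service Account for the continuous-image-puller DaemonSet` above it to match the two hook entries. The comments should also say what `create: false` with an empty `name` resolves to, because that is decided in _helpers-names.tpl and an operator reading only the values file cannot tell which account the pods will run under.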
From: Erik Sundell Date: Fri, 10 Jan 2025 20:39:08 +0100 Subject: [PATCH 2/5] Use the same hook weight on the SA as the DaemonSet that will need it --- jupyterhub/templates/image-puller/serviceaccount-hook.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jupyterhub/templates/image-puller/serviceaccount-hook.yaml b/jupyterhub/templates/image-puller/serviceaccount-hook.yaml index d8bcd3c78b..4e6d5f3a01 100644 --- a/jupyterhub/templates/image-puller/serviceaccount-hook.yaml +++ b/jupyterhub/templates/image-puller/serviceaccount-hook.yaml @@ -13,7 +13,7 @@ metadata: annotations: "helm.sh/hook": pre-install,pre-upgrade "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "0" + "helm.sh/hook-weight": "-10" {{- with .Values.prePuller.hook.serviceAccountImagePuller.annotations }} {{- . | toYaml | nindent 4 }} {{- end }} From 28b1db3dea647a316f9daa72e4fd923cd58d3343 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 10 Jan 2025 20:40:08 +0100 Subject: [PATCH 3/5] ci: test configuration of dummy SA for image pullers --- tools/templates/lint-and-validate-values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/templates/lint-and-validate-values.yaml b/tools/templates/lint-and-validate-values.yaml index ef64f82ee3..d580adc06c 100644 --- a/tools/templates/lint-and-validate-values.yaml +++ b/tools/templates/lint-and-validate-values.yaml @@ -563,8 +563,10 @@ prePuller: value: mock-taint-value-hook effect: NoSchedule serviceAccount: *serviceAccount + serviceAccountImagePuller: *serviceAccount continuous: enabled: true + serviceAccount: *serviceAccount extraImages: mockImage1: name: mock-user/mock-image1 From 69581cdf90ef1ca8dad00a91c457e4fe2acc9fe9 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Fri, 10 Jan 2025 20:58:22 +0100 Subject: [PATCH 4/5] Let helper functions for image puller SA names be relevant or empty --- jupyterhub/templates/_helpers-names.tpl | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/jupyterhub/templates/_helpers-names.tpl b/jupyterhub/templates/_helpers-names.tpl index 2bc9f5bd6c..ce91391b01 100644 --- a/jupyterhub/templates/_helpers-names.tpl +++ b/jupyterhub/templates/_helpers-names.tpl @@ -198,11 +198,7 @@ {{- /* hook-image-puller ServiceAccount */}} {{- define "jupyterhub.hook-image-puller-serviceaccount.fullname" -}} - {{- if .Values.prePuller.hook.serviceAccountImagePuller.create }} - {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default (include "jupyterhub.hook-image-puller.fullname" .) }} - {{- else }} - {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default "default" }} - {{- end }} + {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default (include "jupyterhub.hook-image-puller.fullname" .) }} {{- end }} {{- /* continuous-image-puller DaemonSet */}} @@ -212,11 +208,7 @@ {{- /* continuous-image-puller ServiceAccount */}} {{- define "jupyterhub.continuous-image-puller-serviceaccount.fullname" -}} - {{- if .Values.prePuller.continuous.serviceAccount.create }} - {{- .Values.prePuller.continuous.serviceAccount.name | default (include "jupyterhub.continuous-image-puller.fullname" .) }} - {{- else }} - {{- .Values.prePuller.continuous.serviceAccount.name | default "default" }} - {{- end }} + {{- .Values.prePuller.continuous.serviceAccount.name | default (include "jupyterhub.continuous-image-puller.fullname" .) }} {{- end }} {{- /* singleuser NetworkPolicy */}} From 6ffc084649079e5a24657024dad339657cbd1404 Mon Sep 17 00:00:00 2001 
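Review bot: With `create: false` and no `name`, both helpers now still return the DaemonSet fullname, so `serviceAccountName` in _helpers-daemonset.tpl is always rendered and names a ServiceAccount that no template creates; Kubernetes refuses to create pods whose service account does not exist. That does not match the "relevant or empty" of the commit title. Keeping the `create` branch and returning only the configured name otherwise lets the `with` guard in the DaemonSet drop the field when nothing is configured. The second hunk (`jupyterhub.continuous-image-puller-serviceaccount.fullname`) needs the same change, and the resource-name list extended in the following patch would otherwise publish the same non-existent names.

```gotemplate
{{- define "jupyterhub.hook-image-puller-serviceaccount.fullname" -}}
    {{- if .Values.prePuller.hook.serviceAccountImagePuller.create }}
        {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default (include "jupyterhub.hook-image-puller.fullname" .) }}
    {{- else }}
        {{- .Values.prePuller.hook.serviceAccountImagePuller.name | default "" }}
    {{- end }}
{{- end }}
{{- /* … same shape for jupyterhub.continuous-image-puller-serviceaccount.fullname … */}}
```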
From: Erik Sundell Date: Fri, 10 Jan 2025 20:59:42 +0100 Subject: [PATCH 5/5] Add image puller SA names to the list of resource names --- jupyterhub/templates/_helpers-names.tpl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/jupyterhub/templates/_helpers-names.tpl b/jupyterhub/templates/_helpers-names.tpl index ce91391b01..226e410620 100644 --- a/jupyterhub/templates/_helpers-names.tpl +++ b/jupyterhub/templates/_helpers-names.tpl @@ -308,7 +308,9 @@ image-puller-priority: {{ include "jupyterhub.image-puller-priority.fullname" . hook-image-awaiter: {{ include "jupyterhub.hook-image-awaiter.fullname" . | quote }} hook-image-awaiter-serviceaccount: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . | quote }} hook-image-puller: {{ include "jupyterhub.hook-image-puller.fullname" . | quote }} +hook-image-puller-serviceaccount: {{ include "jupyterhub.hook-image-puller-serviceaccount.fullname" . | quote }} continuous-image-puller: {{ include "jupyterhub.continuous-image-puller.fullname" . | quote }} +continuous-image-puller-serviceaccount: {{ include "jupyterhub.continuous-image-puller-serviceaccount.fullname" . | quote }} singleuser: {{ include "jupyterhub.singleuser.fullname" . | quote }} image-pull-secret: {{ include "jupyterhub.image-pull-secret.fullname" . | quote }} ingress: {{ include "jupyterhub.ingress.fullname" . | quote }}