Refactor to use Azimuth UI generators and mirror controls

azimuth-cloud · Nov 6, 2023 · 56b17a7 · 56b17a7
1 parent 3a484a0
commit 56b17a7
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 7 deletions.
diff --git a/binderhub-azimuth/azimuth-ui.schema.yaml b/binderhub-azimuth/azimuth-ui.schema.yaml
@@ -18,3 +18,21 @@ controls:
     minimum: 10
     step: 1
     displayUnits: GB
+  # Here we need the registry password to be set in the actually registry 
+  # pod and also to pass the same password to binderhub. We don't want this
+  # value visible in the chart UI or default values otherwise arbitrary 
+  # users would be able to modify the registry from within notebooks.
+  /registry/password:
+    visuallyHidden: true
+  # Make sure that the two password values are kept in sync using a mirror control
+  /binderhub/registry/password:
+    type: MirrorControl
+    path: /registry/password
+    visuallyHidden: true
+
+defaultGenerators:
+  # For new DaskHub instances, the API token should be generated as a long, random value
+  # The mirror control ensures that the two places it is needed are kept in sync
+  /registry/password:
+    type: random
+    length: 32
diff --git a/binderhub-azimuth/templates/registry.yml b/binderhub-azimuth/templates/registry.yml
@@ -85,5 +85,8 @@ metadata:
   name: binderhub-registry-image-pull
 type: kubernetes.io/dockerconfigjson
 data:
-  .dockerconfigjson: {{ printf "{\"auths\":{\"localhost:%d\":{\"auth\":\"%s\"}}}" (int .nodeport) (printf "%s:%s" .username .password | b64enc) | b64enc }}
+  .dockerconfigjson: >
+    {{ printf "{\"auths\":{\"localhost:%d\":{\"auth\":\"%s\"}}}"
+    (int .nodeport) (printf "%s:%s" .username .password | b64enc)
+    | b64enc }}
 {{- end }}
diff --git a/binderhub-azimuth/values.schema.json b/binderhub-azimuth/values.schema.json
@@ -55,9 +55,20 @@
                         }
                     },
                     "required": ["singleuser"]
+                },
+                "registry": {
+                    "type": "object",
+                    "properties": {
+                        "password": {
+                            "type": "string",
+                            "title": "Container registry password",
+                            "description": "The password used to authenticate with the in-cluster container registry. \nThis should be kept secret from Hub users otherwise they will be able to modify registry images from within notebooks!"
+                        }
+                    },
+                    "required": ["password"]
                 }
             },
-            "required": ["jupyterhub"]
+            "required": ["jupyterhub", "registry"]
         },
         "registry": {
             "type": "object",
@@ -74,9 +85,15 @@
                         }
                     },
                     "required": ["capacity"]
+                },
+                "password": {
+                    "type": "string",
+                    "title": "Password for the in-cluster container regi",
+                    "description": "Required for securing the local registry. \nShould be set to a long random value, e.g. `openssl rand -hex 32`.",
+                    "minLength": 8
                 }
             },
-            "required": ["storage"]
+            "required": ["storage", "password"]
         }
     },
     "required": ["binderhub", "registry"]

diff --git a/binderhub-azimuth/values.yaml b/binderhub-azimuth/values.yaml
@@ -13,8 +13,9 @@ registry:
   # This url domain name should match the Service 
   # resource which exposes the local container registry
   url: &registry-url http://binderhub-registry:80
-  username: &registry-username testuser
-  password: &registry-password testpassword
+  username: &registry-username registry-user
+  password: # Randomly generated within Azimuth UI (see azimuth-ui.schema.yaml)
+  # password: &registry-password testpassword
   nodeport: 31783
   storage:
     capacity: # Set in Azimuth UI
@@ -281,12 +282,21 @@ binderhub:
           binder_service_idx = [i for i, s in enumerate(c.JupyterHub.services) if s['name'] == 'binder'][0]
           c.JupyterHub.services[binder_service_idx]["oauth_redirect_uri"] = f'http://{binder_zenith_url}/oauth_callback'
 
+    # Don't cull user pods since we're limiting the number
+    # of allowed concurrent sessions per user instead. Also,
+    # culling would cause data loss since have to mount PVs
+    # at ~/data and instead of ~/ for binder-built images
+    # (see comments around homeMountPath value)
+    cull:
+      users: false
+
     singleuser:
       cmd: jupyterhub-singleuser
       storage:
         # Use PVCs
         type: dynamic
-        # NOTE: 
+        # NOTE: We can't mount the PVC at the user's home dir otherwise
+        # it will overwrite any files included in the binder repo
         homeMountPath: /home/jovyan/data
         dynamic:
           volumeNameTemplate: backing-volume
@@ -329,7 +339,8 @@ binderhub:
   registry:
     url: *registry-url
     username: *registry-username
-    password: *registry-password
+    password: # Set to mirror global registry.password value (see azimuth-ui.schema.yaml)
+    # password: *registry-password
 
   config:
     BinderHub: