Add ability to pass registry credentials to build pods' docker clients

.gitignore

@@ -3,9 +3,10 @@
 binderhub-service/values.schema.json
 tools/templates/rendered-templates/
 
+# convenience for storing production config in the repo while developing
+prod-config.yaml
 
-### Other misc things
-
+# Other misc things
 .vscode
 *.DS_Store
 

binderhub-service/templates/build-pods-docker-config/secret.yaml

@@ -0,0 +1,50 @@
+# This Secret is mounted by BinderHub's managed build pods because
+# c.KubernetesBuildExecutor.push_secret is configured with this Secret's name.
+#
+# IMPORTANT: This is _not_ a Kubernetes imagePullSecrets formatted Secret, it
+#            instead provides a config file for a docker client.
+#
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ include "binderhub-service.fullname" . }}-build-pods-docker-config
+  labels:
+    {{- include "binderhub-service.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+  # config.json refers to docker config that should house credentials for the
+  # docker client in a build pod to use against the docker-api.
+  #
+  # Docker's config.json expects something like below, where the xx...xx= string
+  # is "<username>:<password>" base64 encoded.
+  #
+  # {
+  #   "auths": {
+  #     "https://index.docker.io/v1/": {
+  #       "auth": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx="
+  #     }
+  #   }
+  # }
+  #
+  # ref: https://github.com/jupyterhub/binderhub/blob/79c5f61a992010f108637e3c434d9e606a3c8f72/binderhub/build.py#L397-L406
+  #
+  {{- /* initialize a dict to represent a docker client config */}}
+  {{- $dockerConfig := dict }}
+
+  {{- $server := .Values.buildPodsRegistryCredentials.server }}
+  {{- $username := .Values.buildPodsRegistryCredentials.username }}
+  {{- $password := .Values.buildPodsRegistryCredentials.password }}
+  {{- $blob := printf "%s:%s" $username $password | b64enc }}
+  {{- $credentials := dict "auths" (dict $server (dict "auth" $blob)) }}
+
+  {{- /* merge docker client config with registry credentials */}}
+  {{- if .Values.config.BinderHub.use_registry }}
+  {{- $dockerConfig = merge $dockerConfig $credentials }}
+  {{- end }}
+
+  {{- /* merge docker client config of any kind */}}
+  {{- if .Values.buildPodsDockerConfig }}
+  {{- $dockerConfig = merge $dockerConfig .Values.buildPodsDockerConfig }}
+  {{- end }}
+  config.json: |
+    {{- $dockerConfig | toPrettyJson | nindent 4 }}

binderhub-service/templates/deployment.yaml

@@ -38,6 +38,9 @@ spec:
             - name: secret
               mountPath: /etc/binderhub/mounted-secret/
               readOnly: true
+          env:
+            - name: HELM_RELEASE_NAME
+              value: {{ .Release.Name }}
           resources:
             {{- .Values.resources | toYaml | nindent 12 }}
           securityContext:

binderhub-service/values.schema.yaml

@@ -19,6 +19,8 @@ required:
   - nameOverride
   - fullnameOverride
   - global
+  # Resources for the BinderHub created build pods
+  - buildPodsRegistryCredentials
   # Deployment resource
   - image
   # Other resources
@@ -46,6 +48,27 @@ properties:
     type: object
     additionalProperties: true
 
+  # Resources for the BinderHub created build pods
+  # ---------------------------------------------------------------------------
+  #
+  buildPodsDockerConfig:
+    type: object
+    additionalProperties: true
+  buildPodsRegistryCredentials:
+    type: object
+    additionalProperties: false
+    required:
+      - server
+      - username
+      - password
+    properties:
+      server:
+        type: string
+      username:
+        type: string
+      password:
+        type: string
+
   # Deployment resource
   # ---------------------------------------------------------------------------
   #

binderhub-service/values.yaml

@@ -5,6 +5,15 @@ nameOverride: ""
 fullnameOverride: ""
 global: {}
 
+# Resources for the BinderHub created build pods
+# -----------------------------------------------------------------------------
+#
+buildPodsDockerConfig: {}
+buildPodsRegistryCredentials:
+  server: ""
+  username: ""
+  password: ""
+
 # Deployment resource
 # -----------------------------------------------------------------------------
 #
@@ -28,13 +37,18 @@ config:
   BinderHub:
     base_url: /
     port: 8585
-    use_registry: true
     require_build_only: true
   KubernetesBuildExecutor:
     # docker_host must not be updated, assumptions about it are hardcoded in
     # docker-api/daemonset.yaml
     docker_host: /var/run/docker-api/docker-api.sock
-extraConfig: {}
+extraConfig:
+  # binderhub-service creates a k8s Secret with a docker config.json file
+  # including registry credentials.
+  binderhub_service_00_build_pods_docker_config: |
+    import os
+    helm_release_name = os.environ["HELM_RELEASE_NAME"]
+    c.KubernetesBuildExecutor.push_secret = f"{helm_release_name}-build-pods-docker-config"
 
 replicas: 1
 image:

dev-config.yaml

@@ -0,0 +1,11 @@
+# FIXME: When running tests, we will need a local container registry to test
+#        pushing images to that can be reached from the build pods.
+#
+config:
+  BinderHub:
+    use_registry: false
+    image_prefix: localhost/binderhub-service/
+buildPodsRegistryCredentials:
+  server: "localhost"
+  username: "dummy-username"
+  password: "dummy-password"

tools/templates/lint-and-validate-values.yaml

@@ -5,6 +5,16 @@ nameOverride: ""
 fullnameOverride: ""
 global: {}
 
+# Resources for the BinderHub created build pods
+# -----------------------------------------------------------------------------
+#
+buildPodsDockerConfig:
+  dummy: dummy-value
+buildPodsRegistryCredentials:
+  server: "quay.io"
+  username: "dummy-username"
+  password: "dummy-password"
+
 # Deployment resource
 # -----------------------------------------------------------------------------
 #