2i2c-org / binderhub-service

https://2i2c.org/binderhub-service/
BSD 3-Clause "New" or "Revised" License

Add ability to pass docker config and included registry credentials to build pods' docker clients, test builds and pushes, and add dockerApi.[extraArgs|extraFiles] to help testing #36

Closed consideRatio closed 1 year ago

consideRatio commented 1 year ago

With binderhub-service being a Helm chart deploying to k8s, we absolutely require the ability to push the built artifact to a container registry somewhere. This enables the chart to create a k8s Secret with such credentials in a docker config format that can be mounted to the build pods via c.KubernetesBuildExecutor.push_secret. Users of the binderhub-service chart don't have to configure that manually; it's instead set automatically.

buildPodsRegistryCredentials

buildPodsRegistryCredentials should be provided with server, username, and password for the container registry. For a GCP based artifact-registry, this can be for example...

config:
  BinderHub:
    use_registry: true
    image_prefix: europe-west1-docker.pkg.dev/binderhub-service-development/binderhub-service/
buildPodsRegistryCredentials:
  server: https://europe-west1-docker.pkg.dev
  # This GCP ServiceAccount is configured with:
  # - roles/artifactregistry.createOnPushWriter
  #
  username: _json_key
  password: |
    {
      "type": "service_account",
      "project_id": "binderhub-service-development",
      "private_key_id": "3ca6cb965bf9d8a23ee07220c6bfcdf70a2b4234",
      "private_key": "CENSORED",
      "client_email": "artifact-registry-push@binderhub-service-development.iam.gserviceaccount.com",
      "client_id": "101939388990083667377",
      "auth_uri": "https://accounts.google.com/o/oauth2/auth",
      "token_uri": "https://oauth2.googleapis.com/token",
      "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/artifact-registry-push%40binderhub-service-development.iam.gserviceaccount.com",
      "universe_domain": "googleapis.com"
    }

buildPodsDockerConfig

This may not be relevant for us to use, but was added for parity with binderhub chart to some degree.

buildPodsDockerConfig:
  someDockerConfigRecognizableKey: and-value

dockerApi.[extraArgs|extraFiles]

In order to set up tests with build/push, I needed to configure the docker daemon running on the host node to tolerate interacting with HTTP based docker registries like the one we have. Instead of doing it like in jupyterhub/binderhub, where a configmap is created and mounted etc. in a way that is very hard to follow, I do something that is just quite hard to follow by introducing extraFiles taken from z2jh.

Tests build/push
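The PR description says the chart turns buildPodsRegistryCredentials (server, username, password) into a k8s Secret in docker config format that the build pods' docker clients read. The script below is an added example, not code from this PR or the binderhub-service chart, showing what that transformation has to produce: a docker config.json with an "auths" entry whose "auth" field is base64("username:password"), wrapped in a Secret of type kubernetes.io/dockerconfigjson with the config base64-encoded under the ".dockerconfigjson" key. It also decodes the Secret back the way a docker client would, so you can check that a multi-line JSON service account key used as the password (the GCP _json_key login from the description) survives the round trip. The Secret name and the shortened sample key are constructed for the example.

```python
import base64
import json

# Constructed sample credentials, shaped like the values in the PR description.
# For an Artifact Registry "_json_key" login the password is the entire JSON key file,
# so it is multi-line and contains colons and quotes; a shortened stand-in is used here.
SAMPLE_CREDENTIALS = {
    "server": "https://europe-west1-docker.pkg.dev",
    "username": "_json_key",
    "password": json.dumps(
        {"type": "service_account", "project_id": "example", "private_key": "CENSORED"},
        indent=2,
    ),
}


def docker_config(server: str, username: str, password: str) -> dict:
    """Build a docker config.json structure for a single registry.

    Docker clients look credentials up in the "auths" map keyed by the registry
    server; the "auth" field is base64 of "username:password". The plain
    "username"/"password" keys are what `kubectl create secret docker-registry`
    also emits, so they are kept for parity.
    """
    if not server or not username:
        raise ValueError("server and username are required")
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "auths": {
            server: {"username": username, "password": password, "auth": auth}
        }
    }


def dockerconfigjson_secret(name: str, server: str, username: str, password: str) -> dict:
    """Render a kubernetes.io/dockerconfigjson Secret manifest as a dict.

    Kubernetes requires exactly the ".dockerconfigjson" key for this Secret type,
    and its value is the base64-encoded config.json. Mounted into a build pod at
    /root/.docker/config.json (hypothetical path), a docker client can use it to push.
    """
    cfg = json.dumps(docker_config(server, username, password))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def credentials_from_secret(secret: dict, server: str) -> tuple:
    """Decode a Secret back into (username, password) for one registry.

    This mirrors what a docker client does with the mounted file: base64-decode
    the "auth" field and split on the first colon only, since the password
    itself (a JSON key) may contain colons.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError("not a dockerconfigjson Secret")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    entry = cfg["auths"][server]
    username, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return username, password


if __name__ == "__main__":
    secret = dockerconfigjson_secret("build-registry-credentials", **SAMPLE_CREDENTIALS)
    print(json.dumps(secret, indent=2))
    print(credentials_from_secret(secret, SAMPLE_CREDENTIALS["server"]))
```

Note that the Secret only base64-encodes the key; it does not encrypt it. Anyone who can read Secrets in the namespace, or exec into a build pod with the file mounted, holds a credential that can push to the registry, which is why the description scopes the GCP service account to roles/artifactregistry.createOnPushWriter rather than a broader role.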

consideRatio commented 1 year ago

@GeorgianaElena I think this is good to go finally, it's quite a messy PR because it introduced dockerApi.extraFiles for example, but that is copy-pasted from z2jh where it has been very successfully used reliably to inject files into pods.

I suggest we go for a merge and iterating from there with fixes if needed.

GeorgianaElena commented 1 year ago

Thanks @consideRatio!