Open yuvipanda opened 2 years ago
An alternative solution to support AWS ECR as the docker registry was proposed (and just updated) in https://github.com/jupyterhub/binderhub/pull/1055. I will look into your proposed change and see if I can (and have time to) come up with something.
I've commented on https://github.com/jupyterhub/binderhub/pull/1055#issuecomment-1220812609 but before you start work be aware I've made some big changes in https://github.com/jupyterhub/binderhub/pull/1518 and there's a follow-up PR in https://github.com/jupyterhub/binderhub/pull/1521 to switch the defaults.
If you want to add a service account I think you can just add a new traitlets config to https://github.com/jupyterhub/binderhub/blob/c4af713bb20ed90606e9795834d160bd8a332578/binderhub/build.py#L189-L209 and pass that into the pod creation method if it's set. Ignore the old Build class and most of the BinderHub.* settings - with the new Traitlets based class there's no need to pass parameters down through the whole BinderHub stack since Traitlets automatically passes them to the class.
Proposed change
Currently, we pass in the username / password for the docker registry so we can push images to it. There are solutions like workload-identity and IRSA that allow kubernetes service accounts to be used instead to authenticate to cloud services.
Currently, there's no way to configure which kubernetes service account the build pods should use. We'll need to expose that as an option to make use of it.
Alternative options
Who would use this feature?
(Optional): Suggest a solution
Builder object, so it can use it to construct the pod
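The mechanism the proposed change relies on, sketched as Kubernetes manifests for the IRSA case. This is an added example, not part of the original issue and not BinderHub's own generated pod spec; the namespace, the service account and pod names, and the bracketed placeholders are assumptions.

```yaml
# Service account that the build pods would run as (name is hypothetical).
# On EKS, this annotation binds the account to an IAM role (IRSA).
# On GKE workload identity the equivalent annotation is
# iam.gke.io/gcp-service-account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: binderhub-build
  namespace: binder
  annotations:
    # Placeholder ARN. Scope the role to pushing to the one registry
    # repository the builds need, nothing broader.
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<ECR_PUSH_ROLE>
---
# Illustrative build pod. The only field the issue asks to make
# configurable is spec.serviceAccountName; everything else is a stand-in.
apiVersion: v1
kind: Pod
metadata:
  name: build-example
  namespace: binder
spec:
  # Without this field the pod runs as the namespace's "default"
  # service account, which carries no cloud role.
  serviceAccountName: binderhub-build
  restartPolicy: Never
  containers:
    - name: builder
      image: <BUILD_IMAGE>
      # With IRSA, the EKS pod identity webhook injects AWS_ROLE_ARN and
      # AWS_WEB_IDENTITY_TOKEN_FILE plus a projected token volume, so no
      # registry username / password needs to be mounted into the pod.
```

Because every pod using this service account can assume the bound role, keep it dedicated to build pods rather than sharing it with other workloads in the namespace.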