jupyterhub / binderhub

Run your code in the cloud, with technology so advanced, it feels like magic!
https://binderhub.readthedocs.io
BSD 3-Clause "New" or "Revised" License

Allow setting service account on build pods #1506

Open yuvipanda opened 2 years ago

yuvipanda commented 2 years ago

Proposed change

Currently, we pass in the username / password for the Docker registry so we can push images to it. There are solutions like workload-identity and IRSA that allow Kubernetes service accounts to be used instead to authenticate to cloud services.

Currently, there's no way to configure which Kubernetes service account the build pods should use. We'll need to expose that as an option to make use of it.

Alternative options

Who would use this feature?

(Optional): Suggest a solution

thomas-bc commented 2 years ago

An alternative solution to support AWS ECR as the docker registry was proposed (and just updated) in https://github.com/jupyterhub/binderhub/pull/1055. I will look into your proposed change and see if I can (and have time to) come up with something.

manics commented 2 years ago

I've commented on https://github.com/jupyterhub/binderhub/pull/1055#issuecomment-1220812609, but before you start work, be aware I've made some big changes in https://github.com/jupyterhub/binderhub/pull/1518 and there's a follow-up PR in https://github.com/jupyterhub/binderhub/pull/1521 to switch the defaults.

If you want to add a service account, I think you can just add a new traitlets config to https://github.com/jupyterhub/binderhub/blob/c4af713bb20ed90606e9795834d160bd8a332578/binderhub/build.py#L189-L209 and pass that into the pod creation method if it's set. Ignore the old Build class and most of the BinderHub.* settings - with the new Traitlets-based class there's no need to pass parameters down through the whole BinderHub stack since Traitlets automatically passes them to the class.
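
The approach suggested in the last comment, sketched as an added example that is not BinderHub's own code and is not from anyone in the thread: a configurable trait that, only when set, places `serviceAccountName` in the build pod spec. `ExampleBuild`, `service_account_name`, `pod_manifest` and `build_from_config` are hypothetical names, and the pod is a plain dict rather than a Kubernetes client object.

```python
import re

from traitlets import TraitError, Unicode, validate
from traitlets.config import Config, Configurable

# Kubernetes object names (ServiceAccounts included) are DNS-1123 subdomains.
_DNS1123 = re.compile(
    r"[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"
)


class ExampleBuild(Configurable):
    """Hypothetical stand-in for a Traitlets-based build class."""

    service_account_name = Unicode(
        None,
        allow_none=True,
        config=True,
        help="Service account for build pods; None keeps the namespace default.",
    )

    @validate("service_account_name")
    def _check_name(self, proposal):
        # Reject malformed names at config time, before any pod is created.
        name = proposal["value"]
        if name is not None and (len(name) > 253 or not _DNS1123.fullmatch(name)):
            raise TraitError(f"invalid service account name: {name!r}")
        return name

    def pod_manifest(self, name, image):
        spec = {
            "restartPolicy": "Never",
            "containers": [{"name": "builder", "image": image}],
        }
        # Only set the field when configured, so existing deployments are unchanged.
        if self.service_account_name:
            spec["serviceAccountName"] = self.service_account_name
        return {"apiVersion": "v1", "kind": "Pod",
                "metadata": {"name": name}, "spec": spec}


def build_from_config(**settings):
    # Equivalent to `c.ExampleBuild.<key> = <value>` lines in a config file;
    # traitlets delivers the values to the class without manual plumbing.
    c = Config()
    for key, value in settings.items():
        setattr(c.ExampleBuild, key, value)
    return ExampleBuild(config=c)
```
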