Allow profiles to not mount secrets (#145)
* Allow profiles to not mount secrets

A new option named "no_secrets" can be specified in the profile.
When it is defined and not False, the volume mount for the existing
secrets will not be available in the main container of the pod. It
should still be there for sidecars.

* Linting fixes

* Rename to `mount_secrets_volume`
enolfc authored Nov 20, 2024
1 parent d406f98 commit 700fb34
Showing 1 changed file with 18 additions and 8 deletions.
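--- a/egi_notebooks_hub/egispawner.py
+++ b/egi_notebooks_hub/egispawner.py
@@ -52,18 +52,18 @@ def __init__(self, *args, **kwargs):
 self.token_secret_name = self._expand_user_properties(
 self.token_secret_name_template
 )
-token_secret_volume_name = self._expand_user_properties(
+self._token_secret_volume_name = self._expand_user_properties(
 self.token_secret_volume_name_template
 )
 self.volumes.append(
 {
-"name": token_secret_volume_name,
+"name": self._token_secret_volume_name,
 "secret": {"secretName": self.token_secret_name},
 }
 )
 self.volume_mounts.append(
 {
-"name": token_secret_volume_name,
+"name": self._token_secret_volume_name,
 "mountPath": self.token_mount_path,
 "readOnly": True,
 }
@@ -173,15 +173,25 @@ async def pre_spawn_hook(self, spawner):
 # ensure we have a secret
 await self._update_secret({})
 
+def _adjust_secret_volume(self, profile):
+if profile.get("mount_secrets_volume", True):
+return profile
+volume_mounts = profile.get("volume_mounts", self.volume_mounts)
+new_mounts = []
+for mount in self._sorted_dict_values(volume_mounts):
+if mount["name"] == self._token_secret_volume_name:
+self.log.debug(f"Removing secret volume mount {mount['name']} from pod")
+else:
+new_mounts.append(mount)
+profile["kubespawner_override"]["volume_mounts"] = new_mounts
+return profile
+
 def _profile_filter(self, spawner):
 profile_list = []
 if spawner._profile_config:
 groups = [g.name for g in spawner.user.groups]
 for profile in spawner._profile_config:
 profile_vos = profile.get("vo_claims", [])
-if not profile_vos:
-profile_list.append(profile)
-else:
-if any(i in groups for i in profile_vos):
-profile_list.append(profile)
+if not profile_vos or any(i in groups for i in profile_vos):
+profile_list.append(self._adjust_secret_volume(profile))
 return profile_list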
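Review bot: In `_adjust_secret_volume`, `profile["kubespawner_override"]["volume_mounts"] = new_mounts` raises `KeyError` for a profile that disables `mount_secrets_volume` but has no `kubespawner_override` key, and because `_profile_filter` calls it inside its loop, that one profile would break profile listing for every user allowed to see it. The mounts are also read from the profile's top level (`profile.get("volume_mounts", ...)`) while the result is written under `kubespawner_override`, so any `volume_mounts` already set in the override appear to be discarded. I would read and write the same dict: `override = profile.setdefault("kubespawner_override", {})`, `volume_mounts = override.get("volume_mounts", self.volume_mounts)`, `override["volume_mounts"] = new_mounts`. Since this option decides whether the token secret is visible to the notebook container, a short docstring should state that only the main-container mount is dropped (the volume itself stays in `self.volumes`) and that any truthy value, including a quoted string such as `"false"`, keeps the secret mounted.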
