From d4a9eb9b9bbae39e5f5fbcd347b791a980389075 Mon Sep 17 00:00:00 2001
From: Enol Fernandez
Date: Wed, 20 Nov 2024 12:45:14 +0000
Subject: [PATCH] Allow profiles to not mount secrets

A new option can be specified in the profile named "no_secrets", when this is defined and not False, the volume mount for the existing secrets will not be available in the main container of the pod. It should still be there for sidecars
---
 egi_notebooks_hub/egispawner.py | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)
diff --git a/egi_notebooks_hub/egispawner.py b/egi_notebooks_hub/egispawner.py
index 36259e0..d5bee8c 100644
--- a/egi_notebooks_hub/egispawner.py
+++ b/egi_notebooks_hub/egispawner.py
@@ -52,18 +52,18 @@ def __init__(self, *args, **kwargs):
 self.token_secret_name = self._expand_user_properties(
 self.token_secret_name_template
 )
- token_secret_volume_name = self._expand_user_properties(
+ self._token_secret_volume_name = self._expand_user_properties(
 self.token_secret_volume_name_template
 )
 self.volumes.append(
 {
- "name": token_secret_volume_name,
+ "name": self._token_secret_volume_name,
 "secret": {"secretName": self.token_secret_name},
 }
 )
 self.volume_mounts.append(
 {
- "name": token_secret_volume_name,
+ "name": self._token_secret_volume_name,
 "mountPath": self.token_mount_path,
 "readOnly": True,
 }
@@ -173,15 +173,25 @@ async def pre_spawn_hook(self, spawner):
 # ensure we have a secret
 await self._update_secret({})
 
+ def _adjust_secret_volume(self, profile):
+ if not profile.get("no_secrets", False):
+ return profile
+ volume_mounts = profile.get("volume_mounts", self.volume_mounts)
+ new_mounts = []
+ for mount in self._sorted_dict_values(volume_mounts):
+ if mount["name"] == self._token_secret_volume_name:
+ log.debug(f"Removing secret volume mount {mount['name']} from pod")
+ else:
+ new_mounts.append(mount)
+ profile["kubespawner_override"]["volume_mounts"] = new_mounts
+ return profile
+
 def _profile_filter(self, spawner):
 profile_list = []
 if spawner._profile_config:
 groups = [g.name for g in spawner.user.groups]
 for profile in spawner._profile_config:
 profile_vos = profile.get("vo_claims", [])
- if not profile_vos:
- profile_list.append(profile)
- else:
- if any(i in groups for i in profile_vos):
- profile_list.append(profile)
+ if not profile_vos or any(i in groups for i in profile_vos):
+ profile_list.append(self._adjust_secret_volume(profile))
 return profile_list
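Review bot: `_adjust_secret_volume` indexes `profile["kubespawner_override"]` directly, so a profile that sets `no_secrets` but has no `kubespawner_override` key raises KeyError while `_profile_filter` builds the list. It also takes its starting mounts from a top-level `volume_mounts` key on the profile; KubeSpawner profiles normally carry per-profile settings under `kubespawner_override`, so mounts a profile already overrides there appear to be replaced by the spawner defaults, which is worth confirming against the deployed profiles. Using `override = profile.setdefault("kubespawner_override", {})`, `volume_mounts = override.get("volume_mounts", self.volume_mounts)` and `override["volume_mounts"] = new_mounts` would cover both cases. A short docstring should also state that only the main container's mount is dropped: the secret volume stays in the pod spec and remains readable by any sidecar that mounts it. The same docstring should note that any truthy `no_secrets` value, including the string `"false"`, enables the removal.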