From 17434b05eba2eda8846f6862e5f9b04e4b6968c0 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 1 Jul 2024 14:42:20 +0200 Subject: [PATCH] binderhub and daskhub: scheduler/worker pods to have permission to pull built images --- docs/howto/features/binderhub-ui.md | 12 ++++++++++++ docs/howto/features/dask.md | 8 +++++++- 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/docs/howto/features/binderhub-ui.md b/docs/howto/features/binderhub-ui.md index 30b5aa7ae8..9235384136 100644 --- a/docs/howto/features/binderhub-ui.md +++ b/docs/howto/features/binderhub-ui.md @@ -409,6 +409,7 @@ binderhub-service: password: ``` +(features:binderhub-service:private-registry)= ### 4. If pushing to quay.io registry, also setup the credentials for image pulling When pushing to the quay registry, the images are pushed as `private` by default (even if the plan doesn't allow it). @@ -423,3 +424,14 @@ jupyterhub: username: password: ``` + +If dask-gateway is enabled, the scheduler and worker pods needs to be configured +to reference the k8s Secret created by the JupyterHub chart through the config +above. This is done like below: + +```yaml +dask-gateway: + gateway: + backend: + imagePullSecrets: [{name: image-pull-secret}] +``` diff --git a/docs/howto/features/dask.md b/docs/howto/features/dask.md index 1dad6a239a..e11f6f4d57 100644 --- a/docs/howto/features/dask.md +++ b/docs/howto/features/dask.md @@ -23,7 +23,7 @@ To enable dask-gateway support on a hub, the following configuration changes nee enabled: true ``` -1. set `jupyterhub.singleuser.cloudMetadata.blockWithIptables` to false +1. set `jupyterhub.singleuser.cloudMetadata.blockWithIptables` to false: This is to don't block access to the cloud provider's metadata server! If we do the coupling between the cloud providers IAM permissions and @@ -39,6 +39,12 @@ To enable dask-gateway support on a hub, the following configuration changes nee blockWithIptables: false ``` +1. if binderhub is enabled to work against a private container registry: + + Then dask-gateway's scheduler and worker pods need to pull from that + registry, so follow steps in [](features:binderhub-service:private-registry) + to set up permissions for that. + (howto:features:daskhub)= ## To an existing cluster