[bitnami/jupyterhub] Fix imagePullSecrets format for singleuser configuration, add security options for singleuser pods (#7713)

* Add Prometheus monitoring with serviceMonitors for hub and proxy components

* Increase version number

* Update README

* Fix values

* Add missing containerPort for metrics

* Fix typo

* Disable serviceMonitors by default

* Use dual stack ipv6/ipv4 binding for metrics

* Increase version

* Improve first bootstrap delay while waiting for DB to be ready

* Make tests work

* Fix imagePullSecrets in hub config

* Add singleuser security options

* Fix comments

* Increase minor version number

* Use right helper for singleuser and network imagePullSecrets

bitnami/jupyterhub/Chart.yaml

@@ -26,4 +26,4 @@ name: jupyterhub
 sources:
   - https://github.com/bitnami/bitnami-docker-jupyterhub
   - https://github.com/jupyterhub/jupyterhub
-version: 0.2.0
+version: 0.2.1

bitnami/jupyterhub/templates/_helpers.tpl

@@ -59,6 +59,39 @@ Return the proper Docker Image Registry Secret Names
 {{- include "common.images.pullSecrets" (dict "images" (list .Values.hub.image .Values.proxy.image .Values.auxiliaryImage) "global" .Values.global) -}}
 {{- end -}}
 
+{{/*
+Return the proper Docker Image Registry Secret Names
+{{ include "jupyterhub.imagePullSecretsList" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }}
+*/}}
+{{- define "jupyterhub.imagePullSecretsList" -}}
+  {{- $pullSecrets := list }}
+
+  {{- if .global }}
+    {{- range .global.imagePullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- range .images -}}
+    {{- range .pullSecrets -}}
+      {{- $pullSecrets = append $pullSecrets . -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (not (empty $pullSecrets)) }}
+    {{- range $pullSecrets }}
+  - {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end -}}
+
+{{/*
+Return the proper Docker Image Registry Secret Names list
+*/}}
+{{- define "jupyterhub.imagePullSecrets.list" -}}
+{{- include "jupyterhub.imagePullSecretsList" (dict "images" (list .Values.hub.image .Values.proxy.image .Values.auxiliaryImage) "global" .Values.global) -}}
+{{- end -}}
+
 {{/*
 Create the name of the service account to use
 */}}

bitnami/jupyterhub/templates/hub/configmap.yaml

@@ -151,6 +151,8 @@ data:
         ("extra_annotations", None),
         ("uid", None),
         ("fs_gid", None),
+        ("run_privileged", None),
+        ("allow_privilege_escalation", None),
         ("service_account", "serviceAccountName"),
         ("storage_extra_labels", "storage.extraLabels"),
         ("tolerations", "extraTolerations"),

bitnami/jupyterhub/values.yaml

@@ -180,7 +180,7 @@ hub:
           name: {{ include "jupyterhub.hubconfiguration.imageEntry" ( dict "imageRoot" .Values.auxiliaryImage "global" $) }}
           tag: {{ .Values.auxiliaryImage.tag }}
           pullPolicy: {{ .Values.auxiliaryImage.pullPolicy }}
-          pullSecrets: {{- include "jupyterhub.imagePullSecrets" . | nindent 8 }}
+          pullSecrets: {{- include "jupyterhub.imagePullSecrets.list" . | nindent 8 }}
       cloudMetadata:
         blockWithIptables: false
       events: true
@@ -246,7 +246,7 @@ hub:
         name: {{ include "jupyterhub.hubconfiguration.imageEntry" ( dict "imageRoot" .Values.singleuser.image "global" $) }}
         tag: {{ .Values.singleuser.image.tag }}
         pullPolicy: {{ .Values.singleuser.image.pullPolicy }}
-        pullSecrets: {{- include "jupyterhub.imagePullSecrets" . | nindent 8 }}
+        pullSecrets: {{- include "jupyterhub.imagePullSecrets.list" . | nindent 8 }}
       startTimeout: 300
       {{- /* We need to replace the Kubernetes memory/cpu terminology (e.g. 10Gi, 10Mi) with one compatible with Python (10G, 10M) */}}
       cpu: