Seed hub.services apiTokens

dev-config.yaml

@@ -43,6 +43,13 @@ hub:
       apiToken: give-pytest-control
     test-hub-existing-secret:
       apiToken: dddd4444
+    test-explicit-name:
+      name: some-explicitly-set-name
+      apiToken: eeee5555
+    # FIXME: add this test at a later time, after 1.1.0, when upgrade tests
+    #        won't break because previous versions doesn't have support for this
+    #        config when this was added.
+    # test-generation-of-apiToken: {}
   networkPolicy:
     egress: # overrides allowance of 0.0.0.0/0
       # In kind/k3s clusters the Kubernetes API server is exposing this port

jupyterhub/files/hub/jupyterhub_config.py

@@ -359,17 +359,15 @@ def camelCaseify(s):
         }
     )
 
-for name, service in get_config("hub.services", {}).items():
+for key, service in get_config("hub.services", {}).items():
     # c.JupyterHub.services is a list of dicts, but
     # hub.services is a dict of dicts to make the config mergable
-    service.setdefault("name", name)
+    service.setdefault("name", key)
 
     # As the api_token could be exposed in hub.existingSecret, we need to read
     # it it from there or fall back to the chart managed k8s Secret's value.
     service.pop("apiToken", None)
-    api_token = get_secret_value(f"hub.services.{service['name']}.apiToken", None)
-    if api_token:
-        service["api_token"] = api_token
+    service["api_token"] = get_secret_value(f"hub.services.{service['name']}.apiToken")
 
     c.JupyterHub.services.append(service)
 

jupyterhub/templates/hub/_helpers-passwords.tpl

@@ -73,3 +73,21 @@
         {{- end }}
     {{- end }}
 {{- end }}
+
+{{- define "jupyterhub.hub.services.get_api_token" -}}
+    {{- $_ := index . 0 }}
+    {{- $service_key := index . 1 }}
+    {{- $service_name_or_key := index . 2 }}
+    {{- $explicitly_set_api_token := or ($_.Values.hub.services | dig $service_key "api_token" "") ($_.Values.hub.services | dig $service_key "apiToken" "") }}
+    {{- if $explicitly_set_api_token }}
+        {{- $explicitly_set_api_token }}
+    {{- else }}
+        {{- $k8s_state := lookup "v1" "Secret" $_.Release.Namespace (include "jupyterhub.hub.fullname" $_) | default (dict "data" (dict)) }}
+        {{- $k8s_secret_key := print "hub.services." $service_name_or_key ".apiToken" }}
+        {{- if hasKey $k8s_state.data $k8s_secret_key }}
+            {{- index $k8s_state.data $k8s_secret_key | b64dec }}
+        {{- else }}
+            {{- include "jupyterhub.randHex" 64 }}
+        {{- end }}
+    {{- end }}
+{{- end }}

jupyterhub/templates/hub/secret.yaml

@@ -22,9 +22,8 @@ data:
   # convinience for external services running in the k8s cluster that could
   # mount them directly from this k8s Secret.
   {{- range $key, $service := .Values.hub.services }}
-  {{- if or $service.api_token $service.apiToken }}
-  hub.services.{{ $service.name | default $key }}.apiToken: {{ $service.api_token | default $service.apiToken | b64enc | quote }}
-  {{- end }}
+  {{- $services_name_or_key := $service.name | default $key }}
+  hub.services.{{ $services_name_or_key }}.apiToken: {{ include "jupyterhub.hub.services.get_api_token" (list $ $key $services_name_or_key) | b64enc | quote }}
   {{- end }}
 
   # During Helm template rendering, these values that can be autogenerated for

tools/templates/lint-and-validate-values.yaml

@@ -143,8 +143,12 @@ hub:
           - "-c"
           - "echo Hello from the preStart handler >> /usr/share/message"
   services:
-    tests:
+    test-service-1:
       apiToken: mocked-api-token
+    test-service-2-key:
+      name: test-service-2-name
+      apiToken: mocked-api-token
+    test-service-3: {}
   pdb:
     enabled: true
     maxUnavailable: 1