{{- /*
Returns an image-puller daemonset. Two daemonsets will be created like this.
- hook-image-puller: for pre helm upgrade image pulling (lives temporarily)
- continuous-image-puller: for newly added nodes image pulling
*/}}
{{- define "jupyterhub.imagePuller.daemonset" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
{{- if .hook }}
name: {{ include "jupyterhub.hook-image-puller.fullname" . }}
{{- else }}
name: {{ include "jupyterhub.continuous-image-puller.fullname" . }}
{{- end }}
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
{{- if .hook }}
hub.jupyter.org/deletable: "true"
{{- end }}
{{- if .hook }}
annotations:
{{- /*
Allows the daemonset to be deleted when the image-awaiter job is completed.
*/}}
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-10"
{{- end }}
spec:
selector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 100%
{{- if typeIs "int" .Values.prePuller.revisionHistoryLimit }}
revisionHistoryLimit: {{ .Values.prePuller.revisionHistoryLimit }}
{{- end }}
template:
metadata:
labels:
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
{{- with .Values.prePuller.annotations }}
annotations:
{{- . | toYaml | nindent 8 }}
{{- end }}
spec:
{{- /*
image-puller pods are made evictable to save on the k8s pods
per node limit all k8s clusters have and have a higher priority
than user-placeholder pods that could block an entire node.
*/}}
{{- if .Values.scheduling.podPriority.enabled }}
priorityClassName: {{ include "jupyterhub.image-puller-priority.fullname" . }}
{{- end }}
{{- with .Values.singleuser.nodeSelector }}
nodeSelector:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with concat .Values.scheduling.userPods.tolerations .Values.singleuser.extraTolerations .Values.prePuller.extraTolerations }}
tolerations:
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- if include "jupyterhub.userNodeAffinityRequired" . }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
{{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }}
{{- end }}
terminationGracePeriodSeconds: 0
automountServiceAccountToken: false
{{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.singleuser.image) }}
imagePullSecrets: {{ . }}
{{- end }}
initContainers:
{{- /* --- Conditionally pull an image all user pods will use in an initContainer --- */}}
{{- $blockWithIptables := hasKey .Values.singleuser.cloudMetadata "enabled" | ternary (not .Values.singleuser.cloudMetadata.enabled) .Values.singleuser.cloudMetadata.blockWithIptables }}
{{- if $blockWithIptables }}
- name: image-pull-metadata-block
image: {{ .Values.singleuser.networkTools.image.name }}:{{ .Values.singleuser.networkTools.image.tag }}
{{- with .Values.singleuser.networkTools.image.pullPolicy }}
imagePullPolicy: {{ . }}
{{- end }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with .Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- /* --- Pull default image --- */}}
- name: image-pull-singleuser
image: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with .Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- /* --- Pull extra containers' images --- */}}
{{- range $k, $container := concat .Values.singleuser.initContainers .Values.singleuser.extraContainers }}
- name: image-pull-singleuser-init-and-extra-containers-{{ $k }}
image: {{ $container.image }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with $.Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with $.Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- /* --- Conditionally pull profileList images --- */}}
{{- if .Values.prePuller.pullProfileListImages }}
{{- range $k, $container := .Values.singleuser.profileList }}
{{- /* profile's kubespawner_override */}}
{{- if $container.kubespawner_override }}
{{- if $container.kubespawner_override.image }}
- name: image-pull-singleuser-profilelist-{{ $k }}
image: {{ $container.kubespawner_override.image }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with $.Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with $.Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- /* kubespawner_override in profile's profile_options */}}
{{- if $container.profile_options }}
{{- range $option, $option_spec := $container.profile_options }}
{{- if $option_spec.choices }}
{{- range $choice, $choice_spec := $option_spec.choices }}
{{- if $choice_spec.kubespawner_override }}
{{- if $choice_spec.kubespawner_override.image }}
- name: image-pull-profile-{{ $k }}-option-{{ $option }}-{{ $choice }}
image: {{ $choice_spec.kubespawner_override.image }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with $.Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with $.Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- /* --- Pull extra images --- */}}
{{- range $k, $v := .Values.prePuller.extraImages }}
- name: image-pull-{{ $k }}
image: {{ $v.name }}:{{ $v.tag }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- with $.Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with $.Values.prePuller.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
containers:
- name: pause
image: {{ .Values.prePuller.pause.image.name }}:{{ .Values.prePuller.pause.image.tag }}
{{- with .Values.prePuller.resources }}
resources:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- with .Values.prePuller.pause.containerSecurityContext }}
securityContext:
{{- . | toYaml | nindent 12 }}
{{- end }}
{{- end }}
{{- /*
Returns a rendered k8s DaemonSet resource: continuous-image-puller
*/}}
{{- define "jupyterhub.imagePuller.daemonset.continuous" -}}
{{- $_ := merge (dict "hook" false "componentPrefix" "continuous-") . }}
{{- include "jupyterhub.imagePuller.daemonset" $_ }}
{{- end }}
{{- /*
Returns a rendered k8s DaemonSet resource: hook-image-puller
*/}}
{{- define "jupyterhub.imagePuller.daemonset.hook" -}}
{{- $_ := merge (dict "hook" true "componentPrefix" "hook-") . }}
{{- include "jupyterhub.imagePuller.daemonset" $_ }}
{{- end }}
{{- /*
Returns a checksum of the rendered k8s DaemonSet resource: hook-image-puller
This checksum is used when prePuller.hook.pullOnlyOnChanges=true to decide if
it is worth creating the hook-image-puller associated resources.
*/}}
{{- define "jupyterhub.imagePuller.daemonset.hook.checksum" -}}
{{- /*
We pin componentLabel and Chart.Version as doing so can pin labels
of no importance if they would change. Chart.Name is also pinned as
a harmless technical workaround when we compute the checksum.
*/}}
{{- $_ := merge (dict "componentLabel" "pinned" "Chart" (dict "Name" "jupyterhub" "Version" "pinned")) . -}}
{{- $yaml := include "jupyterhub.imagePuller.daemonset.hook" $_ }}
{{- $yaml | sha256sum }}
{{- end }}
{{- /*
Returns a truthy string or a blank string depending on if the
hook-image-puller should be installed. The truthy strings are comments
that summarize the state that led to returning a truthy string.
- prePuller.hook.enabled must be true
- if prePuller.hook.pullOnlyOnChanges is true, the checksum of the
hook-image-puller daemonset must differ since last upgrade
*/}}
{{- define "jupyterhub.imagePuller.daemonset.hook.install" -}}
{{- if .Values.prePuller.hook.enabled }}
{{- if .Values.prePuller.hook.pullOnlyOnChanges }}
{{- $new_checksum := include "jupyterhub.imagePuller.daemonset.hook.checksum" . }}
{{- $k8s_state := lookup "v1" "ConfigMap" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }}
{{- $old_checksum := index $k8s_state.data "checksum_hook-image-puller" | default "" }}
{{- if ne $new_checksum $old_checksum -}}
# prePuller.hook.enabled={{ .Values.prePuller.hook.enabled }}
# prePuller.hook.pullOnlyOnChanges={{ .Values.prePuller.hook.pullOnlyOnChanges }}
# post-upgrade checksum != pre-upgrade checksum (of the hook-image-puller DaemonSet)
# "{{ $new_checksum }}" != "{{ $old_checksum}}"
{{- end }}
{{- else -}}
# prePuller.hook.enabled={{ .Values.prePuller.hook.enabled }}
# prePuller.hook.pullOnlyOnChanges={{ .Values.prePuller.hook.pullOnlyOnChanges }}
{{- end }}
{{- end }}
{{- end }}