canonical/notebook-operators

jupyter-ui: Allow for using private custom images (e.g. Artifactory-based) with credentials

Closed this issue · 4 comments

Vultaire commented

I have a customer who would like to leverage a private image repository together with Kubeflow. We see the custom image deployment option when creating a new notebook, but it is unclear what, or whether, there is a proper procedure in Charmed Kubeflow for allowing use of custom images in a private repository, e.g. Artifactory.

I would guess that fully-qualified container names can likely be simply typed in if the DNS names resolve appropriately and if credentials aren't required, but the customer is specifically asking about the case where credentials are required to access the images. Can this be done?

kimwnasptd commented

Hey @Vultaire, currently this can be done but needs K8s objects to be manually applied to the user's namesapce.

The upstream Kubeflow project supports this use-case by:

  1. Creating a K8s Secret in the user namespace, that contains credentials for fetching the image from the private registry
  2. Creating a PodDefault CustomResource in the user namespace, for using that secret as imagePullSecret
  3. When creating the notebook select the PodDefault from the Configurations section

The PodDefault you'd need to apply would be:

apiVersion: kubeflow.org/v1alpha1
kind: PodDefault
metadata:
  name: inject-registry-credentials
  namespace: <user-namespace
spec:
  desc: Inject credentials to pull image from private registry
  selector:
    matchLabels:
      kubeflow.org/private-registry-credentials: "true"
  imagePullSecrets:
  - credentials-secret

And of course you'd need to manually create the K8s Secret as well https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials

kimwnasptd commented

I'll leave this open for now though. I'd like to discuss with the team on how could we try to provide some automation from Charmed Kubeflow side for managing these resources (Secret/PodDefault).

kimwnasptd commented

Marking this as closed, as we provided a manual way to deploy images with credentials.

syncronize-issues-to-jira commented

Thank you for reporting us your feedback!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-5154.

This message was autogenerated