Reduce complexity by merging configmap/secret into secret

helm-chart/binderhub/files/binderhub_config.py

@@ -1,46 +1,24 @@
-from collections.abc import Mapping
 import os
+
+from collections.abc import Mapping
 from functools import lru_cache
 from urllib.parse import urlparse
+
 import yaml
 
 c.BinderHub.hub_api_token = os.environ['JUPYTERHUB_API_TOKEN']
 
-
-def _merge_dictionaries(a, b):
-    """Merge two dictionaries recursively.
-
-    Simplified From https://stackoverflow.com/a/7205107
-    """
-    merged = a.copy()
-    for key in b:
-        if key in a:
-            if isinstance(a[key], Mapping) and isinstance(b[key], Mapping):
-                merged[key] = _merge_dictionaries(a[key], b[key])
-            else:
-                merged[key] = b[key]
-        else:
-            merged[key] = b[key]
-    return merged
-
 # memoize so we only load config once
 @lru_cache()
 def _load_values():
     """Load configuration from disk
 
     Memoized to only load once
     """
-    cfg = {}
-    for source in ('config', 'secret'):
-        path = f"/etc/binderhub/{source}/values.yaml"
-        if os.path.exists(path):
-            print(f"Loading {path}")
-            with open(path) as f:
-                values = yaml.safe_load(f)
-            cfg = _merge_dictionaries(cfg, values)
-        else:
-            print(f"No config at {path}")
-    return cfg
+    path = "/etc/binderhub/config/values.yaml"
+    print(f"Loading {path}")
+    with open(path) as f:
+        return yaml.safe_load(f)
 
 def get_value(key, default=None):
     """

helm-chart/binderhub/templates/deployment.yaml

@@ -30,9 +30,9 @@ spec:
         {{- end }}
         {{- end }}
       annotations:
-        # This lets us autorestart when the configmap changes!
-        checksum/config-map: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        # A change to our Deployment's pod template, like this checksum as an
+        # annotation, will trigger a rolling update by the Deployment.
+        checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
         {{- with .Values.podAnnotations }}
         {{- . | toYaml | trimSuffix "\n" | nindent 8 }}
         {{- end }}
@@ -47,9 +47,6 @@ spec:
       {{- end }}
       volumes:
       - name: config
-        configMap:
-          name: binder-config
-      - name: secret-config
         secret:
           secretName: binder-secret
       {{- if .Values.config.BinderHub.use_registry }}
@@ -73,8 +70,7 @@ spec:
         volumeMounts:
           - mountPath: /etc/binderhub/config/
             name: config
-          - mountPath: /etc/binderhub/secret/
-            name: secret-config
+            readOnly: true
           {{- if .Values.config.BinderHub.use_registry }}
           - mountPath: /root/.docker
             name: docker-secret

helm-chart/binderhub/templates/secret.yaml

@@ -3,18 +3,17 @@ apiVersion: v1
 metadata:
   name: binder-secret
 type: Opaque
-data:
-  {{- $values :=  dict "config" dict }}
-  {{- $cfg := .Values.config }}
-  binder.hub-token: {{ .Values.jupyterhub.hub.services.binder.apiToken | b64enc | quote }}
-  {{- /* every 'pick' here should be matched with a corresponding 'omit' in secret.yaml */ -}}
-  {{- if $cfg.GitHubRepoProvider }}
-  {{- $_ := set $values.config "GitHubRepoProvider" (pick $cfg.GitHubRepoProvider "client_id" "client_secret" "access_token") }}
-  {{- end }}
-  {{- if $cfg.GitLabRepoProvider }}
-  {{- $_ := set $values.config "GitLabRepoProvider" (pick $cfg.GitLabRepoProvider "access_token" "private_token") }}
-  {{- end }}
-  values.yaml: {{ $values | toYaml | b64enc | quote }}
+stringData:
+  {{- /* Make it easy to mount certain parts without traversing YAML */}}
+  binder.hub-token: {{ .Values.jupyterhub.hub.services.binder.apiToken | quote }}
+
+  {{- /* Stash away all Helm template values */}}
+  values.yaml: |
+    {{- .Values | toYaml | nindent 4 }}
+
+  {{- /* Glob files to allow them to be mounted by the binderhub pod */}}
+  {{- /* key=filename: value=content */}}
+  {{- (.Files.Glob "files/*").AsConfig | nindent 2 }}
 ---
 {{- if .Values.config.BinderHub.use_registry }}
 kind: Secret