Allow profiles to not mount secrets

A new option can be specified in the profile named "no_secrets", when this is defined and not False, the volume mount for the existing secrets will not be available in the main container of the pod. It should still be there for sidecars
EGI-Federation · Nov 20, 2024 · d4a9eb9 · d4a9eb9
1 parent d406f98
commit d4a9eb9
Showing 1 changed file with 18 additions and 8 deletions.
diff --git a/egi_notebooks_hub/egispawner.py b/egi_notebooks_hub/egispawner.py
@@ -52,18 +52,18 @@ def __init__(self, *args, **kwargs):
         self.token_secret_name = self._expand_user_properties(
             self.token_secret_name_template
         )
-        token_secret_volume_name = self._expand_user_properties(
+        self._token_secret_volume_name = self._expand_user_properties(
             self.token_secret_volume_name_template
         )
         self.volumes.append(
             {
-                "name": token_secret_volume_name,
+                "name": self._token_secret_volume_name,
                 "secret": {"secretName": self.token_secret_name},
             }
         )
         self.volume_mounts.append(
             {
-                "name": token_secret_volume_name,
+                "name": self._token_secret_volume_name,
                 "mountPath": self.token_mount_path,
                 "readOnly": True,
             }
@@ -173,15 +173,25 @@ async def pre_spawn_hook(self, spawner):
         # ensure we have a secret
         await self._update_secret({})
 
+    def _adjust_secret_volume(self, profile):
+        if not profile.get("no_secrets", False):
+            return profile
+        volume_mounts = profile.get("volume_mounts", self.volume_mounts)
+        new_mounts = []
+        for mount in self._sorted_dict_values(volume_mounts):
+            if mount["name"] == self._token_secret_volume_name:
+                log.debug(f"Removing secret volume mount {mount['name']} from pod")
+            else:
+                new_mounts.append(mount)
+        profile["kubespawner_override"]["volume_mounts"] = new_mounts
+        return profile
+
     def _profile_filter(self, spawner):
         profile_list = []
         if spawner._profile_config:
             groups = [g.name for g in spawner.user.groups]
             for profile in spawner._profile_config:
                 profile_vos = profile.get("vo_claims", [])
-                if not profile_vos:
-                    profile_list.append(profile)
-                else:
-                    if any(i in groups for i in profile_vos):
-                        profile_list.append(profile)
+                if not profile_vos or any(i in groups for i in profile_vos):
+                    profile_list.append(self._adjust_secret_volume(profile))
         return profile_list