Image configuration¶
The Nublado controller image configuration serves two purposes. It controls what images are listed and highlighted on the lab spawn form presented by JupyterHub. It also controls which images are prepulled to all Kubernetes nodes in the cluster to speed up lab start time.
Nublado currently only supports a single image repository. The tags in that repository must follow the rules in SQR-059.
Currently, Nublado depends on the features of the sciplat-lab Docker image and probably will only work on images derived from that image.
Image source¶
The image source is configured via controller.config.images.source.
Nublado supports two possible sources of images: a Docker registry, or Google Artifact Registry.
Each source takes different parameters.
controller.config.images.source.typeSet to either
dockerorgoogleto choose the type of source.
Using Google Artifact Repository as the image source is highly recommended if Nublado is running in a GKE cluster.
Docker registries¶
For a Docker registry image source type, also set the following parameters:
controller.config.images.source.registryHost name and optional port of the Docker registry from which to fetch images. For Docker Hub, use
docker.io.controller.config.images.source.repositoryThe repository within that Docker registry to use as an image source. For example,
lsstsqre/sciplat-lab.
Here is an example configuration fragment with a complete source specification:
controller:
config:
images:
source:
type: "docker"
registry: "docker.io"
repository: "lsstsqre/sciplat-lab"
Google Artifact Registry¶
If using Google Artifact Registry as the image source, also set the following settings:
controller.config.images.source.locationThe region of the Google Artifact Registry instance. For example,
us-central`.controller.config.images.source.projectIdThe Google Cloud Platform project ID of the Google Artifact Registry instance.
controller.config.images.source.repositoryThe name of the Google Artifact Repository instance. GAR uses slightly incompatible terminology that doesn’t map one-to-one to the Docker terminology. The repository is the name of a collection of images, similar to the part before the slash in the Docker repository name. For example,
sciplat.controller.config.images.source.imageThe name of the image within that Google Artifact Repository instance. For example,
sciplat-lab.
The Nublado controller uses workload identity to authenticate to Google Artifact Repository to list available images.
When using GAR, you must configure a Google service account with read access to this GAR instance and bind it to the Kubernetes service account nublado-controller in the nublado namespace.
Then, set the following additional configuration setting:
controller.googleServiceAccountThe name of the Google service account with read access to this GAR instance.
For step-by-step instructions on how to set up Google Artifact Registry for Nublado, see Set up Google Artifact Registry. For additional information about why Google Artifact Registry is preferred, see Google Artifact Registry (GAR).
Image cycles¶
Some Rubin Science Platform environments have an XML cycle associated with each release of the user lab image. The environment only supports one XML cycle version at a time. Running an image that uses a different XML cycle image is unsafe and must be blocked.
In such environments, set the following configuration setting:
controller.config.images.cycleRestrict images to only those images with this XML cycle. This is applied as a filter to all images, including releases, weeklies, and dailies. The image matching
controller.config.images.recommendedTagis not filtered, so make sure that it points to an image with the appropriate cycle. Usually the best way to do this is to have a new recommended tag for each cycle version, and update the recommended tag at the same time as the cycle number.