Support different container registry to push and pull

[rgaiacs]

This covers #1903.

[rgaiacs]

When I run locally and request a launch for https://github.com/binder-examples/requirements, the output was

Waiting for build to start...
Picked Git content provider.
Cloning into '/tmp/repo2dockersul_16w8'...
HEAD is now at 50533eb Merge pull request #21 from minrk/default-branch
Building conda environment for python=3.10
Using PythonBuildPack builder
Step 1/50 : FROM docker.io/library/buildpack-deps:jammy
 ---> 9c6387be7092
...
Step 50/50 : CMD ["jupyter", "notebook", "--ip", "0.0.0.0"]
 ---> Running in ee6ff4f7fcc2
 ---> Removed intermediate container ee6ff4f7fcc2
 ---> 6a38d51aece6
{"aux": {"ID": "sha256:6a38d51aece6f13a0a23116b2b4050ddd094a00a87eea438317bc298af4d5800"}}Successfully built 6a38d51aece6
Successfully tagged gesiscss/binder-binder-2dexamples-2drequirements-55ab5c:50533eb470ee6c24e872043d30b2fee463d6943f
Exception ignored in: <function Application.__del__ at 0x7fad6b188900>
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1065, in __del__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1054, in close_handlers
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 687, in __get__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 666, in get
TypeError: 'NoneType' object is not callable
Built image, launching...
Launching server...
Launch attempt 1 failed, retrying...
Launch attempt 2 failed, retrying...
Launch attempt 3 failed, retrying...
Failed to create temporary user for gesiscss/binder-binder-2dexamples-2drequirements-55ab5c:50533eb470ee6c24e872043d30b2fee463d6943f

There are a minor error related with traitlets. We should catch it during code review.

The launch attempt fail because I was not running Jupyter Hub locally.

[manics]

My initial thoughts are that most BinderHubs will use the same prefix for push and pull, so how about just have image_prefix as the default property as at present, and maybe add just one new property, image_prefix_pull?

I think it's fine to keep using the *_push and *_pull variables in builder.py if you want though, for clarity.

[manics]

Suggested change

	Prefix for built docker images push to container registry.
	Prefix for built docker images being pushed to the container registry.

[manics]

Suggested change

	Prefix for built docker images pull from container registry.
	Prefix for built docker images being pulled from container registry.

[rgaiacs]

My initial thoughts are that most BinderHubs will use the same prefix for push and pull

You are absolutely right. I think that 99% of BinderHubs will use a single registry. But there will be the 1% like GESIS that want to push to Docker Hub or GitHub Packages Registry and pull from a local Harbor that operates as proxy cache.

so how about just have image_prefix as the default property as at present, and maybe add just one new property, image_prefix_pull?

image_prefix is use as the default property, see https://github.com/rgaiacs/binderhub/blob/c322eabfdd78574e6b2ea03863f04ad4593060d7/binderhub/app.py#L460-L462 and https://github.com/rgaiacs/binderhub/blob/c322eabfdd78574e6b2ea03863f04ad4593060d7/binderhub/app.py#L478-L480. No change required to existing deployments.

[rgaiacs]

I forgot that the credentials to the registries might be different and must also be provided.

@manics @minrk @yuvipanda can I get a bit of help on how the registry credentials are handle? Thanks!

[rgaiacs]

I tested this PR.

2025-01-28.10-07-48.mp4

The launch log shows

{"aux": {"ID": "sha256:2d912e494879159e4f8696e38f0b01e042824f3b0e65f9c4c2bfe001b3e93a04"}}Successfully built 2d912e494879
Successfully tagged harbor.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718
Successfully pushed harbor.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718Exception ignored in: <function Application.__del__ at 0x7f0c10c807c0>
Traceback (most recent call last):
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1065, in __del__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/config/application.py", line 1054, in close_handlers
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 687, in __get__
  File "/opt/venv/lib/python3.11/site-packages/traitlets/traitlets.py", line 666, in get
TypeError: 'NoneType' object is not callable
Built image, launching...
Launching server...
Server requested
2025-01-28T09:11:04.551221Z [Normal] Successfully assigned binderhub-test/jupyter-rgaiacs-binderhubtest-bojlrpvl to docker-desktop
2025-01-28T09:11:06Z [Normal] Container image "quay.io/jupyterhub/k8s-network-tools:4.0.0" already present on machine
2025-01-28T09:11:08Z [Normal] Created container block-cloud-metadata
2025-01-28T09:11:08Z [Normal] Started container block-cloud-metadata
2025-01-28T09:11:10Z [Normal] Pulling image "nexus.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718"
2025-01-28T09:11:11Z [Normal] Successfully pulled image "nexus.notebooks-test.gesis.org/gesiscss/binder-rgaiacs-2dbinderhubtest-f4c866:2be6db473d1d6c8e8bb111d8728548e1f5beb718" in 531ms (531ms including waiting). Image size: 545867993 bytes.
2025-01-28T09:11:11Z [Normal] Created container notebook
2025-01-28T09:11:11Z [Normal] Started container notebook

The container image was pushed to harbor.notebooks-test.gesis.org and pulled from nexus.notebooks-test.gesis.org. nexus.notebooks-test.gesis.org is configured to operate as a cache proxy to harbor.notebooks-test.gesis.org.

The Helm deployment was configured with the following values

config:
  BinderHub:
    use_registry: true
    image_prefix_push: harbor.notebooks-test.gesis.org/gesiscss/binder-
    image_prefix_pull: nexus.notebooks-test.gesis.org/gesiscss/binder-
    hub_url: http://jupyterhub.binbderhub.10.6.46.141.nip.io

service:
  type: ClusterIP

ingress:
  enabled: true
  annotations:
    # use the shared ingress-nginx
    kubernetes.io/ingress.class: "nginx"
  https:
      # This is unsafe! Only se for local development
      enabled: false
  hosts:
    - binderhub.10.6.46.141.nip.io

jupyterhub:
  proxy:
    service:
     type: ClusterIP
  ingress:
    enabled: true
    annotations:
      # use the shared ingress-nginx
      kubernetes.io/ingress.class: "nginx"
    hosts:
      - jupyterhub.binbderhub.10.6.46.141.nip.io

The secrets were

# https://binderhub.readthedocs.io/en/latest/zero-to-binderhub/setup-binderhub.html#if-you-are-using-azure-container-registry
registry:
  url: https://harbor.notebooks-test.gesis.org
  username: methodshub
  password: REDACTED

# https://z2jh.jupyter.org/en/stable/resources/reference.html#imagepullsecrets
jupyterhub:
  imagePullSecrets:
    # Created using
    # 
    # kubectl \
    # create \
    # secret \
    # docker-registry \
    # nexus.notebooks-test.gesis.org \
    # --docker-server=<your-registry-server> \
    # --docker-username=<your-name> \
    # --docker-password=<your-pword> \
    # --docker-email=<your-email> \
    # --namespace='binderhub-test'
    # 
    # Source: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
    - "nexus.notebooks-test.gesis.org"

On a second launch, BinderHub is not checking if the container image exists in the registry but starts a new build. I will try to fix this. If you can share the location in the code where BinderHub decides to do a build, I will appreciate.