I manage a JupyterHub instance (on Kubernetes) that is used by multiple classes. Each class, and some specific users, need different configurations for things like Docker image, resource requests, and pre-spawn setup. Right now, I’ve written some custom code in the JupyterHub config file that takes in a dict that includes things like the class-specific configurations and implements a significant amount of merging logic. This works, but a) it’s super messy to maintain all of this in the JupyterHub config file and it’s unlikely to be directly usable by others, and b) anytime anything is updated, the hub has to be restarted, leading to periods where users can’t log in. As the number of users of this system grows, this will become an increasingly significant problem.
Therefore, I’m currently considering writing a hub-managed service that will implement a REST API. This REST API will allow the hub to query the service for the custom configuration (likely in the `pre_spawn_hook` to make it spawner agnostic) that can then be used to affect the spawner. I would also intend to implement a page where an administrator can upload a YAML file containing the current state of the user/class configuration. I would need this service to be authenticated to keep data from being accessible to any user. I have found clear documentation on how to restrict the authentication to a subset of users, subset of groups, subset of other services, and administrators by subclassing `HubAuthenticated` with my tornado handler.
However, the hub itself will have to query the REST API to get the custom configuration. I cannot figure out a mechanism to allow the hub to authenticate itself. I assume that there have been other cases where the hub needed to communicate directly with a service (instead of the service using the hub’s REST API), but I cannot find them. Is there any way for the hub to authenticate itself? I guess, is the hub itself a service that I can whitelist?
Thanks for any help you can provide!
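
The following is an added example, not part of the original post and not JupyterHub's own mechanism: one way the service side of the design described above could check a request from the hub, assuming the hub and the service are both provisioned with the same shared secret and the hub sends it as a Bearer token. All function names, the `STORE` layout and the sample values are hypothetical and constructed for illustration.

```python
import hmac
import json

# Constructed sample data: defaults, per-class and per-user overrides.
STORE = {
    "defaults": {"image": "base-notebook:1.0", "mem_limit": "1G"},
    "classes": {"cs101": {"image": "cs101-notebook:2.3"}},
    "users": {"alice": {"mem_limit": "4G"}},
    "membership": {"alice": "cs101", "bob": "cs101"},
}


def hub_is_authenticated(headers, expected_token):
    """Return True only if the request carries the shared secret (assumed scheme: Bearer)."""
    if not expected_token:  # fail closed if the secret was never provisioned
        return False
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False
    # Constant-time comparison avoids leaking the secret through response timing.
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def resolve_config(username, store):
    """Merge in precedence order: defaults < class overrides < user overrides."""
    merged = dict(store["defaults"])
    merged.update(store["classes"].get(store["membership"].get(username), {}))
    merged.update(store["users"].get(username, {}))
    return merged


def handle_config_request(headers, username, store, expected_token):
    """Framework-agnostic handler body: returns (HTTP status, JSON body)."""
    if not hub_is_authenticated(headers, expected_token):
        # Same response for a missing, malformed or wrong token.
        return 403, json.dumps({"error": "forbidden"})
    return 200, json.dumps(resolve_config(username, store))
```

In a tornado handler, the body of `get()` would pass `self.request.headers` to `handle_config_request` and write the returned status and body.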