We are able to deploy our jupyterhub with an external service to manage user interaction. However, this currently requires us to add the “api_token” to the values of the chart. Our project is using externalsecrets to create kubernetes secrets. I would like to put the “token” into the vault and have the chart reference the kubernetes secret created from the external secret.
I tried using the following:
juputerhub:
hub:
services:
my-service:
name: my-service
admin: True
api_token:
valueFrom:
secretKeyRef:
name: my-secret
key: token
however, when this is rendered into the hub secret as hub.services.my-service.api_token, the value decodes to map[valueFrom:map[secretKeyRef:map[key:token name:my-secret]]].
Is there a way, using the zero2JupyterHub chart to have the external service api_token pulled from a kubernetes secret?
This is especially important for 2 reasons. 1) If you are using a gitops flow like ArgoCD, leaving the api_token in the values.yaml would mean checking the secret into your git repository(gitlab or github). 2) If your external service is running in a different namespace or cluster it would not have access to the secret created when jupyterhub is deployed. Using vault and externalsecrets, applications in different namespaces and clusters can use the same secret.
I just need someone to tell me if I am wasting my time trying to get this working or if I am missing something obvious.