Allow setting service account on build pods

[yuvipanda]

Proposed change

Currently, we pass in the username / password for the docker registry so we can push images to it. There are solutions like workload-identity and IRSA that allow using kubernetes service accounts to be used instead to authenticate to cloud services.

Currently, there's no way to configure which kubernetes service account the build pods should use. We'll need to expose that as an option to make use of it.

Alternative options

• Add an extra_pod_config and extra_container_config option instead that are more generic ways to customize the build pod.

Who would use this feature?

• Anyone running binderhubs on cloud providers

(Optional): Suggest a solution

• Add traitlet that allows configuring this
• Pass it on to the Builder object, so it can use it to construct the pod
• Add some unit tests

[thomas-bc]

An alternative solution to support AWS ECR as the docker registry was proposed (and just updated) in #1055. I will look into your proposed change and see if I can (and have time to) come up with something.

[manics]

I've commented on #1055 (comment)
but before you start work be aware I've made some big changes in #1518 and there's a follow-up PR in #1521 to switch the defaults.

If you want to add a service account I think you can just add a new traitlets config to

binderhub/binderhub/build.py

Lines 189 to 209 in c4af713

	class KubernetesBuildExecutor(BuildExecutor):
	"""Represents a build of a git repository into a docker image.
	This ultimately maps to a single pod on a kubernetes cluster. Many
	different build objects can point to this single pod and perform
	operations on the pod. The code in this class needs to be careful and take
	this into account.
	For example, operations a Build object tries might not succeed because
	another Build object pointing to the same pod might have done something
	else. This should be handled gracefully, and the build object should
	reflect the state of the pod as quickly as possible.
	``name``
	The ``name`` should be unique and immutable since it is used to
	sync to the pod. The ``name`` should be unique for a
	``(repo_url, ref)`` tuple, and the same tuple should correspond
	to the same ``name``. This allows use of the locking provided by k8s
	API instead of having to invent our own locking code.
	"""

and pass that into the pod creation method if it's set. Ignore the old Build class and most of the BinderHub.* settings- with the new Traitlets based class there's no need to pass parameters down through the whole BinderHub stack since Traitlets automatically passes them to the class.