Merge pull request #759 from yuvipanda/get-env-expand

Expand only environment variables set via Spawner.environment
jupyterhub · Jul 26, 2023 · cd17869 · cd17869
2 parents 05624ab + 19dac8b
commit cd17869
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/kubespawner/spawner.py b/kubespawner/spawner.py
@@ -2014,7 +2014,7 @@ async def get_pod_manifest(self):
             allow_privilege_escalation=self.allow_privilege_escalation,
             container_security_context=csc,
             pod_security_context=psc,
-            env=self._expand_all(self.get_env()),
+            env=self.get_env(),  # Expansion is handled by get_env
             volumes=self._expand_all(self.volumes),
             volume_mounts=self._expand_all(self.volume_mounts),
             working_dir=self.working_dir,
@@ -2169,6 +2169,11 @@ def get_env(self):
         env['JUPYTER_IMAGE_SPEC'] = self.image
         env['JUPYTER_IMAGE'] = self.image
 
+        # Explicitly expand *and* set all the admin specified variables only.
+        # This allows JSON-like strings set by JupyterHub itself to not be
+        # expanded. https://github.com/jupyterhub/kubespawner/issues/743
+        env.update(self._expand_all(self.environment))
+
         return env
 
     def load_state(self, state):

diff --git a/tests/test_spawner.py b/tests/test_spawner.py
@@ -11,6 +11,7 @@
 from kubernetes_asyncio.client.models import (
     V1Capabilities,
     V1Container,
+    V1EnvVar,
     V1PersistentVolumeClaim,
     V1Pod,
     V1SecurityContext,
@@ -1290,6 +1291,23 @@ async def test_pod_name_no_named_servers():
     assert spawner.pod_name == "jupyter-user"
 
 
+async def test_jupyterhub_supplied_env():
+    cookie_options = {"samesite": "None", "secure": True}
+    c = Config()
+
+    c.KubeSpawner.environment = {"HELLO": "It's {username}"}
+    spawner = KubeSpawner(config=c, _mock=True, cookie_options=cookie_options)
+
+    pod_manifest = await spawner.get_pod_manifest()
+
+    env = pod_manifest.spec.containers[0].env
+
+    # Set via .environment, must be expanded
+    assert V1EnvVar("HELLO", "It's mock-5fname") in env
+    # Set by JupyterHub itself, must not be expanded
+    assert V1EnvVar("JUPYTERHUB_COOKIE_OPTIONS", json.dumps(cookie_options)) in env
+
+
 async def test_pod_name_named_servers():
     c = Config()
     c.JupyterHub.allow_named_servers = True