Architecture¶
Extension API server runs as part of the controller manager pod — not as a separate deployment.
Deployment¶
The Jupyter K8s Helm chart deploys a single manager pod in the jupyter-k8s-system namespace. This pod runs:
The controller (reconciliation loops)
The Extension API server (Connection APIs)
Extension API is a GenericAPIServer instance added to the controller-runtime manager as a Runnable. It starts alongside the controller and shares the same lifecycle.
TLS and API aggregation¶
Extension API serves over TLS (port 7443 by default) and registers with the Kubernetes API server via an APIService resource. This makes its endpoints available through the standard K8s API path:
/apis/connection.workspace.jupyter.org/v1alpha1/namespaces/{namespace}/{resource}
Clients use their existing kubeconfig credentials — the K8s API server proxies requests and provides authentication context via request headers.
Configuration¶
Key settings (set via Helm values under extensionApi):
Setting |
Default |
Description |
|---|---|---|
|
|
Enable the Extension API server |
|
|
TLS listen port |
|
|
Enable k8s-native JWT signing (creates a Secret and rotator CronJob) |
|
|
Name of the HMAC signing Secret |
Plugin endpoints¶
When the Helm chart configures plugins, Extension API creates HTTP clients for each plugin endpoint:
controller:
plugins:
aws: "http://localhost:8080"
These clients are shared across JWT signing and connection creation paths.