Drive/k8s-manifests
8
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Add jupyterhub v4.0.0 and vr-test

Browse source
This commit is contained in:
Micke Nordin 2024-11-11 15:12:48 +01:00
parent a69449ede1
commit 2a2325e109
Signed by untrusted user: Micke
GPG key ID: 0DA0A7A5708FE257
20 changed files with 183 additions and 115 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
jupyter/base/charts/jupyterhub/Chart.yaml
View file

@ -1,27 +1,27 @@
annotations:
artifacthub.io/images: |
- image: quay.io/jupyterhub/configurable-http-proxy:4.6.1
- image: quay.io/jupyterhub/configurable-http-proxy:4.6.2
name: configurable-http-proxy
- image: quay.io/jupyterhub/k8s-hub:3.2.1
- image: quay.io/jupyterhub/k8s-hub:4.0.0
name: k8s-hub
- image: quay.io/jupyterhub/k8s-image-awaiter:3.2.1
- image: quay.io/jupyterhub/k8s-image-awaiter:4.0.0
name: k8s-image-awaiter
- image: quay.io/jupyterhub/k8s-network-tools:3.2.1
- image: quay.io/jupyterhub/k8s-network-tools:4.0.0
name: k8s-network-tools
- image: quay.io/jupyterhub/k8s-secret-sync:3.2.1
- image: quay.io/jupyterhub/k8s-secret-sync:4.0.0
name: k8s-secret-sync
- image: quay.io/jupyterhub/k8s-singleuser-sample:3.2.1
- image: quay.io/jupyterhub/k8s-singleuser-sample:4.0.0
name: k8s-singleuser-sample
- image: registry.k8s.io/kube-scheduler:v1.26.11
- image: registry.k8s.io/kube-scheduler:v1.30.6
name: kube-scheduler
- image: registry.k8s.io/pause:3.9
- image: registry.k8s.io/pause:3.10
name: pause
- image: registry.k8s.io/pause:3.9
- image: registry.k8s.io/pause:3.10
name: pause
- image: traefik:v2.10.5
- image: traefik:v3.2.0
name: traefik
apiVersion: v2
appVersion: 4.0.2
appVersion: 5.2.1
description: Multi-user Jupyter installation
home: https://z2jh.jupyter.org
icon: https://hub.jupyter.org/helm-chart/images/hublogo.svg
@ -29,7 +29,7 @@ keywords:
- jupyter
- jupyterhub
- z2jh
kubeVersion: '>=1.23.0-0'
kubeVersion: '>=1.28.0-0'
maintainers:
- email: erik@sundellopensource.se
name: Erik Sundell
@ -38,4 +38,4 @@ maintainers:
name: jupyterhub
sources:
- https://github.com/jupyterhub/zero-to-jupyterhub-k8s
version: 3.2.1
version: 4.0.0

31
jupyter/base/charts/jupyterhub/files/hub/jupyterhub_config.py
View file

@ -107,28 +107,35 @@ c.JupyterHub.hub_connect_url = (
)
# implement common labels
# this duplicates the jupyterhub.commonLabels helper
# This mimics the jupyterhub.commonLabels helper, but declares managed-by to
# kubespawner instead of helm.
#
# The labels app and release are old labels enabled to be deleted in z2jh 5, but
# for now retained to avoid a breaking change in z2jh 4 that would force user
# server restarts. Restarts would be required because NetworkPolicy resources
# must select old/new pods with labels that then needs to be seen on both
# old/new pods, and we want these resources to keep functioning for old/new user
# server pods during an upgrade.
#
common_labels = c.KubeSpawner.common_labels = {}
common_labels["app"] = get_config(
common_labels["app.kubernetes.io/name"] = common_labels["app"] = get_config(
"nameOverride",
default=get_config("Chart.Name", "jupyterhub"),
)
common_labels["heritage"] = "jupyterhub"
release = get_config("Release.Name")
if release:
common_labels["app.kubernetes.io/instance"] = common_labels["release"] = release
chart_name = get_config("Chart.Name")
chart_version = get_config("Chart.Version")
if chart_name and chart_version:
common_labels["chart"] = "{}-{}".format(
chart_name,
chart_version.replace("+", "_"),
common_labels["helm.sh/chart"] = common_labels["chart"] = (
f"{chart_name}-{chart_version.replace('+', '_')}"
)
release = get_config("Release.Name")
if release:
common_labels["release"] = release
common_labels["app.kubernetes.io/managed-by"] = "kubespawner"
c.KubeSpawner.namespace = os.environ.get("POD_NAMESPACE", "default")
# Max number of consecutive failures before the Hub restarts itself
# requires jupyterhub 0.9.2
set_config_if_not_none(
c.Spawner,
"consecutive_failure_limit",
@ -249,6 +256,7 @@ if tolerations:
storage_type = get_config("singleuser.storage.type")
if storage_type == "dynamic":
pvc_name_template = get_config("singleuser.storage.dynamic.pvcNameTemplate")
if pvc_name_template:
c.KubeSpawner.pvc_name_template = pvc_name_template
volume_name_template = get_config("singleuser.storage.dynamic.volumeNameTemplate")
c.KubeSpawner.storage_pvc_ensure = True
@ -268,13 +276,14 @@ if storage_type == "dynamic":
c.KubeSpawner.volumes = [
{
"name": volume_name_template,
"persistentVolumeClaim": {"claimName": pvc_name_template},
"persistentVolumeClaim": {"claimName": "{pvc_name}"},
}
]
c.KubeSpawner.volume_mounts = [
{
"mountPath": get_config("singleuser.storage.homeMountPath"),
"name": volume_name_template,
"subPath": get_config("singleuser.storage.dynamic.subPath"),
}
]
elif storage_type == "static":

1
jupyter/base/charts/jupyterhub/files/hub/z2jh.py
View file

@ -3,6 +3,7 @@ Utility methods for use in jupyterhub_config.py and dynamic subconfigs.
Methods here can be imported by extraConfig in values.yaml
"""
import os
from collections.abc import Mapping
from functools import lru_cache

44
jupyter/base/charts/jupyterhub/templates/_helpers.tpl
View file

@ -48,7 +48,6 @@
- commonLabels | uses appLabel
- labels | uses commonLabels
- matchLabels | uses labels
- podCullerSelector | uses matchLabels
## Example usage
@ -112,31 +111,62 @@
{{- /*
jupyterhub.commonLabels:
Foundation for "jupyterhub.labels".
Provides labels: app, release, (chart and heritage).
Provides old labels:
app
release
chart (omitted for matchLabels)
heritage (omitted for matchLabels)
Provides modern labels (omitted for matchLabels):
app.kubernetes.io/name ("app")
app.kubernetes.io/instance ("release")
helm.sh/chart ("chart")
app.kubernetes.io/managed-by ("heritage")
*/}}
{{- define "jupyterhub.commonLabels" -}}
app: {{ .appLabel | default (include "jupyterhub.appLabel" .) }}
release: {{ .Release.Name }}
app: {{ .appLabel | default (include "jupyterhub.appLabel" .) | quote }}
release: {{ .Release.Name | quote }}
{{- if not .matchLabels }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
heritage: {{ .heritageLabel | default .Release.Service }}
heritage: {{ .Release.Service }}
app.kubernetes.io/name: {{ .appLabel | default (include "jupyterhub.appLabel" .) | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- end }}
{{- /*
jupyterhub.labels:
Provides labels: component, app, release, (chart and heritage).
Provides old labels:
component
app
release
chart (omitted for matchLabels)
heritage (omitted for matchLabels)
Provides modern labels (omitted for matchLabels):
app.kubernetes.io/component ("component")
app.kubernetes.io/name ("app")
app.kubernetes.io/instance release ("release")
helm.sh/chart ("chart")
app.kubernetes.io/managed-by ("heritage")
*/}}
{{- define "jupyterhub.labels" -}}
component: {{ include "jupyterhub.componentLabel" . }}
{{- if not .matchLabels }}
app.kubernetes.io/component: {{ include "jupyterhub.componentLabel" . }}
{{- end }}
{{ include "jupyterhub.commonLabels" . }}
{{- end }}
{{- /*
jupyterhub.matchLabels:
Used to provide pod selection labels: component, app, release.
Provides old labels:
component
app
release
*/}}
{{- define "jupyterhub.matchLabels" -}}
{{- $_ := merge (dict "matchLabels" true) . -}}

8
jupyter/base/charts/jupyterhub/templates/hub/deployment.yaml
View file

@ -5,7 +5,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
{{- if typeIs "int" .Values.hub.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.hub.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.hub.revisionHistoryLimit }}
{{- end }}
replicas: 1
@ -97,9 +97,6 @@ spec:
{{- . | toYaml | nindent 8 }}
{{- end }}
containers:
{{- with .Values.hub.extraContainers }}
{{- . | toYaml | nindent 8 }}
{{- end }}
- name: hub
image: {{ .Values.hub.image.name }}:{{ .Values.hub.image.tag }}
{{- with .Values.hub.command }}
@ -244,6 +241,9 @@ spec:
path: {{ .Values.hub.baseUrl | trimSuffix "/" }}/hub/health
port: http
{{- end }}
{{- with .Values.hub.extraContainers }}
{{- . | toYaml | nindent 8 }}
{{- end }}
{{- with .Values.hub.extraPodSpec }}
{{- . | toYaml | nindent 6 }}
{{- end }}

2
jupyter/base/charts/jupyterhub/templates/hub/secret.yaml
View file

@ -8,7 +8,7 @@ type: Opaque
data:
{{- $values := merge dict .Values }}
{{- /* also passthrough subset of Chart / Release */}}
{{- $_ := set $values "Chart" (dict "Name" .Chart.Name "Version" .Chart.Version) }}
{{- $_ := set $values "Chart" (dict "Name" .Chart.Name "Version" .Chart.Version "AppVersion" .Chart.AppVersion) }}
{{- $_ := set $values "Release" (pick .Release "Name" "Namespace" "Service") }}
values.yaml: {{ $values | toYaml | b64enc | quote }}

3
jupyter/base/charts/jupyterhub/templates/hub/service.yaml
View file

@ -31,6 +31,9 @@ spec:
{{- with .Values.hub.service.ports.nodePort }}
nodePort: {{ . }}
{{- end }}
{{- with .Values.hub.service.ports.appProtocol }}
appProtocol: {{ . }}
{{- end }}
{{- with .Values.hub.service.extraPorts }}
{{- . | toYaml | nindent 4 }}

2
jupyter/base/charts/jupyterhub/templates/image-puller/_helpers-daemonset.tpl
View file

@ -34,7 +34,7 @@ spec:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 100%
{{- if typeIs "int" .Values.prePuller.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.prePuller.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.prePuller.revisionHistoryLimit }}
{{- end }}
template:

3
jupyter/base/charts/jupyterhub/templates/ingress.yaml
View file

@ -24,6 +24,9 @@ spec:
name: {{ include "jupyterhub.proxy-public.fullname" $ }}
port:
name: http
{{- with $.Values.ingress.extraPaths }}
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- if $host }}
host: {{ $host | quote }}
{{- end }}

10
jupyter/base/charts/jupyterhub/templates/proxy/autohttps/deployment.yaml
View file

@ -8,7 +8,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
{{- if typeIs "int" .Values.proxy.traefik.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.proxy.traefik.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.proxy.traefik.revisionHistoryLimit }}
{{- end }}
replicas: 1
@ -130,10 +130,10 @@ spec:
{{- end }}
args:
- watch-save
- --label=app={{ include "jupyterhub.appLabel" . }}
- --label=release={{ .Release.Name }}
- --label=chart={{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- --label=heritage=secret-sync
- --label=app.kubernetes.io/name={{ include "jupyterhub.appLabel" . }}
- --label=app.kubernetes.io/instance={{ .Release.Name }}
- --label=helm.sh/chart={{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
- --label=app.kubernetes.io/managed-by=secret-sync
- {{ include "jupyterhub.proxy-public-tls.fullname" . }}
- acme.json
- /etc/acme/acme.json

5
jupyter/base/charts/jupyterhub/templates/proxy/deployment.yaml
View file

@ -7,7 +7,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
{{- if typeIs "int" .Values.proxy.chp.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.proxy.chp.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.proxy.chp.revisionHistoryLimit }}
{{- end }}
replicas: 1
@ -100,6 +100,9 @@ spec:
{{- if .Values.debug.enabled }}
- --log-level=debug
{{- end }}
{{- if .Values.hub.config.JupyterHub.subdomain_host }}
- --host-routing
{{- end }}
{{- range .Values.proxy.chp.extraCommandLineFlags }}
- {{ tpl . $ }}
{{- end }}

2
jupyter/base/charts/jupyterhub/templates/scheduling/user-placeholder/statefulset.yaml
View file

@ -16,7 +16,7 @@ metadata:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
podManagementPolicy: Parallel
{{- if typeIs "int" .Values.scheduling.userPlaceholder.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.scheduling.userPlaceholder.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.scheduling.userPlaceholder.revisionHistoryLimit }}
{{- end }}
replicas: {{ .Values.scheduling.userPlaceholder.replicas }}

14
jupyter/base/charts/jupyterhub/templates/scheduling/user-scheduler/configmap.yaml
View file

@ -10,26 +10,14 @@ data:
This is configuration of a k8s official kube-scheduler binary running in the
user-scheduler.
The config version and kube-scheduler binary version has a fallback for k8s
clusters versioned v1.23 or lower because:
- v1 / v1beta3 config requires kube-scheduler binary >=1.25 / >=1.23
- kube-scheduler binary >=1.25 requires storage.k8s.io/v1/CSIStorageCapacity
available first in k8s >=1.24
ref: https://kubernetes.io/docs/reference/scheduling/config/
ref: https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1/
ref: https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1beta3/
*/}}
config.yaml: |
{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }}
apiVersion: kubescheduler.config.k8s.io/v1
{{- else }}
apiVersion: kubescheduler.config.k8s.io/v1beta3
{{- end }}
kind: KubeSchedulerConfiguration
leaderElection:
resourceLock: endpointsleases
resourceLock: leases
resourceName: {{ include "jupyterhub.user-scheduler-lock.fullname" . }}
resourceNamespace: "{{ .Release.Namespace }}"
profiles:

12
jupyter/base/charts/jupyterhub/templates/scheduling/user-scheduler/deployment.yaml
View file

@ -6,7 +6,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
{{- if typeIs "int" .Values.scheduling.userScheduler.revisionHistoryLimit }}
{{- if not (typeIs "<nil>" .Values.scheduling.userScheduler.revisionHistoryLimit) }}
revisionHistoryLimit: {{ .Values.scheduling.userScheduler.revisionHistoryLimit }}
{{- end }}
replicas: {{ .Values.scheduling.userScheduler.replicas }}
@ -50,17 +50,7 @@ spec:
{{- end }}
containers:
- name: kube-scheduler
{{- if semverCompare ">=1.24.0-0" .Capabilities.KubeVersion.Version }}
image: {{ .Values.scheduling.userScheduler.image.name }}:{{ .Values.scheduling.userScheduler.image.tag }}
{{- else }}
# WARNING: The tag of this image is hardcoded, and the
# "scheduling.userScheduler.image.tag" configuration of the
# Helm chart that generated this resource manifest isn't
# respected. If you install the Helm chart in a k8s cluster
# versioned 1.24 or higher, your configuration will be
# respected.
image: {{ .Values.scheduling.userScheduler.image.name }}:v1.23.14
{{- end }}
{{- with .Values.scheduling.userScheduler.image.pullPolicy }}
imagePullPolicy: {{ . }}
{{- end }}

25
jupyter/base/charts/jupyterhub/templates/scheduling/user-scheduler/rbac.yaml
View file

@ -20,8 +20,12 @@ rules:
# - changed in 1.21: get/list/watch permission for namespace,
# csidrivers, csistoragecapacities was added.
# - unchanged between 1.22 and 1.27
# - changed in 1.28: permissions to get/update lock endpoint resource
# removed
# - unchanged between 1.28 and 1.30
# - (1.31 is known to bring some changes below)
#
# ref: https://github.com/kubernetes/kubernetes/blob/v1.27.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L736-L892
# ref: https://github.com/kubernetes/kubernetes/blob/v1.30.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L721-L862
- apiGroups:
- ""
- events.k8s.io
@ -46,21 +50,6 @@ rules:
verbs:
- get
- update
- apiGroups:
- ""
resources:
- endpoints
verbs:
- create
- apiGroups:
- ""
resourceNames:
- {{ include "jupyterhub.user-scheduler-lock.fullname" . }}
resources:
- endpoints
verbs:
- get
- update
- apiGroups:
- ""
resources:
@ -183,9 +172,9 @@ rules:
# Copied from the system:volume-scheduler ClusterRole of the k8s version
# matching the kube-scheduler binary we use.
#
# NOTE: These rules have not changed between 1.12 and 1.27.
# NOTE: These rules have not changed between 1.12 and 1.29.
#
# ref: https://github.com/kubernetes/kubernetes/blob/v1.27.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L1311-L1338
# ref: https://github.com/kubernetes/kubernetes/blob/v1.29.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L1283-L1310
- apiGroups:
- ""
resources:

2
jupyter/base/charts/jupyterhub/values.schema.json
View file

File diff suppressed because one or more lines are too long

91
jupyter/base/charts/jupyterhub/values.yaml
View file

@ -41,6 +41,7 @@ hub:
annotations: {}
ports:
nodePort:
appProtocol:
extraPorts: []
loadBalancerIP:
baseUrl: /
@ -84,16 +85,21 @@ hub:
extraVolumeMounts: []
image:
name: quay.io/jupyterhub/k8s-hub
tag: "3.2.1"
tag: "4.0.0"
pullPolicy:
pullSecrets: []
resources: {}
podSecurityContext:
runAsNonRoot: true
fsGroup: 1000
seccompProfile:
type: "RuntimeDefault"
containerSecurityContext:
runAsUser: 1000
runAsGroup: 1000
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
lifecycle: {}
loadRoles: {}
services: {}
@ -197,15 +203,20 @@ proxy:
chp:
revisionHistoryLimit:
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
image:
name: quay.io/jupyterhub/configurable-http-proxy
# tag is automatically bumped to new patch versions by the
# watch-dependencies.yaml workflow.
#
tag: "4.6.1" # https://github.com/jupyterhub/configurable-http-proxy/tags
tag: "4.6.2" # https://github.com/jupyterhub/configurable-http-proxy/tags
pullPolicy:
pullSecrets: []
extraCommandLineFlags: []
@ -250,15 +261,20 @@ proxy:
traefik:
revisionHistoryLimit:
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
image:
name: traefik
# tag is automatically bumped to new patch versions by the
# watch-dependencies.yaml workflow.
#
tag: "v2.10.5" # ref: https://hub.docker.com/_/traefik?tab=tags
tag: "v3.2.0" # ref: https://hub.docker.com/_/traefik?tab=tags
pullPolicy:
pullSecrets: []
hsts:
@ -300,12 +316,17 @@ proxy:
extraPodSpec: {}
secretSync:
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
image:
name: quay.io/jupyterhub/k8s-secret-sync
tag: "3.2.1"
tag: "4.0.0"
pullPolicy:
pullSecrets: []
resources: {}
@ -345,7 +366,7 @@ singleuser:
networkTools:
image:
name: quay.io/jupyterhub/k8s-network-tools
tag: "3.2.1"
tag: "4.0.0"
pullPolicy:
pullSecrets: []
resources: {}
@ -392,12 +413,13 @@ singleuser:
homeMountPath: /home/jovyan
dynamic:
storageClass:
pvcNameTemplate: claim-{username}{servername}
volumeNameTemplate: volume-{username}{servername}
pvcNameTemplate:
volumeNameTemplate: volume-{user_server}
storageAccessModes: [ReadWriteOnce]
subPath:
image:
name: quay.io/jupyterhub/k8s-singleuser-sample
tag: "3.2.1"
tag: "4.0.0"
pullPolicy:
pullSecrets: []
startTimeout: 300
@ -432,19 +454,24 @@ scheduling:
#
plugins:
score:
# These scoring plugins are enabled by default according to
# https://kubernetes.io/docs/reference/scheduling/config/#scheduling-plugins
# 2022-02-22.
# We make use of the default scoring plugins, but we re-enable some with
# a new priority, leave some enabled with their lower default priority,
# and disable some.
#
# Enabled with high priority:
# Below are the default scoring plugins as of 2024-09-23 according to
# https://kubernetes.io/docs/reference/scheduling/config/#scheduling-plugins.
#
# Re-enabled with high priority:
# - NodeAffinity
# - InterPodAffinity
# - NodeResourcesFit
# - ImageLocality
#
# Remains enabled with low default priority:
# - TaintToleration
# - PodTopologySpread
# - VolumeBinding
#
# Disabled for scoring:
# - NodeResourcesBalancedAllocation
#
@ -473,20 +500,25 @@ scheduling:
- name: NodeResourcesFit
args:
scoringStrategy:
type: MostAllocated
resources:
- name: cpu
weight: 1
- name: memory
weight: 1
type: MostAllocated
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
image:
# IMPORTANT: Bumping the minor version of this binary should go hand in
# hand with an inspection of the user-scheduelrs RBAC resources
# that we have forked in
# hand with an inspection of the user-scheduelr's RBAC
# resources that we have forked in
# templates/scheduling/user-scheduler/rbac.yaml.
#
# Debugging advice:
@ -519,7 +551,7 @@ scheduling:
# here. We aim to stay around 1 minor version behind the latest k8s
# version.
#
tag: "v1.26.11" # ref: https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
tag: "v1.30.6" # ref: https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG
pullPolicy:
pullSecrets: []
nodeSelector: {}
@ -551,7 +583,7 @@ scheduling:
#
# If you update this, also update prePuller.pause.image.tag
#
tag: "3.9"
tag: "3.10"
pullPolicy:
pullSecrets: []
revisionHistoryLimit:
@ -559,9 +591,14 @@ scheduling:
labels: {}
annotations: {}
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
resources: {}
corePods:
tolerations:
@ -595,9 +632,14 @@ prePuller:
annotations: {}
resources: {}
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
extraTolerations: []
# hook relates to the hook-image-awaiter Job and hook-image-puller DaemonSet
hook:
@ -606,13 +648,18 @@ prePuller:
# image and the configuration below relates to the hook-image-awaiter Job
image:
name: quay.io/jupyterhub/k8s-image-awaiter
tag: "3.2.1"
tag: "4.0.0"
pullPolicy:
pullSecrets: []
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
podSchedulingWaitDuration: 10
nodeSelector: {}
tolerations: []
@ -627,9 +674,14 @@ prePuller:
extraImages: {}
pause:
containerSecurityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody user
runAsGroup: 65534 # nobody group
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
seccompProfile:
type: "RuntimeDefault"
image:
name: registry.k8s.io/pause
# tag is automatically bumped to new patch versions by the
@ -637,7 +689,7 @@ prePuller:
#
# If you update this, also update scheduling.userPlaceholder.image.tag
#
tag: "3.9"
tag: "3.10"
pullPolicy:
pullSecrets: []
@ -649,6 +701,7 @@ ingress:
pathSuffix:
pathType: Prefix
tls: []
extraPaths: []
# cull relates to the jupyterhub-idle-culler service, responsible for evicting
# inactive singleuser pods.

1
jupyter/base/jupyterhub-ingress.yml
View file

@ -4,7 +4,6 @@ kind: Ingress
metadata:
name: jupyterhub-ingress
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:

6
jupyter/overlays/test/vr/kustomization.yaml
View file

@ -5,10 +5,10 @@ resources: [../../../base/]
helmCharts:
- includeCRDs: true
name: jupyterhub
releaseName: uu-jupyterhub
releaseName: vr-jupyterhub
valuesFile: ./values/values.yaml
version: 3.2.1
namespace: uu-jupyterhub
version: 4.0.0
namespace: vr-jupyterhub
helmGlobals:
chartHome: ../../../base/charts/
patches:

8
jupyter/overlays/test/vr/values/values.yaml
View file

@ -277,8 +277,8 @@ hub:
name: refresh-token
extraEnv:
NEXTCLOUD_DEBUG_OAUTH: "no"
NEXTCLOUD_HOST: uu.drive.test.sunet.se
JUPYTER_HOST: uu-jupyter.drive.test.sunet.se
NEXTCLOUD_HOST: vr.drive.test.sunet.se
JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
JUPYTERHUB_API_KEY:
valueFrom:
secretKeyRef:
@ -321,8 +321,8 @@ singleuser:
storageClass: csi-sc-cinderplugin
extraEnv:
JUPYTER_ENABLE_LAB: "yes"
JUPYTER_HOST: uu-jupyter.drive.test.sunet.se
NEXTCLOUD_HOST: uu.drive.test.sunet.se
JUPYTER_HOST: vr-jupyter.drive.test.sunet.se
NEXTCLOUD_HOST: vr.drive.test.sunet.se
extraFiles:
jupyter_notebook_config:
mountPath: /home/jovyan/.jupyter/jupyter_server_config.py