Skip to content

Latest commit

 

History

History
3273 lines (2749 loc) · 241 KB

CHANGELOG.md

File metadata and controls

3273 lines (2749 loc) · 241 KB

Changelog

Here you can find upgrade changes in between releases and upgrade instructions.

UNRELEASED

[1.1]

[1.1.3] - 2021-08-25

Maintenance and upkeep improvements

  • refactor: remove redundant trimSuffix of new lines after toYaml #2358 (@consideRatio)
  • build(deps): bump pycurl from 7.44.0 to 7.44.1 in /images/hub #2352 (@dependabot)
  • build(deps): bump oauthenticator from 14.1.0 to 14.2.0 in /images/hub #2350 (@dependabot)
  • build(deps): bump pycurl from 7.43.0.6 to 7.44.0 in /images/hub #2347 (@dependabot)

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @j0nnyr0berts | @manics

[1.1.2] - 2021-08-05

Bugs fixed

  • fix schema: hub.templateVars didn't accept configuration #2343 (@MridulS)

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @hiroki-sawano | @manics | @MridulS

[1.1.1] - 2021-07-22

Bugs fixed

Continuous integration improvements

[1.1.0] - 2021-07-21

Highlights

  • hub.services api tokens are now generated

    The Helm chart now automatically seeds registered services under hub.services with an api token. This is especially helpful for Helm charts depending on this Helm chart such as binderhub or daskhub, for more details see the hub.services entry in the configuration reference.

  • Full arm64 compatebility

    The Helm chart is fully arm64 compatible, even the singleuser.image that previously wasn't.

Breaking changes

This breaking change only concerns someone that has configured hub.services.<some-key>.name=<some-name> so that <some-key> is different from <some-name>. In that case, the key in the k8s Secret exposing the registered service's api token is now named hub.services.<some-key>.apiToken instead of hub.services.<some-name>.apiToken.

Notable dependencies updated

Dependency Version in 1.0.0 Version in 1.1.0 Changelog link Note
jupyterhub 1.4.1 1.4.2 Changelog Run in the hub pod
kubespawner 1.0.0 1.1.0 Changelog Run in the hub pod
oauthenticator 14.0.0 14.1.0 Changelog Run in the hub pod
ldapauthenticator 1.3.2 1.3.2 Changelog Run in the hub pod
ltiauthenticator 1.0.0 1.0.0 Changelog Run in the hub pod
nativeauthenticator 0.0.7 0.0.7 Changelog Run in the hub pod
jupyterhub-idle-culler 1.1 1.1 - Run in the hub pod
configurable-http-proxy 4.4.0 4.5.0 Changelog Run in the proxy pod
traefik v2.4.8 v2.4.11 Changelog Run in the autohttps pod
kube-scheduler v1.19.11 v1.19.13 - Run in the user-scheduler pod(s)

For a detailed list of how Python dependencies have change in the hub Pod's Docker image, inspect the images/hub/requirements.txt file.

New features added

  • Add configuration for arbitrary extra pod spec #2306 (@mallman)

Enhancements made

Bugs fixed

  • Allow CHP to function in a IPv4 only and/or IPv6 only context #2318 (@consideRatio)
  • fix schema: accept proxy.traefik.extra[Static|Dynamic]Config #2317 (@consideRatio)
  • fix: bug if z2jh is used as a dependency with an alias #2310 (@consideRatio)
  • Fix failure to set imagePullSecrets for user-placeholder pods (scheduling.userPlaceholder.image config added) #2293 (@michaellzc)

Maintenance and upkeep improvements

Documentation improvements

Continuous integration improvements

Contributors to this release

(GitHub contributors page for this release)

@cdibble | @consideRatio | @jtrouth | @mallman | @manics | @michaellzc | @minrk | @yuvipanda

[1.0]

[1.0.1] - 2021-06-25

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Continuous integration improvements

Contributors to this release

(GitHub contributors page for this release)

@cdibble | @consideRatio | @dependabot | @enolfc | @manics | @minrk | @sgibson91 | @v1r7u | @weisdd

[1.0.0] - 2021-06-09

This release includes a security announcement, breaking changes, several new features, and more. Please read through this to be able to help yourself and others upgrade successfully.

As of the 1.0.0 version of this Helm chart, we aim to follow SemVer 2 versioning scheme where breaking changes, new features, and small bugfixes will increment the three version numbers.

Highlights

  • arm64 compatible images

    All images except the user image (singleuser.image) now support the arm64 architecture. This allows this Helm chart to be installable on a RaspberryPi based k8s cluster.

  • hub.extraFiles and singleuser.extraFiles

    Have you wanted to mount various files to the hub pod or the user pods, such as a configuration file or similar? While this could be done by creating a dedicated ConfigMap that was mounted etc before, you don't need to go through that trouble.

    Read more in the configuration reference.

  • Automatic secret generation

    Are you explicitly passing proxy.secretToken, hub.config.CryptKeeper.keys, hub.config.JupyterHub.cookie_secret? Do it one more time when upgrading to 1.0.0! After that, they will be stored away in a k8s Secret and reused.

    If you install 1.0.0 from scratch, those will be automatically generated for you if you don't specify them.

  • Smoother helm upgrades

    • prePuller.hook.pullOnlyOnChanges is now available and enabled by default, which only intercepts a helm upgrade by pulling images if they have changed since the last upgrade.

    • The proxy pod were sometimes restarted when it wasn't needed and that could cause needless disruptions for users. This is now fixed.

  • fullnameOverride and nameOverride

    These options let you control the naming of the k8s resources created by the Helm chart, but should not be used unless you install from scratch.

    Read more in the configuration reference.

  • Referencing resources from a parent Helm chart's templates

    Are you a developer of a Helm chart that depends on this Helm chart, and you want to reference a k8s resource by name from one of your Helm templates?

    Learn how to do it the recommended way by reading this documentation.

Security announcement

The documentation for how to setup a Amazon EKS cluster included an insecure step that would give anyone access to the Kubernetes cluster. If you have followed these instructions between 0.7.0-beta.1 and 0.11.1, please see the this post in the Jupyter forum.

Breaking changes

  • Kubernetes 1.17+ and Helm 3.5+ are now required

    Helm 3 (3.5+) is now required. Helm 2 reached end of life last year and we have started relying on Helm 3.5 specific features.

    Kubernetes 1.17+ is now required. It helped us avoid maintaining two separate sets of implementations for the the user-scheduler.

  • Schema validation of chart config (#2033, #2200)

    The Helm chart now bundles with a values.schema.json file that will validate all use of the Helm chart during template rendering. If the Helm chart's passed values doesn't comply with the schema, then helm will error before the k8s api-server has become involved and anything has changed in the k8s cluster.

    The most common validation errors are:

    • Unrecognized config values

      For example if you have misspelled something.

      Note that if you want to pass your custom values for inspection by custom logic in the hub pod, then you should pass these values via the custom config section where anything will be accepted.

    • Recognized config values with the wrong type

      For example if you have passed a numerical value to a configuration that expected a string.

  • Breaking changes to config (#2211)

    As the Helm chart has evolved over time, configuration options have been renamed and changed in various ways. With the release of 1.0.0, we enforce a transition from various old configuration options to new that have previously been ignored or accepted.

    If you are using outdated configuration options you will be informed about it before any changes have been made to your deployment of the Helm chart.

  • Default resource requests are no longer set (#2034, #2226)

    The helm chart now follows a common Helm chart practice by not setting default resource requests or limits.

    To help in this transition, there is documentation with some guidance on setting explicit resource requests available here.

    If you want to restore the previous behavior, you can explicitly set the resource requests like below.

    hub:
      resources:
        requests:
          cpu: 200m
          memory: 512Mi
    
    proxy:
      chp:
        resources:
          requests:
            cpu: 200m
            memory: 512Mi
    
    scheduling:
      userScheduler:
        resources:
          requests:
            cpu: 50m
            memory: 256Mi
    
    prePuller:
      resources:
        requests:
          cpu: 0
          memory: 0
      hook:
        resources:
          requests:
            cpu: 0
            memory: 0
  • KubeSpawner and deletion of PVCs (jupyterhub#3337, kubespawner#475)

    Deleting a user in JupyterHub's admin interface (/hub/admin) or removing a named server will now lead to the deletion of the user's or named server's dynamically created PVC resource if there was one.

    To opt out of this behavior and retain the current behavior where dynamically created PVC resources will remain, set KubeSpawner.delete_pvc to false.

    hub:
      config:
        KubeSpawner:
          delete_pvc: false

    Note that this feature relies on both KubeSpawner 1.0.0+ and JupyterHub 1.4.1+ which are included in this release.

  • hub.existingSecret is reworked (#2042)

    See the documentation and pull request #2042 for more details.

  • configurable-http-proxy statsd metrics removed (#2231)

    statsd metrics have been removed in configurable-http-proxy. This will only affect administrators who have overridden the CHP command line arguments as statsd is not supported in the Helm chart. Support for Prometheus metrics will be added in a future release.

Notable dependencies updated

Dependency Version in 0.11.0 Version in 1.0.0 Changelog link Note
jupyterhub 1.3.0 1.4.1 Changelog Run in the hub pod
kubespawner 0.15.0 1.0.0 Changelog Run in the hub pod
oauthenticator 0.12.3 14.0.0 Changelog Run in the hub pod
ldapauthenticator 1.3.2 1.3.2 Changelog Run in the hub pod
ltiauthenticator 1.0.0 1.0.0 Changelog Run in the hub pod
nativeauthenticator 0.0.6 0.0.7 Changelog Run in the hub pod
jupyterhub-idle-culler 1.0 1.1 - Run in the hub pod
configurable-http-proxy 4.2.2 4.4.0 Changelog Run in the proxy pod
traefik v2.3.7 v2.4.8 Changelog Run in the autohttps pod
kube-scheduler v1.19.7 v1.19.11 - Run in the user-scheduler pod(s)

For a detailed list of how Python dependencies have change in the hub Pod's Docker image, inspect the images/hub/requirements.txt file.

New features added

  • hub.service.extraPorts config option #2148 (@kafonek)
  • Publish Arm64 compatible images #2125 (@manics)
  • Enable opt-out of hub.jupyter.org/dedicated tolerations #2101 (@kafonek)
  • Add prePuller.hook.pullOnlyOnChanges flag #2066 (@consideRatio)
  • values.schema.json ships with chart and configuration reference now covers all options #2033 (@consideRatio)
  • Allow extraFiles to be injected to hub / singleuser pods and automatically load config in /usr/local/etc/jupyterhub_config.d #2006 (@consideRatio)
  • Seed secrets (proxy.secretToken, etc) so they don't have to be manually generated #1993 (@consideRatio)
  • Support fullnameOverride / nameOverride and reference resources by named templates #1923 (@consideRatio)

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Continuous integration improvements

Contributors to this release

(GitHub contributors page for this release)

@agnewp | @bbockelm | @betatim | @choldgraf | @consideRatio | @damianavila | @danielballan | @dependabot | @dhirschfeld | @github-actions | @jabbera | @jgwerner | @kafonek | @manics | @meeseeksmachine | @mhwasil | @michzimny | @MickeyShnaiderman-RecoLabs | @minrk | @mriedem | @NerdSec | @pcfens | @pvanliefland | @remche | @roelbaz | @rommeld | @RyanQuey | @spenczar | @support | @thomasv314 | @tkislan | @willingc | @yobome | @yuvipanda

[0.11]

[0.11.1] - 2021-01-15

This release fixes a regression in the Ingress resource and a bump of jupyterhub-nativeauthenticator from 0.0.6 to 0.0.7.

Bugs fixed

  • fix: fix of ingress regression and improved testing (@consideRatio)

Maintenance and upkeep improvements

  • build(deps): bump jupyterhub-nativeauthenticator from 0.0.6 to 0.0.7 in /images/hub #1988 (@dependabot)

[0.11.0] - 2021-01-14

Please read the security announcement and the breaking changes below, and also note that this is the last release supporting Helm 2 and k8s versions lower than 1.16.

Security announcement

This release contains the patched version of jupyterhub/oauthenticator which contained a security issue that influenced version 0.10.0 - 0.10.5 (but not 0.10.6) of this Helm chart.

Please don't use versions 0.10.0 - 0.10.5 and upgrade to 0.10.6 or later. If you are using OAuthenticator, please check your list of users and delete any unauthorized users who may have logged in during usage of version 0.10.0 - 10.10.5.

See the published security advisory for more information, and refer to this forum post to share insights that can be useful to others.

Breaking changes

  • auth configuration moves to hub.config - #1943

    Helm chart configuration under auth is now no longer supported. If you make a helm upgrade using auth configuration, the upgrade will abort before any changes are made to the k8s cluster and you will be provided with the equivalent configuration using the new system under hub.config.

    By default, the printed equivalent configuration is censored as it can contain secrets that shouldn't be exposed. By passing --global.safeToShowValues=true you can get an uncensored version.

  • Pod Disruption Budget's now disabled by default - #1938

    A Pod Disruption Budget (PDB) for the hub and proxy pods were created by default before, but will by default not be created from now on. The consequence of this is that the pods now can get evicted.

    Eviction will happen as part of kubectl drain on a node, or by a cluster autoscaler removing a underused node.

Notable dependencies updated

Dependency Version in 0.10.6 Version in 0.11.0 Changelog link Note
jupyterhub 1.2.2 1.3.0 Changelog Run in the hub pod
kubespawner 0.14.1 0.15.0 Changelog Run in the hub pod
oauthenticator 0.12.1 0.12.3 Changelog Run in the hub pod
ldapauthenticator 1.3.2 1.3.2 Changelog Run in the hub pod
ltiauthenticator 0.4.0 1.0.0 Changelog Run in the hub pod
nativeauthenticator 0.0.6 0.0.6 Changelog Run in the hub pod
jupyterhub-idle-culler 1.0 1.0 - Run in the hub pod
configurable-http-proxy 4.2.2 4.2.2 Changelog Run in the proxy pod
traefik v2.3.2 v2.3.7 Changelog Run in the autohttps pod
kube-scheduler v1.19.2 v1.19.7 - Run in the user-scheduler pod(s)

For a detailed list of how Python dependencies have change in the hub Pod's Docker image, inspect the images/hub/requirements.txt file.

Enhancements made

  • ci: automatically scan and patch our images for known vulnerabilities #1942 (@consideRatio)

Bugs fixed

  • Fix failure to block insecure metadata server IP #1950 (@consideRatio)
  • Enable hub livenessProbe by default and relax hub/proxy probes #1941 (@consideRatio)
  • Disable PDBs for hub/proxy, add PDB for autohttps, and relocate config proxy.pdb to proxy.chp.pdb #1938 (@consideRatio)

Maintenance and upkeep improvements

Documentation improvements

Continuous integration improvements

Contributors to this release

(GitHub contributors page for this release)

@arokem | @betatim | @chicocvenancio | @choldgraf | @consideRatio | @DArtagan | @dependabot | @github-actions | @manics | @minrk | @naterush | @rokroskar | @yuvipanda

[0.10]

[0.10.6] - 2020-11-27

This release is a security workaround for jupyterhub/oauthenticator described in https://github.com/jupyterhub/oauthenticator/security/advisories/GHSA-384w-5v3f-q499.

Please don't use versions 0.10.0 - 0.10.5 and upgrade to 0.10.6 or later. If any users have been authorized during usage of 0.10.0 - 0.10.5 who should not have been, they must be deleted via the API or admin interface, per the documentation.

[0.10.5] - 2020-11-27

This release bumps the JupyterHub version from 1.2.1 to 1.2.2. See JupyterHub's changelog for more information.

Bugs fixed

Maintenance and upkeep improvements

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @manics

[0.10.4] - 2020-11-21

A patch release to patch a bug in the dependency oauthenticator that made users have their servers spawn before they had the chance to choose a server configuration if c.KubeSpawner.profile_list was configured.

Bugs fixed

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @manics

[0.10.3] - 2020-11-16

This release contain minor enhancements and bugfix in a dependency that could have resulted in unwanted hub pod restarts. Helm 2.16+ has been explicitly required, which it should had been already in 0.10.0.

Please be aware that Helm 2 has reached its end of life and won't get any security patches any more. We aim to drop support of Helm 2 soon to be able to rely on Helm 3 features.

Enhancements made

  • Configurable resource requests for hook-image-awaiter #1906 (@consideRatio)
  • Add use_lookup_dn_username parameter for LDAP #1903 (@JarnoRFB)
  • Allow exposing extra ports in autohttps/traefik deployment #1901 (@yuvipanda)
  • prePuller.extraTolerations added for the image-puller daemonsets #1883 (@jerkern)

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@betatim | @choldgraf | @consideRatio | @JarnoRFB | @jerkern | @manics | @minrk | @plant99 | @tirumerla | @yuvipanda

[0.10.2] - 2020-10-30

A bugfix release to add securityContext configuration on all the containers in the image-puller pods, which can be needed when a k8s PodSecurityPolicy is forcing pods to startup as non-root users.

Note that whoever need to comply with a strict PodSecurityPolicy will also need to --set singleuser.cloudMetadata.blockWithIptables=false, but should read this documentation before doing so.

Bugs fixed

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @jatinder91

[0.10.1] - 2020-10-30

A bugfix release simply updating JupyterHub to 1.2.1. JupyterHub 1.2.1 fixes a regression related to registered JupyterHub services using the oauth_no_confirm configuration.

Bugs fixed

  • Use JupyterHub 1.2.1 - fixes regression for external JH services' oauth_no_confirm config #1889 (@minrk)

Maintenance and upkeep improvements

  • Fix CI that broke as assumptions changed about latest published version #1887 (@consideRatio)

Documentation improvements

Contributors to this release

(GitHub contributors page for this release)

@consideRatio | @minrk

[0.10.0] - 2020-10-29

This release makes the deployment more robust, and enhances users ability to configure the Helm chart in general. Some defaults have been changed allowing the Helm chart to easier comply with PodSecurityPolicies by default.

Breaking changes:

  • KubeSpawner was updated to include a breaking change influencing users of named servers.

    Security fix: CVE-2020-15110 / GHSA-v7m9-9497-p9gr. When named-servers are enabled, certain username patterns, depending on authenticator, could allow collisions. The default named-server template is changed to prevent collisions, meaning that upgrading will lose associations of named-servers with their PVCs if the default templates are used. Data should not be lost (old PVCs will be ignored, not deleted), but will need manual migration to new PVCs prior to deletion of old PVCs.

  • Anyone relying on configuration in the proxy.https section are now explicitly required to set proxy.https.enabled to true.

  • Anyone using hub.imagePullSecret or singleuser.imagePullSecret should now instead use the chart wide imagePullSecret with the same syntax which will be helping all the JupyterHub pod's get images from a private image registry. For more information, see the configuration reference.

  • Predefined Kubernetes NetworkPolicies are now created by default, explicitly describing allowed incoming (ingress) and outgoing (egress) network communication for the hub, proxy, and user pods. These NetworkPolicy resources are very permissive on the outgoing traffic (egress), but is limiting the incoming traffic to what is known to be needed.

    Note that these NetworkPolicies only influence network communication in a Kubernetes cluster if a NetworkPolicy controller enforce them, such as Calico.

    Also note that if network policies are enforced, you can safely stop actively blocking access to so called cloud metadata servers for the user pods by setting singleuser.cloudMetadata.blockWithIptables=false.

    See the security documentation and the configuration reference for more details.

  • The Helm chart configuration proxy.networkPolicy has been removed, proxy.chp.networkPolicy (proxy pod) and proxy.traefik.networkPolicy (autohttps pod) must be used instead.

  • The Helm chart configuration proxy.containerSecurityContext is renamed to proxy.chp.containerSecurityContext.

  • The k8s ConfigMap hub-config k8s Secret hub-secret are now merged into hub-secret, which will affect anyone who use the hub.existingSecret option.

Release highlights

  • Environment variables in pods with K8S config. An ability to configure environment variables in pods with a k8s native syntax has been added. This allows you to reference and mount a field in a k8s Secret as an environment variable for example. For more information, read about extraEnv in the configuration reference.
  • Configure secrets for all pods via the helm chart. imagePullSecrets for all the pods in the Helm chart can now be configured chart wide. See the configuration reference about imagePullSecret and imagePullSecrets for more details.
  • Pod security is easier to use and configure. Deploying the Helm chart in a cluster with a PodSecurityPolicy active is now easier, because the pods' containers now have securityContext set on them to run with relatively low permissions which are also configurable if needed.
  • More reliable TLS certificates. The autohttps pod that is running to acquire TLS certificates if proxy.https.type=letsencrypt is now more reliably acquiring certificates. If you currently have such issue, do kubectl delete deploy/autohttps and kubectl delete secret proxy-public-tls-acme and then deploy the Helm chart again with helm upgrade.

Notable dependencies updated

Dependency Version in previous release Version in this release Changelog link Note
jupyterhub 1.1.0 1.2.0 Changelog Run in the hub pod
kubespawner 0.11.1 0.14.1 Changelog Run in the hub pod
oauthenticator 0.11.0 0.12.0 Changelog Run in the hub pod
ldapauthenticator 1.3.0 1.3.2 Changelog Run in the hub pod
ltiauthenticator 0.4.0 0.4.0 Changelog Run in the hub pod
nativeauthenticator 0.0.5 0.0.5 Changelog Run in the hub pod
jupyterhub-idle-culler - v1.0 - Run in the hub pod
configurable-http-proxy 4.2.1 4.2.2 Changelog Run in the proxy pod
traefik v2.1 v2.3.2 Changelog Run in the autohttps pod
kube-scheduler v1.13.12 v1.19.2 - Run in the user-scheduler pod(s)

For a detailed list of how Python dependencies have change in the hub Pod's Docker image, inspect the images/hub/requirements.txt file.

Enhancements made

Bugs fixed

Maintenance and upkeep improvements

Documentation improvements

Contributors to this release

A huge warm thank you for the collaborative effort in this release! Below we celebrate this specific GitHub repositories contributors, but we have reason to be thankful to soo many other contributors in the projects we depend on! Thank you everyone!

(GitHub contributors page for this release)

@01100010011001010110010101110000 | @ablekh | @aculich | @adi413 | @agrahamlincoln | @aguinaldoabbj | @Aisuko | @akaszynski | @albertmichaelj | @alexmorley | @amanda-tan | @arpitsri3 | @asubb | @aydintd | @bebosudo | @BertR | @betatim | @betolink | @bibz | @bleggett | @cam72cam | @carat64 | @cbanek | @cboettig | @chancez | @chicocvenancio | @choldgraf | @chrisroat | @clkao | @conet | @consideRatio | @craig-willis | @cslovell | @dalonlobo | @dalssaso | @danroliver | @DarkBlaez | @davidsmf | @deinal | @dimm0 | @dkipping | @dmpe | @donotpush | @duongnt | @easel | @echarles | @Edward-liang | @eric-leblouch | @erinfry6 | @etheleon | @farzadz | @filippo82 | @frankgu968 | @frouzbeh | @GeorgianaElena | @GergelyKalmar | @gsemet | @Guanzhou-Ke | @Gungo | @h4gen | @harsimranmaan | @hdimitriou | @hickst | @hnykda | @hqwl159 | @IamViditAgarwal | @ilhaan | @ivanpokupec | @jacobtomlinson | @jahstreet | @JarnoRFB | @jeremievallee | @jgerardsimcock | @jgwerner | @josibake | @JPMoresmau | @jreadey | @jtlz2 | @jtpio | @julienchastang | @jzf2101 | @kinow | @kristofmartens | @kyprifog | @leolb-aphp | @loki1978 | @ltupin | @lxylxy123456 | @manics | @mathematicalmichael | @meeseeksmachine | @meneal | @metonymic-smokey | @mhwasil | @minrk | @mjuric | @moorepants | @mpolatcan | @mriedem | @mrocklin | @NerdSec | @nscozzaro | @openthings | @pcfens | @perllaghu | @petebachant | @peterrmah | @philvarner | @prateekkhera | @rabernat | @RAbraham | @remche | @rkdarst | @rkevin-arch | @rmoe | @rnestler | @rschroll | @rubdos | @ryanlovett | @salvis2 | @sampathkethineedi | @scivm | @Sefriol | @sgibson91 | @sgloutnikov | @shenghu | @snickell | @sstarcher | @stefansedich | @stevenstetzler | @stv0g | @subwaymatch | @summerswallow-whi | @superyaniv | @support | @suryag10 | @TiemenSch | @tirumerla | @tjcrone | @tmshn | @TomasBeuzen | @tracek | @verdurin | @vindvaki | @vishwesh5 | @welcome | @willingc | @yuvipanda | @zxcGrace

[0.9]

[0.9.0] - 2020-04-15

Release summary

This Helm chart release is mainly a maintenance release featuring the latest JupyterHub (1.1.0) and authenticators along with bug fixes and some additional helpful configuration options.

Noteworthy:

  • An issue with automatic acquisition of HTTPS certificates has been resolved since 0.9.0-beta.3.
  • Fixed a compatibility issue with Kubernetes 1.16+
  • The images/hub/requirements.txt file in this repo can now be used to track what specific version has been used at any point in time.
  • jupyterhub-nativeauthenticator added to the JupyterHub Docker image.

Bumped dependencies:

  • jupyterhub version 1.1.0
  • jupyterhub-ldapauthenticator version 1.3.0
  • jupyterhub-kubespawner version 0.11.1
  • oauthenticator version 0.11.0
  • kubernetes version 10.0.1

Upgrade instructions (IMPORTANT)

  1. If you are using Helm 2, upgrade to the latest Helm 2 version. And if you are using Helm 3, upgrade to the latest Helm 3 version.

    Upgrading to Helm 3 from Helm 2 requires additional steps not covered here, so for now please stay with your current major version of helm (2 or 3).

    # Figure out what version you currently have locally, you should use
    # release of the same major version you have used before.
    helm version
    

    Install either the latest Helm 2 or Helm 3 depending on what major version you currently had worked with.

    # verify you successfully upgraded helm
    helm version
    
    # if you just upgraded helm 2, also upgrade tiller
    helm init --upgrade --service-account=tiller
    
  2. Use --cleanup-on-fail when using helm upgrade.

    Helm can enter a problematic state by a helm install or upgrade process which started creating Kubernetes resources, but then didn't finish at all or didn't finish successfully. It can cause resources created that helm will later come in conflict with.

    To mitigate this, we suggest always using --cleanup-on-fail with this Helm chart, it is a solid behavior that reduce a lot of head ache.

  3. If you use --wait, or --atomic which implies --wait: do not manually cancel the upgrade!

    If you would abort the upgrade when using --wait and Kubernetes resources has been created, resources will have been created that can cause conflict with future upgrades and require you to manually clean them up.

  4. Delete resources that could cause issues before upgrading.

    # replace <NAMESPACE> below with where jupyterhub is installed
    kubectl delete -n <NAMESPACE> clusterrole,clusterrolebinding,role,rolebinding,serviceaccount,deployment,configmap,service -l component=autohttps

Troubleshooting upgrade

If you get an error similar to the one below, it is a symptom of having attempted a helm upgrade that failed where helm lost track of some newly created resources. A good solution is to delete all of these resources and try again.

# replace <NAMESPACE> below with where jupyterhub is installed
kubectl delete -n <NAMESPACE> clusterrole,clusterrolebinding,role,rolebinding,serviceaccount,deployment,configmap,service -l component=autohttps

To avoid this in the future, use --cleanup-on-fail with the helm upgrade command. It is not a fool proof way to avoid it, but . And note that even if that flag is used, an interupption for example during --wait or --atomic which implies --wait, be aware of an interruption while waiting can very likely cause this to arise on the following upgrade attempt.

error: kind ConfigMap with the name "traefik-proxy-config" already exists in
the cluster and wasn't defined in the previous release. Before upgrading,
please either delete the resource from the cluster or remove it from the chart

Dependency updates

Maintenance

[0.9.0-beta.4] - 2020-02-26

Added

Dependency updates

Fixed

Maintenance

[0.9.0-beta.3] - 2020-01-17

Dependency updates

Fixed

Maintenance

[0.9.0-beta.2] - 2019-12-26

Fixed

  • Fix major breaking change if all HTTPS options was disabled introduced just before beta.1 #1534 (@dirkcgrunwald)

[0.9.0-beta.1] - 2019-12-26

Some highlights of relevance for this release are:

  • The default configuration is now catering to autoscaling clusters where nodes can be added and removed, as compared to fixed clusters where there is only a fixed amount of nodes. Set scheduling.userScheduler.enabled to false if you are on a fixed size cluster.
  • Kubernetes 1.16 compatibility achieved
  • Updated dependencies
    • jupyterhub==1.1.0b1
    • kubernetes==0.10.1
    • kubespawner==0.11.1
    • oauthenticator==0.10.0

Added

  • Added ability to configure liveness/readiness probes on the hub/proxy #1480 (@mrow4a)
  • Added ability to use an existing/shared image pull secret for hub and image pullers #1426 (@LaurentGoderre)
  • Added ability to configure the proxy's load balancer service's access restrictions (loadBalancerSourceRanges) #1418 (@GergelyKalmar)
  • Added user-scheduler pod->node scheduling policy configuration #1409 (@yuvipanda)
  • Added ability to add additional ingress rules to k8s NetworkPolicy resources #1380 (@yuvipanda)
  • Enabled the continuous image puller by default #1276 (@consideRatio)
  • Added ability to configure initContainers of the hub pod #1274 (@scottyhq)
  • Enabled the user-scheduler by default #1272 (@minrk)
  • Added ability to use an existing jupyterhub configuration k8s secret for hub (not recommended) #1142 (@koen92)
  • Added use of liveness/readinessProbe by default #1004 (@tmshn)

Dependency updates

Fixed

  • Workaround upstream kubernetes issue regarding https health check #1531 (@sstarcher)
  • User-scheduler RBAC permissions for local-path-provisioner + increase robustness of hub.baseUrl interaction with the hub deployments health endpoint #1530 (@cutiechi)
  • Fixing #1300 User-scheduler doesn't work with rancher/local-path-provisioner #1516 (@cgiraldo)
  • Move z2jh.py to a python and linux distribution agnostic path #1478 (@mrow4a)
  • Bugfix for proxy upgrade strategy in PR #1401 #1404 (@consideRatio)
  • Use recreate CHP proxy pod's deployment strategy #1401 (@consideRatio)
  • Proxy deployment: Change probes to https port #1378 (@chicocvenancio)
  • Readiness and liveness probes re-added #1361 (@consideRatio)
  • Use 443 as https port or redirection. FIX #806 #1341 (@chicocvenancio)
  • Revert "Configure liveness/readinessProbe" #1356 (@consideRatio)
  • Ensure helm chart configuration is passed to JupyterHub where needed #1338 (@bitnik)
  • Make proxy redirect to the service port 443 instead of the container port 8443 #1337 (@LucidNeko)
  • Disable becoming root inside hub and proxy containers #1280 (@yuvipanda)
  • Configure KubeSpawner with the singleuser.image.pullPolicy properly #1248 (@vmarkovtsev)
  • Supply hub.runAsUser for the hub at the container level instead of the pod level #1240 (@tmc)
  • Relax HSTS requirement on subdomains #1219 (@yuvipanda)

Maintenance

[0.8]

[0.8.2] - 2019-04-01

Bumped the underlying JupyterHub to 0.9.6.

[0.8.1] - 2019-03-28

Bumped the underlying JupyterHub to 0.9.5.

[0.8.0] - Richie Benaud - 2019-01-24

This release contains JupyterHub version 0.9.4. It requires Kubernetes >= 1.11 and Helm >= 2.11.0. See the Helm Chart repository for a list of relevant dependencies for all Helm Chart versions.

It contains new features, additional configuration options, and bug fixes.

Upgrading from 0.7

To upgrade your cluster:

  1. backup your hub-db-dir persistent volume and previous configuration files, to be safe

  2. read changes here and make any needed updates to your configuration

  3. upgrade the chart:

    helm repo update helm upgrade $RELEASE --force --version 0.8.0 --values config.yaml

The --force flag allows deletion and recreation of objects that have certain changes, such as different labels, which are forbidden otherwise.

Breaking changes

  • Github organisation OAuth: auth.github.org_whitelist has been renamed to auth.github.orgWhitelist to be consistent with helm's camelCase style

Troubleshooting

If you encounter issues with upgrades, check for changed configuration in this document, and make sure your config is up to date.

If you aren't able to get the upgrade to work, you can rollback to a previous version with:

helm rollback $RELEASE

Feel free to ping us on gitter if you have problems or questions.

New Features

Easier user-selectable profiles upon login

Profile information is now passed through to KubeSpawner. This means you can specify multiple user profiles that users can select from when they log in. (#402)

Configurable image pull secrets

Improvements to the Helm Chart to let users specify private information that lets the Hub pull from private Docker registries. New information includes Kubernetes Secrets, an email field, large JSON blobs in the password field (required in order to pull from a private gcr.io registry from an external cluster).

It also ensures that the image puller DaemonSets have the same credentials to pull the images.

(thanks to @AlexMorreale) #851

Improved user scheduling and resource management

#891

Want to make your autoscheduler work efficiently? Then you should schedule pods to pack tight instead of spread out. The user scheduler accomplishes this.

  • Pod priority and User placeholders - #929

Want to scale up before users arrive so they don't end up waiting for the node to pull an image of several gigabytes in size? By adding a configurable fixed amount of user placeholder pods with a lower pod priority than real user pods, we can accomplish this. It requires k8s v1.11 though.

  • preferScheduleNextToRealUsers - improves autoscaling - #930 This setting slightly improves the ability for a cluster autoscaler to scale down by increasing the likelihood of user placeholders being left alone on a node rather than real users. Real users can't be moved around while user placeholder pods can

Minor upgrades and development improvements

  • Update jupyterhub to 0.9.4
  • Update kubespawner to 0.10.1
  • Allow setting of storage labels - #924
  • Tolerations for node taints - #925
  • Making the core and user pods affinity have configurable presets - #927
  • Improved linting and validation + CI integration - #844
  • Improved CI tests - #846
  • Cleanup of orphaned files - #842 Two files were left unused in the repo.
  • cull.maxAge bugfix - #853 cull.maxAge previously didn't influence the culler service, as the value was never consumed. This is fixed by a single one line commit in a PR.
  • No more duplicates of puller pods - #854 Nobody wants pods running that does nothing. By using the new before-hook-creation value for the deletion-policy Helm hook together with a single name for our Helm hook resources, we can ensure never having orphaned image pullers.
  • Remove pod-culler image - #890 #919 Before JupyterHub 0.9 the pod-culler was a standalone pod with a custom image. But now it is a internal service of the JupyterHub pod, so in this PR we slim the remnant code.
  • Upgrade to k8s 1.9 APIs - #920 Migrate to more stable K8s resource APIs from beta.
  • Update of the singleuser-sample image - #888 git and nbgitpuller are now available by default
  • Switch to using a StatefulSet for the Hub * The Hub should perhaps be a StatefulSet rather than a Deployment as it tends to be tied to a PV that can only be mounted by one single Hub. See this issue: helm/charts#1863
  • Show users deprecation and error messages when they use certain deprecated configuration (e.g. hub.extraConfig as a single string) or incompatible combinations.
  • Updates to the guide - #850
  • Updates to inline documentation - #939

(excerpt from https://www.cricket.com.au/players/richie-benaud/gvp5xSjUp0q6Qd7IM5TbCg)

Possibly the most iconic man in Australian cricket, Richie Benaud enjoyed a career spanning nearly 70 years in the game. On the field, he scored 767 runs at 19.66 in his 27 matches against England, while he also picked up 83 wickets. Off the field, he has been just as important. His commentary has been second to none since making his radio debut in 1960.

While playing for Australia, fans flocked to the cricket to watch Benaud led sides dominate whoever they played. The late 1950’s to early 1960’s was a golden period in Australian cricket, with players such as Simpson, Lawry and Harvey scoring runs, while Benaud and Davidson did the damage with the ball.

Richie Benaud was responsible for resurrecting cricket in this country. The world was changing at that time, and so was cricket. It was being shown on television for the first time, while radio coverage was becoming more advanced. Benaud felt he had a duty to the Australian public to make the game more entertaining. Sure, you could argue that the 1961 series was dull, but at least Australia retained the Ashes. Nobody will forget the tied Test against the West Indies, or Benaud’s audacious move to bowl around the wicket in Manchester.

Benaud is credited with popularising the tactics we see today. Huddles after a wicket were born in the Benaud era. Declaring just before stumps in a bid to steal a late wicket was something he thrived upon. Bowling into the rough is now seen as common practice.

Benaud was also prepared to try new things with the ball. He worked very hard on perfecting his wrong’un, the flipper and the top-spinner. His leg-spinner even had variety to it, making him one of the most complete tweakers at the time.

His leadership earned him respect immediately. Players loved being guided the likeable larrikin from Penrith. He looked after everyone both as a team, but also on an individual basis. His teammates trusted his innovative ideas, while he trusted them to execute them to the fullest.

For most Australians, summer means cricket. And cricket means hearing the dulcet tones of their favourite commentator, Richie Benaud. From the cream coloured suit, to the witty repartee with his colleagues, Benaud is the complete package

Contributors

This release wouldn't have been possible without the wonderful contributors to the zero-to-jupyterhub, and KubeSpawner repos. We'd like to thank everyone who contributed in any form - Issues, commenting on issues, PRs and reviews since the last Zero to JupyterHub release.

(Frank) Yu Cheng Gu 1160300422-RenQJ 1kastner 2efper A. Tan Aadi Deshpande abremirata28 AcademicAdmin Adam Huffman Adrian Wilke Akanksha Bhardwaj Akhil Lawrence Al Johri AlbanWende Alejandro del Castillo Aleksandr Blekh Alex Morreale Alex Newman Alexander Comerford Alexander Sadleir amangarg96 Amirahmad Khordadi Andreas Hilboll andregouveiasantana Andrew Andrew Catellier angelikamukhina Anton Khodak arcady-genkin Ariel Rokem Arne Küderle atne2008 awalther Ben Zipperer Beneath Benjamin Egelund-Müller BertR bharathwgl bing-he bjyxmas bpoettinger Brad Skaggs Braden Brian E. Granger Bruno P. Kinoshita brynjsmith Calvin Canh Tran camer314 Carol Willing Caspian cfoisy-osisoft ChanakyaBandara chang-zhijie Chao Wang Chen Zhiwei Chester Li Chia-liang Kao Chris Holdgraf Chris Seal Christian Alis Christian Mesh chrlunden Clancy Childs Clemens Tolboom cmw2196 Cody Scott Craig Willis cristofercri Curtis Maves cybertony Daisuke Taniwaki Dalon Lobo danamer Daniel Bachler Daniel Chalef Daniel Hnyk danielpcs Danny H DataVictorEngineer Dave Hirschfeld Dave Porter David Andersen David John Gagne Davide Deleted user Denis Shestakov Dennis Kipping Derek Ludwig DerekHeldtWerle DewinGoh Diogo djknight1 DmitrII Gerasimenko Doug Blank Dr. Di Prodi Dr. Zoltán Katona Dylan Nelson ebebpl Eliran Bivas eode Eran Pinhas eric-leblouch ericblau Erik LaBianca Erik Sundell Ermakov Petr erolosty Evan Savage Evert Rol Ezequiel Gioia fahadabbas91 farzadz foxlisimulation frouzbeh Félix-Antoine Fortin Gabriel Abdalla Cavalcante Gabriel Fair Gaetan Semet Gang Chen Gary Lucas Georgiana Elena gerroon Giuseppe Attardi Glen A Knight Gonzalo Fernandez ordas Guilherme Oenning Guo Zhang gweis Gábor Lipták Hagen Hoferichter hani1814 Hans Permana hhuuggoo hichemken HT-Moh HuangHenghua HuiWang Ian Carroll Ian Stuart Ivan Brezina J Forde J Gerard j08rebelo Jacob Matuskey Jacob Tomlinson Jaime Ferrando Huertas James Swineson jameshgrn Jan Niederau Jason Belsky Jason Hu Jason Rigby jason4zhu Jeff Whitworth Jeffrey Bush jeffwji Jessica B. Hamrick jfleury-eidos Ji Ma Jiren Jin jiyer2016 jlc175 jmabry jmchandonia jmf Joe Hamman Joerg Klein John Chase John Readey John Shojaei Jonathan Terhorst Jordan Miller Josh Bode Joshua Milas JP Moresmau jpays Juan Cruz-Benito Julian Rüth Julien Chastang Justin Ray Vrooman Jürgen Hermann Kah Mun kangzebin Kelly L. Rowland Kenan Erdogan Kerwin Sun kevbutler Kevin Bates khawarhere kide007 Kim-Seonghyeon kishitaku0630 Koshmaar Koustuv Sinha krinsman Kristian Gregorius Hustad Kristiyan KSHITIJA SAHARAN Kuriakin Zeng Kyla Harper Lachlan Musicman Laurent Abbal Leo Gallucci Leopold Talirz Li-Xian Chen Lisa Stillwell ljb445300387 Loïc Antoine Gombeaud Loïc Estève Lucas Durand Lukasz Tracewski m.fab Ma mangecoeur Manish Kushwaha Marc Illien marinalopez2110 Mark Mirmelstein Marlene Silva Marchena Martin Gergov Martin Zugnoni Marvin Solano Marwan Baghdad Matthias Bussonnier Matthias Klan Matthias Lee Matthieu Boileau Max Mensing mdivk Meesam Shah Michael Carroll Michael Huttner Michael Lovci Michael McCarthy Michael Milligan Michael Pilosov michec81 Mike Croucher MikeSpark Min RK MisterZ Moritz Kirschner Moritz Schlarb moskiGithub mpolidori mrclttnz MubashirullahD Muhammad-Imtiaz mxcheng2011 myidealab Naineel Shah narala558 newturok Ney Torres Nic Wayand Nico Bellack nifuki Nils Werner not4everybody NotSharath nschiraldi Nujjy oscar6echo Paperone80 Patafix Paul Mazzuca Paul Shealy Paulo Roberto de Oliveira Castro Pav K payalbhatia Peter Parente Peter Reid Phil Elson Phil Fenstermacher Philipp Kats phpdistiller phxedmond Piotr Pouria Hadjibagheri powerLeePlus Pratik Lal pydeepak Qcy R. C. Thomas raghav130593 Rahul Sharma Rama Krishna Jinka RBALAJI5 rbq Richard C Gerkin Richard Darst Richard Huntrods richyanicky Rob Nagler robin robotsp rothwewi rushikeshraut777 Ryan Ryan Abernathey Ryan Lovett Ryan McGuire rzuidhof Saiprasad Balasubramanian Sam Manzer samRddhimat Santosh Saranya411 Scott Crooks sdementen SeaDude SergeyK1 Shannon Shi Pengcheng shibbas Shinichi TAMURA Shiva1789 sidebo Sigurður Baldursson Simon Li Sindre Gulseth SivaMaplelabs sjillidimudi skruse smoulderme Solaris Spencer Ogden sreekanthmg Steven B Steven Silvester StudyQuant Subhash Suchit summerswallow summerswallow-whi Søren Fuglede Jørgensen Taewon Tania Allard Taposh Dutta Roy techie879 ThibTrip Thomas Mendoza thomas-rabiller-azimut Thong Kuah thongnnguyen Tim Crone Tim Head Timothy Griffiths Timothy Liu Todd Gamblin Tom Tomer Leibovich tregin Tren Huang Tuhina Chatterjee Tyler Gregory Uday Udit Arora Vasu Gaur Victor Lopez Vidit Agarwal VidJa Vincent Feng vishal49naik49 Vivek Vivek Rai vivekbiet Vlad-Mihai Sima Volker Braun wangcong Wangsoo Kim whositwhatnow Will Will Starms Willem Pienaar Xavier Lange YborBorn YizTian Yoav Tzelnick YoongHM yugushihuang Yuvi Panda Yuze Ma Zac Flamig Zach Day Zachary Sailer Zafer Cesur zmkhazi zneudl 田进 邱雨波 高彦涛

0.7.0 - Alex Blackwell - 2018-09-03

This release contains JupyterHub version 0.9.2, additional configuration options and various bug fixes.

IMPORTANT: This upgrade will require your users to stop their work at some point and have their pod restarted. You may want to give them a heads up ahead of time or do it during nighttime if none are active then.

Upgrading from v0.6

If you are running v0.5 of the chart, you should upgrade to v0.6 first before upgrading to 0.7.0. You can find out what version you are using by running helm list.

Follow the steps below to upgrade from v0.6 to 0.7.0.

1. (Optional) Ensure the hub's and users' data isn't lost

This step is optional, but a recommended safeguard when the hub's and users' data is considered important. The changes makes the PersistentVolumes (PVs), which represent storage (user data and hub database) remain even if the PersistentVolumeClaims (PVCs) are deleted. The downside of this is that it requires you to perform manual cleanup of PVs when you want to stop spending money for the storage.

# The script is a saftey measure and patches your PersistentVolumes (PV) to
# not be garbage collected if the PersistentVolumeClaim (PVC) are deleted.
NAMESPACE=<YOUR-NAMESPACE>

# Ensure the hub's and users' data isn't lost
hub_and_user_pvs=($(kubectl get persistentvolumeclaim --no-headers --namespace $NAMESPACE | awk '{print $3}'))
for pv in ${hub_and_user_pvs[@]};
do
    kubectl patch persistentvolume $pv --patch '{"spec":{"persistentVolumeReclaimPolicy":"Retain"}}'
done

2. Update Helm (v2.9.1+ required)

# Update helm
curl https://raw.githubusercontent.com/kubernetes/helm/HEAD/scripts/get | bash

# Update tiller (on the cluster)
helm init --upgrade --service-account=tiller

# Verify the update
# NOTE: you may need to cancel and re-run the command, it should work within 30
#       seconds.
helm version
# VERIFY: Did it return both the client and server version?
# Client: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}
# Server: &version.Version{SemVer:"v2.10.0", GitCommit:"9ad53aac42165a5fadc6c87be0dea6b115f93090", GitTreeState:"clean"}

3. (Optional) Clean up pre-puller resources

The pre-puller component of v0.6 could leave leftover resources after it finished, instead of cleaning up after itself. This script removes the pre-puller resources created by v0.6.

# This script will delete resources that were meant to be temporary
# The bug that caused this is fixed in version 0.7.0 of the Helm chart
NAMESPACE=<YOUR-NAMESPACE>

resource_types="daemonset,serviceaccount,clusterrole,clusterrolebinding,job"
for bad_resource in $(kubectl get $resource_types --namespace $NAMESPACE | grep '/pre-pull' | awk '{print $1}');
do
    kubectl delete $bad_resource --namespace $NAMESPACE --now
done

kubectl delete $resource_types --selector hub.jupyter.org/deletable=true --namespace $NAMESPACE --now

4. (Recommended) Clean up problematic revisions in your Helm release

This step is recommended due to bugs in Helm that could cause your JupyterHub Helm chart installation (release) to get stuck in an invalid state. The symptoms are often that helm upgrade commands fail with the reason that some resource does or doesn't exist.

# Look up the name of your Helm release (installation of a Helm chart)
helm list

# Store the name of the Helm release
RELEASE_NAME=<YOUR-RELEASE-NAME>

# Give yourself an overview of this release's revisions
helm history $RELEASE_NAME

# Check if you have multiple revisions in a DEPLOYED status (a bug), or if you
# have old PENDING_UPGRADES or FAILED revisions (may be problematic).
helm history $RELEASE_NAME | grep --extended-regexp "DEPLOYED|FAILED|PENDING_UPGRADE"

# If you have multiple revisions in DEPLOYED status, this script will clean up
# all configmaps except the latest with DEPLOYED status.
deployed_revisions=($(helm history $RELEASE_NAME | grep DEPLOYED | awk '{print $1}'))
for revision in ${deployed_revisions[@]::${#deployed_revisions[@]}-1};
do
    kubectl delete configmap $RELEASE_NAME.v$revision --namespace kube-system
done

# It seems plausible that upgrade failures could have to do with revisions
# having a PENDING_UPGRADE or FAILED status in the revision history. To delete
# them run the following command.
kubectl delete configmap --selector "NAME=$RELEASE_NAME,STATUS in (FAILED,PENDING_UPGRADE)" --namespace kube-system

5. Perform the upgrade

IMPORTANT: Do not miss out on the --force flag! --force is required due to changes in labelling of jupyterhub resources in 0.7. Helm cannot upgrade from the labelling scheme in 0.6 to that in 0.7 without --force, which deletes and recreates the deployments.

RELEASE_NAME=<YOUR-RELEASE-NAME>
NAMESPACE=<YOUR-NAMESPACE>

helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
helm repo update

# NOTE: We need the --force flag to allow recreation of resources that can't be
#       upgraded to the new state by a patch.
helm upgrade $RELEASE_NAME jupyterhub/jupyterhub --install \
    --force \
    --version=0.7.0 \
    --namespace=$NAMESPACE \
    --values config.yaml \
    --timeout 1800

6. Manage active users

Active users with running pods must restart their pods. If they don't the next time they attempt to access their server they may end up with {“error”: “invalid_redirect_uri”, “error_description”: “Invalid redirect URI”}.

You have the power to force this to happen, but it will abort what they are doing right now. If you want them to be able to do it in their own pace, you could use the /hub/admin path and shut them down manually when they are done.

NAMESPACE=<YOUR-NAMESPACE>

# Inspect what users are currently running
kubectl get pod --selector component=singleuser-server --namespace $NAMESPACE

# Force all of them to shutdown their servers, and ensure the hub gets to
# realize that happened through a restart.
kubectl delete pod --selector component=singleuser-server --namespace $NAMESPACE
kubectl delete pod --selector component=hub --namespace $NAMESPACE

Troubleshooting - Cleanup of cluster

If things fail, you can try the following before installing the chart. If you decide to take these steps, we recommend step 1 is taken first in order to not loose data and that you ensure the old data is made available by the troubleshooting step below.

RELEASE_NAME=<YOUR-RELEASE-NAME>

# WARNING: Deletes everything installed by the Helm chart!
# WARNING: If you have not changed the reclaim policy of the hub in step 1, the
#          hub never be able to remember anything about past users. Also note
#          that even if you have taken step 1, you must also make the PVs become
#          `Available` again before the hub starts up again.
# NOTE: This does not include user pods or user storage PVCs as they have been
#       indirectly created by KubeSpawner
helm delete $RELEASE_NAME --purge

# WARNING: Deletes everything within the namespace!
# WARNING: If you have not changed the reclaim policy of the hub and users in
#          step 1, the hub's stored information about the users and the user's
#          storage will be lost forever. Also note that even if you have taken
#          step 1, you must also make the hub and users PVs become `Available`
#          before the hub and users startup again.
kubectl delete namespace <YOUR-NAMESPACE>

If you took these steps and step 1, you should probably right now continue with the next troubleshooting section about making Released PVs Available for reuse.

Troubleshooting - Make Released PVs Available for reuse

If you followed step 1 and 2, you can after cleanup of a cluster reuse the old hub's and users' storage if you do this step before you installs the Helm chart again.

In more technical words: if you have deleted PVCs such as hub-db-dir or claim-anyusername, their PVs will end in a Released state assuming they had a reclaimPolicy set to Retain. To make use of these PVs again, we must make them Available for the to future PVCs that needs a PV to bind to.

NAMESPACE=<YOUR-NAMESPACE>

# Ensure the hub's and users' PVs are made `Available` again
hub_and_user_pvs=($(kubectl get persistentvolume | grep -E "Released.+$NAMESPACE/(hub-db-dir|claim-)" | awk '{print $1}'))
for pv in ${hub_and_user_pvs[@]};
do
    kubectl patch persistentvolume $pv --patch '{"spec":{"claimRef":{"uid":null}}}}'
done

# Ensure you don't have any PVCs in the lost state
lost_pvcs=($(kubectl get persistentvolumeclaim --namespace $NAMESPACE | grep -E "(hub-db-dir|claim-).+Lost" | awk '{print $1}'))
for pvc in ${lost_pvcs[@]};
do
    echo kubectl delete persistentvolumeclaim $pvc --namespace $NAMESPACE
done

Contributors

A. Tan Aaron Culich abhismvit AC AcademicAdmin Adam Grant Adam Huffman Adam Thornton Adam Tilghman Adam-Origamiiris Afreen Rahman agustaf agustiin aisensiy Ajay Changulani Akhil Lawrence akkibatra Alan King Albert J. de Vera Alejandro del Castillo Alejandro Gastón Alvarez Aleksandr Blekh Alex Leith Alex Marandon Alex Mellnik Alex Moore Alex Morreale Alex Tasioulis Alexander Alexander Hendorf Alexander Kruzhkov Alexander Morley Alexander Schwartzberg Allen Downey AlphaSRE Alramzey amangarg96 Amirahmad Khordadi Amit Rathi Analect anasos Andre Celere Andrea Abelli Andrea Turrini Andrea Zonca Andreas Heider Andrew Berger Andrew Melo andrewcheny András Tóth André Luiz Diniz Andy Berner Andy Doddington angus evans Anirudh Vyas Ankit Ankit Sharma ankit2894 Anthony Suen Anton Akhmerov Antonino Ingargiola Antonio Serrano AranVinkItility Arda Aytekin Ariel Balter Ariel Rokem arkroop Arthur arthur Arthur Koziel ArvinSiChuan aseishas at-cchaloux atullo2 Bastian Greshake Tzovaras bbarney213 bbrauns Ben Chuanlong Du Benjamin Paz Benoit Rospars BerserkerTroll BhagyasriYella bhavybarca Birgetit bitnik Borislav Aymaliev Botty Dimanov Brad Skaggs Brandon Sharitt Brent Brian E. Granger Brian Ray Bruce Beauchamp Bruce Chiarelli Byă Camilla Camilo Núñez Fernández Cara carluri Carol Willing Caspian chack05 chang-zhijie chaomaer chaoyue729 Charles Forelle chenyg0911 Chester Li Chia-liang Kao Chico Venancio Chris Fournier Chris Holdgraf Chris Seal Chris Van Pelt Christiaan Swanepoel Christian Alis Christian Hotz-Behofsits Christian Mesh Christian Moscardi Christine Banek Christopher Hench ckbhatt Claudius Mbemba cloud-science Cody Scott Cord Cory Johns cqzlxl Craig Willis Curtis Maves cyberquasar cybertony cyberyor Daisuke Taniwaki daleshsd Dan Allan Dan Hoerst Dan Lidral-Porter Daniel Daniel Morrison danielmaitre danielrychel Dario Romero darky2004 DataVictorEngineer Dave Aitken Dave Hirschfeld David Bath David Doherty David Kügler David Maxson David Napier David Pérez Comendador David Pérez-Suárez David Sanftenberg Davide deep-42-thought Deleted user DerekHeldtWerle Dhawal Patel disimone DmitrII Gerasimenko Dmitry Mishin Dominic Suciu Don Kelly Doug Holt Dragos Cojocari dturaev Dwight Townsend Dylan Lentini Eamon Keane Eddy Elbrink Emmanuel Gomez Enol Fernández epoch1970 Eric Charles Erik Sundell Ermakov Petr ernestmartinez EtienneDesticourt Evan Evan Van Dam Evert Rol eylenth Ezequiel Gioia fahadabbas91 Faras Sadek forbxy Francisco Zamora-Martinez FU Zhipeng Fyodor Félix-Antoine Fortin G YASHASVI Gaetan Semet Gaëtan Lehmann gbrahmi George Jose Gerben Welter Gerhard Burger GladysNalvarte Glen A Knight Graham Dumpleton grant-guo GRC Guillaume EB guimou Guo Zhang gweis Hagen Hoferichter hanbeibei hani1814 Hans Petter Bieker happytest143 Hassan Mudassir Helder Rodrigues hemantasingh Henddher Pedroza hjclub123 huhuhang Hunter Jackson Ian Indrajeet Singh ironv IssacPan Ivan Grbavac J Forde J Gerard Jacob Tomlinson James Curtin James Davidheiser James Londal James Veitch Jan Kalo Jason Kuruzovich Jason Williams jason4zhu javin-gn Jeremie Vallee Jeremy Lewi Jeremy Tuloup Jerry Schuman Jesse Cai Jesse Kinkead Jesse Zhang Jessica Wong Jim Basney Jim Hendricks Jiri Kuncar jlsimms jm2004 Joakim JocelynDelalande Joe Hamman Joel Pfaff John Kaltenbach John Readey johnbotsis johnkpark johnpaulantony Jonas Adler Jonathan Jonathan Brant Jonathan Wheeler jonny86 Joost W. Döbken Jose Manuel Monsalve Diaz Josh Barnes Josh Temple João Barreto jpolchlo JPUnD Juan Cabanela Julien Chastang Jurian Kuyvenhoven Justin Holmes Justin Moen justkar4u JYang25 Jürgen Hermann kakzhetak kaliko Kam Kasravi Kannan Kumar karthikpitchaimani Kenneth Lyons Kevin P. Fleming kevkid Kirill Dubovikov Knarfux Ko Ohashi krinsman KrisL Kristiyan lambertjosh Lars Biemans Leo Gallucci leolurunhe Leopold Talirz LeoPsidom lfzyx lgc019 Lifubang liusztc09 liuzhliang llancellotti lmerli84 loginoff Louis Garman Luca De Feo Luca Grazioli Lucas Durand Lucas Kushner Lukasz Lempart Lukasz Tracewski Lutz Behnke M Pacer Maciej Sawicki madsi1m mak-aravind Malin Aandahl Manjukb Marc BUFFAT marciocourense Marco Pleines Marcus Hunger Marcus Levine Mario Campos Marius van Niekerk Mark Mirmelstein marmaduke woodman Martin Forde Martín Anzorena maryamdev Mas mascarom Mathew Blonc Matt Hansen Matteo Ipri matthdan Matthew Bray Matthew Rocklin Matthias Bussonnier Matthias Klan mattvw Max Joseph Maxim Moinat mdivk Mereep merlin1608 Micah Micah Smith Michael Huttner Michael Milligan Michael Ransley michec81 Michele Bertasi Miguel Caballer Mike Hamer Min RK MincingWords MisterZ mohanamurali7 Mohit Monica Dessole moskiGithub mrkjones1979 mzilinski n3f Naeem Rashid Naineel Shah NaizEra nauhpc ndiy Neelanshu92 Nehemiah I. Dacres Neth Six ngokhoa96 Nick Brown Nickolaus D. Saint nickray Nico Bellack Nicolas M. Thiéry Nikolay Dandanov Nikolay Voronchikhin niveau0 Norman Gray ogre0403 Ola Tarkowska oneklc OpenThings ormskirk77 P.J. Little Pat W Patafix Paul Adams Paul Laskowski Paul Mazzuca Paulo Roberto de Oliveira Castro Pav K pedrovgp pekosro Peter Majchrak pgarapon Phil Fenstermacher philippschw Phuong Cao picca Pierre Accorsi Pinakibiswasdevops Pius Nyakoojo pjamason Pouria Hadjibagheri Prabhu Kasinathan Pramod Rizal Pranay Hasan Yerra Prateek prateek2408 Prerak Mody Przybyszo psnx pydo pyjones1 R. C. Thomas Rachidramadan1990 radudragusin Rafael Ladislau Rafael Mejia raghu20ram raja Ramin Ranjit Raphael Nestler RaRam Raviraju Vysyaraju reddyvenu Ricardo Rocha Rich Signell Richard Caunt Richard Darst Richard England Richard Ting Rizwan Saeed Rob Robert Casey Robert Drysdale Robert Jiang Robert Schroll robin Robin Robin Scheibler roemer2201 Rok Roškar Roman Gorodeckij roversne Roy Wedge Royi Rui Zhang Ruslan Usifov Ryan Abernathey Ryan Lovett rydeng sabarnwa sabyasm sadanand25 Sam Manzer Sambaiah Kilaru samy Sangram Gaikwad sanjaydatasciencedojo Sanmati Jain saransha Saranya411 sarath145p Satendra Kumar saurav maharjan saurs saurav SB sbailey-auro Scott Crooks Scott Sanderson SeaDude semanticyongjia serlina Seshadri Ramaswami shalan7 Shana Matthews Shannon Shantanu Singh Shengxin Huang shilpam11 Shiva Prasanth shreddd Shuo YU Sigurður Baldursson Simon Li Sirawit Pongnakintr SivaMaplelabs smiller5678 srican srini_b Stanislav Nazmutdinov stczwd Stefano Nicotri Stefano Taschini Stephanie Gott Stephen Lecrenski Stephen Pascoe Stephen Sackett Steven Silvester Stéphane Pouyllau sudheer0553 Sugu Sougoumarane Suman Addanki summerswallow summerswallow-whi sundeepChandhoke Sunip Mukherjee svzdvdoptum swgong Sylvain Desroziers syutbai T. George tankeryang TapasSpark Tassos Sarbanes teddy Kossoko tgamal Thomas Ashish Cherian Thomas Kluyver Thomas Mendoza thongnnguyen Thoralf Gutierrez Tim Crone Tim Freund Tim Head Tim Kennell Jr. Tim Klever Tim Shi TimKreuzer Tirthankar Chakravarty titansmc Tobias Morville tobiaskaestner Tom Davidson Tom Kwong Tom O'Connor Tomas Barton Tommaso Fabbri Tyler Erickson tzujan uday2002 Umar Sikander UsDAnDreS Vaclav Pavlin Varun M S Victor Paraschiv vishwesh5 Vladimir Kozhukalov vpvijay87 W. wangaiwudi Wei Hao weih1121 weimindong2016 whitebluecloud whositwhatnow will Will Starms William H William Hosford wtsyang XIAHUALOU xuhuijun Y-L-18 yee379 yeisonseverinopucv Yiding Yifan Li yougha54 Youri Noel Nelson yuandongfang Yueqi Wang yugushihuang Yuhi Ishikura Yuval Kalugny Yuvi Panda Zac Flamig Zachary Sailer Zachary Zhao ZachGlassman zaf Zafer Cesur zearaujo07 Zeb Nicholls Zelphir Kaltstahl ZenRay zero zeusal Zhongyi Zhou (Joe) Yuan ziedbouf zlshi zmkhazi Zoltan Fedor zyc Øystein Efterdal 孙永乐 张旭 武晨光 陈镇秋

[0.6] - Ellyse Perry - 2017-01-29

This release is primarily focused on better support for Autoscaling, Microsoft Azure support & better default security. There are also a number of bug fixes and configurability improvements!

Breaking changes

Pre-puller configuration

In prior versions (v0.5), if you wanted to disable the pre-puller, you would use:

prePuller:
  enabled: false

Now, to disable the pre-puller, you need to use:

prePuller:
  hook:
    enabled: false

See the pre-puller docs for more info!

Upgrading from 0.5

This release does not require any special steps to upgrade from v0.5. See the upgrade documentation for general upgrading steps.

If you are running v0.4 of the chart, you should upgrade to v0.5 first before upgrading to v0.6. You can find out what version you are using by running helm list.

Troubleshooting

If your helm upgrade fails due to the error no Ingress with the name "jupyterhub-internal" found, you may be experiencing a helm bug. To work around this, run kubectl --namespace=<YOUR-NAMESPACE> delete ingress jupyterhub-internal and re-run the helm upgrade command. Note that this will cause a short unavailability of your hub over HTTPS, which will resume normal availability once the deployment upgrade completes.

New Features

More secure by default

z2jh is more secure by default with 0.6. We now block access to cloud security metadata endpoints by default.

See the security documentation for more details. It has seen a number of improvements, and we recommend you read through it!

Autoscaling improvements

Some cloud providers support the kubernetes node autoscaler, which can add / remove nodes depending on how much your cluster is being used. In this release, we made a few changes to let z2jh interact better with the autoscaler!

  • Configure z2jh to 'pack' your users onto nodes, rather than 'spread' them across nodes.
  • A 'continuous' pre-puller that allows user images to be pulled on new nodes easily, leading to faster startup times for users on new nodes. ([link])
  • Hub and Proxy pod will not be disrupted by autoscaler, by using PodDisruptionBudgets. The Hub & Proxy will also stick together if possible, thus minimizing the number of nodes that can not be downsized by the autoscaler.

There is more work to be done for good autoscaling support, but this is a good start!

Better Azure support

Azure's new managed Kubernetes service (AKS) is much better supported by this version!

  • We have much better documentation on using z2jh with Azure!
  • We rewrote our pre-puller so it works on Azure (previously it did not)

Azure AKS is still in preview mode, so be aware of that before using it in any production workloads!

See the setting up Kubernetes on Microsoft AKS section for more information.

Better configurability

We now have better documentation and bug fixes for configurability!

  • extraConfig can be a dictionary instead of just a string. This helps when you have to split your config.yaml into multiple files for complex deployments
  • How user storage works by default is better documented
  • Reading config in extraConfig from extraConfigMap now actually works!
  • You can configure the URL that users are directed to after they log in. This allows defaulting users to JupyterLab
  • You can pre-pull multiple images now, for custom configuration that needs multiple images
  • Better instructions on pre-populating your user's filesystem using nbgitpuller

(excerpt from https://www.cricket.com.au/players/ellyse-perry/1aMxKNyEOUiJqhq7N5Tlwg)

Arguably the best athlete in Australia, Ellyse Perry’s profile continues to rise with the dual cricket and soccer international having played World Cups for both sports.

Perry became the youngest Australian ever to play senior international cricket when she made her debut in the second ODI of the Rose Bowl Series in Darwin in July 2007 before her 17th birthday.

She went on to make her domestic debut in the 2007-08 Women’s National Cricket League season, taking 2-29 from 10 overs in her first match.

Since her national debut, Perry has become a regular fixture for the Southern Stars, playing in the 2009 ICC Women’s World Cup and the ICC Women’s World Twenty20 in the same year.

Leading Australia’s bowling attack, Perry played a crucial role in the ICC Women’s World Twenty20 Final in the West Indies in 2010.

The match came down to the wire, with New Zealand requiring five runs off the last ball to claim the title. Under immense pressure, Perry bowled the final ball of the tournament, which New Zealand’s Sophie Devine struck straight off the bat.

The talented footballer stuck out her boot to deflect the ball to Lisa Sthalekar at mid-on, securing the trophy for Australia. Perry’s figures of 3-18 in the final saw her take home the Player of the Match award.

Perry featured prominently in Australia's three-peat of World T20 victories, selected for the Team of the Tournament in 2012 and 2014.

She was named ICC Female Cricketer of the Year in 2017.

Contributors

This release wouldn't have been possible without the wonderful contributors to the zero-to-jupyterhub, and KubeSpawner repos. We'd like to thank everyone who contributed in any form - Issues, commenting on issues, PRs and reviews since the last Zero to JupyterHub release.

In alphabetical order,

[0.5] - Hamid Hassan - 2017-12-05

JupyterHub 0.8, HTTPS & scalability.

Upgrading from 0.4

See the upgrade documentation for upgrade steps.

New Features

JupyterHub 0.8

JupyterHub 0.8 is full of new features - see CHANGELOG for more details. Specific features made to benefit this chart are:

  1. No more 'too many redirects' errors at scale.
  2. Lots of performance improvements, we now know we can handle up to 4k active users
  3. Concurrent spawn limits (set via hub.concurrentSpawnLimit) can be used to limit the concurrent number of users who can try to launch on the hub at any given time. This can be tuned to avoid crashes when hundreds of users try to launch at the same time. It gives them a friendly error message + asks them to try later, rather than spinning forever.
  4. Active Server limit (set via hub.activeServerLimit) can be used to limit the total number of active users that can be using the hub at any given time. This allows admins to control the size of their clusters.
  5. Memory limits & guarantees (set via singleuser.memory) can now contain fractional units. So you can say 0.5G instead of having to use 512M.

And lots more!

Much easier HTTPS

It is our responsibility as software authors to make it very easy for admins to set up HTTPS for their users. v0.5 makes this much easier than v0.4. You can find the new instructions here and they are much simpler!

You can also now use your own HTTPS certificates & keys rather than using Let's Encrypt.

More authenticators supported

The following new authentication providers have been added:

  1. GitLab
  2. CILogon
  3. Globus

You can also set up a whitelist of users by adding to the list in auth.whitelist.users.

Easier customization of jupyterhub_config.py

You can always put extra snippets of jupyterhub_config.py configuration in hub.extraConfig. Now you can also add extra environment variables to the hub in hub.extraEnv and extra configmap items via hub.extraConfigMap. ConfigMap items can be arbitrary YAML, and you can read them via the get_config function in your hub.extraConfig. This makes it cleaner to customize the hub's config in ways that's not yet possible with config.yaml.

Hub Services support

You can also add external JupyterHub Services by adding them to hub.services. Note that you are still responsible for actually running the service somewhere (perhaps as a deployment object).

More customization options for user server environments

More options have been added under singleuser to help you customize the environment that the user is spawned in. You can change the uid / gid of the user with singleuser.uid and singleuser.fsGid, mount extra volumes with singleuser.storage.extraVolumes & singleuser.storage.extraVolumeMounts and provide extra environment variables with singleuser.extraEnv.

Hamid Hassan

Hamid Hassan is a fast bowler who currently plays for the Afghanistan National Cricket Team. With nicknames ranging from "Afghanistan's David Beckham" to "Rambo", he is considered by many to be Afghanistan's first Cricket Superhero. Currently known for fast (145km/h+) deliveries, cartwheeling celebrations, war painted face and having had to flee Afghanistan as a child to escape from war. He says he plays because "We are ambassadors for our country and we want to show the world that Afghanistan is not like people recognise it by terrorists and these things. We want them to know that we have a lot of talent as well"

Contributors

This release wouldn't have been possible without the wonderful contributors to the zero-to-jupyterhub, JupyterHub, KubeSpawner and OAuthenticator repos. We'd like to thank everyone who contributed in any form - Issues, commenting on issues, PRs and reviews since the last Zero to JupyterHub release.

In alphabetical order,

[0.4] - Akram - 2017-06-23

Stability, HTTPS & breaking changes.

Installation and upgrades

We recommend that you delete prior versions of the package and install the latest version. If you are very familiar with Kubernetes, you can upgrade from an older version, but we still suggest deleting and recreating your installation.

Breaking changes

  • The name of a user pod and a dynamically created home directory PVC (PersistentVolumeClaim) no longer include the userid in them by default. If you are using dynamic PVCs for home directories (which is the default), you will need to manually rename these directories before upgrading. Otherwise, new PVCs will be created, and users might freak out when viewing the newly created directory and think that their home directory appears empty.

    See PR #56 on what needs to change.

  • A StorageClass is no longer created by default. This shouldn't affect most new installs, since most cloud provider installations have a default (as of Kubernetes 1.6). If you are using an older version of Kubernetes, the easiest thing to do is to upgrade to a newer version. If not, you can create a StorageClass manually and everything should continue to work.

  • token.proxy is removed. Use proxy.secretToken instead. If your config.yaml contains something that looks like the following:

    token:
      proxy: <some-secret>

    you should change that to:

    proxy:
      secretToken: <some-secret>

Added

  • Added GitHub Authentication support, thanks to Jason Kuruzovich.
  • Added Ingress support! If your cluster already has Ingress support (with automatic Let's Encrypt support, perhaps), you can easily use that now.
  • We now add a label to user pods / PVCs with their usernames.
  • Support using a static PVC for user home directories or for the hub database. This makes this release usable with clusters where you only have one NFS share that must be used for the whole hub.
  • PostgreSQL is now a supported hub database backend provider.
  • You can set annotations & labels on the proxy-public service now.

Changed

  • We now use the official configurable http proxy (CHP) as the proxy, rather than the unofficial nchp. This should be a no-op (or require no changes) for the most part. JupyterHub errors might display a nicer error page.
  • The version of KubeSpawner uses the official Kubernetes python client rather than pycurl. This helps with scalability a little.

Removed

  • The deprecated createNamespace parameter no longer works, alongside the deprecated name parameter. You probably weren't using these anyway - they were kept only for backwards compatibility with very early versions.

Contributors

This release made possible by the awesome work of the following contributors (in alphabetical order):

<3

Akram

Wasim Akram (وسیم اکرم) is considered by many to be the greatest pace bowler of all time and a founder of the fine art of reverse swing bowling.

0.3

[0.3.1] - 2017-05-19

KubeSpawner updates. Release note

[0.3] - 2017-05-15

Deployer UX fixes. Release note

[0.2] - 2017-05-01

Minor cleanups and features. Release note

[0.1] - 2017-04-10

Initial Public Release. Release note