Merge pull request #82 from pangeo-data/daskhub-upgrade

Upgrade DaskHub from 2023.1.0 to 2024.1.1

providers/kubernetes/daskhub/Chart.yaml

@@ -1,25 +1,26 @@
 apiVersion: v2
-appVersion: jh2.0.0-dg2023.1.1
-dependencies:
-- import-values:
-  - child: rbac
-    parent: rbac
-  name: jupyterhub
-  repository: https://jupyterhub.github.io/helm-chart/
-  version: 2.0.0
-- name: dask-gateway
-  repository: https://helm.dask.org/
-  version: 2023.1.1
-description: Multi-user JupyterHub and Dask deployment.
+name: daskhub
 icon: https://avatars3.githubusercontent.com/u/17131925?v=3&s=200
+version: 2024.1.1
+# appVersion is set to be a combination of the dependencies
+appVersion: "jh3.2.1-dg2024.1.0"
+description: Multi-user JupyterHub and Dask deployment.
+dependencies:
+  - name: jupyterhub
+    version: "3.2.1"
+    repository: https://jupyterhub.github.io/helm-chart/
+    import-values:
+      - child: rbac
+        parent: rbac
+  - name: dask-gateway
+    version: "2024.1.0"
+    repository: https://helm.dask.org/
 maintainers:
-- email: [email protected]
-  name: Jacob Tomlinson (Nvidia)
-- email: [email protected]
-  name: Joe Hamman (NCAR)
-- email: [email protected]
-  name: Erik Sundell
-- email: [email protected]
-  name: Tom Augspurger
-name: daskhub
-version: 2023.1.0
+  - name: Jacob Tomlinson (Nvidia)
+    email: [email protected]
+  - name: Joe Hamman (NCAR)
+    email: [email protected]
+  - name: Erik Sundell
+    email: [email protected]
+  - name: Tom Augspurger
+    email: [email protected]

providers/kubernetes/daskhub/charts/dask-gateway/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
-appVersion: 2023.1.1
+appVersion: 2024.1.0
 description: A multi-tenant server for deploying and managing Dask clusters
 home: https://gateway.dask.org/
 icon: https://avatars3.githubusercontent.com/u/17131925?v=3&s=200
-kubeVersion: '>=1.20.0-0'
+kubeVersion: '>=1.25.0-0'
 name: dask-gateway
 sources:
 - https://github.com/dask/dask-gateway/
-version: 2023.1.1
+version: 2024.1.0

providers/kubernetes/daskhub/charts/dask-gateway/templates/controller/rbac.yaml

@@ -18,7 +18,7 @@ rules:
   - apiGroups: ["gateway.dask.org"]
     resources: ["daskclusters", "daskclusters/status"]
     verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
-  - apiGroups: ["traefik.containo.us"]
+  - apiGroups: ["traefik.io"]
     resources: ["ingressroutes", "ingressroutetcps"]
     verbs: ["get", "create", "delete"]
   - apiGroups: [""]

providers/kubernetes/daskhub/charts/dask-gateway/templates/gateway/deployment.yaml

@@ -65,6 +65,9 @@ spec:
             - mountPath: /etc/dask-gateway/
               name: configmap
           env:
+            {{- with .Values.gateway.env }}
+            {{- . | toYaml | nindent 12 }}
+            {{- end }}
             {{- if (eq .Values.gateway.auth.type "jupyterhub") }}
             - name: JUPYTERHUB_API_TOKEN
               valueFrom:

providers/kubernetes/daskhub/charts/dask-gateway/templates/gateway/ingressroute.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: {{ include "dask-gateway.apiName" . }}

providers/kubernetes/daskhub/charts/dask-gateway/templates/gateway/middleware.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: {{ include "dask-gateway.fullname" . | printf "clusters-prefix-%s" | trunc 63 | trimSuffix "-" }}
@@ -10,7 +10,7 @@ spec:
       - '{{ .Values.gateway.prefix | trimSuffix "/" }}/clusters/[a-zA-Z0-9.-]+'
 {{- if ne .Values.gateway.prefix "/" }}
 ---
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
   name: {{ include "dask-gateway.fullname" . | printf "api-prefix-%s" | trunc 63 | trimSuffix "-" }}

providers/kubernetes/daskhub/charts/dask-gateway/templates/traefik/dashboard.yaml

@@ -1,5 +1,5 @@
 {{- if .Values.traefik.dashboard -}}
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: {{ include "dask-gateway.fullname" . | printf "traefik-dashboard-%s" | trunc 63 | trimSuffix "-" }}

providers/kubernetes/daskhub/charts/dask-gateway/templates/traefik/rbac.yaml

@@ -30,6 +30,7 @@ rules:
       - list
       - watch
   - apiGroups:
+      - traefik.io
       - traefik.containo.us
     resources:
       - ingressroutes

providers/kubernetes/daskhub/charts/dask-gateway/values.schema.yaml

@@ -108,6 +108,24 @@ properties:
           See [the Kubernetes
           documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/)
           for more details about annotations.
+      env:
+        type: array
+        items:
+          type: object
+          additionalProperties: false
+          properties:
+            name:
+              type: string
+            value:
+              type: string
+            valueFrom:
+              type: object
+              additionalProperties: true
+          required:
+            - name
+        description: |
+          A k8s specification for passing additional environment variables
+          to the gateway. See [the documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#envvar-v1-core)
       resources: &resources-spec
         type: object
         additionalProperties: true

providers/kubernetes/daskhub/charts/dask-gateway/values.yaml

@@ -31,8 +31,15 @@ gateway:
   # The image to use for the dask-gateway-server pod (api pod)
   image:
     name: ghcr.io/dask/dask-gateway-server
-    tag: "2023.1.1"
-    pullPolicy: IfNotPresent
+    tag: "2024.1.0"
+    pullPolicy:
+
+  # Add additional environment variables to the gateway pod
+  # e.g.
+  # env:
+  # - name: MYENV
+  #   value: "my value"
+  env: []
 
   # Image pull secrets for gateway-server pod
   imagePullSecrets: []
@@ -114,8 +121,8 @@ gateway:
     # The image to use for both schedulers and workers.
     image:
       name: ghcr.io/dask/dask-gateway
-      tag: "2023.1.1"
-      pullPolicy: IfNotPresent
+      tag: "2024.1.0"
+      pullPolicy:
 
     # Image pull secrets for a dask cluster's scheduler and worker pods
     imagePullSecrets: []
@@ -213,8 +220,8 @@ controller:
   # The image to use for the controller pod.
   image:
     name: ghcr.io/dask/dask-gateway-server
-    tag: "2023.1.1"
-    pullPolicy: IfNotPresent
+    tag: "2024.1.0"
+    pullPolicy:
 
   # Settings for nodeSelector, affinity, and tolerations for the controller pods
   nodeSelector: {}
@@ -239,8 +246,8 @@ traefik:
   # The image to use for the proxy pod
   image:
     name: traefik
-    tag: "2.9.4"
-    pullPolicy: IfNotPresent
+    tag: "2.10.6"
+    pullPolicy:
   imagePullSecrets: []
 
   # Any additional arguments to forward to traefik

providers/kubernetes/daskhub/charts/jupyterhub/.helmignore

@@ -6,7 +6,7 @@
 #
 # Here are files that we intentionally ignore to avoid them being packaged,
 # because we don't want to reference them from our templates anyhow.
-schema.yaml
+values.schema.yaml
 
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and

providers/kubernetes/daskhub/charts/jupyterhub/Chart.yaml

@@ -1,35 +1,35 @@
 annotations:
   artifacthub.io/images: |
-    - image: jupyterhub/configurable-http-proxy:4.5.3
+    - image: quay.io/jupyterhub/configurable-http-proxy:4.6.1
       name: configurable-http-proxy
-    - image: jupyterhub/k8s-hub:2.0.0
+    - image: quay.io/jupyterhub/k8s-hub:3.2.1
       name: k8s-hub
-    - image: jupyterhub/k8s-image-awaiter:2.0.0
+    - image: quay.io/jupyterhub/k8s-image-awaiter:3.2.1
       name: k8s-image-awaiter
-    - image: jupyterhub/k8s-network-tools:2.0.0
+    - image: quay.io/jupyterhub/k8s-network-tools:3.2.1
       name: k8s-network-tools
-    - image: jupyterhub/k8s-secret-sync:2.0.0
+    - image: quay.io/jupyterhub/k8s-secret-sync:3.2.1
       name: k8s-secret-sync
-    - image: jupyterhub/k8s-singleuser-sample:2.0.0
+    - image: quay.io/jupyterhub/k8s-singleuser-sample:3.2.1
       name: k8s-singleuser-sample
-    - image: k8s.gcr.io/kube-scheduler:v1.23.10
+    - image: registry.k8s.io/kube-scheduler:v1.26.11
       name: kube-scheduler
-    - image: k8s.gcr.io/pause:3.8
+    - image: registry.k8s.io/pause:3.9
       name: pause
-    - image: k8s.gcr.io/pause:3.8
+    - image: registry.k8s.io/pause:3.9
       name: pause
-    - image: traefik:v2.8.4
+    - image: traefik:v2.10.5
       name: traefik
 apiVersion: v2
-appVersion: 3.0.0
+appVersion: 4.0.2
 description: Multi-user Jupyter installation
 home: https://z2jh.jupyter.org
-icon: https://jupyterhub.github.io/helm-chart/images/hublogo.svg
+icon: https://hub.jupyter.org/helm-chart/images/hublogo.svg
 keywords:
 - jupyter
 - jupyterhub
 - z2jh
-kubeVersion: '>=1.20.0-0'
+kubeVersion: '>=1.23.0-0'
 maintainers:
 - email: [email protected]
   name: Erik Sundell
@@ -38,4 +38,4 @@ maintainers:
 name: jupyterhub
 sources:
 - https://github.com/jupyterhub/zero-to-jupyterhub-k8s
-version: 2.0.0
+version: 3.2.1

providers/kubernetes/daskhub/charts/jupyterhub/README.md

@@ -5,9 +5,9 @@
 [![Discourse](https://img.shields.io/badge/Help_forum-discourse-blue?logo=discourse&logoColor=white)](https://discourse.jupyter.org/c/jupyterhub/z2jh-k8s)
 [![Gitter](https://img.shields.io/badge/Social_chat-gitter-blue?logo=gitter&logoColor=white)](https://gitter.im/jupyterhub/jupyterhub)
 <br>
-[![Latest stable release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20stable%20release&url=https://jupyterhub.github.io/helm-chart/info.json&query=$.jupyterhub.stable&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#jupyterhub)
-[![Latest pre-release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20pre-release&url=https://jupyterhub.github.io/helm-chart/info.json&query=$.jupyterhub.pre&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#development-releases-jupyterhub)
-[![Latest development release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20dev%20release&url=https://jupyterhub.github.io/helm-chart/info.json&query=$.jupyterhub.latest&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#development-releases-jupyterhub)
+[![Latest stable release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20stable%20release&url=https://hub.jupyter.org/helm-chart/info.json&query=$.jupyterhub.stable&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#jupyterhub)
+[![Latest pre-release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20pre-release&url=https://hub.jupyter.org/helm-chart/info.json&query=$.jupyterhub.pre&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#development-releases-jupyterhub)
+[![Latest development release of the Helm chart](https://img.shields.io/badge/dynamic/json.svg?label=Latest%20dev%20release&url=https://hub.jupyter.org/helm-chart/info.json&query=$.jupyterhub.latest&logo=helm&logoColor=white)](https://jupyterhub.github.io/helm-chart#development-releases-jupyterhub)
 
 The JupyterHub Helm chart is accompanied with an installation guide at [z2jh.jupyter.org](https://z2jh.jupyter.org). Together they enable you to deploy [JupyterHub](https://jupyterhub.readthedocs.io) in a Kubernetes cluster that can make Jupyter environments available to several thousands of simultaneous users.
 

providers/kubernetes/daskhub/charts/jupyterhub/files/hub/jupyterhub_config.py

@@ -1,8 +1,10 @@
+# load the config object (satisfies linters)
+c = get_config()  # noqa
+
 import glob
 import os
 import re
 import sys
-from binascii import a2b_hex
 
 from jupyterhub.utils import url_path_join
 from kubernetes_asyncio import client
@@ -417,23 +419,28 @@ def camelCaseify(s):
 
 set_config_if_not_none(c.Spawner, "default_url", "singleuser.defaultUrl")
 
-cloud_metadata = get_config("singleuser.cloudMetadata", {})
+cloud_metadata = get_config("singleuser.cloudMetadata")
 
 if cloud_metadata.get("blockWithIptables") == True:
     # Use iptables to block access to cloud metadata by default
     network_tools_image_name = get_config("singleuser.networkTools.image.name")
     network_tools_image_tag = get_config("singleuser.networkTools.image.tag")
     network_tools_resources = get_config("singleuser.networkTools.resources")
+    ip = cloud_metadata["ip"]
     ip_block_container = client.V1Container(
         name="block-cloud-metadata",
         image=f"{network_tools_image_name}:{network_tools_image_tag}",
         command=[
             "iptables",
-            "-A",
+            "--append",
             "OUTPUT",
-            "-d",
-            cloud_metadata.get("ip", "169.254.169.254"),
-            "-j",
+            "--protocol",
+            "tcp",
+            "--destination",
+            ip,
+            "--destination-port",
+            "80",
+            "--jump",
             "DROP",
         ],
         security_context=client.V1SecurityContext(

providers/kubernetes/daskhub/charts/jupyterhub/templates/NOTES.txt

@@ -92,7 +92,7 @@
 
 
 {{- /*
-  Warnings for likely misconfiguration
+  Warnings for likely misconfigurations
 */}}
 
 {{- if and (not .Values.scheduling.podPriority.enabled) (and .Values.scheduling.userPlaceholder.enabled .Values.scheduling.userPlaceholder.replicas) }}
@@ -114,7 +114,7 @@
 
 
 {{- /*
-  Breaking changes.
+  Breaking changes and failures for likely misconfigurations.
 */}}
 
 {{- $breaking := "" }}
@@ -148,6 +148,11 @@
 {{- end }}
 
 
+{{- if and .Values.singleuser.cloudMetadata.blockWithIptables (and .Values.singleuser.networkPolicy.enabled .Values.singleuser.networkPolicy.egressAllowRules.cloudMetadataServer) }}
+{{- $breaking = print $breaking "\n\nCHANGED: singleuser.cloudMetadata.blockWithIptables must as of version 3.0.0 not be configured together with singleuser.networkPolicy.egressAllowRules.cloudMetadataServer as it leads to an ambiguous configuration." }}
+{{- end }}
+
+
 {{- if $breaking }}
 {{- fail (print $breaking_title $breaking "\n\n") }}
 {{- end }}

providers/kubernetes/daskhub/charts/jupyterhub/templates/_helpers-names.tpl

@@ -3,8 +3,8 @@
     parent charts to reference these dynamic resource names.
 
     To avoid duplicating documentation, for more information, please see the the
-    fullnameOverride entry in schema.yaml or the configuration reference that
-    schema.yaml renders to.
+    fullnameOverride entry in values.schema.yaml or the configuration reference
+    that values.schema.yaml renders to.
 
     https://z2jh.jupyter.org/en/latest/resources/reference.html#fullnameOverride
 */}}
@@ -90,7 +90,9 @@
     {{- /* A hack to avoid issues from invoking this from a parent Helm chart. */}}
     {{- $existing_secret := .Values.hub.existingSecret }}
     {{- if ne .Chart.Name "jupyterhub" }}
-        {{- $existing_secret = .Values.jupyterhub.hub.existingSecret }}
+        {{- if .Values.jupyterhub }}
+            {{- $existing_secret = .Values.jupyterhub.hub.existingSecret }}
+        {{- end }}
     {{- end }}
     {{- if $existing_secret }}
         {{- $existing_secret }}