From a46ad9c65e47e2ee2676229de82fe12914e0cede Mon Sep 17 00:00:00 2001 From: bbrauzzi Date: Fri, 28 Jul 2023 09:05:06 +0000 Subject: [PATCH] Commit triggered by a change on the main branch of helm-charts-dev --- charts/application-hub/Chart.yaml | 2 +- charts/application-hub/files/config.json | 24 - .../files/hub/jupyterhub_config.py | 490 ------------------ charts/application-hub/templates/NOTES.txt | 153 ------ .../templates/_helpers-names.tpl | 306 ----------- .../templates/_helpers-netpol.tpl | 86 --- .../templates/hub/_helpers-passwords.tpl | 92 ---- .../templates/hub/configmap.yaml | 30 -- .../templates/hub/deployment.yaml | 243 --------- .../application-hub/templates/hub/netpol.yaml | 84 --- charts/application-hub/templates/hub/pdb.yaml | 23 - charts/application-hub/templates/hub/pvc.yaml | 25 - .../application-hub/templates/hub/rbac.yaml | 30 -- .../application-hub/templates/hub/secret.yaml | 50 -- .../templates/hub/service.yaml | 37 -- .../templates/hub/serviceaccount.yaml | 12 - .../templates/image-pull-secret.yaml | 15 - .../image-puller/_helpers-daemonset.tpl | 251 --------- .../image-puller/daemonset-continuous.yaml | 8 - .../image-puller/daemonset-hook.yaml | 9 - .../templates/image-puller/job.yaml | 76 --- .../templates/image-puller/priorityclass.yaml | 18 - .../templates/image-puller/rbac.yaml | 45 -- .../image-puller/serviceaccount.yaml | 21 - .../templates/proxy/autohttps/_README.txt | 9 - .../proxy/autohttps/_configmap-dynamic.yaml | 109 ---- .../proxy/autohttps/_configmap-traefik.yaml | 68 --- .../templates/proxy/autohttps/configmap.yaml | 28 - .../templates/proxy/autohttps/deployment.yaml | 154 ------ .../templates/proxy/autohttps/netpol.yaml | 78 --- .../templates/proxy/autohttps/pdb.yaml | 23 - .../templates/proxy/autohttps/rbac.yaml | 35 -- .../templates/proxy/autohttps/service.yaml | 25 - .../proxy/autohttps/serviceaccount.yaml | 12 - .../templates/proxy/deployment.yaml | 178 ------- .../templates/proxy/netpol.yaml | 108 ---- .../application-hub/templates/proxy/pdb.yaml | 23 - .../templates/proxy/secret.yaml | 13 - .../templates/proxy/service.yaml | 80 --- .../scheduling/_scheduling-helpers.tpl | 138 ----- .../templates/scheduling/priorityclass.yaml | 15 - .../scheduling/user-placeholder/pdb.yaml | 22 - .../user-placeholder/priorityclass.yaml | 16 - .../user-placeholder/statefulset.yaml | 80 --- .../scheduling/user-scheduler/configmap.yaml | 95 ---- .../scheduling/user-scheduler/deployment.yaml | 109 ---- .../scheduling/user-scheduler/pdb.yaml | 23 - .../scheduling/user-scheduler/rbac.yaml | 233 --------- .../user-scheduler/serviceaccount.yaml | 14 - .../templates/singleuser/netpol.yaml | 99 ---- .../templates/singleuser/secret.yaml | 17 - 51 files changed, 1 insertion(+), 3933 deletions(-) delete mode 100644 charts/application-hub/files/config.json delete mode 100644 charts/application-hub/files/hub/jupyterhub_config.py delete mode 100644 charts/application-hub/templates/NOTES.txt delete mode 100644 charts/application-hub/templates/_helpers-names.tpl delete mode 100644 charts/application-hub/templates/_helpers-netpol.tpl delete mode 100644 charts/application-hub/templates/hub/_helpers-passwords.tpl delete mode 100644 charts/application-hub/templates/hub/configmap.yaml delete mode 100644 charts/application-hub/templates/hub/deployment.yaml delete mode 100644 charts/application-hub/templates/hub/netpol.yaml delete mode 100644 charts/application-hub/templates/hub/pdb.yaml delete mode 100644 charts/application-hub/templates/hub/pvc.yaml delete mode 100644 charts/application-hub/templates/hub/rbac.yaml delete mode 100644 charts/application-hub/templates/hub/secret.yaml delete mode 100644 charts/application-hub/templates/hub/service.yaml delete mode 100644 charts/application-hub/templates/hub/serviceaccount.yaml delete mode 100644 charts/application-hub/templates/image-pull-secret.yaml delete mode 100644 charts/application-hub/templates/image-puller/_helpers-daemonset.tpl delete mode 100644 charts/application-hub/templates/image-puller/daemonset-continuous.yaml delete mode 100644 charts/application-hub/templates/image-puller/daemonset-hook.yaml delete mode 100644 charts/application-hub/templates/image-puller/job.yaml delete mode 100644 charts/application-hub/templates/image-puller/priorityclass.yaml delete mode 100644 charts/application-hub/templates/image-puller/rbac.yaml delete mode 100644 charts/application-hub/templates/image-puller/serviceaccount.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/_README.txt delete mode 100644 charts/application-hub/templates/proxy/autohttps/_configmap-dynamic.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/_configmap-traefik.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/configmap.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/deployment.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/netpol.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/pdb.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/rbac.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/service.yaml delete mode 100644 charts/application-hub/templates/proxy/autohttps/serviceaccount.yaml delete mode 100644 charts/application-hub/templates/proxy/deployment.yaml delete mode 100644 charts/application-hub/templates/proxy/netpol.yaml delete mode 100644 charts/application-hub/templates/proxy/pdb.yaml delete mode 100644 charts/application-hub/templates/proxy/secret.yaml delete mode 100644 charts/application-hub/templates/proxy/service.yaml delete mode 100644 charts/application-hub/templates/scheduling/_scheduling-helpers.tpl delete mode 100644 charts/application-hub/templates/scheduling/priorityclass.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-placeholder/pdb.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-placeholder/priorityclass.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-placeholder/statefulset.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-scheduler/configmap.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-scheduler/deployment.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-scheduler/pdb.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-scheduler/rbac.yaml delete mode 100644 charts/application-hub/templates/scheduling/user-scheduler/serviceaccount.yaml delete mode 100644 charts/application-hub/templates/singleuser/netpol.yaml delete mode 100644 charts/application-hub/templates/singleuser/secret.yaml diff --git a/charts/application-hub/Chart.yaml b/charts/application-hub/Chart.yaml index bc964e6..aeb5bd1 100644 --- a/charts/application-hub/Chart.yaml +++ b/charts/application-hub/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.0.44 +version: 2.0.45 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/charts/application-hub/files/config.json b/charts/application-hub/files/config.json deleted file mode 100644 index 08397d7..0000000 --- a/charts/application-hub/files/config.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "singleuser": { - "image": { - "name": "jupyter/minimal-notebook", - "tag": "2343e33dec46" - }, - "profileList": [ - { - "display_name": "Minimal environment", - "description": "To avoid too much bells and whistles: Python.", - "default": "True" - }, - { - "display_name": "PDE version 0.8", - "slug": "pde_coder_slug", - "default": "False", - "kubespawner_override": { - "cpu_limit": 4, - "mem_limit": "8G" - } - } - ] - } -} \ No newline at end of file diff --git a/charts/application-hub/files/hub/jupyterhub_config.py b/charts/application-hub/files/hub/jupyterhub_config.py deleted file mode 100644 index 1ce7412..0000000 --- a/charts/application-hub/files/hub/jupyterhub_config.py +++ /dev/null @@ -1,490 +0,0 @@ -import glob -import os -import re -import sys -from binascii import a2b_hex - -from jupyterhub.utils import url_path_join -from kubernetes_asyncio import client -from tornado.httpclient import AsyncHTTPClient - -# Make sure that modules placed in the same directory as the jupyterhub config are added to the pythonpath -configuration_directory = os.path.dirname(os.path.realpath(__file__)) -sys.path.insert(0, configuration_directory) - -from z2jh import ( - get_config, - get_name, - get_name_env, - get_secret_value, - set_config_if_not_none, -) - - -def camelCaseify(s): - """convert snake_case to camelCase - - For the common case where some_value is set from someValue - so we don't have to specify the name twice. - """ - return re.sub(r"_([a-z])", lambda m: m.group(1).upper(), s) - - -# Configure JupyterHub to use the curl backend for making HTTP requests, -# rather than the pure-python implementations. The default one starts -# being too slow to make a large number of requests to the proxy API -# at the rate required. -AsyncHTTPClient.configure("tornado.curl_httpclient.CurlAsyncHTTPClient") - -c.JupyterHub.spawner_class = "kubespawner.KubeSpawner" - -# Connect to a proxy running in a different pod. Note that *_SERVICE_* -# environment variables are set by Kubernetes for Services -c.ConfigurableHTTPProxy.api_url = ( - f'http://{get_name("proxy-api")}:{get_name_env("proxy-api", "_SERVICE_PORT")}' -) -c.ConfigurableHTTPProxy.should_start = False - -# Do not shut down user pods when hub is restarted -c.JupyterHub.cleanup_servers = False - -# Check that the proxy has routes appropriately setup -c.JupyterHub.last_activity_interval = 60 - -# Don't wait at all before redirecting a spawning user to the progress page -c.JupyterHub.tornado_settings = { - "slow_spawn_timeout": 0, -} - - -# configure the hub db connection -db_type = get_config("hub.db.type") -if db_type == "sqlite-pvc": - c.JupyterHub.db_url = "sqlite:///jupyterhub.sqlite" -elif db_type == "sqlite-memory": - c.JupyterHub.db_url = "sqlite://" -else: - set_config_if_not_none(c.JupyterHub, "db_url", "hub.db.url") -db_password = get_secret_value("hub.db.password", None) -if db_password is not None: - if db_type == "mysql": - os.environ["MYSQL_PWD"] = db_password - elif db_type == "postgres": - os.environ["PGPASSWORD"] = db_password - else: - print(f"Warning: hub.db.password is ignored for hub.db.type={db_type}") - - -# c.JupyterHub configuration from Helm chart's configmap -for trait, cfg_key in ( - ("concurrent_spawn_limit", None), - ("active_server_limit", None), - ("base_url", None), - ("allow_named_servers", None), - ("named_server_limit_per_user", None), - ("authenticate_prometheus", None), - ("redirect_to_server", None), - ("shutdown_on_logout", None), - ("template_paths", None), - ("template_vars", None), -): - if cfg_key is None: - cfg_key = camelCaseify(trait) - set_config_if_not_none(c.JupyterHub, trait, "hub." + cfg_key) - -# hub_bind_url configures what the JupyterHub process within the hub pod's -# container should listen to. -hub_container_port = 8081 -c.JupyterHub.hub_bind_url = f"http://:{hub_container_port}" - -# hub_connect_url is the URL for connecting to the hub for use by external -# JupyterHub services such as the proxy. Note that *_SERVICE_* environment -# variables are set by Kubernetes for Services. -c.JupyterHub.hub_connect_url = ( - f'http://{get_name("hub")}:{get_name_env("hub", "_SERVICE_PORT")}' -) - -# implement common labels -# this duplicates the jupyterhub.commonLabels helper -common_labels = c.KubeSpawner.common_labels = {} -common_labels["app"] = get_config( - "nameOverride", - default=get_config("Chart.Name", "jupyterhub"), -) -common_labels["heritage"] = "jupyterhub" -chart_name = get_config("Chart.Name") -chart_version = get_config("Chart.Version") -if chart_name and chart_version: - common_labels["chart"] = "{}-{}".format( - chart_name, - chart_version.replace("+", "_"), - ) -release = get_config("Release.Name") -if release: - common_labels["release"] = release - -c.KubeSpawner.namespace = os.environ.get("POD_NAMESPACE", "default") - -# Max number of consecutive failures before the Hub restarts itself -# requires jupyterhub 0.9.2 -set_config_if_not_none( - c.Spawner, - "consecutive_failure_limit", - "hub.consecutiveFailureLimit", -) - -for trait, cfg_key in ( - ("pod_name_template", None), - ("start_timeout", None), - ("image_pull_policy", "image.pullPolicy"), - # ('image_pull_secrets', 'image.pullSecrets'), # Managed manually below - ("events_enabled", "events"), - ("extra_labels", None), - ("extra_annotations", None), - # ("allow_privilege_escalation", None), # Managed manually below - ("uid", None), - ("fs_gid", None), - ("service_account", "serviceAccountName"), - ("storage_extra_labels", "storage.extraLabels"), - # ("tolerations", "extraTolerations"), # Managed manually below - ("node_selector", None), - ("node_affinity_required", "extraNodeAffinity.required"), - ("node_affinity_preferred", "extraNodeAffinity.preferred"), - ("pod_affinity_required", "extraPodAffinity.required"), - ("pod_affinity_preferred", "extraPodAffinity.preferred"), - ("pod_anti_affinity_required", "extraPodAntiAffinity.required"), - ("pod_anti_affinity_preferred", "extraPodAntiAffinity.preferred"), - ("lifecycle_hooks", None), - ("init_containers", None), - ("extra_containers", None), - ("mem_limit", "memory.limit"), - ("mem_guarantee", "memory.guarantee"), - ("cpu_limit", "cpu.limit"), - ("cpu_guarantee", "cpu.guarantee"), - ("extra_resource_limits", "extraResource.limits"), - ("extra_resource_guarantees", "extraResource.guarantees"), - ("environment", "extraEnv"), - ("profile_list", None), - ("extra_pod_config", None), -): - if cfg_key is None: - cfg_key = camelCaseify(trait) - set_config_if_not_none(c.KubeSpawner, trait, "singleuser." + cfg_key) - -image = get_config("singleuser.image.name") -if image: - tag = get_config("singleuser.image.tag") - if tag: - image = f"{image}:{tag}" - - c.KubeSpawner.image = image - -# allow_privilege_escalation defaults to False in KubeSpawner 2+. Since its a -# property where None, False, and True all are valid values that users of the -# Helm chart may want to set, we can't use the set_config_if_not_none helper -# function as someone may want to override the default False value to None. -# -c.KubeSpawner.allow_privilege_escalation = get_config( - "singleuser.allowPrivilegeEscalation" -) - -# Combine imagePullSecret.create (single), imagePullSecrets (list), and -# singleuser.image.pullSecrets (list). -image_pull_secrets = [] -if get_config("imagePullSecret.automaticReferenceInjection") and get_config( - "imagePullSecret.create" -): - image_pull_secrets.append(get_name("image-pull-secret")) -if get_config("imagePullSecrets"): - image_pull_secrets.extend(get_config("imagePullSecrets")) -if get_config("singleuser.image.pullSecrets"): - image_pull_secrets.extend(get_config("singleuser.image.pullSecrets")) -if image_pull_secrets: - c.KubeSpawner.image_pull_secrets = image_pull_secrets - -# scheduling: -if get_config("scheduling.userScheduler.enabled"): - c.KubeSpawner.scheduler_name = get_name("user-scheduler") -if get_config("scheduling.podPriority.enabled"): - c.KubeSpawner.priority_class_name = get_name("priority") - -# add node-purpose affinity -match_node_purpose = get_config("scheduling.userPods.nodeAffinity.matchNodePurpose") -if match_node_purpose: - node_selector = dict( - matchExpressions=[ - dict( - key="hub.jupyter.org/node-purpose", - operator="In", - values=["user"], - ) - ], - ) - if match_node_purpose == "prefer": - c.KubeSpawner.node_affinity_preferred.append( - dict( - weight=100, - preference=node_selector, - ), - ) - elif match_node_purpose == "require": - c.KubeSpawner.node_affinity_required.append(node_selector) - elif match_node_purpose == "ignore": - pass - else: - raise ValueError( - f"Unrecognized value for matchNodePurpose: {match_node_purpose}" - ) - -# Combine the common tolerations for user pods with singleuser tolerations -scheduling_user_pods_tolerations = get_config("scheduling.userPods.tolerations", []) -singleuser_extra_tolerations = get_config("singleuser.extraTolerations", []) -tolerations = scheduling_user_pods_tolerations + singleuser_extra_tolerations -if tolerations: - c.KubeSpawner.tolerations = tolerations - -# Configure dynamically provisioning pvc -storage_type = get_config("singleuser.storage.type") -if storage_type == "dynamic": - pvc_name_template = get_config("singleuser.storage.dynamic.pvcNameTemplate") - c.KubeSpawner.pvc_name_template = pvc_name_template - volume_name_template = get_config("singleuser.storage.dynamic.volumeNameTemplate") - c.KubeSpawner.storage_pvc_ensure = True - set_config_if_not_none( - c.KubeSpawner, "storage_class", "singleuser.storage.dynamic.storageClass" - ) - set_config_if_not_none( - c.KubeSpawner, - "storage_access_modes", - "singleuser.storage.dynamic.storageAccessModes", - ) - set_config_if_not_none( - c.KubeSpawner, "storage_capacity", "singleuser.storage.capacity" - ) - - # Add volumes to singleuser pods - c.KubeSpawner.volumes = [ - { - "name": volume_name_template, - "persistentVolumeClaim": {"claimName": pvc_name_template}, - } - ] - c.KubeSpawner.volume_mounts = [ - { - "mountPath": get_config("singleuser.storage.homeMountPath"), - "name": volume_name_template, - } - ] -elif storage_type == "static": - pvc_claim_name = get_config("singleuser.storage.static.pvcName") - c.KubeSpawner.volumes = [ - {"name": "home", "persistentVolumeClaim": {"claimName": pvc_claim_name}} - ] - - c.KubeSpawner.volume_mounts = [ - { - "mountPath": get_config("singleuser.storage.homeMountPath"), - "name": "home", - "subPath": get_config("singleuser.storage.static.subPath"), - } - ] - -# Inject singleuser.extraFiles as volumes and volumeMounts with data loaded from -# the dedicated k8s Secret prepared to hold the extraFiles actual content. -extra_files = get_config("singleuser.extraFiles", {}) -if extra_files: - volume = { - "name": "files", - } - items = [] - for file_key, file_details in extra_files.items(): - # Each item is a mapping of a key in the k8s Secret to a path in this - # abstract volume, the goal is to enable us to set the mode / - # permissions only though so we don't change the mapping. - item = { - "key": file_key, - "path": file_key, - } - if "mode" in file_details: - item["mode"] = file_details["mode"] - items.append(item) - volume["secret"] = { - "secretName": get_name("singleuser"), - "items": items, - } - c.KubeSpawner.volumes.append(volume) - - volume_mounts = [] - for file_key, file_details in extra_files.items(): - volume_mounts.append( - { - "mountPath": file_details["mountPath"], - "subPath": file_key, - "name": "files", - } - ) - c.KubeSpawner.volume_mounts.extend(volume_mounts) - -# Inject extraVolumes / extraVolumeMounts -c.KubeSpawner.volumes.extend(get_config("singleuser.storage.extraVolumes", [])) -c.KubeSpawner.volume_mounts.extend( - get_config("singleuser.storage.extraVolumeMounts", []) -) - -c.JupyterHub.services = [] -c.JupyterHub.load_roles = [] - -# jupyterhub-idle-culler's permissions are scoped to what it needs only, see -# https://github.com/jupyterhub/jupyterhub-idle-culler#permissions. -# -if get_config("cull.enabled", False): - jupyterhub_idle_culler_role = { - "name": "jupyterhub-idle-culler", - "scopes": [ - "list:users", - "read:users:activity", - "read:servers", - "delete:servers", - # "admin:users", # dynamically added if --cull-users is passed - ], - # assign the role to a jupyterhub service, so it gains these permissions - "services": ["jupyterhub-idle-culler"], - } - - cull_cmd = ["python3", "-m", "jupyterhub_idle_culler"] - base_url = c.JupyterHub.get("base_url", "/") - cull_cmd.append("--url=http://localhost:8081" + url_path_join(base_url, "hub/api")) - - cull_timeout = get_config("cull.timeout") - if cull_timeout: - cull_cmd.append(f"--timeout={cull_timeout}") - - cull_every = get_config("cull.every") - if cull_every: - cull_cmd.append(f"--cull-every={cull_every}") - - cull_concurrency = get_config("cull.concurrency") - if cull_concurrency: - cull_cmd.append(f"--concurrency={cull_concurrency}") - - if get_config("cull.users"): - cull_cmd.append("--cull-users") - jupyterhub_idle_culler_role["scopes"].append("admin:users") - - if not get_config("cull.adminUsers"): - cull_cmd.append("--cull-admin-users=false") - - if get_config("cull.removeNamedServers"): - cull_cmd.append("--remove-named-servers") - - cull_max_age = get_config("cull.maxAge") - if cull_max_age: - cull_cmd.append(f"--max-age={cull_max_age}") - - c.JupyterHub.services.append( - { - "name": "jupyterhub-idle-culler", - "command": cull_cmd, - } - ) - c.JupyterHub.load_roles.append(jupyterhub_idle_culler_role) - -for key, service in get_config("hub.services", {}).items(): - # c.JupyterHub.services is a list of dicts, but - # hub.services is a dict of dicts to make the config mergable - service.setdefault("name", key) - - # As the api_token could be exposed in hub.existingSecret, we need to read - # it it from there or fall back to the chart managed k8s Secret's value. - service.pop("apiToken", None) - service["api_token"] = get_secret_value(f"hub.services.{key}.apiToken") - - c.JupyterHub.services.append(service) - -for key, role in get_config("hub.loadRoles", {}).items(): - # c.JupyterHub.load_roles is a list of dicts, but - # hub.loadRoles is a dict of dicts to make the config mergable - role.setdefault("name", key) - - c.JupyterHub.load_roles.append(role) - -# respect explicit null command (distinct from unspecified) -# this avoids relying on KubeSpawner.cmd's default being None -_unspecified = object() -specified_cmd = get_config("singleuser.cmd", _unspecified) -if specified_cmd is not _unspecified: - c.Spawner.cmd = specified_cmd - -set_config_if_not_none(c.Spawner, "default_url", "singleuser.defaultUrl") - -cloud_metadata = get_config("singleuser.cloudMetadata", {}) - -if cloud_metadata.get("blockWithIptables") == True: - # Use iptables to block access to cloud metadata by default - network_tools_image_name = get_config("singleuser.networkTools.image.name") - network_tools_image_tag = get_config("singleuser.networkTools.image.tag") - network_tools_resources = get_config("singleuser.networkTools.resources") - ip_block_container = client.V1Container( - name="block-cloud-metadata", - image=f"{network_tools_image_name}:{network_tools_image_tag}", - command=[ - "iptables", - "-A", - "OUTPUT", - "-d", - cloud_metadata.get("ip", "169.254.169.254"), - "-j", - "DROP", - ], - security_context=client.V1SecurityContext( - privileged=True, - run_as_user=0, - capabilities=client.V1Capabilities(add=["NET_ADMIN"]), - ), - resources=network_tools_resources, - ) - - c.KubeSpawner.init_containers.append(ip_block_container) - - -if get_config("debug.enabled", False): - c.JupyterHub.log_level = "DEBUG" - c.Spawner.debug = True - -# load potentially seeded secrets -# -# NOTE: ConfigurableHTTPProxy.auth_token is set through an environment variable -# that is set using the chart managed secret. -c.JupyterHub.cookie_secret = get_secret_value("hub.config.JupyterHub.cookie_secret") -# NOTE: CryptKeeper.keys should be a list of strings, but we have encoded as a -# single string joined with ; in the k8s Secret. -# -c.CryptKeeper.keys = get_secret_value("hub.config.CryptKeeper.keys").split(";") - -# load hub.config values, except potentially seeded secrets already loaded -for app, cfg in get_config("hub.config", {}).items(): - if app == "JupyterHub": - cfg.pop("proxy_auth_token", None) - cfg.pop("cookie_secret", None) - cfg.pop("services", None) - elif app == "ConfigurableHTTPProxy": - cfg.pop("auth_token", None) - elif app == "CryptKeeper": - cfg.pop("keys", None) - c[app].update(cfg) - -# load /usr/local/etc/jupyterhub/jupyterhub_config.d config files -config_dir = "/usr/local/etc/jupyterhub/jupyterhub_config.d" -if os.path.isdir(config_dir): - for file_path in sorted(glob.glob(f"{config_dir}/*.py")): - file_name = os.path.basename(file_path) - print(f"Loading {config_dir} config: {file_name}") - with open(file_path) as f: - file_content = f.read() - # compiling makes debugging easier: https://stackoverflow.com/a/437857 - exec(compile(source=file_content, filename=file_name, mode="exec")) - -# execute hub.extraConfig entries -for key, config_py in sorted(get_config("hub.extraConfig", {}).items()): - print(f"Loading extra config: {key}") - exec(config_py) diff --git a/charts/application-hub/templates/NOTES.txt b/charts/application-hub/templates/NOTES.txt deleted file mode 100644 index e9a4edf..0000000 --- a/charts/application-hub/templates/NOTES.txt +++ /dev/null @@ -1,153 +0,0 @@ -{{- $proxy_service := include "jupyterhub.proxy-public.fullname" . -}} - -{{- /* Generated with https://patorjk.com/software/taag/#p=display&h=0&f=Slant&t=JupyterHub */}} -. __ __ __ __ __ - / / __ __ ____ __ __ / /_ ___ _____ / / / / __ __ / /_ - __ / / / / / / / __ \ / / / / / __/ / _ \ / ___/ / /_/ / / / / / / __ \ -/ /_/ / / /_/ / / /_/ / / /_/ / / /_ / __/ / / / __ / / /_/ / / /_/ / -\____/ \__,_/ / .___/ \__, / \__/ \___/ /_/ /_/ /_/ \__,_/ /_.___/ - /_/ /____/ - - You have successfully installed the official JupyterHub Helm chart! - -### Installation info - - - Kubernetes namespace: {{ .Release.Namespace }} - - Helm release name: {{ .Release.Name }} - - Helm chart version: {{ .Chart.Version }} - - JupyterHub version: {{ .Chart.AppVersion }} - - Hub pod packages: See https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/{{ include "jupyterhub.chart-version-to-git-ref" .Chart.Version }}/images/hub/requirements.txt - -### Followup links - - - Documentation: https://z2jh.jupyter.org - - Help forum: https://discourse.jupyter.org - - Social chat: https://gitter.im/jupyterhub/jupyterhub - - Issue tracking: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues - -### Post-installation checklist - - - Verify that created Pods enter a Running state: - - kubectl --namespace={{ .Release.Namespace }} get pod - - If a pod is stuck with a Pending or ContainerCreating status, diagnose with: - - kubectl --namespace={{ .Release.Namespace }} describe pod - - If a pod keeps restarting, diagnose with: - - kubectl --namespace={{ .Release.Namespace }} logs --previous - {{- println }} - - {{- if eq .Values.proxy.service.type "LoadBalancer" }} - - Verify an external IP is provided for the k8s Service {{ $proxy_service }}. - - kubectl --namespace={{ .Release.Namespace }} get service {{ $proxy_service }} - - If the external ip remains , diagnose with: - - kubectl --namespace={{ .Release.Namespace }} describe service {{ $proxy_service }} - {{- end }} - - - Verify web based access: - {{- println }} - {{- if .Values.ingress.enabled }} - {{- range $host := .Values.ingress.hosts }} - Try insecure HTTP access: http://{{ $host }}{{ $.Values.hub.baseUrl | trimSuffix "/" }}/ - {{- end }} - - {{- range $tls := .Values.ingress.tls }} - {{- range $host := $tls.hosts }} - Try secure HTTPS access: https://{{ $host }}{{ $.Values.hub.baseUrl | trimSuffix "/" }}/ - {{- end }} - {{- end }} - {{- else }} - You have not configured a k8s Ingress resource so you need to access the k8s - Service {{ $proxy_service }} directly. - {{- println }} - - {{- if eq .Values.proxy.service.type "NodePort" }} - The k8s Service {{ $proxy_service }} is exposed via NodePorts. That means - that all the k8s cluster's nodes are exposing the k8s Service via those - ports. - - Try insecure HTTP access: http://:{{ .Values.proxy.service.nodePorts.http | default "no-http-nodeport-set"}} - Try secure HTTPS access: https://:{{ .Values.proxy.service.nodePorts.https | default "no-https-nodeport-set" }} - - {{- else }} - If your computer is outside the k8s cluster, you can port-forward traffic to - the k8s Service {{ $proxy_service }} with kubectl to access it from your - computer. - - kubectl --namespace={{ .Release.Namespace }} port-forward service/{{ $proxy_service }} 8080:http - - Try insecure HTTP access: http://localhost:8080 - {{- end }} - {{- end }} - {{- println }} - - - - - -{{- /* - Warnings for likely misconfiguration -*/}} - -{{- if and (not .Values.scheduling.podPriority.enabled) (and .Values.scheduling.userPlaceholder.enabled .Values.scheduling.userPlaceholder.replicas) }} -################################################################################# -###### WARNING: You are using user placeholders without pod priority ##### -###### enabled*, either enable pod priority or stop using the ##### -###### user placeholders** to avoid having placeholders that ##### -###### refuse to make room for a real user. ##### -###### ##### -###### *scheduling.podPriority.enabled ##### -###### **scheduling.userPlaceholder.enabled ##### -###### **scheduling.userPlaceholder.replicas ##### -################################################################################# -{{- println }} -{{- end }} - - - - - -{{- /* - Breaking changes. -*/}} - -{{- $breaking := "" }} -{{- $breaking_title := "\n" }} -{{- $breaking_title = print $breaking_title "\n#################################################################################" }} -{{- $breaking_title = print $breaking_title "\n###### BREAKING: The config values passed contained no longer accepted #####" }} -{{- $breaking_title = print $breaking_title "\n###### options. See the messages below for more details. #####" }} -{{- $breaking_title = print $breaking_title "\n###### #####" }} -{{- $breaking_title = print $breaking_title "\n###### To verify your updated config is accepted, you can use #####" }} -{{- $breaking_title = print $breaking_title "\n###### the `helm template` command. #####" }} -{{- $breaking_title = print $breaking_title "\n#################################################################################" }} - - -{{- /* - This is an example (in a helm template comment) on how to detect and - communicate with regards to a breaking chart config change. - - {{- if hasKey .Values.singleuser.cloudMetadata "enabled" }} - {{- $breaking = print $breaking "\n\nCHANGED: singleuser.cloudMetadata.enabled must as of 1.0.0 be configured using singleuser.cloudMetadata.blockWithIptables with the opposite value." }} - {{- end }} -*/}} - - -{{- if hasKey .Values.rbac "enabled" }} -{{- $breaking = print $breaking "\n\nCHANGED: rbac.enabled must as of version 2.0.0 be configured via rbac.create and .serviceAccount.create." }} -{{- end }} - - -{{- if hasKey .Values.hub "fsGid" }} -{{- $breaking = print $breaking "\n\nCHANGED: hub.fsGid must as of version 2.0.0 be configured via hub.podSecurityContext.fsGroup." }} -{{- end }} - - -{{- if $breaking }} -{{- fail (print $breaking_title $breaking "\n\n") }} -{{- end }} diff --git a/charts/application-hub/templates/_helpers-names.tpl b/charts/application-hub/templates/_helpers-names.tpl deleted file mode 100644 index bbb5864..0000000 --- a/charts/application-hub/templates/_helpers-names.tpl +++ /dev/null @@ -1,306 +0,0 @@ -{{- /* - These helpers encapsulates logic on how we name resources. They also enable - parent charts to reference these dynamic resource names. - - To avoid duplicating documentation, for more information, please see the the - fullnameOverride entry in schema.yaml or the configuration reference that - schema.yaml renders to. - - https://z2jh.jupyter.org/en/latest/resources/reference.html#fullnameOverride -*/}} - - - -{{- /* - Utility templates -*/}} - -{{- /* - Renders to a prefix for the chart's resource names. This prefix is assumed to - make the resource name cluster unique. -*/}} -{{- define "jupyterhub.fullname" -}} - {{- /* - We have implemented a trick to allow a parent chart depending on this - chart to call these named templates. - - Caveats and notes: - - 1. While parent charts can reference these, grandparent charts can't. - 2. Parent charts must not use an alias for this chart. - 3. There is no failsafe workaround to above due to - https://github.com/helm/helm/issues/9214. - 4. .Chart is of its own type (*chart.Metadata) and needs to be casted - using "toYaml | fromYaml" in order to be able to use normal helm - template functions on it. - */}} - {{- $fullname_override := .Values.fullnameOverride }} - {{- $name_override := .Values.nameOverride }} - {{- if ne .Chart.Name "jupyterhub" }} - {{- if .Values.jupyterhub }} - {{- $fullname_override = .Values.jupyterhub.fullnameOverride }} - {{- $name_override = .Values.jupyterhub.nameOverride }} - {{- end }} - {{- end }} - - {{- if eq (typeOf $fullname_override) "string" }} - {{- $fullname_override }} - {{- else }} - {{- $name := $name_override | default .Chart.Name }} - {{- if contains $name .Release.Name }} - {{- .Release.Name }} - {{- else }} - {{- .Release.Name }}-{{ $name }} - {{- end }} - {{- end }} -{{- end }} - -{{- /* - Renders to a blank string or if the fullname template is truthy renders to it - with an appended dash. -*/}} -{{- define "jupyterhub.fullname.dash" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.fullname" . }}- - {{- end }} -{{- end }} - - - -{{- /* - Namespaced resources -*/}} - -{{- /* hub Deployment */}} -{{- define "jupyterhub.hub.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}hub -{{- end }} - -{{- /* hub-serviceaccount ServiceAccount */}} -{{- define "jupyterhub.hub-serviceaccount.fullname" -}} - {{- if .Values.hub.serviceAccount.create }} - {{- .Values.hub.serviceAccount.name | default (include "jupyterhub.hub.fullname" .) }} - {{- else }} - {{- .Values.hub.serviceAccount.name | default "default" }} - {{- end }} -{{- end }} - -{{- /* hub-existing-secret Secret */}} -{{- define "jupyterhub.hub-existing-secret.fullname" -}} - {{- /* A hack to avoid issues from invoking this from a parent Helm chart. */}} - {{- $existing_secret := .Values.hub.existingSecret }} - {{- if ne .Chart.Name "jupyterhub" }} - {{- $existing_secret = .Values.jupyterhub.hub.existingSecret }} - {{- end }} - {{- if $existing_secret }} - {{- $existing_secret }} - {{- end }} -{{- end }} - -{{- /* hub-existing-secret-or-default Secret */}} -{{- define "jupyterhub.hub-existing-secret-or-default.fullname" -}} - {{- include "jupyterhub.hub-existing-secret.fullname" . | default (include "jupyterhub.hub.fullname" .) }} -{{- end }} - -{{- /* hub PVC */}} -{{- define "jupyterhub.hub-pvc.fullname" -}} - {{- include "jupyterhub.hub.fullname" . }}-db-dir -{{- end }} - -{{- /* proxy Deployment */}} -{{- define "jupyterhub.proxy.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}proxy -{{- end }} - -{{- /* proxy-api Service */}} -{{- define "jupyterhub.proxy-api.fullname" -}} - {{- include "jupyterhub.proxy.fullname" . }}-api -{{- end }} - -{{- /* proxy-http Service */}} -{{- define "jupyterhub.proxy-http.fullname" -}} - {{- include "jupyterhub.proxy.fullname" . }}-http -{{- end }} - -{{- /* proxy-public Service */}} -{{- define "jupyterhub.proxy-public.fullname" -}} - {{- include "jupyterhub.proxy.fullname" . }}-public -{{- end }} - -{{- /* proxy-public-tls Secret */}} -{{- define "jupyterhub.proxy-public-tls.fullname" -}} - {{- include "jupyterhub.proxy-public.fullname" . }}-tls-acme -{{- end }} - -{{- /* proxy-public-manual-tls Secret */}} -{{- define "jupyterhub.proxy-public-manual-tls.fullname" -}} - {{- include "jupyterhub.proxy-public.fullname" . }}-manual-tls -{{- end }} - -{{- /* autohttps Deployment */}} -{{- define "jupyterhub.autohttps.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}autohttps -{{- end }} - -{{- /* autohttps-serviceaccount ServiceAccount */}} -{{- define "jupyterhub.autohttps-serviceaccount.fullname" -}} - {{- if .Values.proxy.traefik.serviceAccount.create }} - {{- .Values.proxy.traefik.serviceAccount.name | default (include "jupyterhub.autohttps.fullname" .) }} - {{- else }} - {{- .Values.proxy.traefik.serviceAccount.name | default "default" }} - {{- end }} -{{- end }} - -{{- /* user-scheduler Deployment */}} -{{- define "jupyterhub.user-scheduler-deploy.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}user-scheduler -{{- end }} - -{{- /* user-scheduler-serviceaccount ServiceAccount */}} -{{- define "jupyterhub.user-scheduler-serviceaccount.fullname" -}} - {{- if .Values.scheduling.userScheduler.serviceAccount.create }} - {{- .Values.scheduling.userScheduler.serviceAccount.name | default (include "jupyterhub.user-scheduler-deploy.fullname" .) }} - {{- else }} - {{- .Values.scheduling.userScheduler.serviceAccount.name | default "default" }} - {{- end }} -{{- end }} - -{{- /* user-scheduler leader election lock resource */}} -{{- define "jupyterhub.user-scheduler-lock.fullname" -}} - {{- include "jupyterhub.user-scheduler-deploy.fullname" . }}-lock -{{- end }} - -{{- /* user-placeholder StatefulSet */}} -{{- define "jupyterhub.user-placeholder.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}user-placeholder -{{- end }} - -{{- /* image-awaiter Job */}} -{{- define "jupyterhub.hook-image-awaiter.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}hook-image-awaiter -{{- end }} - -{{- /* image-awaiter-serviceaccount ServiceAccount */}} -{{- define "jupyterhub.hook-image-awaiter-serviceaccount.fullname" -}} - {{- if .Values.prePuller.hook.serviceAccount.create }} - {{- .Values.prePuller.hook.serviceAccount.name | default (include "jupyterhub.hook-image-awaiter.fullname" .) }} - {{- else }} - {{- .Values.prePuller.hook.serviceAccount.name | default "default" }} - {{- end }} -{{- end }} - -{{- /* hook-image-puller DaemonSet */}} -{{- define "jupyterhub.hook-image-puller.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}hook-image-puller -{{- end }} - -{{- /* continuous-image-puller DaemonSet */}} -{{- define "jupyterhub.continuous-image-puller.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}continuous-image-puller -{{- end }} - -{{- /* singleuser NetworkPolicy */}} -{{- define "jupyterhub.singleuser.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}singleuser -{{- end }} - -{{- /* image-pull-secret Secret */}} -{{- define "jupyterhub.image-pull-secret.fullname" -}} - {{- include "jupyterhub.fullname.dash" . }}image-pull-secret -{{- end }} - -{{- /* Ingress */}} -{{- define "jupyterhub.ingress.fullname" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.fullname" . }} - {{- else -}} - jupyterhub - {{- end }} -{{- end }} - - - -{{- /* - Cluster wide resources - - We enforce uniqueness of names for our cluster wide resources. We assume that - the prefix from setting fullnameOverride to null or a string will be cluster - unique. -*/}} - -{{- /* Priority */}} -{{- define "jupyterhub.priority.fullname" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.fullname" . }} - {{- else }} - {{- .Release.Name }}-default-priority - {{- end }} -{{- end }} - -{{- /* user-placeholder Priority */}} -{{- define "jupyterhub.user-placeholder-priority.fullname" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.user-placeholder.fullname" . }} - {{- else }} - {{- .Release.Name }}-user-placeholder-priority - {{- end }} -{{- end }} - -{{- /* image-puller Priority */}} -{{- define "jupyterhub.image-puller-priority.fullname" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.fullname.dash" . }}image-puller - {{- else }} - {{- .Release.Name }}-image-puller-priority - {{- end }} -{{- end }} - -{{- /* user-scheduler's registered name */}} -{{- define "jupyterhub.user-scheduler.fullname" -}} - {{- if (include "jupyterhub.fullname" .) }} - {{- include "jupyterhub.user-scheduler-deploy.fullname" . }} - {{- else }} - {{- .Release.Name }}-user-scheduler - {{- end }} -{{- end }} - - - -{{- /* - A template to render all the named templates in this file for use in the - hub's ConfigMap. - - It is important we keep this in sync with the available templates. -*/}} -{{- define "jupyterhub.name-templates" -}} -fullname: {{ include "jupyterhub.fullname" . | quote }} -fullname-dash: {{ include "jupyterhub.fullname.dash" . | quote }} -hub: {{ include "jupyterhub.hub.fullname" . | quote }} -hub-serviceaccount: {{ include "jupyterhub.hub-serviceaccount.fullname" . | quote }} -hub-existing-secret: {{ include "jupyterhub.hub-existing-secret.fullname" . | quote }} -hub-existing-secret-or-default: {{ include "jupyterhub.hub-existing-secret-or-default.fullname" . | quote }} -hub-pvc: {{ include "jupyterhub.hub-pvc.fullname" . | quote }} -proxy: {{ include "jupyterhub.proxy.fullname" . | quote }} -proxy-api: {{ include "jupyterhub.proxy-api.fullname" . | quote }} -proxy-http: {{ include "jupyterhub.proxy-http.fullname" . | quote }} -proxy-public: {{ include "jupyterhub.proxy-public.fullname" . | quote }} -proxy-public-tls: {{ include "jupyterhub.proxy-public-tls.fullname" . | quote }} -proxy-public-manual-tls: {{ include "jupyterhub.proxy-public-manual-tls.fullname" . | quote }} -autohttps: {{ include "jupyterhub.autohttps.fullname" . | quote }} -autohttps-serviceaccount: {{ include "jupyterhub.autohttps-serviceaccount.fullname" . | quote }} -user-scheduler-deploy: {{ include "jupyterhub.user-scheduler-deploy.fullname" . | quote }} -user-scheduler-serviceaccount: {{ include "jupyterhub.user-scheduler-serviceaccount.fullname" . | quote }} -user-scheduler-lock: {{ include "jupyterhub.user-scheduler-lock.fullname" . | quote }} -user-placeholder: {{ include "jupyterhub.user-placeholder.fullname" . | quote }} -image-puller-priority: {{ include "jupyterhub.image-puller-priority.fullname" . | quote }} -hook-image-awaiter: {{ include "jupyterhub.hook-image-awaiter.fullname" . | quote }} -hook-image-awaiter-serviceaccount: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . | quote }} -hook-image-puller: {{ include "jupyterhub.hook-image-puller.fullname" . | quote }} -continuous-image-puller: {{ include "jupyterhub.continuous-image-puller.fullname" . | quote }} -singleuser: {{ include "jupyterhub.singleuser.fullname" . | quote }} -image-pull-secret: {{ include "jupyterhub.image-pull-secret.fullname" . | quote }} -ingress: {{ include "jupyterhub.ingress.fullname" . | quote }} -priority: {{ include "jupyterhub.priority.fullname" . | quote }} -user-placeholder-priority: {{ include "jupyterhub.user-placeholder-priority.fullname" . | quote }} -user-scheduler: {{ include "jupyterhub.user-scheduler.fullname" . | quote }} -{{- end }} diff --git a/charts/application-hub/templates/_helpers-netpol.tpl b/charts/application-hub/templates/_helpers-netpol.tpl deleted file mode 100644 index 5adbd3d..0000000 --- a/charts/application-hub/templates/_helpers-netpol.tpl +++ /dev/null @@ -1,86 +0,0 @@ -{{- /* - This named template renders egress rules for NetworkPolicy resources based on - common configuration. - - It is rendering based on the `egressAllowRules` and `egress` keys of the - passed networkPolicy config object. Each flag set to true under - `egressAllowRules` is rendered to a egress rule that next to any custom user - defined rules from the `egress` config. - - This named template needs to render based on a specific networkPolicy - resource, but also needs access to the root context. Due to that, it - accepts a list as its scope, where the first element is supposed to be the - root context and the second element is supposed to be the networkPolicy - configuration object. - - As an example, this is how you would render this named template from a - NetworkPolicy resource under its egress: - - egress: - # other rules here... - - {{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.hub.networkPolicy)) }} - {{- . | nindent 4 }} - {{- end }} - - Note that the reference to privateIPs and nonPrivateIPs relate to - https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses. -*/}} - -{{- define "jupyterhub.networkPolicy.renderEgressRules" -}} -{{- $root := index . 0 }} -{{- $netpol := index . 1 }} -{{- if $netpol.egressAllowRules.dnsPortsPrivateIPs }} -# Allow outbound connections to the DNS port in the private IP ranges -- ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 - to: - - ipBlock: - cidr: 10.0.0.0/8 - - ipBlock: - cidr: 172.16.0.0/12 - - ipBlock: - cidr: 192.168.0.0/16 -{{- end }} - -{{- if $netpol.egressAllowRules.nonPrivateIPs }} -# Allow outbound connections to non-private IP ranges -- to: - - ipBlock: - cidr: 0.0.0.0/0 - except: - # As part of this rule, don't: - # - allow outbound connections to private IP - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - # - allow outbound connections to the cloud metadata server - - {{ $root.Values.singleuser.cloudMetadata.ip }}/32 -{{- end }} - -{{- if $netpol.egressAllowRules.privateIPs }} -# Allow outbound connections to private IP ranges -- to: - - ipBlock: - cidr: 10.0.0.0/8 - - ipBlock: - cidr: 172.16.0.0/12 - - ipBlock: - cidr: 192.168.0.0/16 -{{- end }} - -{{- if $netpol.egressAllowRules.cloudMetadataServer }} -# Allow outbound connections to the cloud metadata server -- to: - - ipBlock: - cidr: {{ $root.Values.singleuser.cloudMetadata.ip }}/32 -{{- end }} - -{{- with $netpol.egress }} -# Allow outbound connections based on user specified rules -{{ . | toYaml }} -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/hub/_helpers-passwords.tpl b/charts/application-hub/templates/hub/_helpers-passwords.tpl deleted file mode 100644 index 83edf70..0000000 --- a/charts/application-hub/templates/hub/_helpers-passwords.tpl +++ /dev/null @@ -1,92 +0,0 @@ -{{- /* - This file contains logic to lookup already - generated passwords or generate a new. - - proxy.secretToken / hub.config.ConfigurableHTTPProxy.auth_token - hub.cookieSecret / hub.config.JupyterHub.cookie_secret - auth.state.cryptoKey* / hub.config.CryptKeeper.keys - - *Note that the entire auth section is deprecated and users - are forced through "fail" in NOTES.txt to migrate to hub.config. - - Note that lookup logic returns falsy value when run with - `helm diff upgrade`, so it is a bit troublesome to test. -*/}} - -{{- /* - Returns given number of random Hex characters. - - - randNumeric 4 | atoi generates a random number in [0, 10^4) - This is a range range evenly divisble by 16, but even if off by one, - that last partial interval offsetting randomness is only 1 part in 625. - - mod N 16 maps to the range 0-15 - - printf "%x" represents a single number 0-15 as a single hex character -*/}} -{{- define "jupyterhub.randHex" -}} - {{- $result := "" }} - {{- range $i := until . }} - {{- $rand_hex_char := mod (randNumeric 4 | atoi) 16 | printf "%x" }} - {{- $result = print $result $rand_hex_char }} - {{- end }} - {{- $result }} -{{- end }} - -{{- define "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" -}} - {{- if (.Values.hub.config | dig "ConfigurableHTTPProxy" "auth_token" "") }} - {{- .Values.hub.config.ConfigurableHTTPProxy.auth_token }} - {{- else if .Values.proxy.secretToken }} - {{- .Values.proxy.secretToken }} - {{- else }} - {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }} - {{- if hasKey $k8s_state.data "hub.config.ConfigurableHTTPProxy.auth_token" }} - {{- index $k8s_state.data "hub.config.ConfigurableHTTPProxy.auth_token" | b64dec }} - {{- else }} - {{- randAlphaNum 64 }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "jupyterhub.hub.config.JupyterHub.cookie_secret" -}} - {{- if (.Values.hub.config | dig "JupyterHub" "cookie_secret" "") }} - {{- .Values.hub.config.JupyterHub.cookie_secret }} - {{- else if .Values.hub.cookieSecret }} - {{- .Values.hub.cookieSecret }} - {{- else }} - {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }} - {{- if hasKey $k8s_state.data "hub.config.JupyterHub.cookie_secret" }} - {{- index $k8s_state.data "hub.config.JupyterHub.cookie_secret" | b64dec }} - {{- else }} - {{- include "jupyterhub.randHex" 64 }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "jupyterhub.hub.config.CryptKeeper.keys" -}} - {{- if (.Values.hub.config | dig "CryptKeeper" "keys" "") }} - {{- .Values.hub.config.CryptKeeper.keys | join ";" }} - {{- else }} - {{- $k8s_state := lookup "v1" "Secret" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }} - {{- if hasKey $k8s_state.data "hub.config.CryptKeeper.keys" }} - {{- index $k8s_state.data "hub.config.CryptKeeper.keys" | b64dec }} - {{- else }} - {{- include "jupyterhub.randHex" 64 }} - {{- end }} - {{- end }} -{{- end }} - -{{- define "jupyterhub.hub.services.get_api_token" -}} - {{- $_ := index . 0 }} - {{- $service_key := index . 1 }} - {{- $explicitly_set_api_token := or ($_.Values.hub.services | dig $service_key "api_token" "") ($_.Values.hub.services | dig $service_key "apiToken" "") }} - {{- if $explicitly_set_api_token }} - {{- $explicitly_set_api_token }} - {{- else }} - {{- $k8s_state := lookup "v1" "Secret" $_.Release.Namespace (include "jupyterhub.hub.fullname" $_) | default (dict "data" (dict)) }} - {{- $k8s_secret_key := print "hub.services." $service_key ".apiToken" }} - {{- if hasKey $k8s_state.data $k8s_secret_key }} - {{- index $k8s_state.data $k8s_secret_key | b64dec }} - {{- else }} - {{- include "jupyterhub.randHex" 64 }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/hub/configmap.yaml b/charts/application-hub/templates/hub/configmap.yaml deleted file mode 100644 index 128a6a0..0000000 --- a/charts/application-hub/templates/hub/configmap.yaml +++ /dev/null @@ -1,30 +0,0 @@ -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -data: - {{- /* - Resource names exposed to reliably reference them. - - user-scheduler: "my-helm-release-user-scheduler" - ... - */}} - {{- include "jupyterhub.name-templates" . | nindent 2 }} - - {{- /* - Glob files to allow them to be mounted by the hub pod - - jupyterhub_config: | - multi line string content... - z2jh.py: | - multi line string content... - */}} - {{- (.Files.Glob "files/hub/*").AsConfig | nindent 2 }} - - {{- /* - Store away a checksum of the hook-image-puller daemonset so future upgrades - can compare and decide if it should run or not using the `lookup` function. - */}} - checksum_hook-image-puller: {{ include "jupyterhub.imagePuller.daemonset.hook.checksum" . | quote }} diff --git a/charts/application-hub/templates/hub/deployment.yaml b/charts/application-hub/templates/hub/deployment.yaml deleted file mode 100644 index d6e1c63..0000000 --- a/charts/application-hub/templates/hub/deployment.yaml +++ /dev/null @@ -1,243 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if typeIs "int" .Values.hub.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.hub.revisionHistoryLimit }} - {{- end }} - replicas: 1 - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - strategy: - {{- .Values.hub.deploymentStrategy | toYaml | nindent 4 }} - template: - metadata: - labels: - {{- /* Changes here will cause the Deployment to restart the pods. */}} - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - hub.jupyter.org/network-access-proxy-api: "true" - hub.jupyter.org/network-access-proxy-http: "true" - hub.jupyter.org/network-access-singleuser: "true" - {{- with .Values.hub.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - annotations: - {{- /* This lets us autorestart when the secret changes! */}} - checksum/config-map: {{ include (print .Template.BasePath "/hub/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print .Template.BasePath "/hub/secret.yaml") . | sha256sum }} - {{- with .Values.hub.annotations }} - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.priority.fullname" . }} - {{- end }} - {{- with .Values.hub.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.corePods.tolerations .Values.hub.tolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- include "jupyterhub.coreAffinity" . | nindent 6 }} - volumes: - - name: config - configMap: - name: {{ include "jupyterhub.hub.fullname" . }} - - name: secret - secret: - secretName: {{ include "jupyterhub.hub.fullname" . }} - {{- with (include "jupyterhub.hub-existing-secret.fullname" .) }} - - name: existing-secret - secret: - secretName: {{ . }} - {{- end }} - {{- if .Values.hub.extraFiles }} - - name: files - secret: - secretName: {{ include "jupyterhub.hub.fullname" . }} - items: - {{- range $file_key, $file_details := .Values.hub.extraFiles }} - - key: {{ $file_key | quote }} - path: {{ $file_key | quote }} - {{- with $file_details.mode }} - mode: {{ . }} - {{- end }} - {{- end }} - {{- end }} - {{- with .Values.hub.extraVolumes }} - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- if eq .Values.hub.db.type "sqlite-pvc" }} - - name: pvc - persistentVolumeClaim: - claimName: {{ include "jupyterhub.hub-pvc.fullname" . }} - {{- end }} - {{- with include "jupyterhub.hub-serviceaccount.fullname" . }} - serviceAccountName: {{ . }} - {{- end }} - {{- with .Values.hub.podSecurityContext }} - securityContext: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.hub.image) }} - imagePullSecrets: {{ . }} - {{- end }} - {{- with .Values.hub.initContainers }} - initContainers: - {{- . | toYaml | nindent 8 }} - {{- end }} - containers: - {{- with .Values.hub.extraContainers }} - {{- . | toYaml | nindent 8 }} - {{- end }} - - name: hub - image: {{ .Values.hub.image.name }}:{{ .Values.hub.image.tag }} - {{- with .Values.hub.command }} - command: - {{- range . }} - - {{ tpl . $ }} - {{- end }} - {{- end }} - args: - {{- /* .Values.hub.args overrides everything the Helm chart otherside would set */}} - {{- if .Values.hub.args }} - {{- range .Values.hub.args }} - - {{ tpl . $ }} - {{- end }} - - {{- /* .Values.hub.args didn't replace the default logic */}} - {{- else }} - - jupyterhub - - --config - - /usr/local/etc/jupyterhub/jupyterhub_config.py - {{- if .Values.debug.enabled }} - - --debug - {{- end }} - {{- /* NOTE: - We want to do automatic upgrades for sqlite-pvc by default, but - allow users to opt out of that if they want. Users using their own - db need to 'opt in' Go Templates treat nil and "" and false as - 'false', making this code complex. We can probably make this a - one-liner, but doing combinations of boolean vars in go templates - is very inelegant & hard to reason about. - */}} - {{- $upgradeType := typeOf .Values.hub.db.upgrade }} - {{- if eq $upgradeType "bool" }} - {{- /* .Values.hub.db.upgrade has been explicitly set to true or false */}} - {{- if .Values.hub.db.upgrade }} - - --upgrade-db - {{- end }} - {{- else if eq $upgradeType "" }} - {{- /* .Values.hub.db.upgrade is nil */}} - {{- if eq .Values.hub.db.type "sqlite-pvc" }} - - --upgrade-db - {{- end }} - {{- end }} - {{- end }} - volumeMounts: - - mountPath: /usr/local/etc/jupyterhub/jupyterhub_config.py - subPath: jupyterhub_config.py - name: config - - mountPath: /usr/local/etc/jupyterhub/z2jh.py - subPath: z2jh.py - name: config - - mountPath: /usr/local/etc/jupyterhub/config/ - name: config - - mountPath: /usr/local/etc/jupyterhub/secret/ - name: secret - {{- if (include "jupyterhub.hub-existing-secret.fullname" .) }} - - mountPath: /usr/local/etc/jupyterhub/existing-secret/ - name: existing-secret - {{- end }} - {{- range $file_key, $file_details := .Values.hub.extraFiles }} - - mountPath: {{ $file_details.mountPath }} - subPath: {{ $file_key | quote }} - name: files - {{- end }} - {{- with .Values.hub.extraVolumeMounts }} - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- if eq .Values.hub.db.type "sqlite-pvc" }} - - mountPath: /srv/jupyterhub - name: pvc - {{- with .Values.hub.db.pvc.subPath }} - subPath: {{ . | quote }} - {{- end }} - {{- end }} - {{- with .Values.hub.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.hub.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - {{- with .Values.hub.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.hub.lifecycle }} - lifecycle: - {{- . | toYaml | nindent 12 }} - {{- end }} - env: - - name: PYTHONUNBUFFERED - value: "1" - - name: HELM_RELEASE_NAME - value: {{ .Release.Name | quote }} - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: CONFIGPROXY_AUTH_TOKEN - valueFrom: - secretKeyRef: - {{- /* NOTE: - References the chart managed k8s Secret even if - hub.existingSecret is specified to avoid using the lookup - function on the user managed k8s Secret which is assumed to - not be possible. - */}} - name: {{ include "jupyterhub.hub.fullname" . }} - key: hub.config.ConfigurableHTTPProxy.auth_token - {{- with .Values.hub.extraEnv }} - {{- include "jupyterhub.extraEnv" . | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: 8081 - {{- if .Values.hub.livenessProbe.enabled }} - {{- /* NOTE: - We don't know how long hub database upgrades could take so having a - liveness probe could be a bit risky unless we put a - initialDelaySeconds value with long enough margin for that to not be - an issue. If it is too short, we could end up aborting database - upgrades midway or ending up in an infinite restart loop. - */}} - livenessProbe: - initialDelaySeconds: {{ .Values.hub.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.hub.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.hub.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.hub.livenessProbe.failureThreshold }} - httpGet: - path: {{ .Values.hub.baseUrl | trimSuffix "/" }}/hub/health - port: http - {{- end }} - {{- if .Values.hub.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.hub.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.hub.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.hub.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.hub.readinessProbe.failureThreshold }} - httpGet: - path: {{ .Values.hub.baseUrl | trimSuffix "/" }}/hub/health - port: http - {{- end }} - {{- with .Values.hub.extraPodSpec }} - {{- . | toYaml | nindent 6 }} - {{- end }} diff --git a/charts/application-hub/templates/hub/netpol.yaml b/charts/application-hub/templates/hub/netpol.yaml deleted file mode 100644 index 904b2c3..0000000 --- a/charts/application-hub/templates/hub/netpol.yaml +++ /dev/null @@ -1,84 +0,0 @@ -{{- if .Values.hub.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - - # IMPORTANT: - # NetworkPolicy's ingress "from" and egress "to" rule specifications require - # great attention to detail. A quick summary is: - # - # 1. You can provide "from"/"to" rules that provide access either ports or a - # subset of ports. - # 2. You can for each "from"/"to" rule provide any number of - # "sources"/"destinations" of four different kinds. - # - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy - # - namespaceSelector - targets all pods running in namespaces with a certain label - # - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label - # - ipBlock - targets network traffic from/to a set of IP address ranges - # - # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors - # - ingress: - {{- with .Values.hub.networkPolicy.allowedIngressPorts }} - # allow incoming traffic to these ports independent of source - - ports: - {{- range $port := . }} - - port: {{ $port }} - {{- end }} - {{- end }} - - # allowed pods (hub.jupyter.org/network-access-hub) --> hub - - ports: - - port: http - from: - # source 1 - labeled pods - - podSelector: - matchLabels: - hub.jupyter.org/network-access-hub: "true" - {{- if eq .Values.hub.networkPolicy.interNamespaceAccessLabels "accept" }} - namespaceSelector: - matchLabels: {} # without this, the podSelector would only consider pods in the local namespace - # source 2 - pods in labeled namespaces - - namespaceSelector: - matchLabels: - hub.jupyter.org/network-access-hub: "true" - {{- end }} - - {{- with .Values.hub.networkPolicy.ingress }} - # depends, but default is nothing --> hub - {{- . | toYaml | nindent 4 }} - {{- end }} - - egress: - # hub --> proxy - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "proxy") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8001 - - # hub --> singleuser-server - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "singleuser-server") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8888 - - {{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.hub.networkPolicy)) }} - {{- . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/hub/pdb.yaml b/charts/application-hub/templates/hub/pdb.yaml deleted file mode 100644 index 3a22e39..0000000 --- a/charts/application-hub/templates/hub/pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.hub.pdb.enabled -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- /* k8s 1.21+ required */ -}} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if not (typeIs "" .Values.hub.pdb.maxUnavailable) }} - maxUnavailable: {{ .Values.hub.pdb.maxUnavailable }} - {{- end }} - {{- if not (typeIs "" .Values.hub.pdb.minAvailable) }} - minAvailable: {{ .Values.hub.pdb.minAvailable }} - {{- end }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/application-hub/templates/hub/pvc.yaml b/charts/application-hub/templates/hub/pvc.yaml deleted file mode 100644 index a433a97..0000000 --- a/charts/application-hub/templates/hub/pvc.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if eq .Values.hub.db.type "sqlite-pvc" -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.hub-pvc.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - {{- with .Values.hub.db.pvc.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} -spec: - {{- with .Values.hub.db.pvc.selector }} - selector: - {{- . | toYaml | nindent 4 }} - {{- end }} - {{- if typeIs "string" .Values.hub.db.pvc.storageClassName }} - storageClassName: {{ .Values.hub.db.pvc.storageClassName | quote }} - {{- end }} - accessModes: - {{- .Values.hub.db.pvc.accessModes | toYaml | nindent 4 }} - resources: - requests: - storage: {{ .Values.hub.db.pvc.storage | quote }} -{{- end }} diff --git a/charts/application-hub/templates/hub/rbac.yaml b/charts/application-hub/templates/hub/rbac.yaml deleted file mode 100644 index 3abf00e..0000000 --- a/charts/application-hub/templates/hub/rbac.yaml +++ /dev/null @@ -1,30 +0,0 @@ -{{- if .Values.rbac.create -}} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -rules: - - apiGroups: [""] # "" indicates the core API group - resources: ["pods", "persistentvolumeclaims", "secrets", "services"] - verbs: ["get", "watch", "list", "create", "delete"] - - apiGroups: [""] # "" indicates the core API group - resources: ["events"] - verbs: ["get", "watch", "list"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ include "jupyterhub.hub-serviceaccount.fullname" . }} - namespace: "{{ .Release.Namespace }}" -roleRef: - kind: Role - name: {{ include "jupyterhub.hub.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/charts/application-hub/templates/hub/secret.yaml b/charts/application-hub/templates/hub/secret.yaml deleted file mode 100644 index 851bda0..0000000 --- a/charts/application-hub/templates/hub/secret.yaml +++ /dev/null @@ -1,50 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -type: Opaque -data: - {{- $values := merge dict .Values }} - {{- /* also passthrough subset of Chart / Release */}} - {{- $_ := set $values "Chart" (dict "Name" .Chart.Name "Version" .Chart.Version) }} - {{- $_ := set $values "Release" (pick .Release "Name" "Namespace" "Service") }} - values.yaml: {{ $values | toYaml | b64enc | quote }} - - {{- with .Values.hub.db.password }} - # Used to mount MYSQL_PWD or PGPASSWORD on hub pod, unless hub.existingSecret - # is set as then that k8s Secret's value must be specified instead. - hub.db.password: {{ . | b64enc | quote }} - {{- end }} - - # Any JupyterHub Services api_tokens are exposed in this k8s Secret as a - # convinience for external services running in the k8s cluster that could - # mount them directly from this k8s Secret. - {{- range $key, $service := .Values.hub.services }} - hub.services.{{ $key }}.apiToken: {{ include "jupyterhub.hub.services.get_api_token" (list $ $key) | b64enc | quote }} - {{- end }} - - # During Helm template rendering, these values that can be autogenerated for - # users are set using the following logic: - # - # 1. Use chart configuration's value - # 2. Use k8s Secret's value - # 3. Use a new autogenerated value - # - # hub.config.ConfigurableHTTPProxy.auth_token: for hub to proxy-api authorization (JupyterHub.proxy_auth_token is deprecated) - # hub.config.JupyterHub.cookie_secret: for cookie encryption - # hub.config.CryptKeeper.keys: for auth state encryption - # - hub.config.ConfigurableHTTPProxy.auth_token: {{ include "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" . | required "This should not happen: blank output from 'jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token' template" | b64enc | quote }} - hub.config.JupyterHub.cookie_secret: {{ include "jupyterhub.hub.config.JupyterHub.cookie_secret" . | required "This should not happen: blank output from 'jupyterhub.hub.config.JupyterHub.cookie_secret' template" | b64enc | quote }} - hub.config.CryptKeeper.keys: {{ include "jupyterhub.hub.config.CryptKeeper.keys" . | required "This should not happen: blank output from 'jupyterhub.hub.config.CryptKeeper.keys' template" | b64enc | quote }} - - {{- with include "jupyterhub.extraFiles.data" .Values.hub.extraFiles }} - {{- . | nindent 2 }} - {{- end }} - -{{- with include "jupyterhub.extraFiles.stringData" .Values.hub.extraFiles }} -stringData: - {{- . | nindent 2 }} -{{- end }} diff --git a/charts/application-hub/templates/hub/service.yaml b/charts/application-hub/templates/hub/service.yaml deleted file mode 100644 index 13f80b5..0000000 --- a/charts/application-hub/templates/hub/service.yaml +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ include "jupyterhub.hub.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - annotations: - {{- if not (index .Values.hub.service.annotations "prometheus.io/scrape") }} - prometheus.io/scrape: "true" - {{- end }} - {{- if not (index .Values.hub.service.annotations "prometheus.io/path") }} - prometheus.io/path: {{ .Values.hub.baseUrl | trimSuffix "/" }}/hub/metrics - {{- end }} - {{- if not (index .Values.hub.service.annotations "prometheus.io/port") }} - prometheus.io/port: "8081" - {{- end }} - {{- with .Values.hub.service.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} -spec: - type: {{ .Values.hub.service.type }} - {{- with .Values.hub.service.loadBalancerIP }} - loadBalancerIP: {{ . }} - {{- end }} - selector: - {{- include "jupyterhub.matchLabels" . | nindent 4 }} - ports: - - name: hub - port: 8081 - targetPort: http - {{- with .Values.hub.service.ports.nodePort }} - nodePort: {{ . }} - {{- end }} - - {{- with .Values.hub.service.extraPorts }} - {{- . | toYaml | nindent 4 }} - {{- end }} diff --git a/charts/application-hub/templates/hub/serviceaccount.yaml b/charts/application-hub/templates/hub/serviceaccount.yaml deleted file mode 100644 index 06a5069..0000000 --- a/charts/application-hub/templates/hub/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- if .Values.hub.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jupyterhub.hub-serviceaccount.fullname" . }} - {{- with .Values.hub.serviceAccount.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -{{- end }} diff --git a/charts/application-hub/templates/image-pull-secret.yaml b/charts/application-hub/templates/image-pull-secret.yaml deleted file mode 100644 index e033ec6..0000000 --- a/charts/application-hub/templates/image-pull-secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.imagePullSecret.create }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.image-pull-secret.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation - "helm.sh/hook-weight": "-20" -type: kubernetes.io/dockerconfigjson -data: - .dockerconfigjson: {{ include "jupyterhub.dockerconfigjson" . }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/_helpers-daemonset.tpl b/charts/application-hub/templates/image-puller/_helpers-daemonset.tpl deleted file mode 100644 index 1fe8276..0000000 --- a/charts/application-hub/templates/image-puller/_helpers-daemonset.tpl +++ /dev/null @@ -1,251 +0,0 @@ -{{- /* -Returns an image-puller daemonset. Two daemonsets will be created like this. -- hook-image-puller: for pre helm upgrade image pulling (lives temporarily) -- continuous-image-puller: for newly added nodes image pulling -*/}} -{{- define "jupyterhub.imagePuller.daemonset" -}} -apiVersion: apps/v1 -kind: DaemonSet -metadata: - {{- if .hook }} - name: {{ include "jupyterhub.hook-image-puller.fullname" . }} - {{- else }} - name: {{ include "jupyterhub.continuous-image-puller.fullname" . }} - {{- end }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - {{- if .hook }} - hub.jupyter.org/deletable: "true" - {{- end }} - {{- if .hook }} - annotations: - {{- /* - Allows the daemonset to be deleted when the image-awaiter job is completed. - */}} - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "-10" - {{- end }} -spec: - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - updateStrategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 100% - {{- if typeIs "int" .Values.prePuller.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.prePuller.revisionHistoryLimit }} - {{- end }} - template: - metadata: - labels: - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - {{- with .Values.prePuller.annotations }} - annotations: - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - {{- /* - image-puller pods are made evictable to save on the k8s pods - per node limit all k8s clusters have and have a higher priority - than user-placeholder pods that could block an entire node. - */}} - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.image-puller-priority.fullname" . }} - {{- end }} - {{- with .Values.singleuser.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.userPods.tolerations .Values.singleuser.extraTolerations .Values.prePuller.extraTolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- if include "jupyterhub.userNodeAffinityRequired" . }} - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - {{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }} - {{- end }} - terminationGracePeriodSeconds: 0 - automountServiceAccountToken: false - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.singleuser.image) }} - imagePullSecrets: {{ . }} - {{- end }} - initContainers: - {{- /* --- Conditionally pull an image all user pods will use in an initContainer --- */}} - {{- $blockWithIptables := hasKey .Values.singleuser.cloudMetadata "enabled" | ternary (not .Values.singleuser.cloudMetadata.enabled) .Values.singleuser.cloudMetadata.blockWithIptables }} - {{- if $blockWithIptables }} - - name: image-pull-metadata-block - image: {{ .Values.singleuser.networkTools.image.name }}:{{ .Values.singleuser.networkTools.image.tag }} - {{- with .Values.singleuser.networkTools.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - command: - - /bin/sh - - -c - - echo "Pulling complete" - {{- with .Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.prePuller.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- end }} - - {{- /* --- Pull default image --- */}} - - name: image-pull-singleuser - image: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }} - command: - - /bin/sh - - -c - - echo "Pulling complete" - {{- with .Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.prePuller.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - - {{- /* --- Pull extra containers' images --- */}} - {{- range $k, $container := concat .Values.singleuser.initContainers .Values.singleuser.extraContainers }} - - name: image-pull-singleuser-init-and-extra-containers-{{ $k }} - image: {{ $container.image }} - command: - - /bin/sh - - -c - - echo "Pulling complete" - {{- with $.Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with $.Values.prePuller.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- end }} - - {{- /* --- Conditionally pull profileList images --- */}} - {{- if .Values.prePuller.pullProfileListImages }} - {{- range $k, $container := .Values.singleuser.profileList }} - {{- if $container.kubespawner_override }} - {{- if $container.kubespawner_override.image }} - - name: image-pull-singleuser-profilelist-{{ $k }} - image: {{ $container.kubespawner_override.image }} - command: - - /bin/sh - - -c - - echo "Pulling complete" - {{- with $.Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with $.Values.prePuller.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - {{- end }} - - {{- /* --- Pull extra images --- */}} - {{- range $k, $v := .Values.prePuller.extraImages }} - - name: image-pull-{{ $k }} - image: {{ $v.name }}:{{ $v.tag }} - command: - - /bin/sh - - -c - - echo "Pulling complete" - {{- with $.Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with $.Values.prePuller.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- end }} - containers: - - name: pause - image: {{ .Values.prePuller.pause.image.name }}:{{ .Values.prePuller.pause.image.tag }} - {{- with .Values.prePuller.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.prePuller.pause.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} -{{- end }} - - -{{- /* - Returns a rendered k8s DaemonSet resource: continuous-image-puller -*/}} -{{- define "jupyterhub.imagePuller.daemonset.continuous" -}} - {{- $_ := merge (dict "hook" false "componentPrefix" "continuous-") . }} - {{- include "jupyterhub.imagePuller.daemonset" $_ }} -{{- end }} - - -{{- /* - Returns a rendered k8s DaemonSet resource: hook-image-puller -*/}} -{{- define "jupyterhub.imagePuller.daemonset.hook" -}} - {{- $_ := merge (dict "hook" true "componentPrefix" "hook-") . }} - {{- include "jupyterhub.imagePuller.daemonset" $_ }} -{{- end }} - - -{{- /* - Returns a checksum of the rendered k8s DaemonSet resource: hook-image-puller - - This checksum is used when prePuller.hook.pullOnlyOnChanges=true to decide if - it is worth creating the hook-image-puller associated resources. -*/}} -{{- define "jupyterhub.imagePuller.daemonset.hook.checksum" -}} - {{- /* - We pin componentLabel and Chart.Version as doing so can pin labels - of no importance if they would change. Chart.Name is also pinned as - a harmless technical workaround when we compute the checksum. - */}} - {{- $_ := merge (dict "componentLabel" "pinned" "Chart" (dict "Name" "jupyterhub" "Version" "pinned")) . -}} - {{- $yaml := include "jupyterhub.imagePuller.daemonset.hook" $_ }} - {{- $yaml | sha256sum }} -{{- end }} - - -{{- /* - Returns a truthy string or a blank string depending on if the - hook-image-puller should be installed. The truthy strings are comments - that summarize the state that led to returning a truthy string. - - - prePuller.hook.enabled must be true - - if prePuller.hook.pullOnlyOnChanges is true, the checksum of the - hook-image-puller daemonset must differ since last upgrade -*/}} -{{- define "jupyterhub.imagePuller.daemonset.hook.install" -}} - {{- if .Values.prePuller.hook.enabled }} - {{- if .Values.prePuller.hook.pullOnlyOnChanges }} - {{- $new_checksum := include "jupyterhub.imagePuller.daemonset.hook.checksum" . }} - {{- $k8s_state := lookup "v1" "ConfigMap" .Release.Namespace (include "jupyterhub.hub.fullname" .) | default (dict "data" (dict)) }} - {{- $old_checksum := index $k8s_state.data "checksum_hook-image-puller" | default "" }} - {{- if ne $new_checksum $old_checksum -}} -# prePuller.hook.enabled={{ .Values.prePuller.hook.enabled }} -# prePuller.hook.pullOnlyOnChanges={{ .Values.prePuller.hook.pullOnlyOnChanges }} -# post-upgrade checksum != pre-upgrade checksum (of the hook-image-puller DaemonSet) -# "{{ $new_checksum }}" != "{{ $old_checksum}}" - {{- end }} - {{- else -}} -# prePuller.hook.enabled={{ .Values.prePuller.hook.enabled }} -# prePuller.hook.pullOnlyOnChanges={{ .Values.prePuller.hook.pullOnlyOnChanges }} - {{- end }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/daemonset-continuous.yaml b/charts/application-hub/templates/image-puller/daemonset-continuous.yaml deleted file mode 100644 index 85a572f..0000000 --- a/charts/application-hub/templates/image-puller/daemonset-continuous.yaml +++ /dev/null @@ -1,8 +0,0 @@ -{{- /* -The continuous-image-puller daemonset task is to pull required images to nodes -that are added in between helm upgrades, for example by manually adding a node -or by the cluster autoscaler. -*/}} -{{- if .Values.prePuller.continuous.enabled }} -{{- include "jupyterhub.imagePuller.daemonset.continuous" . }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/daemonset-hook.yaml b/charts/application-hub/templates/image-puller/daemonset-hook.yaml deleted file mode 100644 index 7e9c2d0..0000000 --- a/charts/application-hub/templates/image-puller/daemonset-hook.yaml +++ /dev/null @@ -1,9 +0,0 @@ -{{- /* -The hook-image-puller daemonset will be created with the highest priority during -helm upgrades. It's task is to pull the required images on all nodes. When the -image-awaiter job confirms the required images to be pulled, the daemonset is -deleted. Only then will the actual helm upgrade start. -*/}} -{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}} -{{- include "jupyterhub.imagePuller.daemonset.hook" . }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/job.yaml b/charts/application-hub/templates/image-puller/job.yaml deleted file mode 100644 index 5509f13..0000000 --- a/charts/application-hub/templates/image-puller/job.yaml +++ /dev/null @@ -1,76 +0,0 @@ -{{- /* -This job has a part to play in a helm upgrade process. It simply waits for the -hook-image-puller daemonset which is started slightly before this job to get -its' pods running. If all those pods are running they must have pulled all the -required images on all nodes as they are used as init containers with a dummy -command. -*/}} -{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}} -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - hub.jupyter.org/deletable: "true" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "10" -spec: - template: - # The hook-image-awaiter Job and hook-image-puller DaemonSet was - # conditionally created based on this state: - # - {{- include "jupyterhub.imagePuller.daemonset.hook.install" . | nindent 4 }} - # - metadata: - labels: - {{- /* Changes here will cause the Job to restart the pods. */}} - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - {{- with .Values.prePuller.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with .Values.prePuller.annotations }} - annotations: - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - restartPolicy: Never - {{- with include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . }} - serviceAccountName: {{ . }} - {{- end }} - {{- with .Values.prePuller.hook.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.corePods.tolerations .Values.prePuller.hook.tolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.prePuller.hook.image) }} - imagePullSecrets: {{ . }} - {{- end }} - containers: - - image: {{ .Values.prePuller.hook.image.name }}:{{ .Values.prePuller.hook.image.tag }} - name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }} - {{- with .Values.prePuller.hook.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - command: - - /image-awaiter - - -ca-path=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - -auth-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token - - -api-server-address=https://kubernetes.default.svc:$(KUBERNETES_SERVICE_PORT) - - -namespace={{ .Release.Namespace }} - - -daemonset={{ include "jupyterhub.hook-image-puller.fullname" . }} - - -pod-scheduling-wait-duration={{ .Values.prePuller.hook.podSchedulingWaitDuration }} - {{- with .Values.prePuller.hook.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.prePuller.hook.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/priorityclass.yaml b/charts/application-hub/templates/image-puller/priorityclass.yaml deleted file mode 100644 index b2dbae0..0000000 --- a/charts/application-hub/templates/image-puller/priorityclass.yaml +++ /dev/null @@ -1,18 +0,0 @@ -{{- if .Values.scheduling.podPriority.enabled }} -{{- if or .Values.prePuller.hook.enabled .Values.prePuller.continuous.enabled -}} -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: {{ include "jupyterhub.image-puller-priority.fullname" . }} - annotations: - meta.helm.sh/release-name: "{{ .Release.Name }}" - meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -value: {{ .Values.scheduling.podPriority.imagePullerPriority }} -globalDefault: false -description: >- - Enables [hook|continuous]-image-puller pods to fit on nodes even though they - are clogged by user-placeholder pods, while not evicting normal user pods. -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/rbac.yaml b/charts/application-hub/templates/image-puller/rbac.yaml deleted file mode 100644 index 996a59a..0000000 --- a/charts/application-hub/templates/image-puller/rbac.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- /* -Permissions to be used by the hook-image-awaiter job -*/}} -{{- if .Values.rbac.create -}} -{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}} -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - hub.jupyter.org/deletable: "true" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "0" -rules: - - apiGroups: ["apps"] # "" indicates the core API group - resources: ["daemonsets"] - verbs: ["get"] ---- -{{- /* -... as declared by this binding. -*/}} -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - hub.jupyter.org/deletable: "true" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "0" -subjects: - - kind: ServiceAccount - name: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . }} - namespace: "{{ .Release.Namespace }}" -roleRef: - kind: Role - name: {{ include "jupyterhub.hook-image-awaiter.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/image-puller/serviceaccount.yaml b/charts/application-hub/templates/image-puller/serviceaccount.yaml deleted file mode 100644 index 8161101..0000000 --- a/charts/application-hub/templates/image-puller/serviceaccount.yaml +++ /dev/null @@ -1,21 +0,0 @@ -{{- /* -ServiceAccount for the pre-puller hook's image-awaiter-job -*/}} -{{- if .Values.prePuller.hook.serviceAccount.create -}} -{{- if (include "jupyterhub.imagePuller.daemonset.hook.install" .) -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jupyterhub.hook-image-awaiter-serviceaccount.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - hub.jupyter.org/deletable: "true" - annotations: - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded - "helm.sh/hook-weight": "0" - {{- with .Values.prePuller.hook.serviceAccount.annotations }} - {{- . | toYaml | nindent 4 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/_README.txt b/charts/application-hub/templates/proxy/autohttps/_README.txt deleted file mode 100644 index 08bd7bb..0000000 --- a/charts/application-hub/templates/proxy/autohttps/_README.txt +++ /dev/null @@ -1,9 +0,0 @@ -# Automatic HTTPS Terminator - -This directory has Kubernetes objects for automatic Let's Encrypt Support. -When enabled, we create a new deployment object that has an nginx-ingress -and kube-lego container in it. This is responsible for requesting, -storing and renewing certificates as needed from Let's Encrypt. - -The only change required outside of this directory is in the `proxy-public` -service, which targets different hubs based on automatic HTTPS status. \ No newline at end of file diff --git a/charts/application-hub/templates/proxy/autohttps/_configmap-dynamic.yaml b/charts/application-hub/templates/proxy/autohttps/_configmap-dynamic.yaml deleted file mode 100644 index 0e2a8f4..0000000 --- a/charts/application-hub/templates/proxy/autohttps/_configmap-dynamic.yaml +++ /dev/null @@ -1,109 +0,0 @@ -{{- define "jupyterhub.dynamic.yaml" -}} -# Content of dynamic.yaml to be merged merged with -# proxy.traefik.extraDynamicConfig. -# ---------------------------------------------------------------------------- -http: - # Middlewares tweaks requests. We define them here and reference them in - # our routers. We use them to redirect http traffic and headers to proxied - # web requests. - # - # ref: https://docs.traefik.io/middlewares/overview/ - middlewares: - hsts: - # A middleware to add a HTTP Strict-Transport-Security (HSTS) response - # header, they function as a request for browsers to enforce HTTPS on - # their end in for a given time into the future, and optionally - # subdomains for requests to subdomains as well. - # - # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security - headers: - stsIncludeSubdomains: {{ .Values.proxy.traefik.hsts.includeSubdomains }} - stsPreload: {{ .Values.proxy.traefik.hsts.preload }} - stsSeconds: {{ .Values.proxy.traefik.hsts.maxAge }} - # A middleware to redirect to https - redirect: - redirectScheme: - permanent: true - scheme: https - # A middleware to add a X-Scheme (X-Forwarded-Proto) header that - # JupyterHub's Tornado web-server needs if expecting to serve https - # traffic. Without it we would run into issues like: - # https://github.com/jupyterhub/jupyterhub/issues/2284 - scheme: - headers: - customRequestHeaders: - # DISCUSS ME: Can we use the X-Forwarded-Proto header instead? It - # seems more recognized. Mozilla calls it the de-facto standard - # header for this purpose, and Tornado recognizes both. - # - # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto - # ref: https://www.tornadoweb.org/en/stable/httpserver.html#http-server - X-Scheme: https - - # Routers routes web requests to a service and optionally tweaks them with - # middleware. - # - # ref: https://docs.traefik.io/routing/routers/ - routers: - # Route secure https traffic to the configurable-http-proxy managed by - # JupyterHub. - default: - entrypoints: - - "https" - middlewares: - - "hsts" - - "scheme" - rule: PathPrefix(`/`) - service: default - # Use our predefined TLS options and certificate resolver, enabling - # this route to act as a TLS termination proxy with high security - # standards. - tls: - certResolver: default - domains: - {{- range $host := .Values.proxy.https.hosts }} - - main: {{ $host }} - {{- end }} - options: default - - # Route insecure http traffic to https - insecure: - entrypoints: - - "http" - middlewares: - - "redirect" - rule: PathPrefix(`/`) - service: default - - # Services represents the destinations we route traffic to. - # - # ref: https://docs.traefik.io/routing/services/ - services: - # Represents the configurable-http-proxy (chp) server that is managed by - # JupyterHub to route traffic both to itself and to user pods. - default: - loadBalancer: - servers: - - url: 'http://proxy-http:8000/' - -# Configure TLS to give us an A+ in the ssllabs.com test -# -# ref: https://www.ssllabs.com/ssltest/ -tls: - options: - default: - # Allowed ciphers adapted from Mozillas SSL Configuration Generator - # configured for Intermediate support which doesn't support very old - # systems but doesn't require very modern either. - # - # ref: https://ssl-config.mozilla.org/#server=traefik&version=2.1.2&config=intermediate&guideline=5.4 - cipherSuites: - - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - minVersion: VersionTLS12 - sniStrict: true -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/_configmap-traefik.yaml b/charts/application-hub/templates/proxy/autohttps/_configmap-traefik.yaml deleted file mode 100644 index 7287a70..0000000 --- a/charts/application-hub/templates/proxy/autohttps/_configmap-traefik.yaml +++ /dev/null @@ -1,68 +0,0 @@ -{{- define "jupyterhub.traefik.yaml" -}} -# Content of traefik.yaml to be merged merged with -# proxy.traefik.extraStaticConfig. -# ---------------------------------------------------------------------------- - -# Config of logs about web requests -# -# ref: https://docs.traefik.io/observability/access-logs/ -accessLog: - # Redact commonly sensitive headers - fields: - headers: - names: - Authorization: redacted - Cookie: redacted - Set-Cookie: redacted - X-Xsrftoken: redacted - # Only log errors - filters: - statusCodes: - - 500-599 - -# Automatically acquire certificates certificates form a Certificate -# Authority (CA) like Let's Encrypt using the ACME protocol's HTTP-01 -# challenge. -# -# ref: https://docs.traefik.io/https/acme/#certificate-resolvers -certificatesResolvers: - default: - acme: - caServer: {{ .Values.proxy.https.letsencrypt.acmeServer }} - email: {{ .Values.proxy.https.letsencrypt.contactEmail }} - httpChallenge: - entryPoint: http - storage: /etc/acme/acme.json - -# Let Traefik listen to port 80 and port 443 -# -# ref: https://docs.traefik.io/routing/entrypoints/ -entryPoints: - # Port 80, used for: - # - ACME HTTP-01 challenges - # - Redirects to HTTPS - http: - address: ':8080' - # Port 443, used for: - # - TLS Termination Proxy, where HTTPS transitions to HTTP. - https: - address: ':8443' - # Configure a high idle timeout for our websockets connections - transport: - respondingTimeouts: - idleTimeout: 10m0s - -# Config of logs about what happens to Traefik itself (startup, -# configuration, events, shutdown, and so on). -# -# ref: https://docs.traefik.io/observability/logs -log: - level: {{ if .Values.debug.enabled -}} DEBUG {{- else -}} WARN {{- end }} - -# Let Traefik monitor another file we mount for dynamic configuration. As we -# mount this file through this configmap, we can make a `kubectl edit` on the -# configmap and have Traefik update on changes to dynamic.yaml. -providers: - file: - filename: /etc/traefik/dynamic.yaml -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/configmap.yaml b/charts/application-hub/templates/proxy/autohttps/configmap.yaml deleted file mode 100644 index 4804bf7..0000000 --- a/charts/application-hub/templates/proxy/autohttps/configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }} -{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }} -{{- if $autoHTTPS -}} -{{- $_ := .Values.proxy.https.letsencrypt.contactEmail | required "proxy.https.letsencrypt.contactEmail is a required field" -}} - -# This configmap contains Traefik configuration files to be mounted. -# - traefik.yaml will only be read during startup (static configuration) -# - dynamic.yaml will be read on change (dynamic configuration) -# -# ref: https://docs.traefik.io/getting-started/configuration-overview/ -# -# The configuration files are first rendered with Helm templating to large YAML -# strings. Then we use the fromYAML function on these strings to get an object, -# that we in turn merge with user provided extra configuration. -# -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.autohttps.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -data: - traefik.yaml: | - {{- include "jupyterhub.traefik.yaml" . | fromYaml | merge .Values.proxy.traefik.extraStaticConfig | toYaml | nindent 4 }} - dynamic.yaml: | - {{- include "jupyterhub.dynamic.yaml" . | fromYaml | merge .Values.proxy.traefik.extraDynamicConfig | toYaml | nindent 4 }} - -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/deployment.yaml b/charts/application-hub/templates/proxy/autohttps/deployment.yaml deleted file mode 100644 index f76f3ef..0000000 --- a/charts/application-hub/templates/proxy/autohttps/deployment.yaml +++ /dev/null @@ -1,154 +0,0 @@ -{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }} -{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }} -{{- if $autoHTTPS -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jupyterhub.autohttps.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if typeIs "int" .Values.proxy.traefik.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.proxy.traefik.revisionHistoryLimit }} - {{- end }} - replicas: 1 - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - hub.jupyter.org/network-access-proxy-http: "true" - {{- with .Values.proxy.traefik.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - annotations: - # Only force a restart through a change to this checksum when the static - # configuration is changed, as the dynamic can be updated after start. - # Any disruptions to this deployment impacts everything, it is the - # entrypoint of all network traffic. - checksum/static-config: {{ include "jupyterhub.traefik.yaml" . | fromYaml | merge .Values.proxy.traefik.extraStaticConfig | toYaml | sha256sum }} - spec: - {{- with include "jupyterhub.autohttps-serviceaccount.fullname" . }} - serviceAccountName: {{ . }} - {{- end }} - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.priority.fullname" . }} - {{- end }} - {{- with .Values.proxy.traefik.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.corePods.tolerations .Values.proxy.traefik.tolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- include "jupyterhub.coreAffinity" . | nindent 6 }} - volumes: - - name: certificates - emptyDir: {} - - name: traefik-config - configMap: - name: {{ include "jupyterhub.autohttps.fullname" . }} - {{- with .Values.proxy.traefik.extraVolumes }} - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.proxy.traefik.image) }} - imagePullSecrets: {{ . }} - {{- end }} - initContainers: - - name: load-acme - image: "{{ .Values.proxy.secretSync.image.name }}:{{ .Values.proxy.secretSync.image.tag }}" - {{- with .Values.proxy.secretSync.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - args: - - load - - {{ include "jupyterhub.proxy-public-tls.fullname" . }} - - acme.json - - /etc/acme/acme.json - env: - # We need this to get logs immediately - - name: PYTHONUNBUFFERED - value: "True" - {{- with .Values.proxy.traefik.extraEnv }} - {{- include "jupyterhub.extraEnv" . | nindent 12 }} - {{- end }} - volumeMounts: - - name: certificates - mountPath: /etc/acme - {{- with .Values.proxy.secretSync.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.proxy.traefik.extraInitContainers }} - {{- . | toYaml | nindent 8 }} - {{- end }} - containers: - - name: traefik - image: "{{ .Values.proxy.traefik.image.name }}:{{ .Values.proxy.traefik.image.tag }}" - {{- with .Values.proxy.traefik.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - {{- with .Values.proxy.traefik.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - ports: - - name: http - containerPort: 8080 - - name: https - containerPort: 8443 - {{- with .Values.proxy.traefik.extraPorts }} - {{- . | toYaml | nindent 12 }} - {{- end }} - volumeMounts: - - name: traefik-config - mountPath: /etc/traefik - - name: certificates - mountPath: /etc/acme - {{- with .Values.proxy.traefik.extraVolumeMounts }} - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.proxy.traefik.extraEnv }} - env: - {{- include "jupyterhub.extraEnv" . | nindent 12 }} - {{- end }} - {{- with .Values.proxy.traefik.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - - name: secret-sync - image: "{{ .Values.proxy.secretSync.image.name }}:{{ .Values.proxy.secretSync.image.tag }}" - {{- with .Values.proxy.secretSync.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - {{- with .Values.proxy.secretSync.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - args: - - watch-save - - --label=app={{ include "jupyterhub.appLabel" . }} - - --label=release={{ .Release.Name }} - - --label=chart={{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} - - --label=heritage=secret-sync - - {{ include "jupyterhub.proxy-public-tls.fullname" . }} - - acme.json - - /etc/acme/acme.json - env: - # We need this to get logs immediately - - name: PYTHONUNBUFFERED - value: "True" - volumeMounts: - - name: certificates - mountPath: /etc/acme - {{- with .Values.proxy.secretSync.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.proxy.traefik.extraPodSpec }} - {{- . | toYaml | nindent 6 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/netpol.yaml b/charts/application-hub/templates/proxy/autohttps/netpol.yaml deleted file mode 100644 index 78270b6..0000000 --- a/charts/application-hub/templates/proxy/autohttps/netpol.yaml +++ /dev/null @@ -1,78 +0,0 @@ -{{- $HTTPS := .Values.proxy.https.enabled -}} -{{- $autoHTTPS := and $HTTPS (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}} -{{- if and $autoHTTPS .Values.proxy.traefik.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jupyterhub.autohttps.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - - # IMPORTANT: - # NetworkPolicy's ingress "from" and egress "to" rule specifications require - # great attention to detail. A quick summary is: - # - # 1. You can provide "from"/"to" rules that provide access either ports or a - # subset of ports. - # 2. You can for each "from"/"to" rule provide any number of - # "sources"/"destinations" of four different kinds. - # - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy - # - namespaceSelector - targets all pods running in namespaces with a certain label - # - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label - # - ipBlock - targets network traffic from/to a set of IP address ranges - # - # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors - # - ingress: - {{- with .Values.proxy.traefik.networkPolicy.allowedIngressPorts }} - # allow incoming traffic to these ports independent of source - - ports: - {{- range $port := . }} - - port: {{ $port }} - {{- end }} - {{- end }} - - # allowed pods (hub.jupyter.org/network-access-proxy-http) --> proxy (http/https port) - - ports: - - port: http - - port: https - from: - # source 1 - labeled pods - - podSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-http: "true" - {{- if eq .Values.proxy.traefik.networkPolicy.interNamespaceAccessLabels "accept" }} - namespaceSelector: - matchLabels: {} # without this, the podSelector would only consider pods in the local namespace - # source 2 - pods in labeled namespaces - - namespaceSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-http: "true" - {{- end }} - - {{- with .Values.proxy.traefik.networkPolicy.ingress}} - # depends, but default is nothing --> proxy - {{- . | toYaml | nindent 4 }} - {{- end }} - - egress: - # autohttps --> proxy (http port) - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "proxy") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8000 - - {{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.proxy.traefik.networkPolicy)) }} - {{- . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/pdb.yaml b/charts/application-hub/templates/proxy/autohttps/pdb.yaml deleted file mode 100644 index 074d0ac..0000000 --- a/charts/application-hub/templates/proxy/autohttps/pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.proxy.traefik.pdb.enabled -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- /* k8s 1.21+ required */ -}} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: proxy - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if not (typeIs "" .Values.proxy.traefik.pdb.maxUnavailable) }} - maxUnavailable: {{ .Values.proxy.traefik.pdb.maxUnavailable }} - {{- end }} - {{- if not (typeIs "" .Values.proxy.traefik.pdb.minAvailable) }} - minAvailable: {{ .Values.proxy.traefik.pdb.minAvailable }} - {{- end }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/rbac.yaml b/charts/application-hub/templates/proxy/autohttps/rbac.yaml deleted file mode 100644 index a0fd41a..0000000 --- a/charts/application-hub/templates/proxy/autohttps/rbac.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) -}} -{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) -}} -{{- if $autoHTTPS -}} -{{- if .Values.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "jupyterhub.autohttps.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - {{- with .Values.proxy.traefik.serviceAccount.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "patch", "list", "create"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "jupyterhub.autohttps.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "jupyterhub.autohttps-serviceaccount.fullname" . }} - apiGroup: -roleRef: - kind: Role - name: {{ include "jupyterhub.autohttps.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/service.yaml b/charts/application-hub/templates/proxy/autohttps/service.yaml deleted file mode 100644 index 615e36d..0000000 --- a/charts/application-hub/templates/proxy/autohttps/service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }} -{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }} -{{- if $autoHTTPS -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "jupyterhub.proxy-http.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - {{- with .Values.proxy.service.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - {{- with .Values.proxy.service.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} -spec: - type: ClusterIP - selector: - {{- $_ := merge (dict "componentLabel" "proxy") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 4 }} - ports: - - port: 8000 - targetPort: http -{{- end }} diff --git a/charts/application-hub/templates/proxy/autohttps/serviceaccount.yaml b/charts/application-hub/templates/proxy/autohttps/serviceaccount.yaml deleted file mode 100644 index 5b340bb..0000000 --- a/charts/application-hub/templates/proxy/autohttps/serviceaccount.yaml +++ /dev/null @@ -1,12 +0,0 @@ -{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) -}} -{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) -}} -{{- if $autoHTTPS -}} -{{- if .Values.proxy.traefik.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jupyterhub.autohttps-serviceaccount.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/deployment.yaml b/charts/application-hub/templates/proxy/deployment.yaml deleted file mode 100644 index 2b35382..0000000 --- a/charts/application-hub/templates/proxy/deployment.yaml +++ /dev/null @@ -1,178 +0,0 @@ -{{- $manualHTTPS := and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual") -}} -{{- $manualHTTPSwithsecret := and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret") -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jupyterhub.proxy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if typeIs "int" .Values.proxy.chp.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.proxy.chp.revisionHistoryLimit }} - {{- end }} - replicas: 1 - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - strategy: - {{- .Values.proxy.deploymentStrategy | toYaml | nindent 4 }} - template: - metadata: - labels: - {{- /* Changes here will cause the Deployment to restart the pods. */}} - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - hub.jupyter.org/network-access-hub: "true" - hub.jupyter.org/network-access-singleuser: "true" - {{- with .Values.proxy.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - annotations: - # We want to restart proxy only if the auth token changes - # Other changes to the hub config should not restart. - # We truncate to 4 chars to avoid leaking auth token info, - # since someone could brute force the hash to obtain the token - # - # Note that if auth_token has to be generated at random, it will be - # generated at random here separately from being generated at random in - # the k8s Secret template. This will cause this annotation to change to - # match the k8s Secret during the first upgrade following an auth_token - # was generated. - checksum/auth-token: {{ include "jupyterhub.hub.config.ConfigurableHTTPProxy.auth_token" . | sha256sum | trunc 4 | quote }} - checksum/proxy-secret: {{ include (print $.Template.BasePath "/proxy/secret.yaml") . | sha256sum | quote }} - {{- with .Values.proxy.annotations }} - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - terminationGracePeriodSeconds: 60 - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.priority.fullname" . }} - {{- end }} - {{- with .Values.proxy.chp.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.corePods.tolerations .Values.proxy.chp.tolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- include "jupyterhub.coreAffinity" . | nindent 6 }} - {{- if $manualHTTPS }} - volumes: - - name: tls-secret - secret: - secretName: {{ include "jupyterhub.proxy-public-manual-tls.fullname" . }} - {{- else if $manualHTTPSwithsecret }} - volumes: - - name: tls-secret - secret: - secretName: {{ .Values.proxy.https.secret.name }} - {{- end }} - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.proxy.chp.image) }} - imagePullSecrets: {{ . }} - {{- end }} - containers: - - name: chp - image: {{ .Values.proxy.chp.image.name }}:{{ .Values.proxy.chp.image.tag }} - {{- $hubNameAsEnv := include "jupyterhub.hub.fullname" . | upper | replace "-" "_" }} - {{- $hubHost := printf "http://%s:$(%s_SERVICE_PORT)" (include "jupyterhub.hub.fullname" .) $hubNameAsEnv }} - command: - - configurable-http-proxy - - "--ip=" - - "--api-ip=" - - --api-port=8001 - - --default-target={{ .Values.proxy.chp.defaultTarget | default $hubHost }} - - --error-target={{ .Values.proxy.chp.errorTarget | default (printf "%s/hub/error" $hubHost) }} - {{- if $manualHTTPS }} - - --port=8443 - - --redirect-port=8000 - - --redirect-to=443 - - --ssl-key=/etc/chp/tls/tls.key - - --ssl-cert=/etc/chp/tls/tls.crt - {{- else if $manualHTTPSwithsecret }} - - --port=8443 - - --redirect-port=8000 - - --redirect-to=443 - - --ssl-key=/etc/chp/tls/{{ .Values.proxy.https.secret.key }} - - --ssl-cert=/etc/chp/tls/{{ .Values.proxy.https.secret.crt }} - {{- else }} - - --port=8000 - {{- end }} - {{- if .Values.debug.enabled }} - - --log-level=debug - {{- end }} - {{- range .Values.proxy.chp.extraCommandLineFlags }} - - {{ tpl . $ }} - {{- end }} - {{- if or $manualHTTPS $manualHTTPSwithsecret }} - volumeMounts: - - name: tls-secret - mountPath: /etc/chp/tls - readOnly: true - {{- end }} - {{- with .Values.proxy.chp.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - env: - - name: CONFIGPROXY_AUTH_TOKEN - valueFrom: - secretKeyRef: - # NOTE: References the chart managed k8s Secret even if - # hub.existingSecret is specified to avoid using the - # lookup function on the user managed k8s Secret. - name: {{ include "jupyterhub.hub.fullname" . }} - key: hub.config.ConfigurableHTTPProxy.auth_token - {{- with .Values.proxy.chp.extraEnv }} - {{- include "jupyterhub.extraEnv" . | nindent 12 }} - {{- end }} - {{- with .Values.proxy.chp.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - ports: - {{- if or $manualHTTPS $manualHTTPSwithsecret }} - - name: https - containerPort: 8443 - {{- end }} - - name: http - containerPort: 8000 - - name: api - containerPort: 8001 - {{- if .Values.proxy.chp.livenessProbe.enabled }} - livenessProbe: - initialDelaySeconds: {{ .Values.proxy.chp.livenessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.proxy.chp.livenessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.proxy.chp.livenessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.proxy.chp.livenessProbe.failureThreshold }} - httpGet: - path: /_chp_healthz - {{- if or $manualHTTPS $manualHTTPSwithsecret }} - port: https - scheme: HTTPS - {{- else }} - port: http - scheme: HTTP - {{- end }} - {{- end }} - {{- if .Values.proxy.chp.readinessProbe.enabled }} - readinessProbe: - initialDelaySeconds: {{ .Values.proxy.chp.readinessProbe.initialDelaySeconds }} - periodSeconds: {{ .Values.proxy.chp.readinessProbe.periodSeconds }} - timeoutSeconds: {{ .Values.proxy.chp.readinessProbe.timeoutSeconds }} - failureThreshold: {{ .Values.proxy.chp.readinessProbe.failureThreshold }} - httpGet: - path: /_chp_healthz - {{- if or $manualHTTPS $manualHTTPSwithsecret }} - port: https - scheme: HTTPS - {{- else }} - port: http - scheme: HTTP - {{- end }} - {{- end }} - {{- with .Values.proxy.chp.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.proxy.chp.extraPodSpec }} - {{- . | toYaml | nindent 6 }} - {{- end }} diff --git a/charts/application-hub/templates/proxy/netpol.yaml b/charts/application-hub/templates/proxy/netpol.yaml deleted file mode 100644 index 0af853a..0000000 --- a/charts/application-hub/templates/proxy/netpol.yaml +++ /dev/null @@ -1,108 +0,0 @@ -{{- $HTTPS := .Values.proxy.https.enabled -}} -{{- $autoHTTPS := and $HTTPS (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}} -{{- $manualHTTPS := and $HTTPS (eq .Values.proxy.https.type "manual") -}} -{{- $manualHTTPSwithsecret := and $HTTPS (eq .Values.proxy.https.type "secret") -}} -{{- if .Values.proxy.chp.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jupyterhub.proxy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - policyTypes: - - Ingress - - Egress - - # IMPORTANT: - # NetworkPolicy's ingress "from" and egress "to" rule specifications require - # great attention to detail. A quick summary is: - # - # 1. You can provide "from"/"to" rules that provide access either ports or a - # subset of ports. - # 2. You can for each "from"/"to" rule provide any number of - # "sources"/"destinations" of four different kinds. - # - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy - # - namespaceSelector - targets all pods running in namespaces with a certain label - # - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label - # - ipBlock - targets network traffic from/to a set of IP address ranges - # - # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors - # - ingress: - {{- with .Values.proxy.chp.networkPolicy.allowedIngressPorts }} - # allow incoming traffic to these ports independent of source - - ports: - {{- range $port := . }} - - port: {{ $port }} - {{- end }} - {{- end }} - - # allowed pods (hub.jupyter.org/network-access-proxy-http) --> proxy (http/https port) - - ports: - - port: http - {{- if or $manualHTTPS $manualHTTPSwithsecret }} - - port: https - {{- end }} - from: - # source 1 - labeled pods - - podSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-http: "true" - {{- if eq .Values.proxy.chp.networkPolicy.interNamespaceAccessLabels "accept" }} - namespaceSelector: - matchLabels: {} # without this, the podSelector would only consider pods in the local namespace - # source 2 - pods in labeled namespaces - - namespaceSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-http: "true" - {{- end }} - - # allowed pods (hub.jupyter.org/network-access-proxy-api) --> proxy (api port) - - ports: - - port: api - from: - # source 1 - labeled pods - - podSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-api: "true" - {{- if eq .Values.proxy.chp.networkPolicy.interNamespaceAccessLabels "accept" }} - namespaceSelector: - matchLabels: {} # without this, the podSelector would only consider pods in the local namespace - # source 2 - pods in labeled namespaces - - namespaceSelector: - matchLabels: - hub.jupyter.org/network-access-proxy-api: "true" - {{- end }} - - {{- with .Values.proxy.chp.networkPolicy.ingress}} - # depends, but default is nothing --> proxy - {{- . | toYaml | nindent 4 }} - {{- end }} - - egress: - # proxy --> hub - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "hub") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8081 - - # proxy --> singleuser-server - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "singleuser-server") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8888 - - {{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.proxy.chp.networkPolicy)) }} - {{- . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/pdb.yaml b/charts/application-hub/templates/proxy/pdb.yaml deleted file mode 100644 index d8651f5..0000000 --- a/charts/application-hub/templates/proxy/pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.proxy.chp.pdb.enabled -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- /* k8s 1.21+ required */ -}} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "jupyterhub.proxy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if not (typeIs "" .Values.proxy.chp.pdb.maxUnavailable) }} - maxUnavailable: {{ .Values.proxy.chp.pdb.maxUnavailable }} - {{- end }} - {{- if not (typeIs "" .Values.proxy.chp.pdb.minAvailable) }} - minAvailable: {{ .Values.proxy.chp.pdb.minAvailable }} - {{- end }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/secret.yaml b/charts/application-hub/templates/proxy/secret.yaml deleted file mode 100644 index d9ff8ad..0000000 --- a/charts/application-hub/templates/proxy/secret.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- $manualHTTPS := and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual") -}} -{{- if $manualHTTPS -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "jupyterhub.proxy-public-manual-tls.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -type: kubernetes.io/tls -data: - tls.crt: {{ .Values.proxy.https.manual.cert | required "Required configuration missing: proxy.https.manual.cert" | b64enc }} - tls.key: {{ .Values.proxy.https.manual.key | required "Required configuration missing: proxy.https.manual.key" | b64enc }} -{{- end }} diff --git a/charts/application-hub/templates/proxy/service.yaml b/charts/application-hub/templates/proxy/service.yaml deleted file mode 100644 index 8a96eb1..0000000 --- a/charts/application-hub/templates/proxy/service.yaml +++ /dev/null @@ -1,80 +0,0 @@ -{{- $enabled := .Values.proxy.https.enabled -}} -{{- $autoHTTPS := and $enabled (and (eq .Values.proxy.https.type "letsencrypt") .Values.proxy.https.hosts) -}} -{{- $manualHTTPS := and $enabled (eq .Values.proxy.https.type "manual") -}} -{{- $manualHTTPSwithsecret := and $enabled (eq .Values.proxy.https.type "secret") -}} -{{- $offloadHTTPS := and $enabled (eq .Values.proxy.https.type "offload") -}} -{{- $valid := or $autoHTTPS (or $manualHTTPS (or $manualHTTPSwithsecret $offloadHTTPS)) -}} -{{- $HTTPS := and $enabled $valid -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ include "jupyterhub.proxy-api.fullname" . }} - labels: - {{- $_ := merge (dict "componentSuffix" "-api") . }} - {{- include "jupyterhub.labels" $_ | nindent 4 }} -spec: - selector: - {{- include "jupyterhub.matchLabels" . | nindent 4 }} - ports: - - port: 8001 - targetPort: api ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ include "jupyterhub.proxy-public.fullname" . }} - labels: - {{- $_ := merge (dict "componentSuffix" "-public") . }} - {{- include "jupyterhub.labels" $_ | nindent 4 }} - {{- with .Values.proxy.service.labels }} - {{- . | toYaml | nindent 4 }} - {{- end }} - {{- with .Values.proxy.service.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} -spec: - selector: - {{- if $autoHTTPS }} - component: autohttps - {{- else }} - component: proxy - {{- end }} - release: {{ .Release.Name }} - ports: - {{- if $HTTPS }} - - name: https - port: 443 - # When HTTPS termination is handled outside our helm chart, pass traffic - # coming in via this Service's port 443 to targeted pod's port meant for - # HTTP traffic. - {{- if $offloadHTTPS }} - targetPort: http - {{- else }} - targetPort: https - {{- end }} - {{- with .Values.proxy.service.nodePorts.https }} - nodePort: {{ . }} - {{- end }} - {{- end }} - {{- if ne .Values.proxy.service.disableHttpPort true }} - - name: http - port: 80 - targetPort: http - {{- with .Values.proxy.service.nodePorts.http }} - nodePort: {{ . }} - {{- end }} - {{- end }} - {{- with .Values.proxy.service.extraPorts }} - {{- . | toYaml | nindent 4 }} - {{- end }} - type: {{ .Values.proxy.service.type }} - {{- with .Values.proxy.service.loadBalancerIP }} - loadBalancerIP: {{ . }} - {{- end }} - {{- if eq .Values.proxy.service.type "LoadBalancer" }} - {{- with .Values.proxy.service.loadBalancerSourceRanges }} - loadBalancerSourceRanges: - {{- . | toYaml | nindent 4 }} - {{- end }} - {{- end }} diff --git a/charts/application-hub/templates/scheduling/_scheduling-helpers.tpl b/charts/application-hub/templates/scheduling/_scheduling-helpers.tpl deleted file mode 100644 index 0a1a741..0000000 --- a/charts/application-hub/templates/scheduling/_scheduling-helpers.tpl +++ /dev/null @@ -1,138 +0,0 @@ -{{- define "jupyterhub.userNodeAffinityRequired" -}} -{{- if eq .Values.scheduling.userPods.nodeAffinity.matchNodePurpose "require" -}} -- matchExpressions: - - key: hub.jupyter.org/node-purpose - operator: In - values: [user] -{{- end }} -{{- with .Values.singleuser.extraNodeAffinity.required }} -{{- . | toYaml | nindent 0 }} -{{- end }} -{{- end }} - -{{- define "jupyterhub.userNodeAffinityPreferred" -}} -{{- if eq .Values.scheduling.userPods.nodeAffinity.matchNodePurpose "prefer" -}} -- weight: 100 - preference: - matchExpressions: - - key: hub.jupyter.org/node-purpose - operator: In - values: [user] -{{- end }} -{{- with .Values.singleuser.extraNodeAffinity.preferred }} -{{- . | toYaml | nindent 0 }} -{{- end }} -{{- end }} - -{{- define "jupyterhub.userPodAffinityRequired" -}} -{{- with .Values.singleuser.extraPodAffinity.required -}} -{{ . | toYaml }} -{{- end }} -{{- end }} - -{{- define "jupyterhub.userPodAffinityPreferred" -}} -{{- with .Values.singleuser.extraPodAffinity.preferred -}} -{{ . | toYaml }} -{{- end }} -{{- end }} - -{{- define "jupyterhub.userPodAntiAffinityRequired" -}} -{{- with .Values.singleuser.extraPodAntiAffinity.required -}} -{{ . | toYaml }} -{{- end }} -{{- end }} - -{{- define "jupyterhub.userPodAntiAffinityPreferred" -}} -{{- with .Values.singleuser.extraPodAntiAffinity.preferred -}} -{{ . | toYaml }} -{{- end }} -{{- end }} - - - -{{- /* - jupyterhub.userAffinity: - It is used by user-placeholder to set the same affinity on them as the - spawned user pods spawned by kubespawner. -*/}} -{{- define "jupyterhub.userAffinity" -}} - -{{- $dummy := set . "nodeAffinityRequired" (include "jupyterhub.userNodeAffinityRequired" .) -}} -{{- $dummy := set . "podAffinityRequired" (include "jupyterhub.userPodAffinityRequired" .) -}} -{{- $dummy := set . "podAntiAffinityRequired" (include "jupyterhub.userPodAntiAffinityRequired" .) -}} -{{- $dummy := set . "nodeAffinityPreferred" (include "jupyterhub.userNodeAffinityPreferred" .) -}} -{{- $dummy := set . "podAffinityPreferred" (include "jupyterhub.userPodAffinityPreferred" .) -}} -{{- $dummy := set . "podAntiAffinityPreferred" (include "jupyterhub.userPodAntiAffinityPreferred" .) -}} -{{- $dummy := set . "hasNodeAffinity" (or .nodeAffinityRequired .nodeAffinityPreferred) -}} -{{- $dummy := set . "hasPodAffinity" (or .podAffinityRequired .podAffinityPreferred) -}} -{{- $dummy := set . "hasPodAntiAffinity" (or .podAntiAffinityRequired .podAntiAffinityPreferred) -}} - -{{- if .hasNodeAffinity -}} -nodeAffinity: - {{- if .nodeAffinityRequired }} - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - {{- .nodeAffinityRequired | nindent 6 }} - {{- end }} - - {{- if .nodeAffinityPreferred }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- .nodeAffinityPreferred | nindent 4 }} - {{- end }} -{{- end }} - -{{- if .hasPodAffinity }} -podAffinity: - {{- if .podAffinityRequired }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- .podAffinityRequired | nindent 4 }} - {{- end }} - - {{- if .podAffinityPreferred }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- .podAffinityPreferred | nindent 4 }} - {{- end }} -{{- end }} - -{{- if .hasPodAntiAffinity }} -podAntiAffinity: - {{- if .podAntiAffinityRequired }} - requiredDuringSchedulingIgnoredDuringExecution: - {{- .podAntiAffinityRequired | nindent 4 }} - {{- end }} - - {{- if .podAntiAffinityPreferred }} - preferredDuringSchedulingIgnoredDuringExecution: - {{- .podAntiAffinityPreferred | nindent 4 }} - {{- end }} -{{- end }} - -{{- end }} - - - -{{- define "jupyterhub.coreAffinity" -}} -{{- $require := eq .Values.scheduling.corePods.nodeAffinity.matchNodePurpose "require" -}} -{{- $prefer := eq .Values.scheduling.corePods.nodeAffinity.matchNodePurpose "prefer" -}} -{{- if or $require $prefer -}} -affinity: - nodeAffinity: - {{- if $require }} - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: hub.jupyter.org/node-purpose - operator: In - values: [core] - {{- end }} - {{- if $prefer }} - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - preference: - matchExpressions: - - key: hub.jupyter.org/node-purpose - operator: In - values: [core] - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/priorityclass.yaml b/charts/application-hub/templates/scheduling/priorityclass.yaml deleted file mode 100644 index 77c84cb..0000000 --- a/charts/application-hub/templates/scheduling/priorityclass.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if .Values.scheduling.podPriority.enabled }} -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: {{ include "jupyterhub.priority.fullname" . }} - annotations: - meta.helm.sh/release-name: "{{ .Release.Name }}" - meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" - labels: - {{- $_ := merge (dict "componentLabel" "default-priority") . }} - {{- include "jupyterhub.labels" $_ | nindent 4 }} -value: {{ .Values.scheduling.podPriority.defaultPriority }} -globalDefault: {{ .Values.scheduling.podPriority.globalDefault }} -description: "A default priority higher than user placeholders priority." -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-placeholder/pdb.yaml b/charts/application-hub/templates/scheduling/user-placeholder/pdb.yaml deleted file mode 100644 index ec84fb5..0000000 --- a/charts/application-hub/templates/scheduling/user-placeholder/pdb.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- /* -The cluster autoscaler should be allowed to evict and reschedule these pods if -it would help in order to scale down a node. -*/}} -{{- if .Values.scheduling.userPlaceholder.enabled -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- /* k8s 1.21+ required */ -}} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "jupyterhub.user-placeholder.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - minAvailable: 0 - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-placeholder/priorityclass.yaml b/charts/application-hub/templates/scheduling/user-placeholder/priorityclass.yaml deleted file mode 100644 index bdedbdd..0000000 --- a/charts/application-hub/templates/scheduling/user-placeholder/priorityclass.yaml +++ /dev/null @@ -1,16 +0,0 @@ -{{- if .Values.scheduling.podPriority.enabled }} -{{- if .Values.scheduling.userPlaceholder.enabled -}} -apiVersion: scheduling.k8s.io/v1 -kind: PriorityClass -metadata: - name: {{ include "jupyterhub.user-placeholder-priority.fullname" . }} - annotations: - meta.helm.sh/release-name: "{{ .Release.Name }}" - meta.helm.sh/release-namespace: "{{ .Release.Namespace }}" - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -value: {{ .Values.scheduling.podPriority.userPlaceholderPriority }} -globalDefault: false -description: "With a priority higher or eqaul to a cluster autoscalers priority cutoff, a pod can trigger a cluster scale up. At the same time, placeholder pods priority should be lower than other pods to make them evictable." -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-placeholder/statefulset.yaml b/charts/application-hub/templates/scheduling/user-placeholder/statefulset.yaml deleted file mode 100644 index e0f6f59..0000000 --- a/charts/application-hub/templates/scheduling/user-placeholder/statefulset.yaml +++ /dev/null @@ -1,80 +0,0 @@ - -{{- /* -These user-placeholder pods can be used to test cluster autoscaling in a -controlled fashion. - -Example: -$ echo 'Simulating four users...' -$ kubectl scale sts/user-placeholder --replicas 4 -*/}} -{{- if .Values.scheduling.userPlaceholder.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: {{ include "jupyterhub.user-placeholder.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - podManagementPolicy: Parallel - {{- if typeIs "int" .Values.scheduling.userPlaceholder.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.scheduling.userPlaceholder.revisionHistoryLimit }} - {{- end }} - replicas: {{ .Values.scheduling.userPlaceholder.replicas }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - serviceName: {{ include "jupyterhub.user-placeholder.fullname" . }} - template: - metadata: - {{- with .Values.scheduling.userPlaceholder.annotations }} - annotations: - {{- . | toYaml | nindent 8 }} - {{- end }} - labels: - {{- /* Changes here will cause the Deployment to restart the pods. */}} - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - {{- with .Values.scheduling.userPlaceholder.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.user-placeholder-priority.fullname" . }} - {{- end }} - {{- if .Values.scheduling.userScheduler.enabled }} - schedulerName: {{ include "jupyterhub.user-scheduler.fullname" . }} - {{- end }} - {{- with .Values.singleuser.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.userPods.tolerations .Values.singleuser.extraTolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- if include "jupyterhub.userAffinity" . }} - affinity: - {{- include "jupyterhub.userAffinity" . | nindent 8 }} - {{- end }} - terminationGracePeriodSeconds: 0 - automountServiceAccountToken: false - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.scheduling.userPlaceholder.image) }} - imagePullSecrets: {{ . }} - {{- end }} - containers: - - name: pause - image: {{ .Values.scheduling.userPlaceholder.image.name }}:{{ .Values.scheduling.userPlaceholder.image.tag }} - {{- if .Values.scheduling.userPlaceholder.resources }} - resources: - {{- .Values.scheduling.userPlaceholder.resources | toYaml | nindent 12 }} - {{- else if (include "jupyterhub.singleuser.resources" .) }} - resources: - {{- include "jupyterhub.singleuser.resources" . | nindent 12 }} - {{- end }} - {{- with .Values.scheduling.userPlaceholder.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - {{- with .Values.scheduling.userPlaceholder.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-scheduler/configmap.yaml b/charts/application-hub/templates/scheduling/user-scheduler/configmap.yaml deleted file mode 100644 index 22ea9a8..0000000 --- a/charts/application-hub/templates/scheduling/user-scheduler/configmap.yaml +++ /dev/null @@ -1,95 +0,0 @@ -{{- if .Values.scheduling.userScheduler.enabled -}} -kind: ConfigMap -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.user-scheduler-deploy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -data: - {{- /* - This is configuration of a k8s official kube-scheduler binary running in the - user-scheduler pod. - - ref: https://kubernetes.io/docs/reference/scheduling/config/ - ref: https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1beta2/ - ref: https://kubernetes.io/docs/reference/config-api/kube-scheduler-config.v1beta3/ - - v1beta1 can be used with kube-scheduler binary version <=1.21 - v1beta2 requires kube-scheduler binary version >=1.22 - v1beta3 requires kube-scheduler binary version >=1.23 - - kube-scheduler binaries versioned >=1.21 will error in k8s clusters - versioned <=1.20. To support a modern version of kube-scheduler and k8s - versions <=1.20 upwards, we provide two scenarios: - - 1. For k8s >= 1.21 we use a modern version of kube-scheduler and Helm chart - configuration works as expected. - 2. For k8s <= 1.20 we use a hardcoded version of kube-scheduler (v1.20.15) - and configuration (v1beta1) of kube-scheduler. - */}} - config.yaml: | - {{- /* - FIXME: We have added a workaround for EKS where - .Capabilities.KubeVersion.Minor can return a - string like "22+" instead of just "22". - - See https://github.com/aws/eks-distro/issues/1128. - */}} - {{- if ge (atoi (.Capabilities.KubeVersion.Minor | replace "+" "")) 21 }} - apiVersion: kubescheduler.config.k8s.io/v1beta3 - kind: KubeSchedulerConfiguration - leaderElection: - resourceLock: endpoints - resourceName: {{ include "jupyterhub.user-scheduler-lock.fullname" . }} - resourceNamespace: "{{ .Release.Namespace }}" - profiles: - - schedulerName: {{ include "jupyterhub.user-scheduler.fullname" . }} - {{- with .Values.scheduling.userScheduler.plugins }} - plugins: - {{- . | toYaml | nindent 10 }} - {{- end }} - {{- with .Values.scheduling.userScheduler.pluginConfig }} - pluginConfig: - {{- . | toYaml | nindent 10 }} - {{- end }} - {{- else }} - # WARNING: The tag of this image is hardcoded, and the - # "scheduling.userScheduler.plugins" configuration of the Helm - # chart that generated this resource manifest wasn't respected. If - # you install the Helm chart in a k8s cluster versioned 1.21 or - # higher, your configuration will be respected. - apiVersion: kubescheduler.config.k8s.io/v1beta1 - kind: KubeSchedulerConfiguration - leaderElection: - resourceLock: endpoints - resourceName: {{ include "jupyterhub.user-scheduler-lock.fullname" . }} - resourceNamespace: "{{ .Release.Namespace }}" - profiles: - - schedulerName: {{ include "jupyterhub.user-scheduler.fullname" . }} - plugins: - score: - disabled: - - name: SelectorSpread - - name: TaintToleration - - name: PodTopologySpread - - name: NodeResourcesBalancedAllocation - - name: NodeResourcesLeastAllocated - # Disable plugins to be allowed to enable them again with a - # different weight and avoid an error. - - name: NodePreferAvoidPods - - name: NodeAffinity - - name: InterPodAffinity - - name: ImageLocality - enabled: - - name: NodePreferAvoidPods - weight: 161051 - - name: NodeAffinity - weight: 14631 - - name: InterPodAffinity - weight: 1331 - - name: NodeResourcesMostAllocated - weight: 121 - - name: ImageLocality - weight: 11 - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-scheduler/deployment.yaml b/charts/application-hub/templates/scheduling/user-scheduler/deployment.yaml deleted file mode 100644 index 58bb23a..0000000 --- a/charts/application-hub/templates/scheduling/user-scheduler/deployment.yaml +++ /dev/null @@ -1,109 +0,0 @@ -{{- if .Values.scheduling.userScheduler.enabled -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "jupyterhub.user-scheduler-deploy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if typeIs "int" .Values.scheduling.userScheduler.revisionHistoryLimit }} - revisionHistoryLimit: {{ .Values.scheduling.userScheduler.revisionHistoryLimit }} - {{- end }} - replicas: {{ .Values.scheduling.userScheduler.replicas }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "jupyterhub.matchLabels" . | nindent 8 }} - {{- with .Values.scheduling.userScheduler.labels }} - {{- . | toYaml | nindent 8 }} - {{- end }} - annotations: - checksum/config-map: {{ include (print $.Template.BasePath "/scheduling/user-scheduler/configmap.yaml") . | sha256sum }} - {{- with .Values.scheduling.userScheduler.annotations }} - {{- . | toYaml | nindent 8 }} - {{- end }} - spec: - {{ with include "jupyterhub.user-scheduler-serviceaccount.fullname" . }} - serviceAccountName: {{ . }} - {{- end }} - {{- if .Values.scheduling.podPriority.enabled }} - priorityClassName: {{ include "jupyterhub.priority.fullname" . }} - {{- end }} - {{- with .Values.scheduling.userScheduler.nodeSelector }} - nodeSelector: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- with concat .Values.scheduling.corePods.tolerations .Values.scheduling.userScheduler.tolerations }} - tolerations: - {{- . | toYaml | nindent 8 }} - {{- end }} - {{- include "jupyterhub.coreAffinity" . | nindent 6 }} - volumes: - - name: config - configMap: - name: {{ include "jupyterhub.user-scheduler-deploy.fullname" . }} - {{- with include "jupyterhub.imagePullSecrets" (dict "root" . "image" .Values.scheduling.userScheduler.image) }} - imagePullSecrets: {{ . }} - {{- end }} - containers: - - name: kube-scheduler - {{- /* - FIXME: We have added a workaround for EKS where - .Capabilities.KubeVersion.Minor can return a - string like "22+" instead of just "22". - - See https://github.com/aws/eks-distro/issues/1128. - */}} - {{- if ge (atoi (.Capabilities.KubeVersion.Minor | replace "+" "")) 21 }} - image: {{ .Values.scheduling.userScheduler.image.name }}:{{ .Values.scheduling.userScheduler.image.tag }} - {{- else }} - # WARNING: The tag of this image is hardcoded, and the - # "scheduling.userScheduler.image.tag" configuration of the - # Helm chart that generated this resource manifest isn't - # respected. If you install the Helm chart in a k8s cluster - # versioned 1.21 or higher, your configuration will be - # respected. - image: {{ .Values.scheduling.userScheduler.image.name }}:v1.20.15 - {{- end }} - {{- with .Values.scheduling.userScheduler.image.pullPolicy }} - imagePullPolicy: {{ . }} - {{- end }} - command: - - /usr/local/bin/kube-scheduler - # NOTE: --authentication-skip-lookup=true is used to avoid a - # seemingly harmless error, if we need to not skip - # "authentication lookup" in the future, see the linked issue. - # - # ref: https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues/1894 - - --config=/etc/user-scheduler/config.yaml - - --authentication-skip-lookup=true - - --v={{ .Values.scheduling.userScheduler.logLevel }} - volumeMounts: - - mountPath: /etc/user-scheduler - name: config - livenessProbe: - httpGet: - path: /healthz - scheme: HTTPS - port: 10259 - initialDelaySeconds: 15 - readinessProbe: - httpGet: - path: /healthz - scheme: HTTPS - port: 10259 - {{- with .Values.scheduling.userScheduler.resources }} - resources: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.scheduling.userScheduler.containerSecurityContext }} - securityContext: - {{- . | toYaml | nindent 12 }} - {{- end }} - {{- with .Values.scheduling.userScheduler.extraPodSpec }} - {{- . | toYaml | nindent 6 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-scheduler/pdb.yaml b/charts/application-hub/templates/scheduling/user-scheduler/pdb.yaml deleted file mode 100644 index 3a9544e..0000000 --- a/charts/application-hub/templates/scheduling/user-scheduler/pdb.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if and .Values.scheduling.userScheduler.enabled .Values.scheduling.userScheduler.pdb.enabled -}} -{{- if .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- /* k8s 1.21+ required */ -}} -apiVersion: policy/v1 -{{- else }} -apiVersion: policy/v1beta1 -{{- end }} -kind: PodDisruptionBudget -metadata: - name: {{ include "jupyterhub.user-scheduler-deploy.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - {{- if not (typeIs "" .Values.scheduling.userScheduler.pdb.maxUnavailable) }} - maxUnavailable: {{ .Values.scheduling.userScheduler.pdb.maxUnavailable }} - {{- end }} - {{- if not (typeIs "" .Values.scheduling.userScheduler.pdb.minAvailable) }} - minAvailable: {{ .Values.scheduling.userScheduler.pdb.minAvailable }} - {{- end }} - selector: - matchLabels: - {{- include "jupyterhub.matchLabels" . | nindent 6 }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-scheduler/rbac.yaml b/charts/application-hub/templates/scheduling/user-scheduler/rbac.yaml deleted file mode 100644 index f77640b..0000000 --- a/charts/application-hub/templates/scheduling/user-scheduler/rbac.yaml +++ /dev/null @@ -1,233 +0,0 @@ -{{- if .Values.scheduling.userScheduler.enabled -}} -{{- if .Values.rbac.create -}} -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.user-scheduler.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -rules: - # Copied from the system:kube-scheduler ClusterRole of the k8s version - # matching the kube-scheduler binary we use. A modification has been made to - # resourceName fields to remain relevant for how we have named our resources - # in this Helm chart. - # - # NOTE: These rules have been: - # - unchanged between 1.12 and 1.15 - # - changed in 1.16 - # - changed in 1.17 - # - unchanged between 1.18 and 1.20 - # - changed in 1.21: get/list/watch permission for namespace, - # csidrivers, csistoragecapacities was added. - # - unchanged between 1.22 and 1.23 - # - # ref: https://github.com/kubernetes/kubernetes/blob/v1.23.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L705-L861 - - apiGroups: - - "" - - events.k8s.io - resources: - - events - verbs: - - create - - patch - - update - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - apiGroups: - - coordination.k8s.io - resourceNames: - - {{ include "jupyterhub.user-scheduler-lock.fullname" . }} - resources: - - leases - verbs: - - get - - update - - apiGroups: - - "" - resources: - - endpoints - verbs: - - create - - apiGroups: - - "" - resourceNames: - - {{ include "jupyterhub.user-scheduler-lock.fullname" . }} - resources: - - endpoints - verbs: - - get - - update - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - watch - - apiGroups: - - "" - resources: - - bindings - - pods/binding - verbs: - - create - - apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update - - apiGroups: - - "" - resources: - - replicationcontrollers - - services - verbs: - - get - - list - - watch - - apiGroups: - - apps - - extensions - resources: - - replicasets - verbs: - - get - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - policy - resources: - - poddisruptionbudgets - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - - persistentvolumes - verbs: - - get - - list - - watch - - apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create - - apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create - - apiGroups: - - storage.k8s.io - resources: - - csinodes - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - csidrivers - verbs: - - get - - list - - watch - - apiGroups: - - storage.k8s.io - resources: - - csistoragecapacities - verbs: - - get - - list - - watch - - # Copied from the system:volume-scheduler ClusterRole of the k8s version - # matching the kube-scheduler binary we use. - # - # NOTE: These rules have not changed between 1.12 and 1.23. - # - # ref: https://github.com/kubernetes/kubernetes/blob/v1.23.0/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L1280-L1307 - - apiGroups: - - "" - resources: - - persistentvolumes - verbs: - - get - - list - - patch - - update - - watch - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - persistentvolumeclaims - verbs: - - get - - list - - patch - - update - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "jupyterhub.user-scheduler.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -subjects: - - kind: ServiceAccount - name: {{ include "jupyterhub.user-scheduler-serviceaccount.fullname" . }} - namespace: "{{ .Release.Namespace }}" -roleRef: - kind: ClusterRole - name: {{ include "jupyterhub.user-scheduler.fullname" . }} - apiGroup: rbac.authorization.k8s.io -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/scheduling/user-scheduler/serviceaccount.yaml b/charts/application-hub/templates/scheduling/user-scheduler/serviceaccount.yaml deleted file mode 100644 index f84ffc1..0000000 --- a/charts/application-hub/templates/scheduling/user-scheduler/serviceaccount.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.scheduling.userScheduler.enabled -}} -{{- if .Values.scheduling.userScheduler.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "jupyterhub.user-scheduler-serviceaccount.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} - {{- with .Values.scheduling.userScheduler.serviceAccount.annotations }} - annotations: - {{- . | toYaml | nindent 4 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/charts/application-hub/templates/singleuser/netpol.yaml b/charts/application-hub/templates/singleuser/netpol.yaml deleted file mode 100644 index f388b81..0000000 --- a/charts/application-hub/templates/singleuser/netpol.yaml +++ /dev/null @@ -1,99 +0,0 @@ -{{- if and .Values.singleuser.networkPolicy.enabled -}} -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "jupyterhub.singleuser.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -spec: - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "singleuser-server") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 6 }} - policyTypes: - - Ingress - - Egress - - # IMPORTANT: - # NetworkPolicy's ingress "from" and egress "to" rule specifications require - # great attention to detail. A quick summary is: - # - # 1. You can provide "from"/"to" rules that provide access either ports or a - # subset of ports. - # 2. You can for each "from"/"to" rule provide any number of - # "sources"/"destinations" of four different kinds. - # - podSelector - targets pods with a certain label in the same namespace as the NetworkPolicy - # - namespaceSelector - targets all pods running in namespaces with a certain label - # - namespaceSelector and podSelector - targets pods with a certain label running in namespaces with a certain label - # - ipBlock - targets network traffic from/to a set of IP address ranges - # - # Read more at: https://kubernetes.io/docs/concepts/services-networking/network-policies/#behavior-of-to-and-from-selectors - # - ingress: - {{- with .Values.singleuser.networkPolicy.allowedIngressPorts }} - # allow incoming traffic to these ports independent of source - - ports: - {{- range $port := . }} - - port: {{ $port }} - {{- end }} - {{- end }} - - # allowed pods (hub.jupyter.org/network-access-singleuser) --> singleuser-server - - ports: - - port: notebook-port - from: - # source 1 - labeled pods - - podSelector: - matchLabels: - hub.jupyter.org/network-access-singleuser: "true" - {{- if eq .Values.singleuser.networkPolicy.interNamespaceAccessLabels "accept" }} - namespaceSelector: - matchLabels: {} # without this, the podSelector would only consider pods in the local namespace - # source 2 - pods in labeled namespaces - - namespaceSelector: - matchLabels: - hub.jupyter.org/network-access-singleuser: "true" - {{- end }} - - {{- with .Values.singleuser.networkPolicy.ingress }} - # depends, but default is nothing --> singleuser-server - {{- . | toYaml | nindent 4 }} - {{- end }} - - egress: - # singleuser-server --> hub - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "hub") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8081 - - # singleuser-server --> proxy - # singleuser-server --> autohttps - # - # While not critical for core functionality, a user or library code may rely - # on communicating with the proxy or autohttps pods via a k8s Service it can - # detected from well known environment variables. - # - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "proxy") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8000 - - to: - - podSelector: - matchLabels: - {{- $_ := merge (dict "componentLabel" "autohttps") . }} - {{- include "jupyterhub.matchLabels" $_ | nindent 14 }} - ports: - - port: 8080 - - port: 8443 - - {{- with (include "jupyterhub.networkPolicy.renderEgressRules" (list . .Values.singleuser.networkPolicy)) }} - {{- . | nindent 4 }} - {{- end }} -{{- end }} diff --git a/charts/application-hub/templates/singleuser/secret.yaml b/charts/application-hub/templates/singleuser/secret.yaml deleted file mode 100644 index f4a5fe2..0000000 --- a/charts/application-hub/templates/singleuser/secret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -{{- if .Values.singleuser.extraFiles }} -kind: Secret -apiVersion: v1 -metadata: - name: {{ include "jupyterhub.singleuser.fullname" . }} - labels: - {{- include "jupyterhub.labels" . | nindent 4 }} -type: Opaque -{{- with include "jupyterhub.extraFiles.data" .Values.singleuser.extraFiles }} -data: - {{- . | nindent 2 }} -{{- end }} -{{- with include "jupyterhub.extraFiles.stringData" .Values.singleuser.extraFiles }} -stringData: - {{- . | nindent 2 }} -{{- end }} -{{- end }}