Upgrade jupyterhub chart

charts/jupyterhub/Chart.yaml

-appVersion: v0.8.1
+appVersion: 0.9.3
 description: Multi-user Jupyter installation
 home: https://z2jh.jupyter.org
 icon: https://jupyter.org/assets/hublogo.svg
@@ -6,5 +6,5 @@ kubeVersion: '>=1.8.0-0'
 name: jupyterhub
 sources:
 - https://github.com/jupyterhub/zero-to-jupyterhub-k8s
-tillerVersion: '>=2.7.0-0'
-version: v0.7-560a7cd
+tillerVersion: '>=2.9.1-0'
+version: 0.8-c0b4dcf

charts/jupyterhub/templates/_helpers.tpl

@@ -9,7 +9,7 @@
   generate some output based on one single dictionary of input that we call the
   helpers scope. When you are in helm, you access your current scope with a
   single a single punctuation (.).
-  
+
   When you ask a helper to render its content, one often forward the current
   scope to the helper in order to allow it to access .Release.Name,
   .Values.rbac.enabled and similar values.
@@ -27,7 +27,7 @@
   To let a helper access the current scope along with additional values we have
   opted to create dictionary containing additional values that is then populated
   with additional values from the current scope through a the merge function.
-  
+
   #### Example - Passing a new scope augmented with the old
   {{- $_ := merge (dict "appLabel" "kube-lego") . }}
   {{- include "jupyterhub.matchLabels" $_ | nindent 6 }}
@@ -55,7 +55,7 @@
   ## Example usage
   ```yaml
   # Excerpt from proxy/autohttps/deployment.yaml
-  apiVersion: apps/v1beta2
+  apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: {{ include "jupyterhub.nameField" . }}
@@ -97,7 +97,7 @@
     Used by "jupyterhub.labels" and "jupyterhub.nameField".
 
     NOTE: The component label is determined by either...
-    - 1: The provided scope's .componentLabel 
+    - 1: The provided scope's .componentLabel
     - 2: The template's filename if living in the root folder
     - 3: The template parent folder's name
     -  : ...and is combined with .componentPrefix and .componentSuffix
@@ -163,12 +163,77 @@ component: {{ include "jupyterhub.componentLabel" . }}
 
 
 {{- /*
-  jupyterhub.podCullerSelector:
-    Used to by the pod-culler to select singleuser-server pods. It simply
-    reformats "jupyterhub.matchLabels" and sets the componentLabel value so
-    `component=singleuser-server` is output.
+  jupyterhub.dockerconfigjson:
+    Creates a base64 encoded docker registry json blob for use in a image pull
+    secret, just like the `kubectl create secret docker-registry` command does
+    for the generated secrets data.dockerconfigjson field. The output is
+    verified to be exactly the same even if you have a password spanning
+    multiple lines as you may need to use a private GCR registry.
+
+    - https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 */}}
-{{- define "jupyterhub.podCullerSelector" -}}
-{{- $_ := merge (dict "componentLabel" "singleuser-server") . -}}
-{{ include "jupyterhub.matchLabels" $_ | replace ": " "=" | replace "\n" "," | quote }}
+{{- define "jupyterhub.dockerconfigjson" -}}
+{{ include "jupyterhub.dockerconfigjson.yaml" . | b64enc }}
+{{- end }}
+
+{{- define "jupyterhub.dockerconfigjson.yaml" -}}
+{{- with .Values.singleuser.imagePullSecret -}}
+{
+  "auths": {
+    {{ .registry | default "https://index.docker.io/v1/" | quote }}: {
+      "username": {{ .username | quote }},
+      "password": {{ .password | quote }},
+      {{- if .email }}
+      "email": {{ .email | quote }},
+      {{- end }}
+      "auth": {{ (print .username ":" .password) | b64enc | quote }}
+    }
+  }
+}
+{{- end }}
+{{- end }}
+
+
+{{- /*
+  jupyterhub.resources:
+    The resource request of a singleuser.
+*/}}
+{{- define "jupyterhub.resources" -}}
+{{- $r1 := .Values.singleuser.cpu.guarantee -}}
+{{- $r2 := .Values.singleuser.memory.guarantee -}}
+{{- $r3 := .Values.singleuser.extraResource.guarantees -}}
+{{- $r := or $r1 $r2 $r3 -}}
+{{- $l1 := .Values.singleuser.cpu.limit -}}
+{{- $l2 := .Values.singleuser.memory.limit -}}
+{{- $l3 := .Values.singleuser.extraResource.limits -}}
+{{- $l := or $l1 $l2 $l3 -}}
+{{- if $r -}}
+requests:
+  {{- if $r1 }}
+  cpu: {{ .Values.singleuser.cpu.guarantee }}
+  {{- end }}
+  {{- if $r2 }}
+  memory: {{ .Values.singleuser.memory.guarantee }}
+  {{- end }}
+  {{- if $r3 }}
+  {{- range $key, $value := .Values.singleuser.extraResource.guarantees }}
+  {{ $key | quote }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
+
+{{- if $l }}
+limits:
+  {{- if $l1 }}
+  cpu: {{ .Values.singleuser.cpu.limit }}
+  {{- end }}
+  {{- if $l2 }}
+  memory: {{ .Values.singleuser.memory.limit }}
+  {{- end }}
+  {{- if $l3 }}
+  {{- range $key, $value := .Values.singleuser.extraResource.limits }}
+  {{ $key | quote }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
 {{- end }}

charts/jupyterhub/templates/hub/configmap.yaml

@@ -12,6 +12,7 @@ data:
   cull.timeout: {{ .Values.cull.timeout | quote }}
   cull.every: {{ .Values.cull.every | quote }}
   cull.concurrency: {{ .Values.cull.concurrency | quote }}
+  cull.max-age: {{ .Values.cull.maxAge | quote }}
   {{- end }}
 
 
@@ -67,10 +68,11 @@ data:
   auth.gitlab.client-secret: {{ .Values.auth.gitlab.clientSecret | quote }}
   auth.gitlab.callback-url: {{ .Values.auth.gitlab.callbackUrl | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "mediawiki" }}
   auth.mediawiki.client-id: {{ .Values.auth.mediawiki.clientId | quote }}
   auth.mediawiki.client-secret: {{ .Values.auth.mediawiki.clientSecret | quote }}
+  auth.mediawiki.callback-url: {{ .Values.auth.mediawiki.callbackUrl | quote }}
   auth.mediawiki.index-url: {{ .Values.auth.mediawiki.indexUrl | quote }}
   {{- end }}
 
@@ -80,7 +82,7 @@ data:
   auth.globus.callback-url: {{ .Values.auth.globus.callbackUrl | quote }}
   auth.globus.identity-provider: {{ .Values.auth.globus.identityProvider | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "lti" }}
   auth.lti.consumers: |
     {{- .Values.auth.lti.consumers | toYaml | trimSuffix "\n" | nindent 4 }}
@@ -108,7 +110,7 @@ data:
   auth.ldap.dn.user.search-base: {{ .Values.auth.ldap.dn.user.searchBase | quote }}
   auth.ldap.dn.user.attribute: {{ .Values.auth.ldap.dn.user.attribute | quote }}
   {{- end }}
-  
+
   {{- if eq .Values.auth.type "dummy" }}
   {{- if .Values.auth.dummy.password }}
   auth.dummy.password: {{ .Values.auth.dummy.password | quote }}
@@ -127,12 +129,19 @@ data:
   {{- if .Values.singleuser.initContainers }}
   singleuser.init-containers: {{ toJson .Values.singleuser.initContainers | quote }}
   {{- end }}
+  {{- if .Values.singleuser.extraContainers }}
+  singleuser.extra-containers: {{ toJson .Values.singleuser.extraContainers | quote }}
+  {{- end }}
   singleuser.network-tools.image.name: {{ .Values.singleuser.networkTools.image.name | quote }}
   singleuser.network-tools.image.tag: {{ .Values.singleuser.networkTools.image.tag | quote }}
   singleuser.cloud-metadata: |
     {{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }}
   singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }}
+  singleuser.image-spec: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
   singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }}
+  {{- if .Values.singleuser.imagePullSecret.enabled }}
+  singleuser.image-pull-secret-name: singleuser-image-credentials
+  {{- end }}
   {{- if .Values.singleuser.cmd }}
   singleuser.cmd: {{ .Values.singleuser.cmd | quote }}
   {{- end }}
@@ -146,9 +155,6 @@ data:
   singleuser.service-account-name: {{ .Values.singleuser.serviceAccountName | quote }}
   {{- end }}
   singleuser.node-selector: {{ toJson .Values.singleuser.nodeSelector | quote }}
-  {{- if .Values.singleuser.schedulerStrategy }}
-  singleuser.scheduler-strategy: {{ .Values.singleuser.schedulerStrategy | quote }}
-  {{- end }}
   singleuser.storage.type: {{ .Values.singleuser.storage.type | quote }}
   singleuser.storage.home_mount_path: {{ .Values.singleuser.storage.homeMountPath | quote }}
   singleuser.storage.extra-volumes: {{ toJson .Values.singleuser.storage.extraVolumes | quote }}
@@ -179,19 +185,77 @@ data:
   {{- if .Values.singleuser.cpu.guarantee }}
   singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote }}
   {{- end }}
+  {{- if .Values.singleuser.extraResource.limits }}
+  singleuser.extra-resource.limits: |
+    {{- range $key, $value := .Values.singleuser.extraResource.limits }}
+    {{ $key | quote }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.singleuser.extraResource.guarantees }}
+  singleuser.extra-resource.guarantees: |
+    {{- range $key, $value := .Values.singleuser.extraResource.guarantees }}
+    {{ $key | quote }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
+  {{- if .Values.singleuser.extraAnnotations }}
+  singleuser.extra-annotations: |
+    {{- range $key, $value := .Values.singleuser.extraAnnotations }}
+    {{ $key | quote }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
   singleuser.extra-labels: |
     hub.jupyter.org/network-access-hub: "true"
     {{- range $key, $value := .Values.singleuser.extraLabels }}
     {{ $key | quote }}: {{ $value | quote }}
     {{- end }}
+  {{- if .Values.singleuser.storage.extraLabels }}
+  singleuser.storage-extra-labels: |
+    {{- range $key, $value := .Values.singleuser.storage.extraLabels }}
+    {{ $key | quote }}: {{ $value | quote }}
+    {{- end }}
+  {{- end }}
   {{- if .Values.singleuser.extraEnv }}
   singleuser.extra-env: |
     {{- range $key, $value := .Values.singleuser.extraEnv }}
     {{ $key | quote }}: {{ $value | quote }}
     {{- end }}
   {{- end }}
-  
-  
+
+  singleuser.tolerations: |
+    {{- include "jupyterhub.userTolerations" . | nindent 4 }}
+
+  {{- if include "jupyterhub.userNodeAffinityRequired" . }}
+  singleuser.node-affinity-required: |
+    {{- include "jupyterhub.userNodeAffinityRequired" . | nindent 4 }}
+  {{- end }}
+  {{- if include "jupyterhub.userNodeAffinityPreferred" . }}
+  singleuser.node-affinity-preferred: |
+    {{- include "jupyterhub.userNodeAffinityPreferred" . | nindent 4 }}
+  {{- end }}
+  {{- if include "jupyterhub.userPodAffinityRequired" . }}
+  singleuser.pod-affinity-required: |
+    {{- include "jupyterhub.userPodAffinityRequired" . | nindent 4 }}
+  {{- end }}
+  {{- if include "jupyterhub.userPodAffinityPreferred" . }}
+  singleuser.pod-affinity-preferred: |
+    {{- include "jupyterhub.userPodAffinityPreferred" . | nindent 4 }}
+  {{- end }}
+  {{- if include "jupyterhub.userPodAntiAffinityRequired" . }}
+  singleuser.pod-anti-affinity-required: |
+    {{- include "jupyterhub.userPodAntiAffinityRequired" . | nindent 4 }}
+  {{- end }}
+  {{- if include "jupyterhub.userPodAntiAffinityPreferred" . }}
+  singleuser.pod-anti-affinity-preferred: |
+    {{- include "jupyterhub.userPodAntiAffinityPreferred" . | nindent 4 }}
+  {{- end }}
+
+  {{- if .Values.scheduling.userScheduler.enabled }}
+  singleuser.scheduler-name: "{{ .Release.Name }}-user-scheduler"
+  {{- end }}
+  {{- if .Values.scheduling.podPriority.enabled }}
+  singleuser.priority_class_name: "{{ .Release.Name }}-default-priority"
+  {{- end }}
+
   {{- /* KubeSpawner */}}
   kubespawner.common-labels: |
     {{- $_ := merge (dict "heritageLabel" "jupyterhub") . }}
@@ -199,7 +263,9 @@ data:
 
 
   {{- /* Hub */}}
+  hub.allow-named-servers: {{ .Values.hub.allowNamedServers | quote }}
   hub.concurrent-spawn-limit: {{ .Values.hub.concurrentSpawnLimit | quote }}
+  hub.consecutive-failure-limit: {{ .Values.hub.consecutiveFailureLimit | quote }}
   {{- if .Values.hub.activeServerLimit }}
   hub.active-server-limit: {{ .Values.hub.activeServerLimit | quote }}
   {{- end }}

charts/jupyterhub/templates/hub/deployment.yaml

-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: hub
@@ -30,21 +30,11 @@ spec:
         {{- .Values.hub.annotations | toYaml | trimSuffix "\n" | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.scheduling.podPriority.enabled }}
+      priorityClassName: {{ .Release.Name }}-default-priority
+      {{- end }}
       nodeSelector: {{ toJson .Values.hub.nodeSelector }}
-      affinity:
-        podAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 1
-              podAffinityTerm:
-                topologyKey: kubernetes.io/hostname
-                labelSelector:
-                  matchExpressions:
-                    - key: component
-                      operator: In
-                      values: ['proxy']
-                    - key: release
-                      operator: In
-                      values: [{{ .Release.Name | quote }}]
+      {{- include "jupyterhub.coreAffinity" . | nindent 6 }}
       volumes:
         - name: config
           configMap:
@@ -118,9 +108,6 @@ spec:
             {{- .Values.hub.resources | toYaml | trimSuffix "\n" | nindent 12 }}
           imagePullPolicy: {{ .Values.hub.imagePullPolicy }}
           env:
-            {{- /* Put this here directly so hub will restart when we change this */}}
-            - name: SINGLEUSER_IMAGE
-              value: "{{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}"
             {{- if .Values.hub.cookieSecret }}
             - name: JPY_COOKIE_SECRET
               valueFrom:

charts/jupyterhub/templates/hub/netpol.yaml

@@ -2,7 +2,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: hub-network-policy
+  name: hub
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
 spec:

charts/jupyterhub/templates/hub/pdb.yaml

@@ -6,7 +6,7 @@ metadata:
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
 spec:
-  minAvailable: 1
+  minAvailable: {{ .Values.hub.pdb.minAvailable }}
   selector:
     matchLabels:
       {{- include "jupyterhub.matchLabels" . | nindent 6 }}

charts/jupyterhub/templates/hub/rbac.yaml

@@ -7,7 +7,7 @@ metadata:
     {{- include "jupyterhub.labels" . | nindent 4 }}
 ---
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: hub
   labels:
@@ -21,7 +21,7 @@ rules:
     verbs: ["get", "watch", "list"]
 ---
 kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: hub
   labels:

charts/jupyterhub/templates/image-puller/_daemonset-helper.yaml

@@ -4,11 +4,10 @@ Returns an image-puller daemonset. Two daemonsets will be created like this.
 - continuous-image-puller: for newly added nodes image pulling
 */}}
 {{- define "jupyterhub.imagePuller.daemonset" -}}
-apiVersion: extensions/v1beta1
+apiVersion: apps/v1
 kind: DaemonSet
 metadata:
-  {{- $label := print "-" .Release.Time.Seconds }}
-  name: {{ print .componentPrefix "image-puller" }}{{- if .hook }}{{ $label }}{{- end }}
+  name: {{ print .componentPrefix "image-puller" }}
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
     {{- if .hook }}
@@ -20,7 +19,7 @@ metadata:
     Allows the daemonset to be deleted when the image-awaiter job is completed.
     */}}
     "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "-10"
   {{- end }}
 spec:
@@ -34,11 +33,25 @@ spec:
   template:
     metadata:
       labels:
-        {{- /* Changes here will cause the Deployment to restart the pods. */}}
+        {{- /* Changes here will cause the DaemonSet to restart the pods. */}}
         {{- include "jupyterhub.matchLabels" . | nindent 8 }}
     spec:
+      tolerations:
+        {{- include "jupyterhub.userTolerations" . | nindent 8 }}
+      nodeSelector: {{ toJson .Values.singleuser.nodeSelector }}
+      {{- if include "jupyterhub.userNodeAffinityRequired" . }}
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              {{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }}
+      {{- end }}
       terminationGracePeriodSeconds: 0
       automountServiceAccountToken: false
+      {{- if .Values.singleuser.imagePullSecret.enabled }}
+      imagePullSecrets:
+        - name: {{ if .hook -}} hook- {{- end -}} singleuser-image-credentials
+      {{- end }}
       initContainers:
         - name: image-pull-singleuser
           image: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
@@ -59,6 +72,15 @@ spec:
         {{- range $k, $v := .Values.prePuller.extraImages }}
         - name: image-pull-{{ $k }}
           image: {{ $v.name }}:{{ $v.tag }}
+          imagePullPolicy: {{ $v.policy | default "IfNotPresent" }}
+          command:
+            - /bin/sh
+            - -c
+            - echo "Pulling complete"
+        {{- end }}
+        {{- range $k, $container := .Values.singleuser.extraContainers }}
+        - name: image-pull-singleuser-extra-container-{{ $k }}
+          image: {{ $container.image }}
           imagePullPolicy: IfNotPresent
           command:
             - /bin/sh

charts/jupyterhub/templates/image-puller/job.yaml

@@ -9,24 +9,24 @@ command.
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+  name: hook-image-awaiter
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
     hub.jupyter.org/deletable: "true"
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "10"
 spec:
   template:
     metadata:
       labels:
-        {{- /* Changes here will cause the Deployment to restart the pods. */}}
+        {{- /* Changes here will cause the Job to restart the pods. */}}
         {{- include "jupyterhub.matchLabels" . | nindent 8 }}
     spec:
       restartPolicy: Never
       {{- if .Values.rbac.enabled }}
-      serviceAccountName: hook-image-awaiter-{{ .Release.Time.Seconds }}
+      serviceAccountName: hook-image-awaiter
       {{- end }}
       containers:
         - image: {{ .Values.prePuller.hook.image.name }}:{{ .Values.prePuller.hook.image.tag }}
@@ -38,5 +38,5 @@ spec:
             - -auth-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
             - -api-server-address=https://$(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT)
             - -namespace={{ .Release.Namespace }}
-            - -daemonset=hook-image-puller-{{ .Release.Time.Seconds }}
+            - -daemonset=hook-image-puller
 {{- end }}

charts/jupyterhub/templates/image-puller/rbac.yaml

@@ -9,28 +9,28 @@ This service account...
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+  name: hook-image-awaiter
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
     hub.jupyter.org/deletable: "true"
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "0"
 ---
 {{- /*
 ... will be used by this role...
 */}}
 kind: Role
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+  name: hook-image-awaiter
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
     hub.jupyter.org/deletable: "true"
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "0"
 rules:
   - apiGroups: ["apps"]       # "" indicates the core API group
@@ -41,23 +41,23 @@ rules:
 ... as declared by this binding.
 */}}
 kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+  name: hook-image-awaiter
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
     hub.jupyter.org/deletable: "true"
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
     "helm.sh/hook-weight": "0"
 subjects:
   - kind: ServiceAccount
-    name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+    name: hook-image-awaiter
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
-  name: hook-image-awaiter-{{ .Release.Time.Seconds }}
+  name: hook-image-awaiter
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}

charts/jupyterhub/templates/proxy/autohttps/deployment.yaml

 {{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }}
 {{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }}
 {{- if $autoHTTPS -}}
-apiVersion: apps/v1beta2
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: autohttps
@@ -35,22 +35,12 @@ spec:
       {{- if .Values.rbac.enabled }}
       serviceAccountName: autohttps
       {{- end }}
-      nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
+      {{- if .Values.scheduling.podPriority.enabled }}
+      priorityClassName: {{ .Release.Name }}-default-priority
+      {{- end }}
       terminationGracePeriodSeconds: 60
-      affinity:
-        podAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 1
-              podAffinityTerm:
-                topologyKey: kubernetes.io/hostname
-                labelSelector:
-                  matchExpressions:
-                    - key: component
-                      operator: In
-                      values: ['hub']
-                    - key: release
-                      operator: In
-                      values: [{{ .Release.Name | quote }}]
+      nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
+      {{- include "jupyterhub.coreAffinity" . | nindent 6 }}
       containers:
         - name: nginx
           image: "{{ .Values.proxy.nginx.image.name }}:{{ .Values.proxy.nginx.image.tag }}"

charts/jupyterhub/templates/proxy/autohttps/rbac.yaml

@@ -11,7 +11,7 @@ metadata:
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: nginx-{{ .Release.Name }}
@@ -74,7 +74,7 @@ rules:
     verbs:
       - update
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: nginx-{{ .Release.Name }}
@@ -89,7 +89,7 @@ subjects:
     name: autohttps
     namespace: {{ .Release.Namespace }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: nginx
@@ -129,7 +129,7 @@ rules:
       - get
       - update
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: kube-lego
@@ -166,7 +166,7 @@ rules:
   - create
   - update
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: nginx
@@ -181,7 +181,7 @@ subjects:
     name: autohttps
     namespace: {{ .Release.Namespace }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: kube-lego

charts/jupyterhub/templates/proxy/deployment.yaml

 {{- $manualHTTPS := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual")) -}}
-apiVersion: apps/v1beta2
+{{- $manualHTTPSwithsecret := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret")) -}}
+apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: proxy
@@ -28,22 +29,18 @@ spec:
         {{- .Values.proxy.annotations | toYaml | trimSuffix "\n" | nindent 8 }}
         {{- end }}
     spec:
-      nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
       terminationGracePeriodSeconds: 60
-      affinity:
-        podAffinity:
-          preferredDuringSchedulingIgnoredDuringExecution:
-            - weight: 1
-              podAffinityTerm:
-                topologyKey: kubernetes.io/hostname
-                labelSelector:
-                  matchExpressions:
-                    - key: component
-                      operator: In
-                      values: ['hub']
-                    - key: release
-                      operator: In
-                      values: [{{ .Release.Name | quote }}]
+      {{- if .Values.scheduling.podPriority.enabled }}
+      priorityClassName: {{ .Release.Name }}-default-priority
+      {{- end }}
+      nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
+      {{- include "jupyterhub.coreAffinity" . | nindent 6 }}
+      {{- if $manualHTTPSwithsecret }}
+      volumes:
+        - name: tls-secret
+          secret:
+            secretName: {{ .Values.proxy.https.secret.name }}
+      {{- end }}
       {{- if $manualHTTPS }}
       volumes:
         - name: tls-secret
@@ -65,13 +62,18 @@ spec:
             - --redirect-port=8000
             - --ssl-key=/etc/chp/tls/tls.key
             - --ssl-cert=/etc/chp/tls/tls.crt
+            {{- else if $manualHTTPSwithsecret }}
+            - --port=8443
+            - --redirect-port=8000
+            - --ssl-key=/etc/chp/tls/{{ .Values.proxy.https.secret.key }}
+            - --ssl-cert=/etc/chp/tls/{{ .Values.proxy.https.secret.crt }}
             {{- else }}
             - --port=8000
             {{- end }}
             {{- if .Values.debug.enabled }}
             - --log-level=debug
             {{- end }}
-          {{- if $manualHTTPS }}
+          {{- if or $manualHTTPS $manualHTTPSwithsecret }}
           volumeMounts:
             - name: tls-secret
               mountPath: /etc/chp/tls
@@ -87,7 +89,7 @@ spec:
                   key: proxy.token
           imagePullPolicy: {{ .Values.proxy.chp.image.pullPolicy }}
           ports:
-            {{- if $manualHTTPS }}
+            {{- if or $manualHTTPS $manualHTTPSwithsecret }}
             - containerPort: 8443
               name: proxy-https
             {{- end }}

charts/jupyterhub/templates/proxy/netpol.yaml

 {{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }}
 {{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }}
 {{- $manualHTTPS := (and $HTTPS (eq .Values.proxy.https.type "manual")) }}
+{{- $manualHTTPSwithsecret := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret")) -}}
 {{- if and .Values.proxy.networkPolicy.enabled -}}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: proxy-network-policy
+  name: proxy
   labels:
     {{- include "jupyterhub.labels" . | nindent 4 }}
 spec:
@@ -25,7 +26,7 @@ spec:
       - protocol: TCP
         port: 8000