Commit c690bae6 authored by Will JALLET's avatar Will JALLET 💸

Upgrade jupyterhub chart

parent d1c9fce2
appVersion: v0.8.1
appVersion: 0.9.3
description: Multi-user Jupyter installation
home: https://z2jh.jupyter.org
icon: https://jupyter.org/assets/hublogo.svg
......@@ -6,5 +6,5 @@ kubeVersion: '>=1.8.0-0'
name: jupyterhub
sources:
- https://github.com/jupyterhub/zero-to-jupyterhub-k8s
tillerVersion: '>=2.7.0-0'
version: v0.7-560a7cd
tillerVersion: '>=2.9.1-0'
version: 0.8-c0b4dcf
......@@ -55,7 +55,7 @@
## Example usage
```yaml
# Excerpt from proxy/autohttps/deployment.yaml
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "jupyterhub.nameField" . }}
......@@ -163,12 +163,77 @@ component: {{ include "jupyterhub.componentLabel" . }}
{{- /*
jupyterhub.podCullerSelector:
Used to by the pod-culler to select singleuser-server pods. It simply
reformats "jupyterhub.matchLabels" and sets the componentLabel value so
`component=singleuser-server` is output.
jupyterhub.dockerconfigjson:
Creates a base64 encoded docker registry json blob for use in a image pull
secret, just like the `kubectl create secret docker-registry` command does
for the generated secrets data.dockerconfigjson field. The output is
verified to be exactly the same even if you have a password spanning
multiple lines as you may need to use a private GCR registry.
- https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
*/}}
{{- define "jupyterhub.podCullerSelector" -}}
{{- $_ := merge (dict "componentLabel" "singleuser-server") . -}}
{{ include "jupyterhub.matchLabels" $_ | replace ": " "=" | replace "\n" "," | quote }}
{{- define "jupyterhub.dockerconfigjson" -}}
{{ include "jupyterhub.dockerconfigjson.yaml" . | b64enc }}
{{- end }}
{{- define "jupyterhub.dockerconfigjson.yaml" -}}
{{- with .Values.singleuser.imagePullSecret -}}
{
"auths": {
{{ .registry | default "https://index.docker.io/v1/" | quote }}: {
"username": {{ .username | quote }},
"password": {{ .password | quote }},
{{- if .email }}
"email": {{ .email | quote }},
{{- end }}
"auth": {{ (print .username ":" .password) | b64enc | quote }}
}
}
}
{{- end }}
{{- end }}
{{- /*
jupyterhub.resources:
The resource request of a singleuser.
*/}}
{{- define "jupyterhub.resources" -}}
{{- $r1 := .Values.singleuser.cpu.guarantee -}}
{{- $r2 := .Values.singleuser.memory.guarantee -}}
{{- $r3 := .Values.singleuser.extraResource.guarantees -}}
{{- $r := or $r1 $r2 $r3 -}}
{{- $l1 := .Values.singleuser.cpu.limit -}}
{{- $l2 := .Values.singleuser.memory.limit -}}
{{- $l3 := .Values.singleuser.extraResource.limits -}}
{{- $l := or $l1 $l2 $l3 -}}
{{- if $r -}}
requests:
{{- if $r1 }}
cpu: {{ .Values.singleuser.cpu.guarantee }}
{{- end }}
{{- if $r2 }}
memory: {{ .Values.singleuser.memory.guarantee }}
{{- end }}
{{- if $r3 }}
{{- range $key, $value := .Values.singleuser.extraResource.guarantees }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if $l }}
limits:
{{- if $l1 }}
cpu: {{ .Values.singleuser.cpu.limit }}
{{- end }}
{{- if $l2 }}
memory: {{ .Values.singleuser.memory.limit }}
{{- end }}
{{- if $l3 }}
{{- range $key, $value := .Values.singleuser.extraResource.limits }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
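Review bot: `jupyterhub.dockerconfigjson.yaml` assembles the registry credentials JSON by hand, and nothing checks that `.username` and `.password` are set before they are piped through `quote`. Depending on the Sprig version, a nil value renders either as nothing or as a placeholder string, so a missing field gives a broken or wrong secret that only shows up later as image pull failures. Consider failing at render time, e.g. `"password": {{ required "singleuser.imagePullSecret.password is required" .password | quote }},`, and building the document with `dict` plus `toJson` so escaping follows JSON rules rather than Go's `%q`. The `with` guard also keys on the map being non-empty rather than on `imagePullSecret.enabled`, so the caller (not visible here) has to carry that check.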
......@@ -12,6 +12,7 @@ data:
cull.timeout: {{ .Values.cull.timeout | quote }}
cull.every: {{ .Values.cull.every | quote }}
cull.concurrency: {{ .Values.cull.concurrency | quote }}
cull.max-age: {{ .Values.cull.maxAge | quote }}
{{- end }}
......@@ -71,6 +72,7 @@ data:
{{- if eq .Values.auth.type "mediawiki" }}
auth.mediawiki.client-id: {{ .Values.auth.mediawiki.clientId | quote }}
auth.mediawiki.client-secret: {{ .Values.auth.mediawiki.clientSecret | quote }}
auth.mediawiki.callback-url: {{ .Values.auth.mediawiki.callbackUrl | quote }}
auth.mediawiki.index-url: {{ .Values.auth.mediawiki.indexUrl | quote }}
{{- end }}
......@@ -127,12 +129,19 @@ data:
{{- if .Values.singleuser.initContainers }}
singleuser.init-containers: {{ toJson .Values.singleuser.initContainers | quote }}
{{- end }}
{{- if .Values.singleuser.extraContainers }}
singleuser.extra-containers: {{ toJson .Values.singleuser.extraContainers | quote }}
{{- end }}
singleuser.network-tools.image.name: {{ .Values.singleuser.networkTools.image.name | quote }}
singleuser.network-tools.image.tag: {{ .Values.singleuser.networkTools.image.tag | quote }}
singleuser.cloud-metadata: |
{{- .Values.singleuser.cloudMetadata | toYaml | trimSuffix "\n" | nindent 4 }}
singleuser.start-timeout: {{ .Values.singleuser.startTimeout | quote }}
singleuser.image-spec: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
singleuser.image-pull-policy: {{ .Values.singleuser.image.pullPolicy | quote }}
{{- if .Values.singleuser.imagePullSecret.enabled }}
singleuser.image-pull-secret-name: singleuser-image-credentials
{{- end }}
{{- if .Values.singleuser.cmd }}
singleuser.cmd: {{ .Values.singleuser.cmd | quote }}
{{- end }}
......@@ -146,9 +155,6 @@ data:
singleuser.service-account-name: {{ .Values.singleuser.serviceAccountName | quote }}
{{- end }}
singleuser.node-selector: {{ toJson .Values.singleuser.nodeSelector | quote }}
{{- if .Values.singleuser.schedulerStrategy }}
singleuser.scheduler-strategy: {{ .Values.singleuser.schedulerStrategy | quote }}
{{- end }}
singleuser.storage.type: {{ .Values.singleuser.storage.type | quote }}
singleuser.storage.home_mount_path: {{ .Values.singleuser.storage.homeMountPath | quote }}
singleuser.storage.extra-volumes: {{ toJson .Values.singleuser.storage.extraVolumes | quote }}
......@@ -179,11 +185,35 @@ data:
{{- if .Values.singleuser.cpu.guarantee }}
singleuser.cpu.guarantee: {{ .Values.singleuser.cpu.guarantee | quote }}
{{- end }}
{{- if .Values.singleuser.extraResource.limits }}
singleuser.extra-resource.limits: |
{{- range $key, $value := .Values.singleuser.extraResource.limits }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.singleuser.extraResource.guarantees }}
singleuser.extra-resource.guarantees: |
{{- range $key, $value := .Values.singleuser.extraResource.guarantees }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.singleuser.extraAnnotations }}
singleuser.extra-annotations: |
{{- range $key, $value := .Values.singleuser.extraAnnotations }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
singleuser.extra-labels: |
hub.jupyter.org/network-access-hub: "true"
{{- range $key, $value := .Values.singleuser.extraLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- if .Values.singleuser.storage.extraLabels }}
singleuser.storage-extra-labels: |
{{- range $key, $value := .Values.singleuser.storage.extraLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.singleuser.extraEnv }}
singleuser.extra-env: |
{{- range $key, $value := .Values.singleuser.extraEnv }}
......@@ -191,6 +221,40 @@ data:
{{- end }}
{{- end }}
singleuser.tolerations: |
{{- include "jupyterhub.userTolerations" . | nindent 4 }}
{{- if include "jupyterhub.userNodeAffinityRequired" . }}
singleuser.node-affinity-required: |
{{- include "jupyterhub.userNodeAffinityRequired" . | nindent 4 }}
{{- end }}
{{- if include "jupyterhub.userNodeAffinityPreferred" . }}
singleuser.node-affinity-preferred: |
{{- include "jupyterhub.userNodeAffinityPreferred" . | nindent 4 }}
{{- end }}
{{- if include "jupyterhub.userPodAffinityRequired" . }}
singleuser.pod-affinity-required: |
{{- include "jupyterhub.userPodAffinityRequired" . | nindent 4 }}
{{- end }}
{{- if include "jupyterhub.userPodAffinityPreferred" . }}
singleuser.pod-affinity-preferred: |
{{- include "jupyterhub.userPodAffinityPreferred" . | nindent 4 }}
{{- end }}
{{- if include "jupyterhub.userPodAntiAffinityRequired" . }}
singleuser.pod-anti-affinity-required: |
{{- include "jupyterhub.userPodAntiAffinityRequired" . | nindent 4 }}
{{- end }}
{{- if include "jupyterhub.userPodAntiAffinityPreferred" . }}
singleuser.pod-anti-affinity-preferred: |
{{- include "jupyterhub.userPodAntiAffinityPreferred" . | nindent 4 }}
{{- end }}
{{- if .Values.scheduling.userScheduler.enabled }}
singleuser.scheduler-name: "{{ .Release.Name }}-user-scheduler"
{{- end }}
{{- if .Values.scheduling.podPriority.enabled }}
singleuser.priority_class_name: "{{ .Release.Name }}-default-priority"
{{- end }}
{{- /* KubeSpawner */}}
kubespawner.common-labels: |
......@@ -199,7 +263,9 @@ data:
{{- /* Hub */}}
hub.allow-named-servers: {{ .Values.hub.allowNamedServers | quote }}
hub.concurrent-spawn-limit: {{ .Values.hub.concurrentSpawnLimit | quote }}
hub.consecutive-failure-limit: {{ .Values.hub.consecutiveFailureLimit | quote }}
{{- if .Values.hub.activeServerLimit }}
hub.active-server-limit: {{ .Values.hub.activeServerLimit | quote }}
{{- end }}
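Review bot: `singleuser.image-spec`, which appears to be added in the `-127,12 +129,19` hunk, is interpolated without quoting, unlike the `| quote` entries around it. An empty or unset `singleuser.image.tag` would leave a trailing colon that YAML reads as a mapping indicator, so the ConfigMap would fail to parse instead of giving a clear error. Quoting the whole expression keeps it a string, as the removed `SINGLEUSER_IMAGE` value in the hub deployment section did: `singleuser.image-spec: "{{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}"`.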
......
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: hub
......@@ -30,21 +30,11 @@ spec:
{{- .Values.hub.annotations | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
spec:
{{- if .Values.scheduling.podPriority.enabled }}
priorityClassName: {{ .Release.Name }}-default-priority
{{- end }}
nodeSelector: {{ toJson .Values.hub.nodeSelector }}
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: component
operator: In
values: ['proxy']
- key: release
operator: In
values: [{{ .Release.Name | quote }}]
{{- include "jupyterhub.coreAffinity" . | nindent 6 }}
volumes:
- name: config
configMap:
......@@ -118,9 +108,6 @@ spec:
{{- .Values.hub.resources | toYaml | trimSuffix "\n" | nindent 12 }}
imagePullPolicy: {{ .Values.hub.imagePullPolicy }}
env:
{{- /* Put this here directly so hub will restart when we change this */}}
- name: SINGLEUSER_IMAGE
value: "{{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}"
{{- if .Values.hub.cookieSecret }}
- name: JPY_COOKIE_SECRET
valueFrom:
......
......@@ -2,7 +2,7 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: hub-network-policy
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
......
......@@ -6,7 +6,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
minAvailable: 1
minAvailable: {{ .Values.hub.pdb.minAvailable }}
selector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
......
......@@ -7,7 +7,7 @@ metadata:
{{- include "jupyterhub.labels" . | nindent 4 }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub
labels:
......@@ -21,7 +21,7 @@ rules:
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub
labels:
......
......@@ -4,11 +4,10 @@ Returns an image-puller daemonset. Two daemonsets will be created like this.
- continuous-image-puller: for newly added nodes image pulling
*/}}
{{- define "jupyterhub.imagePuller.daemonset" -}}
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: DaemonSet
metadata:
{{- $label := print "-" .Release.Time.Seconds }}
name: {{ print .componentPrefix "image-puller" }}{{- if .hook }}{{ $label }}{{- end }}
name: {{ print .componentPrefix "image-puller" }}
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
{{- if .hook }}
......@@ -20,7 +19,7 @@ metadata:
Allows the daemonset to be deleted when the image-awaiter job is completed.
*/}}
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-10"
{{- end }}
spec:
......@@ -34,11 +33,25 @@ spec:
template:
metadata:
labels:
{{- /* Changes here will cause the Deployment to restart the pods. */}}
{{- /* Changes here will cause the DaemonSet to restart the pods. */}}
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
spec:
tolerations:
{{- include "jupyterhub.userTolerations" . | nindent 8 }}
nodeSelector: {{ toJson .Values.singleuser.nodeSelector }}
{{- if include "jupyterhub.userNodeAffinityRequired" . }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
{{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }}
{{- end }}
terminationGracePeriodSeconds: 0
automountServiceAccountToken: false
{{- if .Values.singleuser.imagePullSecret.enabled }}
imagePullSecrets:
- name: {{ if .hook -}} hook- {{- end -}} singleuser-image-credentials
{{- end }}
initContainers:
- name: image-pull-singleuser
image: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
......@@ -59,6 +72,15 @@ spec:
{{- range $k, $v := .Values.prePuller.extraImages }}
- name: image-pull-{{ $k }}
image: {{ $v.name }}:{{ $v.tag }}
imagePullPolicy: {{ $v.policy | default "IfNotPresent" }}
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- end }}
{{- range $k, $container := .Values.singleuser.extraContainers }}
- name: image-pull-singleuser-extra-container-{{ $k }}
image: {{ $container.image }}
imagePullPolicy: IfNotPresent
command:
- /bin/sh
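Review bot: The new `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` drops `hook-failed`, and no comment says what happens to the hook resources when a pre-install or pre-upgrade hook fails. With the fixed names introduced here (`hook-image-puller`, `hook-image-awaiter`), a failed hook would, as far as these lines show, leave the DaemonSet in place until the next install or upgrade recreates it. The same policy change is made on the hook Job and on the `hook-image-awaiter` ServiceAccount, Role and RoleBinding in the following sections, so that service account and its role binding would linger as well. If this is intended to ease debugging, extend the existing comment above the annotations to say so, for example `Failed hooks are kept for inspection and removed by before-hook-creation on the next install or upgrade.` The daemonset template continues outside the visible hunks.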
......
......@@ -9,24 +9,24 @@ command.
apiVersion: batch/v1
kind: Job
metadata:
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
hub.jupyter.org/deletable: "true"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "10"
spec:
template:
metadata:
labels:
{{- /* Changes here will cause the Deployment to restart the pods. */}}
{{- /* Changes here will cause the Job to restart the pods. */}}
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
spec:
restartPolicy: Never
{{- if .Values.rbac.enabled }}
serviceAccountName: hook-image-awaiter-{{ .Release.Time.Seconds }}
serviceAccountName: hook-image-awaiter
{{- end }}
containers:
- image: {{ .Values.prePuller.hook.image.name }}:{{ .Values.prePuller.hook.image.tag }}
......@@ -38,5 +38,5 @@ spec:
- -auth-token-path=/var/run/secrets/kubernetes.io/serviceaccount/token
- -api-server-address=https://$(KUBERNETES_SERVICE_HOST):$(KUBERNETES_SERVICE_PORT)
- -namespace={{ .Release.Namespace }}
- -daemonset=hook-image-puller-{{ .Release.Time.Seconds }}
- -daemonset=hook-image-puller
{{- end }}
......@@ -9,28 +9,28 @@ This service account...
apiVersion: v1
kind: ServiceAccount
metadata:
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
hub.jupyter.org/deletable: "true"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "0"
---
{{- /*
... will be used by this role...
*/}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
hub.jupyter.org/deletable: "true"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "0"
rules:
- apiGroups: ["apps"] # "" indicates the core API group
......@@ -41,23 +41,23 @@ rules:
... as declared by this binding.
*/}}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
hub.jupyter.org/deletable: "true"
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "0"
subjects:
- kind: ServiceAccount
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: hook-image-awaiter-{{ .Release.Time.Seconds }}
name: hook-image-awaiter
apiGroup: rbac.authorization.k8s.io
{{- end }}
{{- end }}
{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }}
{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }}
{{- if $autoHTTPS -}}
apiVersion: apps/v1beta2
apiVersion: apps/v1
kind: Deployment
metadata:
name: autohttps
......@@ -35,22 +35,12 @@ spec:
{{- if .Values.rbac.enabled }}
serviceAccountName: autohttps
{{- end }}
nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
{{- if .Values.scheduling.podPriority.enabled }}
priorityClassName: {{ .Release.Name }}-default-priority
{{- end }}
terminationGracePeriodSeconds: 60
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: component
operator: In
values: ['hub']
- key: release
operator: In
values: [{{ .Release.Name | quote }}]
nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
{{- include "jupyterhub.coreAffinity" . | nindent 6 }}
containers:
- name: nginx
image: "{{ .Values.proxy.nginx.image.name }}:{{ .Values.proxy.nginx.image.tag }}"
......
......@@ -11,7 +11,7 @@ metadata:
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nginx-{{ .Release.Name }}
......@@ -74,7 +74,7 @@ rules:
verbs:
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nginx-{{ .Release.Name }}
......@@ -89,7 +89,7 @@ subjects:
name: autohttps
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nginx
......@@ -129,7 +129,7 @@ rules:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kube-lego
......@@ -166,7 +166,7 @@ rules:
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nginx
......@@ -181,7 +181,7 @@ subjects:
name: autohttps
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: kube-lego
......
{{- $manualHTTPS := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual")) -}}
apiVersion: apps/v1beta2
{{- $manualHTTPSwithsecret := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret")) -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: proxy
......@@ -28,22 +29,18 @@ spec:
{{- .Values.proxy.annotations | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
spec:
nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
terminationGracePeriodSeconds: 60
affinity:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: component
operator: In
values: ['hub']
- key: release
operator: In
values: [{{ .Release.Name | quote }}]
{{- if .Values.scheduling.podPriority.enabled }}
priorityClassName: {{ .Release.Name }}-default-priority
{{- end }}
nodeSelector: {{ toJson .Values.proxy.nodeSelector }}
{{- include "jupyterhub.coreAffinity" . | nindent 6 }}
{{- if $manualHTTPSwithsecret }}
volumes:
- name: tls-secret
secret:
secretName: {{ .Values.proxy.https.secret.name }}
{{- end }}
{{- if $manualHTTPS }}
volumes:
- name: tls-secret
......@@ -65,13 +62,18 @@ spec:
- --redirect-port=8000
- --ssl-key=/etc/chp/tls/tls.key
- --ssl-cert=/etc/chp/tls/tls.crt
{{- else if $manualHTTPSwithsecret }}
- --port=8443
- --redirect-port=8000
- --ssl-key=/etc/chp/tls/{{ .Values.proxy.https.secret.key }}
- --ssl-cert=/etc/chp/tls/{{ .Values.proxy.https.secret.crt }}
{{- else }}
- --port=8000
{{- end }}
{{- if .Values.debug.enabled }}
- --log-level=debug
{{- end }}
{{- if $manualHTTPS }}
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
volumeMounts:
- name: tls-secret
mountPath: /etc/chp/tls
......@@ -87,7 +89,7 @@ spec:
key: proxy.token
imagePullPolicy: {{ .Values.proxy.chp.image.pullPolicy }}
ports:
{{- if $manualHTTPS }}
{{- if or $manualHTTPS $manualHTTPSwithsecret }}
- containerPort: 8443
name: proxy-https
{{- end }}
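Review bot: The new `secret` HTTPS type interpolates `.Values.proxy.https.secret.name`, `.key` and `.crt` straight into `secretName` and the `--ssl-key`/`--ssl-cert` paths with no check that they are set. The values file diff is collapsed on this page, so defaults may exist; if they do not, an unset key would not produce a usable path and the proxy would fail at start-up rather than at render time. Consider `secretName: {{ required "proxy.https.secret.name must be set when proxy.https.type is secret" .Values.proxy.https.secret.name }}` and the same guard for the two file names.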
......
{{- $HTTPS := (and .Values.proxy.https.hosts .Values.proxy.https.enabled) }}
{{- $autoHTTPS := (and $HTTPS (eq .Values.proxy.https.type "letsencrypt")) }}
{{- $manualHTTPS := (and $HTTPS (eq .Values.proxy.https.type "manual")) }}
{{- $manualHTTPSwithsecret := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "secret")) -}}
{{- if and .Values.proxy.networkPolicy.enabled -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: proxy-network-policy
name: proxy
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
......@@ -25,7 +26,7 @@ spec:
- protocol: TCP
port: 8000
{{- end }}
{{- if $manualHTTPS }}
{{- if or $manualHTTPS $manualHTTPSwithsecret}}
- protocol: TCP
port: 8443
{{- end }}
......@@ -51,9 +52,9 @@ spec:
port: 8001
egress:
{{- /*
The default is to allow all egress for hub If you want to restrict it the
The default is to allow all egress for proxy If you want to restrict it the
following egress is required
- proxy:8001
- hub:8081
- singleuser:8888
- Kubernetes api-server
*/}}
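Review bot: `$manualHTTPS` here is derived from `$HTTPS`, which also requires `proxy.https.hosts`, whereas the proxy deployment section defines it from `proxy.https.enabled` and the type alone; the new `$manualHTTPSwithsecret` follows the deployment's form. With manual HTTPS enabled and no hosts listed, the deployment would expose 8443 while the `or $manualHTTPS $manualHTTPSwithsecret` guard on the ingress rule leaves that port closed. That fails closed, but the two templates should agree: `{{- $manualHTTPS := (and .Values.proxy.https.enabled (eq .Values.proxy.https.type "manual")) }}`.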
......