JupyterHub Helm chart 0.11.0 released!

Version 0.11.0 of the JupyterHub Helm chart is now released! :tada:

Thank you to all contributors to this release! Listed here are those who contributed specifically in the Z2JH repository, while many more have contributed to the projects this JupyterHub distribution depends on, such as JupyterHub, KubeSpawner, OAuthenticator, Configurable-HTTP-proxy, and open source projects outside the JupyterHub organization. This is made possible by a large collaboration, thank you everyone! :heart: :tada:

Contributors to this release

@arokem | @betatim | @chicocvenancio | @choldgraf | @consideRatio | @DArtagan | @manics | @minrk | @naterush | @rokroskar | @yuvipanda

0.11.0 - Changelog

Please read the security announcement and the breaking changes below, and
also note that this is the last release supporting Helm 2 and k8s versions lower
than 1.16.

Security announcement

This release contains the patched version of jupyterhub/oauthenticator. The unpatched version contained a security issue that affected versions 0.10.0 - 0.10.5 (but not 0.10.6) of this Helm chart.

Please don’t use versions 0.10.0 - 0.10.5 and upgrade to 0.10.6 or later. If you are using OAuthenticator, please check your list of users and delete any unauthorized users who may have logged in during usage of version 0.10.0 - 0.10.5.

See the published security advisory for more information, and refer to this forum post to share insights that can be useful to others.

Breaking changes

  • auth configuration moves to hub.config - #1943

    Helm chart configuration under auth is no longer supported. If you run helm upgrade with auth configuration, the upgrade will abort before any changes are made to the k8s cluster and you will be provided with the equivalent configuration using the new system under hub.config.

    By default, the printed equivalent configuration is censored as it can contain secrets that shouldn’t be exposed. By passing --set global.safeToShowValues=true you can get an uncensored version.

  • Pod Disruption Budgets now disabled by default - #1938

    A Pod Disruption Budget (PDB) was previously created by default for each of the hub and proxy pods, but from now on none is created by default. The consequence is that these pods can now be evicted.

    Eviction will happen as part of kubectl drain on a node, or when a cluster autoscaler removes an underused node.

Notable dependencies updated

| Dependency | Version in 0.10.6 | Version in 0.11.0 | Changelog link | Note |
| --- | --- | --- | --- | --- |
| jupyterhub | 1.2.2 | 1.3.0 | Changelog | Run in the hub pod |
| kubespawner | 0.14.1 | 0.15.0 | Changelog | Run in the hub pod |
| oauthenticator | 0.12.1 | 0.12.3 | Changelog | Run in the hub pod |
| ldapauthenticator | 1.3.2 | 1.3.2 | Changelog | Run in the hub pod |
| ltiauthenticator | 0.4.0 | 1.0.0 | Changelog | Run in the hub pod |
| nativeauthenticator | 0.0.6 | 0.0.6 | Changelog | Run in the hub pod |
| jupyterhub-idle-culler | 1.0 | 1.0 | - | Run in the hub pod |
| configurable-http-proxy | 4.2.2 | 4.2.2 | Changelog | Run in the proxy pod |
| traefik | v2.3.2 | v2.3.7 | Changelog | Run in the autohttps pod |
| kube-scheduler | v1.19.2 | v1.19.7 | - | Run in the user-scheduler pod(s) |

For a detailed list of how Python dependencies have changed in the hub Pod’s Docker image, inspect the images/hub/requirements.txt file.

Enhancements made

  • ci: automatically scan and patch our images for known vulnerabilities #1942 (@consideRatio)

Bugs fixed

  • Fix failure to block insecure metadata server IP #1950 (@consideRatio)
  • Enable hub livenessProbe by default and relax hub/proxy probes #1941 (@consideRatio)
  • Disable PDBs for hub/proxy, add PDB for autohttps, and relocate config proxy.pdb to proxy.chp.pdb #1938 (@consideRatio)

This post left out some PRs about maintenance, documentation, and continuous integration. The full changelog is available here.

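For the user review requested in the security announcement above, one way to shortlist accounts for manual inspection is to compare the hub's user list with the accounts you expect. This is an added example, not code from the Z2JH project: the allowlist, the window dates and the sample users are constructed assumptions, and it relies on JupyterHub's REST API user model (`name`, `admin`, `created`) returned by `GET /hub/api/users`.

```python
import json
import urllib.request
from datetime import datetime, timezone

def parse_ts(value):
    """Parse a JupyterHub ISO 8601 timestamp (UTC, may end in 'Z')."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def fetch_users(hub_url, token):
    """GET /hub/api/users with an admin API token (unused in the offline demo)."""
    req = urllib.request.Request(hub_url.rstrip("/") + "/hub/api/users",
                                 headers={"Authorization": "token " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def suspicious_users(users, allowed, window_start, window_end):
    """List users missing from the allowlist; mark those created in the window."""
    allowed = {name.lower() for name in allowed}
    findings = []
    for user in users:
        if user["name"].lower() in allowed:
            continue
        created = parse_ts(user["created"]) if user.get("created") else None
        findings.append({
            "name": user["name"],
            "admin": bool(user.get("admin")),
            "created_in_window": created is not None
            and window_start <= created <= window_end,
        })
    # Review order: admins first, then accounts created inside the window.
    return sorted(findings, key=lambda f: (not f["admin"],
                                           not f["created_in_window"], f["name"]))

# Constructed sample data; the window (when 0.10.0 - 0.10.5 ran) is an assumption.
WINDOW_START = datetime(2020, 11, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 1, 15, tzinfo=timezone.utc)
ALLOWED = ["alice", "bob"]
SAMPLE_USERS = [
    {"name": "alice", "admin": True, "created": "2020-06-01T08:00:00.000000Z"},
    {"name": "bob", "admin": False, "created": "2020-12-01T10:30:00.000000Z"},
    {"name": "mallory", "admin": False, "created": "2020-12-03T23:41:07.512345Z"},
    {"name": "eve", "admin": True, "created": "2020-05-01T12:00:00.000000Z"},
    {"name": "olduser", "admin": False, "created": None},
]

if __name__ == "__main__":
    for finding in suspicious_users(SAMPLE_USERS, ALLOWED, WINDOW_START, WINDOW_END):
        print(finding)
```

Against a live hub, pass the result of `fetch_users(...)` instead of `SAMPLE_USERS`; accounts confirmed as unauthorized can then be deleted from the admin panel or with `DELETE /hub/api/users/{name}`.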