Merge branch 'jupyterhub:main' into main

.github/dependabot.yaml

@@ -15,3 +15,15 @@ updates:
       interval: monthly
       time: "05:00"
       timezone: Etc/UTC
+  - package-ecosystem: pip
+    directory: /images/hub/unfrozen
+    labels: [breaking]
+    groups:
+      major-versions:
+        update-types: [major]
+        exclude-patterns:
+          - jupyterhub # bumped by other automation
+    schedule:
+      interval: daily
+      time: "05:00"
+      timezone: Etc/UTC

.github/workflows/test-chart.yaml

@@ -137,13 +137,14 @@ jobs:
               --set hub.image.name=quay.io/jupyterhub/k8s-hub-slim
               --set prePuller.hook.enabled=true
               --set prePuller.hook.pullOnlyOnChanges=true
-          - k3s-channel: v1.29 # also test hub.existingSecret
+          - k3s-channel: v1.31 # also test hub.existingSecret and subdomain_host
             test: install
             local-chart-extra-args: >-
               --set hub.existingSecret=test-hub-existing-secret
               --set proxy.secretToken=aaaa1111
               --set hub.cookieSecret=bbbb2222
               --set hub.config.CryptKeeper.keys[0]=cccc3333
+              --set hub.config.JupyterHub.subdomain_host=jupyterhub.example.org
             create-k8s-test-resources: true
 
           # We run three upgrade tests where we first install an already released
@@ -160,7 +161,7 @@ jobs:
           # information from
           # https://hub.jupyter.org/helm-chart/info.json
           #
-          - k3s-channel: v1.28
+          - k3s-channel: v1.30
             test: upgrade
             upgrade-from: stable
             upgrade-from-extra-args: >-
@@ -173,7 +174,7 @@ jobs:
               --set hub.db.type=sqlite-pvc
               --set singleuser.storage.type=dynamic
             create-k8s-test-resources: true
-          - k3s-channel: v1.27
+          - k3s-channel: v1.29
             test: upgrade
             upgrade-from: dev
             upgrade-from-extra-args: >-
@@ -183,7 +184,7 @@ jobs:
             local-chart-extra-args: >-
               --set hub.db.type=sqlite-pvc
               --set singleuser.storage.type=dynamic
-          - k3s-channel: v1.26
+          - k3s-channel: v1.28
             test: upgrade
             # We're testing hub.db.upgrade with PostgreSQL so this version must be old
             # enough to require a DB upgrade
@@ -203,7 +204,7 @@ jobs:
             create-k8s-test-resources: true
             # https://artifacthub.io/packages/helm/bitnami/postgresql
             setup-postgresql-args: >-
-              --version=11.6.13
+              --version=16.0.5
               --set auth.enablePostgresUser=true
               --set auth.postgresPassword=postgres
               --set auth.database=jupyterhub
@@ -368,6 +369,9 @@ jobs:
         continue-on-error: ${{ matrix.accept-failure == true }}
         run: |
           . ./ci/common
+          if [ "${{ contains(matrix.local-chart-extra-args, 'subdomain_host') }}" = "true" ]; then
+            export CI_SUBDOMAIN_HOST=jupyterhub.example.org
+          fi
           # If you have problems with the tests add '--capture=no' to show stdout
           pytest --verbose --maxfail=2 --color=yes ./tests
 

.github/workflows/vuln-scan.yaml

@@ -87,7 +87,7 @@ jobs:
       # Action reference: https://github.com/aquasecurity/trivy-action
       - name: Scan latest published image
         id: scan_1
-        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         with:
           image-ref: ${{ steps.image.outputs.spec }}
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -112,7 +112,7 @@ jobs:
       - name: Scan rebuilt image
         id: scan_2
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         with:
           image-ref: rebuilt-image
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -171,7 +171,7 @@ jobs:
 
       - name: Describe vulnerabilities
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
         with:
           image-ref: rebuilt-image
           format: table
@@ -205,7 +205,7 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create or update a PR
         if: steps.analyze.outputs.proceed == 'yes' && github.event_name != 'pull_request'
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <[email protected]>

.github/workflows/watch-dependencies.yaml

@@ -4,7 +4,7 @@
 # - Watch multiple images tags referenced in values.yaml to match the latest
 #   image tag.
 #
-# - Watch the jupyterhub pinning in images/*/requirements.in to match the
+# - Watch the jupyterhub pinning in images/*/unfrozen/requirements.txt to match the
 #   latest jupyterhub version available on PyPI, and if doing this, also
 #   refreeze images/*/requirements.txt.
 #
@@ -20,7 +20,7 @@ name: Watch dependencies
 on:
   push:
     paths:
-      - "images/*/requirements.in"
+      - "images/*/unfrozen/requirements.txt"
       - ".github/workflows/watch-dependencies.yaml"
     branches: ["main"]
   schedule:
@@ -68,7 +68,7 @@ jobs:
             registry: registry.k8s.io
             repository: kube-scheduler
             values_path: scheduling.userScheduler.image.tag
-            version_startswith: "v1.28"
+            version_startswith: "v1.30"
             version_patch_regexp_group_suffix: ""
 
           - name: pause
@@ -114,13 +114,13 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
         if: steps.local.outputs.tag != steps.latest.outputs.tag
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <[email protected]>
           committer: JupterHub Bot Account <[email protected]>
           branch: update-image-${{ matrix.name }}
-          labels: maintenance,dependencies
+          labels: dependencies
           commit-message: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
           title: Update ${{ matrix.repository }} version from ${{ steps.local.outputs.tag }} to ${{ steps.latest.outputs.tag }}
           body: >-
@@ -142,10 +142,10 @@ jobs:
       - name: Install Python dependencies
         run: pip install packaging requests
 
-      - name: Get images/hub/requirements.in pinned version of jupyterhub
+      - name: Get images/hub/unfrozen/requirements.txt pinned version of jupyterhub
         id: local
         run: |
-          local_version=$(cat images/hub/requirements.in | grep 'jupyterhub==' | sed 's/jupyterhub==//')
+          local_version=$(cat images/hub/unfrozen/requirements.txt | grep 'jupyterhub==' | sed 's/jupyterhub==//')
           echo "version=$local_version" >> $GITHUB_OUTPUT
 
       - name: Get latest version of jupyterhub
@@ -168,11 +168,11 @@ jobs:
         if: steps.local.outputs.version != steps.latest.outputs.version
         run: |
           for img in hub singleuser-sample; do
-            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/requirements.in
+            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/unfrozen/requirements.txt
           done
           sed --in-place 's/appVersion: "${{ steps.local.outputs.version }}"/appVersion: "${{ steps.latest.outputs.version }}"/g' jupyterhub/Chart.yaml
 
-      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
+      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
         if: steps.local.outputs.version != steps.latest.outputs.version
         run: ci/refreeze
 
@@ -183,13 +183,13 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
         if: steps.local.outputs.version != steps.latest.outputs.version
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <[email protected]>
           committer: JupterHub Bot Account <[email protected]>
           branch: update-jupyterhub
-          labels: maintenance,dependencies
+          labels: dependencies
           commit-message: Update jupyterhub from ${{ steps.local.outputs.version }} to ${{ steps.latest.outputs.version }}
           title: Update jupyterhub from ${{ steps.local.outputs.version }} to ${{ steps.latest.outputs.version }}
           body: >-
@@ -208,15 +208,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
+      - name: Refreeze images/*/requirements.txt based on images/*/unfrozen/requirements.txt
         run: ci/refreeze
 
       - name: git diff
         run: git --no-pager diff --color=always
 
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@v7
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupyterHub Bot Account <[email protected]>
@@ -227,4 +227,4 @@ jobs:
           title: "hub image: refreeze requirements.txt"
           body: >-
             The hub image's requirements.txt has been refrozen based on
-            requirements.in.
+            unfrozen/requirements.txt.

.pre-commit-config.yaml

@@ -21,15 +21,15 @@
 repos:
   # Autoformat: Python code, syntax patterns are modernized
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.15.2
+    rev: v3.19.0
     hooks:
       - id: pyupgrade
         args:
           - --py38-plus
 
   # Autoformat: Python code
   - repo: https://github.com/psf/black
-    rev: 24.4.2
+    rev: 24.10.0
     hooks:
       - id: black
         args:
@@ -67,12 +67,12 @@ repos:
 
   # Linting: Python code (see the file .flake8)
   - repo: https://github.com/PyCQA/flake8
-    rev: "7.0.0"
+    rev: "7.1.1"
     hooks:
       - id: flake8
 
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.23
+    rev: v0.1.24
     hooks:
       # This requires shellcheck to be installed manually so is disabled by default
       - id: shellcheck

chartpress.yaml

@@ -20,7 +20,7 @@ charts:
     #
     # baseVersion should be managed via tbump, see RELEASE.md for details
     #
-    baseVersion: "4.0.0-0.dev"
+    baseVersion: "4.0.1-0.dev"
     repo:
       git: jupyterhub/helm-chart
       published: https://jupyterhub.github.io/helm-chart

ci/refreeze

@@ -13,7 +13,7 @@ for img in ${IMAGES}; do
         --volume="$PWD:/io" \
         --workdir=/io \
         --user=root \
-        python:3.11-bullseye \
-        sh -c 'pip install pip-tools==6.* && pip-compile --resolver=backtracking --upgrade'
+        python:3.12-bookworm \
+        sh -c 'pip install pip-tools==7.* && pip-compile --allow-unsafe --strip-extras --upgrade --output-file=requirements.txt unfrozen/requirements.txt'
     popd
 done

docs/source/administrator/authentication.md

@@ -444,11 +444,9 @@ hub:
       username_claim: preferred_username
       userdata_params:
         state: state
-      # In order to use keycloak client's roles as authorization layer
-      claim_groups_key: roles
-      allowed_groups:
-        - user
-      admin_groups:
+      # Allow all Keycloak users
+      allow_all: true
+      admin_users:
         - admin
     JupyterHub:
       authenticator_class: generic-oauth

docs/source/administrator/debug.md

@@ -74,19 +74,6 @@ settings for the pod. The final section you'll see is a list of recent
 events. These can be particularly informative, as often an error will
 show up in this section.
 
-**Real world scenario:** In our case, one of the lines in the events page
-displays an error:
-
-```
-$ kubectl describe pod jupyter-choldgraf --namespace <k8s-namespace>
-...
-2m            52s             4       kubelet, gke-jhubtest-default-pool-52c36683-jv6r        spec.containers{notebook}       Warning         Failed           Failed to pull image "jupyter/scipy-notebook:v0.4": rpc error: code = 2 desc = Error response from daemon: {"message":"manifest for jupyter/scipy-notebook:v0.4 not found"}
-...
-```
-
-It seems there is indeed something wrong with the Docker image. Let's confirm
-this by getting another view on the events that have transpired in the pod.
-
 ### `kubectl logs`
 
 If you only want to see the latest logs for a pod, use the following command:
@@ -99,37 +86,7 @@ This will show you the logs from the pod, which often contain useful
 information about what is going wrong. Parse these logs
 to see if something is generating an error.
 
-**Real world scenario:** In our case, we get this line back:
-
-```
-$ kubectl logs jupyter-choldgraf --namespace <k8s-namespace>
-Error from server (BadRequest): container "notebook" in pod "jupyter-choldgraf" is waiting to start: trying and failing to pull image
-```
-
-Now we are sure that something is wrong with our Dockerfile. Let's check
-our `config.yaml` file for the section where we specify the user's
-Docker image. Here we see our problem:
-
-```yaml
-singleuser:
-  image:
-    name: jupyter/scipy-notebook
-```
-
-We haven't specified a `tag` for our Docker image! Not specifying a tag
-will cause it to default to `v0.4`, which isn't what we want and is causing
-the pod to fail.
-
-To fix this, let's add a tag to our `config.yaml` file:
-
-```yaml
-singleuser:
-  image:
-    name: jupyter/scipy-notebook
-    tag: ae885c0a6226
-```
-
-Then run a helm upgrade:
+When you have identified the error edit your `config.yaml` if necessary, then run a helm upgrade:
 
 ```
 helm upgrade --cleanup-on-fail jhub jupyterhub/jupyterhub --version=<chart-version> -f config.yaml

docs/source/administrator/security.md

@@ -489,3 +489,44 @@ proxy:
 ```
 
 This would restrict the access to only two IP addresses: `111.111.111.111` and `222.222.222.222`.
+
+(jupyterhub_subdomains)=
+
+## Host user servers on a subdomain
+
+You can reduce the chance of cross-origin attacks by giving each user
+their own subdomain `<user>.jupyter.example.org`.
+This requires setting [`subdomain_host`](schema_hub.config.JupyterHub.subdomain_host), creating a wildcard DNS record `*.jupyter.example.org`, and creating a wildcard SSL certificate.
+
+```yaml
+hub:
+  config:
+    JupyterHub:
+      subdomain_host: jupyter.example.org
+```
+
+If you are using a Kubernetes ingress this must include hosts
+`jupyter.example.org` and `*.jupyter.example.org`.
+For example:
+
+```yaml
+ingress:
+  enabled: true
+  hosts:
+    - jupyter.example.org
+    - "*.jupyter.example.org"
+  tls:
+    - hosts:
+        - jupyter.example.org
+        - "*.jupyter.example.org"
+      secretName: example-tls
+```
+
+where `example-tls` is the name of a Kubernetes secret containing the wildcard certificate and key.
+
+The chart does not support the automatic creation of wildcard HTTPS certificates.
+You must obtain a certificate from an external source,
+for example by using an ACME client such as [cert-manager with the DNS-01 challenge](https://cert-manager.io/docs/configuration/acme/dns01/),
+and ensure the certificate and key are stored in the secret.
+
+See {ref}`jupyterhub:subdomains` in the JupyterHub documentation for more information.