Merge branch 'original-3.3.7' into feature/3.3.7

.circleci/config.yml

@@ -1,72 +1,70 @@
+# We use CircleCI to run a basic test for arm64.
+#
+# To reduce the complexity, we let this test verify our built images works with
+# arm64, but doesn't test the acquisition of HTTPS certificates (because it
+# requires a ACME server) or enforcement of the chart's NetworkPolicy resources
+# (because it requires Calico or similar to do it robustly).
+#
 version: 2.1
 
 orbs:
-  python: circleci/python@0.2.1
+  python: circleci/python@2.1.1
 
 jobs:
-  # Testing on ARM64
-  # https://circleci.com/docs/2.0/arm-resources/#using-arm-resources
+  # Testing on arm64
+  # https://circleci.com/docs/using-arm/#using-arm-resources
   test-arm:
     machine:
-      image: ubuntu-2004:2022.04.1
+      image: ubuntu-2204:current
     resource_class: arm.medium
     steps:
       - checkout
 
+      # The k3s setup should be kept similar to how we do it in
+      # https://github.com/jupyterhub/action-k3s-helm.
       - run:
-          command: uname -a
-          name: Check architecture
-
-      - run:
-          # NOTE: we can't use k3s 1.24 and --docker unless we also install for
-          #       example cri-dockerd as done in
-          #       https://github.com/jupyterhub/action-k3s-helm.
-          #
-          # NOTE: we declare --egress-selector-mode=disabled to workaround
-          #       intermittent issues in k3s introduced as a regression in k3s
-          #       1.22.10, 1.23.7, and 1.24.0. This is tracked in
-          #       https://github.com/k3s-io/k3s/issues/5633.
-          #
+          name: Setup k3s
           command: >-
             curl -sfL https://get.k3s.io |
-            INSTALL_K3S_CHANNEL=v1.23 sh -s -
+            INSTALL_K3S_CHANNEL=latest sh -s -
             --disable metrics-server
             --disable traefik
+            --disable-network-policy
             --docker
             --egress-selector-mode=disabled
-          name: Install K3S
 
       - run:
+          name: Prepare a kubeconfig in ~/.kube/config
           command: |
             mkdir -p ~/.kube
             sudo cat /etc/rancher/k3s/k3s.yaml > "$HOME/.kube/config"
             chmod 600 "$HOME/.kube/config"
-          name: Prepare a kubeconfig in ~/.kube/config
 
       - run:
+          name: Install dependencies
           command: |
             . ci/common
             setup_helm
             pip3 install --no-cache-dir -r dev-requirements.txt
-          name: Install dependencies
 
       - run:
+          name: Run chartpress
           command: |
             export DOCKER_BUILDKIT=1
             chartpress
-          name: Run chartpress
 
       - run:
+          name: Install local chart
           command: |
             export KUBECONFIG="$HOME/.kube/config"
             helm upgrade --install jupyterhub ./jupyterhub \
                 --wait \
                 --values dev-config.yaml \
                 --values dev-config-arm.yaml \
                 --values dev-config-local-chart-extra-config.yaml
-          name: Install local chart
 
       - run:
+          name: Run tests
           command: |
             export KUBECONFIG="$HOME/.kube/config"
             export HUB_URL=http://localhost:30080
@@ -80,19 +78,30 @@ jobs:
                  kubectl describe {} && \
                  kubectl logs --all-containers {} && \
                  echo --------------------------------"
-          name: Run tests
 
       - run:
-          name: k8s namespace report
+          name: k3s.service status
           when: on_fail
           command: |
-            export KUBECONFIG="$HOME/.kube/config"
-            wget https://raw.githubusercontent.com/jupyterhub/action-k8s-namespace-report/v1.1.0/k8s-namespace-report
-            bash k8s-namespace-report
+            systemctl status --no-pager --full k3s.service || true
+
+      - run:
+          name: k3s.service logs
+          when: on_fail
+          command: |
+            journalctl --no-pager -xu k3s.service
+
+      - run:
+          name: k8s namespace report
+          when: on_fail
           environment:
             NAMESPACE: ""
             POD_SELECTOR: ""
             IMPORTANT_WORKLOADS: ""
+          command: |
+            export KUBECONFIG="$HOME/.kube/config"
+            wget https://raw.githubusercontent.com/jupyterhub/action-k8s-namespace-report/v1.1.0/k8s-namespace-report
+            bash k8s-namespace-report
 
 workflows:
   main:

.github/workflows/publish.yml

@@ -42,7 +42,7 @@ jobs:
           # correctly
           fetch-depth: 0
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -144,7 +144,7 @@ jobs:
         run: helm package jupyterhub
 
       # ref: https://github.com/actions/upload-artifact
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         if: steps.publishing.outputs.publishing == ''
         with:
           name: jupyterhub-${{ github.sha }}

.github/workflows/release-tag.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       # https://github.com/actions/github-script
       # https://octokit.github.io/rest.js/v18#repos-create-release
-      - uses: actions/github-script@v6
+      - uses: actions/github-script@v7
         with:
           script: |
             if (!context.ref.startsWith('refs/tags/')) {

.github/workflows/support-bot.yml

@@ -12,7 +12,7 @@ jobs:
   action:
     runs-on: ubuntu-22.04
     steps:
-      - uses: dessant/support-requests@v3
+      - uses: dessant/support-requests@v4
         with:
           github-token: ${{ github.token }}
           support-label: "support"

.github/workflows/test-chart.yaml

@@ -31,7 +31,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -45,7 +45,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -78,7 +78,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -231,7 +231,7 @@ jobs:
           traefik-enabled: false
           docker-enabled: true
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -270,7 +270,7 @@ jobs:
       # jupyterhub and the autohttps pod is about to start, so for CI
       # performance we delayed this until now and did other things in between.
       - name: Await local ACME server
-        uses: jupyterhub/action-k8s-await-workloads@v2
+        uses: jupyterhub/action-k8s-await-workloads@v3
         with:
           timeout: 150
           max-restarts: 1
@@ -336,7 +336,7 @@ jobs:
 
       - name: "(Upgrade) Await ${{ matrix.upgrade-from }} chart"
         if: matrix.test == 'upgrade'
-        uses: jupyterhub/action-k8s-await-workloads@v2
+        uses: jupyterhub/action-k8s-await-workloads@v3
         with:
           timeout: 150
           max-restarts: 1
@@ -361,7 +361,7 @@ jobs:
               ${{ matrix.local-chart-extra-args }}
 
       - name: "Await local chart"
-        uses: jupyterhub/action-k8s-await-workloads@v2
+        uses: jupyterhub/action-k8s-await-workloads@v3
         with:
           timeout: 150
           max-restarts: 1

.github/workflows/test-docker-build.yaml

@@ -37,7 +37,7 @@ jobs:
           # correctly
           fetch-depth: 0
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 

.github/workflows/test-docs.yaml

@@ -32,7 +32,7 @@ jobs:
           # chartpress, used by docs/conf.py, requires git history to set
           # chart version and image tags correctly
           fetch-depth: 0
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 

.github/workflows/vuln-scan.yaml

@@ -57,7 +57,7 @@ jobs:
           # correctly
           fetch-depth: 0
 
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -87,7 +87,7 @@ jobs:
       # Action reference: https://github.com/aquasecurity/trivy-action
       - name: Scan latest published image
         id: scan_1
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
         with:
           image-ref: ${{ steps.image.outputs.spec }}
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -112,7 +112,7 @@ jobs:
       - name: Scan rebuilt image
         id: scan_2
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
         with:
           image-ref: rebuilt-image
           format: json # ref: https://github.com/aquasecurity/trivy#save-the-results-as-json
@@ -171,7 +171,7 @@ jobs:
 
       - name: Describe vulnerabilities
         if: steps.rebuild.outcome == 'success'
-        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
         with:
           image-ref: rebuilt-image
           format: table
@@ -205,7 +205,7 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create or update a PR
         if: steps.analyze.outputs.proceed == 'yes' && github.event_name != 'pull_request'
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v6
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>

.github/workflows/watch-dependencies.yaml

@@ -68,7 +68,7 @@ jobs:
             registry: registry.k8s.io
             repository: kube-scheduler
             values_path: scheduling.userScheduler.image.tag
-            version_startswith: "v1.26"
+            version_startswith: "v1.28"
             version_patch_regexp_group_suffix: ""
 
           - name: pause
@@ -114,7 +114,7 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
         if: steps.local.outputs.tag != steps.latest.outputs.tag
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v6
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
@@ -135,7 +135,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
@@ -183,7 +183,7 @@ jobs:
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
         if: steps.local.outputs.version != steps.latest.outputs.version
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v6
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>
@@ -216,7 +216,7 @@ jobs:
 
       # ref: https://github.com/peter-evans/create-pull-request
       - name: Create a PR
-        uses: peter-evans/create-pull-request@v5
+        uses: peter-evans/create-pull-request@v6
         with:
           token: "${{ secrets.jupyterhub_bot_pat }}"
           author: JupyterHub Bot Account <105740858+jupyterhub-bot@users.noreply.github.com>

.pre-commit-config.yaml

@@ -29,7 +29,7 @@ repos:
 
   # Autoformat: Python code
   - repo: https://github.com/psf/black
-    rev: 23.10.1
+    rev: 24.1.1
     hooks:
       - id: black
         args:
@@ -41,7 +41,7 @@ repos:
 
   # Autoformat: Python code
   - repo: https://github.com/pycqa/isort
-    rev: 5.12.0
+    rev: 5.13.2
     hooks:
       - id: isort
         args:
@@ -55,24 +55,24 @@ repos:
 
   # Autoformat: markdown, yaml (but not helm templates)
   - repo: https://github.com/pre-commit/mirrors-prettier
-    rev: v3.0.3
+    rev: v4.0.0-alpha.8
     hooks:
       - id: prettier
 
   # Reset Chart.yaml version and values.yaml image tags
   - repo: https://github.com/jupyterhub/chartpress
-    rev: 2.1.0
+    rev: 2.2.0
     hooks:
       - id: chartpress
 
   # Linting: Python code (see the file .flake8)
   - repo: https://github.com/PyCQA/flake8
-    rev: "6.1.0"
+    rev: "7.0.0"
     hooks:
       - id: flake8
 
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.22
+    rev: v0.1.23
     hooks:
       # This requires shellcheck to be installed manually so is disabled by default
       - id: shellcheck

chartpress.yaml

@@ -20,7 +20,7 @@ charts:
     #
     # baseVersion should be managed via tbump, see RELEASE.md for details
     #
-    baseVersion: "3.2.2"
+    baseVersion: "3.3.7"
     repo:
       git: RCOSDP/CS-jhub-helm-chart
       published: https://rcosdp.github.io/CS-jhub-helm-chart/