Starting from version 2.x.x a newer version of JupyterHub is used. JupyterHub Chart version 1.2.0 is used including support for JupyterHub 1.5.0. With the new version of JupyterHub there are a number of changes needed in your values.yaml file. Below we highlight the specific sections requiring changes.
Add imagePullSecret key under jupyterhub section.
#########################################
# TileDB Cloud Hosted Notebook Settings #
#########################################
jupyterhub:
  # REQUIRED: Set the private registry credentials, these are the same as the `imageCredentials` above
  imagePullSecret:
    password: ""
Remove imagePullSecret key from singleuser section.
singleuser:
  # REQUIRED: Set the private registry credentials, these are the same as the `imageCredentials` above
  imagePullSecret:
    password: ""
Please copy and paste the contents of the jupyterhub.auth key into a notepad, then remove the key completely. You will need the values in the client_secret and cryptoKey fields.
auth:
  type: custom
  custom:
    className: 'oauthenticator.tiledb.TileDBCloud'
    config:
      # REQUIRED: Set the oauth2 secret, this should be a secure value
      # We recommend creating a random value with `openssl rand -hex 32`
      client_secret: "Secret"
      # REQUIRED: Set the domain for the jupyterhub and the oauth2 service
      # it is likely you just need to replace `example.com` with your own internal domain
      # This should match the ingress settings above and the hydra settings below
      oauth_callback_url: "https://jupyterhub.tiledb.example.com/hub/oauth_callback"
      token_url: "https://oauth2.tiledb.example.com/oauth2/token"
      auth_url: "https://oauth2.tiledb.example.com/oauth2/auth"
      userdata_url: "https://oauth2.tiledb.example.com/userinfo"
  state:
    # REQUIRED: Set the jupyterhub auth secret for persistence, this should be a secure value
    # We recommend creating a random value with `openssl rand -hex 32`
    cryptoKey: "Secret"
Replace jupyterhub.ingress.tls key with the following.
tls:
# REQUIRED: set the TLS information for hosted notebooks
- hosts:
- jupyterhub.tiledb.example.com
secretName: jupyterhub-tls
# optional TLS
tls: []
Replace initial contents of jupyterhub.hub key with the following:
hub:
  # REQUIRED: Set the private registry credentials, these are the same as the `imageCredentials` above
  imagePullSecret:
    password: ""
  config:
    CryptKeeper:
      # REQUIRED: Set the jupyterhub auth secret for persistence, this should be a secure value
      # We recommend creating a random value with `openssl rand -hex 32`
      keys:
        - "Secret"
    JupyterHub:
      authenticator_class: oauthenticator.tiledb.TileDBCloud
    TileDBCloud:
      # REQUIRED: Set the oauth2 secret, this should be a secure value
      # We recommend creating a random value with `openssl rand -hex
      client_secret: "Secret"
      # REQUIRED: Set the domain for the jupyterhub and the oauth2 service
      # it is likely you just need to replace `example.com` with your own internal domain
      # This should match the ingress settings above and the hydra settings below
      oauth_callback_url: "http://jupyterhub.tiledb.example.com/hub/oauth_callback"
      token_url: "http://oauth2.tiledb.example.com/oauth2/token"
      auth_url: "http://oauth2.tiledb.example.com/oauth2/auth"
      userdata_url: "http://oauth2.tiledb.example.com/userinfo"
In this step you need to fill in the keys and client_secret fields with the values from the jupyterhub.auth field that you saved earlier in a notepad.
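A pre-upgrade check for the jupyterhub changes listed above, as an added example (not part of the TileDB chart or its documentation): it takes a values file already parsed into a dict and reports leftover old keys, placeholder secrets and OAuth URLs that are missing or not HTTPS. The function names, the finding messages and the `allow_http` switch are assumptions of this example, and the HTTPS check is this example's own policy.

```python
from urllib.parse import urlsplit

PLACEHOLDERS = {"", "secret"}  # stand-in values used in the page's snippets
URL_FIELDS = ("oauth_callback_url", "token_url", "auth_url", "userdata_url")

def dig(node, path):
    """Follow a dotted path through nested dicts; None if any key is absent."""
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_placeholder(value):
    return not isinstance(value, str) or value.strip().lower() in PLACEHOLDERS

def lint_jupyterhub(values, allow_http=False):
    """Return findings for the jupyterhub section of a parsed values.yaml."""
    jh, out = values.get("jupyterhub") or {}, []
    if "auth" in jh:
        out.append("jupyterhub.auth is still present")
    if dig(jh, "singleuser.imagePullSecret") is not None:
        out.append("jupyterhub.singleuser.imagePullSecret is still present")
    if dig(jh, "imagePullSecret") is None:
        out.append("jupyterhub.imagePullSecret is missing")
    keys = dig(jh, "hub.config.CryptKeeper.keys")
    if not isinstance(keys, list) or not keys or any(map(is_placeholder, keys)):
        out.append("hub.config.CryptKeeper.keys lacks the saved cryptoKey")
    oauth = dig(jh, "hub.config.TileDBCloud") or {}
    if is_placeholder(oauth.get("client_secret")):
        out.append("hub.config.TileDBCloud.client_secret lacks the saved client_secret")
    for field in URL_FIELDS:
        url = urlsplit(str(oauth.get(field) or ""))
        if not url.hostname:
            out.append(f"{field} is missing or not a URL")
        elif url.scheme != "https" and not allow_http:
            out.append(f"{field} is not https")
    return out

# Constructed sample, shaped like yaml.safe_load() output for a half-migrated file.
SAMPLE = {"jupyterhub": {
    "auth": {"state": {"cryptoKey": "Secret"}},
    "imagePullSecret": {"password": "constructed-registry-password"},
    "hub": {"config": {
        "CryptKeeper": {"keys": ["Secret"]},
        "TileDBCloud": {
            "client_secret": "c0ffee" * 10,  # constructed, not a real secret
            "oauth_callback_url": "http://jupyterhub.tiledb.example.com/hub/oauth_callback",
            "token_url": "https://oauth2.tiledb.example.com/oauth2/token"}}}}}
```

Calling `lint_jupyterhub(SAMPLE)` returns one message per problem; an empty list means the jupyterhub section passes these checks.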
In hydra section please replace the following fields as noted here:
# tls:
# allow_termination_from:
# Set to cluster IP
# - 172.20.0.0/12
# serve:
# tls:
# allow_termination_from:
# Set to cluster IP
# - 172.20.0.0/12
secrets:
# REQUIRED: Set the oauth2 secret, this should be a secure value
# We recommend creating a random value with `openssl rand -hex 32`
system: secret
cookie: secret
system:
- "secret"
cookie:
- "Secret"
# Configure ingress for oauth2 service
ingress:
public:
annotations:
# Configure any needed annotations. For instance if you are using a different ingress besides nginx set that here
kubernetes.io/ingress.class: nginx
hosts:
# REQUIRED: set the ingress domain for oauth2 service
- host: "oauth2.tiledb.example.com"
paths: ["/"]
tls:
# REQUIRED: set the TLS information for oauth2 service
- hosts:
- "oauth2.tiledb.example.com"
secretName: hydra-tls
paths:
- path: /
pathType: ImplementationSpecific
# optional TLS
tls: []
Chart version 2.3.x - 2.4.x
Starting from version 2.4.x a newer version of JupyterHub is used. JupyterHub Chart version 2.0.0 is used including support for JupyterHub 3.0.0.
We also introduced a new version of JupyterHub Authenticator which is used automatically. This means that the authenticator_class is no longer needed in values.yaml.
Below we highlight the specific section that has to be removed.
Furthermore if https is not used, it must be disabled explicitly, as in the following example:
tiledb-cloud-ui:
  config:
    isHttps: false
As part of JupyterHub 3.0.0, a new version of Kubespawner, 4.2.0, is used. Users who have overridden jupyterhub.singleuser.profileList in values.yaml should update it to the latest structure. Here is an example usage of the profileList section, which is also used in the TileDB Enterprise Helm Chart:
jupyterhub:
  singleuser:
    profileList:
      - display_name: "Basic Data Science"
        slug: "basic_data_science"
        description: "This image is based on the popular <a href='https://hub.docker.com/r/jupyter/tensorflow-notebook/' target='_blank'>jupyter/tensorflow-notebook</a> docker image with the TileDB libraries included. See the full list of <a href='https://docs.tiledb.com/cloud/concepts/tiledb-cloud-internals/jupyter-notebooks' target='_blank'>installed packages</a>."
        package_list_url: "https://docs.tiledb.com/cloud/concepts/tiledb-cloud-internals/jupyter-notebooks"
        kubespawner_override:
          image: tiledbenterprise/notebook-python-r-julia:3.1.0
        profile_options:
          server:
            display_name: 'Server profile'
            choices:
              small:
                display_name: 'Small server'
                description: Best for when you will be performing serverless operations or moderate analysis.
                kubespawner_override:
                  mem_limit: "8G"
                  mem_guarantee: "8G"
                  memory_display: "8GB"
                  cpu_limit: 2
                  cpu_guarantee: 2
                  environment:
                    JUPYTER_IMAGE_NAME: "basic_data_science"
                    JUPYTER_IMAGE_SIZE: "small"
              large:
                display_name: 'Large server'
                description: Best for when you need to perform large analysis in the notebook itself.
                kubespawner_override:
                  mem_limit: "60G"
                  mem_guarantee: "60G"
                  memory_display: "60GB"
                  cpu_limit: 16
                  cpu_guarantee: 16
                  environment:
                    JUPYTER_IMAGE_NAME: "basic_data_science"
                    JUPYTER_IMAGE_SIZE: "large"
Chart version 2.6.x - 2.7.x
Starting with helm chart release 2.7, python is officially deprecated and scheduled for removal in January, 2024.
Replace
annotations:
  kubernetes.io/ingress.class: nginx
with
className: nginx
in all ingress sections. The kubernetes.io/ingress.class annotation has been formally deprecated since Kubernetes 1.18. For example:
ingress:
  # Following lines have to be removed:
  # annotations:
  #   kubernetes.io/ingress.class: nginx
  paths:
    - /v1
    - /v2
  className: nginx
Support for GPUs is added in notebooks. Here is an example addition to the profileList section, which is also used in the TileDB Enterprise Helm Chart, that includes a GPU entry:
jupyterhub:
  singleuser:
    profileList:
      - display_name: "Basic Data Science"
        slug: "basic_data_science"
        description: "This image is based on the popular <a href='https://hub.docker.com/r/jupyter/tensorflow-notebook/' target='_blank'>jupyter/tensorflow-notebook</a> docker image with the TileDB libraries included. See the full list of <a href='https://docs.tiledb.com/cloud/concepts/tiledb-cloud-internals/jupyter-notebooks' target='_blank'>installed packages</a>."
        package_list_url: "https://docs.tiledb.com/cloud/concepts/tiledb-cloud-internals/jupyter-notebooks"
        kubespawner_override:
          image: tiledbenterprise/notebook-python-r-julia:3.10.1
        profile_options:
          server:
            display_name: 'Server profile'
            choices:
              small:
                display_name: 'Small server'
                description: Best for when you will be performing serverless operations or moderate analysis.
                kubespawner_override:
                  mem_limit: "8G"
                  mem_guarantee: "8G"
                  memory_display: "8GB"
                  cpu_limit: 2
                  cpu_guarantee: 2
                  environment:
                    JUPYTER_IMAGE_NAME: "basic_data_science"
                    JUPYTER_IMAGE_SIZE: "small"
              large:
                display_name: 'Large server'
                description: Best for when you need to perform large analysis in the notebook itself.
                kubespawner_override:
                  mem_limit: "60G"
                  mem_guarantee: "60G"
                  memory_display: "60GB"
                  cpu_limit: 16
                  cpu_guarantee: 16
                  environment:
                    JUPYTER_IMAGE_NAME: "basic_data_science"
                    JUPYTER_IMAGE_SIZE: "large"
              gpu_p2:
                display_name: 'Nvidia V100 GPU server'
                description: Best for when you need to perform ML or other CUDA enabled jobs in the notebook itself. A GPU instance might take an additional 5-10 minutes to launch.
                kubespawner_override:
                  mem_limit: "60G"
                  mem_guarantee: "56G"
                  memory_display: "60GB"
                  cpu_limit: 3.5
                  cpu_guarantee: 3.5
                  cpu_display: "4"
                  extra_resource_limits:
                    nvidia.com/gpu: "1"
                  environment:
                    JUPYTER_IMAGE_NAME: "basic_data_science"
                    JUPYTER_IMAGE_SIZE: "gpu_p2_large"
Chart version 2.10.x
Corporate SSO Configuration values are supported starting from this version. Users can define a list of
# This configuration contains the necessary values to enable Single Sign-On (SSO) for
# Company integration with TileDB Cloud. By configuring these settings, the OpenID
# Connect (OIDC) component of the TileDB Cloud Rest Server is activated, thereby
# facilitating SSO both in the TileDB Cloud UI and the backend services. Customize
# the SSO parameters by replacing the placeholder values listed below with your
# specific SSO details. Pass these values alongside `values.yaml` to enable SSO
tiledb-cloud-rest:
  restConfig:
    SSO:
      OIDC: [] # List of SSO OIDC configurations. Replace placeholders with SSO details.
      # Example configuration:
      # - Domain: <SSO_Domain>
      #   OIDCIssuer: <SSO_OIDC_Issuer_URL>
      #   OIDCClientID: <SSO_Client_ID>
      #   OIDCClientSecret: <SSO_Client_Secret>
tiledb-cloud-ui:
  config:
    EnableCompanySSO: true # Enable SSO for the TileDB Cloud UI.