Merge branch 'master' of lab.frogg.it:captnbp/codehub

Signed-off-by: Benoit Pourre <benoit.pourre@gmail.com>

Merge branch 'master' of lab.frogg.it:captnbp/codehub
03ff5fe1 · Benoît · f17d8d22 · 7f392d03 · 03ff5fe1 · 03ff5fe1
Verified Commit 03ff5fe1 authored 1 year ago by Benoît
--- a/codehub/Chart.lock
+++ b/codehub/Chart.lock
 dependencies:
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.12.4
+  version: 13.2.5
 - name: common
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.11.1
-digest: sha256:8a0036d2cf58ed424b7d1711330c18e9298d0450248c77736d96d582030fa283
-generated: "2023-09-21T20:30:28.860794444+02:00"
+  version: 2.13.3
+digest: sha256:0f974725b0d52f5fca5aa341171693a2688d959a1bbb210ebcd03398c8f00a34
+generated: "2023-11-12T09:20:01.451626985+01:00"
--- a/codehub/Chart.yaml
+++ b/codehub/Chart.yaml
@@ -4,13 +4,15 @@ annotations:
    - name: code-server
      image: docker.io/captnbp/code-server:4.19.0-r0
    - name: jupyterhub
-      image: docker.io/bitnami/jupyterhub:4.0.2-debian-11-r55
+      image: docker.io/bitnami/jupyterhub:4.0.2-debian-11-r58
    - name: oauth
      image: docker.io/captnbp/oauth:4.19.0-r0
    - name: nginx
      image: docker.io/captnbp/nginx:4.19.0-r0
    - name: configurable-http-proxy
-      image: docker.io/bitnami/configurable-http-proxy:4.6.0-debian-11-r16
+      image: docker.io/bitnami/configurable-http-proxy:4.6.0-debian-11-r17
+    - name: os-shell
+      image: docker.io/bitnami/os-shell:11-debian-11-r90
  artifacthub.io/license: MIT
 apiVersion: v2
 appVersion: 4.19.0-r0
@@ -18,7 +20,7 @@ dependencies:
  - condition: postgresql.enabled
    name: postgresql
    repository: oci://registry-1.docker.io/bitnamicharts
-    version: 12.x.x
+    version: 13.x.x
  - name: common
    repository: oci://registry-1.docker.io/bitnamicharts
    tags:
@@ -40,4 +42,4 @@ sources:
  - https://github.com/bitnami/containers/tree/main/bitnami/jupyterhub
  - https://github.com/jupyterhub/jupyterhub
  - https://github.com/coder/code-server
-version: 4.1.14
+version: 5.0.0
--- a/codehub/README.md
+++ b/codehub/README.md
--- a/codehub/templates/_helpers.tpl
+++ b/codehub/templates/_helpers.tpl
@@ -30,6 +30,25 @@ Return the proper hub image name
 {{- printf "%s-hub" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

+{{/*
+Return the apiToken value
+*/}}
+{{- define "codehub.hub.config.apiToken" -}}
+    {{ $hubConfiguration := include "common.tplvalues.render" ( dict "value" .Values.hub.configuration "context" $ ) | fromYaml }}
+    {{- if ($hubConfiguration | dig "hub" "config" "JupyterHub" "apiToken" "") }}
+        {{- $hubConfiguration.apiToken }}
+    {{- else if ($hubConfiguration | dig "hub" "apiToken" "") }}
+        {{- $hubConfiguration.hub.apiToken }}
+    {{- else }}
+        {{- $secretData := (lookup "v1" "Secret" $.Release.Namespace ( include "codehub.hub.name" . )).data }}
+        {{- if hasKey $secretData "apiToken" }}
+            {{- index $secretData "apiToken" | b64dec }}
+        {{- else }}
+            {{- include "codehub.randHex" 64 }}
+        {{- end }}
+    {{- end }}
+{{- end }}
+
 {{/*
 Return the cookie_secret value
 */}}
@@ -304,3 +323,24 @@ Compile all warnings into a single message.
 {{-   printf "\nVALUES VALIDATION:\n%s" $message -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return true if a TLS credentials secret object should be created
+*/}}
+{{- define "codehub.proxy.createTlsSecret" -}}
+{{- if and .Values.tls.autoGenerated (not .Values.proxy.tls.existingSecret) .Values.tls.enabled }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the TLS secret name
+*/}}
+{{- define "codehub.issuerName" -}}
+{{- $issuerName := .Values.tls.issuerRef.existingIssuerName -}}
+{{- if $issuerName -}}
+    {{- printf "%s" (tpl $issuerName $) -}}
+{{- else -}}
+    {{- printf "%s-http" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
--- a/codehub/templates/ca-issuer.yaml
+++ b/codehub/templates/ca-issuer.yaml
+{{- if and .Values.tls.enabled (not .Values.tls.issuerRef.existingIssuerName) }}
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "common.names.fullname" . }}-self-signed
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: self-signed-issuer
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "common.names.fullname" . }}-ca
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: http-ca
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretTemplate:
+    labels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: http-ca
+      {{- if .Values.commonLabels }}
+      {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 6 }}
+      {{- end }}
+    {{- if .Values.commonAnnotations }}
+    annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 6 }}
+    {{- end }}
+  subject:
+    organizationalUnits:
+      - {{ .Values.clusterName }}
+    organizations:
+      - {{ .Values.tls.subject.organizations }}
+    countries:
+      - {{ .Values.tls.subject.countries }}
+  isCA: true
+  commonName: {{ include "common.names.fullname" . }}-ca
+  secretName: {{ include "common.names.fullname" . }}-ca-crt
+  privateKey:
+    algorithm: RSA
+    size: 4096
+  duration: 87600h # 10y
+  issuerRef:
+    name: {{ include "common.names.fullname" . }}-self-signed
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "common.names.fullname" . }}-http
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: issuer
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  ca:
+    secretName: {{ include "common.names.fullname" . }}-ca-crt
+---
+{{- end }}
\ No newline at end of file
--- a/codehub/templates/hub/configmap-values.yaml
+++ b/codehub/templates/hub/configmap-values.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: hub
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  name: {{ include "codehub.hub.name" . }}-values
+  namespace: {{ .Release.Namespace | quote }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  values.yaml: |
+    Chart:
+      Name: {{ .Chart.Name }}
+      Version: {{ .Chart.Version }}
+    Release:
+      Name: {{ .Release.Name }}
+      Namespace: {{ .Release.Namespace }}
+      Service: {{ .Release.Service }}
+    hub:
+      config:
+        JupyterHub:
+          admin_access: true
+          {{- if .Values.hub.auth.oauth.enabled }}
+          authenticator_class: generic-oauth
+          {{- else if .Values.hub.auth.gitlab.enabled }}
+          authenticator_class: gitlab
+          {{- else if .Values.hub.auth.dummy.enabled }}
+          authenticator_class: dummy
+          DummyAuthenticator:
+          {{- if .Values.hub.auth.dummy.password }}
+            password: {{ .Values.hub.auth.dummy.password | quote }}
+          {{- else }}
+            password: {{ randAlphaNum 10 | quote }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.hub.auth.gitlab.enabled }}
+          GitLabOAuthenticator:
+            gitlab_url: {{ .Values.hub.auth.gitlab.gitlabUrl }}
+            allowed_gitlab_groups: {{ .Values.hub.auth.gitlab.allowedGitlabGroups }}
+            allowed_project_ids: {{ .Values.hub.auth.gitlab.allowedProjectIds }}
+            client_id: {{ .Values.hub.auth.gitlab.clientId }}
+            client_secret: {{ .Values.hub.auth.gitlab.clientSecret }}
+          {{- end }}
+
+          {{- if .Values.hub.auth.oauth.enabled }}
+          GenericOAuthenticator:
+            client_id: {{ .Values.hub.auth.oauth.clientId }}
+            client_secret: {{ .Values.hub.auth.oauth.clientSecret }}
+            oauth_callback_url: {{ .Values.hub.auth.oauth.oauthCallbackUrl }}
+            authorize_url: {{ .Values.hub.auth.oauth.authorizeUrl }}
+            token_url: {{ .Values.hub.auth.oauth.tokenUrl }}
+            userdata_url: {{ .Values.hub.auth.oauth.userdataUrl }}
+            login_service: {{ .Values.hub.auth.oauth.loginService }}
+            username_key: {{ .Values.hub.auth.oauth.usernameKey }}
+            userdata_params:
+              state: state
+            {{- if .Values.hub.auth.oauth.adminUsers }}
+            adminUsers: {{- include "common.tplValues.render" ( dict "value" .Values.hub.auth.oauth.adminUsers "context" $ ) | nindent 10 }}
+            {{- end }}
+            {{- if .Values.hub.auth.oauth.adminGroups }}
+            admin_groups: {{- include "common.tplValues.render" ( dict "value" .Values.hub.auth.adminGroups "context" $ ) | nindent 10 }}
+            {{- end }}
+            {{- if .Values.hub.auth.oauth.allowedGroups }}
+            allowed_groups: {{- include "common.tplValues.render" ( dict "value" .Values.hub.auth.allowedGroups "context" $ ) | nindent 10 }}
+            {{- end }}
+            {{- if .Values.hub.auth.oauth.claimGroupsKey }}
+            claim_groups_key: {{ .Values.hub.auth.oauth.claimGroupsKey }}
+            {{- end }}
+          {{- end }}
+          {{- if and .Values.hub.auth.gitlab.enabled .Values.hub.auth.gitlab.adminUsers }}
+          Authenticator:
+            admin_users: {{- .Values.hub.auth.gitlab.adminUsers | toYaml | nindent 14 }}
+          {{- end }}
+          {{- if .Values.hub.auth.dummy.enabled }}
+          Authenticator:
+            admin_users:
+              - {{ .Values.hub.auth.dummy.adminUser }}
+          {{- end }}
+      cookieSecret:
+      concurrentSpawnLimit: 64
+      consecutiveFailureLimit: 5
+      activeServerLimit:
+      db:
+        type: postgres
+        url: postgresql://{{ ternary .Values.postgresql.auth.username .Values.externalDatabase.user .Values.postgresql.enabled }}@{{ ternary (include "codehub.postgresql.fullname" .) .Values.externalDatabase.host .Values.postgresql.enabled }}:{{ ternary "5432" .Values.externalDatabase.port .Values.postgresql.enabled }}/{{ ternary .Values.postgresql.auth.database .Values.externalDatabase.database .Values.postgresql.enabled }}
+      services: {}
+      allowNamedServers: false
+      namedServerLimitPerUser:
+      {{- if .Values.hub.metrics.serviceMonitor.enabled }}
+      authenticatePrometheus: {{ .Values.hub.metrics.authenticatePrometheus }}
+      {{- end }}
+      redirectToServer:
+      shutdownOnLogout:
+    singleuser:
+      podNameTemplate: {{ include "common.names.fullname" . }}-codehub-{username}
+      networkTools:
+        image:
+          name: {{ include "codehub.hubconfiguration.imageEntry" ( dict "imageRoot" .Values.auxiliaryImage "global" $) }}
+          tag: {{ .Values.auxiliaryImage.tag }}
+          digest: {{ .Values.auxiliaryImage.digest }}
+          pullPolicy: {{ .Values.auxiliaryImage.pullPolicy }}
+          pullSecrets: {{- include "codehub.imagePullSecrets.list" . | nindent 10 }}
+      cloudMetadata:
+        blockWithIptables: false
+      events: true
+      {{- if .extraEnvVars }}
+      extraEnv: {{- include "common.tplvalues.render" ( dict "value" .extraEnvVars "context" $ ) | nindent 4 }}
+      {{- end }}
+      profileList:
+        {{- range .Values.singleuser.profiles }}
+        - description: "{{ .description }}"
+          default: true
+          display_name: "{{ .name }}"
+          kubespawner_override:
+            {{- if .command }}
+            cmd: {{- include "common.tplvalues.render" ( dict "value" .command "context" $ ) | nindent 8 }}
+            {{- end }}
+            {{- if .args }}
+            args: {{- include "common.tplvalues.render" ( dict "value" .args "context" $ ) | nindent 8 }}
+            {{- end }}
+            image: {{ include "codehub.hubconfiguration.imageEntry" ( dict "imageRoot" .image "global" $) }}:{{ .image.tag }}
+            image_pull_policy: {{ .image.pullPolicy }}
+            {{- if $.Values.global.imagePullSecrets }}
+            image_pull_secrets: {{- include "codehub.imagePullSecrets.list" $ | nindent 14 }}
+            {{- end }}
+            {{- if .initContainers }}
+            init_containers: {{- include "common.tplvalues.render" ( dict "value" .initContainers "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .sidecars }}
+            extra_containers: {{- include "common.tplvalues.render" ( dict "value" .sidecars "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .containerSecurityContext.enabled }}
+            container_security_context: {{- omit .containerSecurityContext "enabled" | toYaml | nindent 14 }}
+            {{- end }}
+            {{- if .podSecurityContext.enabled }}
+            fsGid: {{ .podSecurityContext.fsGroup }}
+            {{- end }}
+            {{- /* We need to replace the Kubernetes memory/cpu terminology (e.g. 10Gi, 10Mi) with one compatible with Python (10G, 10M) */}}
+            mem_guarantee: {{ regexReplaceAll "([A-Za-z])i" (default "" .resources.requests.memory) "${1}" }}
+            mem_limit: {{ regexReplaceAll "([A-Za-z])i" (default "" .resources.limits.memory) "${1}" }}
+            cpu_guarantee: {{ regexReplaceAll "([A-Za-z])i" (default "" .resources.requests.cpu) "${1}" }}
+            cpu_limit: {{ regexReplaceAll "([A-Za-z])i" (default "" .resources.limits.cpu)  "${1}" }}
+            {{- if .extraResources.requests }}
+            extra_resource_guarantees: {{- include "common.tplvalues.render" ( dict "value" .extraResources.requests "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .extraResources.limits }}
+            extra_resource_limits: {{- include "common.tplvalues.render" ( dict "value" .extraResources.limits "context" $ ) | nindent 14 }}
+            {{- end }}
+            common_labels:
+              app.kubernetes.io/component: singleuser
+              {{- include "common.labels.standard" $ | nindent 14 }}
+              {{- if $.Values.commonLabels }}
+              {{- include "common.tplvalues.render" ( dict "value" $.Values.commonLabels "context" $ ) | nindent 14 }}
+              {{- end }}
+            extra_labels:
+              hub.jupyter.org/network-access-hub: "true"
+              {{- if .podLabels }}
+              {{- include "common.tplvalues.render" ( dict "value" .podLabels "context" $ ) | nindent 14 }}
+              {{- end }}
+            {{- if or $.Values.commonAnnotations .podAnnotations }}
+            extra_annotations:
+              {{- if $.Values.commonAnnotations }}
+              {{- include "common.tplvalues.render" ( dict "value" $.Values.commonAnnotations "context" $ ) | nindent 14 }}
+              {{- end }}
+              {{- if .podAnnotations }}
+              {{- include "common.tplvalues.render" ( dict "value" .podAnnotations "context" $ ) | nindent 14 }}
+              {{- end }}
+            {{- end }}
+            {{- if .lifecycleHooks }}
+            lifecycle_hooks: {{- include "common.tplvalues.render" ( dict "value" .lifecycleHooks "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .lifecycleHooks }}
+            priority_class_name: {{ .priorityClassName }}
+            {{- end }}
+            notebook_dir: {{ .notebookDir }}
+            port: {{ .containerPort }}
+            {{- if .extraVolumes }}
+            volumes: {{- include "common.tplvalues.render" ( dict "value" .extraVolumes "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .extraVolumeMounts }}
+            volumes_mounts: {{- include "common.tplvalues.render" ( dict "value" .extraVolumeMounts "context" $ ) | nindent 14 }}
+            {{- end }}
+            {{- if .tolerations }}
+            tolerations: {{- include "common.tplvalues.render" ( dict "value" .tolerations "context" $) | nindent 14 }}
+            {{- end }}
+            {{- if .nodeSelector }}
+            node_selector: {{- include "common.tplvalues.render" ( dict "value" .nodeSelector "context" $) | nindent 14 }}
+            {{- end }}
+            {{- if .extraEnvVars }}
+            environment:
+            {{ range .extraEnvVars }}
+              {{ .name }}: {{ .value }}
+            {{- end }}
+            {{- end }}
+            k8s_api_request_timeout: 10
+        {{- end }}
+      serviceAccountName: {{ template "codehub.singleuserServiceAccountName" . }}
+      storage:
+        {{- if .Values.singleuser.persistence.enabled }}
+        type: dynamic
+        {{- else }}
+        type: none
+        {{- end }}
+        extraLabels:
+          app.kubernetes.io/component: singleuser
+          {{- include "common.labels.standard" . | nindent 10 }}
+        capacity: {{ .Values.singleuser.persistence.size }}
+        homeMountPath: /home/coder
+        dynamic:
+          {{ include "codehub.storage.class" (dict "persistence" .Values.singleuser.persistence "global" .Values.global) }}
+          pvcNameTemplate: {{ include "common.names.fullname" . }}-claim-{username}{servername}
+          volumeNameTemplate: {{ include "common.names.fullname" . }}-volume-{username}{servername}
+          storageAccessModes: {{- include "common.tplvalues.render" ( dict "value" .Values.singleuser.persistence.accessModes "context" $ ) | nindent 12 }}
+      startTimeout: 300
+      defaultUrl:
+    cull:
+      enabled: true
+      users: false
+      removeNamedServers: false
+      timeout: 3600
+      every: 600
+      concurrency: 10
+      maxAge: 0
--- a/codehub/templates/hub/configmap.yaml
+++ b/codehub/templates/hub/configmap.yaml
@@ -75,7 +75,6 @@ data:
        "slow_spawn_timeout": 0,
    }

-
    # configure the hub db connection
    db_type = get_config("hub.db.type")
    if db_type == "sqlite-pvc":
@@ -155,37 +154,16 @@ data:
    for trait, cfg_key in (
        ("pod_name_template", None),
        ("start_timeout", None),
-        ("image_pull_policy", "image.pullPolicy"),
-        # ('image_pull_secrets', 'image.pullSecrets'), # Managed manually below
        ("events_enabled", "events"),
-        ("extra_labels", None),
-        ("extra_annotations", None),
-        ("uid", None),
-        ("fs_gid", None),
-        ("run_privileged", None),
-        ("privileged", "privileged"),
        ("container_security_context", "container_security_context"),
-        ("allow_privilege_escalation", "allow_privilege_escalation"),
        ("service_account", "serviceAccountName"),
        ("storage_extra_labels", "storage.extraLabels"),
-        # ("tolerations", "extraTolerations"), # Managed manually below
-        ("node_selector", None),
        ("node_affinity_required", "extraNodeAffinity.required"),
        ("node_affinity_preferred", "extraNodeAffinity.preferred"),
        ("pod_affinity_required", "extraPodAffinity.required"),
        ("pod_affinity_preferred", "extraPodAffinity.preferred"),
        ("pod_anti_affinity_required", "extraPodAntiAffinity.required"),
        ("pod_anti_affinity_preferred", "extraPodAntiAffinity.preferred"),
-        ("lifecycle_hooks", None),
-        ("init_containers", None),
-        ("extra_containers", None),
-        ("mem_limit", "memory.limit"),
-        ("mem_guarantee", "memory.guarantee"),
-        ("cpu_limit", "cpu.limit"),
-        ("cpu_guarantee", "cpu.guarantee"),
-        ("extra_resource_limits", "extraResource.limits"),
-        ("extra_resource_guarantees", "extraResource.guarantees"),
-        ("environment", "extraEnv"),
        ("profile_list", None),
        ("extra_pod_config", None),
    ):
@@ -193,28 +171,6 @@ data:
            cfg_key = camelCaseify(trait)
        set_config_if_not_none(c.KubeSpawner, trait, "singleuser." + cfg_key)

-    image = get_config("singleuser.image.name")
-    if image:
-        tag = get_config("singleuser.image.tag")
-        if tag:
-            image = f"{image}:{tag}"
-
-        c.KubeSpawner.image = image
-
-    # Combine imagePullSecret.create (single), imagePullSecrets (list), and
-    # singleuser.image.pullSecrets (list).
-    image_pull_secrets = []
-    if get_config("imagePullSecret.automaticReferenceInjection") and get_config(
-        "imagePullSecret.create"
-    ):
-        image_pull_secrets.append(get_name("image-pull-secret"))
-    if get_config("imagePullSecrets"):
-        image_pull_secrets.extend(get_config("imagePullSecrets"))
-    if get_config("singleuser.image.pullSecrets"):
-        image_pull_secrets.extend(get_config("singleuser.image.pullSecrets"))
-    if image_pull_secrets:
-        c.KubeSpawner.image_pull_secrets = image_pull_secrets
-
    # scheduling:
    if get_config("scheduling.userScheduler.enabled"):
        c.KubeSpawner.scheduler_name = get_name("user-scheduler")
@@ -249,13 +205,6 @@ data:
                f"Unrecognized value for matchNodePurpose: {match_node_purpose}"
            )

-    # Combine the common tolerations for user pods with singleuser tolerations
-    scheduling_user_pods_tolerations = get_config("scheduling.userPods.tolerations", [])
-    singleuser_extra_tolerations = get_config("singleuser.extraTolerations", [])
-    tolerations = scheduling_user_pods_tolerations + singleuser_extra_tolerations
-    if tolerations:
-        c.KubeSpawner.tolerations = tolerations
-
    # Configure dynamically provisioning pvc
    storage_type = get_config("singleuser.storage.type")
    if storage_type == "dynamic":
@@ -536,7 +485,7 @@ data:
        mounted secret (hub.existingSecret)."""

        cfg = {}
-        for source in ("secret/values.yaml", "existing-secret/values.yaml"):
+        for source in ("config/values.yaml", "secret/values.yaml", "existing-secret/values.yaml"):
            path = f"/usr/local/etc/jupyterhub/{source}"
            if os.path.exists(path):
                print(f"Loading {path}")

--- a/codehub/templates/hub/deployment.yaml
+++ b/codehub/templates/hub/deployment.yaml
@@ -24,6 +24,7 @@ spec:
        {{- if .Values.hub.podAnnotations }}
        {{- include "common.tplvalues.render" ( dict "value" .Values.hub.podAnnotations "context" $ ) | nindent 8 }}
        {{- end }}
+        checksum/hub-values: {{ include (print $.Template.BasePath "/hub/configmap-values.yaml") . | sha256sum }}
        {{- if empty .Values.hub.existingConfigmap }}
        checksum/hub-config: {{ include (print $.Template.BasePath "/hub/configmap.yaml") . | sha256sum }}
        {{- end }}
@@ -179,7 +180,7 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: {{ include "codehub.hubSecretName" . }}
-                  key: proxy-token
+                  key: apiToken
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
@@ -233,8 +234,14 @@ spec:
            - mountPath: /etc/jupyterhub/z2jh.py
              subPath: z2jh.py
              name: config
+            - mountPath: /usr/local/etc/jupyterhub/config/
+              name: values
            - mountPath: /usr/local/etc/jupyterhub/secret/
              name: secret
+            {{- if .Values.tls.enabled }}
+            - mountPath: /cert/
+              name: server-cert
+            {{- end }}
          {{- if .Values.hub.extraVolumeMounts }}
          {{- include "common.tplvalues.render" (dict "value" .Values.hub.extraVolumeMounts "context" $) | nindent 12 }}
          {{- end }}
@@ -242,12 +249,20 @@ spec:
        {{- include "common.tplvalues.render" ( dict "value" .Values.hub.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
+        - name: values
+          configMap:
+            name: {{ include "codehub.hub.name" . }}-values
        - name: config
          configMap:
            name: {{ include "codehub.hubConfigmapName" . }}
        - name: secret
          secret:
            secretName: {{ include "codehub.hubSecretName" . }}
+        {{- if .Values.tls.enabled }}
+        - name: server-cert
+          secret:
+            secretName: {{ include "common.names.fullname" . }}-hub-crt
+        {{- end }}
        {{- if .Values.hub.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.hub.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
--- a/codehub/templates/hub/secret.yaml
+++ b/codehub/templates/hub/secret.yaml
@@ -14,8 +14,7 @@ metadata:
  {{- end }}
 type: Opaque
 data:
-  values.yaml: {{ include "common.tplvalues.render" ( dict "value" .Values.hub.configuration "context" $ ) | b64enc | quote }}
-  proxy-token: {{ default (randAlphaNum 32) .Values.proxy.secretToken | b64enc | quote }}
+  apiToken: {{ include "codehub.hub.config.apiToken" . | b64enc | quote }}
  hub.config.JupyterHub.cookie_secret: {{ include "codehub.hub.config.JupyterHub.cookie_secret" . | b64enc | quote }}
  hub.config.CryptKeeper.keys: {{ include "codehub.hub.config.CryptKeeper.keys" . | b64enc | quote }}
 {{- end }}
--- a/codehub/templates/image-puller/daemonset.yaml
+++ b/codehub/templates/image-puller/daemonset.yaml
@@ -64,10 +64,10 @@ spec:
      terminationGracePeriodSeconds: {{ .Values.imagePuller.terminationGracePeriodSeconds }}
      {{- end }}
      initContainers:
-      {{- range $index, $image := (list .Values.singleuser.image .Values.auxiliaryImage) }}
+      {{- range $index, $profile := .Values.singleuser.profiles }}
        - name: pull-{{ $index }}
-          image: {{ include "common.images.image" (dict "imageRoot" . "global" $.Values.global) }}
-          imagePullPolicy: {{ .pullPolicy }}
+          image: {{ include "common.images.image" (dict "imageRoot" .image "global" $.Values.global) }}
+          imagePullPolicy: {{ .image.pullPolicy }}
          {{- if $.Values.imagePuller.resources }}
          resources: {{- toYaml $.Values.imagePuller.resources | nindent 12 }}
          {{- end }}

--- a/codehub/templates/proxy/certificates.yaml
+++ b/codehub/templates/proxy/certificates.yaml
+{{- if (include "codehub.proxy.createTlsSecret" .) }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $fullname := include "common.names.fullname" . }}
+{{- $serviceName := include "common.names.fullname" . }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "common.names.fullname" . }}-proxy-crt
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    app.kubernetes.io/component: proxy
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  secretTemplate:
+    labels: {{- include "common.labels.matchLabels" . | nindent 6 }}
+      app.kubernetes.io/component: proxy
+      {{- if .Values.commonLabels }}
+      {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 6 }}
+      {{- end }}
+    {{- if .Values.commonAnnotations }}
+    annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 6 }}
+    {{- end }}
+  secretName: {{ include "common.names.fullname" . }}-proxy-crt
+  duration: 4320h # 180d
+  renewBefore: 2160h # 90d
+  commonName: "{{ $fullname }}"
+  subject:
+    organizationalUnits:
+      - {{ .Values.clusterName }}
+    organizations:
+      - {{ .Values.tls.subject.organizations }}
+    countries:
+      - {{ .Values.tls.subject.countries }}
+  dnsNames:
+    - "{{ printf "%s-proxy-api" $serviceName }}"
+    - "{{ printf "%s-proxy-api.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain }}"
+    - "{{ printf "%s-proxy-public.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain }}"
+    - "localhost"
+  ipAddresses:
+    - "127.0.0.1"
+    - "::1"
+  usages:
+    - server auth
+  privateKey:
+    algorithm: {{ .Values.tls.algorithm }}
+    encoding: PKCS1
+    size: {{ .Values.tls.size }}
+  issuerRef:
+    name: {{ include "codehub.issuerName" . }}
+    kind: {{ .Values.tls.issuerRef.kind }}
+    group: {{ .Values.tls.issuerRef.group }}
+
+---
+{{- end }}
\ No newline at end of file
--- a/codehub/templates/proxy/deployment.yaml
+++ b/codehub/templates/proxy/deployment.yaml
@@ -106,6 +106,11 @@ spec:
            {{- if .Values.proxy.image.debug }}
            - --log-level=debug
            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - --ssl-key=/server-cert/tls.key
+            - --ssl-cert=/server-cert/tls.crt
+            - --ssl-protocol=TLSv1_2
+            {{- end }}
          {{- end }}
          ports:
            - name: http
@@ -124,7 +129,7 @@ spec:
              valueFrom:
                secretKeyRef:
                  name: {{ include "codehub.hubSecretName" . }}
-                  key: proxy-token
+                  key: apiToken
            {{- if .Values.proxy.extraEnvVars }}
            {{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraEnvVars "context" $) | nindent 12 }}
            {{- end }}
@@ -167,12 +172,22 @@ spec:
          {{- end }}
          {{- end }}
          volumeMounts:
+            {{- if .Values.tls.enabled }}
+            - mountPath: /server-cert/
+              name: server-cert
+            {{- end }}
          {{- if .Values.proxy.extraVolumeMounts }}
          {{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumeMounts "context" $) | nindent 12 }}
          {{- end }}
        {{- if .Values.proxy.sidecars }}
        {{- include "common.tplvalues.render" ( dict "value" .Values.proxy.sidecars "context" $) | nindent 8 }}
        {{- end }}
+      volumes:
+      {{- if .Values.tls.enabled }}
+        - name: server-cert
+          secret:
+            secretName: {{ include "common.names.fullname" . }}-proxy-crt
+      {{- end }}
      {{- if .Values.proxy.extraVolumes }}
-      volumes: {{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumes "context" $) | nindent 8 }}
+      {{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumes "context" $) | nindent 8 }}
      {{- end }}
--- a/codehub/templates/proxy/ingress.yaml
+++ b/codehub/templates/proxy/ingress.yaml
@@ -10,8 +10,8 @@ metadata:
    app.kubernetes.io/component: proxy
  namespace: {{ .Release.Namespace | quote }}
  annotations:
-    {{- if .Values.proxy.ingress.certManager }}
-    kubernetes.io/tls-acme: "true"
+    {{- if .Values.tls.enabled }}
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    {{- end }}
    {{- if .Values.proxy.ingress.annotations }}
    {{- include "common.tplvalues.render" (dict "value" .Values.proxy.ingress.annotations "context" $) | nindent 4 }}

--- a/codehub/values.yaml
+++ b/codehub/values.yaml