basehub: update jupyterhub chart from 3.2.1 to 3.3.7 (Scheduled for 9nd April)

[consideRatio]

This update brings in jupyterhub 4.1.0 and oauthenticator 16.3.0.

Two bugfixes upstream

This early adoption of z2jh's new release led to catching two bugs.

• First 3.3.0 failed because of a pycurl regression (observed when using oauthenticator to sign in)
  Z2JH 3.3.0 is broken - pycurl issues with certificates jupyterhub/zero-to-jupyterhub-k8s#3366
• Then 3.3.1 failed because of a iptables regression (observed when starting a user pod)
  Regression for singleuser.cloudMetadata.blockWithIptables in z2jh 3.3.0 and 3.3.1 - workaround in 3.3.2 jupyterhub/zero-to-jupyterhub-k8s#3368

Compatibility fix in jupyterhub-configurator

• The jupyterhub-configurator's web-server made use of HubOAuthenticator that now requires xsrf tokens when receiving javascript fetch requests. This is resolved by Support jupyterhub 4.1 that require use of xsrf tokens yuvipanda/jupyterhub-configurator#19 which is backported to an old enough commit in a branch we now build from. This branch can be adopted without introducing breaking changes.
• Closes Update jupyterhub-configurator to a newer commit #3197, let's not try to migrate to use the latest jupyterhub-configurator commit as it has introduced breaking changes that we would need to migrate config to handle.

About JupyterHub 4.1.1 - 4.1.5 releases

Several (all?) of the issues patched related to jupyterhub code executed in the user servers, which are unaffected by this PRs upgrade of the server side part of jupyterhub.

• In 4.1.1, allow subclasses to override xsrf check jupyterhub/jupyterhub#4745
• In 4.1.2, rework handling of multiple xsrf tokens jupyterhub/jupyterhub#4750
• In 4.1.3, respect jupyter-server disable_check_xsrf setting jupyterhub/jupyterhub#4753
• In 4.1.4, avoid xsrf check on navigate GET requests jupyterhub/jupyterhub#4759
• In 4.1.5, singleuser mixin: include check_xsrf_cookie in overrides jupyterhub/jupyterhub#4771

Verifications

• jupyterhub-configurator works
• rstudio works
• nbgitpuller works (nbgitpuller 1.2.1+ is required if jupyterhub 4.1 is used in the user env)
• jupyter-resource-usage works
• jupyter-remote-desktop-proxy works (2.0.0+ is required if jupyterhub 4.1 is used in the user env)
• jupyter notebook 6
• jupyter notebook 7 (jupyter_server based, like jupyter lab)

Related

• z2jh changelog: https://z2jh.jupyter.org/en/stable/changelog.html
• jupyterhub changelog: https://jupyterhub.readthedocs.io/en/stable/reference/changelog.html
• oauthenticator changelog: https://oauthenticator.readthedocs.io/en/latest/reference/changelog.html

[consideRatio]

z2jh 3.3.0 is broken because pycurl is broken due to a regression in a patch release, working to fix it now.

EDIT: we are bumping to z2jh 3.3.1 instead now.

[yuvipanda]

Test in a staging environment and then this is good to go!

[consideRatio]

Okay, two z2jh patch releases later things work it seems!

Will merge tomorrow when I'm starting my workday. Thank you for reviewing this @yuvipanda!!

[consideRatio]

@yuvipanda I'm getting pulled into needing to understand how jupyterhub-configurator works etc since its broken against jupyterhub 4.1.0 - likely due to CORS related changes.

I'd like to bite the bullet and catch up with misc maintenance:

• Update jupyterhub-configurator to a newer commit #3197
• review stale PRs in https://github.com/yuvipanda/jupyterhub-configurator/pulls
• get it jupyterhub 4.1.0 compatible
• maybe make a 1.0.0 release to PyPI because its notable work to pin and communicate about commits compared to do releases with changelogs etc

Are you OK with granting me maintainer rights and going for it quite swiftly?

[yuvipanda]

@consideRatio I've added you as maintainer. However, there are no users of that outside of 2i2c (especially after it was taken out of tljh), and it is an architectural dead end. I think it's ok to do the work that unblocks z2jh upgrades, but i don't think it should have any other work done on it at all.

I've closed or merged PRs as appropriate.

[yuvipanda]

I'd also think it's appropriate to rollback jupyterhub-configurator to the commit that was known good and worked here, do whatever fix is needed for 4.1, and just get that going.

[yuvipanda]

Given the xsrf changes seem to be slightly bumpy, I suggest we hold off this for a week to let things shake out.

[consideRatio]

I'm planning this to be deployed next tuesday - 2nd April.

[consideRatio]

@yuvipanda I've verified that a server-side change doesn't cause issues in any of the things you listed.

---

Beyond this because its related, I've considered the user environments. I've concluded that jupyterhub 4.1.4, nbgitpuller 1.2.1, and jupyter-remote-desktop-proxy 2.0.0, jupyter-resource-usage 1.0.2 (no patch needed), and utoronto's classical UI from notebook 6, Lab UI, and RStudio UI works when jupyterhub-singleuser 4.1.4 is used in the user environment - use of jupyterhub 4.0 or 4.1 server side doesn't change this.

• jupyter/docker-stacks latest published images have jupyterhub 4.1.4
• pangeo/pangeo-docker-images latest tagged image has jupyterhub 4.0.2, and will when release is made go straight to 4.1.4 with nbgitpuller 1.2.1 as its part of the master branch already.
• rocker/binder images have jupyterhub 4.1.3 currently which makes rstudio work

---

OK to ship today? The option to this is next week if I'm to take responsibility and monitor this change without entering too much non-working hours.

[yuvipanda]

@consideRatio thanks for doing that. My suggestion is to do this next week, given we still have a bunch of things that we had committed to this sprint not done yet. We can schedule this during the sprint planning meeting for the next one.

[consideRatio]

@yuvipanda rescheduled to 9th april!

[damianavila]

Ask @GeorgianaElena to spend some cycles on this one next week.

[github-actions]

🎉🎉🎉🎉

Monitor the deployment of the hubs here 👉 https://github.com/2i2c-org/infrastructure/actions/runs/8613587954