Nublado is versioned with semver. Dependencies are updated to the latest available version during each release. Those changes are not noted here explicitly.
Find changes for the upcoming release in the project's changelog.d directory.
- Add a
servicelabel toGafaelfawrIngressresources created for user file servers for proper Gafaelfawr metrics reporting.
- Change the base image for JupyterHub to
quay.io/jupyterhub/k8s-hubfromjupyterhub/jupyterhub. This means the JupyterHub image now uses Python 3.12.
- Remove the
Tokenlink from the JupyterHub page template, since user tokens for JupyterHub are not supported on the Rubin Science Platform.
- Update to JupyterHub 5.2.1.
- When reporting HTTP errors from the Nublado client, truncate the response body at the start rather than at the end. This makes it more likely that the error message from JupyterHub will appear in the truncated response.
- Drop the XSRF token and cookies before performing a JupyterHub login in the Nublado client. The client previously hung on to the XSRF token indefinitely, which resulted in errors if the token was expired in JupyterHub, such as by user session expiration.
- Fix broken formatting in error messages reported by the Nublado client.
- Improve error reporting of exceptions in the Nublado client and sanitize the reported body to remove some security tokens.
- Refactor exception handling in
NubladoClientto incorporate optional code context information (used by mobu) and additional exception metadata.
- Provide
JupyterLabSessionas an exported class fromrubin.nublado.client. This class represents an open WebSocket session with a Jupyter lab. - Add support for artificial Gafaeflawr tokens to the
MockJuyptermock of the JupyterHub and JupyterLab API. This allows the mock to extract a username from mock tokens sent by the code under test to the mocked APIs, rather than requiring the test client send anX-Auth-Request-Userheader. - Use the most recent Nublado release tag as the default base image for sciplat-lab container builds.
- Add a Docker image build for a
jupyterlab-baseimage, which provides a basic image that can be spawned as a lab container by Nublado and can be used as the basis for more complex images. - Add the Docker image build for
sciplat-lab, an image built on top ofjupyterlab-basethat provides a JupyterLab kernel that includes the Rubin Science Pipelines Python stack.
- Revert canonical PyPI module name back to
rubin-nublado-clientfor consistency with other projects. As before, this change should not affectpip install; either form of the name should work.
- Rename PyPI module for the Nublado client to
rubin.nublado.client. Either name should work forpip install.
- Push the new
rubin-nublado-clientmodule to PyPI on release.
- Add the Python module
rubin-nublado-client, which provides a client library for interacting with the Nublado-modified JupyterHub and JupyterLab services.
- The
/tmpdirectory in a lab pod now defaults to a tmpfs file system capped at 25% of the pod memory. Add a new configuration option to select between this default and the previous default of uncapped node-local storage.
- All timeout configuration options now support the syntax parsed by Safir's
parse_timedeltaand therefore support human-friendly durations such as6hor5m.
- Fix crash of the controller during startup if a Kubernetes node reports a cached image with no names.
- Fix bootstrapping of a development environment in an existing virtualenv. Previously, uv was not installed before nox attempted to use it.
- Work around a bug in sphinxcontrib-redoc that prevented building the documentation twice without errors.
- Add configuration settings for the lab launch command and configuration directory.
- Add limits and requests to prepulled pods.
- Update the underlying JupyterHub implementation to JupyterHub 5.0.0.
- Switch to uv for package management.
- Update JupyterHub to 4.1.5, which fixes more issues with XSRF handling.
- Move the
.eupsdirectory when performing user environment resets.
- Update JupyterHub to 4.1.4, which fixes more XSRF cookie issues.
- Move the admin route for deleting a user's file server from
/nublado/fileserver/v1/<username>to/nublado/fileserver/v1/users/<username>to better align with other routes and REST semantics.
- Add an admin-authenticated
/nublado/fileserver/v1/users/<username>GET route to get the status of a user's running file server (currently only 404 if not running or 200 with trivial content if running). - Add a
/nublado/fileserver/v1/user-statusroute a user to get the status of their own file server, which similarly returns 404 or 200 with trivial content.
- Update JupyterHub to 4.1.3, which includes several fixes for XSRF handling.
- Update to JupyterHub 4.1.0. This release has tighter XSRF handling than previous versions. Clients that talk directly to JupyterHub rather than using a browser, such as mobu or Noteburst, will need to be updated to support the stricter XSRF requirements.
- Nublado now uses uv to maintain frozen dependencies.
- Update to Safir 5.2.0, which rewrites the middleware to avoid the Starlette
BaseHTTPMiddlewareclass. This should hopefully produce better error reporting in some cases where exceptions were being mangled and lost by theBaseHTTPMiddlewarelogic.
- All user file servers are now protected by a
NetworkPolicythat prevents connections except via Gafaelfawr, ensuring that authentication is properly enforced. - Stop returning the requested lab environment from the lab status API. Nothing uses this information and it may contain secrets that should not be this readily accessible.
- Return the actual running Docker image reference from the lab status API rather than the form parameters the user sent when requesting a lab.
- Return prepuller configuration in the API response with snake-case fields rather than camel-case fields, as was originally intended.
- Restrict access to controller routes via the
admin:jupyterlabscope to only those routes that JupyterHub needs to use. Access to other administrative routes is now controlled withexec:admin. - Fix the response type for the
/spawner/v1/labs/{username}/eventsroute in the OpenAPI schema. - Quietly retry the file server pod watch after 410 errors, since under some circumstances they appear to happen every five minutes. Remove the delay when restarting after a 410 error without a resource version, since this appears to be a normal Kubernetes API response and the delay could miss events.
- Change the default Argo CD application for user file servers to
nublado-fileservers. Continue to usefileserversas the default namespace, since thenublado-fileserversnamespace would conflict with the reserved namespace pattern for user labs. - Classify the JSON API routes with tags that reflect who has access to that API.
- Add documentation on how to set up Google Artifact Registry as an image source for Nublado, and on why this is the recommended configuration when Nublado is running on Google Kubernetes Engine.
This is the first release of the new merged Nublado release. It contains the Nubaldo controller, a JupyterHub spawner implementation that uses the controller to create user labs, a JupyterHub authenticator implementation to use Gafaelfawr, and the Docker configuration to build a custom JupyterHub image containing that spawner and authenticator.
In previous versions of Nublado, the equivalents of these components were maintained in separate repositories with independent version numbers. As of this release, all of these components are maintained and released together using semver versioning. Further changes will be documented in this unified change log.