jupyterhub · yuvipanda · Feb 17, 2021 · Feb 13, 2021 · Feb 13, 2021 · Feb 13, 2021
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -77,4 +77,5 @@ jobs:
         env:
           GITHUB_REPOSITORY: "${{ github.repository }}"
         run: |
+          ./tools/generate-json-schema.py
           ./ci/publish
diff --git a/.github/workflows/test-chart.yaml b/.github/workflows/test-chart.yaml
@@ -24,7 +24,7 @@ on:
   workflow_dispatch:
 
 jobs:
-  lint_and_validate:
+  lint_and_validate_rendered_templates:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v2
@@ -50,6 +50,39 @@ jobs:
         run: tools/templates/lint-and-validate.py --strict
         continue-on-error: true
 
+  lint_and_validate_templates_with_schema:
+    runs-on: ubuntu-20.04
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.8"
+
+      - name: Install dependencies
+        run: |
+          . ci/common
+          setup_helm
+          pip install pyyaml
+
+      - name: Generate values.schema.json
+        run: tools/generate-json-schema.py
+
+      - name: Helm lint (values.yaml)
+        run: helm lint ./jupyterhub
+
+      - name: Helm lint (lint-and-validate-values.yaml)
+        run: helm lint ./jupyterhub --values tools/templates/lint-and-validate-values.yaml
+
+      # FIXME: We can probably emit a GitHub workflow warning if these fail
+      #        instead having them show as green without a warning or similar
+      - name: Helm lint --strict (values.yaml)
+        run: helm lint --strict ./jupyterhub
+        continue-on-error: true
+
+      - name: Helm lint --strict (lint-and-validate-values.yaml)
+        run: helm lint --strict ./jupyterhub
+        continue-on-error: true
+
   test:
     runs-on: ubuntu-20.04
     timeout-minutes: 20
@@ -138,6 +171,11 @@ jobs:
           pip3 install --no-cache-dir -r dev-requirements.txt
           chartpress
 
+      # Generate values.schema.json from schema.yaml
+      - name: Generate values.schema.json from schema.yaml
+        run: |
+          tools/generate-json-schema.py
+
       # Validate rendered helm templates against the k8s api-server with the
       # dedicated lint-and-validate-values.yaml config.
       - name: "Helm template --validate (with lint and validate config)"

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 ### Zero to JupyterHub Kubernetes ###
+jupyterhub/values.schema.json
 tools/templates/rendered-templates/
 bin/
 .vagrant/

diff --git a/doc/source/administrator/advanced.md b/doc/source/administrator/advanced.md
@@ -19,7 +19,7 @@ resource](https://kubernetes.io/docs/concepts/services-networking/ingress/) to
 expose JupyterHub using an [Ingress
 controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/).
 
-```note
+```{note}
 Not all k8s clusters are setup with an Ingress controller by default. If you need to
 install one manually, we recommend using
 [ingress-nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/deploy/index.md#using-helm).

diff --git a/doc/source/administrator/security.md b/doc/source/administrator/security.md
@@ -255,6 +255,8 @@ provides more information on the dangers presented by this attack.
 This Helm chart blocks access to this metadata in two ways by default, but you
 only need one.
 
+(block-metadata-netpol)=
+
 ### Block metadata with a NetworkPolicy enforced by a NetworkPolicy controller
 
 If you have _NetworkPolicy controller_ such as Calico in the Kubernetes cluster,
@@ -263,6 +265,8 @@ it will enforce the NetworkPolicy resource created by this chart
 We recommend relying on this approach if you you had a NetworkPolicy controller,
 and then you can disable the other option.
 
+(block-metadata-iptables)=
+
 ### Block metadata with a privileged initContainer running `iptables`
 
 If you can't rely on the NetworkPolicy approach to block access to the metadata

diff --git a/doc/source/conf.py b/doc/source/conf.py
@@ -213,6 +213,9 @@ def parse_schema(d, md=[], depth=0, pre=""):
     Generate markdown headers from a passed python dictionary created by
     parsing a schema.yaml file.
     """
+    if "then" in d:
+        d = d["then"]
+
     if "properties" in d:
         depth += 1
         # Create markdown headers for each schema level

diff --git a/jupyterhub/.helmignore b/jupyterhub/.helmignore
@@ -7,7 +7,6 @@
 # Here are files that we intentionally ignore to avoid them being packaged,
 # because we don't want to reference them from our templates anyhow.
 schema.yaml
-validate.py
 
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and