feat: add support for session secrets in Renku 2.0 (#3837)

Closes #3832. Add support for session secret slots and session secrets in Renku 2.0. --------- Co-authored-by: Tasko Olevski <[email protected]>
SwissDataScienceCenter · Dec 18, 2024 · 9733df7 · 9733df7
1 parent 494a18d
commit 9733df7
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 5 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -3,6 +3,14 @@
 0.62.0
 ------
 
+This release introduces two new key features: session secrets and copying projects. 
+Session secrets make it possible to connect to protected resources, such as databases or
+external compute systems, from a Renku session in a standardized and shareable manner.
+Collaborating with secrets is easy too: configure a single session secret slot to ensure
+that the secret shows up the same way for everyone, and each person enters their own value.
+The copy projects feature makes it easy for course instructors to distribute course materials
+to students.
+
 This release removes the Gitlab omnibus Helm chart that we created and used to have as a dependency
 of the Renku Helm chart. We have been discouraging anyone from using
 this chart in production and we specified this in our documentation as well.
@@ -12,9 +20,26 @@ Gitlab deployment as specified in our `documentation <https://renku.readthedocs.
 before installing this or any subsequent Renku version. Gitlab publishes an official Helm chart and
 that is what should be used for deploying Gitlab with Helm.
 
+User-Facing Changes
+~~~~~~~~~~~~~~~~~~~
+
+**🌟 New Features**
+
+- **UI**: Configure and save session secrets in Renku 2.0 projects and use them in sessions (`#3413 <https://github.com/SwissDataScienceCenter/renku-ui/pull/3413>`__).
+
+**Improvements**
+
+- **UI**: Add a new simpler option for creating PolyBox and SwitchDrive data connectors (`#3396 <https://github.com/SwissDataScienceCenter/renku-ui/pull/3396>`__).
+- **UI**: Simplify the project and group creation interactions in Renku 2.0 to a simple modal (`#3399 <https://github.com/SwissDataScienceCenter/renku-ui/pull/3399>`__).
+- **UI**: Introduce a refreshed design for the dashboard in Renku 2.0 (`#3407 <https://github.com/SwissDataScienceCenter/renku-ui/pull/3407>`__).
+
 Internal Changes
 ~~~~~~~~~~~~~~~~
 
+**New Features**
+
+- **Data services**: Support saving session secrets in Renku 2.0 projects and mounting them in sessions.
+
 **Improvements**
 
 - **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1``
@@ -30,7 +55,9 @@ Internal Changes
 Individual Components
 ~~~~~~~~~~~~~~~~~~~~~
 
+- `renku-data-services 0.28.0 <https://github.com/SwissDataScienceCenter/renku-data-services/releases/tag/v0.28.0>`_
 - `renku-search 0.7.0 <https://github.com/SwissDataScienceCenter/renku-search/releases/tag/v0.7.0>`_
+- `renku-ui 3.43.0 <https://github.com/SwissDataScienceCenter/renku-ui/releases/tag/3.43.0>`_
 
 0.61.2
 ------

diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml
@@ -991,6 +991,33 @@ spec:
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
+metadata:
+  # Needed for secret mounting
+  name: ingress-to-data-service-from-v2-sessions
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+spec:
+  podSelector:
+    matchLabels:
+      app: renku-data-service
+      release: {{ .Release.Name }}
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/created-by: controller-manager
+              app.kubernetes.io/name: AmaltheaSession
+      ports:
+        - protocol: TCP
+          port: http
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
 metadata:
   name: egress-from-renku-v1-sessions
 spec:
@@ -1063,6 +1090,12 @@ spec:
           - 10.0.0.0/8
           - 172.16.0.0/12
           - 192.168.0.0/16
+    - to:
+      # Allow access to data service, needed for secret mounting
+      - podSelector:
+          matchLabels:
+            app: renku-data-service
+            release: {{ .Release.Name }}
   podSelector:
     matchLabels:
       app.kubernetes.io/created-by: controller-manager

diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
@@ -519,7 +519,7 @@ ui:
     replicaCount: 1
     image:
       repository: renku/renku-ui
-      tag: "3.42.0"
+      tag: "3.43.0"
       pullPolicy: IfNotPresent
       ## Optionally specify an array of imagePullSecrets.
       ## Secrets must be manually created in the namespace.
@@ -708,7 +708,7 @@ ui:
     keepCookies: []
     image:
       repository: renku/renku-ui-server
-      tag: "3.42.0"
+      tag: "3.43.0"
       pullPolicy: IfNotPresent
     imagePullSecrets: []
     nameOverride: ""
@@ -1459,14 +1459,14 @@ dataService:
     create: true
   image:
     repository: renku/renku-data-service
-    tag: "0.27.1"
+    tag: "0.28.0"
     pullPolicy: IfNotPresent
   backgroundJobs:
     events:
       resources: {}
     image:
       repository: renku/data-service-background-jobs
-      tag: "0.27.1"
+      tag: "0.28.0"
       pullPolicy: IfNotPresent
     total:
       resources: {}
@@ -1519,7 +1519,7 @@ authz:
 secretsStorage:
   image:
     repository: renku/secrets-storage
-    tag: "0.27.1"
+    tag: "0.28.0"
     pullPolicy: IfNotPresent
   service:
     type: ClusterIP