diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml
index fc442dbb79..40113afcf1 100644
--- a/.github/workflows/pull-request-test.yml
+++ b/.github/workflows/pull-request-test.yml
@@ -58,6 +58,7 @@ jobs:
 renku-ui: ${{ steps.deploy-comment.outputs.renku-ui}}
 renku-data-services: ${{ steps.deploy-comment.outputs.renku-data-services}}
 amalthea: ${{ steps.deploy-comment.outputs.amalthea}}
+ amalthea-sessions: ${{ steps.deploy-comment.outputs.amalthea-sessions}}
 test-enabled: ${{ steps.deploy-comment.outputs.test-enabled}}
 extra-values: ${{ steps.deploy-comment.outputs.extra-values}}
 steps:
@@ -99,6 +100,7 @@ jobs:
 renku_ui: "${{ needs.check-deploy.outputs.renku-ui }}"
 renku_data_services: "${{ needs.check-deploy.outputs.renku-data-services }}"
 amalthea: "${{ needs.check-deploy.outputs.amalthea }}"
+ amalthea_sessions: "${{ needs.check-deploy.outputs.amalthea-sessions }}"
 extra_values: "${{ needs.check-deploy.outputs.extra-values }}"
 - name: Check existing renkubot comment
 if: needs.check-deploy.outputs.pr-contains-string == 'true'
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index be0daa5a00..34d25d076e 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
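Review bot: The new `amalthea-sessions` value is forwarded from `steps.deploy-comment.outputs` through `needs.check-deploy.outputs` into the deploy step's inputs with no validation visible in either hunk, and the `deploy-comment` step that produces it lies outside this diff. If that step extracts the value from PR text, as the `pr-contains-string` output suggests, the PR author controls which chart version or ref gets deployed, so the producer (or this consumer) should reject anything not matching an expected version/ref pattern such as `^[A-Za-z0-9._-]+$`. If the value is ever interpolated into a `run:` script via `${{ }}`, pass it through `env:` instead so it is never expanded into the shell.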
@@ -1,13 +1,304 @@ .. _changelog: +0.62.0 +------ + +This release removes the Gitlab omnibus Helm chart that we created and used to have as a dependency +of the Renku Helm chart. We have been discouraging anyone from using +this chart in production and we specified this in our documentation as well. + +If you are using the internal Gitlab Helm chart then ensure to migrate to a separate +Gitlab deployment as specified in our `documentation `_. +before installing this or any subsequent Renku version. Gitlab publishes an official Helm chart and +that is what should be used for deploying Gitlab with Helm. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1`` +- **Helm chart**: remove the custom-made Gitlab Omnibus Helm chart from Renku dependencies +- **Search services**: Add support for sentry + + +**Bug Fixes** + +- **Search services**: Don't return results without linked namespaces + + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-search 0.7.0 `_ + + +0.61.1 +------ + +Renku 0.61.1 introduces a few bug fixes for the previous release. 
+ + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Sessions**: Correctly launch sessions that request dedicated resource classes + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Bug Fixes** + +- **Amalthea**: Add resource requests for the authentication proxy containers +- **Amalthea**: Add support for setting priority classes for sessions +- **Data services**: Use the working directory to mount cloud storage if the mount path is relative +- **Data services**: Use HTTPS in the redirect URL for the authentication proxy +- **Data services**: Use GPU resource limits when GPUs are requested +- **Helm chart**: Do not set the default storage class to empty string if it is not set in the values file +- **Helm chart**: Restart the data services and notebooks pods when the mounted secret changes + +Individual components +~~~~~~~~~~~~~~~~~~~~~~ + +- `amalthea 0.14.5 `_ +- `amalthea 0.14.6 `_ +- `renku-data-services 0.27.1 `_ + + +0.61.0 +------ + +Renku 0.61.0 introduces a new version of Amalthea that supports running sessions with Docker images +that do not contain Jupyter server. + +NOTES to administrators: + +- This upgrade introduces a brand new CRD for sessions. All services that support + sessions for Renku v2 will switch to this new CRD. Renku v1 sessions remain unchanged. + Therefore any old sessions for Renku v2 will not be visible to users after this upgrade. The sessions + themselves will not be immediately deleted and as long as users have saved links to their old sessions they + should be able to access their sessions and save data. However we recommend that administrators + notify users of the change and allow for enough time so that existing Renku v2 sessions can be saved and + cleaned up, rather than asking users to save the url to their sessions. In addition to users not being able + to see old Renku v2 sessions, they will also not be able to pause, resume or delete old Renku v2 sessions. 
+ Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order + to support the new CRD we have also created a new operator that will manage the new `amaltheasession` resources. + +- The network policies for Renku have been consolidated and revamped. The most notable change here is the + removal of the egress policy that prevented egress to internal IP addresses from sessions. Now we disallow + all ingress in the Renku release namespace by default and explicitly grant permissions to any pods that need + to access other pods inside the Renku release namespace. Two properties relevant to this have been added to the + Helm chart values file that allows administrators to grant access to all Renku services from a specific namespace + or to do the same for specific pods within the Renku namespace. These are not needed for Renku to function and the + default network policies should be sufficient, they have been added so that administrators can allow ingress for + other services that may not come with the Renku Helm chart such as logging or monitoring. This change will result in + the removal of some network policies and the creation of several new policies. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**✨ Improvements** + +- **UI**: Enable the use of custom images that don’t contain Jupyter, streamlining the image-building process and allowing for the use of β€œoff-the-shelf” images (`#3341 `__). +- **Sessions**: Enable running session images that do not contain Jupyter in them. 
+ +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Data services**: Add support for OAuth storage providers +- **Data services**: Move notebooks code to data services +- **Helm chart**: Consolidate and revamp network policies +- **Data services**: Add support for project documentation +- **Data services**: Add support for cloning projects + +**Bug Fixes** + +- **Gateway**: Pass on session cookie to data services for anonymous session authentication +- **Data services**: Correct pagination for namespaces +- **Data services**: Add creation date and created_by for namespaces +- **Data services**: Pin RClone version in data services image +- **Data services**: Properly handle multi-architecture docker images when getting working directory +- **Data services**: Make environment working directory and mount directory optional +- **Amalthea**: Add readiness and health checks to sessions. +- **Amalthea**: Do not authenticate the authentication proxy health check +- **Amalthea**: Do not mount the Kubernetes service account in sessions +- **Amalthea**: Do not add Kubernetes specific environment variables in sessions + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-gateway 1.3.1 `_ +- `renku-ui 3.42.0 `_ +- `renku-data-services 0.26.0 `_ +- `renku-data-services 0.27.0 `_ +- `amalthea 0.13.0 `_ +- `amalthea 0.14.0 `_ +- `amalthea 0.14.1 `_ +- `amalthea 0.14.2 `_ +- `amalthea 0.14.3 `_ +- `amalthea 0.14.4 `_ + 0.60.0 ------ +Renku 0.60.0 squashes an issue that has been tripping up many users when connecting their GitHub +account, as well as various UX polish and bug fixes. + +NOTE to administrators: Upgrading the `csi-rclone` component will unmount all cloud storage for all +active or hibernated sessions. Therefore, we recommend notifying your users ahead of time when you +deploy this version of Renku and also if possible deploying the upgrade when there are fewer +sessions that use cloud storage or just fewer sessions in general. 
Once the upgrade is complete +users will be able to mount cloud storage as usual. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**✨ Improvements** + +- **UI**: Allow for changing the role of members of groups, and hide membership edit buttons for + users with insufficient permissions on project and group settings pages (`#3374 + `__). +- **UI**: Improve UX for data connector side sheets and modals (`#3368 `__). + +**🐞 Bug Fixes** + +- **UI & Data services**: Direct users to complete the GitHub integration by installing the Renku app in the desired namespace (`#3332 `__). +- **UI**: Avoid unexpected redirects when clicking on the 2.0 dashboard session buttons (`#3378 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **UI**: Update the Admin page to set up Connected services (`#3332 `__). +- **Gateway**: Add support for enabling debug logs from the gateway (`#730 `__). + +**Bug Fixes** + +- **csi-rclone**: Do not log potentially sensitive data in error messages. +- **csi-rclone**: Properly handle encrypted secrets with the new annotation-based storage class. + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.25.0 `_ +- `renku-gateway 1.3.0 `_ +- `renku-ui 3.41.0 `_ +- `csi-rclone 0.3.4 `__ +- `csi-rclone 0.3.5 `__ + +0.59.2 +------ + +Renku ``0.59.2`` is a bugfix release that fixes a bug in Renku 2.0 where project editors could not edit project information. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Data services**: Allow project editors to send patches with the current namespace (`#483 `__). +- **Data services**: Allow project editors to send patches with the current visibility (`#484 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Data services**: Return 409 error when creating a project with a conflicting slug (`#471 `__). +- **Data services**: Change all serial id columns to be GENERATED AS IDENTITY (`#461 `__). 
+- **Data services**: Include ``is_admin`` in the self ``/user`` endpoint (`#472 `__). + +**Bug Fixes** + +- **Data services**: Handle spaces in ``provider_id`` for connected services (`#482 `__). + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.24.2 `__ + +0.59.1 +------ + +Renku ``0.59.1`` is a bugfix release that improves stability and performance with renku notebooks when under heavy load. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Notebooks**: Use gevent methods in notebooks api (`#1996 `__). + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-notebooks 1.27.1 `_ 0.59.0 ------ +Renku ``0.59.0`` introduces the ability to reuse data connectors in multiple projects! +When you add a data connector (previously called a data source) to your project, you now have the new option to select other data connectors on RenkuLab, +for example those shared in your group, rather than having to re-enter the data connection details. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Add and re-use data connectors in Renku 2.0 projects (`#3323 `__). + +**✨ Improvements** + +- **UI**: Add a playful design for the 404 and application error pages (`#3248 `__). +- **UI**: Update redirect page styles (`#3257 `__). +- **UI**: Remove Renku 2.0 beta warning alert from dashboard (`#3357 `__). + +**🐞 Bug Fixes** + +- **UI**: Fix how permissions are checked in Renku 2.0, notably group members can perform actions according to their role in projects. (`#3351 `__). +- **UI**: Fix styles for the edit launcher environment list (`#3360 `__). +- **UI**: Allow opening a project from Renku 2.0 search if the namespace is missing in the result (`#3353 `__). +- **UI**: Fix update file and download buttons in Renku 1.0 (`#3363 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**New Features** + +- **Data services**: Add support for data connectors (`#407 `__). 
+- **Data services**: Do not synchronize blocked users from Keycloak (`#393 `__).
+- **Data services**: Support getting permissions (`#454 `__).
+- **Notebooks**: Add support for data connectors (`#1991 `__).
+- **Notebooks**: Cache Amalthea sessions (`#1983 `__).
+
+**Improvements**
+
+- **Data services**: Handle errors in background jobs nicely (`#463 `__).
+- **Gateway**: Add support for signing cookies (`#734 `__).
+
+**Bug Fixes**
+
+- **Data services**: Treat invalid JWT as 401 HTTP error.
+- **Data services**: Change user preferences id sequence to proper value.
+
+Individual Components
+~~~~~~~~~~~~~~~~~~~~~
+
+- `renku-data-services 0.23.0 `__
+- `renku-data-services 0.24.0 `__
+- `renku-gateway 1.2.0 `_
+- `renku-notebooks 1.27.0 `_
+- `renku-ui 3.38.0 `_
+- `renku-ui 3.39.0 `_
+- `renku-ui 3.40.0 `_
+- `renku-ui 3.40.1 `_
 0.58.1
diff --git a/cypress-tests/cypress/e2e/dashboardV2.cy.ts b/cypress-tests/cypress/e2e/dashboardV2.cy.ts
index 1bb9d6d7b9..df89a5174d 100644
--- a/cypress-tests/cypress/e2e/dashboardV2.cy.ts
+++ b/cypress-tests/cypress/e2e/dashboardV2.cy.ts
@@ -72,9 +72,7 @@ describe("Dashboard v2 - Authenticated user", () => {
 describe("Dashboard v2 - Non-Authenticated user", () => {
 it("Cannot see projects and groups on Dashboard when logged out", () => {
 cy.visit("v2");
- cy.getDataCy("projects-container").contains("No 2.0 projects.");
- cy.getDataCy("view-other-projects-btn").should("be.visible");
- cy.getDataCy("groups-container").contains("No 2.0 groups.");
- cy.getDataCy("view-other-groups-btn").should("be.visible");
+ cy.getDataCy("user-container").should("be.visible");
+ cy.getDataCy("user-container").should("contain.text", "You are not logged in.");
 });
 });
diff --git a/cypress-tests/cypress/e2e/privateProject.cy.ts b/cypress-tests/cypress/e2e/privateProject.cy.ts
index 19e5ba1b9b..d62b67468e 100644
--- a/cypress-tests/cypress/e2e/privateProject.cy.ts
+++ b/cypress-tests/cypress/e2e/privateProject.cy.ts
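Review bot: The rewritten assertions no longer verify what the test name promises — that an anonymous visitor sees no projects and groups — only that a "You are not logged in." message is rendered. The removed lines asserted the project and group containers were empty for a logged-out user; if the dashboard now hides those containers entirely, add `cy.getDataCy("projects-container").should("not.exist");` and `cy.getDataCy("groups-container").should("not.exist");` so a regression that exposes 2.0 project or group lists to anonymous users still fails here. If the containers are still rendered but empty, keep the original `contains("No 2.0 projects.")` and `contains("No 2.0 groups.")` checks alongside the new message assertion.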
@@ -38,7 +38,11 @@ describe("Basic public project functionality", () => {
 },
 validateLogin
 );
- cy.createProjectIfMissing({templateName: "Python", ...projectIdentifier, visibility: "private"});
+ cy.createProjectIfMissing({
+ templateName: "Python",
+ ...projectIdentifier,
+ visibility: "private",
+ });
 cy.visitAndLoadProject(projectIdentifier);
 });
 
@@ -50,11 +54,11 @@ describe("Basic public project functionality", () => {
 .should("be.checked");
 cy.searchForProject(projectIdentifier, true);
 
- // logout and search for the project and log back in
- cy.logout();
+ // Check as an anonymous user
+ cy.session(["anonymous", getRandomString()], () => {});
+ cy.visit("/");
 cy.get("#nav-hamburger").should("be.visible").click();
 cy.searchForProject(projectIdentifier, false);
- cy.robustLogin();
 });
 
 it("Can always search for project after changing the visibility", () => {
@@ -86,10 +90,11 @@ describe("Basic public project functionality", () => {
 // Search the project as both logged in and logged out.
 cy.searchForProject(projectIdentifier, true);
 
- cy.logout();
+ // Check as an anonymous user
+ cy.session(["anonymous", getRandomString()], () => {});
+ cy.visit("/");
 cy.get("#nav-hamburger").should("be.visible").click();
 cy.searchForProject(projectIdentifier, false);
- cy.robustLogin();
 });
 
 it("Deleting the project removes it from the search page", () => {
diff --git a/cypress-tests/cypress/e2e/publicProject.cy.ts b/cypress-tests/cypress/e2e/publicProject.cy.ts
index a0a78b206b..e8ad88cd34 100644
--- a/cypress-tests/cypress/e2e/publicProject.cy.ts
+++ b/cypress-tests/cypress/e2e/publicProject.cy.ts
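Review bot: `getRandomString()` is introduced twice in privateProject.cy.ts but this diff adds no import for it; unless the file already imports it from the support utilities (the import block is outside these hunks), the spec will not compile. Note also that `cy.session([...], () => {})` only gives Cypress a fresh, empty browser context — the user's server-side Keycloak/GitLab session is not terminated the way the removed `cy.logout()` did, so this check proves the private project is hidden from a cookieless visitor, not that logging out revokes access. The dropped `cy.robustLogin()` relies on the `beforeEach` `cy.session(..., validateLogin)` visible at the top of the first hunk to restore the login for the following tests; if that hook is not present for every test, the next `it` will run anonymously.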
@@ -48,11 +48,11 @@ describe("Basic public project functionality", () => {
 cy.waitMetadataIndexing();
 cy.searchForProject(projectIdentifier);
 
- // logout and search for the project and log back in
- cy.logout();
+ // Check as an anonymous user
+ cy.session(["anonymous", getRandomString()], () => {});
+ cy.visit("/");
 cy.get("#nav-hamburger").should("be.visible").click();
 cy.searchForProject(projectIdentifier);
- cy.robustLogin();
 });
 
 it("Can see overview content and check the clone URLs", () => {
diff --git a/cypress-tests/cypress/e2e/useSession.cy.ts b/cypress-tests/cypress/e2e/useSession.cy.ts
index 22b22d712c..537e7f6bf2 100644
--- a/cypress-tests/cypress/e2e/useSession.cy.ts
+++ b/cypress-tests/cypress/e2e/useSession.cy.ts
@@ -167,7 +167,7 @@ describe("Basic public project functionality", () => {
 
 it("Start a new session as anonymous user.", () => {
 // Do not re-use the logged-in session
- cy.session("anonymous", () => {});
+ cy.session(["anonymous", getRandomString()], () => {});
 
 // Log out and go to the project again
 cy.visit("/");
@@ -189,6 +189,8 @@ describe("Basic public project functionality", () => {
 
 // Stop the session -- mind that anonymous users cannot pause sessions
 cy.deleteSession({ fromSessionPage: true });
+
+ cy.robustLogin();
 });
 
 it("Start a new session on a project without permissions.", () => {
diff --git a/cypress-tests/cypress/support/commands/login.ts b/cypress-tests/cypress/support/commands/login.ts
index 087d123d55..c31d9e2613 100644
--- a/cypress-tests/cypress/support/commands/login.ts
+++ b/cypress-tests/cypress/support/commands/login.ts
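Review bot: The trailing `cy.robustLogin()` added after `cy.deleteSession(...)` in useSession.cy.ts only runs when the test passes; if the anonymous-session test fails midway, the following `it` starts in the anonymous context unless a `beforeEach` re-establishes the login, which is not visible in this hunk. The sibling edits to privateProject.cy.ts and publicProject.cy.ts remove their `cy.robustLogin()` entirely and rely on `beforeEach`, so the three specs now handle the return to an authenticated state inconsistently. Either rely on `beforeEach` everywhere and drop this line, or move the restoration into an `afterEach` so it also runs on failure. The `it` block containing the first hunk continues past the end of that hunk.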
@@ -1,9 +1,11 @@
 const renkuLogin = (credentials: { username: string; password: string }[]) => {
- cy.wrap(credentials, { log: false }).each((credential: {password: string, username: string}) => {
- cy.get("#username").type(credential.username);
- cy.get("#password").type(credential.password, { log: false });
- cy.get("#kc-login").click()
- })
+ cy.wrap(credentials, { log: false }).each(
+ (credential: { password: string; username: string }) => {
+ cy.get("#username").type(credential.username);
+ cy.get("#password").type(credential.password, { log: false });
+ cy.get("#kc-login").click();
+ }
+ );
 cy.url().then((url) => {
 const parsedUrl = new URL(url);
 if (
@@ -93,7 +95,7 @@ function registerAndVerify(props: RegisterAndVerifyProps) {
 expect(["/", ""]).to.include(loc.pathname);
 expect(loc.search).to.eq("");
 expect(loc.hostname).to.eq(baseURL.hostname);
- })
+ });
 cy.get("header").should("be.visible");
 cy.get("footer").should("be.visible");
 // If we send a request to the user endpoint on Gitlab too quickly after we log in then
@@ -137,15 +139,7 @@ function robustLogin(props?: RobustLoginProps) {
 );
 }
 
-function logout() {
- cy.get("#profile-dropdown").should("be.visible").click();
- cy.get("#logout-link").should("be.visible").click();
- // Make sure we fully log out
- cy.wait(15_000);
-}
-
 export default function registerLoginCommands() {
- Cypress.Commands.add("logout", logout);
 Cypress.Commands.add("renkuLogin", renkuLogin);
 Cypress.Commands.add("register", register);
 Cypress.Commands.add("registerAndVerify", registerAndVerify);
@@ -156,7 +150,6 @@ declare global {
 // eslint-disable-next-line @typescript-eslint/no-namespace
 namespace Cypress {
 interface Chainable {
- logout();
 renkuLogin(credentials: { username: string; password: string }[]);
 register(
 email: string,
diff --git a/cypress-tests/cypress/support/utils/projectsV2.utils.ts b/cypress-tests/cypress/support/utils/projectsV2.utils.ts
index 1770aaff91..e55665f105 100644
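Review bot: Deleting the `logout` command leaves no test that exercises the real logout flow (`#profile-dropdown` then `#logout-link`), so a regression where clicking logout fails to terminate the Keycloak session would go unnoticed — the `cy.session` replacement used by the specs only discards browser storage and never reaches the server-side logout endpoint. Consider keeping a dedicated logout spec that clicks `#logout-link`, then visits a protected page and asserts it redirects to the login form, without the fixed `cy.wait(15_000)`. The `renkuLogin` reformat correctly keeps `{ log: false }` on the password `type()` call so credentials stay out of the Cypress command log; that function's body continues past the end of the first hunk.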
--- a/cypress-tests/cypress/support/utils/projectsV2.utils.ts
+++ b/cypress-tests/cypress/support/utils/projectsV2.utils.ts
@@ -23,7 +23,7 @@ export function getUserNamespaceAPIV2(): Cypress.Chainable {
 
 /** Get a project by using only the API. */
 export function getProjectByNamespaceAPIV2(newProjectProps: ProjectIdentifierV2): Cypress.Chainable {
- return cy.request({ failOnStatusCode: false, method: "GET", url: `api/data/projects/${newProjectProps.namespace}/${newProjectProps.slug}` });
+ return cy.request({ failOnStatusCode: false, method: "GET", url: `api/data/namespaces/${newProjectProps.namespace}/projects/${newProjectProps.slug}` });
 }
 
 /** Create a project (if the project is missing) by using only the API. */
diff --git a/docs/how-to-guides/admin/gitlab.rst b/docs/how-to-guides/admin/gitlab.rst
index be3ef7cab1..9f1b76f3c6 100644
--- a/docs/how-to-guides/admin/gitlab.rst
+++ b/docs/how-to-guides/admin/gitlab.rst
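Review bot: `newProjectProps.namespace` and `newProjectProps.slug` are spliced into the request path without URL-encoding, so a value containing `/`, `?` or `#` changes the route instead of staying inside its path segment; with `failOnStatusCode: false` the resulting 404 is indistinguishable from "project does not exist", and the `createProjectIfMissing` caller named in the trailing comment could then attempt a duplicate create. Wrap both interpolations in `encodeURIComponent(...)`, i.e. `api/data/namespaces/${encodeURIComponent(newProjectProps.namespace)}/projects/${encodeURIComponent(newProjectProps.slug)}`. This only bites if test fixtures ever use non-slug-safe names, which cannot be confirmed from the hunk.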
@@ -81,19 +81,8 @@ and existing GitLab users can use Renku without creating a separate Renku accoun GitLab deployed as part of Renku -------------------------------- -We do *not* recommend deploying the Renku-bundled GitLab as part of a production Renku deployment, -and instead suggest deploying GitLab using the `official GitLab cloud-native Kubernetes chart -`_. Deploying GitLab as part of Renku may be deprecated in the future. - -If your Renku deployment includes GitLab you need to follow some additional steps to configure an admin user on GitLab. - -To grant a GitLab user the GitLab admin role without having access to the GitLab Web UI, the following steps can be taken in the GitLab container console. - -#. Run ``gitlab-rails console -e production`` (this might take a while). -#. Find the user you would like to grant the admin role, for example by running ``user = User.find_by(email: 'renku@renkulab.io')`` or ``user = User.find_by(username: 'renku')``. -#. Grant the user the administrator role by running ``user.admin = true``. -#. Save the user's profile by running ``user.save!``. -#. Leave the console by running ``exit``. +Deploying the GitLab Helm chart as part of the Renku Helm chart has been deprecated. If you have a Renku deployment that uses +the Gitlab version that used to come bundled with Renku, then please follow the instructions below to migrate. Migrate from Renku-bundled Omnibus GitLab to cloud-native Gitlab Helm chart --------------------------------------------------------------------------- diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 0b4a298299..c180ea1dee 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -98,6 +98,7 @@ findable Fortran Frontend gapped +gevent git-lfs githooks github diff --git a/helm-chart/gitlab/.helmignore b/helm-chart/gitlab/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/helm-chart/gitlab/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/helm-chart/gitlab/Chart.yaml b/helm-chart/gitlab/Chart.yaml
deleted file mode 100644
index 596260baa4..0000000000
--- a/helm-chart/gitlab/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v1
-appVersion: "1.0"
-description: A Helm chart for the Renku Gitlab server
-name: gitlab
-version: 0.8.0
diff --git a/helm-chart/gitlab/requirements.yaml b/helm-chart/gitlab/requirements.yaml
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/helm-chart/gitlab/templates/_gitlab.rb.tpl b/helm-chart/gitlab/templates/_gitlab.rb.tpl
deleted file mode 100644
index 6c9d8880a5..0000000000
--- a/helm-chart/gitlab/templates/_gitlab.rb.tpl
+++ /dev/null
@@ -1,133 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -GitLab Omnibus configuration -*/}} -{{- define "gitlab.config" -}} -## GitLab configuration settings -##! Check out the latest version of this file to know about the different -##! settings that can be configured by this file, which may be found at: -##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template - - -## GitLab URL -##! URL on which GitLab will be reachable. -##! For more details on configuring external_url see: -##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab -external_url '{{ template "renku.http" . }}://{{ .Values.global.renku.domain }}/gitlab' - -##! **Override only if you use a reverse proxy** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port -nginx['listen_port'] = 80 - -##! **Override only if your reverse proxy internally communicates over HTTP** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl -nginx['listen_https'] = false - -## Configure SSH port to be displayed correctly -gitlab_rails['gitlab_shell_ssh_port'] = {{ default 22 .Values.ssh.externalPort }} - -### OmniAuth Settings -###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html -gitlab_rails['omniauth_enabled'] = true -{{- if .Values.oauth.autoSignIn }} -gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'oauth2_generic' -{{- end }} -gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic'] -gitlab_rails['omniauth_block_auto_created_users'] = false -gitlab_rails['omniauth_providers'] = [ - { - 'name' => 'oauth2_generic', - 'app_id' => 'gitlab', - 'app_secret' => ENV['GITLAB_CLIENT_SECRET'], - 'args' => { - client_options: { - # Traefik maps keycloak to the URL below - # CAREFUL: This must be accessible from inside the keycloak container - # for server-to-server communication. - 'site' => '{{ template "renku.http" . 
}}://{{ .Values.global.renku.domain }}/auth/', - 'authorize_url' => '/auth/realms/Renku/protocol/openid-connect/auth', - 'user_info_url' => '/auth/realms/Renku/protocol/openid-connect/userinfo', - 'token_url' => '/auth/realms/Renku/protocol/openid-connect/token' - }, - user_response_structure: { - attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username' - id_path: 'sub' - }, - authorize_params: { - scope: "openid profile email" - } - }, - label: 'Renku Login' - } - ] - -gitlab_rails['initial_root_password'] = ENV['GITLAB_PASSWORD'] - -### GitLab database settings -###! Docs: https://docs.gitlab.com/omnibus/settings/database.html -###! **Only needed if you use an external database.** -postgresql['enable'] = false -gitlab_rails['db_adapter'] = "postgresql" -gitlab_rails['db_encoding'] = "utf-8" -gitlab_rails['db_database'] = ENV['POSTGRES_DATABASE'] -gitlab_rails['db_username'] = ENV['POSTGRES_USER'] -gitlab_rails['db_password'] = ENV['PGPASSWORD'] -gitlab_rails['db_host'] = '{{ template "postgresql.fullname" . }}' -gitlab_rails['db_port'] = 5432 - -### GitLab Redis settings -###! Connect to your own Redis instance -###! 
Docs: https://docs.gitlab.com/omnibus/settings/redis.html - -#### Redis TCP connection -# gitlab_rails['redis_host'] = localhost -# gitlab_rails['redis_port'] = 6379 -# gitlab_rails['redis_password'] = nil -# gitlab_rails['redis_database'] = 0 - -### GitLab LFS object store -### Docs: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html -{{ if .Values.lfsObjects.enabled -}} -gitlab_rails['lfs_object_store_enabled'] = true -gitlab_rails['lfs_object_store_remote_directory'] = "{{ .Values.lfsObjects.bucketName }}" -gitlab_rails['lfs_object_store_direct_upload'] = {{ .Values.lfsObjects.directUpload }} -gitlab_rails['lfs_object_store_background_upload'] = {{ .Values.lfsObjects.backgroundUpload }} -gitlab_rails['lfs_object_store_proxy_download'] = {{ .Values.lfsObjects.proxyDownload }} -gitlab_rails['lfs_object_store_connection'] = eval(ENV['GITLAB_LFS_CONNECTION']) -{{- end }} - -prometheus['enable'] = false -gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] -gitlab_rails['env'] = { 'prometheus_multiproc_dir' => '/dev/shm' } - -### GitLab Registry settings -registry_external_url '{{ .Values.registry.externalUrl }}' -gitlab_rails['registry_enabled'] = {{ .Values.registry.enabled }} -registry_nginx['enable'] = false -registry['registry_http_addr'] = '0.0.0.0:8105' -### Registry backend storage -###! 
Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver -{{- if .Values.registry.storage }} -registry['storage'] = eval(ENV['GITLAB_REGISTRY_STORAGE']) -{{- end }} -registry['health_storagedriver_enabled'] = {{ .Values.registry.backendHealthcheck }} - -### GitLab rack-attack -### See: https://docs.gitlab.com/ce/security/rack_attack.html -### Disabled, as it is banning ingress controller IPs -gitlab_rails['rack_attack_git_basic_auth'] = { - 'enabled' => false -} - -{{ if .Values.logging.useJson -}} -gitaly['logging_format'] = 'json' -gitlab_shell['log_format'] = 'json' -gitlab_workhorse['log_format'] = 'json' -registry['log_formatter'] = 'json' -sidekiq['log_format'] = 'json' -gitlab_pages['log_format'] = 'json' -{{- end }} - -{{ .Values.extraConfig }} - -{{- end -}} diff --git a/helm-chart/gitlab/templates/_helpers.tpl b/helm-chart/gitlab/templates/_helpers.tpl deleted file mode 100644 index 4244a185db..0000000000 --- a/helm-chart/gitlab/templates/_helpers.tpl +++ /dev/null @@ -1,24 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "gitlab.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gitlab.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Hack for calling templates in a fake scope (until this is solved https://github.com/helm/helm/issues/4535) -*/}} -{{- define "call-nested" }} -{{- $dot := index . 0 }} -{{- $subchart := index . 1 }} -{{- $template := index . 2 }} -{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }} -{{- end }} 
diff --git a/helm-chart/gitlab/templates/configmap.yaml b/helm-chart/gitlab/templates/configmap.yaml deleted file mode 100644 index 6ab6774837..0000000000 --- a/helm-chart/gitlab/templates/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "gitlab.fullname" . }}-config - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - gitlab.rb: |- -{{ include "gitlab.config" . | indent 4 }} diff --git a/helm-chart/gitlab/templates/deployment.yaml b/helm-chart/gitlab/templates/deployment.yaml deleted file mode 100644 index 271a586665..0000000000 --- a/helm-chart/gitlab/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: POSTGRES_DATABASE - value: {{ .Values.global.gitlab.postgresDatabase }} - - name: POSTGRES_USER - value: {{ .Values.global.gitlab.postgresUser }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }}-postgres - key: gitlab-postgres-password - - name: GITLAB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-client-secret - - name: GITLAB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-password - - name: RENKU_DOMAIN - value: {{ .Values.global.renku.domain }} - - name: GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: shared-runners-registration-token - {{- if .Values.lfsObjects.enabled }} - - name: GITLAB_LFS_CONNECTION - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-lfs-connection - {{- end }} - {{- if .Values.registry.storage }} - - name: GITLAB_REGISTRY_STORAGE - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . 
}} - key: gitlab-registry-storage - {{- end }} - ports: - - name: ssh - containerPort: 22 - - name: http - containerPort: 80 - - name: registry - containerPort: 8105 - livenessProbe: - httpGet: - path: /gitlab/help - port: http - # This pod takes a very long time to start up. Be cautious when - # lowering this value to avoid Pod death during startup. - initialDelaySeconds: 600 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /gitlab/help - port: http - initialDelaySeconds: 60 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_data.mountPath }} - subPath: {{ .Values.persistence.gitlab_data.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_config.mountPath }} - subPath: {{ .Values.persistence.gitlab_config.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_logs.mountPath }} - subPath: {{ .Values.persistence.gitlab_logs.subPath }} - - name: config - mountPath: /etc/gitlab/gitlab.rb - subPath: gitlab.rb - volumes: - - name: gitlab-persistence - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (include "gitlab.fullname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config - configMap: - name: {{ template "gitlab.fullname" . }}-config - - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/helm-chart/gitlab/templates/metrics-service.yaml b/helm-chart/gitlab/templates/metrics-service.yaml deleted file mode 100644 index 7c3cb5cf5f..0000000000 
--- a/helm-chart/gitlab/templates/metrics-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.service.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if.Values.service.metrics.annotations }} - annotations: -{{ toYaml .Values.service.metrics.annotations | indent 4 }} -{{- end }} - name: {{ template "gitlab.fullname" . }}-metrics - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/helm-chart/gitlab/templates/pvc.yaml b/helm-chart/gitlab/templates/pvc.yaml deleted file mode 100644 index b508c61c3d..0000000000 --- a/helm-chart/gitlab/templates/pvc.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end -}} diff --git a/helm-chart/gitlab/templates/registry-ingress.yaml b/helm-chart/gitlab/templates/registry-ingress.yaml deleted file mode 100644 index 4f542363b2..0000000000 
--- a/helm-chart/gitlab/templates/registry-ingress.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "Ingress" -}} -{{- $gitlabFullname := include "gitlab.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: -{{- range $key, $value := .Values.registry.ingress.annotations }} - {{ $key }}: {{ $value | quote }} -{{- end }} -spec: -{{- if .Values.registry.ingress.tls }} - tls: - {{- range .Values.registry.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.registry.ingress.hosts }} - - host: {{ . }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ $gitlabFullname }} - port: - number: {{ 8105 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/helm-chart/gitlab/templates/registry-service.yaml b/helm-chart/gitlab/templates/registry-service.yaml deleted file mode 100644 index a5ca95c13f..0000000000 --- a/helm-chart/gitlab/templates/registry-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "NodePort" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - clusterIP: 10.100.123.45 - type: NodePort - ports: - - port: 8105 - nodePort: 30105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} 
diff --git a/helm-chart/gitlab/templates/secret.yaml b/helm-chart/gitlab/templates/secret.yaml deleted file mode 100644 index 69d18b1284..0000000000 --- a/helm-chart/gitlab/templates/secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - gitlab-password: {{ required "Fill in .Values.password with `openssl rand -hex 16`" .Values.password | b64enc | quote }} - gitlab-client-secret: {{ required "Fill in .Values.global.gitlab.clientSecret with `uuidgen -r`" .Values.global.gitlab.clientSecret | b64enc | quote }} - shared-runners-registration-token: {{ required "Fill in .Values.sharedRunnersRegistrationToken with `openssl rand -hex 32`" .Values.sharedRunnersRegistrationToken | b64enc | quote }} - -{{- if .Values.lfsObjects.enabled }} - gitlab-lfs-connection: {{ .Values.lfsObjects.connection | b64enc | quote }} -{{- end }} - -{{- if .Values.registry.storage }} - gitlab-registry-storage: {{ .Values.registry.storage | b64enc | quote }} -{{- end }} diff --git a/helm-chart/gitlab/templates/service.yaml b/helm-chart/gitlab/templates/service.yaml deleted file mode 100644 index 1fbe666f88..0000000000 --- a/helm-chart/gitlab/templates/service.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - - port: 22 - targetPort: ssh - protocol: TCP - name: ssh - - port: 8105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} diff --git a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml b/helm-chart/gitlab/templates/ssh-nodeport-service.yaml deleted file mode 100644 index 0a41ef4ce4..0000000000 --- a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if not (empty .Values.ssh.nodePortService) -}} -{{- if .Values.ssh.nodePortService.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-ssh - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: NodePort - ports: - - port: 22 - nodePort: {{ .Values.ssh.nodePortService.nodePort }} - targetPort: ssh - protocol: TCP - name: ssh - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/helm-chart/gitlab/values.yaml b/helm-chart/gitlab/values.yaml deleted file mode 100644 index b57f908fb9..0000000000 --- a/helm-chart/gitlab/values.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -# Default values for gitlab. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - repository: gitlab/gitlab-ce - tag: 14.10.5-ce.0 - pullPolicy: IfNotPresent - -ssh: - externalPort: 22 - nodePortService: - enabled: false - nodePort: 30022 - -oauth: - autoSignIn: false - -## LFS objects in remote object storage -## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage -lfsObjects: - enabled: false - bucketName: lfs-objects - directUpload: false - backgroundUpload: true - proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - -service: - type: ClusterIP - port: 80 - metrics: - enabled: true - annotations: - prometheus.io/scrape: "true" - prometheus.io/path: /gitlab/-/metrics - prometheus.io/port: "80" - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - # storageClass: "-" - accessMode: ReadWriteOnce - size: 30Gi - - gitlab_data: - subPath: data - mountPath: /var/opt/gitlab - gitlab_config: - subPath: config - mountPath: /etc/gitlab - gitlab_logs: - subPath: logs - mountPath: /var/log/gitlab - - -registry: - enabled: false - exposedAs: Ingress - # exposedAs: NodePort - backendHealthcheck: true - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - -resources: {} - # We usually 
recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Enable json logs for all services -logging: - useJson: true - -## Add some extra configuration to gitlab.rb -# extraConfig: | -# ## Fix number of unicorn workers -# unicorn['worker_processes'] = 7 - -# ## Fix something else -# ... diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 7a214673d5..95376234d2 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -1,8 +1,4 @@ dependencies: - - name: gitlab - repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: 0.8.0 - condition: gitlab.enabled - name: postgresql version: "14.2.4" repository: "oci://registry-1.docker.io/bitnamicharts" @@ -12,10 +8,8 @@ dependencies: repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis - # bitnami claims that this will always contain a full set of charts - let us pray... - # this index was 19MB as of the date of this commit and contained redis 17.4.2 - repository: "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami" - version: 17.4.2 + repository: "oci://registry-1.docker.io/bitnamicharts" + version: 20.3.0 condition: redis.install - name: renku-jena version: "0.0.25" 
@@ -23,14 +17,17 @@ dependencies: alias: jena - name: amalthea repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.12.3" + version: "0.14.6" + - name: amalthea-sessions + repository: "https://swissdatasciencecenter.github.io/helm-charts/" + version: "0.14.6" - name: dlf-chart repository: "https://swissdatasciencecenter.github.io/datashim/" version: "0.3.9-renku-2" condition: notebooks.cloudstorage.s3.installDatashim - name: csi-rclone repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.3.3" + version: "0.3.5" condition: global.csi-rclone.install - name: solr repository: "oci://registry-1.docker.io/bitnamicharts" @@ -40,5 +37,5 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts tags: - - bitnami-common + - bitnami-common version: 2.x.x diff --git a/helm-chart/renku/templates/_helpers.tpl b/helm-chart/renku/templates/_helpers.tpl index c7d07db31d..f7660399d1 100644 --- a/helm-chart/renku/templates/_helpers.tpl +++ b/helm-chart/renku/templates/_helpers.tpl @@ -149,6 +149,10 @@ KC_DB_PASSWORD: {{ default (randAlphaNum 64) .Values.global.keycloak.postgresPas {{- end -}} {{- end -}} +{{- define "renku.keycloakIssuerUrl" -}} +{{- printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) -}} +{{- end -}} + {{/* Common labels */}} diff --git a/helm-chart/renku/templates/core/cache-cleanup-job.yaml b/helm-chart/renku/templates/core/cache-cleanup-job.yaml index ea665eab0c..b851a1bb51 100644 --- a/helm-chart/renku/templates/core/cache-cleanup-job.yaml +++ b/helm-chart/renku/templates/core/cache-cleanup-job.yaml @@ -13,6 +13,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: core-cache-cleanup spec: containers: - name: {{ include "renku-core.fullname" $ }}-cache-cleanup-{{ $version.name }} 
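Review bot: The new `renku.keycloakIssuerUrl` helper is not used by the line whose expression it duplicates: gateway/configmap.yaml, touched later in this same diff, still builds the verifier issuer inline as `printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .)`. Switching that line to `- issuer: {{ include "renku.keycloakIssuerUrl" . }}` keeps the two from drifting, which matters because a verifier whose issuer string differs from the real one rejects every token. The define also lacks the short description comment the neighbouring helpers carry; something like `{{/* Keycloak issuer URL for the Renku realm: <keycloak URL>/realms/<realm> */}}` above it would match the file's style. If the helper is consumed in a template outside this diff, ignore the first point.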
diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml index a0620c6f78..ec07eb2814 100644 --- a/helm-chart/renku/templates/data-service/deployment.yaml +++ b/helm-chart/renku/templates/data-service/deployment.yaml @@ -23,8 +23,10 @@ spec: app: renku-data-service release: {{ .Release.Name }} {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} - {{- with .Values.dataService.podAnnotations }} annotations: + # NOTE: Without this the pod will not restart when the secret values change. + checksum/config: {{ include (print $.Template.BasePath "/notebooks/env-secret.yaml") . | sha256sum }} + {{- with .Values.dataService.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} spec: @@ -43,6 +45,9 @@ spec: - name: http containerPort: 8000 protocol: TCP + envFrom: + - secretRef: + name: {{ template "renku.notebooks.fullname" . }} env: - name: VERSION value: {{ .Values.dataService.image.tag | quote }} @@ -70,10 +75,6 @@ spec: value: /secrets/encryptionKey/encryptionKey - name: SECRETS_SERVICE_PUBLIC_KEY_PATH value: /secrets/publicKey/publicKey - - name: SERVER_DEFAULTS - value: /etc/renku-data-service/server_options/server_defaults.json - - name: SERVER_OPTIONS - value: /etc/renku-data-service/server_options/server_options.json - name: K8S_NAMESPACE value: {{ .Release.Namespace | quote }} - name: GITLAB_URL 
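Review bot: The added `envFrom: - secretRef: name: {{ template "renku.notebooks.fullname" . }}` injects every key of the notebooks secret into the data-service container, whereas the surrounding `env:` entries name individual keys with `valueFrom.secretKeyRef`; if the service needs only a few values, listing them the same way keeps the environment to what it actually uses, and any key later added to that secret would otherwise silently land in this process too. If the whole secret is genuinely required, a comment on the `envFrom:` line saying which settings the data service reads from it would document the new coupling between the two services. The `checksum/config` annotation in the first hunk hashes that same secret via `/notebooks/env-secret.yaml`, so pod restarts on change are consistent with the injection. The container definition starts outside the hunk.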
@@ -116,11 +117,21 @@ spec: value: {{ .Values.dataService.trustedProxies.proxiesCount | default "" | quote }} - name: REAL_IP_HEADER value: {{ .Values.dataService.trustedProxies.realIpHeader | default "" | quote }} + - name: KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SESSIONS_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- include "certificates.env.python" . | nindent 12 }} {{- include "certificates.env.grpc" . | nindent 12 }} volumeMounts: - name: server-options - mountPath: /etc/renku-data-service/server_options + mountPath: /etc/renku-notebooks/server_options - mountPath: "/secrets/encryptionKey" name: encryption-key readOnly: true diff --git a/helm-chart/renku/templates/data-service/rbac.yaml b/helm-chart/renku/templates/data-service/rbac.yaml index c242893a24..2e8266a050 100644 --- a/helm-chart/renku/templates/data-service/rbac.yaml +++ b/helm-chart/renku/templates/data-service/rbac.yaml @@ -19,6 +19,67 @@ rules: - patch - delete - create + - apiGroups: + - "" + resources: + - pods + - pods/log + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - delete + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update + - delete + - patch + - apiGroups: + - {{ .Values.amalthea.crdApiGroup }} + resources: + - {{ .Values.amalthea.crdNames.plural }} + verbs: + - create + - update + - delete + - patch + - list + - get + - watch + - apiGroups: + - amalthea.dev + resources: + - amaltheasessions + verbs: + - create + - update + - delete + - patch + - list + - get + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
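Review bot: `KUBERNETES_NAMESPACE` and `SESSIONS_NAMESPACE` are both filled from `fieldRef: metadata.namespace`, while the existing `K8S_NAMESPACE` entry in the previous hunk carries the same value as `{{ .Release.Namespace | quote }}`; three variables for one value, obtained by two different mechanisms, is hard to maintain. If the service needs all three names, a comment on the `KUBERNETES_NAMESPACE` entry such as `# Same value as K8S_NAMESPACE; both spellings are read by the data service` would explain it, otherwise the new entries could reuse the `{{ .Release.Namespace | quote }}` form for consistency. Setting `SESSIONS_NAMESPACE` to the pod's own namespace also bakes in the assumption that sessions live in the release namespace, which the namespaced rules added to rbac.yaml in this commit depend on; worth a comment if intentional. The container spec starts and ends outside the hunk.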
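Review bot: The first added `apiGroups: ""` rule grants `get`, `list` and `watch` on `secrets` for the whole namespace, and two further rules add `delete` and `create`/`update`/`delete`/`patch` on `secrets`, so the data-service service account can now read and modify every Secret in the release namespace — including the gateway secret rendered by gateway/secret.yaml later in this diff — rather than only the session secrets it manages. `list` and `watch` cannot be narrowed with `resourceNames`; if the service only needs specific secrets, drop those two verbs and scope the remaining verbs with `resourceNames`, or keep them and add a comment stating why enumerating all secrets is required. The three overlapping `secrets` rules and the two `pods` rules should be merged into one rule each so the effective permission set is readable in one place; `pods/log` `get` likewise exposes the logs of every pod in the namespace and deserves a comment naming its purpose. Whether this object is a Role or a ClusterRole is outside the hunk, which decides whether the exposure is namespace- or cluster-wide.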
diff --git a/helm-chart/renku/templates/gateway/configmap.yaml b/helm-chart/renku/templates/gateway/configmap.yaml index c163177252..164e045a53 100644 --- a/helm-chart/renku/templates/gateway/configmap.yaml +++ b/helm-chart/renku/templates/gateway/configmap.yaml @@ -9,6 +9,7 @@ metadata: heritage: {{ .Release.Service }} data: config.yaml: | + debugMode: {{ .Values.gateway.debug | default false }} server: port: 8080 host: 0.0.0.0 @@ -21,6 +22,12 @@ data: {{- toYaml . | nindent 8 }} {{- end }} sessions: + {{- if .Values.gateway.idleSessionTTLSeconds }} + idleSessionTTLSeconds: {{ .Values.gateway.idleSessionTTLSeconds }} + {{- end }} + {{- if .Values.gateway.maxSessionTTLSeconds }} + maxSessionTTLSeconds: {{ .Values.gateway.maxSessionTTLSeconds }} + {{- end }} authorizationVerifiers: - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} audience: renku diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index 3fc1b30214..09c89e04bc 100644 --- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml @@ -41,7 +41,7 @@ spec: initContainers: {{- include "certificates.initContainer" . | nindent 8 }} containers: - - name: gateway + - name: gateway image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} securityContext: 
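Review bot: The guards `{{- if .Values.gateway.idleSessionTTLSeconds }}` and `{{- if .Values.gateway.maxSessionTTLSeconds }}` treat `0` as unset, because Go templates evaluate a zero number as false, so an operator who sets a TTL to `0` (if the gateway gives that a meaning) gets the key silently omitted. If `0` is meaningful, test presence instead, `{{- if hasKey .Values.gateway "idleSessionTTLSeconds" }}`, and likewise for the max; if it is not, a values.yaml comment stating the value must be positive is enough. `debugMode: {{ .Values.gateway.debug | default false }}` is undocumented; a one-line comment on what the gateway changes in debug mode (extra logging, for instance) would tell operators what they are enabling in the component that handles their auth cookies.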
@@ -56,7 +56,17 @@ spec: secretKeyRef: name: {{ .Values.global.redis.existingSecret }} key: {{ .Values.global.redis.existingSecretPasswordKey }} - - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET + - name: GATEWAY_SESSIONS_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_SESSIONS_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET valueFrom: secretKeyRef: name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} @@ -130,4 +140,3 @@ spec: - name: public-config configMap: name: {{ template "renku.fullname" . }}-gateway - diff --git a/helm-chart/renku/templates/gateway/secret.yaml b/helm-chart/renku/templates/gateway/secret.yaml index 02feb32174..189c0638b4 100644 --- a/helm-chart/renku/templates/gateway/secret.yaml +++ b/helm-chart/renku/templates/gateway/secret.yaml 
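Review bot: `GATEWAY_SESSIONS_COOKIEENCODINGKEY` and `GATEWAY_SESSIONS_COOKIEHASHKEY` read the `cookieEncodingKey` and `cookieHashKey` entries of the gateway secret, which gateway/secret.yaml later in this diff fills from variables named `$csrfCookieEncodingKey` and `$csrfCookieHashKey`. If those keys are also used for CSRF cookies, the same key material now protects two different cookie types; separate keys per purpose are easier to rotate independently and limit the impact if one is exposed, and if the sharing is deliberate a comment on the first new entry should say so, e.g. `# Session cookie keys; intentionally the same material as the CSRF cookie keys`. How the variables are generated is outside this diff, so this may only be a naming leftover.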
@@ -2,11 +2,7 @@ {{- $oidcClientSecret := .Values.gateway.oidcClientSecret | default .Values.global.gateway.clientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $gitlabClientSecret := "" -}} -{{- if .Values.gitlab.enabled -}} -{{- $gitlabClientSecret = .Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret | default (randAlphaNum 64) | b64enc | quote }} -{{- else -}} {{- $gitlabClientSecret = required "Fill in .Values.gateway.gitlabClientSecret or .Values.global.gateway.gitlabClientSecret with the OIDC client secret you created in Gitlab" (.Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret) | b64enc | quote -}} -{{- end -}} {{- $gatewaySecret := .Values.gateway.secretKey | default (randAlphaNum 64) | b64enc | quote }} {{- $cliClientSecret := .Values.gateway.cliClientSecret | default .Values.global.gateway.cliClientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $notebooksClientSecret := .Values.notebooks.oidc.clientSecret | default (randAlphaNum 64) | b64enc | quote }} @@ -58,15 +54,6 @@ {{- end -}} {{- end -}} -{{- if .Values.gitlab.enabled -}} -{{- if not .Values.global.gitlab.clientSecret -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $gitlabClientInKeycloakSecret = index $secret.data "gitlabClientInKeycloakSecret" }} -{{- end -}} -{{- end -}} -{{- end }} - {{- $tokenEncryptionSecretKey := randAlphaNum 32 | b64enc | quote }} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} {{- if $secret }} 
@@ -112,11 +99,6 @@ data: notebooksClientSecret: {{ $notebooksClientSecret }} # A secret for the UI server client in Keycloak uiserverClientSecret: {{ $uiserverClientSecret }} - {{- if .Values.gitlab.enabled }} - # A secret for the Gitlab client in Keycloak if an internal Gitlab is used - gitlabClientInKeycloakSecret: {{ $gitlabClientInKeycloakSecret }} - {{- end }} cookieEncodingKey: {{ $csrfCookieEncodingKey }} cookieHashKey: {{ $csrfCookieHashKey }} tokenEncryption: {{ $tokenEncryptionSecretKey }} - diff --git a/helm-chart/renku/templates/gitlab-postgres-secret.yaml b/helm-chart/renku/templates/gitlab-postgres-secret.yaml deleted file mode 100644 index b8ce7270e8..0000000000 --- a/helm-chart/renku/templates/gitlab-postgres-secret.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -{{- if .Values.gitlab.enabled }} -{{- $db_password := default (randAlphaNum 64) .Values.global.gitlab.postgresPassword.value | b64enc | quote }} - -{{- $renkuFullname := include "renku.fullname" . -}} - -{{- if not .Values.global.gitlab.postgresPassword.value -}} -{{- $secretName := cat $renkuFullname "-gitlab-postgres" | nospace }} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $db_password = index $secret.data "gitlab-postgres-password" }} -{{- end -}} -{{- end -}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "renku.fullname" . }}-gitlab-postgres - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": "pre-install,pre-upgrade,pre-rollback" -type: Opaque -data: - gitlab-postgres-password: {{ $db_password }} -{{- end }} diff --git a/helm-chart/renku/templates/ingress.yaml b/helm-chart/renku/templates/ingress.yaml index 17cd9794ff..5f52d16be2 100644 --- a/helm-chart/renku/templates/ingress.yaml +++ b/helm-chart/renku/templates/ingress.yaml 
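Review bot: With the `gitlabClientInKeycloakSecret` data entry removed here and the `lookup` block that re-read `$gitlabClientInKeycloakSecret` removed in the previous hunk of this file, the variable has no remaining consumer in the visible diff; if its declaration (between the hunks, not shown) still exists, it is now dead and should go too. The first hunk also makes `$gitlabClientSecret` unconditionally `required`, which follows from dropping the subchart, but the values.yaml description of `gateway.gitlabClientSecret` should now state that it is mandatory; I cannot see whether this commit updates it.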
@@ -2,7 +2,6 @@ {{- $keycloakEnabled := .Values.keycloakx.enabled -}} {{- $keycloakFullname := include "keycloak.fullname" . -}} {{- $keycloakServicePort := .Values.keycloakx.ingress.servicePort -}} -{{- $gitlabEnabled := .Values.gitlab.enabled -}} {{- $gitlabFullname := include "gitlab.fullname" . -}} {{- $gitlabServicePort := 80 -}} {{- $uiFullname := include "ui.fullname" . -}} @@ -67,15 +66,9 @@ spec: pathType: Prefix backend: service: - {{- if $gitlabEnabled }} - name: {{ $gitlabFullname }} - port: - number: {{ $gitlabServicePort }} - {{ else }} name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - {{- end }} - path: /repos pathType: Prefix backend: diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 3aa0a88615..48425c0ff0 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -1,3 +1,16 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all-ingress + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress {{- if not .Values.global.externalServices.postgresql.enabled }} --- apiVersion: networking.k8s.io/v1 @@ -25,20 +38,6 @@ spec: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} {{- end }} - {{- if .Values.gitlab.enabled }} - - podSelector: - matchLabels: - app: gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - - podSelector: - matchLabels: - app: post-install-gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - {{- end }} - podSelector: matchLabels: app: event-log 
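Review bot: Removing the `$gitlabEnabled` branch leaves `$gitlabFullname := include "gitlab.fullname" .` and `$gitlabServicePort := 80` in the first hunk with no remaining use in the visible diff; their only reference was the backend block deleted in the second hunk. Unless they are used further down the template (outside this diff), delete both declarations, which also removes this file's last dependency on the `gitlab.fullname` helper now that the gitlab subchart is gone. The rule list containing the deleted branch starts and ends outside the hunk.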
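Review bot: The new `default-deny-all-ingress` policy uses `podSelector: {}`, so it applies to every pod in the release namespace, including the subchart workloads declared in requirements.yaml in this diff (postgresql, redis, solr, keycloak) and anything an operator runs alongside Renku; each of those needs an explicit allow policy or it becomes unreachable after the upgrade. The later hunk of this file adds allow policies for the k8s watcher, sessions and secrets storage, but it is cut off in this view, so I cannot confirm the set is complete. A comment above the policy, e.g. `# Deny-by-default: every workload in this namespace must be allowed explicitly by one of the policies below`, plus a CHANGELOG line saying ingress is now deny-by-default, would make the behaviour change visible to operators.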
@@ -81,13 +80,992 @@ spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} + - podSelector: + matchLabels: + app: postgres-setup + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} ports: - protocol: TCP port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - protocol: TCP port: 9187 {{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }}-k8s-watcher + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the k8s watcher from data services and notebooks + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Ingress + ingress: + - from: + # Allow ssh ingress to sessions only for the ssh jump host + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . 
}}-ssh + ports: + - port: ssh + protocol: TCP + - from: + # Allow ingress to the oauth2proxy for anyone + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 4180 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions-v2 + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: AmaltheaSession + app.kubernetes.io/part-of: amaltheasession-operator + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the authentication proxy port on a v2 session from anywhere + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + # This port is hardcoded in Amalthea as the port for the authentication proxy + port: 65535 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.fullname" . }}-secrets-storage + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-secrets-storage + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Only allow ingress to secrets storage from notebooks and data services + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-data-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-notebooks-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-graph + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-knowledge-graph-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-kg +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-search-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-search-api + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-uiserver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-gateway-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- if .Values.keycloakx.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-keycloak-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: keycloakx + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http + - protocol: TCP + port: https +{{- end }} +{{- if .Values.swagger.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-swagger-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku.name" . 
}}-swagger + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-webhook-service-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http-webhook-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-ui-assets-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: ui + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-authz-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-authz + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: data-service-background-jobs + - podSelector: + matchLabels: + app: data-service-total-users-sync + ports: + - protocol: TCP + port: http + - protocol: TCP + port: grpc +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-core-cleanup-job + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: core-cache-cleanup + ports: + - protocol: TCP + port: http +{{- if .Values.redis.install }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-redis-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: redis + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: redis +{{- end }} +{{- if .Values.solr.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-solr-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: solr + app.kubernetes.io/name: solr + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: search-api + - podSelector: + matchLabels: + app: search-provision + ports: + - protocol: TCP + port: http +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromPods | len) 0 }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-pods + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + {{- toYaml .Values.networkPolicies.allowAllIngressFromPods | nindent 8 }} +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromNamespaces | len) 0 }} +{{- if has .Release.Namespace .Values.networkPolicies.allowAllIngressFromNamespaces }} +{{- fail "ERROR: You cannot allow all ingress from the Helm release namespace" }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-namespaces + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchExpressions: + # The kubernetes.io/metadata.name label is automatically added by k8s to every namespace + - key: kubernetes.io/metadata.name + operator: In + values: + {{- toYaml .Values.networkPolicies.allowAllIngressFromNamespaces | nindent 16 }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-to-acme-http-solver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + acme.cert-manager.io/http01-solver: "true" + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-jena-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: jena + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: jena-http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-event-log-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . 
}} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The event log calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-event-log +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-token-repository-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . 
}} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-token-repo +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-triple-generator-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The triples generator calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-triples-gn +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-commit-events-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . 
}} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-commit-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-data-service-from-notebooks + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + # The notebooks code in data service calls data service via a K8s service + # and for this to succeed the network policy has to allow it. This can be + # removed when the notebooks code is completely migrated to the data service. + name: ingress-to-data-service-from-itself + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + # Needed for secret mounting + name: ingress-to-data-service-from-v1-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-from-renku-v1-sessions +spec: + egress: + - to: + # DNS resolution + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - to: + # Allow access to data service, needed for secret mounting + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-from-renku-v2-sessions +spec: + egress: + - to: + # DNS resolution + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. 
+ - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + podSelector: + matchLabels: + app.kubernetes.io/created-by: controller-manager + app.kubernetes.io/name: AmaltheaSession + policyTypes: + - Egress diff --git a/helm-chart/renku/templates/notebooks/deployment.yaml b/helm-chart/renku/templates/notebooks/deployment.yaml index 8e65a6d313..be4b9ed1fa 100644 --- a/helm-chart/renku/templates/notebooks/deployment.yaml +++ b/helm-chart/renku/templates/notebooks/deployment.yaml @@ -17,6 +17,9 @@ spec: release: {{ .Release.Name }} template: metadata: + annotations: + # NOTE: Without this the pod will not restart when the secret values change. + checksum/config: {{ include (print $.Template.BasePath "/notebooks/env-secret.yaml") . | sha256sum }} labels: app: {{ template "renku.notebooks.name" . }}-k8s-watcher chart: {{ template "renku.chart" . }} @@ -43,6 +46,12 @@ spec: value: {{ .Values.amalthea.crdApiVersion }} - name: K8S_WATCHER_CR_PLURAL value: {{ .Values.amalthea.crdNames.plural }} + - name: K8S_WATCHER_AMALTHEA_SESSION_GROUP + value: amalthea.dev + - name: K8S_WATCHER_AMALTHEA_SESSION_VERSION + value: v1alpha1 + - name: K8S_WATCHER_AMALTHEA_SESSION_PLURAL + value: amaltheasessions - name: K8S_WATCHER_NAMESPACES {{ if .Values.notebooks.sessionsNamespace }} value: {{ list .Release.Namespace .Values.notebooks.sessionsNamespace | uniq | toJson | quote }} diff --git a/helm-chart/renku/templates/notebooks/env-secret.yaml b/helm-chart/renku/templates/notebooks/env-secret.yaml new file mode 100644 index 0000000000..4c765cc9d7 --- /dev/null +++ b/helm-chart/renku/templates/notebooks/env-secret.yaml 
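Review bot: The `except` lists in `egress-from-renku-v1-sessions` and `egress-from-renku-v2-sessions` carve out only the three RFC 1918 ranges, so session pods, which run user code, can still reach the link-local range 169.254.0.0/16 (where cloud instance-metadata endpoints live) and 100.64.0.0/10, which some clusters use for service or node CIDRs. Add `- 169.254.0.0/16` (and `- 100.64.0.0/10` where the cluster uses it) to both `except` lists; note also that a `0.0.0.0/0` block never matches IPv6 destinations, so a dual-stack cluster needs an additional `::/0` rule with the equivalent exclusions (`fc00::/7`, `fe80::/10`). Both egress policies also lack the `app`/`chart`/`release`/`heritage` labels that every other policy in this file carries. The `-ssh-jumphost` Egress policy from the deleted notebooks/network-policy.yaml has no counterpart in this hunk; unless it lives elsewhere, the jump host now has unrestricted egress where it previously could only reach session ssh ports and DNS.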
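Review bot: The three new `K8S_WATCHER_AMALTHEA_SESSION_*` env vars hard-code `amalthea.dev`, `v1alpha1` and `amaltheasessions` right next to the `K8S_WATCHER_CR_*` entries, which read the same kind of data from `.Values.amalthea.crdApiVersion` and `.Values.amalthea.crdNames.plural`; a version bump of the sessions CRD will then require a chart change instead of a values change. Either source them from a values entry mirroring the existing `amalthea.crd*` keys (name to be chosen) or add a comment explaining why they are fixed, e.g. `# Pinned: the watcher only understands this AmaltheaSession API version`. The `checksum/config` annotation in the `@@ -17,6 +17,9 @@` hunk is set on the k8s-watcher deployment, whose visible env consists of inline `value:` entries rather than the new env-secret; if the watcher does not actually consume that secret, the annotation forces rollouts on changes it never sees. The deployment's container spec continues outside both hunks.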
@@ -0,0 +1,89 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "renku.notebooks.fullname" . }} + labels: + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +stringData: + NB_SESSIONS__STORAGE__PVS_ENABLED: {{ .Values.notebooks.userSessionPersistentVolumes.enabled | quote }} + {{- if and .Values.notebooks.userSessionPersistentVolumes.enabled .Values.notebooks.userSessionPersistentVolumes.storageClass }} + NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS: {{ .Values.notebooks.userSessionPersistentVolumes.storageClass | quote}} + {{- end }} + NB_SESSIONS__STORAGE__USE_EMPTY_DIR_SIZE_LIMIT: {{ .Values.notebooks.userSessionPersistentVolumes.useEmptyDirSizeLimit | quote }} + NB_SESSIONS__DEFAULT_IMAGE: "{{ .Values.notebooks.defaultSessionImage }}" + NB_SERVER_OPTIONS__DEFAULTS_PATH: /etc/renku-notebooks/server_options/server_defaults.json + NB_SERVER_OPTIONS__UI_CHOICES_PATH: /etc/renku-notebooks/server_options/server_options.json + NB_SESSIONS__OIDC__CLIENT_ID: {{ .Values.notebooks.oidc.clientId }} + NB_SESSIONS__OIDC__CLIENT_SECRET: {{ .Values.notebooks.oidc.clientSecret }} + NB_SESSIONS__OIDC__AUTH_URL: {{ .Values.notebooks.oidc.authUrl }} + NB_SESSIONS__OIDC__TOKEN_URL: {{ .Values.notebooks.oidc.tokenUrl }} + NB_SESSIONS__OIDC__ISSUER_URL: {{ template "renku.keycloakIssuerUrl" . }} + NB_SESSIONS__OIDC__ALLOW_UNVERIFIED_EMAIL: {{ .Values.notebooks.oidc.allowUnverifiedEmail | quote }} + NB_SESSIONS__INGRESS__HOST: {{ .Values.notebooks.sessionIngress.host }} + NB_SESSIONS__INGRESS__TLS_SECRET: {{ .Values.notebooks.sessionIngress.tlsSecret }} + NB_SESSIONS__INGRESS__ANNOTATIONS: | + {{- .Values.notebooks.sessionIngress.annotations | toYaml | nindent 4 }} + NB_GIT__URL: {{ .Values.global.gitlab.url | quote }} + NB_GIT__REGISTRY: {{ required "An image registry must be specified." 
.Values.global.gitlab.registry.host }} + NB_SESSIONS__GIT_RPC_SERVER__IMAGE: "{{ .Values.notebooks.gitRpcServer.image.name }}:{{ .Values.notebooks.gitRpcServer.image.tag }}" + NB_SESSIONS__GIT_PROXY__IMAGE: "{{ .Values.notebooks.gitHttpsProxy.image.name }}:{{ .Values.notebooks.gitHttpsProxy.image.tag }}" + NB_SESSIONS__GIT_CLONE__IMAGE: "{{ .Values.notebooks.gitClone.image.name }}:{{ .Values.notebooks.gitClone.image.tag }}" + NB_ANONYMOUS_SESSIONS_ENABLED: {{ .Values.global.anonymousSessions.enabled | quote }} + NB_SSH_ENABLED: {{ .Values.notebooks.ssh.enabled | quote }} + NB_SESSIONS__CULLING__REGISTERED__IDLE_SECONDS: {{ .Values.notebooks.culling.idleSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__ANONYMOUS__IDLE_SECONDS: {{ .Values.notebooks.culling.idleSecondsThreshold.anonymous | quote }} + NB_SESSIONS__CULLING__REGISTERED__HIBERNATED_SECONDS: {{ .Values.notebooks.culling.hibernatedSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__REGISTERED__MAX_AGE_SECONDS: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__ANONYMOUS__MAX_AGE_SECONDS: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.anonymous | quote }} + NB_AMALTHEA__GROUP: {{ .Values.amalthea.crdApiGroup }} + NB_AMALTHEA__VERSION: {{ .Values.amalthea.crdApiVersion }} + NB_AMALTHEA__PLURAL: {{ .Values.amalthea.crdNames.plural }} + NB_AMALTHEA__CACHE_URL: "http://{{ template "renku.notebooks.fullname" . }}-k8s-watcher" + NB_AMALTHEA_V2__CACHE_URL: "http://{{ template "renku.notebooks.fullname" . 
}}-k8s-watcher" + NB_SESSIONS__GIT_CLONE__SENTRY__ENABLED: {{ .Values.notebooks.sessionSentry.gitClone.enabled | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__DSN: {{ .Values.notebooks.sessionSentry.gitClone.dsn | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__ENV: {{ .Values.notebooks.sessionSentry.gitClone.environment | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__SAMPLE_RATE: {{ .Values.notebooks.sessionSentry.gitClone.sampleRate | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENABLED: {{ .Values.notebooks.sessionSentry.sidecar.enabled | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__DSN: {{ .Values.notebooks.sessionSentry.sidecar.dsn | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENV: {{ .Values.notebooks.sessionSentry.sidecar.environment | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__SAMPLE_RATE: {{ .Values.notebooks.sessionSentry.sidecar.sampleRate | quote }} + NB_SESSIONS__CA_CERTS__IMAGE: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}" + NB_SESSIONS__CA_CERTS__SECRETS: | + {{- .Values.global.certificates.customCAs | toYaml | nindent 4 }} + {{- with .Values.notebooks.sessionNodeSelector }} + NB_SESSIONS__NODE_SELECTOR: | + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notebooks.sessionAffinity }} + NB_SESSIONS__AFFINITY: | + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notebooks.sessionTolerations }} + NB_SESSIONS__TOLERATIONS: | + {{- toYaml . 
| nindent 4 }} + {{- end }} + NB_SESSIONS__ENFORCE_CPU_LIMITS: {{ .Values.notebooks.enforceCPULimits | quote }} + NB_CLOUD_STORAGE__ENABLED: {{ .Values.notebooks.cloudstorage.enabled | quote }} + NB_CLOUD_STORAGE__STORAGE_CLASS: {{ .Values.notebooks.cloudstorage.storageClass | default "csi-rclone" | quote }} + NB_SESSIONS__TERMINATION_WARNING_DURATION_SECONDS: {{ .Values.notebooks.sessionAutosave.terminationWarningDurationSeconds | quote }} + NB_VERSION: {{ .Values.notebooks.image.tag | quote }} + {{ if .Values.notebooks.sessionsNamespace }} + NB_K8S__SESSIONS_NAMESPACE: {{ .Values.notebooks.sessionsNamespace | quote }} + {{ end }} + NB_K8S__RENKU_NAMESPACE: {{ .Release.Namespace | quote }} + NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_ID: renku + NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET: {{ .Values.global.gateway.clientSecret | quote }} + NB_KEYCLOAK_REALM: {{ include "renku.keycloak.realm" . | quote }} + NB_SESSIONS__SSH__ENABLED: {{ .Values.notebooks.ssh.enabled | quote }} + {{- if not (kindIs "invalid" .Values.notebooks.ssh.hostKeySecret) }} + NB_SESSIONS__SSH__HOST_KEY_SECRET: {{ .Values.notebooks.ssh.hostKeySecret | quote }} + {{- end }} + NB_DATA_SERVICE_URL: {{ printf "http://%s-data-service/api/data" .Release.Name }} + NB_USER_SECRETS__SECRETS_STORAGE_SERVICE_URL: {{ printf "http://%s-secrets-storage" .Release.Name }} + NB_USER_SECRETS__IMAGE: "{{ .Values.notebooks.secretsMount.image.repository}}:{{.Values.notebooks.secretsMount.image.tag }}" +--- + diff --git a/helm-chart/renku/templates/notebooks/network-policy.yaml b/helm-chart/renku/templates/notebooks/network-policy.yaml deleted file mode 100644 index 7de4810309..0000000000 --- a/helm-chart/renku/templates/notebooks/network-policy.yaml +++ /dev/null 
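Review bot: `NB_SESSIONS__OIDC__CLIENT_ID`, `NB_SESSIONS__OIDC__CLIENT_SECRET`, `NB_SESSIONS__OIDC__AUTH_URL`, `NB_SESSIONS__OIDC__TOKEN_URL`, `NB_SESSIONS__INGRESS__HOST` and `NB_SESSIONS__INGRESS__TLS_SECRET` are emitted without `| quote`, while nearly every other value in this secret is quoted; a client secret containing YAML-significant characters (`#`, `: `, a leading `*`, `&` or `{`, or a purely numeric or `true`-like value) will render a broken or re-typed `stringData` entry. Quote them like their neighbours, e.g. `NB_SESSIONS__OIDC__CLIENT_ID: {{ .Values.notebooks.oidc.clientId | quote }}` and `NB_SESSIONS__OIDC__CLIENT_SECRET: {{ .Values.notebooks.oidc.clientSecret | quote }}`. The secret's labels omit the `app` label that the other templates in this commit set via `{{ template "renku.name" . }}`. The trailing `---` after the last key renders an empty YAML document at the end of the file, which is harmless but unnecessary.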
@@ -1,104 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-k8s-watcher - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-ssh-jumphost -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-ssh - policyTypes: - - Egress - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - ports: - - port: ssh - protocol: TCP - - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-sessions -spec: - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - policyTypes: - - Ingress - - Egress - ingress: - - from: - # Allow ssh ingress to sessions only for the ssh jump host - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-ssh - ports: - - port: ssh - protocol: TCP - - from: - # Allow ingress to the oauth2proxy for anyone - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - protocol: TCP - port: 4180 - egress: - - to: - # Allow DNS resolution (internal and external) - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - # Allow access to any port/protocol as long as it is directed - # outside of the cluster. 
This is done by excluding - # IP ranges which are reserved for private networking from - # the allowed range. - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - to: - # Allow access to data service - - podSelector: - matchLabels: - app: renku-data-service - ports: - - port: http - protocol: TCP - diff --git a/helm-chart/renku/templates/notebooks/statefulset.yaml b/helm-chart/renku/templates/notebooks/statefulset.yaml index f800651ec3..04a887f900 100644 --- a/helm-chart/renku/templates/notebooks/statefulset.yaml +++ b/helm-chart/renku/templates/notebooks/statefulset.yaml 
@@ -32,74 +32,14 @@ spec: imagePullPolicy: {{ .Values.notebooks.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + envFrom: + - secretRef: + name: {{ template "renku.notebooks.fullname" . }} env: - - name: NB_SESSIONS__STORAGE__PVS_ENABLED - value: {{ .Values.notebooks.userSessionPersistentVolumes.enabled | quote }} - {{ if .Values.notebooks.userSessionPersistentVolumes.enabled }} - - name: NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS - value: {{ .Values.notebooks.userSessionPersistentVolumes.storageClass | quote}} - {{ end }} - - name: NB_SESSIONS__STORAGE__USE_EMPTY_DIR_SIZE_LIMIT - value: {{ .Values.notebooks.userSessionPersistentVolumes.useEmptyDirSizeLimit | quote }} - - name: NB_SESSIONS__DEFAULT_IMAGE - value: "{{ .Values.notebooks.defaultSessionImage }}" - - name: NB_SERVER_OPTIONS__DEFAULTS_PATH - value: /etc/renku-notebooks/server_options/server_defaults.json - - name: NB_SERVER_OPTIONS__UI_CHOICES_PATH - value: /etc/renku-notebooks/server_options/server_options.json {{ if eq .Values.global.debug true }} - name: FLASK_DEBUG value: "1" {{ end }} - - name: NB_SESSIONS__OIDC__CLIENT_ID - value: {{ .Values.notebooks.oidc.clientId }} - - name: NB_SESSIONS__OIDC__CLIENT_SECRET - value: {{ .Values.notebooks.oidc.clientSecret }} - - name: NB_SESSIONS__OIDC__AUTH_URL - value: {{ .Values.notebooks.oidc.authUrl }} - - name: NB_SESSIONS__OIDC__TOKEN_URL - value: {{ .Values.notebooks.oidc.tokenUrl }} - - name: NB_SESSIONS__OIDC__ALLOW_UNVERIFIED_EMAIL - value: {{ .Values.notebooks.oidc.allowUnverifiedEmail | quote }} - - name: NB_SESSIONS__INGRESS__HOST - value: {{ .Values.notebooks.sessionIngress.host }} - - name: NB_SESSIONS__INGRESS__TLS_SECRET - value: {{ .Values.notebooks.sessionIngress.tlsSecret }} - - name: NB_SESSIONS__INGRESS__ANNOTATIONS - value: | - {{- .Values.notebooks.sessionIngress.annotations | toYaml | nindent 16 }} - - name: NB_GIT__URL - value: {{ .Values.global.gitlab.url | quote }} - - name: NB_GIT__REGISTRY - 
value: {{ required "An image registry must be specified." .Values.global.gitlab.registry.host }} - - name: NB_SESSIONS__GIT_RPC_SERVER__IMAGE - value: "{{ .Values.notebooks.gitRpcServer.image.name }}:{{ .Values.notebooks.gitRpcServer.image.tag }}" - - name: NB_SESSIONS__GIT_PROXY__IMAGE - value: "{{ .Values.notebooks.gitHttpsProxy.image.name }}:{{ .Values.notebooks.gitHttpsProxy.image.tag }}" - - name: NB_SESSIONS__GIT_CLONE__IMAGE - value: "{{ .Values.notebooks.gitClone.image.name }}:{{ .Values.notebooks.gitClone.image.tag }}" - - name: NB_ANONYMOUS_SESSIONS_ENABLED - value: {{ .Values.global.anonymousSessions.enabled | quote }} - - name: NB_SSH_ENABLED - value: {{ .Values.notebooks.ssh.enabled | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__IDLE_SECONDS - value: {{ .Values.notebooks.culling.idleSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__ANONYMOUS__IDLE_SECONDS - value: {{ .Values.notebooks.culling.idleSecondsThreshold.anonymous | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__HIBERNATED_SECONDS - value: {{ .Values.notebooks.culling.hibernatedSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__MAX_AGE_SECONDS - value: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__ANONYMOUS__MAX_AGE_SECONDS - value: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.anonymous | quote }} - - name: NB_AMALTHEA__GROUP - value: {{ .Values.amalthea.crdApiGroup }} - - name: NB_AMALTHEA__VERSION - value: {{ .Values.amalthea.crdApiVersion }} - - name: NB_AMALTHEA__PLURAL - value: {{ .Values.amalthea.crdNames.plural }} - - name: NB_AMALTHEA__CACHE_URL - value: http://{{ template "renku.notebooks.fullname" . }}-k8s-watcher - name: NB_SENTRY__ENABLED value: {{ .Values.notebooks.sentry.enabled | quote }} - name: NB_SENTRY__DSN 
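Review bot: Once almost every setting is loaded through `envFrom: - secretRef`, a change to those values no longer alters the pod template, so a `helm upgrade` that rotates `global.gateway.clientSecret` (rendered into the secret as `NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET`) will not restart the notebooks pod and the old credential stays in use until something else rolls it. Unless the StatefulSet metadata outside this hunk already carries one, add a checksum annotation under `spec.template.metadata.annotations`, e.g. `checksum/secret: {{ include (print $.Template.BasePath "/notebooks/secret.yaml") . | sha256sum }}`, using the path of the template that renders the `{{ template "renku.notebooks.fullname" . }}` secret. Taking the client secrets out of inline `value:` fields is otherwise the right move, since they no longer show up in `kubectl get statefulset -o yaml`. The container spec continues outside the hunk.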
@@ -110,84 +50,14 @@ spec: value: {{ .Values.notebooks.sentry.sampleRate | quote }} - name: SENTRY_RELEASE value: {{ .Chart.Version | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__ENABLED - value: {{ .Values.notebooks.sessionSentry.gitClone.enabled | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__DSN - value: {{ .Values.notebooks.sessionSentry.gitClone.dsn | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__ENV - value: {{ .Values.notebooks.sessionSentry.gitClone.environment | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__SAMPLE_RATE - value: {{ .Values.notebooks.sessionSentry.gitClone.sampleRate | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENABLED - value: {{ .Values.notebooks.sessionSentry.sidecar.enabled | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__DSN - value: {{ .Values.notebooks.sessionSentry.sidecar.dsn | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENV - value: {{ .Values.notebooks.sessionSentry.sidecar.environment | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__SAMPLE_RATE - value: {{ .Values.notebooks.sessionSentry.sidecar.sampleRate | quote }} - - name: NB_SESSIONS__CA_CERTS__IMAGE - value: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}" - - name: NB_SESSIONS__CA_CERTS__SECRETS - value: | - {{- .Values.global.certificates.customCAs | toYaml | nindent 16 }} - {{- with .Values.notebooks.sessionNodeSelector }} - - name: NB_SESSIONS__NODE_SELECTOR - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - {{- with .Values.notebooks.sessionAffinity }} - - name: NB_SESSIONS__AFFINITY - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - {{- with .Values.notebooks.sessionTolerations }} - - name: NB_SESSIONS__TOLERATIONS - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace {{- include "certificates.env.python" . 
| nindent 12 }} - - name: NB_SESSIONS__ENFORCE_CPU_LIMITS - value: {{ .Values.notebooks.enforceCPULimits | quote }} - - name: NB_CLOUD_STORAGE__ENABLED - value: {{ .Values.notebooks.cloudstorage.enabled | quote }} - - name: NB_CLOUD_STORAGE__STORAGE_CLASS - value: {{ .Values.notebooks.cloudstorage.storageClass | default "csi-rclone" | quote }} - - name: NB_SESSIONS__TERMINATION_WARNING_DURATION_SECONDS - value: {{ .Values.notebooks.sessionAutosave.terminationWarningDurationSeconds | quote }} - - name: NB_VERSION - value: {{ .Values.notebooks.image.tag | quote }} - {{ if .Values.notebooks.sessionsNamespace }} - - name: NB_K8S__SESSIONS_NAMESPACE - value: {{ .Values.notebooks.sessionsNamespace | quote }} - {{ end }} - - name: NB_K8S__RENKU_NAMESPACE - value: {{ .Release.Namespace | quote }} - - name: NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_ID - value: renku - - name: NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET - value: {{ .Values.global.gateway.clientSecret | quote }} - - name: NB_KEYCLOAK_REALM - value: {{ include "renku.keycloak.realm" . | quote }} - - name: NB_SESSIONS__SSH__ENABLED - value: {{ .Values.notebooks.ssh.enabled | quote }} - {{- if not (kindIs "invalid" .Values.notebooks.ssh.hostKeySecret) }} - - name: NB_SESSIONS__SSH__HOST_KEY_SECRET - value: {{ .Values.notebooks.ssh.hostKeySecret | quote }} - {{- end }} - name: NB_DUMMY_STORES value: {{ .Values.notebooks.dummyStores | quote }} - - name: NB_DATA_SERVICE_URL - value: {{ printf "http://%s-data-service/api/data" .Release.Name}} - - name: NB_USER_SECRETS__SECRETS_STORAGE_SERVICE_URL - value: {{ printf "http://%s-secrets-storage" .Release.Name}} - - name: NB_USER_SECRETS__IMAGE - value: "{{ .Values.notebooks.secretsMount.image.repository}}:{{.Values.notebooks.secretsMount.image.tag}}" ports: - name: http containerPort: 8000 diff --git a/helm-chart/renku/templates/search/search-api-deployment.yaml b/helm-chart/renku/templates/search/search-api-deployment.yaml index 55e7182525..48a0050304 100644 
--- a/helm-chart/renku/templates/search/search-api-deployment.yaml +++ b/helm-chart/renku/templates/search/search-api-deployment.yaml @@ -50,6 +50,12 @@ spec: value: "false" - name: "RS_JWT_ALLOWED_ISSUER_URL_PATTERNS" value: "{{ include "renku.keycloakUrl" . }}*/*" + - name: "RS_SENTRY_DSN" + value: {{ .Values.search.sentry.dsn | quote }} + - name: "RS_SENTRY_ENV" + value: {{ .Values.search.sentry.environment | quote }} + - name: "RS_SENTRY_ENABLED" + value: {{ .Values.search.sentry.enabled | quote}} - name: JAVA_OPTS value: "-Xmx{{ .Values.search.searchApi.jvmXmx }} -XX:+UseZGC -XX:+ZGenerational" ports: diff --git a/helm-chart/renku/templates/search/search-provision-deployment.yaml b/helm-chart/renku/templates/search/search-provision-deployment.yaml index 946d6491b5..dcc676d2a6 100644 --- a/helm-chart/renku/templates/search/search-provision-deployment.yaml +++ b/helm-chart/renku/templates/search/search-provision-deployment.yaml @@ -66,6 +66,12 @@ spec: value: "500ms" - name: RS_SOLR_LOG_MESSAGE_BODIES value: "false" + - name: "RS_SENTRY_DSN" + value: {{ .Values.search.sentry.dsn | quote }} + - name: "RS_SENTRY_ENV" + value: {{ .Values.search.sentry.environment | quote }} + - name: "RS_SENTRY_ENABLED" + value: {{ .Values.search.sentry.enabled | quote }} - name: JAVA_OPTS value: "-Xmx{{ .Values.search.searchProvision.jvmXmx }} -XX:+UseZGC -XX:+ZGenerational" ports: diff --git a/helm-chart/renku/templates/secrets-storage/network-policy.yaml b/helm-chart/renku/templates/secrets-storage/network-policy.yaml deleted file mode 100644 index dbd2381cb3..0000000000 --- a/helm-chart/renku/templates/secrets-storage/network-policy.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-secrets-storage -spec: - podSelector: - matchLabels: - app: {{ template "renku.fullname" . }}-secrets-storage - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - # Only allow ingress to secrets storage from notebooks - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http - diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 8c91721c55..1971f576a1 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -63,26 +63,17 @@ spec: - name: DEMO_USER_PASSWORD valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} + name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} key: keycloakDemoUserPassword {{- end }} - name: INTERNAL_GITLAB_ENABLED - value: {{ .Values.gitlab.enabled | toString | lower | quote }} - {{- if .Values.gitlab.enabled }} - - name: INTERNAL_GITLAB_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} - key: gitlabClientInKeycloakSecret - - name: INTERNAL_GITLAB_OIDC_CLIENT_ID - value: "gitlab" - {{- end }} + value: "false" - name: RENKU_KC_CLIENT_ID value: renku - name: RENKU_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: oidcClientSecret - name: RENKU_KC_CLIENT_PUBLIC value: "false" diff --git a/helm-chart/renku/templates/setup-job-network-policy.yaml b/helm-chart/renku/templates/setup-job-network-policy.yaml deleted file mode 100644 index 736a0713da..0000000000 
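Review bot: `INTERNAL_GITLAB_ENABLED` is left as a hard-coded `"false"` although the feature it toggles and the `gitlab.*` values are removed in this release, so the job spec now carries a dead switch. If the realm setup script still branches on the variable, say so next to it, e.g. `# internal GitLab was removed in 0.62.0; keep until the setup script stops reading INTERNAL_GITLAB_ENABLED`; otherwise drop the env entry together with the client-secret block removed just below it. The job's container spec continues outside the hunk.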
--- a/helm-chart/renku/templates/setup-job-network-policy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if not .Values.global.externalServices.postgresql.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-setup-job - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: postgresql - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: postgres-setup - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - ports: - - protocol: TCP - port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - - protocol: TCP - port: 9187 -{{- end }} diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 691f41e396..3acdb83936 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -224,6 +224,11 @@ ingress: # - secretName: chart-example-tls # hosts: # - example.local +networkPolicies: + ## List of podSelector terms for pods in the release namespace that should be allowed all ingress to all services + allowAllIngressFromPods: [] + ## List of namespaces that should be allowed all ingress to all services + allowAllIngressFromNamespaces: [] ## Keycloak configuration keycloakx: ## Spawn a keycloak instance 
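Review bot: The comments on `allowAllIngressFromPods` and `allowAllIngressFromNamespaces` do not say how an entry is matched or how broad the grant is, which matters because both lists open every service in the release namespace. Presumably the pod entries are `podSelector` terms (`matchLabels`/`matchExpressions`) and the namespace entries are names matched through the `kubernetes.io/metadata.name` label, but the template that consumes them is not in this diff, so that should be confirmed and stated, e.g. `## Each entry is a podSelector (matchLabels/matchExpressions); matched pods get ingress to every service in this namespace, so keep the list minimal.` A one-line example entry under each key would also help operators get the shape right on the first attempt.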
@@ -508,153 +513,13 @@ solr: size: 8Gi zookeeper: enabled: false -## Gitlab configuration -gitlab: - ## Spawn a gitlab instance - enabled: true - ## Password for the `root` user - password: gitlabadmin - ## Gitlab image - image: - # pullPolicy: IfNotPresent - repository: gitlab/gitlab-ce - # Check out the gitlab docs on upgrading versions before changing the image tag. - # https://docs.gitlab.com/ee/update/#upgrade-paths - # in particular major versions https://docs.gitlab.com/ce/update/#upgrading-to-a-new-major-version - tag: 14.10.5-ce.0 - ## automatically log in to gitlab - oauth: - autoSignIn: true - ## Pod affinity for Gitlab deployment - # affinity: {} - ## Node selector for Gitlab deployment - # nodeSelector: {} - ## Pod tolerations for Gitlab deployment - # tolerations: [] - - ## Resource requests/limits for Gitlab - # resources: {} - - ## Registration token for gitlab runners (initial value, can be regenerated from gitlab admin ui) - ## Generated using: `openssl rand -hex 32` - sharedRunnersRegistrationToken: - ## Set to true to make the user 'demo' a GitLab admin - demoUserIsAdmin: false - ## External port for git ssh protocol - ## This setting affects the copy-paste repo git+ssh URL - # sshPort: 22 - - ## LFS objects settings - ## Used to store git-lfs objects externally - ## Note: bucket must exist before use, GitLab won't do it - ## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage - # lfsObjects: - ## Set to true to enable remote LFS objects - # enabled: false - ## Bucket name - # bucketName: lfs-objects - # directUpload: false - # backgroundUpload: true - # proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 
'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - - ## Persistent Volume settings - persistence: - # accessMode: ReadWriteOnce - size: 30Gi - ## Mount points for the PV - ## Setup according to the volumes declared in the Gitlab image - # gitlab_data: - # subPath: data - # mountPath: /var/opt/gitlab - # gitlab_config: - # subPath: config - # mountPath: /etc/gitlab - # gitlab_logs: - # subPath: logs - # mountPath: /var/log/gitlab - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - ## Set to false to disable the use of Persistent Volume - ## The databases will be lost when the pod is terminated! - # enabled: true - - ## Service configuration for Gitlab - ## Modify service.type according to your setup - # service: - # port: 80 - # type: ClusterIP - - ## Container image registry settings - registry: - ## Set to true to enable Gitlab registry - enabled: false - ## The URL to access the registry - # externalUrl: - ## Set `exposedAs` to "NodePort" when deploying on minikube - ## Set `exposedAs` to "Ingress" to expose the registry on an alternate domain. 
- # exposedAs: NodePort - ## Storage driver configuration for the registry - ## See: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-driver - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - ## Registry ingress, when `exposedAs` is set to "Ingress" - ## Uses conventional settings for ingress - ## Find below an example of values - # ingress: - # annotations: - # cert-manager.io/cluster-issuer: letsencrypt-production - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-body-size: '0' - # hosts: - # - registry.example.com - # tls: - # - hosts: - # - registry.example.com - # secretName: registry-tls - ## Add some extra configuration to gitlab.rb - # extraConfig: | - # ## Fix number of unicorn workers - # unicorn['worker_processes'] = 7 -# ## Fix something else -# ... - ## Configuration for the UI service ui: client: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.37.1" + tag: "3.42.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -843,7 +708,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.37.1" + tag: "3.42.0" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" @@ -983,7 +848,7 @@ notebooks: targetCPUUtilizationPercentage: 50 image: repository: renku/renku-notebooks - tag: "1.26.2" + tag: "1.27.1" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -1012,6 +877,7 @@ notebooks: ## If left null then sessions will be launched in the same namespace ## as where the chart is installed. sessionsNamespace: + bypassCacheOnFailure: false sessionAutosave: ## Any file higher than the minimum will be added to LFS minimumLFSFileSizeBytes: 1000000 
@@ -1101,15 +967,15 @@ notebooks: gitRpcServer: image: name: renku/git-rpc-server - tag: "1.26.2" + tag: "1.27.1" gitHttpsProxy: image: name: renku/git-https-proxy - tag: "1.26.2" + tag: "1.27.1" gitClone: image: name: renku/git-clone - tag: "1.26.2" + tag: "1.27.1" service: type: ClusterIP port: 80 @@ -1162,12 +1028,12 @@ notebooks: sessionTypes: ["registered"] image: repository: renku/renku-notebooks-tests - tag: "1.26.2" + tag: "1.27.1" pullPolicy: IfNotPresent k8sWatcher: image: repository: renku/k8s-watcher - tag: "1.26.2" + tag: "1.27.1" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1179,12 +1045,12 @@ notebooks: secretsMount: image: repository: renku/secrets-mount - tag: "1.26.2" + tag: "1.27.1" ssh: enabled: false image: repository: renku/ssh-jump-host - tag: "1.26.2" + tag: "1.27.1" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1265,13 +1131,22 @@ gateway: ## average rate units are requests per second average: 20 burst: 100 + ## How long a session will be kept alive if it is idle. + ## If set to 0 then there is no TTL. + ## If not set, defaults to 14400 (4 hours). + idleSessionTTLSeconds: + ## The maximum duration a session can be kept alive. + ## If set to 0 then there is no TTL. + ## If this value is set to a value other than 0 then it must be greater than idleSessionTTLSeconds. + ## If not set, defaults to 86400 (24 hours). + maxSessionTTLSeconds: ## For production deployment, you will need to define the secret key. ## This is a random string, used for cryptographic operations on cookies and sensitive information. ## Use `openssl rand -hex 32`. secretKey: image: repository: renku/renku-gateway - tag: "1.1.0" + tag: "1.3.1" pullPolicy: IfNotPresent service: type: ClusterIP 
@@ -1298,6 +1173,8 @@ gateway: # dedicated GitLab instance is deployed, so, logging out from Renku should # trigger a logout from GitLab. logoutGitLabUponRenkuLogout: true + # Turns on debug logs from the gateway + debug: false # sentry configuration sentry: enabled: false @@ -1360,11 +1237,15 @@ jena: enabled: false ## Configuration for renku-search services search: + sentry: + enabled: false + dsn: + environment: searchApi: replicas: 1 image: repository: renku/search-api - tag: "0.6.2" + tag: "0.7.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1377,7 +1258,7 @@ search: replicas: 1 image: repository: renku/search-provision - tag: "0.6.2" + tag: "0.7.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1578,14 +1459,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.22.0" + tag: "0.27.1" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.22.0" + tag: "0.27.1" pullPolicy: IfNotPresent total: resources: {} @@ -1638,7 +1519,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.22.0" + tag: "0.27.1" pullPolicy: IfNotPresent service: type: ClusterIP diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index bb7064242f..3fd436c08b 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,27 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.62.0 + +* DELETE ``gitlab.*`` - all values related to the bundled GitLab have been removed. GitLab must from now on be provided as an external service and is no longer supplied as a part of the Renku Helm chart. +* NEW `search.sentry.environment|dsn|enabled` to set the sentry environment for the search services + +## Upgrading to Renku 0.61.0 + +* NEW ``networkPolicies.allowAllIngressFromPods`` specify pod selectors that will allow the selected pods to access all other services in the Renku release namespace. +* NEW ``networkPolicies.allowAllIngressFromNamespaces`` specify a list of namespaces that should be allowed to access all other services in the Renku release namespace. + +## Upgrading to Renku 0.60.0 + +* NEW ``gateway.idleSessionTTLSeconds`` to set the session idle TTL in seconds. +* NEW ``gateway.maxSessionTTLSeconds`` to set the session max TTL in seconds. +* NEW ``gateway.debug`` to enable debug logs from the gateway. + +## Upgrading to Renku 0.59.1 + +* NEW ``notebooks.bypassCacheOnFailure`` has been added. Setting this to false prevents renku-notebooks to call + the k8s api directly if its k8s cache has issues or is not running. + ## Upgrading to Renku 0.57.0 * DELETE ``gateway.image.auth`` has been removed. @@ -62,7 +83,7 @@ New (either `running`, `finished` or `errored`) for the overall state of the rotation. Please make sure to unset `secretServicePreviousPrivateKey` once rotation is finished as a matter of best practice. - NOTE: Make sure that you do not redeploy or rollback the Renku Helm chart while a key rotation is underway. Even if the + NOTE: Make sure that you do not redeploy or rollback the Renku Helm chart while a key rotation is underway. Even if the deployment is broken it is best to wait for the key rotation to finish before attempting another deployment or a rollback. ## Upgrading to Renku 0.53.0 
diff --git a/scripts/generate-values/base-renku-values.yaml.template b/scripts/generate-values/base-renku-values.yaml.template index 731296e5b5..d78ac6d1b9 100644 --- a/scripts/generate-values/base-renku-values.yaml.template +++ b/scripts/generate-values/base-renku-values.yaml.template @@ -18,29 +18,9 @@ global: useHTTPS: true gateway: secretKey: -gitlab: - enabled: false - password: - sharedRunnersRegistrationToken: - lfsObjects: - enabled: false - connection: {{}} - registry: - enabled: false - externalUrl: https://registry.{renku_domain} - storage: {{}} - ingress: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/proxy-body-size: '0' - hosts: - - {gitlab_registry} - tls: - - hosts: - - {gitlab_registry} - secretName: registry-tls graph: + gitlab: + url: {gitlab_url} tokenRepository: tokenEncryption: secret: @@ -60,13 +40,11 @@ ingress: - hosts: - {renku_domain} secretName: {namespace}-renku-ch-tls -jena: - users: - admin: - password: - renku: - password: notebooks: + gitlab: + registry: + host: {gitlab_registry} + url: {gitlab_url} oidc: allowUnverifiedEmail: true authUrl: https://{renku_domain}/auth/realms/Renku/protocol/openid-connect/auth diff --git a/scripts/init-db/Dockerfile b/scripts/init-db/Dockerfile index fb2b22deb4..e194593dd5 100644 --- a/scripts/init-db/Dockerfile +++ b/scripts/init-db/Dockerfile @@ -1,6 +1,7 @@ FROM python:3.11-slim-bullseye RUN apt-get update && apt-get install -y \ + postgresql-client \ tini && \ rm -rf /var/lib/apt/lists/* COPY . . diff --git a/scripts/init-db/generate_ulid_func.sql b/scripts/init-db/generate_ulid_func.sql new file mode 100644 index 0000000000..90b2aa8305 --- /dev/null +++ b/scripts/init-db/generate_ulid_func.sql 
@@ -0,0 +1,83 @@ +-- From https://github.com/geckoboard/pgulid/blob/master/pgulid.sql +-- Taken at commit sha b265253 +-- pgulid is based on OK Log's Go implementation of the ULID spec +-- +-- https://github.com/oklog/ulid +-- https://github.com/ulid/spec +-- +-- Copyright 2016 The Oklog Authors +-- Licensed under the Apache License, Version 2.0 (the "License"); +-- you may not use this file except in compliance with the License. +-- You may obtain a copy of the License at +-- +-- http://www.apache.org/licenses/LICENSE-2.0 +-- +-- Unless required by applicable law or agreed to in writing, software +-- distributed under the License is distributed on an "AS IS" BASIS, +-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +-- See the License for the specific language governing permissions and +-- limitations under the License. + +CREATE EXTENSION IF NOT EXISTS pgcrypto; + +-- NOTE: REPLACE will error if you change the name, args or return type of the function +-- There is no CREATE IF EXISTS, this is the closest thing that gives similar functionality +CREATE OR REPLACE FUNCTION generate_ulid() +RETURNS TEXT +AS $$ +DECLARE + -- Crockford's Base32 + encoding BYTEA = '0123456789ABCDEFGHJKMNPQRSTVWXYZ'; + timestamp BYTEA = E'\\000\\000\\000\\000\\000\\000'; + output TEXT = ''; + + unix_time BIGINT; + ulid BYTEA; +BEGIN + -- 6 timestamp bytes + unix_time = (EXTRACT(EPOCH FROM CLOCK_TIMESTAMP()) * 1000)::BIGINT; + timestamp = SET_BYTE(timestamp, 0, (unix_time >> 40)::BIT(8)::INTEGER); + timestamp = SET_BYTE(timestamp, 1, (unix_time >> 32)::BIT(8)::INTEGER); + timestamp = SET_BYTE(timestamp, 2, (unix_time >> 24)::BIT(8)::INTEGER); + timestamp = SET_BYTE(timestamp, 3, (unix_time >> 16)::BIT(8)::INTEGER); + timestamp = SET_BYTE(timestamp, 4, (unix_time >> 8)::BIT(8)::INTEGER); + timestamp = SET_BYTE(timestamp, 5, unix_time::BIT(8)::INTEGER); + + -- 10 entropy bytes + ulid = timestamp || gen_random_bytes(10); + + -- Encode the timestamp + output = output 
|| CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 0) & 224) >> 5)); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 0) & 31))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 1) & 248) >> 3)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 1) & 7) << 2) | ((GET_BYTE(ulid, 2) & 192) >> 6))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 2) & 62) >> 1)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 2) & 1) << 4) | ((GET_BYTE(ulid, 3) & 240) >> 4))); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 3) & 15) << 1) | ((GET_BYTE(ulid, 4) & 128) >> 7))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 4) & 124) >> 2)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 4) & 3) << 3) | ((GET_BYTE(ulid, 5) & 224) >> 5))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 5) & 31))); + + -- Encode the entropy + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 6) & 248) >> 3)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 6) & 7) << 2) | ((GET_BYTE(ulid, 7) & 192) >> 6))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 7) & 62) >> 1)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 7) & 1) << 4) | ((GET_BYTE(ulid, 8) & 240) >> 4))); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 8) & 15) << 1) | ((GET_BYTE(ulid, 9) & 128) >> 7))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 9) & 124) >> 2)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 9) & 3) << 3) | ((GET_BYTE(ulid, 10) & 224) >> 5))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 10) & 31))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 11) & 248) >> 3)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 11) & 7) << 2) | ((GET_BYTE(ulid, 12) & 192) >> 6))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 12) & 62) >> 1)); + output = output || CHR(GET_BYTE(encoding, 
((GET_BYTE(ulid, 12) & 1) << 4) | ((GET_BYTE(ulid, 13) & 240) >> 4))); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 13) & 15) << 1) | ((GET_BYTE(ulid, 14) & 128) >> 7))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 14) & 124) >> 2)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 14) & 3) << 3) | ((GET_BYTE(ulid, 15) & 224) >> 5))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 15) & 31))); + + RETURN output; +END +$$ +LANGUAGE plpgsql +VOLATILE; diff --git a/scripts/init-db/renku_db_init.py b/scripts/init-db/renku_db_init.py index e4789b38e0..0e2bfc31c0 100644 --- a/scripts/init-db/renku_db_init.py +++ b/scripts/init-db/renku_db_init.py @@ -3,7 +3,7 @@ from dataclasses import dataclass, field from queries import DatabaseInit -from utils import get_db_connection +from utils import create_ulid_func, get_db_connection logging.basicConfig(level=logging.INFO) @@ -132,7 +132,7 @@ def main(): config.renku_db_name, config.renku_db_password, postgres_db_connection, - ["pg_trgm"], + ["pg_trgm", "pgcrypto"], config.db_admin_username, ) db_init.create_database() @@ -147,6 +147,7 @@ def main(): renku_conn.set_session(autocommit=True) db_init.set_connection(renku_conn) db_init.set_extensions_and_roles() + create_ulid_func(config.db_admin_username, config.db_admin_password, config.renku_db_name, config.db_host, config.db_port) if __name__ == "__main__": diff --git a/scripts/init-db/utils.py b/scripts/init-db/utils.py index 10355b8877..ffb09e8e5f 100644 --- a/scripts/init-db/utils.py +++ b/scripts/init-db/utils.py @@ -1,4 +1,5 @@ import logging +from subprocess import STDOUT, check_output import requests 
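Review bot: The new `create_ulid_func` call runs with `config.db_admin_username`/`config.db_admin_password`, so `generate_ulid()` is owned by the admin role inside the renku database and a later `CREATE OR REPLACE FUNCTION` issued by the application role would be refused as a non-owner; if the application role is meant to own its schema objects, create the function as that role or follow up with `ALTER FUNCTION generate_ulid() OWNER TO <renku role>`. A connection (`renku_conn`) is already open at this point; if it is opened as the admin, executing the file through it (`cur.execute(Path(__file__).with_name("generate_ulid_func.sql").read_text())`) would avoid spawning `psql` with a second copy of the admin password in a child environment and make the new `postgresql-client` package unnecessary. `pgcrypto` is also added to the extension list here while the SQL file repeats `CREATE EXTENSION IF NOT EXISTS pgcrypto`, so one of the two is redundant. `main()` continues outside the hunk.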
@@ -36,3 +37,12 @@ def gitlab_is_online(url: str) -> int:
 f"Gitlab is not available at {url}, status code is {res.status_code}"
 )
 return res.status_code
+
+
+def create_ulid_func(username: str, password: str, db_name: str, host: str, port: int):
+ output = check_output(
+ ["psql", "-U", username, "-d", db_name, "-h", host, "-p", str(port), "-f", "generate_ulid_func.sql"],
+ stderr=STDOUT,
+ env={"PGPASSWORD": password},
+ ).decode("utf-8")
+ logging.info(f"Created the ulid generation function:\n{output}")
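Review bot: `psql -f` exits 0 when a statement in the file fails unless `ON_ERROR_STOP` is set, so a broken `CREATE FUNCTION` (missing pgcrypto, permission denied) would not raise `CalledProcessError` and the log line would still announce success; use `["psql", "-X", "-v", "ON_ERROR_STOP=1", "-U", username, ...]` (`-X` also keeps a stray `~/.psqlrc` out of an init job). The script path `"generate_ulid_func.sql"` is resolved against the current working directory; `str(Path(__file__).with_name("generate_ulid_func.sql"))` keeps it working wherever the job is started from. Passing the password through `PGPASSWORD` rather than on the command line is right, since it stays out of `ps` and out of the `CalledProcessError` args, but the replacement `env` drops `PATH`, so `psql` is found only via the executable lookup's default path; `env={**os.environ, "PGPASSWORD": password}` makes that explicit.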