From 479a2da405699b639e610270dc230015f13fe752 Mon Sep 17 00:00:00 2001 From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Tue, 22 Oct 2024 10:48:30 +0200 Subject: [PATCH 01/12] release 0.59.0 (#3778) * chore: create release 0.59.0 * feat: bump renku-gateway to 1.2.0 (#3808) Add support for signing cookie in the gateway. * refactor: use cy.session for anonymous user checks (#3802) Remove the `logout()` command and use `cy.session()` instead. This makes the tests less flaky. * feat: update renku-ui to 3.38.0 (#3815) * feat!:add support for data connectors in Renku 2.0 (#3793) Closes #3751. Add support for data connectors in Renku 2.0. * fix: update permission checks in Renku 2.0 (#3819) See: https://github.com/SwissDataScienceCenter/renku-ui/issues/3350. Fixes permission check in the Renku 2.0 UI. Notably, group owners can update projects in the group even if they are not direct project members. * fix: bump renku-ui to 3.40.1 (#3821) Fixes a bug with data connectors where typing a slug would not be taken into account and using uppercase letter in the name would cause issues. * fix changelog versions --------- Co-authored-by: Flora Thiebaut Co-authored-by: Andrea Cordoba <43388408+andre-code@users.noreply.github.com> Co-authored-by: Ralf Grubenmann --- CHANGELOG.rst | 60 +++++++++++++++++++ .../cypress/e2e/privateProject.cy.ts | 17 ++++-- cypress-tests/cypress/e2e/publicProject.cy.ts | 6 +- cypress-tests/cypress/e2e/useSession.cy.ts | 2 +- .../cypress/support/commands/login.ts | 23 +++---- .../gateway/deployment-revproxy.yaml | 10 ++++ helm-chart/renku/values.yaml | 28 ++++----- 7 files changed, 107 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 5e8eac694c..afb87fedf5 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,65 @@ .. _changelog: +0.59.0 +------ + +Renku ``0.59.0`` introduces the ability to reuse data connectors in multiple projects! +When you add a data connector (previously called a data source) to your project, you now have the new option to select other data connectors on RenkuLab, +for example those shared in your group, rather than having to re-enter the data connection details. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Add and re-use data connectors in Renku 2.0 projects (`#3323 `__). + +**✨ Improvements** + +- **UI**: Add a playful design for the 404 and application error pages (`#3248 `__). +- **UI**: Update redirect page styles (`#3257 `__). +- **UI**: Remove Renku 2.0 beta warning alert from dashboard (`#3357 `__). + +**🐞 Bug Fixes** + +- **UI**: Fix how permissions are checked in Renku 2.0, notably group members can perform actions according to their role in projects. (`#3351 `__). +- **UI**: Fix styles for the edit launcher environment list (`#3360 `__). +- **UI**: Allow opening a project from Renku 2.0 search if the namespace is missing in the result (`#3353 `__). +- **UI**: Fix update file and download buttons in Renku 1.0 (`#3363 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**New Features** + +- **Data services**: Add support for data connectors (`#407 `__). +- **Data services**: Do not synchronize blocked users from Keycloak (`#393 `__). +- **Data services**: Support getting permissions (`#454 `__). +- **Notebooks**: Add support for data connectors (`#1991 `__). +- **Notebooks**: Cache Amalthea sessions (`#1983 `__). + +**Improvements** + +- **Data services**: Handle errors in background jobs nicely (`#463 `__). +- **Gateway**: Add support for signing cookies (`#734 `__). + +**Bug Fixes** + +- **Data services**: Treat invalid JWT as 401 HTTP error. +- **Data services**: Change user preferences id sequence to proper value. 
+ +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.23.0 `__ +- `renku-data-services 0.24.0 `__ +- `renku-gateway 1.2.0 `_ +- `renku-notebooks 1.27.0 `_ +- `renku-ui 3.38.0 `_ +- `renku-ui 3.39.0 `_ +- `renku-ui 3.40.0 `_ +- `renku-ui 3.40.1 `_ + 0.58.1 ------ diff --git a/cypress-tests/cypress/e2e/privateProject.cy.ts b/cypress-tests/cypress/e2e/privateProject.cy.ts index 19e5ba1b9b..d62b67468e 100644 --- a/cypress-tests/cypress/e2e/privateProject.cy.ts +++ b/cypress-tests/cypress/e2e/privateProject.cy.ts @@ -38,7 +38,11 @@ describe("Basic public project functionality", () => { }, validateLogin ); - cy.createProjectIfMissing({templateName: "Python", ...projectIdentifier, visibility: "private"}); + cy.createProjectIfMissing({ + templateName: "Python", + ...projectIdentifier, + visibility: "private", + }); cy.visitAndLoadProject(projectIdentifier); }); @@ -50,11 +54,11 @@ describe("Basic public project functionality", () => { .should("be.checked"); cy.searchForProject(projectIdentifier, true); - // logout and search for the project and log back in - cy.logout(); + // Check as an anonymous user + cy.session(["anonymous", getRandomString()], () => {}); + cy.visit("/"); cy.get("#nav-hamburger").should("be.visible").click(); cy.searchForProject(projectIdentifier, false); - cy.robustLogin(); }); it("Can always search for project after changing the visibility", () => { @@ -86,10 +90,11 @@ describe("Basic public project functionality", () => { // Search the project as both logged in and logged out. cy.searchForProject(projectIdentifier, true); - cy.logout(); + // Check as an anonymous user + cy.session(["anonymous", getRandomString()], () => {}); + cy.visit("/"); cy.get("#nav-hamburger").should("be.visible").click(); cy.searchForProject(projectIdentifier, false); - cy.robustLogin(); }); it("Deleting the project removes it from the search page", () => { 
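Review bot: The three-line anonymous-check sequence (`cy.session(["anonymous", getRandomString()], () => {});`, `cy.visit("/");`, then the `#nav-hamburger` click) is now pasted verbatim into both hunks of this file and again into publicProject.cy.ts, in place of the removed `cy.logout()` command; a single custom command such as `cy.anonymousSession()` registered next to `renkuLogin` would keep the meaning of "anonymous" in one place. The random key defeats `cy.session` caching, so each call relies on Cypress clearing cookies and storage before running the empty setup callback, and that fresh unauthenticated state is what the `cy.searchForProject(projectIdentifier, false)` assertion for the private project depends on; a comment stating that intent would help the next reader. `getRandomString` is not imported within these hunks, so confirm the file brings it into scope. Each enclosing `it(...)` callback starts before its hunk.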
diff --git a/cypress-tests/cypress/e2e/publicProject.cy.ts b/cypress-tests/cypress/e2e/publicProject.cy.ts index a0a78b206b..e8ad88cd34 100644 --- a/cypress-tests/cypress/e2e/publicProject.cy.ts +++ b/cypress-tests/cypress/e2e/publicProject.cy.ts @@ -48,11 +48,11 @@ describe("Basic public project functionality", () => { cy.waitMetadataIndexing(); cy.searchForProject(projectIdentifier); - // logout and search for the project and log back in - cy.logout(); + // Check as an anonymous user + cy.session(["anonymous", getRandomString()], () => {}); + cy.visit("/"); cy.get("#nav-hamburger").should("be.visible").click(); cy.searchForProject(projectIdentifier); - cy.robustLogin(); }); it("Can see overview content and check the clone URLs", () => { diff --git a/cypress-tests/cypress/e2e/useSession.cy.ts b/cypress-tests/cypress/e2e/useSession.cy.ts index 22b22d712c..30d7662e7d 100644 --- a/cypress-tests/cypress/e2e/useSession.cy.ts +++ b/cypress-tests/cypress/e2e/useSession.cy.ts @@ -167,7 +167,7 @@ describe("Basic public project functionality", () => { it("Start a new session as anonymous user.", () => { // Do not re-use the logged-in session - cy.session("anonymous", () => {}); + cy.session(["anonymous", getRandomString()], () => {}); // Log out and go to the project again cy.visit("/"); diff --git a/cypress-tests/cypress/support/commands/login.ts b/cypress-tests/cypress/support/commands/login.ts index 087d123d55..c31d9e2613 100644 --- a/cypress-tests/cypress/support/commands/login.ts +++ b/cypress-tests/cypress/support/commands/login.ts 
@@ -1,9 +1,11 @@ const renkuLogin = (credentials: { username: string; password: string }[]) => { - cy.wrap(credentials, { log: false }).each((credential: {password: string, username: string}) => { - cy.get("#username").type(credential.username); - cy.get("#password").type(credential.password, { log: false }); - cy.get("#kc-login").click() - }) + cy.wrap(credentials, { log: false }).each( + (credential: { password: string; username: string }) => { + cy.get("#username").type(credential.username); + cy.get("#password").type(credential.password, { log: false }); + cy.get("#kc-login").click(); + } + ); cy.url().then((url) => { const parsedUrl = new URL(url); if ( @@ -93,7 +95,7 @@ function registerAndVerify(props: RegisterAndVerifyProps) { expect(["/", ""]).to.include(loc.pathname); expect(loc.search).to.eq(""); expect(loc.hostname).to.eq(baseURL.hostname); - }) + }); cy.get("header").should("be.visible"); cy.get("footer").should("be.visible"); // If we send a request to the user endpoint on Gitlab too quickly after we log in then @@ -137,15 +139,7 @@ function robustLogin(props?: RobustLoginProps) { ); } -function logout() { - cy.get("#profile-dropdown").should("be.visible").click(); - cy.get("#logout-link").should("be.visible").click(); - // Make sure we fully log out - cy.wait(15_000); -} - export default function registerLoginCommands() { - Cypress.Commands.add("logout", logout); Cypress.Commands.add("renkuLogin", renkuLogin); Cypress.Commands.add("register", register); Cypress.Commands.add("registerAndVerify", registerAndVerify); @@ -156,7 +150,6 @@ declare global { // eslint-disable-next-line @typescript-eslint/no-namespace namespace Cypress { interface Chainable { - logout(); renkuLogin(credentials: { username: string; password: string }[]); register( email: string, diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index 3fc1b30214..a16e20590f 100644 
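Review bot: Deleting `logout()` removes the only visible test path that clicks `#logout-link`, so unless another spec still exercises it, the logout flow (which this release also touches by moving the gateway to signed session cookies) is no longer covered end to end. Rather than dropping the command, consider keeping it for one dedicated spec that asserts `#profile-dropdown` is absent after logout and that a following `cy.visit("/")` shows the anonymous navigation, which also replaces the old fixed `cy.wait(15_000)` with a real condition. The first hunk only reformats `renkuLogin`; it already passes `{ log: false }` when typing the password, and its body continues past the hunk.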
--- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml @@ -56,6 +56,16 @@ spec: secretKeyRef: name: {{ .Values.global.redis.existingSecret }} key: {{ .Values.global.redis.existingSecretPasswordKey }} + - name: GATEWAY_SESSIONS_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_SESSIONS_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET valueFrom: secretKeyRef: diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 8a75fb54b8..ce5033349d 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -654,7 +654,7 @@ ui: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.37.1" + tag: "3.40.1" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -843,7 +843,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.37.1" + tag: "3.40.1" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" @@ -983,7 +983,7 @@ notebooks: targetCPUUtilizationPercentage: 50 image: repository: renku/renku-notebooks - tag: "1.26.2" + tag: "1.27.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -1101,15 +1101,15 @@ notebooks: gitRpcServer: image: name: renku/git-rpc-server - tag: "1.26.2" + tag: "1.27.0" gitHttpsProxy: image: name: renku/git-https-proxy - tag: "1.26.2" + tag: "1.27.0" gitClone: image: name: renku/git-clone - tag: "1.26.2" + tag: "1.27.0" service: type: ClusterIP port: 80 
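Review bot: The two new `secretKeyRef` entries require the keys `cookieEncodingKey` and `cookieHashKey` in the `<release>-gateway` secret, but this patch touches no secret template and adds no `values.yaml.changelog.md` entry (the diffstat lists only the CHANGELOG, the cypress files and values.yaml), so a deployment whose gateway secret lacks those keys will fail to start the revproxy pod. Failing hard is the right behaviour for signing keys (no `optional: true`), but it must be documented: add an `## Upgrading to Renku 0.59.0` entry in `helm-chart/values.yaml.changelog.md` naming both keys and how they are generated, or confirm that the gateway secret template already populates them outside this patch. Whatever generates them should use a cryptographically secure random source, as the existing `secretKey` comment in values.yaml already prescribes for that key.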
@@ -1162,12 +1162,12 @@ notebooks: sessionTypes: ["registered"] image: repository: renku/renku-notebooks-tests - tag: "1.26.2" + tag: "1.27.0" pullPolicy: IfNotPresent k8sWatcher: image: repository: renku/k8s-watcher - tag: "1.26.2" + tag: "1.27.0" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1179,12 +1179,12 @@ notebooks: secretsMount: image: repository: renku/secrets-mount - tag: "1.26.2" + tag: "1.27.0" ssh: enabled: false image: repository: renku/ssh-jump-host - tag: "1.26.2" + tag: "1.27.0" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1271,7 +1271,7 @@ gateway: secretKey: image: repository: renku/renku-gateway - tag: "1.1.0" + tag: "1.2.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1578,14 +1578,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.22.0" + tag: "0.24.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.22.0" + tag: "0.24.0" pullPolicy: IfNotPresent total: resources: {} @@ -1638,7 +1638,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.22.0" + tag: "0.24.0" pullPolicy: IfNotPresent service: type: ClusterIP From ba04c4e329c0c832a60559154549338ecea1daa8 Mon Sep 17 00:00:00 2001 From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Thu, 24 Oct 2024 16:08:05 +0200 Subject: [PATCH 02/12] release 0.59.1 (#3823) * chore: create release 0.59.1 * notebooks release 1.27.1 (#3822) --------- Co-authored-by: Ralf Grubenmann --- CHANGELOG.rst | 17 +++++++++++++++++ docs/spelling_wordlist.txt | 1 + .../renku/templates/notebooks/statefulset.yaml | 2 ++ helm-chart/renku/values.yaml | 17 +++++++++-------- helm-chart/values.yaml.changelog.md | 5 +++++ 5 files changed, 34 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index afb87fedf5..f5ea1ede88 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,22 @@ .. _changelog: +0.59.1 +------ + +Renku ``0.59.1`` is a bugfix release that improves stability and performance with renku notebooks when under heavy load. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Notebooks**: Use gevent methods in notebooks api (`#1996 `__). + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-notebooks 1.27.1 `_ + 0.59.0 ------ diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 0b4a298299..c180ea1dee 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -98,6 +98,7 @@ findable Fortran Frontend gapped +gevent git-lfs githooks github diff --git a/helm-chart/renku/templates/notebooks/statefulset.yaml b/helm-chart/renku/templates/notebooks/statefulset.yaml index f800651ec3..a8de45596e 100644 --- a/helm-chart/renku/templates/notebooks/statefulset.yaml +++ b/helm-chart/renku/templates/notebooks/statefulset.yaml @@ -166,6 +166,8 @@ spec: - name: NB_K8S__SESSIONS_NAMESPACE value: {{ .Values.notebooks.sessionsNamespace | quote }} {{ end }} + - name: NB_K8S__BYPASS_CACHE_ON_FAILURE + value: {{ .Values.notebooks.bypassCacheOnFailure | quote }} - name: NB_K8S__RENKU_NAMESPACE value: {{ .Release.Namespace | quote }} - name: NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_ID diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index ce5033349d..2d5769a9ad 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -983,7 +983,7 @@ notebooks: targetCPUUtilizationPercentage: 50 image: repository: renku/renku-notebooks - tag: "1.27.0" + tag: "1.27.1" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. 
@@ -1012,6 +1012,7 @@ notebooks: ## If left null then sessions will be launched in the same namespace ## as where the chart is installed. sessionsNamespace: + bypassCacheOnFailure: false sessionAutosave: ## Any file higher than the minimum will be added to LFS minimumLFSFileSizeBytes: 1000000 @@ -1101,15 +1102,15 @@ notebooks: gitRpcServer: image: name: renku/git-rpc-server - tag: "1.27.0" + tag: "1.27.1" gitHttpsProxy: image: name: renku/git-https-proxy - tag: "1.27.0" + tag: "1.27.1" gitClone: image: name: renku/git-clone - tag: "1.27.0" + tag: "1.27.1" service: type: ClusterIP port: 80 @@ -1162,12 +1163,12 @@ notebooks: sessionTypes: ["registered"] image: repository: renku/renku-notebooks-tests - tag: "1.27.0" + tag: "1.27.1" pullPolicy: IfNotPresent k8sWatcher: image: repository: renku/k8s-watcher - tag: "1.27.0" + tag: "1.27.1" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1179,12 +1180,12 @@ notebooks: secretsMount: image: repository: renku/secrets-mount - tag: "1.27.0" + tag: "1.27.1" ssh: enabled: false image: repository: renku/ssh-jump-host - tag: "1.27.0" + tag: "1.27.1" pullPolicy: IfNotPresent resources: {} replicaCount: 1 diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index bb7064242f..756465bed9 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,11 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
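Review bot: `bypassCacheOnFailure: false` is added without the `##` comment that the neighbouring keys carry, while `statefulset.yaml` in this same commit renders it unconditionally as `NB_K8S__BYPASS_CACHE_ON_FAILURE` via `{{ .Values.notebooks.bypassCacheOnFailure | quote }}`, so the chart itself never tells an operator what enabling it does. Suggested comment above the key, taken from the values changelog in this commit: `## When true, renku-notebooks may call the k8s API directly if its k8s cache` / `## has issues or is not running. Defaults to false.` Note also that `| quote` turns a null override into `""`, which may not parse as a boolean on the service side; a `default false` in the template, or a comment stating the value must be a boolean, would close that gap.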
` +## Upgrading to Renku 0.59.1 + +* NEW ``notebooks.bypassCacheOnFailure`` has been added. Setting this to false prevents renku-notebooks to call + the k8s api directly if its k8s cache has issues or is not running. + ## Upgrading to Renku 0.57.0 * DELETE ``gateway.image.auth`` has been removed. From 92e30db3eafb0efa51d24f914ac783fff6f5e9f6 Mon Sep 17 00:00:00 2001 From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Mon, 28 Oct 2024 14:35:24 +0100 Subject: [PATCH 03/12] release 0.59.2 (#3824) * chore: create release 0.59.2 * fix: bump data-services to 0.24.2 (#3825) Fixes an issue where project editors could not edit projects in Renku 2.0 (from the "General Settings" form). --------- Co-authored-by: Flora Thiebaut --- CHANGELOG.rst | 31 +++++++++++++++++++++++++++++++ helm-chart/renku/values.yaml | 6 +++--- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f5ea1ede88..da523aa781 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,5 +1,36 @@ .. _changelog: +0.59.2 +------ + +Renku ``0.59.2`` is a bugfix release that fixes a bug in Renku 2.0 where project editors could not edit project information. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Data services**: Allow project editors to send patches with the current namespace (`#483 `__). +- **Data services**: Allow project editors to send patches with the current visibility (`#484 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Data services**: Return 409 error when creating a project with a conflicting slug (`#471 `__). +- **Data services**: Change all serial id columns to be GENERATED AS IDENTITY (`#461 `__). +- **Data services**: Include ``is_admin`` in the self ``/user`` endpoint (`#472 `__). + +**Bug Fixes** + +- **Data services**: Handle spaces in ``provider_id`` for connected services (`#482 `__). + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.24.2 `__ + 0.59.1 ------ 
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 2d5769a9ad..a7dc199d25 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -1579,14 +1579,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.24.0" + tag: "0.24.2" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.24.0" + tag: "0.24.2" pullPolicy: IfNotPresent total: resources: {} @@ -1639,7 +1639,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.24.0" + tag: "0.24.2" pullPolicy: IfNotPresent service: type: ClusterIP From 075788eb2892d9ed10db78fd1224284e817316eb Mon Sep 17 00:00:00 2001 From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Tue, 5 Nov 2024 09:27:54 +0100 Subject: [PATCH 04/12] release 0.60.0 (#3803) * chore: create release 0.60.0 * chore: Mute selenium dependency updates (#3574) * feat: allow session TTL values to be set (#3826) * feat: improve UX and better support GitHub connections (#3830) * fix: updgrade csi rclone to 0.3.5 (#3831) * feat: bump renku-gateway to 1.3.0 (#3827) Bump `renku-gateway` to `1.3.0` which adds the option to enable debug logs. This option can be enabled in development environments to help debug issues. * chore: update changelog * chore: update changelog --------- Co-authored-by: eikek <701128+eikek@users.noreply.github.com> Co-authored-by: Flora Thiebaut Co-authored-by: Lorenzo Cavazzi <43481553+lorenzo-cavazzi@users.noreply.github.com> Co-authored-by: Tasko Olevski Co-authored-by: Laura Co-authored-by: Tasko Olevski --- .scala-steward.conf | 3 ++ CHANGELOG.rst | 49 +++++++++++++++++++ helm-chart/renku/requirements.yaml | 2 +- .../renku/templates/gateway/configmap.yaml | 7 +++ helm-chart/renku/values.yaml | 23 ++++++--- helm-chart/values.yaml.changelog.md | 6 +++ 6 files changed, 83 insertions(+), 7 deletions(-) 
diff --git a/.scala-steward.conf b/.scala-steward.conf index 0d337b2c64..14bb7f406d 100644 --- a/.scala-steward.conf +++ b/.scala-steward.conf @@ -7,3 +7,6 @@ # directory itself also contains a build.sbt the dot can be used to # specify it. Default: ["."] buildRoots = [ "acceptance-tests" ] +updates.ignore = [ + { groupId = "org.seleniumhq.selenium", artifactId = "selenium-java" } +] diff --git a/CHANGELOG.rst b/CHANGELOG.rst index da523aa781..2df2a8c35b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
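Review bot: `updates.ignore` silences every Scala Steward proposal for `selenium-java`, including security releases, and nothing in the file records why or when the exclusion should be lifted; the commit message only says the updates are muted. A one-line note above the block, `# selenium-java: updates ignored because <reason>; revisit when <condition>`, or a narrower `updates.pin` to a version range, keeps the exception auditable. The ignored artifact should then be covered by whatever manual dependency review the project runs, so the exclusion cannot quietly hold a known vulnerable version in place.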
@@ -1,5 +1,54 @@ .. _changelog: +0.60.0 +------ + +Renku 0.60.0 squashes an issue that has been tripping up many users when connecting their GitHub +account, as well as various UX polish and bug fixes. + +NOTE to administrators: Upgrading the `csi-rclone` component will unmount all cloud storage for all +active or hibernated sessions. Therefore, we recommend notifying your users ahead of time when you +deploy this version of Renku and also if possible deploying the upgrade when there are fewer +sessions that use cloud storage or just fewer sessions in general. Once the upgrade is complete +users will be able to mount cloud storage as usual. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**✨ Improvements** + +- **UI**: Allow for changing the role of members of groups, and hide membership edit buttons for + users with insufficient permissions on project and group settings pages (`#3374 + `__). +- **UI**: Improve UX for data connector side sheets and modals (`#3368 `__). + +**🐞 Bug Fixes** + +- **UI & Data services**: Direct users to complete the GitHub integration by installing the Renku app in the desired namespace (`#3332 `__). +- **UI**: Avoid unexpected redirects when clicking on the 2.0 dashboard session buttons (`#3378 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **UI**: Update the Admin page to set up Connected services (`#3332 `__). +- **Gateway**: Add support for enabling debug logs from the gateway (`#730 `__). + +**Bug Fixes** + +- **csi-rclone**: Do not log potentially sensitive data in error messages. +- **csi-rclone**: Properly handle encrypted secrets with the new annotation-based storage class. + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.25.0 `_ +- `renku-gateway 1.3.0 `_ +- `renku-ui 3.41.0 `_ +- `csi-rclone 0.3.4 `__ +- `csi-rclone 0.3.5 `__ + 0.59.2 ------ diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 7a214673d5..c1c773a880 100644 
--- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -30,7 +30,7 @@ dependencies: condition: notebooks.cloudstorage.s3.installDatashim - name: csi-rclone repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.3.3" + version: "0.3.5" condition: global.csi-rclone.install - name: solr repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/helm-chart/renku/templates/gateway/configmap.yaml b/helm-chart/renku/templates/gateway/configmap.yaml index c163177252..164e045a53 100644 --- a/helm-chart/renku/templates/gateway/configmap.yaml +++ b/helm-chart/renku/templates/gateway/configmap.yaml @@ -9,6 +9,7 @@ metadata: heritage: {{ .Release.Service }} data: config.yaml: | + debugMode: {{ .Values.gateway.debug | default false }} server: port: 8080 host: 0.0.0.0 @@ -21,6 +22,12 @@ data: {{- toYaml . | nindent 8 }} {{- end }} sessions: + {{- if .Values.gateway.idleSessionTTLSeconds }} + idleSessionTTLSeconds: {{ .Values.gateway.idleSessionTTLSeconds }} + {{- end }} + {{- if .Values.gateway.maxSessionTTLSeconds }} + maxSessionTTLSeconds: {{ .Values.gateway.maxSessionTTLSeconds }} + {{- end }} authorizationVerifiers: - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} audience: renku diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index a7dc199d25..faefc3ea32 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -654,7 +654,7 @@ ui: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.40.1" + tag: "3.41.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -843,7 +843,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.40.1" + tag: "3.41.0" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" 
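Review bot: `{{- if .Values.gateway.idleSessionTTLSeconds }}` and the matching `maxSessionTTLSeconds` guard treat `0` as false in Go templates, yet the comments added to values.yaml in this same commit state "If set to 0 then there is no TTL", so an administrator who sets either value to 0 has it silently dropped from the rendered config and the gateway falls back to its built-in default instead. Use a nil check so that only an unset value is omitted, e.g. `{{- if not (kindIs "invalid" .Values.gateway.idleSessionTTLSeconds) }}` and `{{- if not (kindIs "invalid" .Values.gateway.maxSessionTTLSeconds) }}`. The template also does not enforce the documented rule that a non-zero max must be greater than the idle TTL; a `fail` guard here would surface that misconfiguration at render time rather than at runtime. Since this is the session-lifetime control, a silent fallback means the limit an operator believes is in force is not the one deployed.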
@@ -1266,13 +1266,22 @@ gateway: ## average rate units are requests per second average: 20 burst: 100 + ## How long a session will be kept alive if it is idle. + ## If set to 0 then there is no TTL. + ## If not set, defaults to 14400 (4 hours). + idleSessionTTLSeconds: + ## The maximum duration a session can be kept alive. + ## If set to 0 then there is no TTL. + ## If this value is set to a value other than 0 then it must be greater than idleSessionTTLSeconds. + ## If not set, defaults to 86400 (24 hours). + maxSessionTTLSeconds: ## For production deployment, you will need to define the secret key. ## This is a random string, used for cryptographic operations on cookies and sensitive information. ## Use `openssl rand -hex 32`. secretKey: image: repository: renku/renku-gateway - tag: "1.2.0" + tag: "1.3.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1299,6 +1308,8 @@ gateway: # dedicated GitLab instance is deployed, so, logging out from Renku should # trigger a logout from GitLab. logoutGitLabUponRenkuLogout: true + # Turns on debug logs from the gateway + debug: false # sentry configuration sentry: enabled: false @@ -1579,14 +1590,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.24.2" + tag: "0.25.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.24.2" + tag: "0.25.0" pullPolicy: IfNotPresent total: resources: {} @@ -1639,7 +1650,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.24.2" + tag: "0.25.0" pullPolicy: IfNotPresent service: type: ClusterIP diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 756465bed9..54f4107b49 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,12 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.60.0 + +* NEW ``gateway.idleSessionTTLSeconds`` to set the session idle TTL in seconds. +* NEW ``gateway.maxSessionTTLSeconds`` to set the session max TTL in seconds. +* NEW ``gateway.debug`` to enable debug logs from the gateway. + ## Upgrading to Renku 0.59.1 * NEW ``notebooks.bypassCacheOnFailure`` has been added. Setting this to false prevents renku-notebooks to call From 866dcef2313e9fac424cda3480ac1070108d9754 Mon Sep 17 00:00:00 2001 
From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Tue, 26 Nov 2024 10:58:58 +0100 Subject: [PATCH 05/12] release 0.61.0 (#3834) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: create release 0.61.0 * feat: jupyter free sessions in Renku v2 (#3712) * feat: consolidate network policies (#3839) * feat: update data service to 0.27.0 and amalthea to 0.14.4 (#3842) * feat: update data service to 0.27.0 * feat: update amalthea to 0.14.4 --------- Co-authored-by: Tasko Olevski Co-authored-by: Andrea Cordoba Co-authored-by: Alessandro Degano Co-authored-by: Flora Thiebaut Co-authored-by: Rok Roškar Co-authored-by: Laura Co-authored-by: eikek <701128+eikek@users.noreply.github.com> Co-authored-by: Ralf Grubenmann --- .github/workflows/pull-request-test.yml | 2 + CHANGELOG.rst | 80 ++ cypress-tests/cypress/e2e/useSession.cy.ts | 2 + .../cypress/support/utils/projectsV2.utils.ts | 2 +- helm-chart/renku/requirements.yaml | 5 +- helm-chart/renku/templates/_helpers.tpl | 4 + .../templates/core/cache-cleanup-job.yaml | 3 + .../templates/data-service/deployment.yaml | 19 +- .../renku/templates/data-service/rbac.yaml | 61 + .../renku/templates/network-policies.yaml | 1000 ++++++++++++++++- .../renku/templates/notebooks/deployment.yaml | 6 + .../renku/templates/notebooks/env-secret.yaml | 89 ++ .../templates/notebooks/network-policy.yaml | 104 -- .../templates/notebooks/statefulset.yaml | 138 +-- .../secrets-storage/network-policy.yaml | 22 - .../templates/setup-job-network-policy.yaml | 35 - helm-chart/renku/values.yaml | 17 +- helm-chart/values.yaml.changelog.md | 5 + scripts/init-db/Dockerfile | 1 + scripts/init-db/generate_ulid_func.sql | 83 ++ scripts/init-db/renku_db_init.py | 5 +- scripts/init-db/utils.py | 10 + 22 files changed, 1378 insertions(+), 315 deletions(-) create mode 100644 helm-chart/renku/templates/notebooks/env-secret.yaml delete mode 100644 helm-chart/renku/templates/notebooks/network-policy.yaml 
delete mode 100644 helm-chart/renku/templates/secrets-storage/network-policy.yaml delete mode 100644 helm-chart/renku/templates/setup-job-network-policy.yaml create mode 100644 scripts/init-db/generate_ulid_func.sql diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml index fc442dbb79..40113afcf1 100644 --- a/.github/workflows/pull-request-test.yml +++ b/.github/workflows/pull-request-test.yml @@ -58,6 +58,7 @@ jobs: renku-ui: ${{ steps.deploy-comment.outputs.renku-ui}} renku-data-services: ${{ steps.deploy-comment.outputs.renku-data-services}} amalthea: ${{ steps.deploy-comment.outputs.amalthea}} + amalthea-sessions: ${{ steps.deploy-comment.outputs.amalthea-sessions}} test-enabled: ${{ steps.deploy-comment.outputs.test-enabled}} extra-values: ${{ steps.deploy-comment.outputs.extra-values}} steps: @@ -99,6 +100,7 @@ jobs: renku_ui: "${{ needs.check-deploy.outputs.renku-ui }}" renku_data_services: "${{ needs.check-deploy.outputs.renku-data-services }}" amalthea: "${{ needs.check-deploy.outputs.amalthea }}" + amalthea_sessions: "${{ needs.check-deploy.outputs.amalthea-sessions }}" extra_values: "${{ needs.check-deploy.outputs.extra-values }}" - name: Check existing renkubot comment if: needs.check-deploy.outputs.pr-contains-string == 'true' diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 2df2a8c35b..35588e4c0c 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,80 @@ .. _changelog: +0.61.0 +------ + +Renku 0.61.0 introduces a new version of Amalthea that supports running sessions with Docker images +that do not contain Jupyter server. + +NOTES to administrators: + +- This upgrade introduces a brand new CRD for sessions. All services that support + sessions for Renku v2 will switch to this new CRD. Renku v1 sessions remain unchanged. + Therefore any old sessions for Renku v2 will not be visible to users after this upgrade. The sessions + themselves will not be immediately deleted and as long as users have saved links to their old sessions they + should be able to access their sessions and save data. However we recommend that administrators + notify users of the change and allow for enough time so that existing Renku v2 sessions can be saved and + cleaned up, rather than asking users to save the url to their sessions. In addition to users not being able + to see old Renku v2 sessions, they will also not be able to pause, resume or delete old Renku v2 sessions. + Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order + to support the new CRD we have also created a new operator that will manage the new `amaltheasession` resources. + +- The network policies for Renku have been consolidated and revamped. The most notable change here is the + removal of the egress policy that prevented egress to internal IP addresses from sessions. Now we disallow + all ingress in the Renku release namespace by default and explicitly grant permissions to any pods that need + to access other pods inside the Renku release namespace. Two properties relevant to this have been added to the + Helm chart values file that allows administrators to grant access to all Renku services from a specific namespace + or to do the same for specific pods within the Renku namespace. 
These are not needed for Renku to function and the + default network policies should be sufficient, they have been added so that administrators can allow ingress for + other services that may not come with the Renku Helm chart such as logging or monitoring. This change will result in + the removal of some network policies and the creation of several new policies. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**✨ Improvements** + +- **UI**: Enable the use of custom images that don’t contain Jupyter, streamlining the image-building process and allowing for the use of “off-the-shelf” images (`#3341 `__). +- **Sessions**: Enable running session images that do not contain Jupyter in them. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Data services**: Add support for OAuth storage providers +- **Data services**: Move notebooks code to data services +- **Helm chart**: Consolidate and revamp network policies +- **Data services**: Add support for project documentation +- **Data services**: Add support for cloning projects + +**Bug Fixes** + +- **Gateway**: Pass on session cookie to data services for anonymous session authentication +- **Data services**: Correct pagination for namespaces +- **Data services**: Add creation date and created_by for namespaces +- **Data services**: Pin RClone version in data services image +- **Data services**: Properly handle multi-architecture docker images when getting working directory +- **Data services**: Make environment working directory and mount directory optional +- **Amalthea**: Add readiness and health checks to sessions. 
+- **Amalthea**: Do not authenticate the authentication proxy health check +- **Amalthea**: Do not mount the Kubernetes service account in sessions +- **Amalthea**: Do not add Kubernetes specific environment variables in sessions + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-gateway 1.3.1 `_ +- `renku-ui 3.42.0 `_ +- `renku-data-services 0.26.0 `_ +- `renku-data-services 0.27.0 `_ +- `amalthea 0.13.0 `_ +- `amalthea 0.14.0 `_ +- `amalthea 0.14.1 `_ +- `amalthea 0.14.2 `_ +- `amalthea 0.14.3 `_ +- `amalthea 0.14.4 `_ + 0.60.0 ------ @@ -74,11 +149,16 @@ Internal Changes **Bug Fixes** - **Data services**: Handle spaces in ``provider_id`` for connected services (`#482 `__). +- **csi-rclone**: Do not log potentially sensitive data in error messages. +- **csi-rclone**: Properly handle encrypted secrets with the new annotation-based storage class. + Individual Components ~~~~~~~~~~~~~~~~~~~~~ - `renku-data-services 0.24.2 `__ +- `csi-rclone 0.3.4 `__ +- `csi-rclone 0.3.5 `__ 0.59.1 ------ diff --git a/cypress-tests/cypress/e2e/useSession.cy.ts b/cypress-tests/cypress/e2e/useSession.cy.ts index 30d7662e7d..537e7f6bf2 100644 --- a/cypress-tests/cypress/e2e/useSession.cy.ts +++ b/cypress-tests/cypress/e2e/useSession.cy.ts @@ -189,6 +189,8 @@ describe("Basic public project functionality", () => { // Stop the session -- mind that anonymous users cannot pause sessions cy.deleteSession({ fromSessionPage: true }); + + cy.robustLogin(); }); it("Start a new session on a project without permissions.", () => { diff --git a/cypress-tests/cypress/support/utils/projectsV2.utils.ts b/cypress-tests/cypress/support/utils/projectsV2.utils.ts index 1770aaff91..e55665f105 100644 --- a/cypress-tests/cypress/support/utils/projectsV2.utils.ts +++ b/cypress-tests/cypress/support/utils/projectsV2.utils.ts 
@@ -23,7 +23,7 @@ export function getUserNamespaceAPIV2(): Cypress.Chainable { /** Get a project by using only the API. */ export function getProjectByNamespaceAPIV2(newProjectProps: ProjectIdentifierV2): Cypress.Chainable { - return cy.request({ failOnStatusCode: false, method: "GET", url: `api/data/projects/${newProjectProps.namespace}/${newProjectProps.slug}` }); + return cy.request({ failOnStatusCode: false, method: "GET", url: `api/data/namespaces/${newProjectProps.namespace}/projects/${newProjectProps.slug}` }); } /** Create a project (if the project is missing) by using only the API. */ diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index c1c773a880..0de1c14601 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -23,7 +23,10 @@ dependencies: alias: jena - name: amalthea repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.12.3" + version: "0.14.3" + - name: amalthea-sessions + repository: "https://swissdatasciencecenter.github.io/helm-charts/" + version: "0.14.4" - name: dlf-chart repository: "https://swissdatasciencecenter.github.io/datashim/" version: "0.3.9-renku-2" diff --git a/helm-chart/renku/templates/_helpers.tpl b/helm-chart/renku/templates/_helpers.tpl index c7d07db31d..f7660399d1 100644 --- a/helm-chart/renku/templates/_helpers.tpl +++ b/helm-chart/renku/templates/_helpers.tpl @@ -149,6 +149,10 @@ KC_DB_PASSWORD: {{ default (randAlphaNum 64) .Values.global.keycloak.postgresPas {{- end -}} {{- end -}} +{{- define "renku.keycloakIssuerUrl" -}} +{{- printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) -}} +{{- end -}} + {{/* Common labels */}} diff --git a/helm-chart/renku/templates/core/cache-cleanup-job.yaml b/helm-chart/renku/templates/core/cache-cleanup-job.yaml index ea665eab0c..b851a1bb51 100644 --- a/helm-chart/renku/templates/core/cache-cleanup-job.yaml 
+++ b/helm-chart/renku/templates/core/cache-cleanup-job.yaml @@ -13,6 +13,9 @@ spec: jobTemplate: spec: template: + metadata: + labels: + app: core-cache-cleanup spec: containers: - name: {{ include "renku-core.fullname" $ }}-cache-cleanup-{{ $version.name }} diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml index a0620c6f78..e657cd9b4f 100644 --- a/helm-chart/renku/templates/data-service/deployment.yaml +++ b/helm-chart/renku/templates/data-service/deployment.yaml @@ -43,6 +43,9 @@ spec: - name: http containerPort: 8000 protocol: TCP + envFrom: + - secretRef: + name: {{ template "renku.notebooks.fullname" . }} env: - name: VERSION value: {{ .Values.dataService.image.tag | quote }} @@ -70,10 +73,6 @@ spec: value: /secrets/encryptionKey/encryptionKey - name: SECRETS_SERVICE_PUBLIC_KEY_PATH value: /secrets/publicKey/publicKey - - name: SERVER_DEFAULTS - value: /etc/renku-data-service/server_options/server_defaults.json - - name: SERVER_OPTIONS - value: /etc/renku-data-service/server_options/server_options.json - name: K8S_NAMESPACE value: {{ .Release.Namespace | quote }} - name: GITLAB_URL @@ -116,11 +115,21 @@ spec: value: {{ .Values.dataService.trustedProxies.proxiesCount | default "" | quote }} - name: REAL_IP_HEADER value: {{ .Values.dataService.trustedProxies.realIpHeader | default "" | quote }} + - name: KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: SESSIONS_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace {{- include "certificates.env.python" . | nindent 12 }} {{- include "certificates.env.grpc" . | nindent 12 }} volumeMounts: - name: server-options - mountPath: /etc/renku-data-service/server_options + mountPath: /etc/renku-notebooks/server_options - mountPath: "/secrets/encryptionKey" name: encryption-key readOnly: true 
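Review bot: The `envFrom` / `secretRef` added in the first data-service hunk (`@@ -43,6 +43,9 @@`) imports every key of the `{{ template "renku.notebooks.fullname" . }}` secret into the data-service environment, and env-secret.yaml in this same patch shows that secret carrying `NB_SESSIONS__OIDC__CLIENT_SECRET` alongside ordinary configuration. If the data-service consumes only a subset of those keys, explicit `valueFrom.secretKeyRef` entries for the ones it needs keep the OIDC credential out of process environments that never use it; whether every key is consumed is not visible from the hunk. The container spec continues outside the hunk.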
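Review bot: `SESSIONS_NAMESPACE` in the third data-service hunk (`@@ -116,11 +115,21 @@`) is taken from the pod's own `metadata.namespace`, whereas notebooks/deployment.yaml in this patch builds `K8S_WATCHER_NAMESPACES` from `.Values.notebooks.sessionsNamespace`; a deployment that sets that value would have the data-service address sessions in the release namespace while the watcher follows the configured one. Unless the data-service is meant to ignore that value, `value: {{ .Values.notebooks.sessionsNamespace | default .Release.Namespace | quote }}` keeps the two services consistent. `KUBERNETES_NAMESPACE` is unaffected, and the `env` list continues outside the hunk.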
diff --git a/helm-chart/renku/templates/data-service/rbac.yaml b/helm-chart/renku/templates/data-service/rbac.yaml index c242893a24..2e8266a050 100644 --- a/helm-chart/renku/templates/data-service/rbac.yaml +++ b/helm-chart/renku/templates/data-service/rbac.yaml @@ -19,6 +19,67 @@ rules: - patch - delete - create + - apiGroups: + - "" + resources: + - pods + - pods/log + - services + - endpoints + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - delete + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - patch + - apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update + - delete + - patch + - apiGroups: + - {{ .Values.amalthea.crdApiGroup }} + resources: + - {{ .Values.amalthea.crdNames.plural }} + verbs: + - create + - update + - delete + - patch + - list + - get + - watch + - apiGroups: + - amalthea.dev + resources: + - amaltheasessions + verbs: + - create + - update + - delete + - patch + - list + - get + - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 3aa0a88615..6dc5ac286e 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -1,3 +1,16 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-all-ingress + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress {{- if not .Values.global.externalServices.postgresql.enabled }} --- apiVersion: networking.k8s.io/v1 
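Review bot: The new rules grant `list` and `watch` on `secrets` in addition to `create`/`update`/`delete`/`patch`, which lets the data-service read every secret within the scope of this role rather than only the session secrets it manages; `list`/`watch` cannot be narrowed with `resourceNames`, so if the code only needs secrets it created itself, `get` on known names is the tighter shape. Whether this role is bound namespace-wide or cluster-wide is not visible in the hunk. The `secrets` verbs are also split across three rule entries (`get/list/watch`, `delete`, and `create/update/delete/patch`) with `delete` repeated, so merging them into one entry would make the effective permission set easier to audit. The rule list continues outside the hunk.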
@@ -81,13 +94,992 @@ spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} + - podSelector: + matchLabels: + app: postgres-setup + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} ports: - protocol: TCP port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - protocol: TCP port: 9187 {{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }}-k8s-watcher + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the k8s watcher from data services and notebooks + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Ingress + ingress: + - from: + # Allow ssh ingress to sessions only for the ssh jump host + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . 
}}-ssh + ports: + - port: ssh + protocol: TCP + - from: + # Allow ingress to the oauth2proxy for anyone + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: 4180 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.notebooks.fullname" . }}-sessions-v2 + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: AmaltheaSession + app.kubernetes.io/part-of: amaltheasession-operator + policyTypes: + - Ingress + ingress: + - from: + # Allow ingress to the authentication proxy port on a v2 session from anywhere + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + # This port is hardcoded in Amalthea as the port for the authentication proxy + port: 65535 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "renku.fullname" . }}-secrets-storage + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-secrets-storage + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + # Only allow ingress to secrets storage from notebooks and data services + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-data-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-notebooks-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-graph + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-knowledge-graph-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-kg +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-search-service-from-gateway + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-search-api + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-uiserver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-gateway-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- if .Values.keycloakx.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-keycloak-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: keycloakx + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http + - protocol: TCP + port: https +{{- end }} +{{- if .Values.swagger.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-swagger-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku.name" . 
}}-swagger + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-webhook-service-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http-webhook-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-ui-assets-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: ui + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-authz-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-authz + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: data-service-background-jobs + - podSelector: + matchLabels: + app: data-service-total-users-sync + ports: + - protocol: TCP + port: http + - protocol: TCP + port: grpc +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-core-service-from-core-cleanup-job + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: core-cache-cleanup + ports: + - protocol: TCP + port: http +{{- if .Values.redis.install }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-redis-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: redis + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "gateway.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: "uiserver" + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "renku-core.name" . 
}} + app.kubernetes.io/instance: {{ .Release.Name }} + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.search.searchApi.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: redis +{{- end }} +{{- if .Values.solr.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-solr-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/component: solr + app.kubernetes.io/name: solr + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: search-api + - podSelector: + matchLabels: + app: search-provision + ports: + - protocol: TCP + port: http +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromPods | len) 0 }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-pods + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + {{- toYaml .Values.networkPolicies.allowAllIngressFromPods | nindent 8 }} +{{- end }} +{{- if gt (.Values.networkPolicies.allowAllIngressFromNamespaces | len) 0 }} +{{- if has .Release.Namespace .Values.networkPolicies.allowAllIngressFromNamespaces }} +{{- fail "ERROR: You cannot allow all ingress from the Helm release namespace" }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-from-some-namespaces + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: {} + policyTypes: + - Ingress + ingress: + - from: + - namespaceSelector: + matchExpressions: + # The kubernetes.io/metadata.name label is automatically added by k8s to every namespace + - key: kubernetes.io/metadata.name + operator: In + values: + {{- toYaml .Values.networkPolicies.allowAllIngressFromNamespaces | nindent 16 }} +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-all-ingress-to-acme-http-solver-from-anywhere + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + acme.cert-manager.io/http01-solver: "true" + policyTypes: + - Ingress + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-jena-from-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: jena + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: jena-http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-event-log-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . 
}} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The event log calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-event-log +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-token-repository-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.tokenRepository.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . 
}} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-token-repo +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-triple-generator-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.webhookService.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + app: {{ template "renku.graph.knowledgeGraph.name" . }} + release: {{ .Release.Name }} + - podSelector: + matchLabels: + # The triples generator calls itself via a k8s service so if it is not allowed in the + # network policy like this then those requests fail. + app: {{ template "renku.graph.triplesGenerator.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-triples-gn +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-commit-events-from-kg-services + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: {{ template "renku.graph.commitEventService.name" . }} + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.graph.eventLog.name" . 
}} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http-commit-sv +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: ingress-to-data-service-from-notebooks + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "renku.notebooks.name" . }} + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + # The notebooks code in data service calls data service via a K8s service + # and for this to succeed the network policy has to allow it. This can be + # removed when the notebooks code is completely migrated to the data service. + name: ingress-to-data-service-from-itself + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + # Needed for secret mounting + name: ingress-to-data-service-from-v1-sessions + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . 
}} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + ports: + - protocol: TCP + port: http +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-from-renku-v1-sessions +spec: + egress: + - to: + # DNS resolution + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. + - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - to: + # Allow access to data service, needed for secret mounting + - podSelector: + matchLabels: + app: renku-data-service + release: {{ .Release.Name }} + podSelector: + matchLabels: + app.kubernetes.io/component: jupyterserver + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/name: amalthea + policyTypes: + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: egress-from-renku-v2-sessions +spec: + egress: + - to: + # DNS resolution + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: kube-system + podSelector: + matchLabels: + k8s-app: kube-dns + ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + # Allow access to any port/protocol as long as it is directed + # outside of the cluster. This is done by excluding + # IP ranges which are reserved for private networking from + # the allowed range. 
+ - ipBlock: + cidr: 0.0.0.0/0 + except: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + podSelector: + matchLabels: + app.kubernetes.io/created-by: controller-manager + app.kubernetes.io/name: AmaltheaSession + policyTypes: + - Egress diff --git a/helm-chart/renku/templates/notebooks/deployment.yaml b/helm-chart/renku/templates/notebooks/deployment.yaml index 8e65a6d313..978d466f12 100644 --- a/helm-chart/renku/templates/notebooks/deployment.yaml +++ b/helm-chart/renku/templates/notebooks/deployment.yaml @@ -43,6 +43,12 @@ spec: value: {{ .Values.amalthea.crdApiVersion }} - name: K8S_WATCHER_CR_PLURAL value: {{ .Values.amalthea.crdNames.plural }} + - name: K8S_WATCHER_AMALTHEA_SESSION_GROUP + value: amalthea.dev + - name: K8S_WATCHER_AMALTHEA_SESSION_VERSION + value: v1alpha1 + - name: K8S_WATCHER_AMALTHEA_SESSION_PLURAL + value: amaltheasessions - name: K8S_WATCHER_NAMESPACES {{ if .Values.notebooks.sessionsNamespace }} value: {{ list .Release.Namespace .Values.notebooks.sessionsNamespace | uniq | toJson | quote }} diff --git a/helm-chart/renku/templates/notebooks/env-secret.yaml b/helm-chart/renku/templates/notebooks/env-secret.yaml new file mode 100644 index 0000000000..c229aab657 --- /dev/null +++ b/helm-chart/renku/templates/notebooks/env-secret.yaml 
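Review bot: The `except` lists on `egress-from-renku-v1-sessions` and `egress-from-renku-v2-sessions` exclude the three RFC 1918 ranges but not link-local `169.254.0.0/16`, so session pods can still reach link-local addresses, which on most cloud platforms is where the instance metadata endpoint is served; adding `- 169.254.0.0/16` to both lists (and `100.64.0.0/10` if the cluster uses that range for pods or services) closes that gap. The changelog in this patch reads as saying the egress policy that blocked sessions from internal IPs was removed, yet both of these policies still carry it, so either the note or the policies should be reconciled. Both egress policies also omit the `labels` block (`app`/`chart`/`release`/`heritage`) that every other policy in this file sets. Several pod selectors (`data-service-background-jobs`, `data-service-total-users-sync`, `search-api`, `search-provision`) lack the `release: {{ .Release.Name }}` label their neighbouring selectors use, which widens them to any pod in the namespace carrying that `app` label.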
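Review bot: `K8S_WATCHER_AMALTHEA_SESSION_GROUP`, `K8S_WATCHER_AMALTHEA_SESSION_VERSION` and `K8S_WATCHER_AMALTHEA_SESSION_PLURAL` are hard-coded to `amalthea.dev`, `v1alpha1` and `amaltheasessions`, while the v1 entries directly above them are templated from `.Values.amalthea.*`; the same literals are repeated in data-service/rbac.yaml in this patch. Sourcing the v2 group and plural from one chart value would keep the RBAC rule and the watcher configuration from drifting when the CRD version is bumped. The `env` list continues outside the hunk.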
@@ -0,0 +1,89 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "renku.notebooks.fullname" . }} + labels: + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +type: Opaque +stringData: + NB_SESSIONS__STORAGE__PVS_ENABLED: {{ .Values.notebooks.userSessionPersistentVolumes.enabled | quote }} + {{ if .Values.notebooks.userSessionPersistentVolumes.enabled }} + NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS: {{ .Values.notebooks.userSessionPersistentVolumes.storageClass | quote}} + {{ end }} + NB_SESSIONS__STORAGE__USE_EMPTY_DIR_SIZE_LIMIT: {{ .Values.notebooks.userSessionPersistentVolumes.useEmptyDirSizeLimit | quote }} + NB_SESSIONS__DEFAULT_IMAGE: "{{ .Values.notebooks.defaultSessionImage }}" + NB_SERVER_OPTIONS__DEFAULTS_PATH: /etc/renku-notebooks/server_options/server_defaults.json + NB_SERVER_OPTIONS__UI_CHOICES_PATH: /etc/renku-notebooks/server_options/server_options.json + NB_SESSIONS__OIDC__CLIENT_ID: {{ .Values.notebooks.oidc.clientId }} + NB_SESSIONS__OIDC__CLIENT_SECRET: {{ .Values.notebooks.oidc.clientSecret }} + NB_SESSIONS__OIDC__AUTH_URL: {{ .Values.notebooks.oidc.authUrl }} + NB_SESSIONS__OIDC__TOKEN_URL: {{ .Values.notebooks.oidc.tokenUrl }} + NB_SESSIONS__OIDC__ISSUER_URL: {{ template "renku.keycloakIssuerUrl" . }} + NB_SESSIONS__OIDC__ALLOW_UNVERIFIED_EMAIL: {{ .Values.notebooks.oidc.allowUnverifiedEmail | quote }} + NB_SESSIONS__INGRESS__HOST: {{ .Values.notebooks.sessionIngress.host }} + NB_SESSIONS__INGRESS__TLS_SECRET: {{ .Values.notebooks.sessionIngress.tlsSecret }} + NB_SESSIONS__INGRESS__ANNOTATIONS: | + {{- .Values.notebooks.sessionIngress.annotations | toYaml | nindent 4 }} + NB_GIT__URL: {{ .Values.global.gitlab.url | quote }} + NB_GIT__REGISTRY: {{ required "An image registry must be specified." 
.Values.global.gitlab.registry.host }} + NB_SESSIONS__GIT_RPC_SERVER__IMAGE: "{{ .Values.notebooks.gitRpcServer.image.name }}:{{ .Values.notebooks.gitRpcServer.image.tag }}" + NB_SESSIONS__GIT_PROXY__IMAGE: "{{ .Values.notebooks.gitHttpsProxy.image.name }}:{{ .Values.notebooks.gitHttpsProxy.image.tag }}" + NB_SESSIONS__GIT_CLONE__IMAGE: "{{ .Values.notebooks.gitClone.image.name }}:{{ .Values.notebooks.gitClone.image.tag }}" + NB_ANONYMOUS_SESSIONS_ENABLED: {{ .Values.global.anonymousSessions.enabled | quote }} + NB_SSH_ENABLED: {{ .Values.notebooks.ssh.enabled | quote }} + NB_SESSIONS__CULLING__REGISTERED__IDLE_SECONDS: {{ .Values.notebooks.culling.idleSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__ANONYMOUS__IDLE_SECONDS: {{ .Values.notebooks.culling.idleSecondsThreshold.anonymous | quote }} + NB_SESSIONS__CULLING__REGISTERED__HIBERNATED_SECONDS: {{ .Values.notebooks.culling.hibernatedSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__REGISTERED__MAX_AGE_SECONDS: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.registered | quote }} + NB_SESSIONS__CULLING__ANONYMOUS__MAX_AGE_SECONDS: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.anonymous | quote }} + NB_AMALTHEA__GROUP: {{ .Values.amalthea.crdApiGroup }} + NB_AMALTHEA__VERSION: {{ .Values.amalthea.crdApiVersion }} + NB_AMALTHEA__PLURAL: {{ .Values.amalthea.crdNames.plural }} + NB_AMALTHEA__CACHE_URL: "http://{{ template "renku.notebooks.fullname" . }}-k8s-watcher" + NB_AMALTHEA_V2__CACHE_URL: "http://{{ template "renku.notebooks.fullname" . 
}}-k8s-watcher" + NB_SESSIONS__GIT_CLONE__SENTRY__ENABLED: {{ .Values.notebooks.sessionSentry.gitClone.enabled | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__DSN: {{ .Values.notebooks.sessionSentry.gitClone.dsn | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__ENV: {{ .Values.notebooks.sessionSentry.gitClone.environment | quote }} + NB_SESSIONS__GIT_CLONE__SENTRY__SAMPLE_RATE: {{ .Values.notebooks.sessionSentry.gitClone.sampleRate | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENABLED: {{ .Values.notebooks.sessionSentry.sidecar.enabled | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__DSN: {{ .Values.notebooks.sessionSentry.sidecar.dsn | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENV: {{ .Values.notebooks.sessionSentry.sidecar.environment | quote }} + NB_SESSIONS__GIT_RPC_SERVER__SENTRY__SAMPLE_RATE: {{ .Values.notebooks.sessionSentry.sidecar.sampleRate | quote }} + NB_SESSIONS__CA_CERTS__IMAGE: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}" + NB_SESSIONS__CA_CERTS__SECRETS: | + {{- .Values.global.certificates.customCAs | toYaml | nindent 4 }} + {{- with .Values.notebooks.sessionNodeSelector }} + NB_SESSIONS__NODE_SELECTOR: | + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notebooks.sessionAffinity }} + NB_SESSIONS__AFFINITY: | + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.notebooks.sessionTolerations }} + NB_SESSIONS__TOLERATIONS: | + {{- toYaml . 
| nindent 4 }} + {{- end }} + NB_SESSIONS__ENFORCE_CPU_LIMITS: {{ .Values.notebooks.enforceCPULimits | quote }} + NB_CLOUD_STORAGE__ENABLED: {{ .Values.notebooks.cloudstorage.enabled | quote }} + NB_CLOUD_STORAGE__STORAGE_CLASS: {{ .Values.notebooks.cloudstorage.storageClass | default "csi-rclone" | quote }} + NB_SESSIONS__TERMINATION_WARNING_DURATION_SECONDS: {{ .Values.notebooks.sessionAutosave.terminationWarningDurationSeconds | quote }} + NB_VERSION: {{ .Values.notebooks.image.tag | quote }} + {{ if .Values.notebooks.sessionsNamespace }} + NB_K8S__SESSIONS_NAMESPACE: {{ .Values.notebooks.sessionsNamespace | quote }} + {{ end }} + NB_K8S__RENKU_NAMESPACE: {{ .Release.Namespace | quote }} + NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_ID: renku + NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET: {{ .Values.global.gateway.clientSecret | quote }} + NB_KEYCLOAK_REALM: {{ include "renku.keycloak.realm" . | quote }} + NB_SESSIONS__SSH__ENABLED: {{ .Values.notebooks.ssh.enabled | quote }} + {{- if not (kindIs "invalid" .Values.notebooks.ssh.hostKeySecret) }} + NB_SESSIONS__SSH__HOST_KEY_SECRET: {{ .Values.notebooks.ssh.hostKeySecret | quote }} + {{- end }} + NB_DATA_SERVICE_URL: {{ printf "http://%s-data-service/api/data" .Release.Name }} + NB_USER_SECRETS__SECRETS_STORAGE_SERVICE_URL: {{ printf "http://%s-secrets-storage" .Release.Name }} + NB_USER_SECRETS__IMAGE: "{{ .Values.notebooks.secretsMount.image.repository}}:{{.Values.notebooks.secretsMount.image.tag }}" +--- + diff --git a/helm-chart/renku/templates/notebooks/network-policy.yaml b/helm-chart/renku/templates/notebooks/network-policy.yaml deleted file mode 100644 index 7de4810309..0000000000 --- a/helm-chart/renku/templates/notebooks/network-policy.yaml +++ /dev/null 
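Review bot: Several templated values in `stringData` are emitted unquoted, and the one that matters most is a credential: `NB_SESSIONS__OIDC__CLIENT_SECRET: {{ .Values.notebooks.oidc.clientSecret }}` renders invalid YAML, or a non-string, if the secret contains `:`, `#`, a leading `{`/`[`/`*`/`&`, or happens to look like a number or boolean, and the same applies to `CLIENT_ID`, `AUTH_URL`, `TOKEN_URL`, `INGRESS__HOST`, `INGRESS__TLS_SECRET`, `NB_GIT__REGISTRY` and the three `NB_AMALTHEA__*` entries. The file already does this correctly for `NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET`, so apply the same filter: `NB_SESSIONS__OIDC__CLIENT_SECRET: {{ .Values.notebooks.oidc.clientSecret | quote }}`. Separately, this one Secret now carries two real credentials (the OIDC client secret and the gateway client secret) next to roughly sixty non-sensitive settings such as image tags and culling thresholds, so any principal granted read access to it for configuration purposes also obtains the credentials. Consider keeping only the secret values here and the rest in a ConfigMap, and at minimum add a header comment such as `# NOTE: contains the OIDC and gateway client secrets; do not widen read access for config lookups.`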
@@ -1,104 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-k8s-watcher -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-k8s-watcher - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-ssh-jumphost -spec: - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-ssh - policyTypes: - - Egress - egress: - - to: - - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - ports: - - port: ssh - protocol: TCP - - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.notebooks.fullname" . }}-sessions -spec: - podSelector: - matchLabels: - app.kubernetes.io/component: jupyterserver - app.kubernetes.io/instance: {{ .Release.Name }} - app.kubernetes.io/name: amalthea - policyTypes: - - Ingress - - Egress - ingress: - - from: - # Allow ssh ingress to sessions only for the ssh jump host - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }}-ssh - ports: - - port: ssh - protocol: TCP - - from: - # Allow ingress to the oauth2proxy for anyone - - ipBlock: - cidr: 0.0.0.0/0 - ports: - - protocol: TCP - port: 4180 - egress: - - to: - # Allow DNS resolution (internal and external) - ports: - - port: 53 - protocol: UDP - - port: 53 - protocol: TCP - - to: - # Allow access to any port/protocol as long as it is directed - # outside of the cluster. 
This is done by excluding - # IP ranges which are reserved for private networking from - # the allowed range. - - ipBlock: - cidr: 0.0.0.0/0 - except: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - - to: - # Allow access to data service - - podSelector: - matchLabels: - app: renku-data-service - ports: - - port: http - protocol: TCP - diff --git a/helm-chart/renku/templates/notebooks/statefulset.yaml b/helm-chart/renku/templates/notebooks/statefulset.yaml index a8de45596e..04a887f900 100644 --- a/helm-chart/renku/templates/notebooks/statefulset.yaml +++ b/helm-chart/renku/templates/notebooks/statefulset.yaml 
@@ -32,74 +32,14 @@ spec: imagePullPolicy: {{ .Values.notebooks.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} + envFrom: + - secretRef: + name: {{ template "renku.notebooks.fullname" . }} env: - - name: NB_SESSIONS__STORAGE__PVS_ENABLED - value: {{ .Values.notebooks.userSessionPersistentVolumes.enabled | quote }} - {{ if .Values.notebooks.userSessionPersistentVolumes.enabled }} - - name: NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS - value: {{ .Values.notebooks.userSessionPersistentVolumes.storageClass | quote}} - {{ end }} - - name: NB_SESSIONS__STORAGE__USE_EMPTY_DIR_SIZE_LIMIT - value: {{ .Values.notebooks.userSessionPersistentVolumes.useEmptyDirSizeLimit | quote }} - - name: NB_SESSIONS__DEFAULT_IMAGE - value: "{{ .Values.notebooks.defaultSessionImage }}" - - name: NB_SERVER_OPTIONS__DEFAULTS_PATH - value: /etc/renku-notebooks/server_options/server_defaults.json - - name: NB_SERVER_OPTIONS__UI_CHOICES_PATH - value: /etc/renku-notebooks/server_options/server_options.json {{ if eq .Values.global.debug true }} - name: FLASK_DEBUG value: "1" {{ end }} - - name: NB_SESSIONS__OIDC__CLIENT_ID - value: {{ .Values.notebooks.oidc.clientId }} - - name: NB_SESSIONS__OIDC__CLIENT_SECRET - value: {{ .Values.notebooks.oidc.clientSecret }} - - name: NB_SESSIONS__OIDC__AUTH_URL - value: {{ .Values.notebooks.oidc.authUrl }} - - name: NB_SESSIONS__OIDC__TOKEN_URL - value: {{ .Values.notebooks.oidc.tokenUrl }} - - name: NB_SESSIONS__OIDC__ALLOW_UNVERIFIED_EMAIL - value: {{ .Values.notebooks.oidc.allowUnverifiedEmail | quote }} - - name: NB_SESSIONS__INGRESS__HOST - value: {{ .Values.notebooks.sessionIngress.host }} - - name: NB_SESSIONS__INGRESS__TLS_SECRET - value: {{ .Values.notebooks.sessionIngress.tlsSecret }} - - name: NB_SESSIONS__INGRESS__ANNOTATIONS - value: | - {{- .Values.notebooks.sessionIngress.annotations | toYaml | nindent 16 }} - - name: NB_GIT__URL - value: {{ .Values.global.gitlab.url | quote }} - - name: NB_GIT__REGISTRY - 
value: {{ required "An image registry must be specified." .Values.global.gitlab.registry.host }} - - name: NB_SESSIONS__GIT_RPC_SERVER__IMAGE - value: "{{ .Values.notebooks.gitRpcServer.image.name }}:{{ .Values.notebooks.gitRpcServer.image.tag }}" - - name: NB_SESSIONS__GIT_PROXY__IMAGE - value: "{{ .Values.notebooks.gitHttpsProxy.image.name }}:{{ .Values.notebooks.gitHttpsProxy.image.tag }}" - - name: NB_SESSIONS__GIT_CLONE__IMAGE - value: "{{ .Values.notebooks.gitClone.image.name }}:{{ .Values.notebooks.gitClone.image.tag }}" - - name: NB_ANONYMOUS_SESSIONS_ENABLED - value: {{ .Values.global.anonymousSessions.enabled | quote }} - - name: NB_SSH_ENABLED - value: {{ .Values.notebooks.ssh.enabled | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__IDLE_SECONDS - value: {{ .Values.notebooks.culling.idleSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__ANONYMOUS__IDLE_SECONDS - value: {{ .Values.notebooks.culling.idleSecondsThreshold.anonymous | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__HIBERNATED_SECONDS - value: {{ .Values.notebooks.culling.hibernatedSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__REGISTERED__MAX_AGE_SECONDS - value: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.registered | quote }} - - name: NB_SESSIONS__CULLING__ANONYMOUS__MAX_AGE_SECONDS - value: {{ .Values.notebooks.culling.maxAgeSecondsThreshold.anonymous | quote }} - - name: NB_AMALTHEA__GROUP - value: {{ .Values.amalthea.crdApiGroup }} - - name: NB_AMALTHEA__VERSION - value: {{ .Values.amalthea.crdApiVersion }} - - name: NB_AMALTHEA__PLURAL - value: {{ .Values.amalthea.crdNames.plural }} - - name: NB_AMALTHEA__CACHE_URL - value: http://{{ template "renku.notebooks.fullname" . }}-k8s-watcher - name: NB_SENTRY__ENABLED value: {{ .Values.notebooks.sentry.enabled | quote }} - name: NB_SENTRY__DSN 
@@ -110,86 +50,14 @@ spec: value: {{ .Values.notebooks.sentry.sampleRate | quote }} - name: SENTRY_RELEASE value: {{ .Chart.Version | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__ENABLED - value: {{ .Values.notebooks.sessionSentry.gitClone.enabled | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__DSN - value: {{ .Values.notebooks.sessionSentry.gitClone.dsn | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__ENV - value: {{ .Values.notebooks.sessionSentry.gitClone.environment | quote }} - - name: NB_SESSIONS__GIT_CLONE__SENTRY__SAMPLE_RATE - value: {{ .Values.notebooks.sessionSentry.gitClone.sampleRate | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENABLED - value: {{ .Values.notebooks.sessionSentry.sidecar.enabled | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__DSN - value: {{ .Values.notebooks.sessionSentry.sidecar.dsn | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__ENV - value: {{ .Values.notebooks.sessionSentry.sidecar.environment | quote }} - - name: NB_SESSIONS__GIT_RPC_SERVER__SENTRY__SAMPLE_RATE - value: {{ .Values.notebooks.sessionSentry.sidecar.sampleRate | quote }} - - name: NB_SESSIONS__CA_CERTS__IMAGE - value: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}" - - name: NB_SESSIONS__CA_CERTS__SECRETS - value: | - {{- .Values.global.certificates.customCAs | toYaml | nindent 16 }} - {{- with .Values.notebooks.sessionNodeSelector }} - - name: NB_SESSIONS__NODE_SELECTOR - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - {{- with .Values.notebooks.sessionAffinity }} - - name: NB_SESSIONS__AFFINITY - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - {{- with .Values.notebooks.sessionTolerations }} - - name: NB_SESSIONS__TOLERATIONS - value: | - {{- toYaml . | nindent 16 }} - {{- end }} - name: KUBERNETES_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace {{- include "certificates.env.python" . 
| nindent 12 }} - - name: NB_SESSIONS__ENFORCE_CPU_LIMITS - value: {{ .Values.notebooks.enforceCPULimits | quote }} - - name: NB_CLOUD_STORAGE__ENABLED - value: {{ .Values.notebooks.cloudstorage.enabled | quote }} - - name: NB_CLOUD_STORAGE__STORAGE_CLASS - value: {{ .Values.notebooks.cloudstorage.storageClass | default "csi-rclone" | quote }} - - name: NB_SESSIONS__TERMINATION_WARNING_DURATION_SECONDS - value: {{ .Values.notebooks.sessionAutosave.terminationWarningDurationSeconds | quote }} - - name: NB_VERSION - value: {{ .Values.notebooks.image.tag | quote }} - {{ if .Values.notebooks.sessionsNamespace }} - - name: NB_K8S__SESSIONS_NAMESPACE - value: {{ .Values.notebooks.sessionsNamespace | quote }} - {{ end }} - - name: NB_K8S__BYPASS_CACHE_ON_FAILURE - value: {{ .Values.notebooks.bypassCacheOnFailure | quote }} - - name: NB_K8S__RENKU_NAMESPACE - value: {{ .Release.Namespace | quote }} - - name: NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_ID - value: renku - - name: NB_SESSIONS__GIT_PROXY__RENKU_CLIENT_SECRET - value: {{ .Values.global.gateway.clientSecret | quote }} - - name: NB_KEYCLOAK_REALM - value: {{ include "renku.keycloak.realm" . | quote }} - - name: NB_SESSIONS__SSH__ENABLED - value: {{ .Values.notebooks.ssh.enabled | quote }} - {{- if not (kindIs "invalid" .Values.notebooks.ssh.hostKeySecret) }} - - name: NB_SESSIONS__SSH__HOST_KEY_SECRET - value: {{ .Values.notebooks.ssh.hostKeySecret | quote }} - {{- end }} - name: NB_DUMMY_STORES value: {{ .Values.notebooks.dummyStores | quote }} - - name: NB_DATA_SERVICE_URL - value: {{ printf "http://%s-data-service/api/data" .Release.Name}} - - name: NB_USER_SECRETS__SECRETS_STORAGE_SERVICE_URL - value: {{ printf "http://%s-secrets-storage" .Release.Name}} - - name: NB_USER_SECRETS__IMAGE - value: "{{ .Values.notebooks.secretsMount.image.repository}}:{{.Values.notebooks.secretsMount.image.tag}}" ports: - name: http containerPort: 8000 
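Review bot: `NB_K8S__BYPASS_CACHE_ON_FAILURE` (from `.Values.notebooks.bypassCacheOnFailure`) is removed from the container env here but, unlike every other variable this hunk removes, it does not reappear in the new env Secret that the StatefulSet now reads via `envFrom`, so the setting silently stops reaching the service. If the service still honours it, add `NB_K8S__BYPASS_CACHE_ON_FAILURE: {{ .Values.notebooks.bypassCacheOnFailure | quote }}` to the Secret; if it was dropped on purpose, remove the values key and record that in values.yaml.changelog.md so operators do not keep setting a dead option. The container spec continues outside the hunk.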
diff --git a/helm-chart/renku/templates/secrets-storage/network-policy.yaml b/helm-chart/renku/templates/secrets-storage/network-policy.yaml deleted file mode 100644 index dbd2381cb3..0000000000 --- a/helm-chart/renku/templates/secrets-storage/network-policy.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-secrets-storage -spec: - podSelector: - matchLabels: - app: {{ template "renku.fullname" . }}-secrets-storage - release: {{ .Release.Name }} - policyTypes: - - Ingress - ingress: - - from: - # Only allow ingress to secrets storage from notebooks - - podSelector: - matchLabels: - app: {{ template "renku.notebooks.name" . }} - release: {{ .Release.Name }} - ports: - - protocol: TCP - port: http - diff --git a/helm-chart/renku/templates/setup-job-network-policy.yaml b/helm-chart/renku/templates/setup-job-network-policy.yaml deleted file mode 100644 index 736a0713da..0000000000 --- a/helm-chart/renku/templates/setup-job-network-policy.yaml +++ /dev/null @@ -1,35 +0,0 @@ -{{- if not .Values.global.externalServices.postgresql.enabled }} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ template "renku.fullname" . }}-setup-job - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: postgresql - policyTypes: - - Ingress - ingress: - - from: - - podSelector: - matchLabels: - app: postgres-setup - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - ports: - - protocol: TCP - port: 5432 - - from: - - podSelector: {} - namespaceSelector: {} - ports: - - protocol: TCP - port: 9187 -{{- end }} diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index faefc3ea32..3d3a1828e7 100644 --- a/helm-chart/renku/values.yaml 
+++ b/helm-chart/renku/values.yaml @@ -224,6 +224,11 @@ ingress: # - secretName: chart-example-tls # hosts: # - example.local +networkPolicies: + ## List of podSelector terms for pods in the release namespace that should be allowed all ingress to all services + allowAllIngressFromPods: [] + ## List of namespaces that should be allowed all ingress to all services + allowAllIngressFromNamespaces: [] ## Keycloak configuration keycloakx: ## Spawn a keycloak instance @@ -654,7 +659,7 @@ ui: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.41.0" + tag: "3.42.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -843,7 +848,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.41.0" + tag: "3.42.0" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" @@ -1281,7 +1286,7 @@ gateway: secretKey: image: repository: renku/renku-gateway - tag: "1.3.0" + tag: "1.3.1" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1590,14 +1595,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.25.0" + tag: "0.27.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.25.0" + tag: "0.27.0" pullPolicy: IfNotPresent total: resources: {} @@ -1650,7 +1655,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.25.0" + tag: "0.27.0" pullPolicy: IfNotPresent service: type: ClusterIP diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 54f4107b49..d65846f1c9 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,11 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
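Review bot: The comments on `allowAllIngressFromPods` and `allowAllIngressFromNamespaces` describe the mechanism but not its consequence: whatever these selectors match is exempted from every ingress NetworkPolicy in the release namespace, including the one in this patch set that limits the data service to session pods, so a broad entry such as an empty `matchLabels` or a widely shared namespace label reopens all of that. Suggest `## WARNING: matching pods bypass every ingress NetworkPolicy in this namespace; use specific labels, never an empty selector.` and the equivalent wording on the namespace list. It would also help to state how namespaces are matched (by name, presumably, but the template that consumes these keys is not in this hunk) and what an empty list entry does.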
` +## Upgrading to Renku 0.61.0 + +* NEW ``networkPolicies.allowAllIngressFromPods`` specify pod selectors that will allow the selected pods to access all other services in the Renku release namespace. +* NEW ``networkPolicies.allowAllIngressFromNamespaces`` specify a list of namespaces that should be allowed to access all other services in the Renku release namespace. + ## Upgrading to Renku 0.60.0 * NEW ``gateway.idleSessionTTLSeconds`` to set the session idle TTL in seconds. diff --git a/scripts/init-db/Dockerfile b/scripts/init-db/Dockerfile index fb2b22deb4..e194593dd5 100644 --- a/scripts/init-db/Dockerfile +++ b/scripts/init-db/Dockerfile @@ -1,6 +1,7 @@ FROM python:3.11-slim-bullseye RUN apt-get update && apt-get install -y \ + postgresql-client \ tini && \ rm -rf /var/lib/apt/lists/* COPY . . diff --git a/scripts/init-db/generate_ulid_func.sql b/scripts/init-db/generate_ulid_func.sql new file mode 100644 index 0000000000..90b2aa8305 --- /dev/null +++ b/scripts/init-db/generate_ulid_func.sql 
@@ -0,0 +1,83 @@
+-- From https://github.com/geckoboard/pgulid/blob/master/pgulid.sql
+-- Taken at commit sha b265253
+-- pgulid is based on OK Log's Go implementation of the ULID spec
+--
+-- https://github.com/oklog/ulid
+-- https://github.com/ulid/spec
+--
+-- Copyright 2016 The Oklog Authors
+-- Licensed under the Apache License, Version 2.0 (the "License");
+-- you may not use this file except in compliance with the License.
+-- You may obtain a copy of the License at
+--
+-- http://www.apache.org/licenses/LICENSE-2.0
+--
+-- Unless required by applicable law or agreed to in writing, software
+-- distributed under the License is distributed on an "AS IS" BASIS,
+-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+-- See the License for the specific language governing permissions and
+-- limitations under the License.
+
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+
+-- NOTE: REPLACE will error if you change the name, args or return type of the function
+-- There is no CREATE IF EXISTS, this is the closest thing that gives similar functionality
+CREATE OR REPLACE FUNCTION generate_ulid()
+RETURNS TEXT
+AS $$
+DECLARE
+ -- Crockford's Base32
+ encoding BYTEA = '0123456789ABCDEFGHJKMNPQRSTVWXYZ';
+ timestamp BYTEA = E'\\000\\000\\000\\000\\000\\000';
+ output TEXT = '';
+
+ unix_time BIGINT;
+ ulid BYTEA;
+BEGIN
+ -- 6 timestamp bytes
+ unix_time = (EXTRACT(EPOCH FROM CLOCK_TIMESTAMP()) * 1000)::BIGINT;
+ timestamp = SET_BYTE(timestamp, 0, (unix_time >> 40)::BIT(8)::INTEGER);
+ timestamp = SET_BYTE(timestamp, 1, (unix_time >> 32)::BIT(8)::INTEGER);
+ timestamp = SET_BYTE(timestamp, 2, (unix_time >> 24)::BIT(8)::INTEGER);
+ timestamp = SET_BYTE(timestamp, 3, (unix_time >> 16)::BIT(8)::INTEGER);
+ timestamp = SET_BYTE(timestamp, 4, (unix_time >> 8)::BIT(8)::INTEGER);
+ timestamp = SET_BYTE(timestamp, 5, unix_time::BIT(8)::INTEGER);
+
+ -- 10 entropy bytes
+ ulid = timestamp || gen_random_bytes(10);
+
+ -- Encode the timestamp
+ output = output
|| CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 0) & 224) >> 5));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 0) & 31)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 1) & 248) >> 3));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 1) & 7) << 2) | ((GET_BYTE(ulid, 2) & 192) >> 6)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 2) & 62) >> 1));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 2) & 1) << 4) | ((GET_BYTE(ulid, 3) & 240) >> 4)));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 3) & 15) << 1) | ((GET_BYTE(ulid, 4) & 128) >> 7)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 4) & 124) >> 2));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 4) & 3) << 3) | ((GET_BYTE(ulid, 5) & 224) >> 5)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 5) & 31)));
+
+ -- Encode the entropy
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 6) & 248) >> 3));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 6) & 7) << 2) | ((GET_BYTE(ulid, 7) & 192) >> 6)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 7) & 62) >> 1));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 7) & 1) << 4) | ((GET_BYTE(ulid, 8) & 240) >> 4)));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 8) & 15) << 1) | ((GET_BYTE(ulid, 9) & 128) >> 7)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 9) & 124) >> 2));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 9) & 3) << 3) | ((GET_BYTE(ulid, 10) & 224) >> 5)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 10) & 31)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 11) & 248) >> 3));
+ output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 11) & 7) << 2) | ((GET_BYTE(ulid, 12) & 192) >> 6)));
+ output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 12) & 62) >> 1));
+ output = output || CHR(GET_BYTE(encoding,
((GET_BYTE(ulid, 12) & 1) << 4) | ((GET_BYTE(ulid, 13) & 240) >> 4))); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 13) & 15) << 1) | ((GET_BYTE(ulid, 14) & 128) >> 7))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 14) & 124) >> 2)); + output = output || CHR(GET_BYTE(encoding, ((GET_BYTE(ulid, 14) & 3) << 3) | ((GET_BYTE(ulid, 15) & 224) >> 5))); + output = output || CHR(GET_BYTE(encoding, (GET_BYTE(ulid, 15) & 31))); + + RETURN output; +END +$$ +LANGUAGE plpgsql +VOLATILE; diff --git a/scripts/init-db/renku_db_init.py b/scripts/init-db/renku_db_init.py index e4789b38e0..0e2bfc31c0 100644 --- a/scripts/init-db/renku_db_init.py +++ b/scripts/init-db/renku_db_init.py @@ -3,7 +3,7 @@ from dataclasses import dataclass, field from queries import DatabaseInit -from utils import get_db_connection +from utils import create_ulid_func, get_db_connection logging.basicConfig(level=logging.INFO) @@ -132,7 +132,7 @@ def main(): config.renku_db_name, config.renku_db_password, postgres_db_connection, - ["pg_trgm"], + ["pg_trgm", "pgcrypto"], config.db_admin_username, ) db_init.create_database() @@ -147,6 +147,7 @@ def main(): renku_conn.set_session(autocommit=True) db_init.set_connection(renku_conn) db_init.set_extensions_and_roles() + create_ulid_func(config.db_admin_username, config.db_admin_password, config.renku_db_name, config.db_host, config.db_port) if __name__ == "__main__": diff --git a/scripts/init-db/utils.py b/scripts/init-db/utils.py index 10355b8877..ffb09e8e5f 100644 --- a/scripts/init-db/utils.py +++ b/scripts/init-db/utils.py @@ -1,4 +1,5 @@ import logging +from subprocess import STDOUT, check_output import requests 
@@ -36,3 +37,12 @@ def gitlab_is_online(url: str) -> int: f"Gitlab is not available at {url}, status code is {res.status_code}" ) return res.status_code + + +def create_ulid_func(username: str, password: str, db_name: str, host: str, port: int): + output = check_output( + ["psql", "-U", username, "-d", db_name, "-h", host, "-p", str(port), "-f", "generate_ulid_func.sql"], + stderr=STDOUT, + env={"PGPASSWORD": password}, + ).decode("utf-8") + logging.info(f"Created the ulid generation function:\n{output}") From 1ebc662aa795126b32233a41e975926ad153c4ab Mon Sep 17 00:00:00 2001 From: Renku Bot Date: Tue, 5 Nov 2024 12:19:02 +0000 Subject: [PATCH 06/12] chore: create release 0.62.0 --- CHANGELOG.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 35588e4c0c..ace84fd39e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,5 +1,10 @@ .. _changelog: +0.62.0 +------ + + + 0.61.0 ------ @@ -149,16 +154,11 @@ Internal Changes **Bug Fixes** - **Data services**: Handle spaces in ``provider_id`` for connected services (`#482 `__). -- **csi-rclone**: Do not log potentially sensitive data in error messages. -- **csi-rclone**: Properly handle encrypted secrets with the new annotation-based storage class. - Individual Components ~~~~~~~~~~~~~~~~~~~~~ - `renku-data-services 0.24.2 `__ -- `csi-rclone 0.3.4 `__ -- `csi-rclone 0.3.5 `__ 0.59.1 ------ From 98138a62fb9d71fc5a0b6ed15c341682d2c213b9 Mon Sep 17 00:00:00 2001 
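Review bot: `env={"PGPASSWORD": password}` replaces the whole environment of the `psql` child rather than extending it, so `PATH`, locale settings and any `PG*` variables the job relies on (for example `PGSSLMODE`/`PGSSLROOTCERT` if TLS to the database is configured that way) are not passed through; use `env={**os.environ, "PGPASSWORD": password}` (adding `import os` if utils.py does not already have it). Passing the password through the environment rather than the command line is the right call, since it keeps it out of `ps` output and out of the `CalledProcessError` message that `check_output` raises on failure. The SQL file is also resolved against the process working directory (`"-f", "generate_ulid_func.sql"`), which the Dockerfile's `COPY . .` only guarantees if the working directory is the copy target; `os.path.join(os.path.dirname(__file__), "generate_ulid_func.sql")` removes that dependency. Alternatively, the two statements in that file could be executed over the `renku_conn` psycopg connection the caller already holds, avoiding the new postgresql-client package and the second credential path entirely.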
From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Tue, 3 Dec 2024 09:56:19 +0100 Subject: [PATCH 07/12] release 0.61.1 (#3844) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: various amalthea, helm chart and data service fixes (#3846) * fix: upgrade amalthea to 0.14.5 * fix: upgrade data service to 0.27.1 * fix: storage class and restarts on secret update * fix: upgrade amalthea to 0.14.6 --------- Co-authored-by: Tasko Olevski Co-authored-by: Rok Roškar --- CHANGELOG.rst | 34 +++++++++++++++++++ helm-chart/renku/requirements.yaml | 4 +-- .../templates/data-service/deployment.yaml | 4 ++- .../renku/templates/notebooks/deployment.yaml | 3 ++ .../renku/templates/notebooks/env-secret.yaml | 4 +-- helm-chart/renku/values.yaml | 6 ++-- 6 files changed, 47 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 35588e4c0c..29046e2a1a 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,39 @@ .. _changelog: +0.61.1 +------ + +Renku 0.61.1 introduces a few bug fixes for the previous release. + + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Sessions**: Correctly launch sessions that request dedicated resources classes + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Bug Fixes** + +- **Amalthea**: Add resource requests for the authentication proxy containers +- **Amalthea**: Add support for setting priority classes for sessions +- **Data services**: Use the working directory to mount cloud storage if the mount path is relative +- **Data services**: Use HTTPS in the redirect URL for the authentication proxy +- **Data services**: Use GPU resource limits when GPUs are requested +- **Helm chart**: Do not set the default storage class to empty string if it is not set in the values file +- **Helm chart**: Restart the data services and notebooks pods when the mounted secret changes + +Individual components +~~~~~~~~~~~~~~~~~~~~~~ + +- `amalthea 0.14.5 `_ +- `amalthea 0.14.6 `_ +- `renku-data-services 0.27.1 `_ + + 0.61.0 ------ diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 0de1c14601..061692e12b 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -23,10 +23,10 @@ dependencies: alias: jena - name: amalthea repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.14.3" + version: "0.14.6" - name: amalthea-sessions repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.14.4" + version: "0.14.6" - name: dlf-chart repository: "https://swissdatasciencecenter.github.io/datashim/" version: "0.3.9-renku-2" diff --git a/helm-chart/renku/templates/data-service/deployment.yaml b/helm-chart/renku/templates/data-service/deployment.yaml index e657cd9b4f..ec07eb2814 100644 --- a/helm-chart/renku/templates/data-service/deployment.yaml +++ b/helm-chart/renku/templates/data-service/deployment.yaml 
@@ -23,8 +23,10 @@ spec: app: renku-data-service release: {{ .Release.Name }} {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} - {{- with .Values.dataService.podAnnotations }} annotations: + # NOTE: Without this the pod will not restart when the secret values change. + checksum/config: {{ include (print $.Template.BasePath "/notebooks/env-secret.yaml") . | sha256sum }} + {{- with .Values.dataService.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} spec: diff --git a/helm-chart/renku/templates/notebooks/deployment.yaml b/helm-chart/renku/templates/notebooks/deployment.yaml index 978d466f12..be4b9ed1fa 100644 --- a/helm-chart/renku/templates/notebooks/deployment.yaml +++ b/helm-chart/renku/templates/notebooks/deployment.yaml @@ -17,6 +17,9 @@ spec: release: {{ .Release.Name }} template: metadata: + annotations: + # NOTE: Without this the pod will not restart when the secret values change. + checksum/config: {{ include (print $.Template.BasePath "/notebooks/env-secret.yaml") . | sha256sum }} labels: app: {{ template "renku.notebooks.name" . }}-k8s-watcher chart: {{ template "renku.chart" . }} diff --git a/helm-chart/renku/templates/notebooks/env-secret.yaml b/helm-chart/renku/templates/notebooks/env-secret.yaml index c229aab657..4c765cc9d7 100644 --- a/helm-chart/renku/templates/notebooks/env-secret.yaml +++ b/helm-chart/renku/templates/notebooks/env-secret.yaml 
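Review bot: The `checksum/config` annotation added to the data-service pod template hashes `/notebooks/env-secret.yaml`, i.e. the notebooks Secret, so data-service pods roll whenever the notebooks configuration changes, and if the data service has a secret template of its own they will not roll when that one changes, which is presumably the case the commit set out to fix. Point the include at the data service's own secret template, e.g. `checksum/config: {{ include (print $.Template.BasePath "/data-service/<its-secret-template>.yaml") . | sha256sum }}` with the real file name, and keep the notebooks hash only if the data service actually mounts that Secret. The pod spec continues outside the hunk.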
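Review bot: The same `checksum/config` annotation is added to the k8s-watcher Deployment (its pod template carries `app: ...-k8s-watcher`), but the earlier hunk in this file sets that container's environment with explicit `env` entries and no `envFrom` on the notebooks Secret is visible, so unless the watcher mounts the Secret elsewhere this only forces an extra rollout of the watcher on every notebooks config change. Confirm the watcher consumes the Secret; if it does not, drop the annotation here, and if it does, a one-line comment naming which keys it reads, e.g. `# The watcher reads NB_AMALTHEA__* from this Secret; roll it when they change.`, would make the coupling visible. The pod template continues outside the hunk.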
@@ -9,9 +9,9 @@ metadata: type: Opaque stringData: NB_SESSIONS__STORAGE__PVS_ENABLED: {{ .Values.notebooks.userSessionPersistentVolumes.enabled | quote }} - {{ if .Values.notebooks.userSessionPersistentVolumes.enabled }} + {{- if and .Values.notebooks.userSessionPersistentVolumes.enabled .Values.notebooks.userSessionPersistentVolumes.storageClass }} NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS: {{ .Values.notebooks.userSessionPersistentVolumes.storageClass | quote}} - {{ end }} + {{- end }} NB_SESSIONS__STORAGE__USE_EMPTY_DIR_SIZE_LIMIT: {{ .Values.notebooks.userSessionPersistentVolumes.useEmptyDirSizeLimit | quote }} NB_SESSIONS__DEFAULT_IMAGE: "{{ .Values.notebooks.defaultSessionImage }}" NB_SERVER_OPTIONS__DEFAULTS_PATH: /etc/renku-notebooks/server_options/server_defaults.json diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 3d3a1828e7..4790c3d352 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -1595,14 +1595,14 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.27.0" + tag: "0.27.1" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.27.0" + tag: "0.27.1" pullPolicy: IfNotPresent total: resources: {} @@ -1655,7 +1655,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.27.0" + tag: "0.27.1" pullPolicy: IfNotPresent service: type: ClusterIP From 5e1748dd10bfb91b8af6d27054663465188e4d98 Mon Sep 17 00:00:00 2001 From: Lionel Sambuc Date: Tue, 3 Dec 2024 15:31:08 +0100 Subject: [PATCH 08/12] chore: update redis helm chart to latest revision (#3843) --- CHANGELOG.rst | 5 +++++ helm-chart/renku/requirements.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index ace84fd39e..22c5314daa 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
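Review bot: Guarding on `and ... .storageClass` treats an explicit `storageClass: ""` the same as an unset key, because the empty string is falsy in Go templates, so `NB_SESSIONS__STORAGE__PVS_STORAGE_CLASS` is omitted in both cases. In Kubernetes `storageClassName: ""` is a distinct request (bind only to PVs with no class, no dynamic provisioning) from leaving the field out (use the cluster default), so if the notebooks service forwards this variable into the PVC's `storageClassName` (not visible here) administrators lose the ability to ask for the former. If that distinction is intentionally unsupported, state it in the values file next to `storageClass`; otherwise test presence rather than truthiness, e.g. `{{- if and .Values.notebooks.userSessionPersistentVolumes.enabled (hasKey .Values.notebooks.userSessionPersistentVolumes "storageClass") }}`, after confirming the chart default leaves the key absent rather than null.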
@@ -3,7 +3,12 @@ 0.62.0 ------ +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** +* **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1`` 0.61.0 ------ diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 0de1c14601..d727c9e5a8 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -15,7 +15,7 @@ dependencies: # bitnami claims that this will always contain a full set of charts - let us pray... # this index was 19MB as of the date of this commit and contained redis 17.4.2 repository: "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami" - version: 17.4.2 + version: 20.3.0 condition: redis.install - name: renku-jena version: "0.0.25" From 1c875afbf9c8bf56f61ed266ed5792c397634b53 Mon Sep 17 00:00:00 2001 
From: Tasko Olevski Date: Wed, 4 Dec 2024 11:39:39 +0100 Subject: [PATCH 09/12] feat: remove internal gitlab (#3297) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Rok Roškar --- CHANGELOG.rst | 19 ++- docs/how-to-guides/admin/gitlab.rst | 15 +- helm-chart/gitlab/.helmignore | 21 --- helm-chart/gitlab/Chart.yaml | 5 - helm-chart/gitlab/requirements.yaml | 0 helm-chart/gitlab/templates/_gitlab.rb.tpl | 133 ----------------- helm-chart/gitlab/templates/_helpers.tpl | 24 --- helm-chart/gitlab/templates/configmap.yaml | 13 -- helm-chart/gitlab/templates/deployment.yaml | 136 ----------------- .../gitlab/templates/metrics-service.yaml | 25 ---- helm-chart/gitlab/templates/pvc.yaml | 29 ---- .../gitlab/templates/registry-ingress.yaml | 42 ------ .../gitlab/templates/registry-service.yaml | 25 ---- helm-chart/gitlab/templates/secret.yaml | 23 --- helm-chart/gitlab/templates/service.yaml | 31 ---- .../templates/ssh-nodeport-service.yaml | 24 --- helm-chart/gitlab/values.yaml | 115 -------------- helm-chart/renku/requirements.yaml | 4 - .../gateway/deployment-revproxy.yaml | 5 +- .../renku/templates/gateway/secret.yaml | 18 --- .../templates/gitlab-postgres-secret.yaml | 29 ---- helm-chart/renku/templates/ingress.yaml | 7 - .../renku/templates/network-policies.yaml | 14 -- .../templates/setup-job-keycloak-realms.yaml | 15 +- helm-chart/renku/values.yaml | 140 ------------------ helm-chart/values.yaml.changelog.md | 6 +- .../base-renku-values.yaml.template | 34 +---- 27 files changed, 33 insertions(+), 919 deletions(-) delete mode 100644 helm-chart/gitlab/.helmignore delete mode 100644 helm-chart/gitlab/Chart.yaml delete mode 100644 helm-chart/gitlab/requirements.yaml delete mode 100644 helm-chart/gitlab/templates/_gitlab.rb.tpl delete mode 100644 helm-chart/gitlab/templates/_helpers.tpl delete mode 100644 helm-chart/gitlab/templates/configmap.yaml delete mode 100644 helm-chart/gitlab/templates/deployment.yaml delete 
mode 100644 helm-chart/gitlab/templates/metrics-service.yaml delete mode 100644 helm-chart/gitlab/templates/pvc.yaml delete mode 100644 helm-chart/gitlab/templates/registry-ingress.yaml delete mode 100644 helm-chart/gitlab/templates/registry-service.yaml delete mode 100644 helm-chart/gitlab/templates/secret.yaml delete mode 100644 helm-chart/gitlab/templates/service.yaml delete mode 100644 helm-chart/gitlab/templates/ssh-nodeport-service.yaml delete mode 100644 helm-chart/gitlab/values.yaml delete mode 100644 helm-chart/renku/templates/gitlab-postgres-secret.yaml diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 22c5314daa..14363891c6 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,6 +3,15 @@ 0.62.0 ------ +This release removes the Gitlab omnibus Helm chart that we created and used to have as a dependency +of the Renku Helm chart. We have been discouraging anyone from using +this chart in production and we specified this in our documentation as well. + +If you are using the internal Gitlab Helm chart then ensure to migrate to a separate +Gitlab deployment as specified in our `documentation `_. +before installing this or any subsequent Renku version. Gitlab publishes an official Helm chart and +that is what should be used for deploying Gitlab with Helm. + Internal Changes ~~~~~~~~~~~~~~~~ @@ -10,13 +19,15 @@ Internal Changes * **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1`` +* **Helm chart**: remove the custom-made Gitlab Omnibus Helm chart from Renku dependencies + 0.61.0 ------ Renku 0.61.0 introduces a new version of Amalthea that supports running sessions with Docker images that do not contain Jupyter server. -NOTES to administrators: +NOTES to administrators: - This upgrade introduces a brand new CRD for sessions. All services that support sessions for Renku v2 will switch to this new CRD. Renku v1 sessions remain unchanged. 
@@ -26,15 +37,15 @@ NOTES to administrators: notify users of the change and allow for enough time so that existing Renku v2 sessions can be saved and cleaned up, rather than asking users to save the url to their sessions. In addition to users not being able to see old Renku v2 sessions, they will also not be able to pause, resume or delete old Renku v2 sessions. - Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order + Therefore it's best if most sessions are properly saved and cleaned up before this update is rolled out. In order to support the new CRD we have also created a new operator that will manage the new `amaltheasession` resources. -- The network policies for Renku have been consolidated and revamped. The most notable change here is the +- The network policies for Renku have been consolidated and revamped. The most notable change here is the removal of the egress policy that prevented egress to internal IP addresses from sessions. Now we disallow all ingress in the Renku release namespace by default and explicitly grant permissions to any pods that need to access other pods inside the Renku release namespace. Two properties relevant to this have been added to the Helm chart values file that allows administrators to grant access to all Renku services from a specific namespace - or to do the same for specific pods within the Renku namespace. These are not needed for Renku to function and the + or to do the same for specific pods within the Renku namespace. These are not needed for Renku to function and the default network policies should be sufficient, they have been added so that administrators can allow ingress for other services that may not come with the Renku Helm chart such as logging or monitoring. This change will result in the removal of some network policies and the creation of several new policies. 
diff --git a/docs/how-to-guides/admin/gitlab.rst b/docs/how-to-guides/admin/gitlab.rst index be3ef7cab1..9f1b76f3c6 100644 --- a/docs/how-to-guides/admin/gitlab.rst +++ b/docs/how-to-guides/admin/gitlab.rst @@ -81,19 +81,8 @@ and existing GitLab users can use Renku without creating a separate Renku accoun GitLab deployed as part of Renku -------------------------------- -We do *not* recommend deploying the Renku-bundled GitLab as part of a production Renku deployment, -and instead suggest deploying GitLab using the `official GitLab cloud-native Kubernetes chart -`_. Deploying GitLab as part of Renku may be deprecated in the future. - -If your Renku deployment includes GitLab you need to follow some additional steps to configure an admin user on GitLab. - -To grant a GitLab user the GitLab admin role without having access to the GitLab Web UI, the following steps can be taken in the GitLab container console. - -#. Run ``gitlab-rails console -e production`` (this might take a while). -#. Find the user you would like to grant the admin role, for example by running ``user = User.find_by(email: 'renku@renkulab.io')`` or ``user = User.find_by(username: 'renku')``. -#. Grant the user the administrator role by running ``user.admin = true``. -#. Save the user's profile by running ``user.save!``. -#. Leave the console by running ``exit``. +Deploying the GitLab Helm chart as part of the Renku Helm chart has been deprecated. If you have a Renku deployment that uses +the Gitlab version that used to come bundled with Renku, then please follow the instructions below to migrate. Migrate from Renku-bundled Omnibus GitLab to cloud-native Gitlab Helm chart --------------------------------------------------------------------------- diff --git a/helm-chart/gitlab/.helmignore b/helm-chart/gitlab/.helmignore deleted file mode 100644 index f0c1319444..0000000000 --- a/helm-chart/gitlab/.helmignore +++ /dev/null 
@@ -1,21 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*~ -# Various IDEs -.project -.idea/ -*.tmproj diff --git a/helm-chart/gitlab/Chart.yaml b/helm-chart/gitlab/Chart.yaml deleted file mode 100644 index 596260baa4..0000000000 --- a/helm-chart/gitlab/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v1 -appVersion: "1.0" -description: A Helm chart for the Renku Gitlab server -name: gitlab -version: 0.8.0 diff --git a/helm-chart/gitlab/requirements.yaml b/helm-chart/gitlab/requirements.yaml deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/helm-chart/gitlab/templates/_gitlab.rb.tpl b/helm-chart/gitlab/templates/_gitlab.rb.tpl deleted file mode 100644 index 6c9d8880a5..0000000000 --- a/helm-chart/gitlab/templates/_gitlab.rb.tpl +++ /dev/null 
@@ -1,133 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -GitLab Omnibus configuration -*/}} -{{- define "gitlab.config" -}} -## GitLab configuration settings -##! Check out the latest version of this file to know about the different -##! settings that can be configured by this file, which may be found at: -##! https://gitlab.com/gitlab-org/omnibus-gitlab/raw/master/files/gitlab-config-template/gitlab.rb.template - - -## GitLab URL -##! URL on which GitLab will be reachable. -##! For more details on configuring external_url see: -##! https://docs.gitlab.com/omnibus/settings/configuration.html#configuring-the-external-url-for-gitlab -external_url '{{ template "renku.http" . }}://{{ .Values.global.renku.domain }}/gitlab' - -##! **Override only if you use a reverse proxy** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#setting-the-nginx-listen-port -nginx['listen_port'] = 80 - -##! **Override only if your reverse proxy internally communicates over HTTP** -##! Docs: https://docs.gitlab.com/omnibus/settings/nginx.html#supporting-proxied-ssl -nginx['listen_https'] = false - -## Configure SSH port to be displayed correctly -gitlab_rails['gitlab_shell_ssh_port'] = {{ default 22 .Values.ssh.externalPort }} - -### OmniAuth Settings -###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html -gitlab_rails['omniauth_enabled'] = true -{{- if .Values.oauth.autoSignIn }} -gitlab_rails['omniauth_auto_sign_in_with_provider'] = 'oauth2_generic' -{{- end }} -gitlab_rails['omniauth_allow_single_sign_on'] = ['oauth2_generic'] -gitlab_rails['omniauth_block_auto_created_users'] = false -gitlab_rails['omniauth_providers'] = [ - { - 'name' => 'oauth2_generic', - 'app_id' => 'gitlab', - 'app_secret' => ENV['GITLAB_CLIENT_SECRET'], - 'args' => { - client_options: { - # Traefik maps keycloak to the URL below - # CAREFUL: This must be accessible from inside the keycloak container - # for server-to-server communication. - 'site' => '{{ template "renku.http" . 
}}://{{ .Values.global.renku.domain }}/auth/', - 'authorize_url' => '/auth/realms/Renku/protocol/openid-connect/auth', - 'user_info_url' => '/auth/realms/Renku/protocol/openid-connect/userinfo', - 'token_url' => '/auth/realms/Renku/protocol/openid-connect/token' - }, - user_response_structure: { - attributes: { email:'email', first_name:'given_name', last_name:'family_name', name:'name', nickname:'preferred_username' }, # if the nickname attribute of a user is called 'username' - id_path: 'sub' - }, - authorize_params: { - scope: "openid profile email" - } - }, - label: 'Renku Login' - } - ] - -gitlab_rails['initial_root_password'] = ENV['GITLAB_PASSWORD'] - -### GitLab database settings -###! Docs: https://docs.gitlab.com/omnibus/settings/database.html -###! **Only needed if you use an external database.** -postgresql['enable'] = false -gitlab_rails['db_adapter'] = "postgresql" -gitlab_rails['db_encoding'] = "utf-8" -gitlab_rails['db_database'] = ENV['POSTGRES_DATABASE'] -gitlab_rails['db_username'] = ENV['POSTGRES_USER'] -gitlab_rails['db_password'] = ENV['PGPASSWORD'] -gitlab_rails['db_host'] = '{{ template "postgresql.fullname" . }}' -gitlab_rails['db_port'] = 5432 - -### GitLab Redis settings -###! Connect to your own Redis instance -###! 
Docs: https://docs.gitlab.com/omnibus/settings/redis.html - -#### Redis TCP connection -# gitlab_rails['redis_host'] = localhost -# gitlab_rails['redis_port'] = 6379 -# gitlab_rails['redis_password'] = nil -# gitlab_rails['redis_database'] = 0 - -### GitLab LFS object store -### Docs: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html -{{ if .Values.lfsObjects.enabled -}} -gitlab_rails['lfs_object_store_enabled'] = true -gitlab_rails['lfs_object_store_remote_directory'] = "{{ .Values.lfsObjects.bucketName }}" -gitlab_rails['lfs_object_store_direct_upload'] = {{ .Values.lfsObjects.directUpload }} -gitlab_rails['lfs_object_store_background_upload'] = {{ .Values.lfsObjects.backgroundUpload }} -gitlab_rails['lfs_object_store_proxy_download'] = {{ .Values.lfsObjects.proxyDownload }} -gitlab_rails['lfs_object_store_connection'] = eval(ENV['GITLAB_LFS_CONNECTION']) -{{- end }} - -prometheus['enable'] = false -gitlab_rails['monitoring_whitelist'] = ['127.0.0.0/8', '10.0.0.0/8'] -gitlab_rails['env'] = { 'prometheus_multiproc_dir' => '/dev/shm' } - -### GitLab Registry settings -registry_external_url '{{ .Values.registry.externalUrl }}' -gitlab_rails['registry_enabled'] = {{ .Values.registry.enabled }} -registry_nginx['enable'] = false -registry['registry_http_addr'] = '0.0.0.0:8105' -### Registry backend storage -###! 
Docs: https://docs.gitlab.com/ce/administration/container_registry.html#container-registry-storage-driver -{{- if .Values.registry.storage }} -registry['storage'] = eval(ENV['GITLAB_REGISTRY_STORAGE']) -{{- end }} -registry['health_storagedriver_enabled'] = {{ .Values.registry.backendHealthcheck }} - -### GitLab rack-attack -### See: https://docs.gitlab.com/ce/security/rack_attack.html -### Disabled, as it is banning ingress controller IPs -gitlab_rails['rack_attack_git_basic_auth'] = { - 'enabled' => false -} - -{{ if .Values.logging.useJson -}} -gitaly['logging_format'] = 'json' -gitlab_shell['log_format'] = 'json' -gitlab_workhorse['log_format'] = 'json' -registry['log_formatter'] = 'json' -sidekiq['log_format'] = 'json' -gitlab_pages['log_format'] = 'json' -{{- end }} - -{{ .Values.extraConfig }} - -{{- end -}} diff --git a/helm-chart/gitlab/templates/_helpers.tpl b/helm-chart/gitlab/templates/_helpers.tpl deleted file mode 100644 index 4244a185db..0000000000 --- a/helm-chart/gitlab/templates/_helpers.tpl +++ /dev/null @@ -1,24 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "gitlab.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gitlab.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Hack for calling templates in a fake scope (until this is solved https://github.com/helm/helm/issues/4535) -*/}} -{{- define "call-nested" }} -{{- $dot := index . 0 }} -{{- $subchart := index . 1 }} -{{- $template := index . 2 }} -{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }} -{{- end }} 
diff --git a/helm-chart/gitlab/templates/configmap.yaml b/helm-chart/gitlab/templates/configmap.yaml deleted file mode 100644 index 6ab6774837..0000000000 --- a/helm-chart/gitlab/templates/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ template "gitlab.fullname" . }}-config - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -data: - gitlab.rb: |- -{{ include "gitlab.config" . | indent 4 }} diff --git a/helm-chart/gitlab/templates/deployment.yaml b/helm-chart/gitlab/templates/deployment.yaml deleted file mode 100644 index 271a586665..0000000000 --- a/helm-chart/gitlab/templates/deployment.yaml +++ /dev/null 
@@ -1,136 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} - annotations: - checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - spec: - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - env: - - name: POSTGRES_DATABASE - value: {{ .Values.global.gitlab.postgresDatabase }} - - name: POSTGRES_USER - value: {{ .Values.global.gitlab.postgresUser }} - - name: PGPASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }}-postgres - key: gitlab-postgres-password - - name: GITLAB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-client-secret - - name: GITLAB_PASSWORD - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-password - - name: RENKU_DOMAIN - value: {{ .Values.global.renku.domain }} - - name: GITLAB_SHARED_RUNNERS_REGISTRATION_TOKEN - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: shared-runners-registration-token - {{- if .Values.lfsObjects.enabled }} - - name: GITLAB_LFS_CONNECTION - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . }} - key: gitlab-lfs-connection - {{- end }} - {{- if .Values.registry.storage }} - - name: GITLAB_REGISTRY_STORAGE - valueFrom: - secretKeyRef: - name: {{ template "gitlab.fullname" . 
}} - key: gitlab-registry-storage - {{- end }} - ports: - - name: ssh - containerPort: 22 - - name: http - containerPort: 80 - - name: registry - containerPort: 8105 - livenessProbe: - httpGet: - path: /gitlab/help - port: http - # This pod takes a very long time to start up. Be cautious when - # lowering this value to avoid Pod death during startup. - initialDelaySeconds: 600 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 10 - readinessProbe: - httpGet: - path: /gitlab/help - port: http - initialDelaySeconds: 60 - timeoutSeconds: 15 - periodSeconds: 10 - successThreshold: 1 - failureThreshold: 3 - resources: -{{ toYaml .Values.resources | indent 10 }} - volumeMounts: - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_data.mountPath }} - subPath: {{ .Values.persistence.gitlab_data.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_config.mountPath }} - subPath: {{ .Values.persistence.gitlab_config.subPath }} - - name: gitlab-persistence - mountPath: {{ .Values.persistence.gitlab_logs.mountPath }} - subPath: {{ .Values.persistence.gitlab_logs.subPath }} - - name: config - mountPath: /etc/gitlab/gitlab.rb - subPath: gitlab.rb - volumes: - - name: gitlab-persistence - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ .Values.persistence.existingClaim | default (include "gitlab.fullname" .) }} - {{- else }} - emptyDir: {} - {{- end }} - - name: config - configMap: - name: {{ template "gitlab.fullname" . }}-config - - {{- with .Values.nodeSelector }} - nodeSelector: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: -{{ toYaml . | indent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: -{{ toYaml . | indent 8 }} - {{- end }} diff --git a/helm-chart/gitlab/templates/metrics-service.yaml b/helm-chart/gitlab/templates/metrics-service.yaml deleted file mode 100644 index 7c3cb5cf5f..0000000000 
--- a/helm-chart/gitlab/templates/metrics-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if .Values.service.metrics.enabled }} -apiVersion: v1 -kind: Service -metadata: -{{- if.Values.service.metrics.annotations }} - annotations: -{{ toYaml .Values.service.metrics.annotations | indent 4 }} -{{- end }} - name: {{ template "gitlab.fullname" . }}-metrics - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: ClusterIP - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end }} diff --git a/helm-chart/gitlab/templates/pvc.yaml b/helm-chart/gitlab/templates/pvc.yaml deleted file mode 100644 index b508c61c3d..0000000000 --- a/helm-chart/gitlab/templates/pvc.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}} -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.persistence.annotations }} - annotations: -{{ toYaml .Values.persistence.annotations | indent 4 }} -{{- end }} -spec: - accessModes: - - {{ .Values.persistence.accessMode | quote }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: "{{ .Values.persistence.storageClass }}" -{{- end }} -{{- end }} -{{- end -}} diff --git a/helm-chart/gitlab/templates/registry-ingress.yaml b/helm-chart/gitlab/templates/registry-ingress.yaml deleted file mode 100644 index 4f542363b2..0000000000 
--- a/helm-chart/gitlab/templates/registry-ingress.yaml +++ /dev/null @@ -1,42 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "Ingress" -}} -{{- $gitlabFullname := include "gitlab.fullname" . -}} -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: -{{- range $key, $value := .Values.registry.ingress.annotations }} - {{ $key }}: {{ $value | quote }} -{{- end }} -spec: -{{- if .Values.registry.ingress.tls }} - tls: - {{- range .Values.registry.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.registry.ingress.hosts }} - - host: {{ . }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: {{ $gitlabFullname }} - port: - number: {{ 8105 }} - {{- end }} -{{- end }} -{{- end }} diff --git a/helm-chart/gitlab/templates/registry-service.yaml b/helm-chart/gitlab/templates/registry-service.yaml deleted file mode 100644 index a5ca95c13f..0000000000 --- a/helm-chart/gitlab/templates/registry-service.yaml +++ /dev/null @@ -1,25 +0,0 @@ -{{- if not (empty .Values.registry.exposedAs) -}} -{{- if eq .Values.registry.exposedAs "NodePort" -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-registry - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - clusterIP: 10.100.123.45 - type: NodePort - ports: - - port: 8105 - nodePort: 30105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} 
diff --git a/helm-chart/gitlab/templates/secret.yaml b/helm-chart/gitlab/templates/secret.yaml deleted file mode 100644 index 69d18b1284..0000000000 --- a/helm-chart/gitlab/templates/secret.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -type: Opaque -data: - gitlab-password: {{ required "Fill in .Values.password with `openssl rand -hex 16`" .Values.password | b64enc | quote }} - gitlab-client-secret: {{ required "Fill in .Values.global.gitlab.clientSecret with `uuidgen -r`" .Values.global.gitlab.clientSecret | b64enc | quote }} - shared-runners-registration-token: {{ required "Fill in .Values.sharedRunnersRegistrationToken with `openssl rand -hex 32`" .Values.sharedRunnersRegistrationToken | b64enc | quote }} - -{{- if .Values.lfsObjects.enabled }} - gitlab-lfs-connection: {{ .Values.lfsObjects.connection | b64enc | quote }} -{{- end }} - -{{- if .Values.registry.storage }} - gitlab-registry-storage: {{ .Values.registry.storage | b64enc | quote }} -{{- end }} diff --git a/helm-chart/gitlab/templates/service.yaml b/helm-chart/gitlab/templates/service.yaml deleted file mode 100644 index 1fbe666f88..0000000000 --- a/helm-chart/gitlab/templates/service.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }} - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.service.annotations }} - annotations: -{{ toYaml .Values.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.service.type }} - ports: - - port: {{ .Values.service.port }} - targetPort: http - protocol: TCP - name: http - - port: 22 - targetPort: ssh - protocol: TCP - name: ssh - - port: 8105 - targetPort: registry - protocol: TCP - name: registry - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} diff --git a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml b/helm-chart/gitlab/templates/ssh-nodeport-service.yaml deleted file mode 100644 index 0a41ef4ce4..0000000000 --- a/helm-chart/gitlab/templates/ssh-nodeport-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -{{- if not (empty .Values.ssh.nodePortService) -}} -{{- if .Values.ssh.nodePortService.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ template "gitlab.fullname" . }}-ssh - labels: - app: {{ template "gitlab.name" . }} - chart: {{ template "gitlab.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: NodePort - ports: - - port: 22 - nodePort: {{ .Values.ssh.nodePortService.nodePort }} - targetPort: ssh - protocol: TCP - name: ssh - selector: - app: {{ template "gitlab.name" . }} - release: {{ .Release.Name }} -{{- end -}} -{{- end -}} diff --git a/helm-chart/gitlab/values.yaml b/helm-chart/gitlab/values.yaml deleted file mode 100644 index b57f908fb9..0000000000 --- a/helm-chart/gitlab/values.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -# Default values for gitlab. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -image: - repository: gitlab/gitlab-ce - tag: 14.10.5-ce.0 - pullPolicy: IfNotPresent - -ssh: - externalPort: 22 - nodePortService: - enabled: false - nodePort: 30022 - -oauth: - autoSignIn: false - -## LFS objects in remote object storage -## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage -lfsObjects: - enabled: false - bucketName: lfs-objects - directUpload: false - backgroundUpload: true - proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - -service: - type: ClusterIP - port: 80 - metrics: - enabled: true - annotations: - prometheus.io/scrape: "true" - prometheus.io/path: /gitlab/-/metrics - prometheus.io/port: "80" - -persistence: - enabled: true - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - # storageClass: "-" - accessMode: ReadWriteOnce - size: 30Gi - - gitlab_data: - subPath: data - mountPath: /var/opt/gitlab - gitlab_config: - subPath: config - mountPath: /etc/gitlab - gitlab_logs: - subPath: logs - mountPath: /var/log/gitlab - - -registry: - enabled: false - exposedAs: Ingress - # exposedAs: NodePort - backendHealthcheck: true - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - -resources: {} - # We usually 
recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} - -# Enable json logs for all services -logging: - useJson: true - -## Add some extra configuration to gitlab.rb -# extraConfig: | -# ## Fix number of unicorn workers -# unicorn['worker_processes'] = 7 - -# ## Fix something else -# ... diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index d727c9e5a8..db4226dd2e 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -1,8 +1,4 @@ dependencies: - - name: gitlab - repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: 0.8.0 - condition: gitlab.enabled - name: postgresql version: "14.2.4" repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index a16e20590f..09c89e04bc 100644 --- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml @@ -41,7 +41,7 @@ spec: initContainers: {{- include "certificates.initContainer" . | nindent 8 }} containers: - - name: gateway + - name: gateway image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} securityContext: 
@@ -66,7 +66,7 @@ spec: secretKeyRef: name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: cookieHashKey - - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET valueFrom: secretKeyRef: name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} @@ -140,4 +140,3 @@ spec: - name: public-config configMap: name: {{ template "renku.fullname" . }}-gateway - diff --git a/helm-chart/renku/templates/gateway/secret.yaml b/helm-chart/renku/templates/gateway/secret.yaml index 02feb32174..189c0638b4 100644 --- a/helm-chart/renku/templates/gateway/secret.yaml +++ b/helm-chart/renku/templates/gateway/secret.yaml @@ -2,11 +2,7 @@ {{- $oidcClientSecret := .Values.gateway.oidcClientSecret | default .Values.global.gateway.clientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $gitlabClientSecret := "" -}} -{{- if .Values.gitlab.enabled -}} -{{- $gitlabClientSecret = .Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret | default (randAlphaNum 64) | b64enc | quote }} -{{- else -}} {{- $gitlabClientSecret = required "Fill in .Values.gateway.gitlabClientSecret or .Values.global.gateway.gitlabClientSecret with the OIDC client secret you created in Gitlab" (.Values.gateway.gitlabClientSecret | default .Values.global.gateway.gitlabClientSecret) | b64enc | quote -}} -{{- end -}} {{- $gatewaySecret := .Values.gateway.secretKey | default (randAlphaNum 64) | b64enc | quote }} {{- $cliClientSecret := .Values.gateway.cliClientSecret | default .Values.global.gateway.cliClientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $notebooksClientSecret := .Values.notebooks.oidc.clientSecret | default (randAlphaNum 64) | b64enc | quote }} 
@@ -58,15 +54,6 @@ {{- end -}} {{- end -}} -{{- if .Values.gitlab.enabled -}} -{{- if not .Values.global.gitlab.clientSecret -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $gitlabClientInKeycloakSecret = index $secret.data "gitlabClientInKeycloakSecret" }} -{{- end -}} -{{- end -}} -{{- end }} - {{- $tokenEncryptionSecretKey := randAlphaNum 32 | b64enc | quote }} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} {{- if $secret }} @@ -112,11 +99,6 @@ data: notebooksClientSecret: {{ $notebooksClientSecret }} # A secret for the UI server client in Keycloak uiserverClientSecret: {{ $uiserverClientSecret }} - {{- if .Values.gitlab.enabled }} - # A secret for the Gitlab client in Keycloak if an internal Gitlab is used - gitlabClientInKeycloakSecret: {{ $gitlabClientInKeycloakSecret }} - {{- end }} cookieEncodingKey: {{ $csrfCookieEncodingKey }} cookieHashKey: {{ $csrfCookieHashKey }} tokenEncryption: {{ $tokenEncryptionSecretKey }} - diff --git a/helm-chart/renku/templates/gitlab-postgres-secret.yaml b/helm-chart/renku/templates/gitlab-postgres-secret.yaml deleted file mode 100644 index b8ce7270e8..0000000000 --- a/helm-chart/renku/templates/gitlab-postgres-secret.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -{{- if .Values.gitlab.enabled }} -{{- $db_password := default (randAlphaNum 64) .Values.global.gitlab.postgresPassword.value | b64enc | quote }} - -{{- $renkuFullname := include "renku.fullname" . -}} - -{{- if not .Values.global.gitlab.postgresPassword.value -}} -{{- $secretName := cat $renkuFullname "-gitlab-postgres" | nospace }} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} -{{- if $secret }} -{{- $db_password = index $secret.data "gitlab-postgres-password" }} -{{- end -}} -{{- end -}} - -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "renku.fullname" . }}-gitlab-postgres - labels: - app: {{ template "renku.name" . }} - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": "pre-install,pre-upgrade,pre-rollback" -type: Opaque -data: - gitlab-postgres-password: {{ $db_password }} -{{- end }} diff --git a/helm-chart/renku/templates/ingress.yaml b/helm-chart/renku/templates/ingress.yaml index 17cd9794ff..5f52d16be2 100644 --- a/helm-chart/renku/templates/ingress.yaml +++ b/helm-chart/renku/templates/ingress.yaml @@ -2,7 +2,6 @@ {{- $keycloakEnabled := .Values.keycloakx.enabled -}} {{- $keycloakFullname := include "keycloak.fullname" . -}} {{- $keycloakServicePort := .Values.keycloakx.ingress.servicePort -}} -{{- $gitlabEnabled := .Values.gitlab.enabled -}} {{- $gitlabFullname := include "gitlab.fullname" . -}} {{- $gitlabServicePort := 80 -}} {{- $uiFullname := include "ui.fullname" . -}} @@ -67,15 +66,9 @@ spec: pathType: Prefix backend: service: - {{- if $gitlabEnabled }} - name: {{ $gitlabFullname }} - port: - number: {{ $gitlabServicePort }} - {{ else }} name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - {{- end }} - path: /repos pathType: Prefix backend: diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 6dc5ac286e..48425c0ff0 100644 
--- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml @@ -38,20 +38,6 @@ spec: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} {{- end }} - {{- if .Values.gitlab.enabled }} - - podSelector: - matchLabels: - app: gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - - podSelector: - matchLabels: - app: post-install-gitlab - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - {{- end }} - podSelector: matchLabels: app: event-log diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 8c91721c55..1971f576a1 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -63,26 +63,17 @@ spec: - name: DEMO_USER_PASSWORD valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} + name: {{ cat (include "renku.fullname" .) "-kc-demo-user" | nospace }} key: keycloakDemoUserPassword {{- end }} - name: INTERNAL_GITLAB_ENABLED - value: {{ .Values.gitlab.enabled | toString | lower | quote }} - {{- if .Values.gitlab.enabled }} - - name: INTERNAL_GITLAB_OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} - key: gitlabClientInKeycloakSecret - - name: INTERNAL_GITLAB_OIDC_CLIENT_ID - value: "gitlab" - {{- end }} + value: "false" - name: RENKU_KC_CLIENT_ID value: renku - name: RENKU_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: oidcClientSecret - name: RENKU_KC_CLIENT_PUBLIC value: "false" diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 3d3a1828e7..7d6aeff8fb 100644 --- a/helm-chart/renku/values.yaml 
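Review bot: `INTERNAL_GITLAB_ENABLED` is pinned to the literal `"false"` in the setup-job-keycloak-realms.yaml hunk while the variable itself is kept, so nothing in the template tells a maintainer why an always-false flag survives now that the `gitlab.enabled` value it used to derive from is gone. A one-line comment above the entry, `# bundled GitLab was removed from the chart; the realm-setup job still reads this flag, so it is fixed to "false"`, would record that, or the entry can be dropped once the job image no longer consumes it. Whether the job image still reads the variable is not visible from this diff. The remaining changes in the hunk on the `secretKeyRef` `name:` lines are whitespace only.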
+++ b/helm-chart/renku/values.yaml 
@@ -513,146 +513,6 @@ solr: size: 8Gi zookeeper: enabled: false -## Gitlab configuration -gitlab: - ## Spawn a gitlab instance - enabled: true - ## Password for the `root` user - password: gitlabadmin - ## Gitlab image - image: - # pullPolicy: IfNotPresent - repository: gitlab/gitlab-ce - # Check out the gitlab docs on upgrading versions before changing the image tag. - # https://docs.gitlab.com/ee/update/#upgrade-paths - # in particular major versions https://docs.gitlab.com/ce/update/#upgrading-to-a-new-major-version - tag: 14.10.5-ce.0 - ## automatically log in to gitlab - oauth: - autoSignIn: true - ## Pod affinity for Gitlab deployment - # affinity: {} - ## Node selector for Gitlab deployment - # nodeSelector: {} - ## Pod tolerations for Gitlab deployment - # tolerations: [] - - ## Resource requests/limits for Gitlab - # resources: {} - - ## Registration token for gitlab runners (initial value, can be regenerated from gitlab admin ui) - ## Generated using: `openssl rand -hex 32` - sharedRunnersRegistrationToken: - ## Set to true to make the user 'demo' a GitLab admin - demoUserIsAdmin: false - ## External port for git ssh protocol - ## This setting affects the copy-paste repo git+ssh URL - # sshPort: 22 - - ## LFS objects settings - ## Used to store git-lfs objects externally - ## Note: bucket must exist before use, GitLab won't do it - ## Follows: https://docs.gitlab.com/ce/workflow/lfs/lfs_administration.html#storing-lfs-objects-in-remote-object-storage - # lfsObjects: - ## Set to true to enable remote LFS objects - # enabled: false - ## Bucket name - # bucketName: lfs-objects - # directUpload: false - # backgroundUpload: true - # proxyDownload: false - # connection: |- - # { - # 'provider' => 'AWS', - # 'region' => 'eu-central-1', - # 'aws_access_key_id' => '1ABCD2EFGHI34JKLM567N', - # 'aws_secret_access_key' => 'abcdefhijklmnopQRSTUVwxyz0123456789ABCDE', - # # The below options configure an S3 compatible host instead of AWS - # 'host' => 'localhost', - # 
'endpoint' => 'http://127.0.0.1:9000', - # 'path_style' => true - # } - - ## Persistent Volume settings - persistence: - # accessMode: ReadWriteOnce - size: 30Gi - ## Mount points for the PV - ## Setup according to the volumes declared in the Gitlab image - # gitlab_data: - # subPath: data - # mountPath: /var/opt/gitlab - # gitlab_config: - # subPath: config - # mountPath: /etc/gitlab - # gitlab_logs: - # subPath: logs - # mountPath: /var/log/gitlab - ## database data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: - - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - ## Set to false to disable the use of Persistent Volume - ## The databases will be lost when the pod is terminated! - # enabled: true - - ## Service configuration for Gitlab - ## Modify service.type according to your setup - # service: - # port: 80 - # type: ClusterIP - - ## Container image registry settings - registry: - ## Set to true to enable Gitlab registry - enabled: false - ## The URL to access the registry - # externalUrl: - ## Set `exposedAs` to "NodePort" when deploying on minikube - ## Set `exposedAs` to "Ingress" to expose the registry on an alternate domain. 
- # exposedAs: NodePort - ## Storage driver configuration for the registry - ## See: https://docs.gitlab.com/ee/administration/container_registry.html#container-registry-storage-driver - # storage: |- - # { - # 's3' => { - # 'accesskey' => 's3-access-key', - # 'secretkey' => 's3-secret-key-for-access-key', - # 'bucket' => 'your-s3-bucket', - # 'region' => 'your-s3-region' - # } - # } - ## Registry ingress, when `exposedAs` is set to "Ingress" - ## Uses conventional settings for ingress - ## Find below an example of values - # ingress: - # annotations: - # cert-manager.io/cluster-issuer: letsencrypt-production - # kubernetes.io/ingress.class: nginx - # nginx.ingress.kubernetes.io/proxy-body-size: '0' - # hosts: - # - registry.example.com - # tls: - # - hosts: - # - registry.example.com - # secretName: registry-tls - ## Add some extra configuration to gitlab.rb - # extraConfig: | - # ## Fix number of unicorn workers - # unicorn['worker_processes'] = 7 -# ## Fix something else -# ... - ## Configuration for the UI service ui: client: diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index d65846f1c9..d559ad49e0 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,10 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.62.0 + +* DELETE ``gitlab.*`` - all values related to the bundled GitLab have been removed. GitLab must from now on be provided as an external service and is no longer supplied as a part of the Renku Helm chart. + ## Upgrading to Renku 0.61.0 * NEW ``networkPolicies.allowAllIngressFromPods`` specify pod selectors that will allow the selected pods to access all other services in the Renku release namespace. @@ -78,7 +82,7 @@ New (either `running`, `finished` or `errored`) for the overall state of the rotation. Please make sure to unset `secretServicePreviousPrivateKey` once rotation is finished as a matter of best practice. - NOTE: Make sure that you do not redeploy or rollback the Renku Helm chart while a key rotation is underway. Even if the + NOTE: Make sure that you do not redeploy or rollback the Renku Helm chart while a key rotation is underway. Even if the deployment is broken it is best to wait for the key rotation to finish before attempting another deployment or a rollback. ## Upgrading to Renku 0.53.0 diff --git a/scripts/generate-values/base-renku-values.yaml.template b/scripts/generate-values/base-renku-values.yaml.template index 731296e5b5..d78ac6d1b9 100644 --- a/scripts/generate-values/base-renku-values.yaml.template +++ b/scripts/generate-values/base-renku-values.yaml.template @@ -18,29 +18,9 @@ global: useHTTPS: true gateway: secretKey: -gitlab: - enabled: false - password: - sharedRunnersRegistrationToken: - lfsObjects: - enabled: false - connection: {{}} - registry: - enabled: false - externalUrl: https://registry.{renku_domain} - storage: {{}} - ingress: - annotations: - cert-manager.io/cluster-issuer: letsencrypt-production - kubernetes.io/ingress.class: nginx - nginx.ingress.kubernetes.io/proxy-body-size: '0' - hosts: - - {gitlab_registry} - tls: - - hosts: - - {gitlab_registry} - secretName: registry-tls graph: + gitlab: + url: {gitlab_url} tokenRepository: tokenEncryption: secret: 
@@ -60,13 +40,11 @@ ingress: - hosts: - {renku_domain} secretName: {namespace}-renku-ch-tls -jena: - users: - admin: - password: - renku: - password: notebooks: + gitlab: + registry: + host: {gitlab_registry} + url: {gitlab_url} oidc: allowUnverifiedEmail: true authUrl: https://{renku_domain}/auth/realms/Renku/protocol/openid-connect/auth From 0d6a148b4823d1dc99d72b75a76488c06f90e8af Mon Sep 17 00:00:00 2001 From: eikek <701128+eikek@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:26:24 +0100 Subject: [PATCH 10/12] Update search to release 0.7.0 (#3852) --- CHANGELOG.rst | 15 +++++++++++++-- .../templates/search/search-api-deployment.yaml | 6 ++++++ .../search/search-provision-deployment.yaml | 6 ++++++ helm-chart/renku/values.yaml | 8 ++++++-- helm-chart/values.yaml.changelog.md | 1 + 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index a8e99abda3..7e455789c1 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -17,9 +17,20 @@ Internal Changes **Improvements** -* **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1`` +- **Infrastructure Components**: ``redis`` has been upgraded from version ``7.0.7`` to ``7.4.1`` +- **Helm chart**: remove the custom-made Gitlab Omnibus Helm chart from Renku dependencies +- **Search services**: Add support for sentry -* **Helm chart**: remove the custom-made Gitlab Omnibus Helm chart from Renku dependencies + +**Bug Fixes** + +- **Search services**: Don't return results without linked namespaces + + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-search 0.7.0 `_ 0.61.1 diff --git a/helm-chart/renku/templates/search/search-api-deployment.yaml b/helm-chart/renku/templates/search/search-api-deployment.yaml index 55e7182525..48a0050304 100644 --- a/helm-chart/renku/templates/search/search-api-deployment.yaml +++ b/helm-chart/renku/templates/search/search-api-deployment.yaml 
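Review bot: The removal of the `jena.users.admin.password` and `jena.users.renku.password` placeholders in this base-renku-values.yaml.template hunk is unrelated to the external-GitLab change the rest of the diff makes, and nothing here says whether the Jena subchart stopped expecting those keys. If it still does, the generated values file will omit the credentials from now on; that deserves a sentence in the commit message or a separate commit so the intent is traceable. The new `notebooks.gitlab.registry.host` and `url` keys mirror the `graph.gitlab.url` key added in the previous hunk, which is consistent.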
@@ -50,6 +50,12 @@ spec:
 value: "false"
 - name: "RS_JWT_ALLOWED_ISSUER_URL_PATTERNS"
 value: "{{ include "renku.keycloakUrl" . }}*/*"
+ - name: "RS_SENTRY_DSN"
+ value: {{ .Values.search.sentry.dsn | quote }}
+ - name: "RS_SENTRY_ENV"
+ value: {{ .Values.search.sentry.environment | quote }}
+ - name: "RS_SENTRY_ENABLED"
+ value: {{ .Values.search.sentry.enabled | quote}}
 - name: JAVA_OPTS
 value: "-Xmx{{ .Values.search.searchApi.jvmXmx }} -XX:+UseZGC -XX:+ZGenerational"
 ports:
diff --git a/helm-chart/renku/templates/search/search-provision-deployment.yaml b/helm-chart/renku/templates/search/search-provision-deployment.yaml
index 946d6491b5..dcc676d2a6 100644
--- a/helm-chart/renku/templates/search/search-provision-deployment.yaml
+++ b/helm-chart/renku/templates/search/search-provision-deployment.yaml
@@ -66,6 +66,12 @@ spec:
 value: "500ms"
 - name: RS_SOLR_LOG_MESSAGE_BODIES
 value: "false"
+ - name: "RS_SENTRY_DSN"
+ value: {{ .Values.search.sentry.dsn | quote }}
+ - name: "RS_SENTRY_ENV"
+ value: {{ .Values.search.sentry.environment | quote }}
+ - name: "RS_SENTRY_ENABLED"
+ value: {{ .Values.search.sentry.enabled | quote }}
 - name: JAVA_OPTS
 value: "-Xmx{{ .Values.search.searchProvision.jvmXmx }} -XX:+UseZGC -XX:+ZGenerational"
 ports:
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
index b5fa097d0d..9e95da9ed5 100644
--- a/helm-chart/renku/values.yaml
+++ b/helm-chart/renku/values.yaml
@@ -1237,11 +1237,15 @@ jena:
 enabled: false
 ## Configuration for renku-search services
 search:
+ sentry:
+ enabled: false
+ dsn:
+ environment:
 searchApi:
 replicas: 1
 image:
 repository: renku/search-api
- tag: "0.6.2"
+ tag: "0.7.0"
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP
@@ -1254,7 +1258,7 @@ search:
 replicas: 1
 image:
 repository: renku/search-provision
- tag: "0.6.2"
+ tag: "0.7.0"
 pullPolicy: IfNotPresent
 service:
 type: ClusterIP
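Review bot: `RS_SENTRY_DSN` is injected as a plain `value:` straight from `.Values.search.sentry.dsn` in the search-api-deployment.yaml hunk, whereas the credential-like settings elsewhere in this chart (for example `cookieHashKey` and `GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET` in deployment-revproxy.yaml) are read from a Secret via `secretKeyRef`. A Sentry DSN embeds the project key, so if it is treated as sensitive in this deployment it should be stored in a Secret and referenced the same way, and the values.yaml default should say where it is expected to live. The search-provision-deployment.yaml hunk repeats the same pattern and would need the same treatment. Minor: `{{ .Values.search.sentry.enabled | quote}}` is missing the space before `}}` that the provision hunk and every other template expression on the page use.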
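Review bot: The new `search.sentry` block in the values.yaml hunk carries no `##` comment while its neighbour does (`## Configuration for renku-search services`), and `dsn:` and `environment:` are left as bare nulls, so a reader of values.yaml cannot tell what they are for or that `enabled` gates them. A comment above `sentry:` such as `## Sentry error reporting for the search-api and search-provision services (exposed to them as the RS_SENTRY_* environment variables)` would make the block self-explanatory, with a short note on `dsn:` saying it is the Sentry DSN to report to. The two `tag:` bumps in the same hunk and the one below are version changes and need nothing further.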
diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index d559ad49e0..3fd436c08b 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -8,6 +8,7 @@ Please follow this convention when adding a new row ## Upgrading to Renku 0.62.0 * DELETE ``gitlab.*`` - all values related to the bundled GitLab have been removed. GitLab must from now on be provided as an external service and is no longer supplied as a part of the Renku Helm chart. +* NEW `search.sentry.environment|dsn|enabled` to set the sentry environment for the search services ## Upgrading to Renku 0.61.0 From 8521a64fa971a1208a37f4c77c348f784a994559 Mon Sep 17 00:00:00 2001 From: Lionel Sambuc Date: Mon, 16 Dec 2024 14:29:23 +0100 Subject: [PATCH 11/12] fix: point redis helm chart to the oci URI (#3855) --- helm-chart/renku/requirements.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index cbe7a7b41f..95376234d2 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -8,9 +8,7 @@ dependencies: repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis - # bitnami claims that this will always contain a full set of charts - let us pray... - # this index was 19MB as of the date of this commit and contained redis 17.4.2 - repository: "https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami" + repository: "oci://registry-1.docker.io/bitnamicharts" version: 20.3.0 condition: redis.install - name: renku-jena @@ -39,5 +37,5 @@ dependencies: - name: common repository: oci://registry-1.docker.io/bitnamicharts tags: - - bitnami-common + - bitnami-common version: 2.x.x From 7550ef39827ac280365cd3dba4149ecb32c95e2a Mon Sep 17 00:00:00 2001 
From: Andrea Cordoba <43388408+andre-code@users.noreply.github.com>
Date: Mon, 16 Dec 2024 15:33:16 +0100
Subject: [PATCH 12/12] tests: remove check of project container for anonymous users (#3853)
---
 cypress-tests/cypress/e2e/dashboardV2.cy.ts | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/cypress-tests/cypress/e2e/dashboardV2.cy.ts b/cypress-tests/cypress/e2e/dashboardV2.cy.ts
index 1bb9d6d7b9..df89a5174d 100644
--- a/cypress-tests/cypress/e2e/dashboardV2.cy.ts
+++ b/cypress-tests/cypress/e2e/dashboardV2.cy.ts
@@ -72,9 +72,7 @@ describe("Dashboard v2 - Authenticated user", () => {
 describe("Dashboard v2 - Non-Authenticated user", () => {
 it("Cannot see projects and groups on Dashboard when logged out", () => {
 cy.visit("v2");
- cy.getDataCy("projects-container").contains("No 2.0 projects.");
- cy.getDataCy("view-other-projects-btn").should("be.visible");
- cy.getDataCy("groups-container").contains("No 2.0 groups.");
- cy.getDataCy("view-other-groups-btn").should("be.visible");
+ cy.getDataCy("user-container").should("be.visible");
+ cy.getDataCy("user-container").should("contain.text", "You are not logged in.");
 });
 });
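Review bot: The test title still promises that projects and groups are not visible when logged out, but after this change the body only asserts that `user-container` shows the "You are not logged in." text, so the negative check is gone and a regression that rendered projects to anonymous users would still pass. If the project and group containers are intentionally absent for anonymous users, `cy.getDataCy("projects-container").should("not.exist");` and the same for `groups-container` would keep the stated guarantee; otherwise the `it(...)` title should be renamed to describe what is actually checked. The two `cy.getDataCy("user-container")` lookups can also be one chain: `cy.getDataCy("user-container").should("be.visible").and("contain.text", "You are not logged in.");`.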