diff --git a/charts/jupyter-pyspark/Chart.yaml b/charts/jupyter-pyspark/Chart.yaml index fd072ab1..4cdc31e1 100644 --- a/charts/jupyter-pyspark/Chart.yaml +++ b/charts/jupyter-pyspark/Chart.yaml @@ -24,9 +24,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-pyspark/README.md b/charts/jupyter-pyspark/README.md index b11e4893..3cd1dc86 100644 --- a/charts/jupyter-pyspark/README.md +++ b/charts/jupyter-pyspark/README.md @@ -1,6 +1,6 @@ # jupyter-pyspark -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with PySpark, an interface to use Apache Spark from Python. @@ -15,7 +15,7 @@ The JupyterLab IDE with PySpark, an interface to use Apache Spark from Python. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with PySpark, an interface to use Apache Spark from Python. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with PySpark, an interface to use Apache Spark from Python. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | @@ -105,9 +108,9 @@ The JupyterLab IDE with PySpark, an interface to use Apache Spark from Python. | security.password | string | `"changeme"` | | | securityContext | object | `{}` | | | service.image.custom.enabled | bool | `false` | | -| service.image.custom.version | string | `"inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2"` | | +| service.image.custom.version | string | `"inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3"` | | | service.image.pullPolicy | string | `"IfNotPresent"` | | -| service.image.version | string | `"inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2"` | | +| service.image.version | string | `"inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3"` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | 
diff --git a/charts/jupyter-pyspark/templates/secret-cacerts.yaml b/charts/jupyter-pyspark/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-pyspark/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-pyspark/templates/secret-extraenv.yaml b/charts/jupyter-pyspark/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-pyspark/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-pyspark/templates/statefulset.yaml b/charts/jupyter-pyspark/templates/statefulset.yaml index bbbb02b8..cc2cf38c 100644 --- a/charts/jupyter-pyspark/templates/statefulset.yaml +++ b/charts/jupyter-pyspark/templates/statefulset.yaml @@ -44,19 +44,24 @@ spec: {{- if .Values.s3.enabled }} checksum/s3: {{ include (print $.Template.BasePath "/secret-s3.yaml") . | sha256sum }} {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} {{- if not (empty (trim (include "library-chart.secretSparkConf" .)))}} checksum/sparkconf: {{ include (print $.Template.BasePath "/secret-sparkconf.yaml") . | sha256sum }} {{- end }} {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "library-chart.selectorLabels" . | nindent 8 }} spec: volumes: + - name: config-files + emptyDir: {} - name: home {{- if .Values.persistence.enabled }} persistentVolumeClaim: 
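Review bot: `checksum/cacerts` in the `@@ -44,19 +44,24 @@` hunk hashes the raw `.Values.certificates.cacerts` value, unlike the neighbouring `checksum/*` annotations, which hash the rendered secret template. When the value is a URL only the URL string is hashed, so a bundle rotated at the same URL leaves the annotation unchanged and pods keep the CA set fetched at their last start. For consistency consider `checksum/cacerts: {{ include (print $.Template.BasePath "/secret-cacerts.yaml") . | sha256sum }}` (assuming that template renders deterministically), plus a comment that URL-mode bundles are refreshed only on pod restart. The same annotation is added to the jupyter-python-gpu and jupyter-python statefulsets, and the annotations block starts outside this hunk.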
@@ -99,8 +104,11 @@ spec: secretName: {{ include "library-chart.secretNameCoreSite" . }} defaultMode: 0664 {{- end }} - - name: config-files - emptyDir: {} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -114,10 +122,10 @@ spec: - name: make-configmaps-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c - - | + - -c + - | echo 'initContainer make-configmaps-writable is started'; {{- if .Values.s3.enabled }} mkdir /dest/coresite; @@ -132,14 +140,29 @@ spec: cp /src/ivysettings/ivysettings.xml /dest/ivysettings/ivysettings.xml; {{- end }} {{- if .Values.discovery.hive }} - mkdir /dest/hive; + mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite @@ -148,8 +171,6 @@ spec: - name: secret-ivysettings mountPath: /src/ivysettings {{- end }} - - name: config-files - mountPath: /dest {{- if .Values.spark.default }} - name: secret-sparkconf mountPath: /src/spark 
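Review bot: The URL branch in the `@@ -132,14 +140,29 @@` hunk installs trust anchors from a fetch that is not authenticated or checked. The `^https?://` match admits plain `http://`; `curl -s` has no `--fail`, so an HTTP error body is written to `/tmp/ca.pem` and then split into `/dest/cacerts/cert.0.crt` by `awk`; and `$(cat /cacerts/ca-certs.url)` is unquoted, so the shell word-splits its content into separate curl arguments. Suggest matching `^https://` only and using `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem`. No `set -e` is visible in the script, so a failed download would presumably still let the pod start without the bundle; decide whether the init container should abort instead. The identical block is added to the jupyter-python-gpu and jupyter-python statefulsets, and the script body starts outside this hunk.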
@@ -218,8 +239,8 @@ spec: {{- if .Values.userPreferences.darkMode }} - name: DARK_MODE value: "true" - {{- end }} - envFrom: + {{- end }} + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -246,6 +267,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -296,6 +321,11 @@ spec: mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-pyspark/values.schema.json b/charts/jupyter-pyspark/values.schema.json index 48e5aca1..b9b1778e 100644 --- a/charts/jupyter-pyspark/values.schema.json +++ b/charts/jupyter-pyspark/values.schema.json @@ -24,15 +24,15 @@ "description": "supported versions", "type": "string", "listEnum": [ - "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2", - "inseefrlab/onyxia-jupyter-pyspark:py3.11.10-spark3.5.2" + "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3", + "inseefrlab/onyxia-jupyter-pyspark:py3.11.10-spark3.5.3" ], "render": "list", "hidden": { "value": true, "path": "service/image/custom/enabled" }, - "default": "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2" + "default": "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3" }, "custom": { "description": "use a custom jupyter docker image", 
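Review bot: The extra-env secret in the `@@ -246,6 +267,10 @@` hunk is appended as the last `envFrom` source, and Kubernetes resolves duplicate keys across `envFrom` sources in favour of the last one listed. An `extraEnvVars` name that matches a key in the token, S3 or MLflow secrets referenced earlier in the list would therefore replace that value in the container. If that is intended, document it with a comment such as `# listed last on purpose: extraEnvVars override keys from the secrets above`; otherwise move the entry to the top of the list. The same entry is added to the jupyter-python-gpu and jupyter-python statefulsets, and the `envFrom` list starts outside this hunk.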
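Review bot: The `config-files` mount added in the `@@ -296,6 +321,11 @@` hunk is gated on `certificates.pathToCaBundle`, but the init container only populates `/dest/cacerts` when `certificates.cacerts` is set. With a path and no `cacerts`, the `subPath: cacerts` mount would presumably put an empty directory over that path in the main container, hiding any CA files the image ships there. Even with `cacerts` set, the mount replaces the directory contents rather than adding to them. Suggest gating on both values, `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`, and noting the shadowing in a comment. The same mount is added to the jupyter-python-gpu and jupyter-python statefulsets, and the `volumeMounts` list starts outside this hunk.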
@@ -50,7 +50,7 @@ "version": { "description": "jupyter unsupported version", "type": "string", - "default": "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2", + "default": "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3", "hidden": { "value": false, "path": "service/image/custom/enabled" @@ -264,6 +264,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -691,6 +714,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
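Review bot: The `name` pattern `^[a-zA-Z0-9_]+$` in the `extraEnvVars` items of the `@@ -264,6 +264,29 @@` hunk accepts a leading digit, and the item schema declares no `required` keys, so an entry with only a `value` or with the empty default name passes the type check. Keys that are not valid identifiers may be skipped by `envFrom` depending on the cluster version, which would drop the variable without failing the install. Suggest `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"` and `"required": ["name", "value"]` on the item object. This applies only where the platform does not replace the block through `overwriteSchemaWith`. The same schema block is added to the jupyter-python-gpu chart.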
@@ -779,41 +810,41 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } } }, "startupProbe": { 
@@ -866,6 +897,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", @@ -887,4 +944,4 @@ } } } -} +} \ No newline at end of file diff --git a/charts/jupyter-pyspark/values.yaml b/charts/jupyter-pyspark/values.yaml index 1efa25e9..6fbf4142 100644 --- a/charts/jupyter-pyspark/values.yaml +++ b/charts/jupyter-pyspark/values.yaml @@ -4,11 +4,11 @@ global: service: image: - version: "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2" + version: "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3" pullPolicy: IfNotPresent custom: enabled: false - version: "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.2" + version: "inseefrlab/onyxia-jupyter-pyspark:py3.12.6-spark3.5.3" spark: sparkui: false @@ -49,6 +49,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + environment: user: onyxia group: users @@ -65,7 +72,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: false 
@@ -180,6 +186,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: enabled: false @@ -245,6 +252,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/jupyter-python-gpu/Chart.yaml b/charts/jupyter-python-gpu/Chart.yaml index 9224d2a4..9da0c5f7 100644 --- a/charts/jupyter-python-gpu/Chart.yaml +++ b/charts/jupyter-python-gpu/Chart.yaml @@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-python-gpu/README.md b/charts/jupyter-python-gpu/README.md index 02859a9b..bb0f81b1 100644 --- a/charts/jupyter-python-gpu/README.md +++ b/charts/jupyter-python-gpu/README.md @@ -1,6 +1,6 @@ # jupyter-python-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python, Julia, and a collection of standard data science packages, with GPU support. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-python-gpu/templates/secret-cacerts.yaml b/charts/jupyter-python-gpu/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-python-gpu/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-python-gpu/templates/secret-extraenv.yaml b/charts/jupyter-python-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-python-gpu/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-python-gpu/templates/statefulset.yaml b/charts/jupyter-python-gpu/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-python-gpu/templates/statefulset.yaml 
+++ b/charts/jupyter-python-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-python-gpu/values.schema.json b/charts/jupyter-python-gpu/values.schema.json index 76799482..35630e4a 100644 --- a/charts/jupyter-python-gpu/values.schema.json +++ b/charts/jupyter-python-gpu/values.schema.json @@ -231,6 +231,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -675,6 +698,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -841,6 +872,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-python-gpu/values.yaml b/charts/jupyter-python-gpu/values.yaml index e5f60790..ec317375 100644 --- a/charts/jupyter-python-gpu/values.yaml +++ b/charts/jupyter-python-gpu/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/jupyter-python/Chart.yaml b/charts/jupyter-python/Chart.yaml index bdac60a4..0dbe5b4f 100644 --- a/charts/jupyter-python/Chart.yaml +++ b/charts/jupyter-python/Chart.yaml 
@@ -22,9 +22,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-python/README.md b/charts/jupyter-python/README.md index 8dd45542..dbbae174 100644 --- a/charts/jupyter-python/README.md +++ b/charts/jupyter-python/README.md @@ -1,6 +1,6 @@ # jupyter-python -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python, Julia, and a collection of standard data science packages. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python, Julia, and a collection of standard data science | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-python/templates/secret-cacerts.yaml b/charts/jupyter-python/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-python/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-python/templates/secret-extraenv.yaml b/charts/jupyter-python/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-python/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-python/templates/statefulset.yaml b/charts/jupyter-python/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-python/templates/statefulset.yaml +++ b/charts/jupyter-python/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-python/values.schema.json b/charts/jupyter-python/values.schema.json index a580775c..8930b068 100644 --- a/charts/jupyter-python/values.schema.json +++ b/charts/jupyter-python/values.schema.json 
@@ -1,852 +1,909 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-jupyter-python:py3.12.6", - "inseefrlab/onyxia-jupyter-python:py3.11.10" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-jupyter-python:py3.12.6" - }, - "custom": { - "description": "use a custom jupyter docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom jupyter docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "jupyter unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-jupyter-python:py3.12.6", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. 
No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuRequest", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryRequest", - "useRegionSliderConfig": "memory" - } - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": 
"Maximum", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuLimit", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryLimit", - "useRegionSliderConfig": "memory" - } - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-jupyter-python:py3.12.6", + "inseefrlab/onyxia-jupyter-python:py3.11.10" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-jupyter-python:py3.12.6" }, - "properties": { + "custom": { + "description": "use a custom jupyter docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom jupyter docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": 
"jupyter unsupported version", + "type": "string", + "default": "inseefrlab/onyxia-jupyter-python:py3.12.6", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } - }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + } + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuRequest", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": 
"region.resources.memoryRequest", + "useRegionSliderConfig": "memory" + } } + } }, - "kubernetes": { - "description": "configuration of your kubernetes access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuLimit", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "view", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryLimit", + "useRegionSliderConfig": "memory" + } } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - 
"x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + 
"x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - 
"x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/role.json" + }, + "properties": { + "enabled": { + "type": 
"boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", - "description": "Enable a custom service port", - "default": false - }, - "port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "view", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "discovery": { - "description": "configure your service to autodetect some ressources.", - "type": "object", - "properties": { - "hive": { - "type": "boolean", - "title": "Enable hive metastore discovery", - "description": "discover your hive metastore service", - "default": true - }, - "mlflow": { - "type": "boolean", - "title": "Enable mlflow discovery", - "description": "discover your mlflow service", - "default": true - }, - "metaflow": { - "type": "boolean", - "title": "Enable metaflow discovery", - "description": "discover your metaflow service", - "default": true - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + 
"hidden": { + "value": false, + "path": "vault/enabled" + } }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "openshiftSCC": { - "description": "configuration for openshift compatibility", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/openshiftSCC.json" - }, - "properties": { - "enabled": { - "description": "enable rolebinding with openshift scc", - "type": "boolean", - "default": 
false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.enabled" - } - }, - "scc": { - "type": "string", - "description": "name of scc for rolebinding", - "default": "anyuid", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.scc" - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - "title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - "certManagerClusterIssuer": { - "type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - } - } + "secret": { + "description": "the path of the secret to convert into a list of environment 
variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + 
"sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, "repository": { - "description": "python repositories for pip and conda", - "type": "object", - "properties": { - "pipRepository": { - "type": "string", - "description": "python repository for pip", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.pypiProxyUrl}}" - } - }, - "condaRepository": { - "type": "string", - "description": "python repository for pip", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": 
"{{packageRepositoryInjection.condaProxyUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + "description": "Enable a custom service port", + "default": false }, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { + "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "discovery": { + "description": "configure your service to autodetect some ressources.", + "type": "object", + "properties": { + "hive": { + "type": "boolean", + "title": "Enable hive metastore discovery", + "description": "discover your hive metastore service", + "default": true + }, + "mlflow": { + "type": "boolean", + "title": "Enable mlflow discovery", + "description": "discover your mlflow service", + "default": true + }, + "metaflow": { + "type": "boolean", + "title": "Enable metaflow discovery", + "description": "discover your metaflow service", + "default": true + } + } + }, + "security": { + "description": "security specific 
configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } + }, + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "openshiftSCC": { + "description": "configuration for openshift compatibility", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/openshiftSCC.json" + }, + "properties": { + "enabled": { + "description": "enable rolebinding with openshift scc", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.enabled" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - "x-onyxia": { - 
"hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.lang" - } - } - } + "scc": { + "type": "string", + "description": "name of scc for rolebinding", + "default": "anyuid", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.scc" + } + } + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - 
"path": "proxy/enabled" - } - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } }, - "message": { - "type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties": { - "fr": { - "type": "string", - "description": "message à ajouter dans les notes", - "default": "" - }, - "en": { - "type": "string", - "description": "message to add in notes", - "default": "" - } - } + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } + }, + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "userHostname": { + 
"type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "python repositories for pip and conda", + "type": "object", + "properties": { + "pipRepository": { + "type": "string", + "description": "python repository for pip", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.pypiProxyUrl}}" + } + }, + "condaRepository": { + "type": "string", + "description": "python repository for pip", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.condaProxyUrl}}" + } + } + } + }, + "startupProbe": { + "type": "object", + "description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, 
+ "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. 
Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } -} + } +} \ No newline at end of file diff --git a/charts/jupyter-python/values.yaml b/charts/jupyter-python/values.yaml index 84824014..cc8b3951 100644 --- a/charts/jupyter-python/values.yaml +++ b/charts/jupyter-python/values.yaml @@ -25,6 +25,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + environment: user: onyxia group: users @@ -41,7 +48,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: false @@ -149,6 +155,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: enabled: false @@ -224,6 +231,10 @@ proxy: httpProxy: "" httpsProxy: "" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/jupyter-pytorch-gpu/Chart.yaml b/charts/jupyter-pytorch-gpu/Chart.yaml index 6398bb24..3435a36e 100644 --- a/charts/jupyter-pytorch-gpu/Chart.yaml +++ b/charts/jupyter-pytorch-gpu/Chart.yaml 
@@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-pytorch-gpu/README.md b/charts/jupyter-pytorch-gpu/README.md index 623b0c00..5a3808ac 100644 --- a/charts/jupyter-pytorch-gpu/README.md +++ b/charts/jupyter-pytorch-gpu/README.md @@ -1,6 +1,6 @@ # jupyter-pytorch-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python and the deep-learning framework PyTorch, with GPU support. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch, with GPU | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch, with GPU | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch, with GPU | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-pytorch-gpu/templates/secret-cacerts.yaml b/charts/jupyter-pytorch-gpu/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-pytorch-gpu/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-pytorch-gpu/templates/secret-extraenv.yaml b/charts/jupyter-pytorch-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-pytorch-gpu/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-pytorch-gpu/templates/statefulset.yaml b/charts/jupyter-pytorch-gpu/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-pytorch-gpu/templates/statefulset.yaml 
+++ b/charts/jupyter-pytorch-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
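Review bot: The added `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` line in the `make-secrets-writable` script downloads the CA bundle with no transport or failure checks, and the surrounding `regexMatch "^https?://"` accepts plain `http://`, so the certificates the pod will trust can arrive over an unauthenticated channel. Without `--fail`, an HTTP error body is also written to `/tmp/ca.pem` and passed through the `awk` split as if it were certificate data. I would change the line to `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1;`, or add a comment stating why HTTP sources must stay supported. The same line is added in the jupyter-pytorch, jupyter-r and jupyter-tensorflow-gpu statefulset hunks. The script starts outside this hunk, and the `library-chart.secretCacerts` helper that writes `ca-certs.url` is not visible here.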
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-pytorch-gpu/values.schema.json b/charts/jupyter-pytorch-gpu/values.schema.json index 4f82724f..b03fe3a7 100644 --- a/charts/jupyter-pytorch-gpu/values.schema.json +++ b/charts/jupyter-pytorch-gpu/values.schema.json @@ -231,6 +231,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -675,6 +698,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
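Review bot: The `extraEnvVars` secretRef is appended as the last `envFrom` entry, and Kubernetes gives the last source precedence when a key appears in several, so an extra variable that reuses a key from the token, S3 or MLflow secrets would silently replace the injected value. Which keys those secrets hold is not visible in this hunk, so the ordering may be intended. If it is, a comment such as `# listed last on purpose: extraEnvVars override earlier envFrom secrets` would record that; otherwise move the entry to the top of the list so platform-injected values win. The `envFrom` list starts outside the hunk, and the same addition appears in the jupyter-pytorch and jupyter-r statefulset hunks.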
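Review bot: The new `config-files` mount at `pathToCaBundle` is guarded by `.Values.certificates.pathToCaBundle` alone, while the init container only fills `/dest/cacerts` when `.Values.certificates.cacerts` is set. With a path but no `cacerts`, the `cacerts` subPath is never populated and the mount would presumably cover the image's own certificate directory with an empty one; with `cacerts` but no path, the split certificates are never mounted. Using one condition in both places, `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`, keeps them in step. The `volumeMounts` list starts outside the hunk, and the jupyter-pytorch and jupyter-r statefulset hunks carry the same guard.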
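Review bot: In the new `extraEnvVars` item schema, the `name` pattern `^[a-zA-Z0-9_]+$` accepts names that begin with a digit, and the declared default `""` does not match the pattern itself. A name with a leading digit is not a valid shell identifier and may be rejected or skipped when the secret is loaded through `envFrom`, depending on the Kubernetes version. I would tighten it to `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"` and add `"required": ["name"]` to the item so an entry without a name fails validation. The same schema block is added for jupyter-pytorch and jupyter-r.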
@@ -841,6 +872,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-pytorch-gpu/values.yaml b/charts/jupyter-pytorch-gpu/values.yaml index 4f8b499a..3fcfb153 100644 --- a/charts/jupyter-pytorch-gpu/values.yaml +++ b/charts/jupyter-pytorch-gpu/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/jupyter-pytorch/Chart.yaml b/charts/jupyter-pytorch/Chart.yaml index 02b9582e..9d7192a2 100644 --- a/charts/jupyter-pytorch/Chart.yaml +++ b/charts/jupyter-pytorch/Chart.yaml 
@@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-pytorch/README.md b/charts/jupyter-pytorch/README.md index 45fbba91..cb55d159 100644 --- a/charts/jupyter-pytorch/README.md +++ b/charts/jupyter-pytorch/README.md @@ -1,6 +1,6 @@ # jupyter-pytorch -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python and the deep-learning framework PyTorch. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python and the deep-learning framework PyTorch. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-pytorch/templates/secret-cacerts.yaml b/charts/jupyter-pytorch/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-pytorch/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-pytorch/templates/secret-extraenv.yaml b/charts/jupyter-pytorch/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-pytorch/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-pytorch/templates/statefulset.yaml b/charts/jupyter-pytorch/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-pytorch/templates/statefulset.yaml +++ b/charts/jupyter-pytorch/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-pytorch/values.schema.json b/charts/jupyter-pytorch/values.schema.json index 23be1165..9420a8dd 100644 --- a/charts/jupyter-pytorch/values.schema.json +++ b/charts/jupyter-pytorch/values.schema.json @@ -217,6 +217,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -662,6 +685,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -828,6 +859,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-pytorch/values.yaml b/charts/jupyter-pytorch/values.yaml index cc078838..583e2ab2 100644 --- a/charts/jupyter-pytorch/values.yaml +++ b/charts/jupyter-pytorch/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/jupyter-r/Chart.yaml b/charts/jupyter-r/Chart.yaml index 28d5f741..3eabc589 100644 --- a/charts/jupyter-r/Chart.yaml +++ b/charts/jupyter-r/Chart.yaml 
@@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-r/README.md b/charts/jupyter-r/README.md index d87cfd5e..1d15fcf1 100644 --- a/charts/jupyter-r/README.md +++ b/charts/jupyter-r/README.md @@ -1,6 +1,6 @@ # jupyter-r -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with R and a collection of standard data science packages. @@ -15,7 +15,7 @@ The JupyterLab IDE with R and a collection of standard data science packages. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with R and a collection of standard data science packages. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with R and a collection of standard data science packages. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-r/templates/secret-cacerts.yaml b/charts/jupyter-r/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-r/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-r/templates/secret-extraenv.yaml b/charts/jupyter-r/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-r/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-r/templates/statefulset.yaml b/charts/jupyter-r/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-r/templates/statefulset.yaml +++ b/charts/jupyter-r/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-r/values.schema.json b/charts/jupyter-r/values.schema.json index fe0d568b..3471dea6 100644 --- a/charts/jupyter-r/values.schema.json +++ b/charts/jupyter-r/values.schema.json @@ -217,6 +217,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -662,6 +685,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -828,6 +859,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-r/values.yaml b/charts/jupyter-r/values.yaml index 76734597..3ba80120 100644 --- a/charts/jupyter-r/values.yaml +++ b/charts/jupyter-r/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/jupyter-tensorflow-gpu/Chart.yaml b/charts/jupyter-tensorflow-gpu/Chart.yaml index b05d309e..05eff7a5 100644 --- a/charts/jupyter-tensorflow-gpu/Chart.yaml +++ b/charts/jupyter-tensorflow-gpu/Chart.yaml 
@@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-tensorflow-gpu/README.md b/charts/jupyter-tensorflow-gpu/README.md index ddb1eb71..c4d03b60 100644 --- a/charts/jupyter-tensorflow-gpu/README.md +++ b/charts/jupyter-tensorflow-gpu/README.md @@ -1,6 +1,6 @@ # jupyter-tensorflow-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python and the deep-learning framework TensorFlow, with GPU support. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow, with | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow, with | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow, with | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-tensorflow-gpu/templates/secret-cacerts.yaml b/charts/jupyter-tensorflow-gpu/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-tensorflow-gpu/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-tensorflow-gpu/templates/secret-extraenv.yaml b/charts/jupyter-tensorflow-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-tensorflow-gpu/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-tensorflow-gpu/templates/statefulset.yaml b/charts/jupyter-tensorflow-gpu/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-tensorflow-gpu/templates/statefulset.yaml 
+++ b/charts/jupyter-tensorflow-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
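Review bot: In the `@@ -102,9 +110,22 @@` hunk the CA bundle the pod will trust is fetched with `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem`, and the enclosing `regexMatch "^https?://"` also accepts plain `http://`. The trust anchors can therefore arrive over an unauthenticated channel, and an error page or empty response is still split by `awk` into `/dest/cacerts` as if it were a certificate. I would restrict the scheme and fail closed: `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1`, with the same `^https://` match in `library-chart.secretCacerts` so the two stay consistent. If the bundle has to be reachable before the internal CA is trusted, checking the download against a digest supplied alongside the URL would keep the verification meaningful. The same script is added in `charts/jupyter-tensorflow/templates/statefulset.yaml` and `charts/rstudio-gpu/templates/statefulset.yaml`.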
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-tensorflow-gpu/values.schema.json b/charts/jupyter-tensorflow-gpu/values.schema.json index 992cc7a7..98336d97 100644 --- a/charts/jupyter-tensorflow-gpu/values.schema.json +++ b/charts/jupyter-tensorflow-gpu/values.schema.json @@ -231,6 +231,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -675,6 +698,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
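Review bot: The mount added in the `@@ -226,12 +251,17 @@` hunk is gated on `certificates.pathToCaBundle` alone, while the `cacerts` sub-directory of `config-files` is only created by the init container when `certificates.cacerts` is set. With a path but no bundle, the main container would presumably get an empty directory mounted over that path, hiding whatever CA files the image ships there. Gating on both keeps them in step: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`, and `mountPath: {{ .Values.certificates.pathToCaBundle | quote }}` keeps an unusual path from breaking the rendered YAML. The `volumeMounts` list starts outside the hunk, and the same lines are added in `charts/jupyter-tensorflow/templates/statefulset.yaml`.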
@@ -841,6 +872,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-tensorflow-gpu/values.yaml b/charts/jupyter-tensorflow-gpu/values.yaml index 8b45a10b..956a031a 100644 --- a/charts/jupyter-tensorflow-gpu/values.yaml +++ b/charts/jupyter-tensorflow-gpu/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/jupyter-tensorflow/Chart.yaml b/charts/jupyter-tensorflow/Chart.yaml index 7694630b..15ed2c2d 100644 --- a/charts/jupyter-tensorflow/Chart.yaml +++ b/charts/jupyter-tensorflow/Chart.yaml 
@@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-tensorflow/README.md b/charts/jupyter-tensorflow/README.md index 0f224027..720d36db 100644 --- a/charts/jupyter-tensorflow/README.md +++ b/charts/jupyter-tensorflow/README.md @@ -1,6 +1,6 @@ # jupyter-tensorflow -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The JupyterLab IDE with Python and the deep-learning framework TensorFlow. @@ -15,7 +15,7 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The JupyterLab IDE with Python and the deep-learning framework TensorFlow. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/jupyter-tensorflow/templates/secret-cacerts.yaml b/charts/jupyter-tensorflow/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-tensorflow/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-tensorflow/templates/secret-extraenv.yaml b/charts/jupyter-tensorflow/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/jupyter-tensorflow/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/jupyter-tensorflow/templates/statefulset.yaml b/charts/jupyter-tensorflow/templates/statefulset.yaml index 71e5a95d..97e719aa 100644 --- a/charts/jupyter-tensorflow/templates/statefulset.yaml 
+++ b/charts/jupyter-tensorflow/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} @@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -197,6 +218,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -226,12 +251,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-tensorflow/values.schema.json b/charts/jupyter-tensorflow/values.schema.json index d96df287..0d2c41a5 100644 --- a/charts/jupyter-tensorflow/values.schema.json +++ b/charts/jupyter-tensorflow/values.schema.json @@ -217,6 +217,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -662,6 +685,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -828,6 +859,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/jupyter-tensorflow/values.yaml b/charts/jupyter-tensorflow/values.yaml index 0ace645f..028bd320 100644 --- a/charts/jupyter-tensorflow/values.yaml +++ b/charts/jupyter-tensorflow/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -98,6 +99,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -136,6 +138,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/library-chart/Chart.yaml b/charts/library-chart/Chart.yaml index 0fd4a31e..4b8b9de4 100644 --- a/charts/library-chart/Chart.yaml +++ b/charts/library-chart/Chart.yaml @@ -1,4 +1,4 @@ apiVersion: v2 name: library-chart -version: 1.5.25 +version: 1.5.31 type: library diff --git a/charts/library-chart/README.md b/charts/library-chart/README.md index 1894f545..b16aee4f 100644 --- a/charts/library-chart/README.md +++ b/charts/library-chart/README.md 
@@ -1,6 +1,6 @@ # library-chart -![Version: 1.5.25](https://img.shields.io/badge/Version-1.5.25-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) +![Version: 1.5.31](https://img.shields.io/badge/Version-1.5.31-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) diff --git a/charts/library-chart/templates/_ingress.tpl b/charts/library-chart/templates/_ingress.tpl index e5b5b31b..92b57983 100644 --- a/charts/library-chart/templates/_ingress.tpl +++ b/charts/library-chart/templates/_ingress.tpl @@ -57,7 +57,7 @@ spec: tls: - hosts: - {{ .Values.ingress.hostname | quote }} - {{- if .Values.ingress.useCertManager }} + {{- if or .Values.ingress.useCertManager .Values.ingress.useTlsSecret}} secretName: tls-cert-{{ include "library-chart.fullname" . }} {{- end }} {{- end }} @@ -70,7 +70,7 @@ spec: backend: service: name: {{ $fullName }} - port: + port: number: {{ $svcPort }} {{- end }} {{- end }} @@ -78,9 +78,13 @@ spec: {{/* Template to generate a custom Ingress */}} {{- define "library-chart.ingressUser" -}} {{- if .Values.ingress.enabled -}} -{{ if .Values.networking.user.enabled }} +{{- if and .Values.networking.user .Values.networking.user.enabled -}} +{{- $userPorts := list -}} +{{- if or .Values.networking.user.ports .Values.networking.user.port -}} +{{- $userPorts = .Values.networking.user.ports | default (list .Values.networking.user.port) -}} +{{- end -}} +{{- if $userPorts -}} {{- $fullName := include "library-chart.fullname" . -}} -{{- $svcPort := .Values.networking.user.port -}} apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
@@ -96,13 +100,25 @@ spec: {{- if .Values.ingress.tls }} tls: - hosts: - - {{ .Values.ingress.userHostname | quote }} - {{- if .Values.ingress.useCertManager }} + {{- range $userPort := $userPorts }} + {{- if eq (len $userPorts) 1 }} + - {{ $.Values.ingress.userHostname | quote }} + {{- else }} + - {{ regexReplaceAll "([^\\.]+)\\.(.*)" $.Values.ingress.userHostname (printf "${1}-%d.${2}" (int $userPort)) | quote }} + {{- end }} + {{- end }} + {{- if or .Values.ingress.useCertManager .Values.ingress.useTlsSecret }} secretName: tls-cert-{{ include "library-chart.fullname" . }} - {{- end }} + {{- end }} {{- end }} rules: + {{- range $userPort := $userPorts }} + {{- with $ }} + {{- if eq (len $userPorts) 1 }} - host: {{ .Values.ingress.userHostname | quote }} + {{- else }} + - host: {{ regexReplaceAll "([^\\.]+)\\.(.*)" .Values.ingress.userHostname (printf "${1}-%d.${2}" (int $userPort)) | quote }} + {{- end }} http: paths: - path: / @@ -110,8 +126,11 @@ spec: backend: service: name: {{ $fullName }} - port: - number: {{ $svcPort }} + port: + number: {{ $userPort }} + {{- end }} + {{- end }} +{{- end }} {{- end }} {{- end }} {{- end }} @@ -138,7 +157,7 @@ spec: tls: - hosts: - {{ .Values.ingress.sparkHostname | quote }} - {{- if .Values.ingress.useCertManager }} + {{- if or .Values.ingress.useCertManager .Values.ingress.useTlsSecret }} secretName: tls-cert-{{ include "library-chart.fullname" . }} {{- end }} {{- end }} @@ -151,7 +170,7 @@ spec: backend: service: name: {{ $fullName }} - port: + port: number: {{ $svcPort }} {{- end }} {{- end }} diff --git a/charts/library-chart/templates/_route.tpl b/charts/library-chart/templates/_route.tpl index 456ff5d3..b51595a7 100644 --- a/charts/library-chart/templates/_route.tpl +++ b/charts/library-chart/templates/_route.tpl @@ -38,7 +38,7 @@ spec: to: kind: Service name: {{ $fullName }} - port: + port: targetPort: {{ $svcPort }} tls: termination: {{ .Values.route.tls.termination }} 
@@ -61,9 +61,11 @@ spec: {{/* Template to generate a custom Route */}} {{- define "library-chart.routeUser" -}} {{- if .Values.route.enabled -}} -{{ if .Values.networking.user.enabled }} +{{- if and .Values.networking.user .Values.networking.user.enabled (or .Values.networking.user.ports .Values.networking.user.port) -}} {{- $fullName := include "library-chart.fullname" . -}} -{{- $svcPort := .Values.networking.user.port -}} +{{- $userPorts := .Values.networking.user.ports | default (list .Values.networking.user.port) -}} +{{- range $userPort := $userPorts -}} +{{- with $ -}} apiVersion: route.openshift.io/v1 kind: Route metadata: @@ -73,13 +75,17 @@ metadata: annotations: {{- include "library-chart.route.annotations" . | nindent 4 }} spec: +{{- if eq (len $userPorts) 1 }} host: {{ .Values.route.userHostname | quote }} +{{- else }} + host: {{ regexReplaceAll "([^\\.]+)\\.(.*)" .Values.route.userHostname (printf "${1}-d.${2}" $userPort) | quote }} +{{- end }} path: / to: kind: Service name: {{ $fullName }} - port: - targetPort: {{ $svcPort }} + port: + targetPort: {{ $userPort }} tls: termination: {{ .Values.route.tls.termination }} {{- if .Values.route.tls.key }} @@ -92,9 +98,12 @@ spec: caCertificate: {{- .Values.route.tls.caCertificate }} {{- end }} {{- if .Values.route.tls.destinationCACertificate }} - destinationCACertificate: {{- .Values.route.tls.destinationCACertificate }} + destinationCACertificate: {{ .Values.route.tls.destinationCACertificate }} {{- end }} wildcardPolicy: {{ .Values.route.wildcardPolicy }} +--- +{{- end }} +{{- end }} {{- end }} {{- end }} {{- end }} @@ -119,7 +128,7 @@ spec: to: kind: Service name: {{ $fullName }} - port: + port: targetPort: {{ $svcPort }} tls: termination: {{ .Values.route.tls.termination }} diff --git a/charts/library-chart/templates/_secret.tpl b/charts/library-chart/templates/_secret.tpl index caa8ab0c..ea62738a 100644 --- a/charts/library-chart/templates/_secret.tpl +++ b/charts/library-chart/templates/_secret.tpl 
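Review bot: The multi-port host in the `@@ -73,13 +75,17 @@` hunk is built with `printf "${1}-d.${2}" $userPort`, which has no `%` verb, so the port is never substituted and `printf` appends a formatting-error marker for the unused argument; every generated Route ends up with the same malformed host. `_ingress.tpl` in this commit uses the intended form, and the line should read `host: {{ regexReplaceAll "([^\\.]+)\\.(.*)" .Values.route.userHostname (printf "${1}-%d.${2}" (int $userPort)) | quote }}`. The Route's `metadata.name` lies outside the hunk; if it does not include the port, the objects emitted by the `range` would also collide on name.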
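Review bot: `caCertificate: {{- .Values.route.tls.caCertificate }}` in the `@@ -92,9 +98,12 @@` hunk still carries the `{{-` trim that this change removes from `destinationCACertificate`, so the value is rendered directly after the colon with no separating space. It needs the same fix: `caCertificate: {{ .Values.route.tls.caCertificate }}`. The `key` and `certificate` fields sit above the hunk and are worth checking for the same pattern. PEM values that span several lines would additionally need a block scalar with `nindent` to render as valid YAML.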
@@ -178,8 +178,8 @@ stringData: {{/* Secret for CoreSite.xml Metastore */}} {{- define "library-chart.coreSite" -}} {{ printf "" }} -{{ printf "" }} -{{ printf ""}} +{{ printf "" }} +{{ printf ""}} {{ printf ""}} {{ printf "fs.s3a.connection.ssl.enabled" | indent 4}} {{ printf "true" | indent 4}} @@ -255,8 +255,8 @@ stringData: {{/* Secret for Hive Metastore */}} {{- define "hiveMetastore.secret" -}} {{- printf "\n" }} -{{- printf "\n" }} -{{- printf "\n"}} +{{- printf "\n" }} +{{- printf "\n"}} {{- range $index, $secret := (lookup "v1" "Secret" .Release.Namespace "").items }} {{- if (index $secret "metadata" "annotations") }} {{- if and (index $secret "metadata" "annotations" "onyxia/discovery") (eq "hive" (index $secret "metadata" "annotations" "onyxia/discovery" | toString)) }} @@ -395,12 +395,9 @@ Flag to disable certificate checking for Spark {{/* Build a spark (or java) oriented non proxy hosts list from the linux based noProxy variable */}} {{- if (.Values.proxy).enabled -}} -{{- if .Values.proxy.httpProxy }} -{{- printf " -Dhttp.nonProxyHosts=%v" .Values.proxy.httpProxy }} -{{- end }} -{{- if .Values.proxy.httpsProxy }} -{{- printf " -Dhttps.nonProxyHosts=%v" .Values.proxy.httpsProxy }} -{{- end }} +{{- $nonProxyHosts := regexReplaceAllLiteral "\\|\\." (regexReplaceAllLiteral "^(\\.)" (replace "," "|" (default "localhost" .Values.proxy.noProxy)) "*.") "|*." -}} +{{- printf " -Dhttp.nonProxyHosts=%v" $nonProxyHosts }} +{{- printf " -Dhttps.nonProxyHosts=%v" $nonProxyHosts }} {{- end -}} {{- end }} @@ -425,7 +422,6 @@ Flag to disable certificate checking for Spark {{- end }} {{- end }} - {{/* Template to generate a Secret for SparkConf */}} {{- define "library-chart.secretSparkConf" -}} {{- if .Values.spark.default -}} 
@@ -444,4 +440,59 @@ stringData: {{- end }} {{- end }} {{- end }} -{{- end }} \ No newline at end of file +{{- end }} + + +{{/* Name of the CA certificates secret */}} +{{- define "library-chart.secretNameCacerts" -}} +{{- if .Values.certificates }} +{{- $name:= (printf "%s-secretcacerts" (include "library-chart.fullname" .) ) }} +{{- default $name .Values.certificates.secretName }} +{{- else }} +{{- default "default" .Values.certificates.secretName }} +{{- end }} +{{- end }} + +{{/* Template to generate a secret for CA certificates */}} +{{- define "library-chart.secretCacerts" -}} +{{- if and .Values.certificates .Values.certificates.cacerts }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "library-chart.secretNameCacerts" . }} + labels: + {{- include "library-chart.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + ca-certs.url: {{ .Values.certificates.cacerts }} + {{- else }} + ca.pem: | + {{- .Values.certificates.cacerts | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} + + + +{{/* Name of the extraEnv secret */}} +{{- define "library-chart.secretNameExtraEnv" -}} +{{- printf "%s-secretextraenv" (include "library-chart.fullname" .) }} +{{- end }} + +{{/* Template to generate a secret for extra environment variables */}} +{{- define "library-chart.secretExtraEnv" -}} +{{- if .Values.extraEnvVars }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "library-chart.secretNameExtraEnv" . }} + labels: + {{- include "library-chart.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- range .Values.extraEnvVars }} + {{ .name | trim }}: {{ tpl .value $.Values | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/library-chart/templates/_service.tpl b/charts/library-chart/templates/_service.tpl index c9c540cf..389a44e7 100644 --- a/charts/library-chart/templates/_service.tpl +++ b/charts/library-chart/templates/_service.tpl 
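Review bot: `library-chart.secretExtraEnv` renders each entry with `{{ tpl .value $.Values | quote }}`, so every user-supplied environment value is executed as a Helm template at render time instead of being stored as data. A value that merely contains `{{` (a JSON or Jinja snippet, for example) will fail or be rewritten, and whoever can set `extraEnvVars` can invoke any template function available to the chart. If templating is not a requirement, store the literal with `{{ .name | trim | quote }}: {{ .value | quote }}`. If it is, say so in the helper's comment, e.g. `{{/* extraEnvVars values are rendered with tpl; literal braces must be escaped */}}`, and confirm that passing `$.Values` rather than the root context as the second argument behaves as intended on the Helm versions you support.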
@@ -2,6 +2,10 @@ {{/* Template to generate a Service */}} {{- define "library-chart.service" -}} +{{- $userPorts := list -}} +{{- if and .Values.networking.user .Values.networking.user.enabled (or .Values.networking.user.ports .Values.networking.user.port) -}} +{{- $userPorts = .Values.networking.user.ports | default (list .Values.networking.user.port) -}} +{{- end -}} apiVersion: v1 kind: Service metadata: @@ -18,13 +22,11 @@ spec: targetPort: {{ default .Values.networking.service.port .Values.networking.service.targetPort }} protocol: TCP name: main - {{ if .Values.networking.user }} - {{ if .Values.networking.user.enabled }} - - port: {{ .Values.networking.user.port }} - targetPort: {{ .Values.networking.user.port }} + {{- range $userPort := $userPorts }} + - port: {{ $userPort }} + targetPort: {{ $userPort }} protocol: TCP - name: user - {{- end }} + name: {{ printf "user-%d" (int $userPort) | quote }} {{- end }} {{ if .Values.spark }} {{ if .Values.spark.sparkui }} diff --git a/charts/library-chart/values.yaml b/charts/library-chart/values.yaml index 8b137891..e69de29b 100644 --- a/charts/library-chart/values.yaml +++ b/charts/library-chart/values.yaml @@ -1 +0,0 @@ - diff --git a/charts/rstudio-gpu/Chart.yaml b/charts/rstudio-gpu/Chart.yaml index 933d815f..dc8bb2c8 100644 --- a/charts/rstudio-gpu/Chart.yaml +++ b/charts/rstudio-gpu/Chart.yaml @@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.1 +version: 2.1.10 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/rstudio-gpu/README.md b/charts/rstudio-gpu/README.md index 98a7cb61..d8c7275a 100644 --- a/charts/rstudio-gpu/README.md +++ b/charts/rstudio-gpu/README.md 
@@ -1,6 +1,6 @@ # rstudio-gpu -![Version: 2.1.1](https://img.shields.io/badge/Version-2.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.10](https://img.shields.io/badge/Version-2.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The RStudio IDE with a collection of standard data science packages, with GPU support. @@ -15,7 +15,7 @@ The RStudio IDE with a collection of standard data science packages, with GPU su | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values @@ -28,6 +28,7 @@ The RStudio IDE with a collection of standard data science packages, with GPU su | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -45,6 +46,7 @@ The RStudio IDE with a collection of standard data science packages, with GPU su | ingress.hostname | string | `"chart-example.local"` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/rstudio-gpu/templates/secret-extraenv.yaml b/charts/rstudio-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/rstudio-gpu/templates/secret-extraenv.yaml 
@@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/rstudio-gpu/templates/statefulset.yaml b/charts/rstudio-gpu/templates/statefulset.yaml index 3992d909..8999247f 100644 --- a/charts/rstudio-gpu/templates/statefulset.yaml +++ b/charts/rstudio-gpu/templates/statefulset.yaml @@ -32,6 +32,9 @@ spec: {{- if (include "library-chart.repository.enabled" .) }} checksum/repository: {{ include (print $.Template.BasePath "/configmap-repository.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -39,22 +42,29 @@ spec: {{- include "library-chart.selectorLabels" . | nindent 8 }} spec: volumes: + - name: config-files + emptyDir: {} - name: home - {{- if .Values.persistence.enabled }} + {{- if .Values.persistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.existingClaim | default (include "library-chart.fullname" .) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} - name: dshm emptyDir: medium: Memory sizeLimit: 10Gi - {{- if (.Values.proxy).enabled }} + {{- if (.Values.proxy).enabled }} - name: secret-proxy secret: secretName: {{ include "library-chart.secretNameProxy" . }} - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
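Review bot: The `cacerts` volume added in the `@@ -39,22 +42,29 @@` hunk mounts the Secret named by `library-chart.secretNameCacerts`, but the rstudio-gpu part of this diff adds only `templates/secret-extraenv.yaml`; no `templates/secret-cacerts.yaml` appears, unlike the jupyter-tensorflow charts. Unless that template already exists in the chart, setting `certificates.cacerts` would leave the pod waiting on a Secret that is never created. Adding `templates/secret-cacerts.yaml` containing `{{ include "library-chart.secretCacerts" . }}`, together with `certificates: {}` in `values.yaml` and the matching schema entry, would bring this chart in line with the others.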
@@ -64,6 +74,37 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} subdomain: {{ include "library-chart.fullname" . }} hostname: rstudio + initContainers: + - name: make-secrets-writable + image: inseefrlab/onyxia-base:latest + imagePullPolicy: IfNotPresent + command: + - sh + - -c + - | + echo 'initContainer make-secrets-writable is started'; + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} + volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} + resources: + limits: + cpu: 50m + memory: 50Mi + securityContext: + {{- toYaml .Values.initContainerSecurityContext | nindent 12 }} containers: - name: {{ .Chart.Name }} securityContext: @@ -109,7 +150,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: {{- if .Values.s3.enabled }} - secretRef: name: {{ include "library-chart.secretNameS3" . }} @@ -132,6 +173,10 @@ spec: {{- end }} - secretRef: name: {{ include "library-chart.secretNameToken" . }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -154,9 +199,14 @@ spec: volumeMounts: - mountPath: /home/{{ .Values.environment.user }}/work subPath: work - name: home + name: home - mountPath: /dev/shm - name: dshm + name: dshm + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
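Review bot: The `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` line in the new `make-secrets-writable` init container fetches trust anchors with no failure handling, and because the guard is `^https?://` it may do so over plain HTTP, where anything on the network path can substitute the CA bundle the IDE will later trust. Without `-f` an HTTP error body is written to `/tmp/ca.pem` and split by `awk` as if it were certificates, and the unquoted substitution is word-split by the shell. I would write `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1` and decide explicitly whether `http://` sources stay supported. The container image is also the mutable `inseefrlab/onyxia-base:latest` with `IfNotPresent`, so nodes can run different contents; a pinned tag or digest would make this step reproducible. The same curl line is added in the `@@ -119,8 +127,23 @@` hunk of the rstudio-sparkr statefulset.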
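Review bot: The CA-bundle mount in the `@@ -154,9 +199,14 @@` hunk is gated on `.Values.certificates.pathToCaBundle` alone, while the init container only creates and fills `/dest/cacerts` when `.Values.certificates.cacerts` is set. With `pathToCaBundle` set and `cacerts` empty, the `subPath: cacerts` mount would presumably place an empty directory over that path and hide whatever CA files the image ships there, which breaks TLS verification inside the IDE. Gating both on the same values avoids that: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`. The same condition is used for the mount added in the rstudio-sparkr statefulset, and the `volumeMounts` list starts outside the hunk.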
diff --git a/charts/rstudio-gpu/values.schema.json b/charts/rstudio-gpu/values.schema.json index daa1d85f..a7959eb4 100644 --- a/charts/rstudio-gpu/values.schema.json +++ b/charts/rstudio-gpu/values.schema.json @@ -231,6 +231,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -624,6 +647,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, diff --git a/charts/rstudio-gpu/values.yaml b/charts/rstudio-gpu/values.yaml index b859bbac..1f88da2f 100644 --- a/charts/rstudio-gpu/values.yaml +++ b/charts/rstudio-gpu/values.yaml @@ -20,6 +20,7 @@ init: regionInit: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] environment: user: onyxia group: users @@ -81,6 +82,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] diff --git a/charts/rstudio-sparkr/Chart.yaml b/charts/rstudio-sparkr/Chart.yaml index a066affa..b249f7bd 100644 --- a/charts/rstudio-sparkr/Chart.yaml +++ b/charts/rstudio-sparkr/Chart.yaml 
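Review bot: The `name` pattern `^[a-zA-Z0-9_]+$` in the new `extraEnvVars` schema accepts names that start with a digit, and nothing in `items` marks `name` as required, so an entry with the default empty name also validates. If these names become keys of the Secret that the statefulset pulls in through `envFrom` (the library template is not visible here), Kubernetes may skip keys that are not valid variable names, depending on the cluster version, and the variable would go missing without the install failing. I would tighten the pattern to `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"` and add `"required": ["name"]` to the item object. The same block is added to the rstudio-sparkr schema further down the diff.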
@@ -23,8 +23,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.2 +version: 2.1.13 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/rstudio-sparkr/README.md b/charts/rstudio-sparkr/README.md index bcb6afb0..3473304d 100644 --- a/charts/rstudio-sparkr/README.md +++ b/charts/rstudio-sparkr/README.md @@ -1,6 +1,6 @@ # rstudio-sparkr -![Version: 2.1.2](https://img.shields.io/badge/Version-2.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.13](https://img.shields.io/badge/Version-2.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The RStudio IDE with a collection of standard data science packages. It includes SparkR, an R package that provides an interface to use Apache Spark from R. @@ -15,7 +15,7 @@ The RStudio IDE with a collection of standard data science packages. It includes | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,11 +26,13 @@ The RStudio IDE with a collection of standard data science packages. It includes | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | environment.group | string | `"users"` | | | environment.root | bool | `true` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The RStudio IDE with a collection of standard data science packages. It includes | ingress.hostname | string | `"chart-example.local"` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | @@ -102,9 +105,9 @@ The RStudio IDE with a collection of standard data science packages. It includes | security.password | string | `"changeme"` | | | securityContext | object | `{}` | | | service.image.custom.enabled | bool | `false` | | -| service.image.custom.version | string | `"inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2"` | | +| service.image.custom.version | string | `"inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3"` | | | service.image.pullPolicy | string | `"IfNotPresent"` | | -| service.image.version | string | `"inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2"` | | +| service.image.version | string | `"inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3"` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | 
diff --git a/charts/rstudio-sparkr/templates/secret-cacerts.yaml b/charts/rstudio-sparkr/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/rstudio-sparkr/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/rstudio-sparkr/templates/secret-extraenv.yaml b/charts/rstudio-sparkr/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/rstudio-sparkr/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/rstudio-sparkr/templates/statefulset.yaml b/charts/rstudio-sparkr/templates/statefulset.yaml index 1b42555f..43156e36 100644 --- a/charts/rstudio-sparkr/templates/statefulset.yaml +++ b/charts/rstudio-sparkr/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if (include "library-chart.repository.enabled" .) }} checksum/repository: {{ include (print $.Template.BasePath "/configmap-repository.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -86,6 +89,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameHive" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -99,9 +107,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.s3.enabled }} 
@@ -119,8 +127,23 @@ spec: {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite @@ -129,8 +152,6 @@ spec: - name: secret-ivysettings mountPath: /src/ivysettings {{- end }} - - name: config-files - mountPath: /dest {{- if .Values.spark.default }} - name: secret-sparkconf mountPath: /src/spark @@ -194,7 +215,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -217,6 +238,10 @@ spec: - configMapRef: name: {{ include "library-chart.configMapNameRepository" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -261,7 +286,12 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/rstudio-sparkr/values.schema.json b/charts/rstudio-sparkr/values.schema.json index 27498bb3..3e0be2b7 100644 
--- a/charts/rstudio-sparkr/values.schema.json +++ b/charts/rstudio-sparkr/values.schema.json 
@@ -1,881 +1,940 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2", - "inseefrlab/onyxia-rstudio-sparkr:r4.3.3-spark3.5.2" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2" - }, - "custom": { - "description": "use a custom RStudio docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom RStudio docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "RStudio unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "spark": { - "description": "spark specific configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "spark.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + 
"IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "sparkui": { - "type": "boolean", - "title": "SparkUI", - "description": "Enable Spark monitoring interface", - "default": true - }, - "default": { - "type": "boolean", - "title": "Create a spark config", - "description": "Create a default spark config in spark-default.conf", - "default": true - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", + "inseefrlab/onyxia-rstudio-sparkr:r4.3.3-spark3.5.3" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3" }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory" - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - 
"default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory" - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" - }, - "properties": { + "custom": { + "description": "use a custom RStudio docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom RStudio docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": "RStudio unsupported version", + "type": "string", + "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } + } + } + } + }, + "spark": { + "description": "spark specific configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "spark.json" + }, + "properties": { + "sparkui": 
{ + "type": "boolean", + "title": "SparkUI", + "description": "Enable Spark monitoring interface", + "default": true }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + "default": { + "type": "boolean", + "title": "Create a spark config", + "description": "Create a default spark config in spark-default.conf", + "default": true + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu" }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory" } + } }, - "kubernetes": { - "description": "configuration of your kubernetes 
access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "role-spark.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu" }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "admin", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory" } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - 
"hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - 
}, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - 
"description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "role-spark.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", 
- "description": "Enable a custom service port", - "default": false - }, - "port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "admin", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "discovery": { - "description": "configure your service to autodetect some ressources.", - "type": "object", - "properties": { - "hive": { - "type": "boolean", - "title": "Enable hive metastore discovery", - "description": "discover your hive metastore service", - "default": true - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - 
"description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "sparkHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - 
"title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - "certManagerClusterIssuer":{ - "type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "sparkHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration 
of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true + }, + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + 
"overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, "repository": { - "description": "r repository (eg : cran mirrors or proxy caches)", - "type": "object", - "properties": { - "rRepository": { - "type": "string", - "description": "r repository", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" - } - }, - "packageManagerUrl": { - "type": "string", - "description": "Posit Package Manager URL", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + 
"description": "Enable a custom service port", + "default": false }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - } + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { + "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "discovery": { + "description": "configure your service to autodetect some ressources.", + "type": "object", + "properties": { + "hive": { + "type": "boolean", + "title": "Enable hive metastore discovery", + "description": "discover your hive metastore service", + "default": true + } + } + }, + "security": { + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } }, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": 
"network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "x-onyxia": { + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": 
"user.lang" - } - } - } + "sparkHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" + } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + }, + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } + }, + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": 
"{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "sparkHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" + } + }, + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "r repository (eg : cran mirrors or proxy caches)", + "type": "object", + "properties": { + "rRepository": { + "type": "string", + "description": "r repository", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" + } + }, + "packageManagerUrl": { + "type": "string", + "description": "Posit Package Manager URL", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "startupProbe": { + "type": "object", + 
"description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": "false" + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject 
proxy settings", - "default": "false" - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - } + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } }, - "message": { - "type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties":{ - "fr": { - "type": "string", - "description": "message à ajouter dans les notes", - "default": ""}, - "en": { - "type": "string", - "description": "message to add in notes", - "default": ""} + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } + } + } + }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. 
Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } + } } \ No newline at end of file diff --git a/charts/rstudio-sparkr/values.yaml b/charts/rstudio-sparkr/values.yaml index f0d1541e..4e007ac2 100644 --- a/charts/rstudio-sparkr/values.yaml +++ b/charts/rstudio-sparkr/values.yaml @@ -4,11 +4,11 @@ global: service: image: - version: "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2" + version: "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3" pullPolicy: IfNotPresent custom: enabled: false - version: "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.2" + version: "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3" spark: sparkui: false @@ -49,6 +49,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + environment: root: true user: onyxia @@ -75,7 +82,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: true @@ -105,7 +111,6 @@ git: # Declare variables to be passed into your templates. replicaCount: 1 - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" 
@@ -167,6 +172,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: enabled: false @@ -243,6 +249,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/rstudio/Chart.yaml b/charts/rstudio/Chart.yaml index c6ea735e..397266e4 100644 --- a/charts/rstudio/Chart.yaml +++ b/charts/rstudio/Chart.yaml @@ -22,8 +22,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.1 +version: 2.1.10 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/rstudio/README.md b/charts/rstudio/README.md index 41868cd0..5fc364d3 100644 --- a/charts/rstudio/README.md +++ b/charts/rstudio/README.md @@ -1,6 +1,6 @@ # rstudio -![Version: 2.1.1](https://img.shields.io/badge/Version-2.1.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.10](https://img.shields.io/badge/Version-2.1.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The RStudio IDE with a collection of standard data science packages. @@ -15,7 +15,7 @@ The RStudio IDE with a collection of standard data science packages. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -28,6 +28,7 @@ The RStudio IDE with a collection of standard data science packages. | autoscaling.targetCPUUtilizationPercentage | int | `80` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -45,6 +46,7 @@ The RStudio IDE with a collection of standard data science packages. | ingress.hostname | string | `"chart-example.local"` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/rstudio/templates/secret-extraenv.yaml b/charts/rstudio/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/rstudio/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/rstudio/templates/statefulset.yaml b/charts/rstudio/templates/statefulset.yaml index 3992d909..8999247f 100644 --- a/charts/rstudio/templates/statefulset.yaml +++ b/charts/rstudio/templates/statefulset.yaml @@ -32,6 +32,9 @@ spec: {{- if (include "library-chart.repository.enabled" .) }} checksum/repository: {{ include (print $.Template.BasePath "/configmap-repository.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} 
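Review bot: The `checksum/cacerts` annotation added to the pod template in statefulset.yaml hashes `.Values.certificates.cacerts` itself, so when that value is a URL (a case the init container added later in this commit handles) the annotation changes only if the URL changes, not when the bundle served there does. A CA that is rotated or withdrawn behind a stable URL would therefore not roll the pods. A template comment next to the annotation would make this visible, for example `{{- /* cacerts may be a URL: this hashes the URL, not the fetched bundle; restart the pod to pick up a rotated CA */}}`. The annotations block starts outside the hunk.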
@@ -39,22 +42,29 @@ spec: {{- include "library-chart.selectorLabels" . | nindent 8 }} spec: volumes: + - name: config-files + emptyDir: {} - name: home - {{- if .Values.persistence.enabled }} + {{- if .Values.persistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.existingClaim | default (include "library-chart.fullname" .) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} - name: dshm emptyDir: medium: Memory sizeLimit: 10Gi - {{- if (.Values.proxy).enabled }} + {{- if (.Values.proxy).enabled }} - name: secret-proxy secret: secretName: {{ include "library-chart.secretNameProxy" . }} - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -64,6 +74,37 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} subdomain: {{ include "library-chart.fullname" . }} hostname: rstudio + initContainers: + - name: make-secrets-writable + image: inseefrlab/onyxia-base:latest + imagePullPolicy: IfNotPresent + command: + - sh + - -c + - | + echo 'initContainer make-secrets-writable is started'; + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} + volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} + resources: + limits: + cpu: 50m + memory: 50Mi + securityContext: + {{- toYaml .Values.initContainerSecurityContext | nindent 12 }} containers: - name: {{ .Chart.Name }} securityContext: @@ -109,7 +150,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: {{- if .Values.s3.enabled }} - secretRef: name: {{ include "library-chart.secretNameS3" . }} @@ -132,6 +173,10 @@ spec: {{- end }} - secretRef: name: {{ include "library-chart.secretNameToken" . }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / @@ -154,9 +199,14 @@ spec: volumeMounts: - mountPath: /home/{{ .Values.environment.user }}/work subPath: work - name: home + name: home - mountPath: /dev/shm - name: dshm + name: dshm + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} 
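Review bot: The CA bundle that becomes the pod's trust anchors can be fetched over plain HTTP, and a failed download is not detected. The template branch in the `make-secrets-writable` script matches `^https?://`, and `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` has no `--fail` and no quoting, so a tampered response or an HTTP error page can end up split into `/dest/cacerts`. I would restrict the match to `^https://` and use `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem`. Separately, `image: inseefrlab/onyxia-base:latest` with `imagePullPolicy: IfNotPresent` runs whatever copy of a mutable tag each node has cached, so a versioned tag or a digest would make the init container reproducible.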
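Review bot: The `config-files` mount at `pathToCaBundle` in the last hunk is guarded by `and .Values.certificates .Values.certificates.pathToCaBundle`, but the init container only populates `/dest/cacerts` when `certificates.cacerts` is set. The schema in this commit gives `pathToCaBundle` a default of `/usr/local/share/ca-certificates/` and `cacerts` an empty default. With the path set and `cacerts` empty, the `cacerts` subPath would presumably be mounted empty over that directory and hide any certificates the image ships there. Guarding on both values keeps the mount and the init step in agreement: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`. The container spec starts outside the hunk.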
diff --git a/charts/rstudio/values.schema.json b/charts/rstudio/values.schema.json index dd5ee7a4..2b9de146 100644 --- a/charts/rstudio/values.schema.json +++ b/charts/rstudio/values.schema.json 
@@ -1,799 +1,832 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-rstudio:r4.4.1", - "inseefrlab/onyxia-rstudio:r4.3.3" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-rstudio:r4.4.1" - }, - "custom": { - "description": "use a custom RStudio docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom RStudio docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "RStudio unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-rstudio:r4.4.1", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. 
No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuRequest", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryRequest", - "useRegionSliderConfig": "memory" - } - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": 
"Maximum", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuLimit", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryLimit", - "useRegionSliderConfig": "memory" - } - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-rstudio:r4.4.1", + "inseefrlab/onyxia-rstudio:r4.3.3" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-rstudio:r4.4.1" }, - "properties": { + "custom": { + "description": "use a custom RStudio docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom RStudio docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": "RStudio unsupported version", + 
"type": "string", + "default": "inseefrlab/onyxia-rstudio:r4.4.1", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } - }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + } + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuRequest", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryRequest", + 
"useRegionSliderConfig": "memory" + } } + } }, - "kubernetes": { - "description": "configuration of your kubernetes access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuLimit", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "view", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryLimit", + "useRegionSliderConfig": "memory" + } } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": 
"ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + 
"overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": 
"{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/role.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your 
service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", - "description": "Enable a custom service port", - "default": false - }, - "port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "view", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": 
"array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - "title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - 
"certManagerClusterIssuer": { - "type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - } - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true + }, + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": 
"{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + 
} + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, "repository": { - "description": "r repository (eg : cran mirrors or proxy caches)", - "type": "object", - "properties": { - "rRepository": { - "type": "string", - "description": "r repository", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" - } - }, - "packageManagerUrl": { - "type": "string", - "description": "Posit Package Manager URL", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + "description": "Enable a custom service port", + "default": false }, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { 
+ "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "security": { + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } + }, + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - 
"x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.lang" - } - } - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - } - } + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } }, - "message": { - 
"type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties":{ - "fr": { - "type": "string", - "description": "message à ajouter dans les notes", - "default": ""}, - "en": { - "type": "string", - "description": "message to add in notes", - "default": ""} - } + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "r repository (eg : cran mirrors or proxy caches)", + "type": "object", + "properties": { + "rRepository": { + "type": "string", + "description": "r repository", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": 
"{{packageRepositoryInjection.cranProxyUrl}}" + } + }, + "packageManagerUrl": { + "type": "string", + "description": "Posit Package Manager URL", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" + } + } + } + }, + "startupProbe": { + "type": "object", + "description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + 
"hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } + } } \ No newline at end of file diff --git a/charts/rstudio/values.yaml b/charts/rstudio/values.yaml index 93ed9e22..b2fc2ea8 100644 --- a/charts/rstudio/values.yaml +++ b/charts/rstudio/values.yaml @@ -25,6 +25,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + environment: user: onyxia group: users @@ -41,7 +48,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: true @@ -71,7 +77,6 @@ git: # Declare variables to be passed into your templates. replicaCount: 1 - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -125,6 +130,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: enabled: false diff --git a/charts/vscode-pyspark/Chart.yaml b/charts/vscode-pyspark/Chart.yaml index 9c81cd87..e5ac3171 100644 --- a/charts/vscode-pyspark/Chart.yaml +++ b/charts/vscode-pyspark/Chart.yaml 
@@ -24,9 +24,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.4 +version: 2.1.15 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-pyspark/README.md b/charts/vscode-pyspark/README.md index e419a811..3ac43a2f 100644 --- a/charts/vscode-pyspark/README.md +++ b/charts/vscode-pyspark/README.md @@ -1,6 +1,6 @@ # vscode-pyspark -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.15](https://img.shields.io/badge/Version-2.1.15-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The Visual Studio Code IDE with PySpark, an interface to use Apache Spark from Python. @@ -15,7 +15,7 @@ The Visual Studio Code IDE with PySpark, an interface to use Apache Spark from P | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The Visual Studio Code IDE with PySpark, an interface to use Apache Spark from P | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -51,6 +53,7 @@ The Visual Studio Code IDE with PySpark, an interface to use Apache Spark from P | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | @@ -105,9 +108,9 @@ The Visual Studio Code IDE with PySpark, an interface to use Apache Spark from P | security.password | string | `"changeme"` | | | securityContext | object | `{}` | | | service.image.custom.enabled | bool | `false` | | -| service.image.custom.version | string | `"inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2"` | | +| service.image.custom.version | string | `"inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3"` | | | service.image.pullPolicy | string | `"IfNotPresent"` | | -| service.image.version | string | `"inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2"` | | +| service.image.version | string | `"inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3"` | | | serviceAccount.annotations | object | `{}` | | | serviceAccount.create | bool | `true` | | | serviceAccount.name | string | `""` | | 
diff --git a/charts/vscode-pyspark/templates/secret-cacerts.yaml b/charts/vscode-pyspark/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-pyspark/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-pyspark/templates/secret-extraenv.yaml b/charts/vscode-pyspark/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-pyspark/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-pyspark/templates/statefulset.yaml b/charts/vscode-pyspark/templates/statefulset.yaml index c40dc5c0..d6200f1b 100644 --- a/charts/vscode-pyspark/templates/statefulset.yaml +++ b/charts/vscode-pyspark/templates/statefulset.yaml @@ -50,6 +50,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -100,6 +103,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameCoreSite" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -111,9 +119,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.s3.enabled }} 
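Review bot: The `checksum/cacerts` annotation added in charts/vscode-pyspark/templates/statefulset.yaml (hunk `@@ -50,6 +53,9 @@`) hashes the raw value of `.Values.certificates.cacerts`, which a later hunk of the same file also accepts as an `http(s)://` URL. In the URL form the annotation changes only when the URL string changes, so a bundle rotated behind the same URL does not roll the pods, and running pods keep the old trust anchors until something else restarts them. I would record that next to the annotation, for example `{{- /* hashes the configured value; for a URL this is the URL, not the downloaded bundle */}}`. The annotations block starts outside this hunk.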
@@ -121,7 +129,7 @@ spec: cp /src/coresite/core-site.xml /dest/coresite/core-site.xml; {{- end }} {{- if .Values.spark.default }} - mdir /dest/spark; + mkdir /dest/spark; cp /src/spark/spark-defaults.conf /dest/spark/spark-defaults.conf; {{- end }} {{- if and (.Values.spark.default) (.Values.repository.mavenRepository) }} @@ -131,14 +139,27 @@ spec: {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite @@ -216,7 +237,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -243,6 +264,10 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / 
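Review bot: The CA bundle download added in hunk `@@ -131,14 +139,27 @@` accepts plain HTTP, because the guard is `regexMatch "^https?://"`; trust anchors fetched over an unauthenticated channel can be substituted on the network path before they are installed into the pod. `curl -s` also has no `--fail`, so an HTTP error body is written to `/tmp/ca.pem` and split by `awk` as if it were certificates, and the command substitution is unquoted. I would narrow the guard to `regexMatch "^https://"` and fetch with `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem;`. The `awk` split writes any text before the first `BEGIN CERT` line into `cert.0.crt`; `c>0 { print > ... }` would drop it. The same block is added to the vscode-python-gpu statefulset (`@@ -83,26 +91,39 @@`), and the init container definition starts outside this hunk.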
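Review bot: The `extraEnvVars` secret in hunk `@@ -243,6 +264,10 @@` is appended as the last `envFrom` source without a comment on precedence. Kubernetes resolves duplicate keys across `envFrom` sources in favour of the last one, so a user-supplied name here replaces a same-named key from the token, S3, vault or MLflow secrets listed before it. If that override is intended, say so in place, e.g. `# listed last on purpose: keys here override same-named keys from the secrets above`; if it is not, the entry belongs before the platform secrets. The `envFrom` list starts outside this hunk.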
@@ -287,12 +312,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-pyspark/values.schema.json b/charts/vscode-pyspark/values.schema.json index 11740b2d..f438a5e6 100644 --- a/charts/vscode-pyspark/values.schema.json +++ b/charts/vscode-pyspark/values.schema.json @@ -24,15 +24,15 @@ "description": "supported versions", "type": "string", "listEnum": [ - "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2", - "inseefrlab/onyxia-vscode-pyspark:py3.11.10-spark3.5.2" + "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3", + "inseefrlab/onyxia-vscode-pyspark:py3.11.10-spark3.5.3" ], "render": "list", "hidden": { "value": true, "path": "service/image/custom/enabled" }, - "default": "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2" + "default": "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3" }, "custom": { "description": "use a custom vscode docker image", @@ -44,13 +44,13 @@ "description": "use a custom vscode docker image", "default": false, "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" + "overwriteSchemaWith": "ide/customImage.json" } }, "version": { "description": "vscode unsupported version", "type": "string", - "default": "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2", + "default": "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3", "hidden": { "value": false, "path": "service/image/custom/enabled" 
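Review bot: The added `config-files` mount at `{{ .Values.certificates.pathToCaBundle }}` is gated only on `pathToCaBundle`, while the init container creates `/dest/cacerts` only when `certificates.cacerts` is set. The schema in this commit gives `pathToCaBundle` a default of `/usr/local/share/ca-certificates/`, so a deployment that takes the schema defaults with an empty `cacerts` would presumably mount an empty `cacerts` subPath over that directory and hide whatever the image ships there. Gating on both values, `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`, and quoting the path with `mountPath: {{ .Values.certificates.pathToCaBundle | quote }}` keeps the mount tied to content that exists. The same hunk appears in the vscode-python-gpu statefulset (`@@ -212,12 +237,17 @@`), and the `volumeMounts` list starts outside the hunk.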
@@ -66,7 +66,7 @@ "description": "spark specific configuration", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "spark.json" + "overwriteSchemaWith": "spark.json" }, "properties": { "sparkui": { 
@@ -113,392 +113,415 @@ "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "overwriteSchemaWith": "ide/resources.json" }, "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory" - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory" - } - } + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu 
guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu" + }, + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory" + } + } + }, + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu" + }, + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory" + } } + } } }, "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the 
persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } } + } }, "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } + }, + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user 
initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } } + } }, "kubernetes": { - "description": "configuration of your kubernetes access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "role-spark.json" + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "role-spark.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "admin", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render":"list" - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "admin", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" } + } }, "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your 
environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + 
"secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } } + } }, "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" + "description": "Configuration of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + 
"x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } } + } }, "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": 
"git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "repository": { + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + 
"overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } } + } }, "networking": { "type": "object", 
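Review bot: The `name` pattern `^[a-zA-Z0-9_]+$` in the new `extraEnvVars` items accepts a leading digit, and neither `name` nor `value` is required, so an entry with a missing or non-identifier name passes schema validation and may only fail, or be silently skipped, when the secret is consumed through `envFrom`. I would tighten it to `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"` and add `"required": ["name"]` to the item object. This hunk (`@@ -113,392 +113,415 @@`) also re-indents several hundred unrelated lines, which buries the one functional addition; a separate formatting commit would make the schema change reviewable. The same `extraEnvVars` block is added to the vscode-python-gpu schema (`@@ -240,6 +240,29 @@`).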
@@ -554,47 +577,47 @@ } }, "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.from" + } } + } } + } }, "nodeSelector": { 
"type": "object", @@ -665,7 +688,7 @@ "overwriteDefaultWith": "k8s.useCertManager" } }, - "certManagerClusterIssuer":{ + "certManagerClusterIssuer": { "type": "string", "description": "certManager cluster issuer", "title": "CertManager Cluster Issuer", @@ -674,6 +697,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -748,44 +779,44 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + } } - }, - "startupProbe": { + }, + "startupProbe": { "type": "object", "description": "Startup probe", "default": { 
@@ -796,20 +827,20 @@ "timeoutSeconds": 2 }, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" } }, "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" - } + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } }, "userPreferences": { "description": "User Preferences", @@ -849,6 +880,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", 
@@ -856,16 +913,18 @@ "hidden": true, "overwriteSchemaWith": "ide/message.json" }, - "properties":{ + "properties": { "fr": { "type": "string", "description": "message à ajouter dans les notes", - "default": ""}, + "default": "" + }, "en": { "type": "string", "description": "message to add in notes", - "default": ""} + "default": "" + } } } } -} +} \ No newline at end of file diff --git a/charts/vscode-pyspark/values.yaml b/charts/vscode-pyspark/values.yaml index 83ccafe2..fc61a839 100644 --- a/charts/vscode-pyspark/values.yaml +++ b/charts/vscode-pyspark/values.yaml @@ -4,11 +4,11 @@ global: service: image: - version: "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2" + version: "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3" pullPolicy: IfNotPresent custom: enabled: false - version: "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.2" + version: "inseefrlab/onyxia-vscode-pyspark:py3.12.6-spark3.5.3" spark: sparkui: false @@ -49,6 +49,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + environment: user: onyxia group: users @@ -125,7 +132,6 @@ metaflow: # Declare variables to be passed into your templates. replicaCount: 1 - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" @@ -180,6 +186,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: enabled: false @@ -245,6 +252,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/vscode-python-gpu/Chart.yaml b/charts/vscode-python-gpu/Chart.yaml index 7da5075f..2d3032ce 100644 --- a/charts/vscode-python-gpu/Chart.yaml +++ b/charts/vscode-python-gpu/Chart.yaml 
@@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-python-gpu/README.md b/charts/vscode-python-gpu/README.md index b7ce7451..1ce34813 100644 --- a/charts/vscode-python-gpu/README.md +++ b/charts/vscode-python-gpu/README.md @@ -1,6 +1,6 @@ # vscode-python-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCOde IDE with Python, Julia, and a collection of standard data science packages, with GPU support. @@ -15,7 +15,7 @@ The VSCOde IDE with Python, Julia, and a collection of standard data science pac | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCOde IDE with Python, Julia, and a collection of standard data science pac
 | autoscaling.maxReplicas | int | `100` | |
 | autoscaling.minReplicas | int | `1` | |
 | autoscaling.targetCPUUtilizationPercentage | int | `80` | |
+| certificates | object | `{}` | |
 | coresite.configMapName | string | `""` | |
 | discovery.hive | bool | `true` | |
 | discovery.metaflow | bool | `true` | |
 | discovery.mlflow | bool | `true` | |
 | environment.group | string | `"users"` | |
 | environment.user | string | `"onyxia"` | |
+| extraEnvVars | list | `[]` | |
 | fullnameOverride | string | `""` | |
 | git.branch | string | `""` | |
 | git.cache | string | `""` | |
@@ -49,6 +51,7 @@ The VSCOde IDE with Python, Julia, and a collection of standard data science pac
 | ingress.ingressClassName | string | `""` | |
 | ingress.tls | bool | `true` | |
 | ingress.useCertManager | bool | `false` | |
+| ingress.useTlsSecret | bool | `false` | |
 | ingress.userHostname | string | `"chart-example-user.local"` | |
 | init.personalInit | string | `""` | |
 | init.personalInitArgs | string | `""` | |
diff --git a/charts/vscode-python-gpu/templates/secret-cacerts.yaml b/charts/vscode-python-gpu/templates/secret-cacerts.yaml
new file mode 100644
index 00000000..71c878fb
--- /dev/null
+++ b/charts/vscode-python-gpu/templates/secret-cacerts.yaml
@@ -0,0 +1 @@
+{{ include "library-chart.secretCacerts" . }}
diff --git a/charts/vscode-python-gpu/templates/secret-extraenv.yaml b/charts/vscode-python-gpu/templates/secret-extraenv.yaml
new file mode 100644
index 00000000..63fa9428
--- /dev/null
+++ b/charts/vscode-python-gpu/templates/secret-extraenv.yaml
@@ -0,0 +1 @@
+{{ include "library-chart.secretExtraEnv" . }}
\ No newline at end of file
diff --git a/charts/vscode-python-gpu/templates/statefulset.yaml b/charts/vscode-python-gpu/templates/statefulset.yaml
index 294e7d4a..2213a404 100644
--- a/charts/vscode-python-gpu/templates/statefulset.yaml
+++ b/charts/vscode-python-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
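Review bot: The added `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` line leaves the command substitution unquoted, and the `regexMatch "^https?://"` guard anchors only the start of the value, so whitespace in the value is word-split into additional curl arguments. The guard also accepts plain `http://`, and `-s` without `-f` stores an HTTP error body in `/tmp/ca.pem` with exit status 0. Whatever comes back is then split by the `awk` line into `/dest/cacerts`, the directory the main container mounts at `pathToCaBundle`. I would tighten the guard to `regexMatch "^https://[^[:space:]]+$"` and fetch with `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1;`. The same lines are added in the vscode-python and vscode-pytorch-gpu statefulset templates later in this diff, and the container spec continues outside the hunk.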
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-python-gpu/values.schema.json b/charts/vscode-python-gpu/values.schema.json index b4696be2..2d9f1af9 100644 --- a/charts/vscode-python-gpu/values.schema.json +++ b/charts/vscode-python-gpu/values.schema.json @@ -240,6 +240,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
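Review bot: The new `config-files` mount at `.Values.certificates.pathToCaBundle` in the last statefulset.yaml hunk is guarded by `pathToCaBundle` alone, whereas the init container creates `/dest/cacerts` only when `certificates.cacerts` is set. The values.schema.json change in this commit defaults `pathToCaBundle` to `/usr/local/share/ca-certificates/` and `cacerts` to an empty string, so with those defaults the mount would presumably place an empty directory over whatever the image ships at that path; this depends on how the `config-files` volume is defined, which is outside the hunk. Using the same guard as the other cacerts blocks and quoting the path avoids that: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}` and `mountPath: {{ .Values.certificates.pathToCaBundle | quote }}`. The vscode-python and vscode-pytorch-gpu templates add the same block.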
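Review bot: The `name` pattern `^[a-zA-Z0-9_]+$` in the new `extraEnvVars` schema accepts names that start with a digit, and the item object has no `required` list, so an entry without `name` or `value` also validates. Suggested: `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"` and `"required": ["name", "value"]` on the item object. The statefulset hunk in this commit appends the extra-env secret as the last `envFrom` source, so a name that matches a key from an earlier `envFrom` secret replaces that value; the `description` should say so. The same schema block is added for vscode-python and vscode-pytorch-gpu.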
@@ -684,6 +707,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -850,6 +881,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-python-gpu/values.yaml b/charts/vscode-python-gpu/values.yaml index 099cc5ee..8b45e822 100644 --- a/charts/vscode-python-gpu/values.yaml +++ b/charts/vscode-python-gpu/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-python/Chart.yaml b/charts/vscode-python/Chart.yaml index 3fb84c64..3712c33d 100644 --- a/charts/vscode-python/Chart.yaml +++ b/charts/vscode-python/Chart.yaml 
@@ -22,9 +22,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-python/README.md b/charts/vscode-python/README.md index 42d8edc7..ddbd2846 100644 --- a/charts/vscode-python/README.md +++ b/charts/vscode-python/README.md @@ -1,6 +1,6 @@ # vscode-python -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The Visual Studio Code IDE with Python, Julia, and a collection of standard data science packages. @@ -15,7 +15,7 @@ The Visual Studio Code IDE with Python, Julia, and a collection of standard data | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The Visual Studio Code IDE with Python, Julia, and a collection of standard data | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The Visual Studio Code IDE with Python, Julia, and a collection of standard data | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-python/templates/secret-cacerts.yaml b/charts/vscode-python/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-python/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-python/templates/secret-extraenv.yaml b/charts/vscode-python/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-python/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-python/templates/statefulset.yaml b/charts/vscode-python/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-python/templates/statefulset.yaml +++ b/charts/vscode-python/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-python/values.schema.json b/charts/vscode-python/values.schema.json index 660e97b6..c6f196cb 100644 --- a/charts/vscode-python/values.schema.json +++ b/charts/vscode-python/values.schema.json @@ -44,7 +44,7 @@ "description": "use a custom vscode docker images", "default": false, "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" + "overwriteSchemaWith": "ide/customImage.json" } }, "version": { @@ -66,7 +66,7 @@ "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "overwriteSchemaWith": "ide/resources.json" }, "properties": { "requests": { @@ -159,7 +159,7 @@ "description": "Configuration for persistence", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "overwriteSchemaWith": "ide/persistence.json" }, "properties": { "enabled": { 
@@ -193,7 +193,7 @@ "description": "Init parameters", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + "overwriteSchemaWith": "ide/init.json" }, "properties": { "regionInit": { @@ -226,11 +226,34 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "overwriteSchemaWith": "ide/role.json" }, "properties": { "enabled": { @@ -259,34 +282,34 @@ "description": "configuration for openshift compatibility", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/openshiftSCC.json" + "overwriteSchemaWith": "ide/openshiftSCC.json" }, "properties": { - "enabled": { + "enabled": { "description": "enable rolebinding with openshift scc", "type": "boolean", "default": false, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.enabled" - } - }, - "scc": { - "type": "string", - "description": "name of scc for rolebinding", - "default": "anyuid", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.scc" - } + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.enabled" + } + }, + "scc": { + "type": "string", + "description": "name of scc for rolebinding", + "default": "anyuid", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.scc" } } + } }, "vault": { "description": "Configuration of vault client", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" + "overwriteSchemaWith": "ide/vault.json" }, "properties": { "enabled": { 
@@ -354,7 +377,7 @@ "description": "Configuration of temporary identity", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" + "overwriteSchemaWith": "ide/s3.json" }, "properties": { "enabled": { @@ -425,7 +448,7 @@ "description": "Git user configuration", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" + "overwriteSchemaWith": "ide/git.json" }, "properties": { "enabled": { 
@@ -559,56 +582,56 @@ } }, "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.from" + } } + } } + } }, "nodeSelector": { 
"type": "object", "description": "NodeSelector", "default": {}, "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" } }, "ingress": { @@ -662,7 +685,7 @@ "overwriteDefaultWith": "k8s.useCertManager" } }, - "certManagerClusterIssuer":{ + "certManagerClusterIssuer": { "type": "string", "description": "certManager cluster issuer", "title": "CertManager Cluster Issuer", @@ -671,6 +694,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -743,9 +774,9 @@ "timeoutSeconds": 2 }, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" } }, "tolerations": { @@ -753,9 +784,9 @@ "description": "Array of tolerations", "default": [], "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" } }, "userPreferences": { 
@@ -800,43 +831,69 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": 
{ + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } } - }, + }, "message": { "type": "object", "description": "Warning message", @@ -844,16 +901,18 @@ "hidden": true, "overwriteSchemaWith": "ide/message.json" }, - "properties":{ + "properties": { "fr": { "type": "string", "description": "message à ajouter dans les notes", - "default": ""}, + "default": "" + }, "en": { "type": "string", "description": "message to add in notes", - "default": ""} + "default": "" + } } } } -} +} \ No newline at end of file diff --git a/charts/vscode-python/values.yaml b/charts/vscode-python/values.yaml index bdc20548..1e447688 100644 --- a/charts/vscode-python/values.yaml +++ b/charts/vscode-python/values.yaml @@ -26,6 +26,13 @@ init: personalInit: "" personalInitArgs: "" +# Array with (templated) extra environment variables to be made accessible within the service +# e.g: +# extraEnvVars: +# - name: FOO +# value: "bar" +extraEnvVars: [] + s3: # Specifies whether a config map should be created enabled: true @@ -144,6 +151,7 @@ ingress: # - chart-example.local useCertManager: false certManagerClusterIssuer: "" + useTlsSecret: false route: @@ -221,6 +229,10 @@ proxy: httpProxy: "" httpsProxy: "" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/vscode-pytorch-gpu/Chart.yaml b/charts/vscode-pytorch-gpu/Chart.yaml index c8d0c7d9..bbb9b0d9 100644 --- a/charts/vscode-pytorch-gpu/Chart.yaml +++ b/charts/vscode-pytorch-gpu/Chart.yaml 
@@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-pytorch-gpu/README.md b/charts/vscode-pytorch-gpu/README.md index 63b6b2b7..a8a7512f 100644 --- a/charts/vscode-pytorch-gpu/README.md +++ b/charts/vscode-pytorch-gpu/README.md @@ -1,6 +1,6 @@ # vscode-pytorch-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with Python and the deep-learning framework PyTorch, with GPU support. @@ -15,7 +15,7 @@ The VSCode IDE with Python and the deep-learning framework PyTorch, with GPU sup | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with Python and the deep-learning framework PyTorch, with GPU sup | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with Python and the deep-learning framework PyTorch, with GPU sup | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-pytorch-gpu/templates/secret-cacerts.yaml b/charts/vscode-pytorch-gpu/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-pytorch-gpu/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-pytorch-gpu/templates/secret-extraenv.yaml b/charts/vscode-pytorch-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-pytorch-gpu/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-pytorch-gpu/templates/statefulset.yaml b/charts/vscode-pytorch-gpu/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-pytorch-gpu/templates/statefulset.yaml 
+++ b/charts/vscode-pytorch-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-pytorch-gpu/values.schema.json b/charts/vscode-pytorch-gpu/values.schema.json index ebf2e177..10c5495e 100644 --- a/charts/vscode-pytorch-gpu/values.schema.json +++ b/charts/vscode-pytorch-gpu/values.schema.json @@ -240,6 +240,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
@@ -684,6 +707,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -850,6 +881,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-pytorch-gpu/values.yaml b/charts/vscode-pytorch-gpu/values.yaml index abcaf41b..f0d7c31f 100644 --- a/charts/vscode-pytorch-gpu/values.yaml +++ b/charts/vscode-pytorch-gpu/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-pytorch/Chart.yaml b/charts/vscode-pytorch/Chart.yaml index 465765e1..940d3b66 100644 --- a/charts/vscode-pytorch/Chart.yaml 
+++ b/charts/vscode-pytorch/Chart.yaml @@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-pytorch/README.md b/charts/vscode-pytorch/README.md index 72db5c6d..f561cd42 100644 --- a/charts/vscode-pytorch/README.md +++ b/charts/vscode-pytorch/README.md @@ -1,6 +1,6 @@ # vscode-pytorch -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with Python and the deep-learning framework PyTorch. @@ -15,7 +15,7 @@ The VSCode IDE with Python and the deep-learning framework PyTorch. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with Python and the deep-learning framework PyTorch. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with Python and the deep-learning framework PyTorch. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-pytorch/templates/secret-cacerts.yaml b/charts/vscode-pytorch/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-pytorch/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-pytorch/templates/secret-extraenv.yaml b/charts/vscode-pytorch/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-pytorch/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-pytorch/templates/statefulset.yaml b/charts/vscode-pytorch/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-pytorch/templates/statefulset.yaml +++ b/charts/vscode-pytorch/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
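Review bot: The new `checksum/cacerts` annotation hashes `.Values.certificates.cacerts`, which per the schema may be a URL rather than the certificates themselves, so in that case the hash only changes when the URL changes. A CA rotated or withdrawn at the same URL would not roll the pods, and running pods keep the bundle fetched at their last start. A template comment above the annotation would make this visible: `{{- /* hashes the value as given; for a URL the remote bundle is not tracked */}}`. The same hunk appears for vscode-r-python-julia, vscode-r and vscode-tensorflow-gpu.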
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-pytorch/values.schema.json b/charts/vscode-pytorch/values.schema.json index 49ac8dc8..2a3fa19e 100644 --- a/charts/vscode-pytorch/values.schema.json +++ b/charts/vscode-pytorch/values.schema.json @@ -226,6 +226,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
@@ -671,6 +694,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -837,6 +868,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-pytorch/values.yaml b/charts/vscode-pytorch/values.yaml index b8ca7798..3595a712 100644 --- a/charts/vscode-pytorch/values.yaml +++ b/charts/vscode-pytorch/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-r-python-julia/Chart.yaml b/charts/vscode-r-python-julia/Chart.yaml index 09892fd5..3b401dda 100644 --- a/charts/vscode-r-python-julia/Chart.yaml 
+++ b/charts/vscode-r-python-julia/Chart.yaml @@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-r-python-julia/README.md b/charts/vscode-r-python-julia/README.md index bafb121c..fbc6e1f6 100644 --- a/charts/vscode-r-python-julia/README.md +++ b/charts/vscode-r-python-julia/README.md @@ -1,6 +1,6 @@ # vscode-r-python-julia -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with minimal installations of R, Python and Julia. @@ -15,7 +15,7 @@ The VSCode IDE with minimal installations of R, Python and Julia. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with minimal installations of R, Python and Julia. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with minimal installations of R, Python and Julia. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-r-python-julia/templates/secret-cacerts.yaml b/charts/vscode-r-python-julia/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-r-python-julia/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-r-python-julia/templates/secret-extraenv.yaml b/charts/vscode-r-python-julia/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-r-python-julia/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-r-python-julia/templates/statefulset.yaml b/charts/vscode-r-python-julia/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-r-python-julia/templates/statefulset.yaml 
+++ b/charts/vscode-r-python-julia/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-r-python-julia/values.schema.json b/charts/vscode-r-python-julia/values.schema.json index 2c0f9494..2f7e019b 100644 --- a/charts/vscode-r-python-julia/values.schema.json +++ b/charts/vscode-r-python-julia/values.schema.json @@ -225,6 +225,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
@@ -670,6 +693,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -836,6 +867,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-r-python-julia/values.yaml b/charts/vscode-r-python-julia/values.yaml index 1364427c..282dc1cc 100644 --- a/charts/vscode-r-python-julia/values.yaml +++ b/charts/vscode-r-python-julia/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-r/Chart.yaml b/charts/vscode-r/Chart.yaml index 84c8e2f2..dd6afff3 100644 --- a/charts/vscode-r/Chart.yaml +++ b/charts/vscode-r/Chart.yaml 
@@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-r/README.md b/charts/vscode-r/README.md index 12edec89..9716b10c 100644 --- a/charts/vscode-r/README.md +++ b/charts/vscode-r/README.md @@ -1,6 +1,6 @@ # vscode-r -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with R and a collection of standard data science packages. @@ -15,7 +15,7 @@ The VSCode IDE with R and a collection of standard data science packages. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with R and a collection of standard data science packages. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with R and a collection of standard data science packages. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-r/templates/secret-cacerts.yaml b/charts/vscode-r/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-r/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-r/templates/secret-extraenv.yaml b/charts/vscode-r/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-r/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-r/templates/statefulset.yaml b/charts/vscode-r/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-r/templates/statefulset.yaml +++ b/charts/vscode-r/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-r/values.schema.json b/charts/vscode-r/values.schema.json index e836f71f..5fb29159 100644 --- a/charts/vscode-r/values.schema.json +++ b/charts/vscode-r/values.schema.json @@ -226,6 +226,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", @@ -671,6 +694,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, 
@@ -837,6 +868,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-r/values.yaml b/charts/vscode-r/values.yaml index 9eeb0be8..d8d467d5 100644 --- a/charts/vscode-r/values.yaml +++ b/charts/vscode-r/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-tensorflow-gpu/Chart.yaml b/charts/vscode-tensorflow-gpu/Chart.yaml index 865bf44a..178691fe 100644 --- a/charts/vscode-tensorflow-gpu/Chart.yaml +++ b/charts/vscode-tensorflow-gpu/Chart.yaml 
@@ -11,8 +11,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-tensorflow-gpu/README.md b/charts/vscode-tensorflow-gpu/README.md index 81a21127..8bb4cd02 100644 --- a/charts/vscode-tensorflow-gpu/README.md +++ b/charts/vscode-tensorflow-gpu/README.md @@ -1,6 +1,6 @@ # vscode-tensorflow-gpu -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with Python and the deep-learning framework TensorFlow, with GPU support. @@ -15,7 +15,7 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow, with GPU | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow, with GPU | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow, with GPU | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-tensorflow-gpu/templates/secret-cacerts.yaml b/charts/vscode-tensorflow-gpu/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-tensorflow-gpu/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-tensorflow-gpu/templates/secret-extraenv.yaml b/charts/vscode-tensorflow-gpu/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-tensorflow-gpu/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-tensorflow-gpu/templates/statefulset.yaml b/charts/vscode-tensorflow-gpu/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-tensorflow-gpu/templates/statefulset.yaml 
+++ b/charts/vscode-tensorflow-gpu/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
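Review bot: `checksum/cacerts` hashes `.Values.certificates.cacerts`, which is the URL string rather than the certificates when a URL is supplied. A bundle that changes behind an unchanged URL (a CA added or withdrawn) therefore leaves the annotation unchanged, and running pods keep the set they fetched at their last start. A template comment above the annotation would make that explicit, e.g. `{{- /* hashes the PEM text or the URL itself; a bundle changed behind the same URL does not roll the pod */}}`. The same annotation is added in the vscode-tensorflow statefulset.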
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
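Review bot: The URL branch of the new init-container script fetches trust anchors with `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem`, and its guard `regexMatch "^https?://"` also accepts plain `http://`, so the CA bundle can arrive over an unauthenticated channel. On an HTTP error status curl without `-f` exits 0 and writes the error body to `/tmp/ca.pem`, which `awk` then splits into `/dest/cacerts/cert.N.crt` as if it were certificates, while `-s` hides the failure. I would narrow the match to `"^https://"` and use `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1;` so that a bad fetch fails the init container instead of producing a broken trust directory. The identical lines are added to the vscode-tensorflow statefulset later in the diff, and the container spec continues outside this hunk.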
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-tensorflow-gpu/values.schema.json b/charts/vscode-tensorflow-gpu/values.schema.json index cbdbef0c..89bf9188 100644 --- a/charts/vscode-tensorflow-gpu/values.schema.json +++ b/charts/vscode-tensorflow-gpu/values.schema.json @@ -240,6 +240,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
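Review bot: The new `config-files` mount at `{{ .Values.certificates.pathToCaBundle }}` is guarded only by `pathToCaBundle`, while the init container fills `/dest/cacerts` only when `certificates.cacerts` is set. The schema gives `pathToCaBundle` a default of `/usr/local/share/ca-certificates/`, so when that default is applied with `cacerts` empty, the `cacerts` subPath presumably mounts an empty directory over whatever the image ships at that path. I would use the same condition as the producer and quote the path: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}` and `mountPath: {{ .Values.certificates.pathToCaBundle | quote }}`. The same mount is added to the vscode-tensorflow statefulset; the `volumeMounts` list starts outside this hunk.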
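Review bot: The `name` pattern `^[a-zA-Z0-9_]+$` in the new `extraEnvVars` schema accepts names that begin with a digit, which are not valid shell identifiers and may be skipped or rejected when the secret is consumed through `envFrom`. I would tighten it to `"pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$"`. The item's `"default": ""` for `name` does not match either pattern, and nothing marks `name` as mandatory, so adding `"required": ["name"]` to the item object would reject empty entries at validation time rather than at pod start. The same block is added to the vscode-tensorflow schema.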
@@ -684,6 +707,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -850,6 +881,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-tensorflow-gpu/values.yaml b/charts/vscode-tensorflow-gpu/values.yaml index 93bac749..bb8c9a86 100644 --- a/charts/vscode-tensorflow-gpu/values.yaml +++ b/charts/vscode-tensorflow-gpu/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/charts/vscode-tensorflow/Chart.yaml b/charts/vscode-tensorflow/Chart.yaml index 9c9a948f..255ee47e 100644 --- a/charts/vscode-tensorflow/Chart.yaml 
+++ b/charts/vscode-tensorflow/Chart.yaml @@ -10,8 +10,8 @@ sources: - https://github.com/InseeFrLab/images-datascience - https://github.com/InseeFrLab/helm-charts-interactive-services type: application -version: 2.1.4 +version: 2.1.14 dependencies: - name: library-chart - version: 1.5.25 + version: 1.5.30 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-tensorflow/README.md b/charts/vscode-tensorflow/README.md index bf1d9090..1d0fe64c 100644 --- a/charts/vscode-tensorflow/README.md +++ b/charts/vscode-tensorflow/README.md @@ -1,6 +1,6 @@ # vscode-tensorflow -![Version: 2.1.4](https://img.shields.io/badge/Version-2.1.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 2.1.14](https://img.shields.io/badge/Version-2.1.14-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) The VSCode IDE with Python and the deep-learning framework TensorFlow. @@ -15,7 +15,7 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow. | Repository | Name | Version | |------------|------|---------| -| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.25 | +| https://inseefrlab.github.io/helm-charts-interactive-services | library-chart | 1.5.30 | ## Values 
@@ -26,12 +26,14 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow. | autoscaling.maxReplicas | int | `100` | | | autoscaling.minReplicas | int | `1` | | | autoscaling.targetCPUUtilizationPercentage | int | `80` | | +| certificates | object | `{}` | | | coresite.configMapName | string | `""` | | | discovery.hive | bool | `true` | | | discovery.metaflow | bool | `true` | | | discovery.mlflow | bool | `true` | | | environment.group | string | `"users"` | | | environment.user | string | `"onyxia"` | | +| extraEnvVars | list | `[]` | | | fullnameOverride | string | `""` | | | git.branch | string | `""` | | | git.cache | string | `""` | | @@ -49,6 +51,7 @@ The VSCode IDE with Python and the deep-learning framework TensorFlow. | ingress.ingressClassName | string | `""` | | | ingress.tls | bool | `true` | | | ingress.useCertManager | bool | `false` | | +| ingress.useTlsSecret | bool | `false` | | | ingress.userHostname | string | `"chart-example-user.local"` | | | init.personalInit | string | `""` | | | init.personalInitArgs | string | `""` | | diff --git a/charts/vscode-tensorflow/templates/secret-cacerts.yaml b/charts/vscode-tensorflow/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-tensorflow/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-tensorflow/templates/secret-extraenv.yaml b/charts/vscode-tensorflow/templates/secret-extraenv.yaml new file mode 100644 index 00000000..63fa9428 --- /dev/null +++ b/charts/vscode-tensorflow/templates/secret-extraenv.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretExtraEnv" . }} \ No newline at end of file diff --git a/charts/vscode-tensorflow/templates/statefulset.yaml b/charts/vscode-tensorflow/templates/statefulset.yaml index 294e7d4a..2213a404 100644 --- a/charts/vscode-tensorflow/templates/statefulset.yaml +++ b/charts/vscode-tensorflow/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,26 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -125,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -156,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} 
@@ -183,10 +204,14 @@ spec: - secretRef: name: {{ include "library-chart.secretNameMLFlow" . }} {{- end }} + {{- if .Values.extraEnvVars }} + - secretRef: + name: {{ include "library-chart.secretNameExtraEnv" . }} + {{- end }} livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -212,12 +237,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-tensorflow/values.schema.json b/charts/vscode-tensorflow/values.schema.json index 00a5166e..c4d8f836 100644 --- a/charts/vscode-tensorflow/values.schema.json +++ b/charts/vscode-tensorflow/values.schema.json @@ -226,6 +226,29 @@ } } }, + "extraEnvVars": { + "description": "environment variables available within your service", + "type": "array", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/extraenv.json" + }, + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "default": "", + "pattern": "^[a-zA-Z0-9_]+$" + }, + "value": { + "type": "string", + "default": "" + } + } + } + }, "kubernetes": { "description": "configuration of your kubernetes access", "type": "object", 
@@ -671,6 +694,14 @@ "hidden": true, "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } } } }, @@ -837,6 +868,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", diff --git a/charts/vscode-tensorflow/values.yaml b/charts/vscode-tensorflow/values.yaml index 727093bd..22d3a4d8 100644 --- a/charts/vscode-tensorflow/values.yaml +++ b/charts/vscode-tensorflow/values.yaml @@ -21,6 +21,7 @@ init: regionInitCheckSum: '' personalInit: '' personalInitArgs: '' +extraEnvVars: [] s3: enabled: true configMapName: '' @@ -95,6 +96,7 @@ ingress: userHostname: chart-example-user.local useCertManager: false certManagerClusterIssuer: '' + useTlsSecret: false route: enabled: false annotations: [] @@ -133,6 +135,7 @@ proxy: noProxy: '' httpProxy: '' httpsProxy: '' +certificates: {} message: fr: '' en: '' diff --git a/utils/prepull_images.py b/utils/prepull_images.py index 24f8d78a..84c8f0da 100644 --- a/utils/prepull_images.py +++ b/utils/prepull_images.py 
@@ -221,7 +221,8 @@ def prepull_daemon(namespace: str, raise TimeoutError("Timed out waiting for DaemonSet rollout to complete.") daemon_info = kube_apps_api.list_namespaced_daemon_set(namespace=namespace, - label_selector=f"name={label_name}" + label_selector=f"name={label_name}", + timeout_seconds = 10 ) # Get total number of daemons that will be launched
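Review bot: The added `timeout_seconds = 10` is, in the Kubernetes Python client, the server-side timeout of the list call and does not bound the client's connection or read time. If the aim is to keep `prepull_daemon` from hanging on an unresponsive API server, `_request_timeout=10` is the client-side limit. The keyword should also be written without spaces, `timeout_seconds=10`, and the literal 10 would be easier to tune as a named constant or parameter. The body of `prepull_daemon` starts and continues outside this hunk.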