From b45d15e57a52c16b1bfa65d7011994fa93325b99 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gaspard=20F=C3=A9rey?= Date: Wed, 23 Oct 2024 16:44:16 +0200 Subject: [PATCH] [ALL] Use a secret for CA certificates (#168) * Storing CA certs in a secret and adding checksum for easy upgrade * Applied modifications to all charts --- charts/jupyter-pyspark/Chart.yaml | 4 +- .../templates/secret-cacerts.yaml | 1 + .../templates/statefulset.yaml | 52 +- charts/jupyter-pyspark/values.schema.json | 94 +- charts/jupyter-pyspark/values.yaml | 5 +- charts/jupyter-python/Chart.yaml | 4 +- .../templates/secret-cacerts.yaml | 1 + .../jupyter-python/templates/statefulset.yaml | 36 +- charts/jupyter-python/values.schema.json | 1676 ++++++++-------- charts/jupyter-python/values.yaml | 5 +- charts/rstudio-sparkr/Chart.yaml | 4 +- .../templates/secret-cacerts.yaml | 1 + .../rstudio-sparkr/templates/statefulset.yaml | 40 +- charts/rstudio-sparkr/values.schema.json | 1724 +++++++++-------- charts/rstudio-sparkr/values.yaml | 4 + charts/rstudio/Chart.yaml | 4 +- charts/rstudio/templates/statefulset.yaml | 62 +- charts/rstudio/values.schema.json | 1548 +++++++-------- charts/rstudio/values.yaml | 2 - charts/vscode-pyspark/Chart.yaml | 4 +- .../templates/secret-cacerts.yaml | 1 + .../vscode-pyspark/templates/statefulset.yaml | 40 +- charts/vscode-pyspark/values.schema.json | 928 ++++----- charts/vscode-pyspark/values.yaml | 4 + charts/vscode-python/Chart.yaml | 4 +- .../templates/secret-cacerts.yaml | 1 + .../vscode-python/templates/statefulset.yaml | 52 +- charts/vscode-python/values.schema.json | 262 +-- 28 files changed, 3424 insertions(+), 3139 deletions(-) create mode 100644 charts/jupyter-pyspark/templates/secret-cacerts.yaml create mode 100644 charts/jupyter-python/templates/secret-cacerts.yaml create mode 100644 charts/rstudio-sparkr/templates/secret-cacerts.yaml create mode 100644 charts/vscode-pyspark/templates/secret-cacerts.yaml create mode 100644 charts/vscode-python/templates/secret-cacerts.yaml 
diff --git a/charts/jupyter-pyspark/Chart.yaml b/charts/jupyter-pyspark/Chart.yaml index 8ca46ab3..06c2c21e 100644 --- a/charts/jupyter-pyspark/Chart.yaml +++ b/charts/jupyter-pyspark/Chart.yaml @@ -24,9 +24,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.7 +version: 2.1.8 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-pyspark/templates/secret-cacerts.yaml b/charts/jupyter-pyspark/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-pyspark/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-pyspark/templates/statefulset.yaml b/charts/jupyter-pyspark/templates/statefulset.yaml index bbbb02b8..493d66a7 100644 --- a/charts/jupyter-pyspark/templates/statefulset.yaml +++ b/charts/jupyter-pyspark/templates/statefulset.yaml 
@@ -44,19 +44,24 @@ spec: {{- if .Values.s3.enabled }} checksum/s3: {{ include (print $.Template.BasePath "/secret-s3.yaml") . | sha256sum }} {{- end }} - {{- with .Values.podAnnotations }} - {{- toYaml . | nindent 8 }} - {{- end }} {{- if not (empty (trim (include "library-chart.secretSparkConf" .)))}} checksum/sparkconf: {{ include (print $.Template.BasePath "/secret-sparkconf.yaml") . | sha256sum }} {{- end }} {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} labels: {{- include "library-chart.selectorLabels" . | nindent 8 }} spec: volumes: + - name: config-files + emptyDir: {} - name: home {{- if .Values.persistence.enabled }} persistentVolumeClaim: @@ -99,8 +104,11 @@ spec: secretName: {{ include "library-chart.secretNameCoreSite" . }} defaultMode: 0664 {{- end }} - - name: config-files - emptyDir: {} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -114,10 +122,10 @@ spec: - name: make-configmaps-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c - - | + - -c + - | echo 'initContainer make-configmaps-writable is started'; {{- if .Values.s3.enabled }} mkdir /dest/coresite; 
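Review bot: The new `checksum/cacerts` annotation hashes the raw value `.Values.certificates.cacerts`, while the neighbouring `checksum/s3` and `checksum/vault` hash the rendered secret template. When the value is a URL, the hash covers only the URL string, so a changed bundle behind that address neither rolls the pod nor shows up in the annotation; the init container picks up whatever is served at the next restart. For consistency I would write `checksum/cacerts: {{ include (print $.Template.BasePath "/secret-cacerts.yaml") . | sha256sum }}` and add a comment beside it that URL-sourced bundles are not covered by the checksum. The same line is added in the jupyter-python statefulset (hunk `@@ -41,6 +41,9 @@`).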
@@ -132,14 +140,29 @@ spec: cp /src/ivysettings/ivysettings.xml /dest/ivysettings/ivysettings.xml; {{- end }} {{- if .Values.discovery.hive }} - mkdir /dest/hive; + mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite @@ -148,8 +171,6 @@ spec: - name: secret-ivysettings mountPath: /src/ivysettings {{- end }} - - name: config-files - mountPath: /dest {{- if .Values.spark.default }} - name: secret-sparkconf mountPath: /src/spark @@ -218,8 +239,8 @@ spec: {{- if .Values.userPreferences.darkMode }} - name: DARK_MODE value: "true" - {{- end }} - envFrom: + {{- end }} + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -296,6 +317,11 @@ spec: mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-pyspark/values.schema.json b/charts/jupyter-pyspark/values.schema.json index 6cf044b6..ecf92590 100644 
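Review bot: The download branch accepts `http://` as well as `https://` (`regexMatch "^https?://"`), so the bundle that becomes the pod's trusted roots can be fetched over an unauthenticated channel and altered on the network path. The curl call is also unquoted and has no `--fail`, so a value containing whitespace is split into extra arguments, and an HTTP error body is written to `/tmp/ca.pem` and split into `.crt` files. I would restrict the test to `regexMatch "^https://"` and use `curl -fsS --proto '=https' "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem`. The `library-chart.secretCacerts` template is not visible here and presumably applies the same test, so it would need the matching change. The identical block is added to the jupyter-python statefulset (hunk `@@ -102,9 +110,22 @@`), and the init container's script starts above this hunk.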
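Review bot: The `config-files` mount at `pathToCaBundle` in hunk `@@ -296,6 +317,11 @@` is guarded only by `.Values.certificates.pathToCaBundle`, but the `cacerts` sub-directory is created and filled only when `.Values.certificates.cacerts` is set. With a path and no bundle, which is what the schema defaults added in this commit give (`pathToCaBundle` defaults to `/usr/local/share/ca-certificates/`, `cacerts` to `""`), the mount would, as far as I can tell, place an empty directory over the image's CA directory. Guarding it with `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}` keeps the mount consistent with the init step. The jupyter-python statefulset has the same guard (hunk `@@ -226,12 +247,17 @@`).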
--- a/charts/jupyter-pyspark/values.schema.json +++ b/charts/jupyter-pyspark/values.schema.json @@ -692,7 +692,7 @@ "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } }, - "useTlsSecret":{ + "useTlsSecret": { "type": "boolean", "description": "Whether you want to use the specified secretName in ingress tls", "default": false, @@ -787,41 +787,41 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } } }, "startupProbe": { 
@@ -874,6 +874,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", @@ -895,4 +921,4 @@ } } } -} +} \ No newline at end of file diff --git a/charts/jupyter-pyspark/values.yaml b/charts/jupyter-pyspark/values.yaml index 901f72e1..5a920322 100644 --- a/charts/jupyter-pyspark/values.yaml +++ b/charts/jupyter-pyspark/values.yaml @@ -65,7 +65,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: false @@ -246,6 +245,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/jupyter-python/Chart.yaml b/charts/jupyter-python/Chart.yaml index 8f7bafc7..659714df 100644 --- a/charts/jupyter-python/Chart.yaml +++ b/charts/jupyter-python/Chart.yaml 
@@ -22,9 +22,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.6 +version: 2.1.7 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/jupyter-python/templates/secret-cacerts.yaml b/charts/jupyter-python/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/jupyter-python/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/jupyter-python/templates/statefulset.yaml b/charts/jupyter-python/templates/statefulset.yaml index 71e5a95d..bf02d975 100644 --- a/charts/jupyter-python/templates/statefulset.yaml +++ b/charts/jupyter-python/templates/statefulset.yaml @@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -89,9 +97,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} 
@@ -102,9 +110,22 @@ spec: mkdir /dest/metaflow/; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive @@ -170,7 +191,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -226,12 +247,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/jupyter-python/values.schema.json b/charts/jupyter-python/values.schema.json index cbb205f5..895afbf6 100644 --- a/charts/jupyter-python/values.schema.json +++ b/charts/jupyter-python/values.schema.json 
@@ -1,860 +1,886 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-jupyter-python:py3.12.6", - "inseefrlab/onyxia-jupyter-python:py3.11.10" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-jupyter-python:py3.12.6" - }, - "custom": { - "description": "use a custom jupyter docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom jupyter docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "jupyter unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-jupyter-python:py3.12.6", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. 
No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuRequest", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryRequest", - "useRegionSliderConfig": "memory" - } - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": 
"Maximum", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuLimit", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryLimit", - "useRegionSliderConfig": "memory" - } - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-jupyter-python:py3.12.6", + "inseefrlab/onyxia-jupyter-python:py3.11.10" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-jupyter-python:py3.12.6" }, - "properties": { + "custom": { + "description": "use a custom jupyter docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom jupyter docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": 
"jupyter unsupported version", + "type": "string", + "default": "inseefrlab/onyxia-jupyter-python:py3.12.6", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } - }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + } + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuRequest", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": 
"region.resources.memoryRequest", + "useRegionSliderConfig": "memory" + } } + } }, - "kubernetes": { - "description": "configuration of your kubernetes access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuLimit", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "view", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryLimit", + "useRegionSliderConfig": "memory" + } } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - 
"x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + 
"x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - 
"x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/role.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", - "description": "Enable a custom 
service port", - "default": false - }, - "port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "view", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "discovery": { - "description": "configure your service to autodetect some ressources.", - "type": "object", - "properties": { - "hive": { - "type": "boolean", - "title": "Enable hive metastore discovery", - "description": "discover your hive metastore service", - "default": true - }, - "mlflow": { - "type": "boolean", - "title": "Enable mlflow discovery", - "description": "discover your mlflow service", - "default": true - }, - "metaflow": { - "type": "boolean", - "title": "Enable metaflow discovery", - "description": "discover your metaflow service", - "default": true - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - 
"networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "openshiftSCC": { - "description": "configuration for openshift compatibility", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/openshiftSCC.json" - }, - "properties": { - "enabled": { - "description": "enable rolebinding with openshift scc", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.enabled" - } - }, - "scc": { - "type": "string", - "description": "name of scc for rolebinding", - "default": "anyuid", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.scc" - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + 
"overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - "title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - "certManagerClusterIssuer": { - "type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - }, - "useTlsSecret":{ - "type": "boolean", - "description": "Whether you want to use the specified secretName in ingress tls", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration of temporary identity", + "type": "object", + 
"x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": 
"s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, "repository": { - "description": "python repositories for pip and conda", - "type": "object", - "properties": { - "pipRepository": { - "type": "string", - "description": "python repository for pip", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.pypiProxyUrl}}" - } - }, - "condaRepository": { - "type": "string", - "description": "python repository for pip", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.condaProxyUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } 
}, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + "description": "Enable a custom service port", + "default": false }, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { + "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "discovery": { + "description": "configure your service to autodetect some ressources.", + "type": "object", + "properties": { + "hive": { + "type": "boolean", + "title": "Enable hive metastore discovery", + "description": "discover your hive metastore service", + "default": true + }, + "mlflow": { + "type": "boolean", + "title": "Enable mlflow discovery", + "description": "discover your mlflow service", + "default": true + }, + "metaflow": { + "type": "boolean", + "title": "Enable metaflow discovery", + "description": "discover your metaflow service", + "default": true + } + } + }, + "security": { + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + 
"overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } + }, + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "openshiftSCC": { + "description": "configuration for openshift compatibility", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/openshiftSCC.json" + }, + "properties": { + "enabled": { + "description": "enable rolebinding with openshift scc", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.enabled" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.lang" - } - } - } + 
"scc": { + "type": "string", + "description": "name of scc for rolebinding", + "default": "anyuid", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.scc" + } + } + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } }, - 
"message": { - "type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties": { - "fr": { - "type": "string", - "description": "message à ajouter dans les notes", - "default": "" - }, - "en": { - "type": "string", - "description": "message to add in notes", - "default": "" - } - } + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } + }, + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "python 
repositories for pip and conda", + "type": "object", + "properties": { + "pipRepository": { + "type": "string", + "description": "python repository for pip", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.pypiProxyUrl}}" + } + }, + "condaRepository": { + "type": "string", + "description": "python repository for pip", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.condaProxyUrl}}" + } + } + } + }, + "startupProbe": { + "type": "object", + "description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + 
"enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } -} + } +} \ No newline at end of file 
diff --git a/charts/jupyter-python/values.yaml b/charts/jupyter-python/values.yaml index e0eff885..6d563077 100644 --- a/charts/jupyter-python/values.yaml +++ b/charts/jupyter-python/values.yaml @@ -41,7 +41,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: false @@ -225,6 +224,10 @@ proxy: httpProxy: "" httpsProxy: "" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/rstudio-sparkr/Chart.yaml b/charts/rstudio-sparkr/Chart.yaml index 372aeea6..754d4dbd 100644 --- a/charts/rstudio-sparkr/Chart.yaml +++ b/charts/rstudio-sparkr/Chart.yaml @@ -23,8 +23,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.5 +version: 2.1.6 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/rstudio-sparkr/templates/secret-cacerts.yaml b/charts/rstudio-sparkr/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/rstudio-sparkr/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/rstudio-sparkr/templates/statefulset.yaml b/charts/rstudio-sparkr/templates/statefulset.yaml index 1b42555f..e1fb55b8 100644 --- a/charts/rstudio-sparkr/templates/statefulset.yaml +++ b/charts/rstudio-sparkr/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if (include "library-chart.repository.enabled" .) }} checksum/repository: {{ include (print $.Template.BasePath "/configmap-repository.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -86,6 +89,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameHive" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -99,9 +107,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.s3.enabled }} @@ -119,8 +127,23 @@ spec: {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite 
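Review bot: The `checksum/cacerts` annotation hashes the raw value of `.Values.certificates.cacerts`, so when that value is a URL (the init container in this file treats `^https?://` values as one) the hash covers only the URL text, and a rotated bundle behind the same URL will not roll the pods. It is also written differently from the `checksum/repository` line just above it, which hashes the rendered template. I would hash the rendered secret the same way, `checksum/cacerts: {{ include (print $.Template.BasePath "/secret-cacerts.yaml") . | sha256sum }}`, and add a comment such as `# URL-sourced bundles are fetched at pod start only; restart the pod to pick up a rotated CA`. The annotations block starts outside the hunk.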
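Review bot: The download step in the `make-secrets-writable` script, `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem`, accepts plain `http://` URLs, ignores HTTP errors and leaves the command substitution unquoted, so whatever body comes back is split by `awk` into files under `/dest/cacerts`, presumably to be used as trust anchors. A CA bundle fetched over unauthenticated HTTP can be swapped by anyone on the network path, and an error page would be written out as `cert.0.crt` without the init container failing. I would narrow the match to `regexMatch "^https://"` (the library template that fills the secret is not visible here and would need the same rule) and use `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1;`. The script and the container spec start outside the hunk.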
@@ -129,8 +152,6 @@ spec: - name: secret-ivysettings mountPath: /src/ivysettings {{- end }} - - name: config-files - mountPath: /dest {{- if .Values.spark.default }} - name: secret-sparkconf mountPath: /src/spark @@ -194,7 +215,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -261,7 +282,12 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/rstudio-sparkr/values.schema.json b/charts/rstudio-sparkr/values.schema.json index bc13e6ed..40f55806 100644 --- a/charts/rstudio-sparkr/values.schema.json +++ b/charts/rstudio-sparkr/values.schema.json 
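Review bot: The new `config-files` mount at `.Values.certificates.pathToCaBundle` (hunk `-261,7 +282,12`) is guarded only by `pathToCaBundle`, while the init container creates `/dest/cacerts` only when `certificates.cacerts` is set. With a bundle path configured and no `cacerts` value (the jupyter-python schema in this commit defaults `pathToCaBundle` to `/usr/local/share/ca-certificates/` and `cacerts` to an empty string; presumably the same applies to this chart), the container would get a missing or empty `cacerts` subPath mounted over that directory, which would likely hide any certificates the image already ships there. The guard should match the one used for the volume and the init step: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`. The `volumeMounts` list starts outside the hunk.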
@@ -1,889 +1,917 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", - "inseefrlab/onyxia-rstudio-sparkr:r4.3.3-spark3.5.3" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3" - }, - "custom": { - "description": "use a custom RStudio docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom RStudio docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "RStudio unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "spark": { - "description": "spark specific configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "spark.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + 
"IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "sparkui": { - "type": "boolean", - "title": "SparkUI", - "description": "Enable Spark monitoring interface", - "default": true - }, - "default": { - "type": "boolean", - "title": "Create a spark config", - "description": "Create a default spark config in spark-default.conf", - "default": true - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", + "inseefrlab/onyxia-rstudio-sparkr:r4.3.3-spark3.5.3" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3" }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory" - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - 
"default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory" - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" - }, - "properties": { + "custom": { + "description": "use a custom RStudio docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom RStudio docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": "RStudio unsupported version", + "type": "string", + "default": "inseefrlab/onyxia-rstudio-sparkr:r4.4.1-spark3.5.3", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } + } + } + } + }, + "spark": { + "description": "spark specific configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "spark.json" + }, + "properties": { + "sparkui": 
{ + "type": "boolean", + "title": "SparkUI", + "description": "Enable Spark monitoring interface", + "default": true }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + "default": { + "type": "boolean", + "title": "Create a spark config", + "description": "Create a default spark config in spark-default.conf", + "default": true + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu" }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory" } + } }, - "kubernetes": { - "description": "configuration of your kubernetes 
access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "role-spark.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu" }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "admin", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory" } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - 
"hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - 
}, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - 
"description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "role-spark.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", - "description": "Enable a custom service port", - "default": false - }, - "port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + 
"default": "admin", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "discovery": { - "description": "configure your service to autodetect some ressources.", - "type": "object", - "properties": { - "hive": { - "type": "boolean", - "title": "Enable hive metastore discovery", - "description": "discover your hive metastore service", - "default": true - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "url": { + 
"description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "sparkHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - "title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - "certManagerClusterIssuer":{ - 
"type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - }, - "useTlsSecret":{ - "type": "boolean", - "description": "Whether you want to use the specified secretName in ingress tls", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "sparkHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your 
environment", + "default": true + }, + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + 
"default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, "repository": { - "description": "r repository (eg : cran mirrors or proxy caches)", - "type": "object", - "properties": { - "rRepository": { - "type": "string", - "description": "r repository", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" - } - }, - "packageManagerUrl": { - "type": "string", - "description": "Posit Package Manager URL", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + "description": "Enable a custom service port", + "default": false }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": 
"string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - } + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { + "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "discovery": { + "description": "configure your service to autodetect some ressources.", + "type": "object", + "properties": { + "hive": { + "type": "boolean", + "title": "Enable hive metastore discovery", + "description": "discover your hive metastore service", + "default": true + } + } + }, + "security": { + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } }, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": 
{ + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "x-onyxia": { + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.lang" - } - } - } + "sparkHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" 
+ } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + }, + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } + }, + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "sparkHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-spark.{{k8s.domain}}" + } + 
}, + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "r repository (eg : cran mirrors or proxy caches)", + "type": "object", + "properties": { + "rRepository": { + "type": "string", + "description": "r repository", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" + } + }, + "packageManagerUrl": { + "type": "string", + "description": "Posit Package Manager URL", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "startupProbe": { + "type": "object", + "description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + 
"overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": "false" + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": "false" - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - }, - 
"httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "x-onyxia": { - "hidden": { - "value": true, - "path": "proxy/enabled" - } - } - } + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } }, - "message": { - "type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties":{ - "fr": { - "type": "string", - "description": "message à ajouter dans les notes", - "default": ""}, - "en": { - "type": "string", - "description": "message to add in notes", - "default": ""} + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "x-onyxia": { + "hidden": { + "value": true, + "path": "proxy/enabled" } + } + } + } + }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. 
Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } + } } \ No newline at end of file diff --git a/charts/rstudio-sparkr/values.yaml b/charts/rstudio-sparkr/values.yaml index 8790c40b..705e9a03 100644 --- a/charts/rstudio-sparkr/values.yaml +++ b/charts/rstudio-sparkr/values.yaml @@ -244,6 +244,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/rstudio/Chart.yaml b/charts/rstudio/Chart.yaml index aa2358ed..a12e6e1c 100644 --- a/charts/rstudio/Chart.yaml +++ b/charts/rstudio/Chart.yaml @@ -22,8 +22,8 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.3 +version: 2.1.4 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/rstudio/templates/statefulset.yaml b/charts/rstudio/templates/statefulset.yaml index 3992d909..ebee21ea 100644 --- a/charts/rstudio/templates/statefulset.yaml +++ b/charts/rstudio/templates/statefulset.yaml 
@@ -32,6 +32,9 @@ spec: {{- if (include "library-chart.repository.enabled" .) }} checksum/repository: {{ include (print $.Template.BasePath "/configmap-repository.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -39,22 +42,29 @@ spec: {{- include "library-chart.selectorLabels" . | nindent 8 }} spec: volumes: + - name: config-files + emptyDir: {} - name: home - {{- if .Values.persistence.enabled }} + {{- if .Values.persistence.enabled }} persistentVolumeClaim: claimName: {{ .Values.persistence.existingClaim | default (include "library-chart.fullname" .) }} - {{- else }} + {{- else }} emptyDir: {} - {{- end }} + {{- end }} - name: dshm emptyDir: medium: Memory sizeLimit: 10Gi - {{- if (.Values.proxy).enabled }} + {{- if (.Values.proxy).enabled }} - name: secret-proxy secret: secretName: {{ include "library-chart.secretNameProxy" . }} - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
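Review bot: When `certificates.cacerts` holds a URL, the added `checksum/cacerts` annotation hashes only the URL string, so a bundle that changes behind the same URL leaves the annotation unchanged and does not roll the pod. The init container added further down in this file accepts an `http(s)://` value and downloads it at start-up, so that case is reachable. I would document the limit next to the annotation, e.g. `{{- /* hashes the cacerts value as given; for a URL the remote content is not covered */ -}}`. The annotations block this hunk sits in starts outside the hunk.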
@@ -64,6 +74,37 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} subdomain: {{ include "library-chart.fullname" . }} hostname: rstudio + initContainers: + - name: make-secrets-writable + image: inseefrlab/onyxia-base:latest + imagePullPolicy: IfNotPresent + command: + - sh + - -c + - | + echo 'initContainer make-secrets-writable is started'; + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} + volumeMounts: + - name: config-files + mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} + resources: + limits: + cpu: 50m + memory: 50Mi + securityContext: + {{- toYaml .Values.initContainerSecurityContext | nindent 12 }} containers: - name: {{ .Chart.Name }} securityContext: @@ -109,7 +150,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: {{- if .Values.s3.enabled }} - secretRef: name: {{ include "library-chart.secretNameS3" . }} @@ -154,9 +195,14 @@ spec: volumeMounts: - mountPath: /home/{{ .Values.environment.user }}/work subPath: work - name: home + name: home - mountPath: /dev/shm - name: dshm + name: dshm + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/rstudio/values.schema.json b/charts/rstudio/values.schema.json index 7ca621fe..a97c3d56 100644 --- a/charts/rstudio/values.schema.json +++ b/charts/rstudio/values.schema.json 
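Review bot: The `make-secrets-writable` init container treats a failed or altered download as success. `curl -s` without `--fail` writes an HTTP error body to `/tmp/ca.pem`, the script has no `set -e`, and the `regexMatch "^https?://"` branch also accepts plain `http://`, so the trust bundle can arrive over an unauthenticated channel. I would fail closed and quote the substitution: `set -e` as the first script line, `mkdir -p /dest/cacerts;` so a restarted init container does not trip on the existing directory, and `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem`, and I would narrow the match to `^https://`. The image is `inseefrlab/onyxia-base:latest` with `IfNotPresent`, so the code that writes the CA files is not pinned; a fixed tag or digest would make it reproducible.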
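Review bot: The `config-files` mount added in the `@@ -154,9 +195,14 @@` hunk is guarded by `.Values.certificates.pathToCaBundle` alone, while the init container creates `/dest/cacerts` only when `.Values.certificates.cacerts` is set. If a deployment sets `pathToCaBundle` without `cacerts`, an empty directory would presumably be mounted over that path and hide whatever the image or a third-party injector placed there. Guarding the mount with both values, `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`, keeps the two conditions in step. The `volumeMounts` list starts outside this hunk.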
@@ -1,807 +1,809 @@ { - "$schema": "http://json-schema.org/draft-07/schema", - "type": "object", - "properties": { - "service": { - "description": "Service specific configuration", - "type": "object", - "properties": { - "image": { - "description": "image docker", - "type": "object", - "properties": { - "pullPolicy": { - "type": "string", - "description": "option when pulling the docker image", - "default": "IfNotPresent", - "enum": [ - "IfNotPresent", - "Always", - "Never" - ] - }, - "version": { - "description": "supported versions", - "type": "string", - "listEnum": [ - "inseefrlab/onyxia-rstudio:r4.4.1", - "inseefrlab/onyxia-rstudio:r4.3.3" - ], - "render": "list", - "hidden": { - "value": true, - "path": "service/image/custom/enabled" - }, - "default": "inseefrlab/onyxia-rstudio:r4.4.1" - }, - "custom": { - "description": "use a custom RStudio docker image", - "type": "object", - "properties": { - "enabled": { - "title": "custom image", - "type": "boolean", - "description": "use a custom RStudio docker image", - "default": false, - "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" - } - }, - "version": { - "description": "RStudio unsupported version", - "type": "string", - "default": "inseefrlab/onyxia-rstudio:r4.4.1", - "hidden": { - "value": false, - "path": "service/image/custom/enabled" - } - } - } - } - } - } - } - }, - "resources": { - "description": "Your service will have at least the requested resources and never more than its limits. 
No limit for a resource and you can consume everything left on the host machine.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "$schema": "http://json-schema.org/draft-07/schema", + "type": "object", + "properties": { + "service": { + "description": "Service specific configuration", + "type": "object", + "properties": { + "image": { + "description": "image docker", + "type": "object", + "properties": { + "pullPolicy": { + "type": "string", + "description": "option when pulling the docker image", + "default": "IfNotPresent", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] }, - "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuRequest", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryRequest", - "useRegionSliderConfig": "memory" - } - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": 
"Maximum", - "sliderRangeId": "cpu", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.cpuLimit", - "useRegionSliderConfig": "cpu" - } - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.memoryLimit", - "useRegionSliderConfig": "memory" - } - } - } - } - } - }, - "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "version": { + "description": "supported versions", + "type": "string", + "listEnum": [ + "inseefrlab/onyxia-rstudio:r4.4.1", + "inseefrlab/onyxia-rstudio:r4.3.3" + ], + "render": "list", + "hidden": { + "value": true, + "path": "service/image/custom/enabled" + }, + "default": "inseefrlab/onyxia-rstudio:r4.4.1" }, - "properties": { + "custom": { + "description": "use a custom RStudio docker image", + "type": "object", + "properties": { "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } + "title": "custom image", + "type": "boolean", + "description": "use a custom RStudio docker image", + "default": false, + "x-onyxia": { + "overwriteSchemaWith": "ide/customImage.json" + } + }, + "version": { + "description": "RStudio unsupported version", + 
"type": "string", + "default": "inseefrlab/onyxia-rstudio:r4.4.1", + "hidden": { + "value": false, + "path": "service/image/custom/enabled" + } } + } } - }, - "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + } + } + } + }, + "resources": { + "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/resources.json" + }, + "properties": { + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuRequest", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryRequest", + 
"useRegionSliderConfig": "memory" + } } + } }, - "kubernetes": { - "description": "configuration of your kubernetes access", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.cpuLimit", + "useRegionSliderConfig": "cpu" + } }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "view", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render": "list" - } + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.memoryLimit", + "useRegionSliderConfig": "memory" + } } + } + } + } + }, + "persistence": { + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": 
"ide/vault.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } + } + } + }, + "init": { + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + 
"overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } }, - "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } - } + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" }, - "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": 
"{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } - } + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" + } + } + }, + "kubernetes": { + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/role.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "networking": { - "type": "object", - "form": true, - "title": "Networking detail", - "properties": { - "user": { - "type": "object", - "description": "user defined port", - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable a custom service port", - "description": "Enable a custom service port", - "default": false - }, - 
"port": { - "type": "integer", - "description": "port of the custom service", - "title": "Custom service port", - "hidden": { - "value": false, - "path": "networking/user/enabled" - }, - "default": 5000 - } - } - } - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "view", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" + } + } + }, + "vault": { + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } - }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": 
"vault/enabled" + } }, - "nodeSelector": { - "type": "object", - "description": "NodeSelector", - "default": {}, - "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" - } + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "ingress": { - "type": "object", - "form": true, - "title": "Ingress Details", - "properties": { - "enabled": { - "description": "Enable Ingress", - "type": "boolean", - "default": true, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.ingress" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - }, - "ingressClassName": { - "type": "string", - "form": true, - "title": "ingressClassName", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.ingressClassName}}" - } - }, - "useCertManager": { - "type": "boolean", - "description": "Whether CertManager should be used to generate a certificate", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.useCertManager" - } - }, - "certManagerClusterIssuer": { - "type": "string", - "description": "certManager cluster issuer", - "title": "CertManager Cluster Issuer", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.certManagerClusterIssuer" - } - }, - "useTlsSecret":{ - "type": "boolean", - "description": "Whether you want to use the specified secretName in ingress tls", - "default": false, - "x-onyxia": { - 
"hidden": true - } - } - } + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } }, - "route": { - "type": "object", - "form": true, - "title": "Route details", - "properties": { - "enabled": { - "description": "Enable route", - "type": "boolean", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "k8s.route" - } - }, - "hostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" - } - }, - "userHostname": { - "type": "string", - "form": true, - "title": "Hostname", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" - } - } - } + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } + } + } + }, + "s3": { + "description": "Configuration of temporary identity", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true + }, + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": 
"{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + } + } + }, + "git": { + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true + }, + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": 
false, + "path": "git/enabled" + } }, "repository": { - "description": "r repository (eg : cran mirrors or proxy caches)", - "type": "object", - "properties": { - "rRepository": { - "type": "string", - "description": "r repository", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" - } - }, - "packageManagerUrl": { - "type": "string", - "description": "Posit Package Manager URL", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" - } - } - } + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } }, - "startupProbe": { - "type": "object", - "description": "Startup probe", - "default": { - "failureThreshold": 60, - "initialDelaySeconds": 10, - "periodSeconds": 10, - "successThreshold": 1, - "timeoutSeconds": 2 + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } + } + } + }, + "networking": { + "type": "object", + "form": true, + "title": "Networking detail", + "properties": { + "user": { + "type": "object", + "description": "user defined port", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable a custom service port", + "description": "Enable a custom service port", + "default": false }, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "port": { + "type": "integer", + "description": "port of the custom service", + "title": "Custom service port", + "hidden": { + "value": false, + "path": "networking/user/enabled" + }, + "default": 5000 } + } + } + } + }, + "security": { + "description": "security specific configuration", + "type": "object", + "properties": { + 
"password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } }, - "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } + }, + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "overwriteDefaultWith": "region.from" + } } + } + } + } + }, + "nodeSelector": { + "type": "object", + "description": "NodeSelector", + "default": {}, + "x-onyxia": { + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" + } + }, + "ingress": { + "type": "object", + "form": true, + "title": "Ingress Details", + "properties": { + "enabled": { + "description": "Enable Ingress", + "type": "boolean", + "default": true, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.ingress" + } }, - "userPreferences": { - "description": "User Preferences", - "type": "object", - "properties": { - "darkMode": { - "type": "boolean", - "description": "dark mode is or is not enabled", - "default": false, - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "user.darkMode" - } - }, - "language": { - "type": "string", - "description": "Preferred language", - "default": "en", - "x-onyxia": { - "hidden": 
true, - "overwriteDefaultWith": "user.lang" - } - } - } + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } }, - "global": { - "description": "Suspend", - "type": "object", - "properties": { - "suspend": { - "type": "boolean", - "description": "Suspend this service", - "default": false, - "x-onyxia": { - "hidden": true - } - } - } + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } }, - "proxy": { - "description": "It can be used to inject proxy settings in the services", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "proxy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - } - } + "ingressClassName": { + "type": "string", + "form": true, + "title": "ingressClassName", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.ingressClassName}}" + } }, - "message": { - "type": "object", - "description": "Warning message", - "x-onyxia": { - "hidden": true, - "overwriteSchemaWith": "ide/message.json" - }, - "properties":{ - "fr": { - "type": "string", - "description": 
"message à ajouter dans les notes", - "default": ""}, - "en": { - "type": "string", - "description": "message to add in notes", - "default": ""} - } + "useCertManager": { + "type": "boolean", + "description": "Whether CertManager should be used to generate a certificate", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.useCertManager" + } + }, + "certManagerClusterIssuer": { + "type": "string", + "description": "certManager cluster issuer", + "title": "CertManager Cluster Issuer", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.certManagerClusterIssuer" + } + }, + "useTlsSecret": { + "type": "boolean", + "description": "Whether you want to use the specified secretName in ingress tls", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "route": { + "type": "object", + "form": true, + "title": "Route details", + "properties": { + "enabled": { + "description": "Enable route", + "type": "boolean", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "k8s.route" + } + }, + "hostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-0.{{k8s.domain}}" + } + }, + "userHostname": { + "type": "string", + "form": true, + "title": "Hostname", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{project.id}}-{{k8s.randomSubdomain}}-user.{{k8s.domain}}" + } + } + } + }, + "repository": { + "description": "r repository (eg : cran mirrors or proxy caches)", + "type": "object", + "properties": { + "rRepository": { + "type": "string", + "description": "r repository", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{packageRepositoryInjection.cranProxyUrl}}" + } + }, + "packageManagerUrl": { + "type": "string", + "description": "Posit Package Manager URL", + "default": "", + "x-onyxia": { + "hidden": true, + 
"overwriteDefaultWith": "{{packageRepositoryInjection.packageManagerUrl}}" + } + } + } + }, + "startupProbe": { + "type": "object", + "description": "Startup probe", + "default": { + "failureThreshold": 60, + "initialDelaySeconds": 10, + "periodSeconds": 10, + "successThreshold": 1, + "timeoutSeconds": 2 + }, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" + } + }, + "tolerations": { + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } + }, + "userPreferences": { + "description": "User Preferences", + "type": "object", + "properties": { + "darkMode": { + "type": "boolean", + "description": "dark mode is or is not enabled", + "default": false, + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.darkMode" + } + }, + "language": { + "type": "string", + "description": "Preferred language", + "default": "en", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "user.lang" + } + } + } + }, + "global": { + "description": "Suspend", + "type": "object", + "properties": { + "suspend": { + "type": "boolean", + "description": "Suspend this service", + "default": false, + "x-onyxia": { + "hidden": true + } + } + } + }, + "proxy": { + "description": "It can be used to inject proxy settings in the services", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "proxy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + 
"hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } + } + }, + "message": { + "type": "object", + "description": "Warning message", + "x-onyxia": { + "hidden": true, + "overwriteSchemaWith": "ide/message.json" + }, + "properties": { + "fr": { + "type": "string", + "description": "message à ajouter dans les notes", + "default": "" + }, + "en": { + "type": "string", + "description": "message to add in notes", + "default": "" } + } } + } } \ No newline at end of file diff --git a/charts/rstudio/values.yaml b/charts/rstudio/values.yaml index f58763e6..6eb185ae 100644 --- a/charts/rstudio/values.yaml +++ b/charts/rstudio/values.yaml @@ -41,7 +41,6 @@ s3: secretAccessKey: "" sessionToken: "" - vault: # Specifies whether a config map should be created enabled: true @@ -71,7 +70,6 @@ git: # Declare variables to be passed into your templates. replicaCount: 1 - imagePullSecrets: [] nameOverride: "" fullnameOverride: "" diff --git a/charts/vscode-pyspark/Chart.yaml b/charts/vscode-pyspark/Chart.yaml index b7f873d0..260888da 100644 --- a/charts/vscode-pyspark/Chart.yaml +++ b/charts/vscode-pyspark/Chart.yaml @@ -24,9 +24,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.8 +version: 2.1.9 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-pyspark/templates/secret-cacerts.yaml b/charts/vscode-pyspark/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null 
+++ b/charts/vscode-pyspark/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-pyspark/templates/statefulset.yaml b/charts/vscode-pyspark/templates/statefulset.yaml index ecf26d80..bf201a3a 100644 --- a/charts/vscode-pyspark/templates/statefulset.yaml +++ b/charts/vscode-pyspark/templates/statefulset.yaml @@ -50,6 +50,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -100,6 +103,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameCoreSite" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} @@ -111,9 +119,9 @@ spec: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.s3.enabled }} 
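Review bot: The `checksum/cacerts` annotation added in the statefulset.yaml hunk at `-50,6 +50,9` hashes `.Values.certificates.cacerts` itself, so when that value is a URL the digest covers the URL string and not the bundle it serves. A CA rotated behind an unchanged URL will therefore not roll the pods, and running pods keep the trust anchors they downloaded at start until something else restarts them. I would document that limit above the annotation, for example `{{- /* hashes the value only: a URL-sourced bundle that changes upstream does not trigger a rollout */}}`. The same annotation is added in the `-41,6 +41,9` hunk of charts/vscode-python/templates/statefulset.yaml.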
@@ -131,14 +139,27 @@ spec: {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem + {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; + {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.s3.enabled }} - name: secret-coresite mountPath: /src/coresite @@ -216,7 +237,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name: {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -287,12 +308,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow - {{- end }} + {{- end }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} + - name: config-files + mountPath: {{ .Values.certificates.pathToCaBundle }} + subPath: cacerts + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-pyspark/values.schema.json b/charts/vscode-pyspark/values.schema.json index 27433cc9..a4abfdae 100644 --- a/charts/vscode-pyspark/values.schema.json +++ b/charts/vscode-pyspark/values.schema.json 
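Review bot: In the init-container script added at `-131,14 +139,27`, `curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem` downloads the trust anchors with no failure handling and, because the guard is `regexMatch "^https?://"`, also over plain HTTP. Without `-f` an HTTP error body is saved as ca.pem and written under /dest/cacerts by the awk step, and an `http://` source gives no transport authentication for the material that later decides which TLS peers are trusted. I would write `curl -fsS "$(cat /cacerts/ca-certs.url)" -o /tmp/ca.pem || exit 1;` and consider accepting only `https://`; that second change probably has to be mirrored in the `library-chart.secretCacerts` helper, which is not part of this diff. The same script is added in the `-83,39 +91,39` hunk of charts/vscode-python/templates/statefulset.yaml.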
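Review bot: The mount added at `-287,12 +308,17` is gated on `certificates.pathToCaBundle` alone, while `/dest/cacerts` is only created by the init container when `certificates.cacerts` is set. If a path is supplied without certificates, the `subPath: cacerts` mount would presumably place an empty directory over that path (the schema default is `/usr/local/share/ca-certificates/`) and hide whatever the image ships there; the definition of the `config-files` volume is outside the hunk, so this is worth confirming. Gating on both values avoids it: `{{- if and .Values.certificates .Values.certificates.cacerts .Values.certificates.pathToCaBundle }}`. The `-225,19 +233,17` hunk of charts/vscode-python/templates/statefulset.yaml uses the same condition.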
@@ -44,7 +44,7 @@ "description": "use a custom vscode docker image", "default": false, "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" + "overwriteSchemaWith": "ide/customImage.json" } }, "version": { @@ -66,7 +66,7 @@ "description": "spark specific configuration", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "spark.json" + "overwriteSchemaWith": "spark.json" }, "properties": { "sparkui": { 
@@ -113,392 +113,392 @@ "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "overwriteSchemaWith": "ide/resources.json" }, "properties": { - "requests": { - "description": "Guaranteed resources", - "type": "object", - "properties": { - "cpu": { - "description": "The amount of cpu guaranteed", - "title": "CPU", - "type": "string", - "default": "100m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The amount of memory guaranteed", - "title": "memory", - "type": "string", - "default": "2Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "down", - "sliderExtremitySemantic": "guaranteed", - "sliderRangeId": "memory" - } - } - }, - "limits": { - "description": "max resources", - "type": "object", - "properties": { - "cpu": { - "description": "The maximum amount of cpu", - "title": "CPU", - "type": "string", - "default": "30000m", - "render": "slider", - "sliderMin": 50, - "sliderMax": 40000, - "sliderStep": 50, - "sliderUnit": "m", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "cpu" - }, - "memory": { - "description": "The maximum amount of memory", - "title": "Memory", - "type": "string", - "default": "50Gi", - "render": "slider", - "sliderMin": 1, - "sliderMax": 200, - "sliderStep": 1, - "sliderUnit": "Gi", - "sliderExtremity": "up", - "sliderExtremitySemantic": "Maximum", - "sliderRangeId": "memory" - } - } + "requests": { + "description": "Guaranteed resources", + "type": "object", + "properties": { + "cpu": { + "description": "The amount of cpu 
guaranteed", + "title": "CPU", + "type": "string", + "default": "100m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "cpu" + }, + "memory": { + "description": "The amount of memory guaranteed", + "title": "memory", + "type": "string", + "default": "2Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "down", + "sliderExtremitySemantic": "guaranteed", + "sliderRangeId": "memory" + } + } + }, + "limits": { + "description": "max resources", + "type": "object", + "properties": { + "cpu": { + "description": "The maximum amount of cpu", + "title": "CPU", + "type": "string", + "default": "30000m", + "render": "slider", + "sliderMin": 50, + "sliderMax": 40000, + "sliderStep": 50, + "sliderUnit": "m", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "cpu" + }, + "memory": { + "description": "The maximum amount of memory", + "title": "Memory", + "type": "string", + "default": "50Gi", + "render": "slider", + "sliderMin": 1, + "sliderMax": 200, + "sliderStep": 1, + "sliderUnit": "Gi", + "sliderExtremity": "up", + "sliderExtremitySemantic": "Maximum", + "sliderRangeId": "memory" + } } + } } }, "persistence": { - "description": "Configuration for persistence", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "description": "Configuration for persistence", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/persistence.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Create a persistent volume", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Create a persistent volume", - "default": true - }, - "size": { - "type": "string", - "title": "Persistent volume size", - "description": "Size of the 
persistent volume", - "default": "10Gi", - "form": true, - "render": "slider", - "sliderMin": 1, - "sliderMax": 100, - "sliderStep": 1, - "sliderUnit": "Gi", - "x-onyxia": { - "overwriteDefaultWith": "region.resources.disk", - "useRegionSliderConfig": "disk" - }, - "hidden": { - "value": false, - "path": "persistence/enabled" - } - } + "size": { + "type": "string", + "title": "Persistent volume size", + "description": "Size of the persistent volume", + "default": "10Gi", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderStep": 1, + "sliderUnit": "Gi", + "x-onyxia": { + "overwriteDefaultWith": "region.resources.disk", + "useRegionSliderConfig": "disk" + }, + "hidden": { + "value": false, + "path": "persistence/enabled" + } } + } }, "init": { - "description": "Init parameters", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" - }, - "properties": { - "regionInit": { - "type": "string", - "description": "region initialization script", - "default": "", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "{{k8s.initScriptUrl}}" - } - }, - "personalInit": { - "type": "string", - "description": "user initialization script", - "default": "" - }, - "personalInitArgs": { - "type": "string", - "description": "args for user initialization script", - "default": "" - } + "description": "Init parameters", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/init.json" + }, + "properties": { + "regionInit": { + "type": "string", + "description": "region initialization script", + "default": "", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "{{k8s.initScriptUrl}}" + } + }, + "personalInit": { + "type": "string", + "description": "user initialization script", + "default": "" + }, + "personalInitArgs": { + "type": "string", + "description": "args for user initialization script", + "default": "" } + } }, "kubernetes": { - "description": "configuration of your kubernetes access", - "type": 
"object", - "x-onyxia": { - "overwriteSchemaWith": "role-spark.json" + "description": "configuration of your kubernetes access", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "role-spark.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "allow your service to access your namespace ressources", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "allow your service to access your namespace ressources", - "default": true - }, - "role": { - "type": "string", - "description": "bind your service account to this kubernetes default role", - "default": "admin", - "hidden": { - "value": false, - "path": "kubernetes/enabled" - }, - "listEnum": [ - "view", - "edit", - "admin" - ], - "render":"list" - } + "role": { + "type": "string", + "description": "bind your service account to this kubernetes default role", + "default": "admin", + "hidden": { + "value": false, + "path": "kubernetes/enabled" + }, + "listEnum": [ + "view", + "edit", + "admin" + ], + "render": "list" } + } }, "vault": { - "description": "Configuration of vault client", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" + "description": "Configuration of vault client", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/vault.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add vault temporary identity inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add vault temporary identity inside your environment", - "default": true - }, - "token": { - "description": "token vault", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "url": { - "description": "url of vault server", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" 
- }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "mount": { - "description": "mount of the v2 secret engine", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "directory": { - "description": "top level directory", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" - }, - "hidden": { - "value": false, - "path": "vault/enabled" - } - }, - "secret": { - "description": "the path of the secret to convert into a list of environment variables", - "type": "string", - "default": "", - "hidden": { - "value": false, - "path": "vault/enabled" - } - } + "token": { + "description": "token vault", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "url": { + "description": "url of vault server", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_ADDR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "mount": { + "description": "mount of the v2 secret engine", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_MOUNT}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "directory": { + "description": "top level directory", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{vault.VAULT_TOP_DIR}}" + }, + "hidden": { + "value": false, + "path": "vault/enabled" + } + }, + "secret": { + "description": "the path of the secret to convert into a list of environment variables", + "type": "string", + "default": "", + "hidden": { + "value": false, + "path": "vault/enabled" + } } + } }, "s3": { - "description": "Configuration of temporary identity", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" + "description": "Configuration of temporary identity", 
+ "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/s3.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add S3 temporary identity inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add S3 temporary identity inside your environment", - "default": true - }, - "accessKeyId": { - "description": "AWS Access Key", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "endpoint": { - "description": "AWS S3 Endpoint", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "defaultRegion": { - "description": "AWS S3 default region", - "type": "string", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "secretAccessKey": { - "description": "AWS S3 secret access key", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - }, - "sessionToken": { - "description": "AWS S3 session Token", - "type": "string", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" - }, - "hidden": { - "value": false, - "path": "s3/enabled" - } - } + "accessKeyId": { + "description": "AWS Access Key", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_ACCESS_KEY_ID}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "endpoint": { + "description": "AWS S3 Endpoint", + "type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_S3_ENDPOINT}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "defaultRegion": { + "description": "AWS S3 default region", + 
"type": "string", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_DEFAULT_REGION}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "secretAccessKey": { + "description": "AWS S3 secret access key", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SECRET_ACCESS_KEY}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } + }, + "sessionToken": { + "description": "AWS S3 session Token", + "type": "string", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{s3.AWS_SESSION_TOKEN}}" + }, + "hidden": { + "value": false, + "path": "s3/enabled" + } } + } }, "git": { - "description": "Git user configuration", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" + "description": "Git user configuration", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "ide/git.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "description": "Add git config inside your environment", + "default": true }, - "properties": { - "enabled": { - "type": "boolean", - "description": "Add git config inside your environment", - "default": true - }, - "name": { - "type": "string", - "description": "user name for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.name}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "email": { - "type": "string", - "description": "user email for git", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.email}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "cache": { - "type": "string", - "description": "duration in seconds of the credentials cache duration", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.credentials_cache_duration}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "token": { - "type": "string", - "description": "personal access token", - "default": "", - "render": "password", 
- "x-onyxia": { - "overwriteDefaultWith": "{{git.token}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "repository": { - "type": "string", - "description": "Repository url", - "default": "", - "x-onyxia": { - "overwriteDefaultWith": "{{git.project}}" - }, - "hidden": { - "value": false, - "path": "git/enabled" - } - }, - "branch": { - "type": "string", - "description": "Branch automatically checked out", - "default": "", - "hidden": { - "value": "", - "path": "git/repository" - } - } + "name": { + "type": "string", + "description": "user name for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.name}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "email": { + "type": "string", + "description": "user email for git", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.email}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "cache": { + "type": "string", + "description": "duration in seconds of the credentials cache duration", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.credentials_cache_duration}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "token": { + "type": "string", + "description": "personal access token", + "default": "", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{git.token}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "repository": { + "type": "string", + "description": "Repository url", + "default": "", + "x-onyxia": { + "overwriteDefaultWith": "{{git.project}}" + }, + "hidden": { + "value": false, + "path": "git/enabled" + } + }, + "branch": { + "type": "string", + "description": "Branch automatically checked out", + "default": "", + "hidden": { + "value": "", + "path": "git/repository" + } } + } }, "networking": { "type": "object", 
@@ -554,47 +554,47 @@ } }, "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.from" + } } + } } + } }, "nodeSelector": { 
"type": "object", @@ -665,7 +665,7 @@ "overwriteDefaultWith": "k8s.useCertManager" } }, - "certManagerClusterIssuer":{ + "certManagerClusterIssuer": { "type": "string", "description": "certManager cluster issuer", "title": "CertManager Cluster Issuer", @@ -675,7 +675,7 @@ "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } }, - "useTlsSecret":{ + "useTlsSecret": { "type": "boolean", "description": "Whether you want to use the specified secretName in ingress tls", "default": false, 
@@ -756,44 +756,44 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + } } - }, - "startupProbe": { + }, + "startupProbe": { "type": "object", "description": "Startup probe", "default": { 
@@ -804,20 +804,20 @@ "timeoutSeconds": 2 }, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" } }, "tolerations": { - "type": "array", - "description": "Array of tolerations", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" - } + "type": "array", + "description": "Array of tolerations", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" + } }, "userPreferences": { "description": "User Preferences", @@ -857,6 +857,32 @@ } } }, + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" + }, + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } + } + } + }, "message": { "type": "object", "description": "Warning message", 
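Review bot: The `cacerts` description in the `certificates` block added at `-857,6 +857,32` does not say which encoding the value must use or when a URL is fetched. The statefulset hunks of this commit show the init container downloading the URL at pod start, and for charts/vscode-python they drop the earlier `base64 -d` step, so callers that used to pass base64 may now need a different format; the helper that builds the secret is not in this diff, so that is to be confirmed. I would extend the description to name the expected encoding and to end with something like `Alternatively an http(s) URL can be provided; it is downloaded by the init container each time the pod starts.`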
@@ -864,16 +890,18 @@ "hidden": true, "overwriteSchemaWith": "ide/message.json" }, - "properties":{ + "properties": { "fr": { "type": "string", "description": "message à ajouter dans les notes", - "default": ""}, + "default": "" + }, "en": { "type": "string", "description": "message to add in notes", - "default": ""} + "default": "" + } } } } -} +} \ No newline at end of file diff --git a/charts/vscode-pyspark/values.yaml b/charts/vscode-pyspark/values.yaml index fc52181b..c954802b 100644 --- a/charts/vscode-pyspark/values.yaml +++ b/charts/vscode-pyspark/values.yaml @@ -246,6 +246,10 @@ userPreferences: darkMode: false language: "en" +certificates: {} + # pathToCaBundle: /usr/local/share/ca-certificates/ + # cacerts: "" + message: fr: "" en: "" diff --git a/charts/vscode-python/Chart.yaml b/charts/vscode-python/Chart.yaml index 8fbc8ab0..96fd32a8 100644 --- a/charts/vscode-python/Chart.yaml +++ b/charts/vscode-python/Chart.yaml @@ -22,9 +22,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 2.1.7 +version: 2.1.8 dependencies: - name: library-chart - version: 1.5.27 + version: 1.5.28 repository: https://inseefrlab.github.io/helm-charts-interactive-services diff --git a/charts/vscode-python/templates/secret-cacerts.yaml b/charts/vscode-python/templates/secret-cacerts.yaml new file mode 100644 index 00000000..71c878fb --- /dev/null +++ b/charts/vscode-python/templates/secret-cacerts.yaml @@ -0,0 +1 @@ +{{ include "library-chart.secretCacerts" . }} diff --git a/charts/vscode-python/templates/statefulset.yaml b/charts/vscode-python/templates/statefulset.yaml index 482ddfc0..8a991f53 100644 --- a/charts/vscode-python/templates/statefulset.yaml +++ b/charts/vscode-python/templates/statefulset.yaml 
@@ -41,6 +41,9 @@ spec: {{- if .Values.vault.enabled }} checksum/vault: {{ include (print $.Template.BasePath "/secret-vault.yaml") . | sha256sum }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + checksum/cacerts: {{ .Values.certificates.cacerts | sha256sum }} + {{- end }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} @@ -76,6 +79,11 @@ spec: secret: secretName: {{ include "library-chart.secretNameMetaflow" . }} {{- end }} + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + secret: + secretName: {{ include "library-chart.secretNameCacerts" . }} + {{- end }} {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} 
@@ -83,39 +91,39 @@ spec: serviceAccountName: {{ include "library-chart.serviceAccountName" . }} securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} - initContainers: + initContainers: - name: make-secrets-writable image: inseefrlab/onyxia-base:latest imagePullPolicy: IfNotPresent - command: + command: - sh - - -c + - -c - | echo 'initContainer make-secrets-writable is started'; {{- if .Values.discovery.hive }} mkdir /dest/hive; cp /src/hive/hive-site.xml /dest/hive/hive-site.xml; - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} mkdir /dest/metaflow; cp /src/metaflow/config.json /dest/metaflow/config.json; {{- end }} - {{- if .Values.certificates }} - {{- if .Values.certificates.cacerts }} - mkdir /dest/certs; - if [[ {{ .Values.certificates.cacerts }} =~ ^https?://.+$ ]]; - then - curl -s {{ .Values.certificates.cacerts }} -o /tmp/ca.pem - else - echo -n {{ .Values.certificates.cacerts }} | base64 -d > /tmp/ca.pem; - fi - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/tmp/cert." c ".crt"}' < /tmp/ca.pem; - cp /tmp/*.crt /dest/certs/; + {{- if and .Values.certificates .Values.certificates.cacerts }} + mkdir /dest/cacerts; + {{- if regexMatch "^https?://" .Values.certificates.cacerts }} + curl -s $(cat /cacerts/ca-certs.url) -o /tmp/ca.pem + {{- else }} + cp /cacerts/ca.pem /tmp/ca.pem {{- end }} + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "/dest/cacerts/cert." c ".crt"}' < /tmp/ca.pem; {{- end }} volumeMounts: - name: config-files mountPath: /dest + {{- if and .Values.certificates .Values.certificates.cacerts }} + - name: cacerts + mountPath: /cacerts + {{- end }} {{- if .Values.discovery.hive }} - name: secret-hive mountPath: /src/hive 
@@ -138,7 +146,7 @@ spec: image: "{{ .Values.service.image.custom.version }}" {{- else }} image: "{{ .Values.service.image.version }}" - {{- end }} + {{- end }} command: ["/bin/sh","-c"] args: ["{{ .Values.init.standardInitPath }} /usr/bin/code-server --host 0.0.0.0 /home/{{ .Values.environment.user }}/work"] imagePullPolicy: {{ .Values.service.image.pullPolicy }} @@ -169,7 +177,7 @@ spec: - name: DARK_MODE value: "true" {{- end }} - envFrom: + envFrom: - secretRef: name : {{ include "library-chart.secretNameToken" . }} {{- if .Values.s3.enabled }} @@ -199,7 +207,7 @@ spec: livenessProbe: httpGet: path: / - port: {{ .Values.networking.service.port }} + port: {{ .Values.networking.service.port }} timeoutSeconds: 2 failureThreshold: 6 readinessProbe: @@ -225,19 +233,17 @@ spec: - name: config-files mountPath: /opt/hive/conf/hive-site.xml subPath: hive/hive-site.xml - {{- end }} + {{- end }} {{- if .Values.discovery.metaflow }} - name: config-files mountPath: /home/{{ .Values.environment.user}}/.metaflowconfig subPath: metaflow {{- end }} - {{- if .Values.certificates }} - {{- if .Values.certificates.pathToCaBundle }} + {{- if and .Values.certificates .Values.certificates.pathToCaBundle }} - name: config-files mountPath: {{ .Values.certificates.pathToCaBundle }} - subPath: certs + subPath: cacerts {{- end }} - {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/vscode-python/values.schema.json b/charts/vscode-python/values.schema.json index 65d9c57b..6a6e1a6b 100644 --- a/charts/vscode-python/values.schema.json +++ b/charts/vscode-python/values.schema.json @@ -44,7 +44,7 @@ "description": "use a custom vscode docker images", "default": false, "x-onyxia": { - "overwriteSchemaWith": "ide/customImage.json" + "overwriteSchemaWith": "ide/customImage.json" } }, "version": { 
@@ -66,7 +66,7 @@ "description": "Your service will have at least the requested resources and never more than its limits. No limit for a resource and you can consume everything left on the host machine.", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/resources.json" + "overwriteSchemaWith": "ide/resources.json" }, "properties": { "requests": { @@ -159,7 +159,7 @@ "description": "Configuration for persistence", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/persistence.json" + "overwriteSchemaWith": "ide/persistence.json" }, "properties": { "enabled": { @@ -193,7 +193,7 @@ "description": "Init parameters", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/init.json" + "overwriteSchemaWith": "ide/init.json" }, "properties": { "regionInit": { @@ -230,7 +230,7 @@ "description": "configuration of your kubernetes access", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/role.json" + "overwriteSchemaWith": "ide/role.json" }, "properties": { "enabled": { 
@@ -259,34 +259,34 @@ "description": "configuration for openshift compatibility", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/openshiftSCC.json" + "overwriteSchemaWith": "ide/openshiftSCC.json" }, "properties": { - "enabled": { + "enabled": { "description": "enable rolebinding with openshift scc", "type": "boolean", "default": false, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.enabled" - } - }, - "scc": { - "type": "string", - "description": "name of scc for rolebinding", - "default": "anyuid", - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.openshiftSCC.scc" - } + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.enabled" + } + }, + "scc": { + "type": "string", + "description": "name of scc for rolebinding", + "default": "anyuid", + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.openshiftSCC.scc" } } + } }, "vault": { "description": "Configuration of vault client", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/vault.json" + "overwriteSchemaWith": "ide/vault.json" }, "properties": { "enabled": { @@ -354,7 +354,7 @@ "description": "Configuration of temporary identity", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/s3.json" + "overwriteSchemaWith": "ide/s3.json" }, "properties": { "enabled": { @@ -425,7 +425,7 @@ "description": "Git user configuration", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "ide/git.json" + "overwriteSchemaWith": "ide/git.json" }, "properties": { "enabled": { 
@@ -559,56 +559,56 @@ } }, "security": { - "description": "security specific configuration", - "type": "object", - "properties": { - "password": { - "type": "string", - "description": "Password", - "default": "changeme", - "render": "password", - "x-onyxia": { - "overwriteDefaultWith": "{{service.oneTimePassword}}", - "overwriteSchemaWith": "ide/password" - } + "description": "security specific configuration", + "type": "object", + "properties": { + "password": { + "type": "string", + "description": "Password", + "default": "changeme", + "render": "password", + "x-onyxia": { + "overwriteDefaultWith": "{{service.oneTimePassword}}", + "overwriteSchemaWith": "ide/password" + } + }, + "networkPolicy": { + "type": "object", + "description": "Define access policy to the service", + "x-onyxia": { + "overwriteSchemaWith": "network-policy.json" + }, + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable network policy", + "description": "Only pod from the same namespace will be allowed", + "default": false, + "x-onyxia": { + "overwriteDefaultWith": "region.defaultNetworkPolicy" + } }, - "networkPolicy": { - "type": "object", - "description": "Define access policy to the service", - "x-onyxia": { - "overwriteSchemaWith": "network-policy.json" - }, - "properties": { - "enabled": { - "type": "boolean", - "title": "Enable network policy", - "description": "Only pod from the same namespace will be allowed", - "default": false, - "x-onyxia": { - "overwriteDefaultWith": "region.defaultNetworkPolicy" - } - }, - "from": { - "type": "array", - "description": "Array of source allowed to have network access to your service", - "default": [], - "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.from" - } - } - } + "from": { + "type": "array", + "description": "Array of source allowed to have network access to your service", + "default": [], + "x-onyxia": { + "hidden": true, + "overwriteDefaultWith": "region.from" + } } + } } + } }, "nodeSelector": { 
"type": "object", "description": "NodeSelector", "default": {}, "x-onyxia": { - "hidden": false, - "overwriteDefaultWith": "region.nodeSelector", - "overwriteSchemaWith": "nodeSelector.json" + "hidden": false, + "overwriteDefaultWith": "region.nodeSelector", + "overwriteSchemaWith": "nodeSelector.json" } }, "ingress": { @@ -662,7 +662,7 @@ "overwriteDefaultWith": "k8s.useCertManager" } }, - "certManagerClusterIssuer":{ + "certManagerClusterIssuer": { "type": "string", "description": "certManager cluster issuer", "title": "CertManager Cluster Issuer", @@ -672,7 +672,7 @@ "overwriteDefaultWith": "k8s.certManagerClusterIssuer" } }, - "useTlsSecret":{ + "useTlsSecret": { "type": "boolean", "description": "Whether you want to use the specified secretName in ingress tls", "default": false, @@ -751,9 +751,9 @@ "timeoutSeconds": 2 }, "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.startupProbe", - "overwriteSchemaWith": "ide/startupProbe.json" + "hidden": true, + "overwriteDefaultWith": "region.startupProbe", + "overwriteSchemaWith": "ide/startupProbe.json" } }, "tolerations": { @@ -761,9 +761,9 @@ "description": "Array of tolerations", "default": [], "x-onyxia": { - "hidden": true, - "overwriteDefaultWith": "region.tolerations", - "overwriteSchemaWith": "tolerations.json" + "hidden": true, + "overwriteDefaultWith": "region.tolerations", + "overwriteSchemaWith": "tolerations.json" } }, "userPreferences": { 
@@ -808,69 +808,69 @@ "description": "It can be used to inject proxy settings in the services", "type": "object", "x-onyxia": { - "overwriteSchemaWith": "proxy.json" + "overwriteSchemaWith": "proxy.json" }, "properties": { - "enabled": { - "type": "boolean", - "description": "Inject proxy settings", - "default": false - }, - "httpProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTP.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "httpsProxy": { - "type": "string", - "description": "URL of the enterprise proxy for the region for HTTPS.", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } - }, - "noProxy": { - "type": "string", - "description": "enterprise local domain that should not take proxy comma separated", - "default": "", - "hidden": { - "value": false, - "path": "proxy/enabled" - } + "enabled": { + "type": "boolean", + "description": "Inject proxy settings", + "default": false + }, + "httpProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTP.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "httpsProxy": { + "type": "string", + "description": "URL of the enterprise proxy for the region for HTTPS.", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" + } + }, + "noProxy": { + "type": "string", + "description": "enterprise local domain that should not take proxy comma separated", + "default": "", + "hidden": { + "value": false, + "path": "proxy/enabled" } + } } - }, - "certificates": { - "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", - "type": "object", - "x-onyxia": { - "overwriteSchemaWith": "certificates.json" }, - "default": {}, - "properties": { - "cacerts": { - 
"type": "string", - "description": "String of crts concatenated in base64, can be a url", - "default": "", - "x-onyxia": { - "hidden": true - } + "certificates": { + "description": "It can be used to inject certificate authority into the services, if the Helm chart in the catalog allows it you can bind this value to the Helm chart value to add some certificate authorities in the pod.", + "type": "object", + "x-onyxia": { + "overwriteSchemaWith": "certificates.json" }, - "pathToCaBundle": { - "type": "string", - "description": "String path where a bundle is made or injected by third party solution", - "default": "/usr/local/share/ca-certificates/", - "x-onyxia": { - "hidden": true + "default": {}, + "properties": { + "cacerts": { + "type": "string", + "description": "String of concatenated CA certificates. Alternatively a target URL can be provided.", + "default": "", + "x-onyxia": { + "hidden": true + } + }, + "pathToCaBundle": { + "type": "string", + "description": "String path where a bundle is made or injected by third party solution", + "default": "/usr/local/share/ca-certificates/", + "x-onyxia": { + "hidden": true + } } } - } - }, + }, "message": { "type": "object", "description": "Warning message", @@ -878,16 +878,18 @@ "hidden": true, "overwriteSchemaWith": "ide/message.json" }, - "properties":{ + "properties": { "fr": { "type": "string", "description": "message à ajouter dans les notes", - "default": ""}, + "default": "" + }, "en": { "type": "string", "description": "message to add in notes", - "default": ""} + "default": "" + } } } } -} +} \ No newline at end of file
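Review bot: The new `cacerts` description drops the old "in base64" wording without saying which encoding an inline value must now have, and it does not say whether the URL may be plain http. The statefulset hunk earlier in this patch no longer runs `base64 -d` in the init container, so the expected format depends on the secret template, which is not shown here. I would state both in the description, e.g. `"description": "Concatenated CA certificates (<expected encoding>), or an https URL to download them from."`, and consider a `pattern` on the property if only https sources are meant to be accepted.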