Necessary changes to the values files for upgrading the Renku chart version are listed here. For changes that require manual steps other than changing values, please check out the chart readme.
Please follow this convention when adding a new row
<type: NEW|EDIT|DELETE> - *<resource name>*: <details>
- DELETE
gitlab.*- all values related to the bundled GitLab have been removed. GitLab must from now on be provided as an external service and is no longer supplied as a part of the Renku Helm chart. - NEW
search.sentry.environment|dsn|enabledto set the sentry environment for the search services
- NEW
networkPolicies.allowAllIngressFromPodsspecify pod selectors that will allow the selected pods to access all other services in the Renku release namespace. - NEW
networkPolicies.allowAllIngressFromNamespacesspecify a list of namespaces that should be allowed to access all other services in the Renku release namespace.
- NEW
gateway.idleSessionTTLSecondsto set the session idle TTL in seconds. - NEW
gateway.maxSessionTTLSecondsto set the session max TTL in seconds. - NEW
gateway.debugto enable debug logs from the gateway.
- NEW
notebooks.bypassCacheOnFailurehas been added. Setting this to false prevents renku-notebooks to call the k8s api directly if its k8s cache has issues or is not running.
- DELETE
gateway.image.authhas been removed. - EDIT
gateway.reverseProxysettings have been moved togateway:
Old
gateway:
reverseProxy:
image:
repository: renku/renku-revproxy
tag: "0.24.0"
pullPolicy: IfNotPresent
metrics:
enabled: true
port: 8765
replicaCount: 2
podAnnotations: {}
resources: {}
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 5
targetMemoryUtilizationPercentage: 75
targetCPUUtilizationPercentage: 75
updateStrategy: {}
New
gateway:
image:
repository: renku/renku-gateway
tag: "1.0.0"
pullPolicy: IfNotPresent
metrics:
enabled: true
port: 8765
replicaCount: 2
podAnnotations: {}
resources: {}
autoscaling:
enabled: false
minReplicas: 2
maxReplicas: 5
targetMemoryUtilizationPercentage: 75
targetCPUUtilizationPercentage: 75
updateStrategy: {}
-
NEW
global.platformConfig: The YAML string can now contain a new key,secretServicePreviousPrivateKeywhich allows for rotating the secret-storage private key. To rotate keys, set this to the previoussecretServicePrivateKeyvalue and set a new key forsecretServicePrivateKey. Secrets-storage will then rotate all secrets once its started. You can monitor the progress of the rotation in prometheus using thesecrets_rotation_count(for total secrets rotated so far) andsecrets_rotation_state(eitherrunning,finishedorerrored) for the overall state of the rotation. Please make sure to unsetsecretServicePreviousPrivateKeyonce rotation is finished as a matter of best practice.NOTE: Make sure that you do not redeploy or rollback the Renku Helm chart while a key rotation is underway. Even if the deployment is broken it is best to wait for the key rotation to finish before attempting another deployment or a rollback.
The data-service configuration has been updated to support trusting reverse proxies.
- NEW
dataService.trustedProxies.proxiesCountto set the reverse proxy count - NEW
dataService.trustedProxies.realIpHeaderto set the real IP header value
- EDIT
dataService.keycloakSynchas been renamed todataService.backgroundJobs - NEW
dataService.backgroundJobs.events.resourcesto set the resources for the users short period synchronization job - NEW
dataService.backgroundJobs.total.resourcesto set the resources for the users long period synchronization job
- NEW
global.platformConfiga YAML string that contains the secret keys used by renku-data-services and secrets storage. In the future we plan to also consolidate other platform specific configuration here. The YAML string should contain the following keys:secretServicePrivateKey: An RSA private key, generated byssh-keygen -m PKCS8 -t rsa -b 4096without a password. You can leave this empty to have one automatically generated but we recommend setting it manually.dataServiceEncryptionKey: A 32 byte random string, used for encryption at rest.
- NEW
ui.client.sessionClassEmailUsto customize the content of the Email Us button on the Session class option.
The gitlab configuration has been unified in the global section of the values, which requires modifications for existing deployments.
- EDIT - notebooks.gitlab.registry.host -> global.gitlab.registry.host
- DELETE - notebooks.gitlab has been removed.
- NEW - solr: solr has been added to support searching. It is run as single node mode and required by new search services. The size of the persistent volume is set to 8G. Details can be found in the respective values section
- NEW - search: Renku introduces a new search service consisting of
search-apiandsearch-provision. The first is responsible for reading from solr, providing a http api to search across renku. The latter is responsible for populating solr with appropriate data.
The PostgreSQL chart dependency has been upgraded, which requires modification of the postgres data volume of existing deployments. See these instructions for more details.
-
NEW/EDIT - postgresql.persistence.existingClaim: Renku
0.49.0upgrades the postgres chart dependency, which requires modification of the postgres data volume of existing deployments. See these instructions -
EDIT - postgresql: The upgrade of the postgres chart dependency requires some restructuring of the postgres subchart values to match those of bitnami/postgresql chart version 14.0.1, namely:
-
EDIT - postgresql.postgresqlPassword -> postgresql.auth.postgresPassword: Note that the new key does not have
qlanymore in it.
Old
postgresql:
postgresqlDatabase: <string>
postgresqlUsername: <string>
postgresqlPassword: <string>
existingSecret: <string>
persistence:
enabled: <bool>
size: <string>
existingClaim: <string>
replication:
enabled: <bool>
user: <string>
password: <string>
slaveReplicas: <int>
New
postgresql:
auth:
username: <string>
database: <string>
postgresPassword: <string>
existingSecret: <string>
replicationUsername: <string>
replicationPassword: <string>
primary:
persistence:
enabled: <bool>
size: <string>
existingClaim: <string>
readReplicas:
enabled: <bool>
replicaCount: <int>
The handling of privacy policy and terms of service content has been fine tuned.
- DELETE
ui.client.privacy.page.configMapNamehas been removed. - DELETE
ui.client.privacy.page.configMapPolicyKeyhas been removed. - DELETE
ui.client.privacy.page.configMapTermsKeyhas been removed. - NEW
ui.client.privacy.page.privacyPolicyContentto customize the content of the Privacy Policy page (supports Markdown). - NEW
ui.client.privacy.page.termsContentto customize the content of the Terms of Use page (supports Markdown).
The handling of privacy policy and terms of service content has been slightly changed to make it more flexible.
- DELETE
ui.privacy.enabledhas been removed to make the privacy policy and cookie banner configurable independently. - NEW
ui.privacy.banner.enabledallows turning on the cookie banner (defaults to false). - DELETE
ui.client.privacy.page.configMapKeywhich has been renamed toui.client.privacy.page.configMapPolicyKey. - NEW
ui.client.privacy.page.configMapPolicyKeythe key in the ConfigMap where the content for the privacy policy is located. - NEW
ui.client.privacy.page.configMapTermsKeythe key in the ConfigMap where the content for the terms of use is located.
We completely overhauled how mounting cloud storage in sessions works, relying on a new CSI driver based on RClone which has to be installed in the cluster for things to work. Either install it as part of Renku using the flag mentioned below or install the csi-rclone chart manually and set the correct storage class in the values for the notebooks service.
- NEW
noteboks.cloudstorage.enabled- set totrueto enable mounting cloud storage in sessions. - DELETE
notebooks.cloudstorage.s3.enabed- superseeded by previous property. - NEW
notebooks.cloudstorage.storageClass- the storage class for the CSI Rclone chart, needed for new cloudstorage to work. The defaultcsi-rcloneshould be fine unless already in use. - NEW
global.csi-rclone.install- iftrueinstalls the csi-rclone chart alongside Renku. The chart is needed for cloud storage in sessions to work. - NEW
csi-rclone.storageClassName- the storage class name the CSI drivers uses, should match what is configured in thestorageClassproperty mentioned above. - NEW
csi-rclone.csiNodePlugin.tolerations- Tolerations for the node plugin part of the CSI driver. Need to be set in a way that allows it to be scheduled on user session nodes. By default this would meankey=renku.io/dedicated,operator=Equal,value=userandeffect=NoSchedule
- DELETE
graph.gitlab.urlhas been removed as graph services uses theglobal.gitlab.url.
The encryption keys used by the Webhook service and Token Repository have been moved around and now they do not have to be base64 encoded in the values file anymore. Although the Helm chart will take care of generating a new secret in the correct form from the old one (for existing deployment being upgraded), we suggest to also store those secrets in the value file.
To cleanup the old secrets, please remove the following fields:
- DELETE
graph.tokenRepository.tokenEncryption.secret - DELETE
graph.webhookService.hookToken.secret
Then extract the content of the old secrets for the Token Repository service using kubectl:
kubectl -n renku get secrets renku-token-repository -o jsonpath="{.data['tokenRepository-tokenEncryption-secret']}" | base64 -d | base64 -dAnd add it to the following new field in the value file:
- NEW
graph.tokenRepository.aesEncryptionKey
Similarly extract the content of the old secret for the Webhook service:
kubectl -n renku get secrets renku-webhook-service -o jsonpath="{.data['webhookService-hookToken-secret']}" | base64 -d | base64 -dAnd add it to the following new field in the value file:
- NEW
graph.webhookService.aesEncryptionKey
The UI includes a feature that allows projects to be displayed in the Showcase section of the RenkuLab home page. This is an improvement that has been planned for a while, and the ui.homepage.projects field was introduced into the values file with the intention of being used to configure this. Support for that field was never actually implemented, and as part of the implementation of this feature, the configuration structure was changed somewhat.
To clean up, please remove the following field:
- DELETE -
ui.homepage.projects
To keep the RenkuLab homepage as before, ensure that the following field/value has been added:
- NEW -
ui.homepage.showcase.enabled: false
Follow the Homepage section of the how-to guide for admins to learn how to configure this feature if you wish to highlight showcase projects.
The Amalthea scheduler (which is not enabled by default) has changes in the values file under amalthea.scheduler.
Please note that either of the two new Amalthea schedulers remain disabled by default (just as before) and by default
Amalthea will simply use your default Kubernetes scheduler.
- DELETE
amalthea.scheduler.image- deprecated will be ignored if provided - DELETE
amalthea.scheduler.enable- deprecated will be ignored if provided - DELETE
amalthea.scheduler.priorities- deprecated will be ignored if provided - NEW
amalthea.scheduler.packing- can be used to enable a preset scheduler that will try to pack sessions on the smallest number of nodes and favor the most used nodes - NEW
amalthea.scheduler.custom- can be used to add any custom scheduler for Amalthea, admins just have to provide the scheduler name - EDIT
crc- the field has been renamed todataService, all child fields and functionality remains the same - NEW
global.gitlab.urlhas been added and needs to be specified, this will be the single place where the Gitlab URL will be specified in future releases we will deprecated all the other Gitlab URL fields in the values file.
This is a big change to the Renku Helm chart. We have now combined all Renku components to be present
in a single Helm chart. This will allow us to gradually simplify the complicated and repetitive nature of
our values.yaml file. So now all Renku components have their templates in the https://github.com/SwissDataScienceCenter/renku
repository rather than having many separate helm charts for each component. This change does not
mean that the requirements.yaml file is not empty, but it does mean that it contains true third-party dependencies like
Redis, Postgres, Keycloak, Jena, Amalthea and Datashim (used to mount S3 buckets in sessions).
Furthermore, this change combines all relevant Renku configuration in a single values.yaml file with
all defaults for Renku components now located in a single file. Prior to this if someone had issues with
for example the gateway component they would have to go to the gateway helm chart to understand what
configuration is possible from its values.yaml file.
- EDIT -
graph.jena.*moved tojena.* - EDIT -
notebooks.amalthea.*moved toamalthea.* - EDIT -
notebooks.dlf-chart.*moved todlf-chart.*
In addition going forward we will follow a much stricter versioning scheme that will distinguish changes to the Renku Helm chart as opposed to changes to the application. Notably:
- Patch changes (i.e.
0.50.1->0.50.2) indicate that there are NO changes in the Helm chart and that only appplication level bug fixes are present in the new release. - Minor version changes (i.e.
0.50.2->0.51.0) indicate that there are NO changes in the Helm chart and that only application level new features and/or application level breaking changes are present. - Major version changes (i.e.
0.50.0->1.0.0) will be reserved for changes in the Helm chart, either when the values file changes or when the Helm templates change.
- EDIT -
notebooks.culling.idleThresholdSecondsin the notebooks' values file was renamed tonotebooks.culling.idleSecondsThreshold. This needs to be acted upon once the corresponding PR in Renku repository is merged.
- NEW - ingress.className is now available to select a specific IngressClass to be used for the ingress. While often supporting both, current ingress controllers uses this value over the deprecated kubernetes.io/ingress.class annotation. Existing instances of Renku do not need to be changed unless their administrators wish to take advantage of the IngressClass.
For more information about the move to IngressClass see this Kubernetes blog entry.
To make use of it:
ingress:
className: nginx
# optional
annotations:
kubernetes.io/ingress.class: null
- NEW - global.graph.triplesGenerator.postgresPassword.value should be specified. If it is not specified, a password will be generated automatically when the database is initialized. It is strongly recommended, however, to specify it here such that the password is explicitly managed and can be restored in disaster scenarios. Generate through
openssl rand -hex 32.
- EDIT - The keycloak chart has been replaced with keycloakx, if any values are specified under
keycloak, now they need to be underkeycloakx. NOTE: the values underglobal.keycloakremain unchanged.
Old
keycloak:
enabled: true
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 1000m
memory: 1Gi
New
keycloakx:
enabled: true
resources:
limits:
cpu: 1000m
memory: 1Gi
requests:
cpu: 1000m
memory: 1Gi
- EDIT - the
redischart was upgraded from10.7.11to17.4.2; the values in the newerredischart differ from those in the older chart. As therenkuvalues.yamlpasses some values to the dependentredischart, some values need to be changed.
In summary, the main differences are that the newer redis chart no longer has
notions of masters and slaves; nodes are simply replicas. The default
deployment is one in which Redis Sentinel is enabled and 3 replicas are
deployed. There are also changes to where secrets are located in the helm
chart.
For reference to the redis values.yaml, for version 17.4.2 of the bitnami
redis helm chart see:
Also, see the default renku values.yaml file for more comments relating to
the impact of these settings.
Old
redis:
# If set to true, a HA redis will be included in the Renku release.
install: true
# If set to true, we'll create a k8s secret to be used as existingSecret
# for password auth.
createSecret: true
# The actual password, ignored if createSecret is false.
password: # openssl rand -hex 32
fullnameOverride: renku-redis
redisPort: 6379
usePassword: true
existingSecret: redis-secret
existingSecretPasswordKey: redis-password
master:
persistence:
enabled: false
resources:
requests:
cpu: 200m
memory: 256Mi
slave:
persistence:
enabled: false
resources:
requests:
cpu: 200m
memory: 256Mi
sentinel:
port: 26379
enabled: true
resources:
requests:
cpu: 200m
memory: 64Mi
downAfterMilliseconds: 1000
failoverTimeout: 2000
networkPolicy:
enabled: true
allowExternal: false
New
redis:
###########################################################################
### Configuration that is unknown to the redis chart but picked up ###
### by the renku chart. ###
###########################################################################
# If set to true, a HA redis will be included in the Renku release.
install: true
# If set to true, we'll create a k8s secret to be used as existingSecret
# for password auth.
createSecret: true
# The actual password, ignored if createSecret is false.
password: # openssl rand -hex 32
fullnameOverride: renku-redis
architecture: replication
auth:
enabled: true
sentinel: true
existingSecret: redis-secret
existingSecretPasswordKey: redis-password
commonConfiguration: |-
appendonly no
save ""
replica:
replicaCount: 3
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
updateStrategy:
type: RollingUpdate
persistence:
enabled: false
autoscaling:
enabled: false
sentinel:
enabled: true
quorum: 2
service:
sentinel: 26379
resources:
requests:
cpu: 200m
memory: 64Mi
downAfterMilliseconds: 1000
failoverTimeout: 2000
networkPolicy:
enabled: true
allowExternal: false
metrics:
enabled: true
- EDIT - the ui chart was simplified and given a more regular structure.
Old
ui:
baseUrl: <string>
gatewayUrl: <string>
New
ui:
client:
url: [old baseUrl]
[... other client properties]
gateway:
url: <string>
- DELETE - renku graph's Jena does not need the dataset property anymore so global.graph.jena.dataset property can be removed.
- EDIT - the ui and ui-server charts were unified, requiring that the values be merged.
The new structure looks like
ui:
baseUrl: <string>
gatewayUrl: <string>
gitlabUrl: <string>
ingress: <object>
client: <object> # the remaining old ui values
server: <object> # the old uiserver values
Specifically, for property not in [baseUrl, gatewayUrl, gitlabUrl, ingress]:
- rename ui.[property] to ui.client.[property]
- rename uiserver.[property] to ui.server.[property]
- NEW/EDIT - sentry values across the repositories were changed to follow this pattern:
Specifically:
sentry: enabled: <bool> dsn: <string> environment: <string> sampleRate: <number> # available only for some repos- rename ui.sentry.url and uiserver.sentry.url to ui.sentry.dsn and uiserver.sentry.dsn
- rename ui.sentry.namespace and uiserver.sentry.namespace to ui.sentry.environment and uiserver.sentry.environment
- add ui.sentry.sampleRate and uiserver.sentry.sampleRate
- add core.sentry.enabled and core.sentry.sampleRate
- add gateway.sentry.enabled
- rename graph.sentry.url to graph.sentry.dsn and graph.sentry.environmentName to graph.sentry.environment
- add notebooks.sentry.enabled
- rename notebooks.sentry.env to notebooks.sentry.environment
- NEW/EDIT postgresql.persistence.existingClaim might need to be modified in the course of upgrading your PostgreSQL version. See these instructions
- NEW/EDIT/DELETE gitlab.image.tag might have to be adjusted as we do a GitLab major version bump in with this release. See these instructions
- NEW - redis-password Generate through
openssl rand -hex 32.
- NEW - uiserver has been added with the required values for the ui-server component.
- NEW - global.uiserver.clientSecret has been added when introducing a new
renku-uiclient application in keycloak. Generate throughopenssl rand -hex 32. - NEW - notebooks.amalthea.resourceUsageCheck.enabled needs to be set to false for the time being.
- NEW - notebooks.sessionTolerations and notebooks.sessionAffinity is now configurable in order to have user session dedicated nodes.
The use of Amalthea and removal of Jupyterhub require some changes. This version is not backward compatible with the user sessions from older versions. During the deployment the admin should clean up all remaining user sessions and then deploy this version.
- NEW - notebooks.amalthea several new sections have been added to the
values.yamlfile which are required by Amalthea. Please refer to the renku values file for more details. - DELETE - notebooks.jupyter and all references to Jupyterhub in the values have been removed and are not required anymore.
- DELETE - anonymous sessions do not require a separate namespace and renku-notebooks deployment, if enabled in the values file they now run in the same namespace as regular user sessions.
- NEW - ui.homepage has been added for customizing the content on the RenkuLab home page. See the values.yml file for more detailed documentation.
- NEW notebooks.serverDefaults has been added with default values that will be used to create a session when specific server options are left out of the request to launch a session. See the values.yaml file for more details.
- NEW notebooks.userSessionPersistentVolumes has been added which enables the use of persistent volumes for user sessions. The use of persistent volumes is disabled by default however. To turn this feature on set the
enabledflag and specify a storage class that should be used. We strongly recommend using a storage class with aDeleteretain policy because otherwise the persistent volumes from the user sessions will keep accumulating and will require manual intervention for cleanup.
- NEW/EDIT postgresql.persistence.existingClaim will most likely need to be modified in the course of upgrading your postgresql version. See these instructions
- NEW/EDIT/DELETE gitlab.image.tag might have to be adjusted as we do a GitLab major version bump in with this release. See these instructions
- NEW - global.gateway.cliClientSecret has been added when introducing a new "renku-cli" client application in keycloak. Generate through
openssl rand -hex 32.
- NEW - ui.uiserverUrl has been added. The default value is
<domain>/ui-server.
- Keycloak chart dependency upgraded from
4.10.2to9.8.1, check out the instructions on how to upgrade aspects not covered by default in the Renku chart. Most notably, keycloak values are less nested, so at the level of the Renku chart values, keycloak.keycloak.X.Y becomes keycloak.X.Y. - EDIT - the section keycloak.keycloak.persistence has been removed. Database connection details are specified through the keycloak.extraEnv and keycloak.extraEnvFrom blocks. See the Renku values file for reference.
- EDIT - keycloak.keycloak.username has been moved to global.keycloak.user.
- EDIT - postgresql.persistence.existingClaim: Renku
0.7.0upgrades the postgres chart dependency, which requires modification of the postgres data volume of existing deployments. See this helper job manifest. - EDIT - postgresql.postgresPassword renamed to postgresql.postgresqlPassword.
- DELETE - minio.enabled: minio has been removed from the Renku dependencies, deploy minio as a standalone service if you need it.
- DELETE - ui.templatesRepository
- NEW - ui.templates: the UI project creation has been overhauled and can be configured here.
- NEW - ui.templates.repositories - list of renku templates repositories to be used in the ui. Each object contains a
urlpointing to the repository, arefspecifying the target tag or commit, anameacting as a user friendly short name. - DELETE - global.gitlab.sudoToken - this is no longer needed.
- DELETE - notebooks.gitlab.registry.secret - this is no longer needed.
- DELETE - notebooks.gitlab.registry.token - this is no longer needed.
- DELETE - notebooks.gitlab.registry.username - this is no longer needed.
- DELETE - gateway.graph - this is no longer needed.
- NEW - ui.statuspage.id: the id for the statuspage.io instance. See the values.yml file for more detailed documentation.
Interactive sessions for logged-out users are now possible, see the docs.
- NEW - global.anonymousSessions.enabled: set to true to turn on notebook sessions for logged out users.
- NEW - global.anonymousSessions.postgresPassword.overwriteOnHelmUpgrade: set to
truewhen upgrading an existing deployment, then back tofalse(default value).
- NEW - ui.sentry: added Sentry information for logging runtime exceptions
- EDIT - notebooks.serverOptions: added
<resource>.orderto control ui rendering order. The default values defined in notebooks are now different. - DELETE - graph.knowledgeGraph.services.renku.url: no need for this anymore as it's linked to
global.renku.domaininternally. Ref: refactor KG remove services renku URL - DELETE - keycloak.keycloak.extraVolumes.-name:realm-secret : need to delete
renku-realm.jsonin order to work with remove realm template commit - EDIT - global.gitlab.postgresPassword: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - EDIT - global.gitlab.sudoToken: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - EDIT - global.keycloak.postgresPassword: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - NEW - global.keycloak.password: split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - DELETE - keycloak.keycloak.password: the admin password for keycloak is now provided through a k8s secret which is set in the global values section.
- EDIT - global.jupyterhub.postgresPassword: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - EDIT - global.graph.dbEventLog.postgresPassword: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - EDIT - global.graph.tokenRepository.postgresPassword: now split into
valueandoverwriteOnHelmUpgrade, set the latter to true to generate a password or set value to use an existing one. - EDIT - notebooks.jupyterhub.hub.db.url: remove the password (between ":" and "@" from the URL).
- EDIT - notebooks.jupyterhub.hub.db.extraEnv: due to the inability of helm to merge maps, all extra environment variables must be explicitly provided after the introduction of secrets auto-generation:
extraEnv:
- name: GITLAB_URL
value: <your-gitlab-url>
- name: JUPYTERHUB_SPAWNER_CLASS
value: spawners.RenkuKubeSpawner
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: renku-jupyterhub-postgres
key: jupyterhub-postgres-password