diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index b4194ec918..4dd61e44cc 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: renku teardown - uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.12.3 env: GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }} RENKUBOT_KUBECONFIG: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} diff --git a/.github/workflows/publish-helm-chart.yml b/.github/workflows/publish-helm-chart.yml index 30422141e1..fdeb0c5704 100644 --- a/.github/workflows/publish-helm-chart.yml +++ b/.github/workflows/publish-helm-chart.yml @@ -15,7 +15,7 @@ jobs: - name: Set version id: vars run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.12.3 env: CHART_DIR: helm-chart/ CHART_NAME: renku diff --git a/.github/workflows/publish-master-merges.yaml b/.github/workflows/publish-master-merges.yaml index df49c7c868..b0fe88420c 100644 --- a/.github/workflows/publish-master-merges.yaml +++ b/.github/workflows/publish-master-merges.yaml @@ -35,7 +35,7 @@ jobs: - id: set-version run: | echo "publish_version=${{ steps.bump-semver.outputs.new_version }}.$(echo ${{ github.sha }} | cut -c 1-7)" >> $GITHUB_ENV - - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.12.3 env: CHART_DIR: helm-chart/ CHART_TAG: "--tag ${{env.publish_version}}" diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml index 5e5030fbfb..d626f5c72d 100644 --- a/.github/workflows/pull-request-test.yml +++ b/.github/workflows/pull-request-test.yml 
@@ -57,12 +57,13 @@ jobs: renku-notebooks: ${{ steps.deploy-comment.outputs.renku-notebooks}} renku-ui: ${{ steps.deploy-comment.outputs.renku-ui}} renku-data-services: ${{ steps.deploy-comment.outputs.renku-data-services}} + amalthea: ${{ steps.deploy-comment.outputs.amalthea}} test-enabled: ${{ steps.deploy-comment.outputs.test-enabled}} extra-values: ${{ steps.deploy-comment.outputs.extra-values}} steps: - uses: actions/checkout@v4.1.7 - id: deploy-comment - uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.12.3 with: string: /deploy pr_ref: ${{ github.event.number }} @@ -78,7 +79,7 @@ jobs: - uses: actions/checkout@v4.1.7 - name: renku build and deploy if: needs.check-deploy.outputs.pr-contains-string == 'true' - uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.12.3 env: DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }} DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }} @@ -97,6 +98,7 @@ jobs: renku_notebooks: "${{ needs.check-deploy.outputs.renku-notebooks }}" renku_ui: "${{ needs.check-deploy.outputs.renku-ui }}" renku_data_services: "${{ needs.check-deploy.outputs.renku-data-services }}" + amalthea: "${{ needs.check-deploy.outputs.amalthea }}" extra_values: "${{ needs.check-deploy.outputs.extra-values }}" - name: Check existing renkubot comment if: needs.check-deploy.outputs.pr-contains-string == 'true' @@ -120,7 +122,7 @@ jobs: needs: [check-deploy, deploy-pr] runs-on: ubuntu-22.04 steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.12.3 with: kubeconfig: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} renku-release: ci-renku-${{ github.event.number }} 
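Review bot: The new `amalthea` output is read from the PR description by `check-pr-description` and, in the `@@ -97,6 +98,7 @@` hunk, passed unchanged to `deploy-renku`, a step that also receives `DOCKER_PASSWORD` and `DOCKER_USERNAME`. Nothing visible in this workflow constrains the value, so whatever a PR author writes after `/deploy` reaches the action. Confirm that the action treats it strictly as a version or ref and never builds a shell or `helm` command line from it. A comment above the `with:` block, such as `# component refs below are parsed from the PR description and must be treated as untrusted`, would record that assumption. Both job definitions start and end outside these hunks.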
@@ -148,7 +150,7 @@ jobs: ] steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.12.3 if: github.event.action != 'closed' && needs.check-deploy.outputs.pr-contains-string == 'true' && needs.check-deploy.outputs.test-enabled == 'true' with: e2e-target: ${{ matrix.tests }} @@ -181,7 +183,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: renku teardown - uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.12.3 env: HELM_RELEASE_REGEX: "^ci-renku-${{ github.event.number }}$" GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }} diff --git a/.github/workflows/renku-dev-test.yaml b/.github/workflows/renku-dev-test.yaml index 60074e2941..87dc26857a 100644 --- a/.github/workflows/renku-dev-test.yaml +++ b/.github/workflows/renku-dev-test.yaml @@ -8,7 +8,7 @@ jobs: github.event.client_payload.message == 'Helm test succeeded' }} runs-on: ubuntu-20.04 steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.12.3 with: kubeconfig: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} renku-release: renku diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f7d693546f..8441811a8f 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,334 @@ .. _changelog: +0.60.0 +------ + + + +0.57.2 +------ + +Renku ``0.57.2`` fixes several bugs in gateway and the `csi-rclone` driver. + +User-facing Changes +~~~~~~~~~~~~~~~~~~~ + +**Bug Fixes** + +- **UI**: show the correct repository access status +- **Sessions**: allow paused sessions with cloud storage secrets to resume normally + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Bug Fixes** + +- **Gateway**: Fix path rewrite middleware when the path contains escaped characters (`#726 `__). +- **csi-rclone**: Correctly use OAuth2 tokens for cloud storage to enable mounting. +- **csi-rclone**: Remounting volumes created with older versions did not work. + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-gateway 1.0.4 `_ +- `csi-rclone 0.3.2 `__ +- `csi-rclone 0.3.3 `__ + +0.57.1 +------ + +Renku ``0.57.1`` fixes a bug in renku-ui-server where the service would be stuck in a crash loop when Sentry is enabled. +It also fixes two bugs in Notebooks related to the access token and shared memory in the user-sessions. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **UI**: Access mode defaults to read-only when adding a new data source in Renku 2.0 (`#3275 `__). +- **Notebooks**: Don't fail clone process if access token doesn't exist (`#1971 `__). +- **Notebooks**: Fix shared memory attached to the JupyterServer container to be half of the total requested memory (`#1984 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Bug Fixes** + +- **UI**: Fix the UI server being stuck in a crash loop at startup when Sentry is enabled (`#3318 `__). +- **Gateway**: Fix getting HTTP error 500 when logging in (`#723 `__). + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-ui 3.35.1 `_ +- `renku-gateway 1.0.3 `_ +- `renku-notebooks 1.26.1 `_ + +0.57.0 +------ + +Renku `0.57.0` brings a suite of new features and improvements to the Renku 2.0 beta. As a main +highlight, you can now save and reuse the credentials for data sources. 
No more copy/paste on every +session launch! We have also made small improvements to sharing, search, and sessions in Renku 2.0. +For a full list of changes, see the list below. + + +NOTE to administrators: Upgrading the `csi-rclone` component will unmount all cloud storage for all +active or hibernated sessions. Therefore, we recommend notifying your users ahead of time when you +deploy this version of Renku and also if possible deploying the upgrade when there are fewer +sessions that use cloud storage or just fewer sessions in general. Once the upgrade is complete +users will be able to mount cloud storage as usual. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Support saving and managing credentials for Renku 2.0 data sources (`#3266 `__). + +**✨ Improvements** + +- **Search Services**: Enable searching by prefix of indexed words +- **UI**: Add members to groups and projects in Renku 2.0 by username instead of email (`#3270 `__). +- **UI**: Enable sharing search URLs by reflecting the search query in the URL for Renku 2.0 (`#3245 `__). +- **UI**: Show the status of a session via a dynamic browser tab icon (`#3249 `__). +- **UI**: Display session details in session page in Renku 2.0 (`#3258 `__) +- **UI**: Set default namespace when creating a new Renku 2.0 project (`#3264 `__). + +**🐞 Bug Fixes** + +- **UI**: Fix issue in Renku 2.0 where launched sessions did not use the default storage size of the selected resource class (`#3295 `__). +- **UI**: Fix misnomers on the group creation page (`#3276 `__). +- **Data Services**: Fix connected services showing errors for anonymous users +- **Data Services**: Fix 500 error being raised when modifying a session launcher + +Internal Changes +~~~~~~~~~~~~~~~~ + +**New Features** + +- **csi-rclone**: Read credential secrets from PVC annotations +- **csi-rclone**: Update the CSI sidecar container versions +- **csi-rclone**: Add support for decrypting data storage secrets. 
+- **Gateway**: The API Gateway components have been refactored and simplified (`#709 `__). +- **Notebooks**: Add a component for liveness detection +- **Notebooks**: Support for saving cloud storage secrets + +**Improvements** + +- **Search Services**: Reading all data service events from a single Redis stream. Processing from individual streams is kept. +- **Data Services**: Do not show user emails and use usernames instead for all interactions +- **UI**: The UI server has been refactored following the changes in the gateway (`#3271 `__). + +**Bug Fixes** + +- **csi-rclone**: Do not crash on unmounting as it might block dependent resources +- **csi-rclone**: Use extra storage class when reading secrets from a PVC annotation +- **Data Services**: Fix group member changes not being sent to search +- **Data Services**: Fix Redis not being able to connect to the master node + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `csi-rclone 0.1.8 `__ +- `csi-rclone 0.2.0 `__ +- `csi-rclone 0.3.0 `__ +- `csi-rclone 0.3.1 `__ +- `renku-gateway 1.0.0 `_ +- `renku-gateway 1.0.1 `_ +- `renku-gateway 1.0.2 `_ +- `renku-ui 3.34.0 `_ +- `renku-ui 3.35.0 `_ +- `renku-search 0.5.0 `_ +- `renku-notebooks 1.26.0 `__ +- `renku-data-services 0.20.0 `__ + + +0.56.3 +------ + +Renku ``0.56.3`` fixes a bug in renku-data-services where strict user email validation +was causing problems with the admin panel and listing users. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Data Services**: do not validate user emails because Keycloak can contain invalid emails + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.19.1 `__ + +0.56.2 +------ + +Renku ``0.56.2`` fixes a bug in renku-data-services where a background job would stop working +if a deleted project wasn't correctly removed from the authorization database. 
+ +Internal Changes +~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **Data Services**: Adds endpoint for saving storage credentials + + +**🐞 Bug Fixes** + +- **Data Services**: Fixes background job not working with Authzed db in inconsistent state +- **Data Services**: Fixes query args validation for /api/data/user/secrets endpoint +- **Data Services**: Splits error into 401 and 403 depending on the error + + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.19.0 `__ + + +0.56.1 +------ + +Renku ``0.56.1`` fixes a bug where Amalthea would not start when the prometheus metrics or the +audit log export functionality is enabled. + +Internal Changes +~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- * **Amalthea**: Fix failing startup when prometheus metrics or audit log is enabled. + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `amalthea 0.12.3 `_ + +0.56.0 +------ + +Renku ``0.56.0`` adds new features and improvements to several components. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Update incidents and maintenance banner and summary (`#3220 `__) +- **UI**: Add incidents and maintenance section in the admin panel (`#3220 `__) +- **Data Services**: Add platform configuration + +**✨ Improvements** + +- Revamp design for Renku 2.0 (`#3214 `__). + +**🐞 Bug Fixes** + +- Use standard HTML input fields for secret values (`#3233 `__). + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- * **Amalthea**: Sessions can now run correctly on Kubernetes version 1.29. + +**🐞 Bug Fixes** + +- * **Amalthea**: Fix the repository for the scheduler image in the Amalthea Helm chart. +- * **Amalthea**: Properly load the namespace configuration when starting the operator. +- * **Amalthea**: Fix the missing health check endpoint for the old operator. 
+ +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.18.0 `_ +- `renku-data-services 0.18.1 `_ +- `renku-ui 3.32.0 `_ +- `renku-ui 3.33.0 `_ +- `amalthea 0.12.0 `_ +- `amalthea 0.12.1 `_ +- `amalthea 0.12.2 `_ + +0.55.0 +------ + +Renku ``0.55.0`` introduces user and group pages in Renku 2.0, where you can see all projects owned +by those people. In addition, you can now fully take advantage of RenkuLab resources in Renku 2.0 by +setting a resource class for your session launchers. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Renku 2.0: Add user pages that show all projects in the namespace (`#3198 `__) +- **UI**: Renku 2.0: Extend group pages to show all projects in the namespace (`#3198 `__) + +**✨ Improvements** + +- **UI**: Renku 2.0: Provide clickable links between projects and user/group namespace pages on the project page and in search results (`#3198 `__) +- **Search Services**: Renku 2.0: Show creator name and project namespace in search results, + where before only the respective ids were included (`#3198 `__) +- **UI**: Renku 2.0: Support setting a default resource class for a session launcher in Renku 2.0 (`#3196 `__) + +Internal Changes +~~~~~~~~~~~~~~~~ + +**Improvements** + +- **Search Services**: The search query is now accepted at ``/api/search/query`` url path + and a ``/api/search/version`` endpoint has been added +- **Data Services**: Change API to provide user and group pages in Renku 2.0 + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.17.0 `_ +- `renku-search 0.4.0 `_ +- `renku-ui 3.30.0 `_ +- `renku-ui 3.31.0 `_ + +0.54.2 +------ + +Renku ``0.54.2`` fixes a bug with testing the cloud storage connection for WebDAV. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Data Services**: Fix verifying cloud storage connection not working with WebDAV by correctly obscuring RClone values. 
+ +Individual components +~~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.16.1 `__ + +0.54.1 +------ + +Renku ``0.54.1`` introduces a few bug fixes in the notebooks and data services components. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Notebooks**: Patch the correct environment variables when a session is resumed after being hibernated +- **Data Services**: Assign the correct project permissions to group members + +Individual components +~~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.15.1 `__ +- `renku-notebooks 1.25.3 `__ + + 0.54.0 ------ @@ -174,7 +503,7 @@ session on the Start with Options page. More details on this feature can be foun [documentation](https://renku.readthedocs.io/en/stable/topic-guides/secrets/secrets.html). Administrators can customize the culling times (the length of time before an idle session is paused -or a paused session is deleted) for different resource pools. +or a paused session is deleted) for different resource pools. This release also contains new features related to Renku 2.0. However, Renku 2.0 is still in early development and is not yet accessible to users. For more information, see our diff --git a/cypress-tests/cypress/e2e/useSession.cy.ts b/cypress-tests/cypress/e2e/useSession.cy.ts index 79b989c6e5..22b22d712c 100644 --- a/cypress-tests/cypress/e2e/useSession.cy.ts +++ b/cypress-tests/cypress/e2e/useSession.cy.ts @@ -166,9 +166,11 @@ describe("Basic public project functionality", () => { }); it("Start a new session as anonymous user.", () => { + // Do not re-use the logged-in session + cy.session("anonymous", () => {}); + // Log out and go to the project again cy.visit("/"); - cy.logout(); cy.visitAndLoadProject(projectIdentifier); // Check we show the appropriate message 
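Review bot: The retained comment `// Log out and go to the project again` in the `useSession.cy.ts` hunk is stale, because the `cy.logout()` call it described is removed and the test now starts from an empty `cy.session("anonymous", …)`. Reword it to something like `// Visit the project with a fresh, unauthenticated session`. The test also no longer exercises the logout path, so if logout clearing the session is meant to be covered, it needs a test elsewhere. The `it(...)` body continues beyond the hunk.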
@@ -275,7 +277,7 @@ describe("Basic public project functionality", () => { cy.get("#mountPoint") .should("have.value", "external_storage/data_s3") .type("{selectAll}data_s3"); - cy.get("#readOnly").should("not.be.checked").check(); + cy.get("#readOnly").should("be.checked").check(); cy.getDataCy("cloud-storage-edit-update-button") .should("be.visible") diff --git a/cypress-tests/cypress/support/commands/login.ts b/cypress-tests/cypress/support/commands/login.ts index 0f7514ff66..6623084aad 100644 --- a/cypress-tests/cypress/support/commands/login.ts +++ b/cypress-tests/cypress/support/commands/login.ts @@ -140,6 +140,8 @@ function robustLogin(props?: RobustLoginProps) { function logout() { cy.get("#profile-dropdown").should("be.visible").click(); cy.get("#logout-link").should("be.visible").click(); + // Make sure we fully log out + cy.wait(1_000); } export default function registerLoginCommands() { diff --git a/docs/how-to-guides/admin/gitlab.rst b/docs/how-to-guides/admin/gitlab.rst index 541c2f3705..be3ef7cab1 100644 --- a/docs/how-to-guides/admin/gitlab.rst +++ b/docs/how-to-guides/admin/gitlab.rst @@ -50,7 +50,7 @@ Callback URLs: .. code-block:: console - https:///login/redirect/gitlab + https:///api/auth/callback https:///api/auth/gitlab/token Scopes: diff --git a/docs/index.rst b/docs/index.rst index f16e6824a6..d61c926703 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,13 @@ Renku Documentation -- Wikipedia +.. note:: + + **We're building the next version of Renku!** For documentation related to Renku 2.0, please see + our `Community Portal + `_. To learn + more about the big changes coming in Renku, check out our `blog post `_. + .. include:: ../README.rst :start-after: renku: :end-before: documentation: diff --git a/docs/requirements.txt b/docs/requirements.txt index 3def945fdd..9cca5c1453 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt 
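Review bot: In the `@@ -275,7 +277,7 @@` hunk of `useSession.cy.ts`, the chain `cy.get("#readOnly").should("be.checked").check();` asserts the box is already checked and then checks it again, so the trailing `.check()` no longer does anything. Drop it and keep `cy.get("#readOnly").should("be.checked");`, which states the intent (read-only is the default) without a no-op action. The surrounding test body lies outside the hunk.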
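Review bot: The `cy.wait(1_000)` added to `logout()` in `login.ts` pauses for a fixed time but does not verify that the session has ended. A slow backend can still leave the next test authenticated, and a fast one wastes a second on every call. Replace the sleep with an assertion on an observable logged-out state, for example `cy.get("#logout-link").should("not.exist");` if the logged-out page no longer renders that element. The comment could then read `// Wait until the UI reflects the logged-out state`.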
@@ -1,5 +1,5 @@ sphinxcontrib-plantuml==0.26 -sphinx>=4.1 +sphinx>=4.1,<7.0 sphinxcontrib-mermaid==0.9.2 sphinxcontrib-napoleon==0.7 sphinx-click==5.0.1 diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 4f2f806c5c..3c962635ef 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -152,6 +152,7 @@ kwargs ld lefthand lfs +liveness LocalClient localhost Lucene @@ -308,6 +309,7 @@ unmapped unmerged Unmount unmount +unmounting unpause unpushed unschedulable @@ -326,6 +328,7 @@ vertices viewmodel vis vm +WebDAV webhook webhooks wildcard diff --git a/docs/tutorials.rst b/docs/tutorials.rst index 13fad6a4a0..bafa5da4fd 100644 --- a/docs/tutorials.rst +++ b/docs/tutorials.rst @@ -3,6 +3,15 @@ Tutorials --------- +.. note:: + + **We're building the next version of Renku!** If you're looking for a tutorial for Renku 2.0, + please see the Renku 2.0 documentation on our `Community Portal + `_ instead. + The tutorial linked below is outdated and refers to the legacy version of Renku that is no + longer under active development. To learn more about the big changes coming in Renku, check out + our `blog post `_. + The following tutorials are available for getting acquainted with Renku. We recommend you start with :ref:`first_steps`! diff --git a/docs/tutorials/01_firststeps.rst b/docs/tutorials/01_firststeps.rst index cf47e216ea..7c8a553d28 100644 --- a/docs/tutorials/01_firststeps.rst +++ b/docs/tutorials/01_firststeps.rst 
@@ -3,6 +3,15 @@ Get Started on RenkuLab ======================= +.. note:: + + **We're building the next version of Renku!** If you're looking for a tutorial for Renku 2.0, + please see the Renku 2.0 documentation on our `Community Portal + `_ instead. + This tutorial is outdated and refers to the legacy version of Renku that is no longer under + active development. To learn more about the big changes coming in Renku, check out our `blog + post `_. + This tutorial will help you get started working on the Renkulab platform. We will use Renku to realize a very small data science project: counting the number of flights to Austin-Bergstrom International Airport in January, 2019. In this tutorial we will provide instructions for Python, Julia (in JupyterLab) and R (in RStudio). diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 241fe30915..7a214673d5 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -23,14 +23,14 @@ dependencies: alias: jena - name: amalthea repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.11.0" + version: "0.12.3" - name: dlf-chart repository: "https://swissdatasciencecenter.github.io/datashim/" version: "0.3.9-renku-2" condition: notebooks.cloudstorage.s3.installDatashim - name: csi-rclone repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.1.7" + version: "0.3.3" condition: global.csi-rclone.install - name: solr repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/helm-chart/renku/templates/authz/deployment.yaml b/helm-chart/renku/templates/authz/deployment.yaml index 5e87f7434e..306f3ac814 100644 --- a/helm-chart/renku/templates/authz/deployment.yaml +++ b/helm-chart/renku/templates/authz/deployment.yaml @@ -108,6 +108,8 @@ spec: - -addr=127.0.0.1:50051 - -tls - -tls-server-name={{ template "renku.fullname" . }}-authz + timeoutSeconds: 3 + periodSeconds: 10 readinessProbe: exec: command: 
@@ -116,6 +118,8 @@ spec: - -addr=127.0.0.1:50051 - -tls - -tls-server-name={{ template "renku.fullname" . }}-authz + timeoutSeconds: 3 + periodSeconds: 10 resources: {{- toYaml .Values.authz.resources | nindent 12 }} {{- with .Values.nodeSelector }} diff --git a/helm-chart/renku/templates/gateway/_helpers.tpl b/helm-chart/renku/templates/gateway/_helpers.tpl index 9bc57ea9d2..fbe9d65ddb 100644 --- a/helm-chart/renku/templates/gateway/_helpers.tpl +++ b/helm-chart/renku/templates/gateway/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Template core service paths as a comma separated list */}} -{{- define "gateway.core.paths" -}} +{{- define "gateway.core.pathsYaml" -}} {{- $paths := list -}} {{- range $i, $k := (keys .Values.global.core.versions | sortAlpha) -}} {{- $paths = mustAppend $paths (printf "/api/renku/%s" (get $.Values.global.core.versions $k).prefix) -}} @@ -9,13 +9,13 @@ Template core service paths as a comma separated list {{- $paths = mustAppend $paths "/api/renku" -}} {{- end -}} {{- end -}} -{{- join "," $paths | quote -}} +{{- $paths | toYaml -}} {{- end -}} {{/* Template core service names as a comma separated list */}} -{{- define "gateway.core.serviceNames" -}} +{{- define "gateway.core.serviceNamesYaml" -}} {{- $serviceNames := list -}} {{- $coreBaseName := printf "%s-core" .Release.Name -}} {{- range $i, $k := (keys .Values.global.core.versions | sortAlpha) -}} @@ -25,7 +25,7 @@ Template core service names as a comma separated list {{- $serviceNames = mustAppend $serviceNames $serviceName -}} {{- end -}} {{- end -}} -{{- join "," $serviceNames | quote -}} +{{- $serviceNames | toYaml -}} {{- end -}} {{/* diff --git a/helm-chart/renku/templates/gateway/configmap.yaml b/helm-chart/renku/templates/gateway/configmap.yaml new file mode 100644 index 0000000000..c163177252 --- /dev/null +++ b/helm-chart/renku/templates/gateway/configmap.yaml 
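Review bot: The doc comments above `gateway.core.pathsYaml` and `gateway.core.serviceNamesYaml` in `_helpers.tpl` still read "as a comma separated list", but the `@@ -9,13 +9,13 @@` and `@@ -25,7 +25,7 @@` hunks switch both helpers from `join "," … | quote` to `toYaml`. They now emit a YAML sequence that callers must place with `nindent`. Update the comments to, for example, `Template core service paths as a YAML list (use with nindent)` and the equivalent for service names, so nobody uses the helper as an env-var string again.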
@@ -0,0 +1,89 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "renku.fullname" . }}-gateway + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + config.yaml: | + server: + port: 8080 + host: 0.0.0.0 + rateLimits: + enabled: {{ .Values.gateway.rateLimits.general.enabled }} + rate: {{ .Values.gateway.rateLimits.general.average }} + burst: {{ .Values.gateway.rateLimits.general.burst }} + {{- with .Values.gateway.allowOrigin }} + allowOrigin: + {{- toYaml . | nindent 8 }} + {{- end }} + sessions: + authorizationVerifiers: + - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + audience: renku + authorizedParty: renku + - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + audience: renku + authorizedParty: renku-cli + revproxy: + renkuBaseUrl: {{ include "renku.baseUrl" . | quote }} + {{- if .Values.gitlab.enabled }} + externalGitlabUrl: "" + {{- else }} + externalGitlabUrl: {{ .Values.global.gitlab.url | default "" | quote }} + {{- end }} + k8sNamespace: {{ .Release.Namespace }} + renkuServices: + notebooks: {{ printf "http://%s-notebooks" .Release.Name | quote }} + kg: {{ printf "http://%s-knowledge-graph" .Release.Name | quote }} + webhook: {{ printf "http://%s-webhook-service" .Release.Name | quote }} + core: + serviceNames: + {{- include "gateway.core.serviceNamesYaml" . | nindent 12 }} + servicePaths: + {{- include "gateway.core.pathsYaml" . | nindent 12 }} + sticky: true + dataService: {{ printf "http://%s-data-service" .Release.Name | quote }} + keycloak: {{ include "renku.keycloakUrl" . | quote }} + uiserver: {{ printf "http://%s" (include "ui-server.fullname" .) | quote }} + search: {{ printf "http://%s-search-api" .Release.Name | quote }} + login: + renkuBaseUrl: {{ include "renku.baseUrl" . 
| quote }} + loginRoutesBasePath: "/api/auth" + defaultAppRedirectURL: {{ include "renku.baseUrl" . | quote }} + tokenEncryption: + enabled: true + providers: + renku: + issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + clientID: renku + scopes: ["profile", "email", "openid", "microprofile-jwt"] + callbackURI: {{ printf "%s/api/auth/callback" (include "renku.baseUrl" .) }} + usePKCE: false + gitlab: + issuer: {{ .Values.global.gitlab.url | quote }} + clientID: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} + scopes: ["openid", "api", "read_user", "read_repository"] + callbackURI: {{ printf "%s/api/auth/callback" (include "renku.baseUrl" .) }} + usePKCE: false + oldGitLabLogout: {{ .Values.gateway.oldGitLabLogout | default false }} + logoutGitLabUponRenkuLogout: {{ .Values.gateway.logoutGitLabUponRenkuLogout | default true }} + redis: + type: redis + addresses: + - {{ printf "%s:%d" .Values.global.redis.host (.Values.global.redis.port | int) | quote }} + isSentinel: {{ .Values.global.redis.sentinel.enabled }} + masterName: {{ .Values.global.redis.sentinel.masterSet | quote }} + dbIndex: {{ .Values.global.redis.dbIndex.gateway }} + monitoring: + sentry: + enabled: {{ .Values.gateway.sentry.enabled }} + environment: {{ .Values.gateway.sentry.environment }} + sampleRate: {{ .Values.gateway.sentry.sampleRate }} + prometheus: + enabled: {{ .Values.gateway.metrics.enabled }} + port: {{ .Values.gateway.metrics.port }} +--- diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index 1cf3cc3419..3fc1b30214 100644 --- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml 
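Review bot: `logoutGitLabUponRenkuLogout: {{ .Values.gateway.logoutGitLabUponRenkuLogout | default true }}` can never render `false`, because `default` treats a boolean `false` as empty and substitutes `true`. An operator who sets the value to `false` therefore still gets GitLab logout on Renku logout. A form that respects an explicit `false` is `logoutGitLabUponRenkuLogout: {{ ne (toString .Values.gateway.logoutGitLabUponRenkuLogout) "false" }}`. Separately, both login providers are written with `usePKCE: false`. PKCE is inexpensive defence in depth for the authorization-code flow even for clients that hold a secret, so consider enabling it if the Keycloak and GitLab clients accept it.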
@@ -1,41 +1,49 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - {{- if not .Values.gateway.reverseProxy.autoscaling.enabled }} - replicas: {{ .Values.gateway.reverseProxy.replicaCount }} + {{- if not .Values.gateway.autoscaling.enabled }} + replicas: {{ .Values.gateway.replicaCount }} {{- end }} strategy: - {{- toYaml .Values.gateway.reverseProxy.updateStrategy | nindent 4 }} + {{- toYaml .Values.gateway.updateStrategy | nindent 4 }} selector: matchLabels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} template: metadata: labels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} - {{- with .Values.gateway.reverseProxy.podAnnotations }} + # The label below enables the gateway to connect to redis + {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} + {{- if .Values.gateway.podAnnotations }} + {{- with .Values.gateway.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") . | sha256sum }} {{- toYaml . | nindent 8 }} {{- end }} + {{- else }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") . | sha256sum }} + {{- end }} spec: - serviceAccountName: "{{ template "renku.fullname" . }}-gateway-revproxy" + serviceAccountName: "{{ template "renku.fullname" . }}-gateway" securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: {{- include "certificates.initContainer" . 
| nindent 8 }} containers: - - name: revproxy - image: "{{ .Values.gateway.reverseProxy.image.repository }}:{{ .Values.gateway.reverseProxy.image.tag }}" - imagePullPolicy: {{ .Values.gateway.reverseProxy.image.pullPolicy }} + - name: gateway + image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} ports: 
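Review bot: In the `with .Values.gateway.podAnnotations` branch the added `checksum/config` line passes `.` to `include`, but inside `with` the dot is the annotations map rather than the chart root. Whenever pod annotations are set, the ConfigMap template is therefore rendered without `.Values` or `.Release`. Pass the root context instead: `checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") $ | sha256sum }}`. The `else` branch is correct as written. Emitting `annotations:` and the checksum once, followed by an optional `with` for the extra annotations, would also remove the duplicated line. The pod spec continues past the end of this hunk.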
@@ -43,76 +51,68 @@ spec: containerPort: 8080 protocol: TCP env: - - name: REVPROXY_RENKU_BASE_URL - value: {{ include "renku.baseUrl" . | quote }} - - name: REVPROXY_EXTERNAL_GITLAB_URL - {{- if .Values.gitlab.enabled }} - value: "" - {{- else }} - value: {{ .Values.global.gitlab.url | default "" | quote }} - {{- end }} - - name: REVPROXY_ALLOW_ORIGIN - value: {{ join "," .Values.gateway.allowOrigin | quote }} - - name: REVPROXY_NAMESPACE - value: {{ .Release.Namespace }} - - name: REVPROXY_RENKU_SERVICES_WEBHOOK - value: {{ printf "http://%s-webhook-service" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_KG - value: {{ printf "http://%s-knowledge-graph" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_NOTEBOOKS - value: {{ printf "http://%s-notebooks" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_CORE_SERVICE_PATHS - value: {{ template "gateway.core.paths" . }} - - name: REVPROXY_RENKU_SERVICES_CORE_SERVICE_NAMES - value: {{ template "gateway.core.serviceNames" . }} - - name: REVPROXY_RENKU_SERVICES_AUTH - value: {{ printf "http://%s-gateway-auth" .Release.Name }} - - name: REVPROXY_RENKU_SERVICES_DATA_SERVICE - value: {{ printf "http://%s-data-service" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_SEARCH - value: {{ printf "http://%s-search-api" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_KEYCLOAK - value: {{ include "renku.keycloakUrl" . 
| quote }} - - name: REVPROXY_PORT - value: "8080" - - name: REVPROXY_METRICS_ENABLED - value: {{ .Values.gateway.reverseProxy.metrics.enabled | quote }} - - name: REVPROXY_METRICS_PORT - value: {{ .Values.gateway.reverseProxy.metrics.port | quote }} - - name: REVPROXY_RATE_LIMITS_ENABLED - value: {{ .Values.gateway.rateLimits.general.enabled | quote }} - - name: REVPROXY_RATE_LIMITS_AVERAGE - value: {{ .Values.gateway.rateLimits.general.average | quote }} - - name: REVPROXY_RATE_LIMITS_BURST - value: {{ .Values.gateway.rateLimits.general.burst | quote }} - - name: REVPROXY_SENTRY_ENABLED - value: {{ .Values.gateway.sentry.enabled | quote }} - - name: REVPROXY_SENTRY_DSN + - name: GATEWAY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.global.redis.existingSecret }} + key: {{ .Values.global.redis.existingSecretPasswordKey }} + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: oidcClientSecret + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_CLIENTSECRET + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: gitlabClientSecret + - name: GATEWAY_LOGIN_TOKENENCRYPTION_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: tokenEncryption + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) 
"-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey + - name: GATEWAY_MONITORING_SENTRY_DSN value: {{ .Values.gateway.sentry.dsn }} - - name: REVPROXY_SENTRY_ENVIRONMENT - value: {{ .Values.gateway.sentry.environment }} - - name: REVPROXY_SENTRY_SAMPLE_RATE - value: {{ .Values.gateway.sentry.sampleRate | quote }} - - name: REVPROXY_DEBUG - value: {{ .Values.gateway.debug | default "false" | quote }} volumeMounts: {{- include "certificates.volumeMounts.system" . | nindent 12 }} + - mountPath: "/etc/gateway" + name: public-config livenessProbe: httpGet: - path: /revproxy/health + path: /health port: http initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 6 readinessProbe: httpGet: - path: /revproxy/health + path: /health port: http initialDelaySeconds: 10 periodSeconds: 2 failureThreshold: 2 resources: - {{ toYaml .Values.gateway.reverseProxy.resources | nindent 12 }} + {{ toYaml .Values.gateway.resources | nindent 12 }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -127,3 +127,7 @@ spec: {{- end }} volumes: {{- include "certificates.volumes" . | nindent 8 }} + - name: public-config + configMap: + name: {{ template "renku.fullname" . }}-gateway + diff --git a/helm-chart/renku/templates/gateway/deployment.yaml b/helm-chart/renku/templates/gateway/deployment.yaml deleted file mode 100644 index 608f33326f..0000000000 --- a/helm-chart/renku/templates/gateway/deployment.yaml +++ /dev/null 
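Review bot: In the `@@ -43,76 +51,68 @@` hunk, the Renku and GitLab login providers read their cookie keys from the same Secret entries. `GATEWAY_LOGIN_PROVIDERS_RENKU_COOKIEENCODINGKEY` and `GATEWAY_LOGIN_PROVIDERS_GITLAB_COOKIEENCODINGKEY` both reference `cookieEncodingKey`, and the two `…COOKIEHASHKEY` variables both reference `cookieHashKey`. If the gateway relies on distinct keys to stop one provider's cookie from validating for the other, that separation is lost here; the gateway code is not visible, so this is a question rather than a finding. If sharing is intended, a comment such as `# both providers intentionally share the cookie encoding and hash keys` above the first of these entries would document it. Otherwise the Secret should carry separate entries per provider.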
@@ -1,149 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "renku.fullname" . }}-gateway-auth - labels: - app: {{ template "gateway.name" . }}-auth - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} - # The label below enables the gateway to connect to redis - {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} - spec: - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - automountServiceAccountToken: {{ .Values.global.debug }} - initContainers: - {{- include "certificates.initContainer" . | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.gateway.image.auth.repository }}:{{ .Values.gateway.image.auth.tag }}" - imagePullPolicy: {{ .Values.gateway.image.auth.pullPolicy }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - ports: - - name: http - containerPort: 5000 - protocol: TCP - env: - - name: HOST_NAME - value: {{ include "renku.baseUrl" . | quote }} - - name: CLI_CLIENT_ID - value: "renku-cli" - - name: CLI_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: cliClientSecret - - name: GITLAB_URL - value: {{ .Values.global.gitlab.url | quote }} - - name: GITLAB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: gitlabClientSecret - - name: GITLAB_CLIENT_ID - value: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} - - name: KEYCLOAK_URL - value: {{ include "renku.keycloakUrl" . | quote }} - - name: KEYCLOAK_REALM - value: {{ include "renku.keycloak.realm" . 
| quote }} - - name: GATEWAY_SERVICE_PREFIX - value: "/api/" - - name: REDIS_HOST - value: {{ .Values.global.redis.host | quote }} - - name: REDIS_IS_SENTINEL - value: {{ .Values.global.redis.sentinel.enabled | quote }} - - name: REDIS_MASTER_SET - value: {{ .Values.global.redis.sentinel.masterSet | quote }} - - name: REDIS_DB - value: {{ .Values.global.redis.dbIndex.gateway | quote }} - - name: REDIS_PORT - value: {{ .Values.global.redis.port | quote }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.global.redis.existingSecret }} - key: {{ .Values.global.redis.existingSecretPasswordKey }} - - name: GATEWAY_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: gatewaySecret - - name: GATEWAY_ALLOW_ORIGIN - value: {{ .Values.gateway.allowOrigin | quote }} - - name: OIDC_CLIENT_ID - value: {{ "renku" | quote }} - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: oidcClientSecret - - name: OLD_GITLAB_LOGOUT - value: {{ .Values.gateway.oldGitLabLogout | quote }} - - name: LOGOUT_GITLAB_UPON_RENKU_LOGOUT - value: {{ .Values.gateway.logoutGitLabUponRenkuLogout | quote }} - - name: WEBHOOK_SERVICE_HOSTNAME - value: {{ printf "http://%s-graph-webhook-service" .Release.Name | quote }} - {{ if .Values.global.anonymousSessions.enabled }} - - name: ANONYMOUS_SESSIONS_ENABLED - value: "true" - {{ end }} - # Note that this is ok because we're enforcing HTTPS - # further up the processing chain. 
- - name: OAUTHLIB_INSECURE_TRANSPORT - value: "1" - - name: SENTRY_ENABLED - value: {{ .Values.gateway.sentry.enabled | quote }} - - name: SENTRY_DSN - value: {{ .Values.gateway.sentry.dsn }} - - name: SENTRY_ENVIRONMENT - value: {{ .Values.gateway.sentry.environment }} - - name: SENTRY_SAMPLE_RATE - value: {{ .Values.gateway.sentry.sampleRate | quote }} - - name: DEBUG - value: {{ .Values.global.debug | quote }} - {{- include "certificates.env.python" . | nindent 12 }} - volumeMounts: - {{- include "certificates.volumeMounts.system" . | nindent 12 }} - livenessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - readinessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 10 - periodSeconds: 2 - failureThreshold: 2 - resources: - {{ toYaml .Values.gateway.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{ toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- include "certificates.volumes" . | nindent 8 }} diff --git a/helm-chart/renku/templates/gateway/hpa-revproxy.yaml b/helm-chart/renku/templates/gateway/hpa-revproxy.yaml index 6030b49b3a..e81938e101 100644 --- a/helm-chart/renku/templates/gateway/hpa-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/hpa-revproxy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.gateway.reverseProxy.autoscaling.enabled }} +{{- if .Values.gateway.autoscaling.enabled }} {{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: autoscaling/v2 {{- else -}} 
@@ -6,9 +6,9 @@ apiVersion: autoscaling/v2beta2 {{- end }} kind: HorizontalPodAutoscaler metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,24 +16,24 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ template "renku.fullname" . }}-gateway-revproxy - minReplicas: {{ .Values.gateway.reverseProxy.autoscaling.minReplicas }} - maxReplicas: {{ .Values.gateway.reverseProxy.autoscaling.maxReplicas }} + name: {{ template "renku.fullname" . }}-gateway + minReplicas: {{ .Values.gateway.autoscaling.minReplicas }} + maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }} metrics: - {{- if .Values.gateway.reverseProxy.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.gateway.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: name: cpu target: type: Utilization - averageUtilization: {{ .Values.gateway.reverseProxy.autoscaling.targetCPUUtilizationPercentage }} + averageUtilization: {{ .Values.gateway.autoscaling.targetCPUUtilizationPercentage }} {{- end }} - {{- if .Values.gateway.reverseProxy.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.gateway.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory target: type: Utilization - averageUtilization: {{ .Values.gateway.reverseProxy.autoscaling.targetMemoryUtilizationPercentage }} + averageUtilization: {{ .Values.gateway.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/helm-chart/renku/templates/gateway/pdb.yaml b/helm-chart/renku/templates/gateway/pdb.yaml index 5b69a5c7c2..9a8fa63f43 100644 --- a/helm-chart/renku/templates/gateway/pdb.yaml +++ b/helm-chart/renku/templates/gateway/pdb.yaml 
@@ -1,10 +1,10 @@ -{{- if or (gt (int .Values.gateway.reverseProxy.replicaCount) 1) (and .Values.gateway.reverseProxy.autoscaling.enabled (gt (int .Values.gateway.reverseProxy.autoscaling.minReplicas) 1)) }} +{{- if or (gt (int .Values.gateway.replicaCount) 1) (and .Values.gateway.autoscaling.enabled (gt (int .Values.gateway.autoscaling.minReplicas) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -12,6 +12,7 @@ spec: maxUnavailable: 50% selector: matchLabels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway release: {{ .Release.Name }} {{- end }} + diff --git a/helm-chart/renku/templates/gateway/role.yaml b/helm-chart/renku/templates/gateway/role.yaml index 518bedbae5..70e85938b8 100644 --- a/helm-chart/renku/templates/gateway/role.yaml +++ b/helm-chart/renku/templates/gateway/role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} diff --git a/helm-chart/renku/templates/gateway/rolebinding.yaml b/helm-chart/renku/templates/gateway/rolebinding.yaml index d1c63c2c7e..2a65474505 100644 --- a/helm-chart/renku/templates/gateway/rolebinding.yaml +++ b/helm-chart/renku/templates/gateway/rolebinding.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} 
@@ -10,8 +10,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway subjects: - kind: ServiceAccount - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway namespace: {{ .Release.Namespace }} diff --git a/helm-chart/renku/templates/gateway/secret.yaml b/helm-chart/renku/templates/gateway/secret.yaml index 677da8562e..02feb32174 100644 --- a/helm-chart/renku/templates/gateway/secret.yaml +++ b/helm-chart/renku/templates/gateway/secret.yaml @@ -14,7 +14,7 @@ {{- $gitlabClientInKeycloakSecret := .Values.global.gitlab.clientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $renkuFullname := include "renku.fullname" . -}} -{{- $secretName := cat $renkuFullname "-gateway-revproxy" | nospace }} +{{- $secretName := cat $renkuFullname "-gateway" | nospace }} {{- if not (or .Values.gateway.oidcClientSecret .Values.global.gateway.clientSecret) -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} @@ -67,6 +67,24 @@ {{- end -}} {{- end }} +{{- $tokenEncryptionSecretKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $tokenEncryptionSecretKey = index $secret.data "tokenEncryption" }} +{{- end -}} + +{{- $csrfCookieEncodingKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $csrfCookieEncodingKey = index $secret.data "cookieEncodingKey" }} +{{- end -}} + +{{- $csrfCookieHashKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $csrfCookieHashKey = index $secret.data "cookieHashKey" }} +{{- end -}} + apiVersion: v1 kind: Secret metadata: 
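Review bot: Renaming `$secretName` to the `-gateway` suffix (hunk `-14,7` of secret.yaml) means the `lookup "v1" "Secret" .Release.Namespace $secretName` calls will not find the Secret that earlier releases created as `-gateway-revproxy`. On the first upgrade, any value not pinned in the chart values is therefore presumably regenerated rather than carried over; the branches that consume `$secret` lie outside this hunk, so this is inferred. That would rotate `oidcClientSecret`, `gitlabClientSecret`, `cliClientSecret` and the other client secrets read by the setup jobs. If that rotation is not intended, fall back to the old name when the new Secret is absent, e.g. `{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) | default (lookup "v1" "Secret" .Release.Namespace (printf "%s-gateway-revproxy" $renkuFullname)) }}`. Otherwise state the rotation in the upgrade notes.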
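Review bot: The three new keys in hunk `-67,6` are copied from an existing Secret without checking that the key is present. `index $secret.data "tokenEncryption"` is empty when a Secret named `$secretName` exists but lacks that key (for example one created out of band), and the manifest would then render an empty `tokenEncryption`, `cookieEncodingKey` or `cookieHashKey`. Keep the freshly generated value in that case by replacing each assignment with `{{- with index $secret.data "tokenEncryption" }}{{- $tokenEncryptionSecretKey = . }}{{- end }}`, and likewise for the two cookie keys. `lookup` returns nothing under `helm template` or a dry run, so renderers that do not query the cluster will emit new random keys on every render. A comment above the block should say so, and should note that changing these keys presumably invalidates stored tokens and cookies. The same Secret is also looked up three times and could be fetched once into `$secret`.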
@@ -98,3 +116,7 @@ data: # A secret for the Gitlab client in Keycloak if an internal Gitlab is used gitlabClientInKeycloakSecret: {{ $gitlabClientInKeycloakSecret }} {{- end }} + cookieEncodingKey: {{ $csrfCookieEncodingKey }} + cookieHashKey: {{ $csrfCookieHashKey }} + tokenEncryption: {{ $tokenEncryptionSecretKey }} + diff --git a/helm-chart/renku/templates/gateway/service.yaml b/helm-chart/renku/templates/gateway/service.yaml index 52cd631cd6..af32be3368 100644 --- a/helm-chart/renku/templates/gateway/service.yaml +++ b/helm-chart/renku/templates/gateway/service.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "renku.fullname" . }}-gateway-auth + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-auth + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,25 +16,6 @@ spec: protocol: TCP name: http selector: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} ---- -apiVersion: v1 -kind: Service -metadata: - name: renku-traefik - labels: - app: {{ template "renku.name" . }}-gateway-revproxy - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.gateway.service.type }} - ports: - - port: {{ .Values.gateway.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} + diff --git a/helm-chart/renku/templates/gateway/serviceaccount.yaml b/helm-chart/renku/templates/gateway/serviceaccount.yaml index 620874ce7b..8530d52ed1 100644 --- a/helm-chart/renku/templates/gateway/serviceaccount.yaml +++ b/helm-chart/renku/templates/gateway/serviceaccount.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} diff --git a/helm-chart/renku/templates/ingress.yaml b/helm-chart/renku/templates/ingress.yaml index f19b563b91..17cd9794ff 100644 --- a/helm-chart/renku/templates/ingress.yaml +++ b/helm-chart/renku/templates/ingress.yaml @@ -72,7 +72,7 @@ spec: port: number: {{ $gitlabServicePort }} {{ else }} - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 {{- end }} @@ -80,21 +80,21 @@ spec: pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: /api pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: /entities pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: / @@ -108,7 +108,7 @@ spec: pathType: Prefix backend: service: - name: {{ $uiserverFullname }} + name: {{ template "renku.fullname" $ }}-gateway port: number: {{ $uiserverServicePort }} {{- if $graphEnabled }} @@ -123,7 +123,7 @@ spec: pathType: Prefix backend: service: - name: {{ $knowledgeGraphFullname }} + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 {{- end }} diff --git a/helm-chart/renku/templates/setup-job-gitlab.yaml b/helm-chart/renku/templates/setup-job-gitlab.yaml index 933a837099..9d8cb79b76 100644 --- a/helm-chart/renku/templates/setup-job-gitlab.yaml +++ b/helm-chart/renku/templates/setup-job-gitlab.yaml 
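Review bot: In the ingress.yaml hunk `-108,7` the backend that used to target `$uiserverFullname` now names the gateway Service but still takes its port from `number: {{ $uiserverServicePort }}`. The route therefore only resolves while the UI server's service port happens to equal the gateway's. The other gateway backends in this file hard-code `number: 80`, which has the same weakness if `gateway.service.port` is overridden. Reference the gateway's own port in all of them, e.g. `number: {{ $.Values.gateway.service.port }}`; this assumes the gateway Service still takes its port from that value, and its `ports` block is outside these hunks. With the UI and knowledge-graph paths now routed through the gateway, a wrong port here makes those paths unreachable, not just one API prefix.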
@@ -58,7 +58,7 @@ spec: - name: GITLAB_OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: gitlabClientSecret - name: GITLAB_OAUTH_CLIENT_ID value: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 92e3176965..8c91721c55 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -72,7 +72,7 @@ spec: - name: INTERNAL_GITLAB_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: gitlabClientInKeycloakSecret - name: INTERNAL_GITLAB_OIDC_CLIENT_ID value: "gitlab" @@ -82,7 +82,7 @@ spec: - name: RENKU_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: oidcClientSecret - name: RENKU_KC_CLIENT_PUBLIC value: "false" @@ -93,7 +93,7 @@ spec: - name: CLI_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: cliClientSecret - name: CLI_KC_CLIENT_PUBLIC value: "true" @@ -106,7 +106,7 @@ spec: - name: UI_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: uiserverClientSecret - name: UI_KC_CLIENT_PUBLIC value: "false" 
@@ -117,7 +117,7 @@ spec: - name: NOTEBOOKS_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: notebooksClientSecret - name: NOTEBOOKS_KC_CLIENT_PUBLIC value: "false" diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 1d7d682495..ad6acfe9c0 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -103,6 +103,7 @@ global: groupMemberAdded: "groupMember.added" groupMemberUpdated: "groupMember.updated" groupMemberRemoved: "groupMember.removed" + dataServiceAllEvents: "data_service.all_events" ## Note that the graph will not turned on by default until renku 0.4.0 graph: dbEventLog: @@ -677,7 +678,7 @@ ui: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.29.0" + tag: "3.35.1" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -866,7 +867,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.29.0" + tag: "3.35.1" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" @@ -1006,7 +1007,7 @@ notebooks: targetCPUUtilizationPercentage: 50 image: repository: renku/renku-notebooks - tag: "1.25.2" + tag: "1.26.1" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -1124,15 +1125,15 @@ notebooks: gitRpcServer: image: name: renku/git-rpc-server - tag: "1.25.2" + tag: "1.25.3" gitHttpsProxy: image: name: renku/git-https-proxy - tag: "1.25.2" + tag: "1.25.3" gitClone: image: name: renku/git-clone - tag: "1.25.2" + tag: "1.25.3" service: type: ClusterIP port: 80 
@@ -1185,12 +1186,12 @@ notebooks: sessionTypes: ["registered"] image: repository: renku/renku-notebooks-tests - tag: "1.25.2" + tag: "1.25.3" pullPolicy: IfNotPresent k8sWatcher: image: repository: renku/k8s-watcher - tag: "1.25.2" + tag: "1.25.3" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1202,12 +1203,12 @@ notebooks: secretsMount: image: repository: renku/secrets-mount - tag: "1.25.2" + tag: "1.25.3" ssh: enabled: false image: repository: renku/ssh-jump-host - tag: "1.25.2" + tag: "1.25.3" pullPolicy: IfNotPresent resources: {} replicaCount: 1 @@ -1275,7 +1276,6 @@ gateway: allowOrigin: # - http://example.com # - https://foo.example.com - replicaCount: 1 ## Set to true to enable the developement mode. This has negative security ## implications and should never be done in a production setting. development: false @@ -1294,11 +1294,9 @@ gateway: ## Use `openssl rand -hex 32`. secretKey: image: - ## Define the image for the auth middleware - auth: - repository: renku/renku-gateway - tag: "0.24.0" - pullPolicy: IfNotPresent + repository: renku/renku-gateway + tag: "1.0.4" + pullPolicy: IfNotPresent service: type: ClusterIP port: 80 @@ -1330,24 +1328,18 @@ gateway: dsn: environment: sampleRate: 0.1 - reverseProxy: - image: - repository: renku/renku-revproxy - tag: "0.24.0" - pullPolicy: IfNotPresent - metrics: - enabled: true - port: 8765 - replicaCount: 2 - podAnnotations: {} - resources: {} - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 5 - targetMemoryUtilizationPercentage: 75 - targetCPUUtilizationPercentage: 75 - updateStrategy: {} + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} jena: image: repository: renku/renku-jena 
@@ -1396,7 +1388,7 @@ search: replicas: 1 image: repository: renku/search-api - tag: "0.3.0" + tag: "0.5.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1409,7 +1401,7 @@ search: replicas: 1 image: repository: renku/search-provision - tag: "0.3.0" + tag: "0.5.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1608,14 +1600,14 @@ platformInit: dataService: image: repository: renku/renku-data-service - tag: "0.15.0" + tag: "0.20.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.15.0" + tag: "0.20.0" pullPolicy: IfNotPresent total: resources: {} @@ -1668,7 +1660,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.15.0" + tag: "0.20.0" pullPolicy: IfNotPresent service: type: ClusterIP diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index df3e0a8546..bb7064242f 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,55 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.57.0 + +* DELETE ``gateway.image.auth`` has been removed. +* EDIT ``gateway.reverseProxy`` settings have been moved to ``gateway``: + +Old + ``` + gateway: + reverseProxy: + image: + repository: renku/renku-revproxy + tag: "0.24.0" + pullPolicy: IfNotPresent + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + resources: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} + ``` +New + ``` + gateway: + image: + repository: renku/renku-gateway + tag: "1.0.0" + pullPolicy: IfNotPresent + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + resources: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} + ``` + ## Upgrading to Renku 0.54.0 * NEW ``global.platformConfig``: The YAML string can now contain a new key, `secretServicePreviousPrivateKey` which allows for rotating the secret-storage private key.