From 2929f533eb5ea0cb6dcfdfa409350a3aae44f2c4 Mon Sep 17 00:00:00 2001 
From: RenkuBot <53332360+RenkuBot@users.noreply.github.com> Date: Mon, 16 Sep 2024 14:48:50 +0200 Subject: [PATCH] release 0.57.0 (#3732) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * chore: create release 0.57.0 * feat!: gateway refactor (#3721) The previous gateway components are replaced with a single API Gateway responsible for login and reverse proxying requests. Details: * Remove the `gateway-auth` Python component * Update the `gateway-revproxy` Go component (now `gateway`) * Update the `ui-server` to remove login responsibilities --------- Co-authored-by: Tasko Olevski * feat: upgrade csi-rclone to 0.3.0 (#3753) Release notes from csi-rclone: - feat: get secret from pvc annotation by @olevski in #20 - feat: add support for decrypting storage credentials by @m-alisafaee in #17 - fix: don't error out if unmounting fails, as it might block dependent resources by @Panaetius in #16 * feat: Update search services to 0.5.0 (#3754) * feat: update notebooks to 1.26.0 (#3757) * fix: add environment variable for new redis stream to search (#3756) * (docs) redirect to Community portal for Renku 2.0 docs (#3758) * fix: bump csi rclone to 0.3.1 (#3759) This fixes an error where the new version of the csi rclone was failing when a secret annotation was not used to define the secret. This was supposed to work but the storage class that is marked to use the PVC annotation will fail if the annotation is not present. So we had to use 2 storage classes one that requires a PVC annotation for the secret and another that is the same as the current one - which expects that the PVC name and secret is the same. * chore(ci): Update renku actions to v1.12.3 (#3766) Co-authored-by: Rok Roškar * fix: implement browser logout from the gateway (#3764) Add browser-based logout for Keycloak and Gitlab. Previously, the logout flow would not end the Keycloak nor the GitLab browser session. 
This prevented users from switching accounts because their existing Keycloak and GitLab sessions would be re-used when logging in with the renku gateway. * feat: update renku-data-services to v0.20.0 and renku-ui to 3.35.0 (#3765) * data svc release v0.20.0 * bump UI -> 3.35.0 * update changelog * Update CHANGELOG.rst Co-authored-by: Laura * apply CHANGELOG suggestions --------- Co-authored-by: Flora Thiebaut Co-authored-by: Rok Roškar Co-authored-by: Laura Co-authored-by: Andrea Cordoba * fix: bump gateway to 1.0.2 (#3767) Fixes the `Authorization` header for the Renku 2.0 search service. * chore: add general release wording * chore: polish release 0.57.0 changelog --------- Co-authored-by: Flora Thiebaut Co-authored-by: Tasko Olevski Co-authored-by: eikek <701128+eikek@users.noreply.github.com> Co-authored-by: M. Alisafaee Co-authored-by: Laura Co-authored-by: Rok Roškar Co-authored-by: Ralf Grubenmann Co-authored-by: Andrea Cordoba Co-authored-by: Rok Roškar --- .github/workflows/cron-jobs.yaml | 2 +- .github/workflows/publish-helm-chart.yml | 2 +- .github/workflows/publish-master-merges.yaml | 2 +- .github/workflows/pull-request-test.yml | 10 +- .github/workflows/renku-dev-test.yaml | 2 +- CHANGELOG.rst | 82 +++++++++- cypress-tests/cypress/e2e/useSession.cy.ts | 2 + .../cypress/support/commands/login.ts | 2 + docs/index.rst | 7 + docs/spelling_wordlist.txt | 2 + docs/tutorials.rst | 9 ++ docs/tutorials/01_firststeps.rst | 9 ++ helm-chart/renku/requirements.yaml | 2 +- .../renku/templates/gateway/_helpers.tpl | 8 +- .../renku/templates/gateway/configmap.yaml | 89 +++++++++++ .../gateway/deployment-revproxy.yaml | 136 ++++++++-------- .../renku/templates/gateway/deployment.yaml | 149 ------------------ .../renku/templates/gateway/hpa-revproxy.yaml | 20 +-- helm-chart/renku/templates/gateway/pdb.yaml | 9 +- helm-chart/renku/templates/gateway/role.yaml | 2 +- .../renku/templates/gateway/rolebinding.yaml | 6 +- .../renku/templates/gateway/secret.yaml | 24 ++- 
.../renku/templates/gateway/service.yaml | 27 +--- .../templates/gateway/serviceaccount.yaml | 2 +- helm-chart/renku/templates/ingress.yaml | 12 +- .../renku/templates/setup-job-gitlab.yaml | 2 +- .../templates/setup-job-keycloak-realms.yaml | 10 +- helm-chart/renku/values.yaml | 56 +++---- helm-chart/values.yaml.changelog.md | 49 ++++++ 29 files changed, 417 insertions(+), 317 deletions(-) create mode 100644 helm-chart/renku/templates/gateway/configmap.yaml delete mode 100644 helm-chart/renku/templates/gateway/deployment.yaml diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml index b4194ec918..4dd61e44cc 100644 --- a/.github/workflows/cron-jobs.yaml +++ b/.github/workflows/cron-jobs.yaml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: renku teardown - uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.12.3 env: GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }} RENKUBOT_KUBECONFIG: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} diff --git a/.github/workflows/publish-helm-chart.yml b/.github/workflows/publish-helm-chart.yml index 30422141e1..fdeb0c5704 100644 --- a/.github/workflows/publish-helm-chart.yml +++ b/.github/workflows/publish-helm-chart.yml @@ -15,7 +15,7 @@ jobs: - name: Set version id: vars run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.12.3 env: CHART_DIR: helm-chart/ CHART_NAME: renku diff --git a/.github/workflows/publish-master-merges.yaml b/.github/workflows/publish-master-merges.yaml index df49c7c868..b0fe88420c 100644 --- a/.github/workflows/publish-master-merges.yaml +++ b/.github/workflows/publish-master-merges.yaml 
@@ -35,7 +35,7 @@ jobs: - id: set-version run: | echo "publish_version=${{ steps.bump-semver.outputs.new_version }}.$(echo ${{ github.sha }} | cut -c 1-7)" >> $GITHUB_ENV - - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.12.3 env: CHART_DIR: helm-chart/ CHART_TAG: "--tag ${{env.publish_version}}" diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml index f5fb0e8624..d626f5c72d 100644 --- a/.github/workflows/pull-request-test.yml +++ b/.github/workflows/pull-request-test.yml @@ -63,7 +63,7 @@ jobs: steps: - uses: actions/checkout@v4.1.7 - id: deploy-comment - uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.12.3 with: string: /deploy pr_ref: ${{ github.event.number }} @@ -79,7 +79,7 @@ jobs: - uses: actions/checkout@v4.1.7 - name: renku build and deploy if: needs.check-deploy.outputs.pr-contains-string == 'true' - uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.12.3 env: DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }} DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }} @@ -122,7 +122,7 @@ jobs: needs: [check-deploy, deploy-pr] runs-on: ubuntu-22.04 steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.12.3 with: kubeconfig: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} renku-release: ci-renku-${{ github.event.number }} @@ -150,7 +150,7 @@ jobs: ] steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.12.3 if: github.event.action != 'closed' && needs.check-deploy.outputs.pr-contains-string == 'true' && needs.check-deploy.outputs.test-enabled == 'true' with: e2e-target: ${{ matrix.tests }} 
@@ -183,7 +183,7 @@ jobs: runs-on: ubuntu-22.04 steps: - name: renku teardown - uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.11.3 + uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.12.3 env: HELM_RELEASE_REGEX: "^ci-renku-${{ github.event.number }}$" GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }} diff --git a/.github/workflows/renku-dev-test.yaml b/.github/workflows/renku-dev-test.yaml index 60074e2941..87dc26857a 100644 --- a/.github/workflows/renku-dev-test.yaml +++ b/.github/workflows/renku-dev-test.yaml @@ -8,7 +8,7 @@ jobs: github.event.client_payload.message == 'Helm test succeeded' }} runs-on: ubuntu-20.04 steps: - - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.11.3 + - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.12.3 with: kubeconfig: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }} renku-release: renku diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 76c0e527e5..a730d2ad3b 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst 
@@ -1,5 +1,85 @@ .. _changelog: +0.57.0 +------ + +Renku `0.57.0` brings a suite of new features and improvements to the Renku 2.0 beta. As a main +highlight, you can now save and reuse the credentials for data sources. No more copy/paste on every +session launch! We have also made small improvements to sharing, search, and sessions in Renku 2.0. +For a full list of changes, see the list below. + + +NOTE to administrators: Upgrading the `csi-rclone` component will unmount all cloud storage for all +active or hibernated sessions. Therefore, we recommend notifying your users ahead of time when you +deploy this version of Renku and also if possible deploying the upgrade when there are fewer +sessions that use cloud storage or just fewer sessions in general. Once the upgrade is complete +users will be able to mount cloud storage as usual. + +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🌟 New Features** + +- **UI**: Support saving and managing credentials for Renku 2.0 data sources (`#3266 `__). + +**✨ Improvements** + +- **Search Services**: Enable searching by prefix of indexed words +- **UI**: Add members to groups and projects in Renku 2.0 by username instead of email (`#3270 `__). +- **UI**: Enable sharing search URLs by reflecting the search query in the URL for Renku 2.0 (`#3245 `__). +- **UI**: Show the status of a session via a dynamic browser tab icon (`#3249 `__). +- **UI**: Display session details in session page in Renku 2.0 (`#3258 `__) +- **UI**: Set default namespace when creating a new Renku 2.0 project (`#3264 `__). + +**🐞 Bug Fixes** + +- **UI**: Fix issue in Renku 2.0 where launched sessions did not use the default storage size of the selected resource class (`#3295 `__). +- **UI**: Fix misnomers on the group creation page (`#3276 `__). 
+- **Data Services**: Fix connected services showing errors for anonymous users +- **Data Services**: Fix 500 error being raised when modifying a session launcher + +Internal Changes +~~~~~~~~~~~~~~~~ + +**New Features** + +- **csi-rclone**: Read credential secrets from PVC annotations +- **csi-rclone**: Update the CSI sidecar container versions +- **csi-rclone**: Add support for decrypting data storage secrets. +- **Gateway**: The API Gateway components have been refactored and simplified (`#709 `__). +- **Notebooks**: Add a component for liveness detection +- **Notebooks**: Support for saving cloud storage secrets + +**Improvements** + +- **Search Services**: Reading all data service events from a single Redis stream. Processing from individual streams is kept. +- **Data Services**: Do not show user emails and use usernames instead for all interactions +- **UI**: The UI server has been refactored following the changes in the gateway (`#3271 `__). + +**Bug Fixes** + +- **csi-rclone**: Do not crash on unmounting as it might block dependent resources +- **csi-rclone**: Use extra storage class when reading secrets from a PVC annotation +- **Data Services**: Fix group member changes not being sent to search +- **Data Services**: Fix Redis not being able to connect to the master node + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `csi-rclone 0.1.8 `__ +- `csi-rclone 0.2.0 `__ +- `csi-rclone 0.3.0 `__ +- `csi-rclone 0.3.1 `__ +- `renku-gateway 1.0.0 `_ +- `renku-gateway 1.0.1 `_ +- `renku-gateway 1.0.2 `_ +- `renku-ui 3.34.0 `_ +- `renku-ui 3.35.0 `_ +- `renku-search 0.5.0 `_ +- `renku-notebooks 1.26.0 `__ +- `renku-data-services 0.20.0 `__ + + 0.56.3 ------ @@ -48,7 +128,7 @@ Individual Components 0.56.1 ------ -Renku ``0.56.1`` fixes a bug where Amalthea would not start when the prometheus metrics or the +Renku ``0.56.1`` fixes a bug where Amalthea would not start when the prometheus metrics or the audit log export functionality is enabled. Internal Changes 
diff --git a/cypress-tests/cypress/e2e/useSession.cy.ts b/cypress-tests/cypress/e2e/useSession.cy.ts index 79b989c6e5..11119f6529 100644 --- a/cypress-tests/cypress/e2e/useSession.cy.ts +++ b/cypress-tests/cypress/e2e/useSession.cy.ts @@ -187,6 +187,8 @@ describe("Basic public project functionality", () => { // Stop the session -- mind that anonymous users cannot pause sessions cy.deleteSession({ fromSessionPage: true }); + + cy.robustLogin(); }); it("Start a new session on a project without permissions.", () => { diff --git a/cypress-tests/cypress/support/commands/login.ts b/cypress-tests/cypress/support/commands/login.ts index 0f7514ff66..6623084aad 100644 --- a/cypress-tests/cypress/support/commands/login.ts +++ b/cypress-tests/cypress/support/commands/login.ts @@ -140,6 +140,8 @@ function robustLogin(props?: RobustLoginProps) { function logout() { cy.get("#profile-dropdown").should("be.visible").click(); cy.get("#logout-link").should("be.visible").click(); + // Make sure we fully log out + cy.wait(1_000); } export default function registerLoginCommands() { diff --git a/docs/index.rst b/docs/index.rst index f16e6824a6..d61c926703 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -31,6 +31,13 @@ Renku Documentation -- Wikipedia +.. note:: + + **We're building the next version of Renku!** For documentation related to Renku 2.0, please see + our `Community Portal + `_. To learn + more about the big changes coming in Renku, check out our `blog post `_. + .. include:: ../README.rst :start-after: renku: :end-before: documentation: diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt index 35101ec4d3..3c962635ef 100644 --- a/docs/spelling_wordlist.txt +++ b/docs/spelling_wordlist.txt @@ -152,6 +152,7 @@ kwargs ld lefthand lfs +liveness LocalClient localhost Lucene @@ -308,6 +309,7 @@ unmapped unmerged Unmount unmount +unmounting unpause unpushed unschedulable diff --git a/docs/tutorials.rst b/docs/tutorials.rst index 13fad6a4a0..bafa5da4fd 100644 
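Review bot: The fixed `cy.wait(1_000);` added to `logout()` in cypress/support/commands/login.ts does not check that the session actually ended, so the helper returns after one second whether logout completed, is still in flight on a slow deployment, or failed silently. Since this release moves browser logout for Keycloak and GitLab into the gateway, the helper should wait on an observable logged-out condition rather than a timer, for example `cy.get("#profile-dropdown").should("not.exist");` if that element is absent for logged-out users (not confirmable from this hunk), or an assertion on the post-logout URL. The `cy.robustLogin();` appended after `cy.deleteSession(...)` in useSession.cy.ts has no comment explaining why an anonymous-session test ends by logging in; a line such as `// Log back in so the following tests run as an authenticated user` would record the intent, if that is the intent.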
--- a/docs/tutorials.rst +++ b/docs/tutorials.rst @@ -3,6 +3,15 @@ Tutorials --------- +.. note:: + + **We're building the next version of Renku!** If you're looking for a tutorial for Renku 2.0, + please see the Renku 2.0 documentation on our `Community Portal + `_ instead. + The tutorial linked below is outdated and refers to the legacy version of Renku that is no + longer under active development. To learn more about the big changes coming in Renku, check out + our `blog post `_. + The following tutorials are available for getting acquainted with Renku. We recommend you start with :ref:`first_steps`! diff --git a/docs/tutorials/01_firststeps.rst b/docs/tutorials/01_firststeps.rst index cf47e216ea..7c8a553d28 100644 --- a/docs/tutorials/01_firststeps.rst +++ b/docs/tutorials/01_firststeps.rst @@ -3,6 +3,15 @@ Get Started on RenkuLab ======================= +.. note:: + + **We're building the next version of Renku!** If you're looking for a tutorial for Renku 2.0, + please see the Renku 2.0 documentation on our `Community Portal + `_ instead. + This tutorial is outdated and refers to the legacy version of Renku that is no longer under + active development. To learn more about the big changes coming in Renku, check out our `blog + post `_. + This tutorial will help you get started working on the Renkulab platform. We will use Renku to realize a very small data science project: counting the number of flights to Austin-Bergstrom International Airport in January, 2019. In this tutorial we will provide instructions for Python, Julia (in JupyterLab) and R (in RStudio). diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index df8744a33c..d120749bf9 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml 
@@ -30,7 +30,7 @@ dependencies: condition: notebooks.cloudstorage.s3.installDatashim - name: csi-rclone repository: "https://swissdatasciencecenter.github.io/helm-charts/" - version: "0.1.7" + version: "0.3.1" condition: global.csi-rclone.install - name: solr repository: "oci://registry-1.docker.io/bitnamicharts" diff --git a/helm-chart/renku/templates/gateway/_helpers.tpl b/helm-chart/renku/templates/gateway/_helpers.tpl index 9bc57ea9d2..fbe9d65ddb 100644 --- a/helm-chart/renku/templates/gateway/_helpers.tpl +++ b/helm-chart/renku/templates/gateway/_helpers.tpl @@ -1,7 +1,7 @@ {{/* Template core service paths as a comma separated list */}} -{{- define "gateway.core.paths" -}} +{{- define "gateway.core.pathsYaml" -}} {{- $paths := list -}} {{- range $i, $k := (keys .Values.global.core.versions | sortAlpha) -}} {{- $paths = mustAppend $paths (printf "/api/renku/%s" (get $.Values.global.core.versions $k).prefix) -}} @@ -9,13 +9,13 @@ Template core service paths as a comma separated list {{- $paths = mustAppend $paths "/api/renku" -}} {{- end -}} {{- end -}} -{{- join "," $paths | quote -}} +{{- $paths | toYaml -}} {{- end -}} {{/* Template core service names as a comma separated list */}} -{{- define "gateway.core.serviceNames" -}} +{{- define "gateway.core.serviceNamesYaml" -}} {{- $serviceNames := list -}} {{- $coreBaseName := printf "%s-core" .Release.Name -}} {{- range $i, $k := (keys .Values.global.core.versions | sortAlpha) -}} @@ -25,7 +25,7 @@ Template core service names as a comma separated list {{- $serviceNames = mustAppend $serviceNames $serviceName -}} {{- end -}} {{- end -}} -{{- join "," $serviceNames | quote -}} +{{- $serviceNames | toYaml -}} {{- end -}} {{/* diff --git a/helm-chart/renku/templates/gateway/configmap.yaml b/helm-chart/renku/templates/gateway/configmap.yaml new file mode 100644 index 0000000000..c163177252 --- /dev/null +++ b/helm-chart/renku/templates/gateway/configmap.yaml 
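Review bot: The doc comments above the two renamed helpers in gateway/_helpers.tpl still read "Template core service paths as a comma separated list" and "Template core service names as a comma separated list", but `gateway.core.pathsYaml` and `gateway.core.serviceNamesYaml` now end in `$paths | toYaml` and `$serviceNames | toYaml` instead of `join "," … | quote`. Update both comments to describe the new output, e.g. `Template core service paths as a YAML list (the caller indents it with nindent)` and the same wording for service names, so nobody reuses them in an env `value:` expecting a single quoted string. Parts of both defines lie between the hunks and are not visible here.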
@@ -0,0 +1,89 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "renku.fullname" . }}-gateway + labels: + app: {{ template "gateway.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + config.yaml: | + server: + port: 8080 + host: 0.0.0.0 + rateLimits: + enabled: {{ .Values.gateway.rateLimits.general.enabled }} + rate: {{ .Values.gateway.rateLimits.general.average }} + burst: {{ .Values.gateway.rateLimits.general.burst }} + {{- with .Values.gateway.allowOrigin }} + allowOrigin: + {{- toYaml . | nindent 8 }} + {{- end }} + sessions: + authorizationVerifiers: + - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + audience: renku + authorizedParty: renku + - issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + audience: renku + authorizedParty: renku-cli + revproxy: + renkuBaseUrl: {{ include "renku.baseUrl" . | quote }} + {{- if .Values.gitlab.enabled }} + externalGitlabUrl: "" + {{- else }} + externalGitlabUrl: {{ .Values.global.gitlab.url | default "" | quote }} + {{- end }} + k8sNamespace: {{ .Release.Namespace }} + renkuServices: + notebooks: {{ printf "http://%s-notebooks" .Release.Name | quote }} + kg: {{ printf "http://%s-knowledge-graph" .Release.Name | quote }} + webhook: {{ printf "http://%s-webhook-service" .Release.Name | quote }} + core: + serviceNames: + {{- include "gateway.core.serviceNamesYaml" . | nindent 12 }} + servicePaths: + {{- include "gateway.core.pathsYaml" . | nindent 12 }} + sticky: true + dataService: {{ printf "http://%s-data-service" .Release.Name | quote }} + keycloak: {{ include "renku.keycloakUrl" . | quote }} + uiserver: {{ printf "http://%s" (include "ui-server.fullname" .) | quote }} + search: {{ printf "http://%s-search-api" .Release.Name | quote }} + login: + renkuBaseUrl: {{ include "renku.baseUrl" . 
| quote }} + loginRoutesBasePath: "/api/auth" + defaultAppRedirectURL: {{ include "renku.baseUrl" . | quote }} + tokenEncryption: + enabled: true + providers: + renku: + issuer: {{ printf "%s/realms/%s" (include "renku.keycloakUrl" . | trimSuffix "/") (include "renku.keycloak.realm" .) }} + clientID: renku + scopes: ["profile", "email", "openid", "microprofile-jwt"] + callbackURI: {{ printf "%s/api/auth/callback" (include "renku.baseUrl" .) }} + usePKCE: false + gitlab: + issuer: {{ .Values.global.gitlab.url | quote }} + clientID: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} + scopes: ["openid", "api", "read_user", "read_repository"] + callbackURI: {{ printf "%s/api/auth/callback" (include "renku.baseUrl" .) }} + usePKCE: false + oldGitLabLogout: {{ .Values.gateway.oldGitLabLogout | default false }} + logoutGitLabUponRenkuLogout: {{ .Values.gateway.logoutGitLabUponRenkuLogout | default true }} + redis: + type: redis + addresses: + - {{ printf "%s:%d" .Values.global.redis.host (.Values.global.redis.port | int) | quote }} + isSentinel: {{ .Values.global.redis.sentinel.enabled }} + masterName: {{ .Values.global.redis.sentinel.masterSet | quote }} + dbIndex: {{ .Values.global.redis.dbIndex.gateway }} + monitoring: + sentry: + enabled: {{ .Values.gateway.sentry.enabled }} + environment: {{ .Values.gateway.sentry.environment }} + sampleRate: {{ .Values.gateway.sentry.sampleRate }} + prometheus: + enabled: {{ .Values.gateway.metrics.enabled }} + port: {{ .Values.gateway.metrics.port }} +--- diff --git a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml index 1cf3cc3419..3fc1b30214 100644 --- a/helm-chart/renku/templates/gateway/deployment-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/deployment-revproxy.yaml 
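Review bot: `logoutGitLabUponRenkuLogout: {{ .Values.gateway.logoutGitLabUponRenkuLogout | default true }}` can never render `false`, because Sprig's `default` treats a boolean `false` as empty, so an operator who sets the value to `false` still gets `true` in config.yaml. The removed gateway-auth deployment passed the value through unchanged, so this is a behaviour change for anyone who had disabled it; render it directly as `{{ .Values.gateway.logoutGitLabUponRenkuLogout }}` with the default kept in values.yaml, or branch on `hasKey .Values.gateway "logoutGitLabUponRenkuLogout"`. Separately, both login providers are configured with `usePKCE: false`; a one-line comment stating why PKCE is off for the authorization-code flow, or enabling it if the Keycloak and GitLab clients allow it (not visible here), would help the next reviewer. The unquoted templated scalars such as `environment: {{ .Values.gateway.sentry.environment }}` and the `issuer:` and `callbackURI:` lines render as null or mis-typed values on empty or boolean-looking input, and `| quote`, as already used on the neighbouring keys, would avoid that.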
@@ -1,41 +1,49 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} spec: - {{- if not .Values.gateway.reverseProxy.autoscaling.enabled }} - replicas: {{ .Values.gateway.reverseProxy.replicaCount }} + {{- if not .Values.gateway.autoscaling.enabled }} + replicas: {{ .Values.gateway.replicaCount }} {{- end }} strategy: - {{- toYaml .Values.gateway.reverseProxy.updateStrategy | nindent 4 }} + {{- toYaml .Values.gateway.updateStrategy | nindent 4 }} selector: matchLabels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} template: metadata: labels: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} - {{- with .Values.gateway.reverseProxy.podAnnotations }} + # The label below enables the gateway to connect to redis + {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} + {{- if .Values.gateway.podAnnotations }} + {{- with .Values.gateway.podAnnotations }} annotations: + checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") . | sha256sum }} {{- toYaml . | nindent 8 }} {{- end }} + {{- else }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") . | sha256sum }} + {{- end }} spec: - serviceAccountName: "{{ template "renku.fullname" . }}-gateway-revproxy" + serviceAccountName: "{{ template "renku.fullname" . }}-gateway" securityContext: {{- toYaml .Values.podSecurityContext | nindent 8 }} initContainers: {{- include "certificates.initContainer" . 
| nindent 8 }} containers: - - name: revproxy - image: "{{ .Values.gateway.reverseProxy.image.repository }}:{{ .Values.gateway.reverseProxy.image.tag }}" - imagePullPolicy: {{ .Values.gateway.reverseProxy.image.pullPolicy }} + - name: gateway + image: "{{ .Values.gateway.image.repository }}:{{ .Values.gateway.image.tag }}" + imagePullPolicy: {{ .Values.gateway.image.pullPolicy }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} ports: 
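Review bot: Inside `{{- with .Values.gateway.podAnnotations }}` the dot is rebound to the annotations map, so `include (print $.Template.BasePath "/gateway/configmap.yaml") .` hands the ConfigMap template a context without `.Values` or `.Release`; setting `gateway.podAnnotations` should then either fail the render or hash the wrong output. Pass the root context in that branch, `checksum/config: {{ include (print $.Template.BasePath "/gateway/configmap.yaml") $ | sha256sum }}`, or emit `annotations:` and the checksum once, unconditionally, and keep only `toYaml . | nindent 8` inside the `with`, which also removes the duplicated `else` branch. The checksum covers only the ConfigMap, so a change to the `-gateway` Secret that the container reads through `secretKeyRef` later in this file does not roll the pods; a matching `checksum/secret` annotation would, provided gateway/secret.yaml renders deterministically (its content is not visible here). The Deployment spec continues past this hunk.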
@@ -43,76 +51,68 @@ spec: containerPort: 8080 protocol: TCP env: - - name: REVPROXY_RENKU_BASE_URL - value: {{ include "renku.baseUrl" . | quote }} - - name: REVPROXY_EXTERNAL_GITLAB_URL - {{- if .Values.gitlab.enabled }} - value: "" - {{- else }} - value: {{ .Values.global.gitlab.url | default "" | quote }} - {{- end }} - - name: REVPROXY_ALLOW_ORIGIN - value: {{ join "," .Values.gateway.allowOrigin | quote }} - - name: REVPROXY_NAMESPACE - value: {{ .Release.Namespace }} - - name: REVPROXY_RENKU_SERVICES_WEBHOOK - value: {{ printf "http://%s-webhook-service" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_KG - value: {{ printf "http://%s-knowledge-graph" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_NOTEBOOKS - value: {{ printf "http://%s-notebooks" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_CORE_SERVICE_PATHS - value: {{ template "gateway.core.paths" . }} - - name: REVPROXY_RENKU_SERVICES_CORE_SERVICE_NAMES - value: {{ template "gateway.core.serviceNames" . }} - - name: REVPROXY_RENKU_SERVICES_AUTH - value: {{ printf "http://%s-gateway-auth" .Release.Name }} - - name: REVPROXY_RENKU_SERVICES_DATA_SERVICE - value: {{ printf "http://%s-data-service" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_SEARCH - value: {{ printf "http://%s-search-api" .Release.Name | quote }} - - name: REVPROXY_RENKU_SERVICES_KEYCLOAK - value: {{ include "renku.keycloakUrl" . 
| quote }} - - name: REVPROXY_PORT - value: "8080" - - name: REVPROXY_METRICS_ENABLED - value: {{ .Values.gateway.reverseProxy.metrics.enabled | quote }} - - name: REVPROXY_METRICS_PORT - value: {{ .Values.gateway.reverseProxy.metrics.port | quote }} - - name: REVPROXY_RATE_LIMITS_ENABLED - value: {{ .Values.gateway.rateLimits.general.enabled | quote }} - - name: REVPROXY_RATE_LIMITS_AVERAGE - value: {{ .Values.gateway.rateLimits.general.average | quote }} - - name: REVPROXY_RATE_LIMITS_BURST - value: {{ .Values.gateway.rateLimits.general.burst | quote }} - - name: REVPROXY_SENTRY_ENABLED - value: {{ .Values.gateway.sentry.enabled | quote }} - - name: REVPROXY_SENTRY_DSN + - name: GATEWAY_REDIS_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.global.redis.existingSecret }} + key: {{ .Values.global.redis.existingSecretPasswordKey }} + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_CLIENTSECRET + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: oidcClientSecret + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_CLIENTSECRET + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: gitlabClientSecret + - name: GATEWAY_LOGIN_TOKENENCRYPTION_SECRETKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: tokenEncryption + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_LOGIN_PROVIDERS_RENKU_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_COOKIEENCODINGKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) 
"-gateway" | nospace }} + key: cookieEncodingKey + - name: GATEWAY_LOGIN_PROVIDERS_GITLAB_COOKIEHASHKEY + valueFrom: + secretKeyRef: + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} + key: cookieHashKey + - name: GATEWAY_MONITORING_SENTRY_DSN value: {{ .Values.gateway.sentry.dsn }} - - name: REVPROXY_SENTRY_ENVIRONMENT - value: {{ .Values.gateway.sentry.environment }} - - name: REVPROXY_SENTRY_SAMPLE_RATE - value: {{ .Values.gateway.sentry.sampleRate | quote }} - - name: REVPROXY_DEBUG - value: {{ .Values.gateway.debug | default "false" | quote }} volumeMounts: {{- include "certificates.volumeMounts.system" . | nindent 12 }} + - mountPath: "/etc/gateway" + name: public-config livenessProbe: httpGet: - path: /revproxy/health + path: /health port: http initialDelaySeconds: 10 periodSeconds: 10 failureThreshold: 6 readinessProbe: httpGet: - path: /revproxy/health + path: /health port: http initialDelaySeconds: 10 periodSeconds: 2 failureThreshold: 2 resources: - {{ toYaml .Values.gateway.reverseProxy.resources | nindent 12 }} + {{ toYaml .Values.gateway.resources | nindent 12 }} {{- with .Values.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -127,3 +127,7 @@ spec: {{- end }} volumes: {{- include "certificates.volumes" . | nindent 8 }} + - name: public-config + configMap: + name: {{ template "renku.fullname" . }}-gateway + diff --git a/helm-chart/renku/templates/gateway/deployment.yaml b/helm-chart/renku/templates/gateway/deployment.yaml deleted file mode 100644 index 608f33326f..0000000000 --- a/helm-chart/renku/templates/gateway/deployment.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ template "renku.fullname" . }}-gateway-auth - labels: - app: {{ template "gateway.name" . }}-auth - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - replicas: {{ .Values.replicaCount }} - selector: - matchLabels: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} - template: - metadata: - labels: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} - # The label below enables the gateway to connect to redis - {{ .Values.global.redis.clientLabel | toYaml | nindent 8 }} - spec: - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} - automountServiceAccountToken: {{ .Values.global.debug }} - initContainers: - {{- include "certificates.initContainer" . | nindent 8 }} - containers: - - name: {{ .Chart.Name }} - image: "{{ .Values.gateway.image.auth.repository }}:{{ .Values.gateway.image.auth.tag }}" - imagePullPolicy: {{ .Values.gateway.image.auth.pullPolicy }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} - ports: - - name: http - containerPort: 5000 - protocol: TCP - env: - - name: HOST_NAME - value: {{ include "renku.baseUrl" . | quote }} - - name: CLI_CLIENT_ID - value: "renku-cli" - - name: CLI_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: cliClientSecret - - name: GITLAB_URL - value: {{ .Values.global.gitlab.url | quote }} - - name: GITLAB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: gitlabClientSecret - - name: GITLAB_CLIENT_ID - value: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} - - name: KEYCLOAK_URL - value: {{ include "renku.keycloakUrl" . | quote }} - - name: KEYCLOAK_REALM - value: {{ include "renku.keycloak.realm" . 
| quote }} - - name: GATEWAY_SERVICE_PREFIX - value: "/api/" - - name: REDIS_HOST - value: {{ .Values.global.redis.host | quote }} - - name: REDIS_IS_SENTINEL - value: {{ .Values.global.redis.sentinel.enabled | quote }} - - name: REDIS_MASTER_SET - value: {{ .Values.global.redis.sentinel.masterSet | quote }} - - name: REDIS_DB - value: {{ .Values.global.redis.dbIndex.gateway | quote }} - - name: REDIS_PORT - value: {{ .Values.global.redis.port | quote }} - - name: REDIS_PASSWORD - valueFrom: - secretKeyRef: - name: {{ .Values.global.redis.existingSecret }} - key: {{ .Values.global.redis.existingSecretPasswordKey }} - - name: GATEWAY_SECRET_KEY - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: gatewaySecret - - name: GATEWAY_ALLOW_ORIGIN - value: {{ .Values.gateway.allowOrigin | quote }} - - name: OIDC_CLIENT_ID - value: {{ "renku" | quote }} - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} - key: oidcClientSecret - - name: OLD_GITLAB_LOGOUT - value: {{ .Values.gateway.oldGitLabLogout | quote }} - - name: LOGOUT_GITLAB_UPON_RENKU_LOGOUT - value: {{ .Values.gateway.logoutGitLabUponRenkuLogout | quote }} - - name: WEBHOOK_SERVICE_HOSTNAME - value: {{ printf "http://%s-graph-webhook-service" .Release.Name | quote }} - {{ if .Values.global.anonymousSessions.enabled }} - - name: ANONYMOUS_SESSIONS_ENABLED - value: "true" - {{ end }} - # Note that this is ok because we're enforcing HTTPS - # further up the processing chain. 
- - name: OAUTHLIB_INSECURE_TRANSPORT - value: "1" - - name: SENTRY_ENABLED - value: {{ .Values.gateway.sentry.enabled | quote }} - - name: SENTRY_DSN - value: {{ .Values.gateway.sentry.dsn }} - - name: SENTRY_ENVIRONMENT - value: {{ .Values.gateway.sentry.environment }} - - name: SENTRY_SAMPLE_RATE - value: {{ .Values.gateway.sentry.sampleRate | quote }} - - name: DEBUG - value: {{ .Values.global.debug | quote }} - {{- include "certificates.env.python" . | nindent 12 }} - volumeMounts: - {{- include "certificates.volumeMounts.system" . | nindent 12 }} - livenessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - failureThreshold: 6 - readinessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 10 - periodSeconds: 2 - failureThreshold: 2 - resources: - {{ toYaml .Values.gateway.resources | nindent 12 }} - {{- with .Values.nodeSelector }} - nodeSelector: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{ toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{ toYaml . | nindent 8 }} - {{- end }} - volumes: - {{- include "certificates.volumes" . | nindent 8 }} diff --git a/helm-chart/renku/templates/gateway/hpa-revproxy.yaml b/helm-chart/renku/templates/gateway/hpa-revproxy.yaml index 6030b49b3a..e81938e101 100644 --- a/helm-chart/renku/templates/gateway/hpa-revproxy.yaml +++ b/helm-chart/renku/templates/gateway/hpa-revproxy.yaml @@ -1,4 +1,4 @@ -{{- if .Values.gateway.reverseProxy.autoscaling.enabled }} +{{- if .Values.gateway.autoscaling.enabled }} {{- if semverCompare ">=1.23.0-0" .Capabilities.KubeVersion.GitVersion -}} apiVersion: autoscaling/v2 {{- else -}} 
@@ -6,9 +6,9 @@ apiVersion: autoscaling/v2beta2 {{- end }} kind: HorizontalPodAutoscaler metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,24 +16,24 @@ spec: scaleTargetRef: apiVersion: apps/v1 kind: Deployment - name: {{ template "renku.fullname" . }}-gateway-revproxy - minReplicas: {{ .Values.gateway.reverseProxy.autoscaling.minReplicas }} - maxReplicas: {{ .Values.gateway.reverseProxy.autoscaling.maxReplicas }} + name: {{ template "renku.fullname" . }}-gateway + minReplicas: {{ .Values.gateway.autoscaling.minReplicas }} + maxReplicas: {{ .Values.gateway.autoscaling.maxReplicas }} metrics: - {{- if .Values.gateway.reverseProxy.autoscaling.targetCPUUtilizationPercentage }} + {{- if .Values.gateway.autoscaling.targetCPUUtilizationPercentage }} - type: Resource resource: name: cpu target: type: Utilization - averageUtilization: {{ .Values.gateway.reverseProxy.autoscaling.targetCPUUtilizationPercentage }} + averageUtilization: {{ .Values.gateway.autoscaling.targetCPUUtilizationPercentage }} {{- end }} - {{- if .Values.gateway.reverseProxy.autoscaling.targetMemoryUtilizationPercentage }} + {{- if .Values.gateway.autoscaling.targetMemoryUtilizationPercentage }} - type: Resource resource: name: memory target: type: Utilization - averageUtilization: {{ .Values.gateway.reverseProxy.autoscaling.targetMemoryUtilizationPercentage }} + averageUtilization: {{ .Values.gateway.autoscaling.targetMemoryUtilizationPercentage }} {{- end }} {{- end }} diff --git a/helm-chart/renku/templates/gateway/pdb.yaml b/helm-chart/renku/templates/gateway/pdb.yaml index 5b69a5c7c2..9a8fa63f43 100644 --- a/helm-chart/renku/templates/gateway/pdb.yaml +++ b/helm-chart/renku/templates/gateway/pdb.yaml 
@@ -1,10 +1,10 @@ -{{- if or (gt (int .Values.gateway.reverseProxy.replicaCount) 1) (and .Values.gateway.reverseProxy.autoscaling.enabled (gt (int .Values.gateway.reverseProxy.autoscaling.minReplicas) 1)) }} +{{- if or (gt (int .Values.gateway.replicaCount) 1) (and .Values.gateway.autoscaling.enabled (gt (int .Values.gateway.autoscaling.minReplicas) 1)) }} apiVersion: policy/v1 kind: PodDisruptionBudget metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -12,6 +12,7 @@ spec: maxUnavailable: 50% selector: matchLabels: - app: {{ template "renku.name" . }}-gateway-revproxy + app: {{ template "renku.name" . }}-gateway release: {{ .Release.Name }} {{- end }} + diff --git a/helm-chart/renku/templates/gateway/role.yaml b/helm-chart/renku/templates/gateway/role.yaml index 518bedbae5..70e85938b8 100644 --- a/helm-chart/renku/templates/gateway/role.yaml +++ b/helm-chart/renku/templates/gateway/role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} diff --git a/helm-chart/renku/templates/gateway/rolebinding.yaml b/helm-chart/renku/templates/gateway/rolebinding.yaml index d1c63c2c7e..2a65474505 100644 --- a/helm-chart/renku/templates/gateway/rolebinding.yaml +++ b/helm-chart/renku/templates/gateway/rolebinding.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} 
@@ -10,8 +10,8 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway subjects: - kind: ServiceAccount - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway namespace: {{ .Release.Namespace }} diff --git a/helm-chart/renku/templates/gateway/secret.yaml b/helm-chart/renku/templates/gateway/secret.yaml index 677da8562e..02feb32174 100644 --- a/helm-chart/renku/templates/gateway/secret.yaml +++ b/helm-chart/renku/templates/gateway/secret.yaml @@ -14,7 +14,7 @@ {{- $gitlabClientInKeycloakSecret := .Values.global.gitlab.clientSecret | default (randAlphaNum 64) | b64enc | quote }} {{- $renkuFullname := include "renku.fullname" . -}} -{{- $secretName := cat $renkuFullname "-gateway-revproxy" | nospace }} +{{- $secretName := cat $renkuFullname "-gateway" | nospace }} {{- if not (or .Values.gateway.oidcClientSecret .Values.global.gateway.clientSecret) -}} {{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} @@ -67,6 +67,24 @@ {{- end -}} {{- end }} +{{- $tokenEncryptionSecretKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $tokenEncryptionSecretKey = index $secret.data "tokenEncryption" }} +{{- end -}} + +{{- $csrfCookieEncodingKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $csrfCookieEncodingKey = index $secret.data "cookieEncodingKey" }} +{{- end -}} + +{{- $csrfCookieHashKey := randAlphaNum 32 | b64enc | quote }} +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) }} +{{- if $secret }} +{{- $csrfCookieHashKey = index $secret.data "cookieHashKey" }} +{{- end -}} + apiVersion: v1 kind: Secret metadata: 
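Review bot: Renaming `$secretName` to `-gateway` in secret.yaml also changes what the `lookup` two lines below it finds. On the first upgrade from a release that kept its generated values in `<fullname>-gateway-revproxy`, that lookup returns nothing, so any secret not pinned in values appears to be regenerated with `randAlphaNum`; the rest of that logic is outside this hunk, so this should be confirmed. That would rotate the OIDC, GitLab and gateway secrets as a side effect of the upgrade. If rotation is not intended, fall back to the old Secret when the new one is absent, e.g. `{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) | default (lookup "v1" "Secret" .Release.Namespace (printf "%s-gateway-revproxy" $renkuFullname)) }}`. If it is intended, state it in the upgrade notes.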
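Review bot: The three new keys in the `@@ -67,6 +67,24 @@` hunk are read from the existing Secret whenever it exists, without checking that the key itself is present. `index $secret.data "tokenEncryption"` and its `cookieEncodingKey` / `cookieHashKey` counterparts therefore render an empty value if the Secret was created before these fields existed or by hand. An empty token-encryption or cookie key is worse than a regenerated one, so fall back to a fresh random value when the key is missing, and quote the reused value as the generated one already is. One `lookup` can serve all three keys instead of three identical calls. The Secret manifest that consumes these variables starts after this hunk.

```yaml
{{- /* single lookup; reuse a stored value only when that key is actually present */ -}}
{{- $existing := (lookup "v1" "Secret" .Release.Namespace $secretName) | default dict }}
{{- $existingData := get $existing "data" | default dict }}
{{- $tokenEncryptionSecretKey := get $existingData "tokenEncryption" | default (randAlphaNum 32 | b64enc) | quote }}
{{- $csrfCookieEncodingKey := get $existingData "cookieEncodingKey" | default (randAlphaNum 32 | b64enc) | quote }}
{{- $csrfCookieHashKey := get $existingData "cookieHashKey" | default (randAlphaNum 32 | b64enc) | quote }}
{{- /* … unchanged: apiVersion / kind / metadata of the Secret … */ -}}
```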
@@ -98,3 +116,7 @@ data: # A secret for the Gitlab client in Keycloak if an internal Gitlab is used gitlabClientInKeycloakSecret: {{ $gitlabClientInKeycloakSecret }} {{- end }} + cookieEncodingKey: {{ $csrfCookieEncodingKey }} + cookieHashKey: {{ $csrfCookieHashKey }} + tokenEncryption: {{ $tokenEncryptionSecretKey }} + diff --git a/helm-chart/renku/templates/gateway/service.yaml b/helm-chart/renku/templates/gateway/service.yaml index 52cd631cd6..af32be3368 100644 --- a/helm-chart/renku/templates/gateway/service.yaml +++ b/helm-chart/renku/templates/gateway/service.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: Service metadata: - name: {{ template "renku.fullname" . }}-gateway-auth + name: {{ template "renku.fullname" . }}-gateway labels: - app: {{ template "renku.name" . }}-gateway-auth + app: {{ template "renku.name" . }}-gateway chart: {{ template "renku.chart" . }} release: {{ .Release.Name }} heritage: {{ .Release.Service }} @@ -16,25 +16,6 @@ spec: protocol: TCP name: http selector: - app: {{ template "gateway.name" . }}-auth - release: {{ .Release.Name }} ---- -apiVersion: v1 -kind: Service -metadata: - name: renku-traefik - labels: - app: {{ template "renku.name" . }}-gateway-revproxy - chart: {{ template "renku.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -spec: - type: {{ .Values.gateway.service.type }} - ports: - - port: {{ .Values.gateway.service.port }} - targetPort: http - protocol: TCP - name: http - selector: - app: {{ template "gateway.name" . }}-revproxy + app: {{ template "gateway.name" . }} release: {{ .Release.Name }} + diff --git a/helm-chart/renku/templates/gateway/serviceaccount.yaml b/helm-chart/renku/templates/gateway/serviceaccount.yaml index 620874ce7b..8530d52ed1 100644 --- a/helm-chart/renku/templates/gateway/serviceaccount.yaml +++ b/helm-chart/renku/templates/gateway/serviceaccount.yaml 
@@ -1,7 +1,7 @@ apiVersion: v1 kind: ServiceAccount metadata: - name: {{ template "renku.fullname" . }}-gateway-revproxy + name: {{ template "renku.fullname" . }}-gateway labels: app: {{ template "renku.name" . }} chart: {{ template "renku.chart" . }} diff --git a/helm-chart/renku/templates/ingress.yaml b/helm-chart/renku/templates/ingress.yaml index f19b563b91..17cd9794ff 100644 --- a/helm-chart/renku/templates/ingress.yaml +++ b/helm-chart/renku/templates/ingress.yaml @@ -72,7 +72,7 @@ spec: port: number: {{ $gitlabServicePort }} {{ else }} - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 {{- end }} @@ -80,21 +80,21 @@ spec: pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: /api pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: /entities pathType: Prefix backend: service: - name: renku-traefik + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 - path: / @@ -108,7 +108,7 @@ spec: pathType: Prefix backend: service: - name: {{ $uiserverFullname }} + name: {{ template "renku.fullname" $ }}-gateway port: number: {{ $uiserverServicePort }} {{- if $graphEnabled }} @@ -123,7 +123,7 @@ spec: pathType: Prefix backend: service: - name: {{ $knowledgeGraphFullname }} + name: {{ template "renku.fullname" $ }}-gateway port: number: 80 {{- end }} diff --git a/helm-chart/renku/templates/setup-job-gitlab.yaml b/helm-chart/renku/templates/setup-job-gitlab.yaml index 933a837099..9d8cb79b76 100644 --- a/helm-chart/renku/templates/setup-job-gitlab.yaml +++ b/helm-chart/renku/templates/setup-job-gitlab.yaml 
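Review bot: In the `@@ -108,7 +108,7 @@` hunk of ingress.yaml the backend is switched to `{{ template "renku.fullname" $ }}-gateway`, but the port under it is still `number: {{ $uiserverServicePort }}`, which is the ui-server's port rather than the gateway's. The two only agree while both happen to be 80, and every other gateway backend in these hunks hard-codes `number: 80`. Take the port from the gateway Service for all of them, e.g. `number: {{ $.Values.gateway.service.port }}`. Otherwise a changed ui-server or gateway port leaves the ingress pointing at a port the gateway Service does not expose. The rule list continues outside these hunks, so other backends may need the same change.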
@@ -58,7 +58,7 @@ spec: - name: GITLAB_OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: gitlabClientSecret - name: GITLAB_OAUTH_CLIENT_ID value: {{ .Values.gateway.gitlabClientId | default .Values.global.gateway.gitlabClientId | quote }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 92e3176965..8c91721c55 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml @@ -72,7 +72,7 @@ spec: - name: INTERNAL_GITLAB_OIDC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: gitlabClientInKeycloakSecret - name: INTERNAL_GITLAB_OIDC_CLIENT_ID value: "gitlab" @@ -82,7 +82,7 @@ spec: - name: RENKU_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: oidcClientSecret - name: RENKU_KC_CLIENT_PUBLIC value: "false" @@ -93,7 +93,7 @@ spec: - name: CLI_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: cliClientSecret - name: CLI_KC_CLIENT_PUBLIC value: "true" @@ -106,7 +106,7 @@ spec: - name: UI_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: uiserverClientSecret - name: UI_KC_CLIENT_PUBLIC value: "false" 
@@ -117,7 +117,7 @@ spec: - name: NOTEBOOKS_KC_CLIENT_SECRET valueFrom: secretKeyRef: - name: {{ cat (include "renku.fullname" .) "-gateway-revproxy" | nospace }} + name: {{ cat (include "renku.fullname" .) "-gateway" | nospace }} key: notebooksClientSecret - name: NOTEBOOKS_KC_CLIENT_PUBLIC value: "false" diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index c2a80e6b2d..1e210db427 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -103,6 +103,7 @@ global: groupMemberAdded: "groupMember.added" groupMemberUpdated: "groupMember.updated" groupMemberRemoved: "groupMember.removed" + dataServiceAllEvents: "data_service.all_events" ## Note that the graph will not turned on by default until renku 0.4.0 graph: dbEventLog: @@ -672,7 +673,7 @@ ui: replicaCount: 1 image: repository: renku/renku-ui - tag: "3.33.0" + tag: "3.35.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -861,7 +862,7 @@ ui: keepCookies: [] image: repository: renku/renku-ui-server - tag: "3.33.0" + tag: "3.35.0" pullPolicy: IfNotPresent imagePullSecrets: [] nameOverride: "" @@ -1001,7 +1002,7 @@ notebooks: targetCPUUtilizationPercentage: 50 image: repository: renku/renku-notebooks - tag: "1.25.3" + tag: "1.26.0" pullPolicy: IfNotPresent ## Optionally specify an array of imagePullSecrets. ## Secrets must be manually created in the namespace. @@ -1270,7 +1271,6 @@ gateway: allowOrigin: # - http://example.com # - https://foo.example.com - replicaCount: 1 ## Set to true to enable the developement mode. This has negative security ## implications and should never be done in a production setting. development: false 
@@ -1289,11 +1289,9 @@ gateway: ## Use `openssl rand -hex 32`. secretKey: image: - ## Define the image for the auth middleware - auth: - repository: renku/renku-gateway - tag: "0.24.0" - pullPolicy: IfNotPresent + repository: renku/renku-gateway + tag: "1.0.2" + pullPolicy: IfNotPresent service: type: ClusterIP port: 80 @@ -1325,24 +1323,18 @@ gateway: dsn: environment: sampleRate: 0.1 - reverseProxy: - image: - repository: renku/renku-revproxy - tag: "0.24.0" - pullPolicy: IfNotPresent - metrics: - enabled: true - port: 8765 - replicaCount: 2 - podAnnotations: {} - resources: {} - autoscaling: - enabled: false - minReplicas: 2 - maxReplicas: 5 - targetMemoryUtilizationPercentage: 75 - targetCPUUtilizationPercentage: 75 - updateStrategy: {} + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} jena: image: repository: renku/renku-jena @@ -1391,7 +1383,7 @@ search: replicas: 1 image: repository: renku/search-api - tag: "0.4.0" + tag: "0.5.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1404,7 +1396,7 @@ search: replicas: 1 image: repository: renku/search-provision - tag: "0.4.0" + tag: "0.5.0" pullPolicy: IfNotPresent service: type: ClusterIP @@ -1603,14 +1595,14 @@ platformInit: dataService: image: repository: renku/renku-data-service - tag: "0.19.1" + tag: "0.20.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.19.1" + tag: "0.20.0" pullPolicy: IfNotPresent total: resources: {} @@ -1663,7 +1655,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.19.1" + tag: "0.20.0" pullPolicy: IfNotPresent service: type: ClusterIP diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index df3e0a8546..bb7064242f 100644 
--- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,55 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.57.0 + +* DELETE ``gateway.image.auth`` has been removed. +* EDIT ``gateway.reverseProxy`` settings have been moved to ``gateway``: + +Old + ``` + gateway: + reverseProxy: + image: + repository: renku/renku-revproxy + tag: "0.24.0" + pullPolicy: IfNotPresent + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + resources: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} + ``` +New + ``` + gateway: + image: + repository: renku/renku-gateway + tag: "1.0.0" + pullPolicy: IfNotPresent + metrics: + enabled: true + port: 8765 + replicaCount: 2 + podAnnotations: {} + resources: {} + autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + targetMemoryUtilizationPercentage: 75 + targetCPUUtilizationPercentage: 75 + updateStrategy: {} + ``` + ## Upgrading to Renku 0.54.0 * NEW ``global.platformConfig``: The YAML string can now contain a new key, `secretServicePreviousPrivateKey` which allows for rotating the secret-storage private key.