SwissDataScienceCenter
diff --git a/‎components/renku_data_services/crc/api.spec.yaml‎
Lines changed: 32 additions & 3 deletions b/‎components/renku_data_services/crc/api.spec.yaml‎
Lines changed: 32 additions & 3 deletions
diff --git a/‎components/renku_data_services/crc/apispec.py‎
Lines changed: 11 additions & 8 deletions b/‎components/renku_data_services/crc/apispec.py‎
Lines changed: 11 additions & 8 deletions
diff --git a/‎components/renku_data_services/crc/core.py‎
Lines changed: 29 additions & 1 deletion b/‎components/renku_data_services/crc/core.py‎
Lines changed: 29 additions & 1 deletion
diff --git a/‎components/renku_data_services/crc/db.py‎
Lines changed: 34 additions & 0 deletions b/‎components/renku_data_services/crc/db.py‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎components/renku_data_services/crc/models.py‎
Lines changed: 5 additions & 39 deletions b/‎components/renku_data_services/crc/models.py‎
Lines changed: 5 additions & 39 deletions
@@ -996,7 +996,19 @@ components:
           $ref: "#/components/schemas/StorageClassName"
         service_account_name:
           $ref: "#/components/schemas/K8sResourceName"
-      required: [ "name", "config_name", "session_protocol", "session_host", "session_port", "session_path", "session_ingress_annotations", "session_tls_secret_name" ]
+        session_ingress_use_default_cluster_tls_cert:
+          type: boolean
+          default: false
+      required:
+        [
+          "name",
+          "config_name",
+          "session_protocol",
+          "session_host",
+          "session_port",
+          "session_path",
+          "session_ingress_annotations",
+        ]
     ClusterPatch:
       type: object
       additionalProperties: false
@@ -1018,11 +1030,15 @@ components:
         session_ingress_annotations:
           $ref: "#/components/schemas/IngressAnnotations"
         session_tls_secret_name:
-          $ref: "#/components/schemas/TlsSecretName"
+          allOf:
+            - $ref: "#/components/schemas/TlsSecretName"
+            - description: 'If you want to remove the secret name pass in an empty string ""'
         session_storage_class:
           $ref: "#/components/schemas/StorageClassName"
         service_account_name:
           $ref: "#/components/schemas/K8sResourceNamePatch"
+        session_ingress_use_default_cluster_tls_cert:
+          type: boolean
     ClusterWithId:
       type: object
       additionalProperties: false
@@ -1051,7 +1067,20 @@ components:
           $ref: "#/components/schemas/StorageClassName"
         service_account_name:
           type: string
-      required: [ "name", "config_name", "session_protocol", "session_host", "session_port", "session_path", "session_ingress_annotations", "session_tls_secret_name", "id" ]
+        session_ingress_use_default_cluster_tls_cert:
+          type: boolean
+      required:
+        [
+          "name",
+          "config_name",
+          "session_protocol",
+          "session_host",
+          "session_port",
+          "session_path",
+          "session_ingress_annotations",
+          "id",
+          "session_ingress_use_default_cluster_tls_cert",
+        ]
     ClustersWithId:
       type: array
       items:
 
@@ -1,6 +1,6 @@
 # generated by datamodel-codegen:
 #   filename:  api.spec.yaml
-#   timestamp: 2025-12-12T08:13:17+00:00
+#   timestamp: 2026-01-20T15:22:21+00:00
 
 from __future__ import annotations
 
@@ -238,7 +238,7 @@ class Cluster(BaseAPISpec):
     session_path: str
     session_ingress_class_name: Optional[str] = Field(None, max_length=256)
     session_ingress_annotations: IngressAnnotations
-    session_tls_secret_name: str = Field(..., max_length=256)
+    session_tls_secret_name: Optional[str] = Field(None, max_length=256)
     session_storage_class: Optional[str] = Field(None, max_length=256)
     service_account_name: Optional[str] = Field(
         None,
@@ -248,6 +248,7 @@ class Cluster(BaseAPISpec):
         min_length=1,
         pattern="^[a-z0-9][a-z0-9-]*[a-z0-9]$",
     )
+    session_ingress_use_default_cluster_tls_cert: bool = False
 
 
 class ClusterPatch(BaseAPISpec):
@@ -284,6 +285,7 @@ class ClusterPatch(BaseAPISpec):
         min_length=0,
         pattern="^[a-z0-9][a-z0-9-]*[a-z0-9]$",
     )
+    session_ingress_use_default_cluster_tls_cert: Optional[bool] = None
 
 
 class ClusterWithId(BaseAPISpec):
@@ -317,9 +319,10 @@ class ClusterWithId(BaseAPISpec):
     session_path: str
     session_ingress_class_name: Optional[str] = Field(None, max_length=256)
     session_ingress_annotations: IngressAnnotations
-    session_tls_secret_name: str = Field(..., max_length=256)
+    session_tls_secret_name: Optional[str] = Field(None, max_length=256)
     session_storage_class: Optional[str] = Field(None, max_length=256)
     service_account_name: Optional[str] = None
+    session_ingress_use_default_cluster_tls_cert: bool
 
 
 class ClustersWithId(RootModel[List[ClusterWithId]]):
@@ -824,7 +827,7 @@ class ResourcePoolPatch(BaseAPISpec):
     )
     hibernation_warning_period: Optional[int] = Field(
         None,
-        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be expired. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
+        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be hibernated. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
         ge=0,
         le=2147483647,
     )
@@ -878,7 +881,7 @@ class ResourcePool(BaseAPISpec):
     )
     hibernation_warning_period: Optional[int] = Field(
         None,
-        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be expired. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
+        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be hibernated. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
         ge=0,
         le=2147483647,
     )
@@ -958,7 +961,7 @@ class ResourcePoolPut(BaseAPISpec):
     )
     hibernation_warning_period: Optional[int] = Field(
         None,
-        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be expired. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
+        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be hibernated. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
         ge=0,
         le=2147483647,
     )
@@ -1018,7 +1021,7 @@ class ResourcePoolWithId(BaseAPISpec):
     )
     hibernation_warning_period: Optional[int] = Field(
         None,
-        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be expired. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
+        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be hibernated. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
         ge=0,
         le=2147483647,
     )
@@ -1072,7 +1075,7 @@ class ResourcePoolWithIdFiltered(BaseAPISpec):
     )
     hibernation_warning_period: Optional[int] = Field(
         None,
-        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be expired. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
+        description="A duration in seconds, lower than `HibernationThreshold`,\nwhich indicates when to let the user know about a session that\nis going to be hibernated. If `0` is specified, some default\nvalue will be chosen. If no `HibernationThreshold` is defined,\nthis value is ignored.\n",
         ge=0,
         le=2147483647,
     )
 
@@ -388,6 +388,24 @@ def validate_resource_pool_update(existing: models.ResourcePool, update: models.
 
 def validate_cluster(body: apispec.Cluster) -> models.ClusterSettings:
     """Convert a REST API Cluster object to a model Cluster object."""
+    match (
+        body.session_protocol,
+        body.session_tls_secret_name,
+        body.session_ingress_use_default_cluster_tls_cert,
+    ):
+        case (apispec.Protocol.https, None, False) | (apispec.Protocol.https, "", False):
+            raise errors.ValidationError(
+                message=f"You have indicated that cluster {body.name} should use HTTPS for the ingress "
+                "but neither the TLS secret name nor the flag that indicates that the default cluster TLS secret "
+                "should be used are set. Please set only one of these two options."
+            )
+        case (apispec.Protocol.https, str(), True) if len(body.session_tls_secret_name) > 0:
+            raise errors.ValidationError(
+                message=f"You have indicated that cluster {body.name} should use HTTPS for the ingress "
+                "but you have set both the TLS secret name and the flag that indicates that the default "
+                "cluster TLS secret should be used. "
+                "Please set only one of these two options."
+            )
     return models.ClusterSettings(
         name=body.name,
         config_name=body.config_name,
@@ -406,6 +424,15 @@ def validate_cluster(body: apispec.Cluster) -> models.ClusterSettings:
 def validate_cluster_patch(patch: apispec.ClusterPatch) -> models.ClusterPatch:
     """Convert a REST API Cluster object patch to a model Cluster object."""
 
+    if patch.session_ingress_use_default_cluster_tls_cert and patch.session_tls_secret_name:
+        raise errors.ValidationError(
+            message="Setting both the TLS secret name and indicating you want to use the default cluster TLS cert "
+            "at the same time is not allowed."
+        )
+
+    session_tls_secret_name: None | ResetType | str = patch.session_tls_secret_name
+    if isinstance(patch.session_tls_secret_name, str) and len(patch.session_tls_secret_name) == 0:
+        session_tls_secret_name = RESET
     return models.ClusterPatch(
         name=patch.name,
         config_name=patch.config_name,
@@ -419,9 +446,10 @@ def validate_cluster_patch(patch: apispec.ClusterPatch) -> models.ClusterPatch:
         session_ingress_annotations=patch.session_ingress_annotations.model_dump()
         if patch.session_ingress_annotations is not None
         else None,
-        session_tls_secret_name=patch.session_tls_secret_name,
+        session_tls_secret_name=session_tls_secret_name,
         session_storage_class=patch.session_storage_class,
         service_account_name=patch.service_account_name,
+        session_ingress_use_default_cluster_tls_cert=patch.session_ingress_use_default_cluster_tls_cert,
     )
 
 
 
@@ -1043,6 +1043,36 @@ async def update(self, api_user: base_models.APIUser, cluster: ClusterPatch, clu
             if saved_cluster is None:
                 raise errors.MissingResourceError(message=f"Cluster definition id='{cluster_id}' does not exist.")
 
+            _new_session_protocol = cluster.session_protocol or saved_cluster.session_protocol
+            if isinstance(_new_session_protocol, SessionProtocol):
+                new_session_protocol = _new_session_protocol.value.lower()
+            else:
+                new_session_protocol = _new_session_protocol.lower()
+            new_session_tls_secret_name = cluster.session_tls_secret_name or saved_cluster.session_tls_secret_name
+            new_session_ingress_use_default_cluster_tls_cert = (
+                cluster.session_ingress_use_default_cluster_tls_cert
+                or saved_cluster.session_ingress_use_default_cluster_tls_cert
+            )
+            match (
+                new_session_protocol,
+                new_session_tls_secret_name,
+                new_session_ingress_use_default_cluster_tls_cert,
+            ):
+                case ("https", str(), True) if new_session_tls_secret_name:
+                    raise errors.ValidationError(
+                        message=f"You are patching cluster {saved_cluster.id} which uses or will use https but"
+                        "you are using or will use both the TLS secret name and the flag "
+                        "that indicates that the cluster default TLS secret should be used.",
+                        detail="Please only use only one of the two configuration options.",
+                    )
+                case ("https", ResetType.Reset, False) | ("https", "", False):
+                    raise errors.ValidationError(
+                        message=f"You are patching cluster {saved_cluster.id} which uses or will use https but"
+                        "you are also removing both the TLS secret name and the flag "
+                        "that indicates that the cluster default TLS secret should be used.",
+                        detail="Please only use only one of the two configuration options.",
+                    )
+
             for key, value in asdict(cluster).items():
                 match key, value:
                     case "session_protocol", SessionProtocol():
@@ -1054,6 +1084,10 @@ async def update(self, api_user: base_models.APIUser, cluster: ClusterPatch, clu
                     case "service_account_name", "":
                         # If we received an empty string in the service account name, set it back to None.
                         setattr(saved_cluster, key, None)
+                    case "session_tls_secret_name", "":
+                        setattr(saved_cluster, key, None)
+                    case "session_tls_secret_name", ResetType.Reset:
+                        setattr(saved_cluster, key, None)
                     case _, None:
                         # Do not modify a value which has not been set in the patch
                         pass
 
@@ -10,7 +10,6 @@
 from renku_data_services import errors
 from renku_data_services.base_models import ResetType
 from renku_data_services.k8s.constants import DEFAULT_K8S_CLUSTER, ClusterId
-from renku_data_services.notebooks.cr_amalthea_session import TlsSecret
 
 
 class ResourcesProtocol(Protocol):
@@ -196,9 +195,10 @@ class ClusterPatch:
     session_path: str | None
     session_ingress_class_name: str | None
     session_ingress_annotations: dict[str, Any] | None
-    session_tls_secret_name: str | None
+    session_tls_secret_name: str | None | ResetType
     session_storage_class: str | None
     service_account_name: str | None
+    session_ingress_use_default_cluster_tls_cert: bool | None = False
 
 
 @dataclass(frozen=True, eq=True, kw_only=True)
@@ -213,9 +213,10 @@ class ClusterSettings:
     session_path: str
     session_ingress_class_name: str | None = None
     session_ingress_annotations: dict[str, str]
-    session_tls_secret_name: str
+    session_tls_secret_name: str | None
     session_storage_class: str | None
     service_account_name: str | None = None
+    session_ingress_use_default_cluster_tls_cert: bool = False
 
     def to_cluster_patch(self) -> ClusterPatch:
         """Convert to ClusterPatch."""
@@ -232,49 +233,14 @@ def to_cluster_patch(self) -> ClusterPatch:
             session_tls_secret_name=self.session_tls_secret_name,
             session_storage_class=self.session_storage_class,
             service_account_name=self.service_account_name,
+            session_ingress_use_default_cluster_tls_cert=self.session_ingress_use_default_cluster_tls_cert,
         )
 
     def get_storage_class(self) -> str | None:
         """Get the default storage class for the cluster."""
 
         return self.session_storage_class
 
-    def get_ingress_parameters(
-        self, server_name: str
-    ) -> tuple[str, str, str, str, TlsSecret | None, str | None, dict[str, str]]:
-        """Returns the ingress parameters of the cluster."""
-
-        host = self.session_host
-        base_server_path = f"{self.session_path}/{server_name}"
-        if self.session_port in [80, 443]:
-            # No need to specify the port in these cases. If we specify the port on https or http
-            # when it is the usual port then the URL callbacks for authentication do not work.
-            # I.e. if the callback is registered as https://some.host/link it will not work when a redirect
-            # like https://some.host:443/link is used.
-            base_server_url = f"{self.session_protocol.value}://{host}{base_server_path}"
-        else:
-            base_server_url = f"{self.session_protocol.value}://{host}:{self.session_port}{base_server_path}"
-        base_server_https_url = base_server_url
-        ingress_class_name = self.session_ingress_class_name
-        ingress_annotations = self.session_ingress_annotations
-
-        if ingress_class_name is None:
-            ingress_class_name = ingress_annotations.get("kubernetes.io/ingress.class")
-
-        tls_secret = (
-            None if self.session_tls_secret_name is None else TlsSecret(adopt=False, name=self.session_tls_secret_name)
-        )
-
-        return (
-            base_server_path,
-            base_server_url,
-            base_server_https_url,
-            host,
-            tls_secret,
-            ingress_class_name,
-            ingress_annotations,
-        )
-
 
 @dataclass(frozen=True, eq=True, kw_only=True)
 class SavedClusterSettings(ClusterSettings):