From c4789dbf4a256f9488201c366f76ad68757f4b25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 16:48:07 +0100 Subject: [PATCH 01/24] chore: update keycloak chart to 2.2.2 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 649a7c7ad8..8a60543599 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.1.0 + version: 2.2.2 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From a93ce9741b245200c839dcd04198c89b4a6e017a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 17:24:26 +0100 Subject: [PATCH 02/24] restore current keycloakx --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 8a60543599..649a7c7ad8 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.2.2 + version: 2.1.0 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From b969e871f16f4ed2ac6155a2b1d0f29a59775ed7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 17:38:42 +0100 Subject: [PATCH 03/24] chore: bump chart to 2.2.2, kc to 21.1.1 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 649a7c7ad8..8a60543599 100644 --- a/helm-chart/renku/requirements.yaml 
+++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.1.0 + version: 2.2.2 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From f3b66dab72e3aa56d5fc77493cd377c39470a3a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 17:55:02 +0100 Subject: [PATCH 04/24] chore: update keycloak chart to 2.3.0 and kc to 22.0.4 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index 8a60543599..de4246cb24 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.2.2 + version: 2.3.0 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From 0b6c95e9058594561e9190721f4923b7bf816f42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 18:09:04 +0100 Subject: [PATCH 05/24] chore: updating keycloak chart to 2.4.4 kc version 25.0.0 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index de4246cb24..ab0068dc1b 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.3.0 + version: 2.4.4 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From 8b5429a077558b3d29dbd1cbe61e1cc320c4aa8f Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Wed, 26 Mar 2025 18:19:52 +0100 Subject: [PATCH 06/24] chore: remove the auto-build flag - not recognized --- helm-chart/renku/values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 7387f2ab22..7019d7bd8a 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -258,7 +258,6 @@ keycloakx: - "--http-port=8080" - "--hostname-strict=false" - "--hostname-strict-https=false" - - "--auto-build" # The following environment variables are provided to keycloak # as extraEnvFrom secrets. # renku-keycloak-postgres From 70f87d1a672aba207a22df65660e683526ea979d Mon Sep 17 00:00:00 2001 From: Renku Bot Date: Tue, 25 Mar 2025 16:53:55 +0000 Subject: [PATCH 07/24] chore: create release 0.68.0 --- CHANGELOG.rst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f8dc02562d..dae9bac2cb 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -1,5 +1,8 @@ .. _changelog: +0.68.0 +------ + 0.67.2 ------ From 7e29077695649e96fad25fb6b3c3d7dae1624bc4 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 27 Mar 2025 12:50:02 +0000 Subject: [PATCH 08/24] chore(deps): bump actions/checkout (#3963) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps the gh-actions group with 1 update in the / directory: [actions/checkout](https://github.com/actions/checkout). Updates `actions/checkout` from 4.1.7 to 4.2.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4.1.7...v4.2.2) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gh-actions ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Rok Roškar --- .github/workflows/check-acceptance-test-code.yml | 2 +- .github/workflows/check-acceptance-test-fmt.yml | 2 +- .github/workflows/create-release-branch.yml | 2 +- .github/workflows/publish-helm-chart.yml | 2 +- .github/workflows/publish-master-merges.yaml | 2 +- .github/workflows/pull-request-test.yml | 2 +- .github/workflows/renku-dev-test.yaml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/check-acceptance-test-code.yml b/.github/workflows/check-acceptance-test-code.yml index b7e13c3b04..28a0daf9de 100644 --- a/.github/workflows/check-acceptance-test-code.yml +++ b/.github/workflows/check-acceptance-test-code.yml @@ -12,7 +12,7 @@ jobs: name: Scala dependencies and code check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 - name: Setup JDK uses: actions/setup-java@v4 with: diff --git a/.github/workflows/check-acceptance-test-fmt.yml b/.github/workflows/check-acceptance-test-fmt.yml index 2a16017abf..2bca5503ea 100644 --- a/.github/workflows/check-acceptance-test-fmt.yml +++ b/.github/workflows/check-acceptance-test-fmt.yml @@ -12,7 +12,7 @@ jobs: name: Scala formatting check runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 - name: Setup JDK uses: actions/setup-java@v4 with: diff --git a/.github/workflows/create-release-branch.yml b/.github/workflows/create-release-branch.yml index 07122e32ef..71d722f272 100644 --- a/.github/workflows/create-release-branch.yml +++ b/.github/workflows/create-release-branch.yml @@ -16,7 +16,7 @@ jobs: create-release-pr: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 with: fetch-depth: 0 token: "${{ secrets.RENKUBOT_GITHUB_TOKEN }}" 
diff --git a/.github/workflows/publish-helm-chart.yml b/.github/workflows/publish-helm-chart.yml index 6edc56dcbf..4f34242a11 100644 --- a/.github/workflows/publish-helm-chart.yml +++ b/.github/workflows/publish-helm-chart.yml @@ -9,7 +9,7 @@ jobs: publish-chart: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 with: fetch-depth: 0 - name: Set version diff --git a/.github/workflows/publish-master-merges.yaml b/.github/workflows/publish-master-merges.yaml index 355af66c71..2ebb22789f 100644 --- a/.github/workflows/publish-master-merges.yaml +++ b/.github/workflows/publish-master-merges.yaml @@ -14,7 +14,7 @@ jobs: publish-chart: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 with: fetch-depth: 0 - uses: azure/setup-helm@v4 diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml index aa718ee9f6..8211fc7575 100644 --- a/.github/workflows/pull-request-test.yml +++ b/.github/workflows/pull-request-test.yml @@ -23,7 +23,7 @@ jobs: runs-on: ubuntu-24.04 if: github.event.action != 'closed' steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 - uses: actions/setup-java@v4 with: distribution: "temurin" diff --git a/.github/workflows/renku-dev-test.yaml b/.github/workflows/renku-dev-test.yaml index ec65221e5b..906bf12eea 100644 --- a/.github/workflows/renku-dev-test.yaml +++ b/.github/workflows/renku-dev-test.yaml @@ -22,7 +22,7 @@ jobs: github.event.client_payload.message == 'Helm test succeeded' }} runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4.1.7 + - uses: actions/checkout@v4.2.2 - uses: cypress-io/github-action@v6 id: cypress env: From 48d4d7d5c752fb9a666864d5264025c1e8439ce1 Mon Sep 17 00:00:00 2001 
From: Tasko Olevski Date: Wed, 9 Apr 2025 22:05:26 +0200 Subject: [PATCH 09/24] chore: update keycloak theme image to 4.1.6 (#3978) --- CHANGELOG.rst | 5 +++++ helm-chart/renku/values.yaml | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index dae9bac2cb..b24b0228a3 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,6 +3,11 @@ 0.68.0 ------ +Internal Changes +~~~~~~~~~~~~~~~~ + +- **Helm chart**: Update the Keycloak theme image to use non-root user by default. + 0.67.2 ------ diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 663aa4ec3d..1c8dd54e25 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -318,7 +318,7 @@ keycloakx: enabled: false extraInitContainers: | - name: theme-provider - image: renku/keycloak-theme:4.1.5 + image: renku/keycloak-theme:4.1.6 imagePullPolicy: IfNotPresent command: - sh @@ -330,6 +330,12 @@ keycloakx: volumeMounts: - name: theme mountPath: /theme + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL - name: init-certificates securityContext: allowPrivilegeEscalation: false From 77e6c84b63998c362e4dbee1d340f23f647dbeaa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Fri, 11 Apr 2025 11:53:05 +0200 Subject: [PATCH 10/24] chore: add citation information (#3970) --- CITATION.cff | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 4 ++++ 2 files changed, 65 insertions(+) create mode 100644 CITATION.cff diff --git a/CITATION.cff b/CITATION.cff new file mode 100644 index 0000000000..12872e4b2a --- /dev/null +++ b/CITATION.cff 
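Review bot: The `securityContext` added to the `theme-provider` init container in the `@@ -330,6 +330,12 @@` hunk sets `runAsNonRoot: true` without `runAsUser`/`runAsGroup`, so enforcement depends on `renku/keycloak-theme:4.1.6` declaring a numeric `USER`; if the image names its user instead, the kubelet cannot verify it and the pod fails with CreateContainerConfigError rather than starting. Pinning the identity in the chart, `runAsUser: 65534` and `runAsGroup: 65534` as the `init-certificates` container next to it already does, removes that dependency on the image and gives the `cp` into the `theme` volume a known owner. Adding `seccompProfile: {type: RuntimeDefault}` would complete the restricted profile for this container. PATCH 11 in this series adds the two UID lines, but PATCH 13 reverts that commit, so the values should be carried here.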
@@ -0,0 +1,61 @@ +cff-version: 1.2.0 +message: "If you use this software, please cite it as below." +title: "Renku: A platform for sustainable data science" +authors: + - family-names: "Roškar" + given-names: "Rok" + - family-names: "Ramakrishnan" + given-names: "Chandrasekhar" + - family-names: "Volpi" + given-names: "Michele" + - family-names: "Perez-Cruz" + given-names: "Fernando" + - family-names: "Gasser" + given-names: "Lilian" + - family-names: "Ozdemir" + given-names: "Firat" + - family-names: "Paitz" + given-names: "Patrick" + - family-names: "Alisafaee" + given-names: "Mohammad" + - family-names: "Fischer" + given-names: "Philipp" + - family-names: "Grubenmann" + given-names: "Ralf" + - family-names: "Harris" + given-names: "Eliza" + - family-names: "Olevski" + given-names: "Tasko" + - family-names: "Remlinger" + given-names: "Carl" + - family-names: "Salamanca" + given-names: "Luis" + - family-names: "Capon Garcia" + given-names: "Elisabet" + - family-names: "Cavazzi" + given-names: "Lorenzo" + - family-names: "Chrobasik" + given-names: "Jakub" + - family-names: "Cordoba Osnas" + given-names: "Darlin" + - family-names: "Degano" + given-names: "Alessandro" + - family-names: "Dupre" + given-names: "Jimena" + - family-names: "Johnson" + given-names: "Wesley" + - family-names: "Kettner" + given-names: "Eike" + - family-names: "Kinkead" + given-names: "Laura" + - family-names: "Murphy" + given-names: "Sean D." + - family-names: "Thiebaut" + given-names: "Flora" + - family-names: "Verscheure" + given-names: "Olivier" +date-released: "2023" +version: "36" +publisher: "Curran Associates, Inc." +url: "https://proceedings.neurips.cc/paper_files/paper/2023/file/838694e9ab6b0a193b84daaafcac0eed-Paper-Datasets_and_Benchmarks.pdf" +type: "conference-paper" diff --git a/README.md b/README.md index 35dd7c471b..1f2d57673f 100644 --- a/README.md +++ b/README.md 
@@ -94,3 +94,7 @@ Renku is built from several sub-repositories: operator for user session servers. - [renkulab-docker](https://github.com/SwissDataScienceCenter/renkulab-docker): base images for interactive sessions. + +## Citing Renku in research papers + +If you use the Renku platform for your research, please do cite our [paper](https://proceedings.neurips.cc/paper_files/paper/2023/hash/838694e9ab6b0a193b84daaafcac0eed-Abstract-Datasets_and_Benchmarks.html). See the citation information in the side panel of this repo for APA and BibTex formats. From 8c20dbf8d03e40186e2771136a92596d222fb940 Mon Sep 17 00:00:00 2001 From: Tasko Olevski Date: Fri, 11 Apr 2025 14:42:04 +0200 Subject: [PATCH 11/24] chore: consolidate security contexts (#3975) --- CHANGELOG.rst | 6 +++++ .../renku/templates/setup-job-authz-db.yaml | 7 +++-- .../templates/setup-job-keycloak-db.yaml | 7 +++-- .../templates/setup-job-keycloak-realms.yaml | 7 +++-- .../templates/setup-job-platform-init.yaml | 7 +++-- .../renku/templates/setup-job-renku-dbs.yaml | 7 +++-- helm-chart/renku/templates/swagger.yaml | 4 +++ .../ui/ui-client-deployment-template.yaml | 4 +-- .../templates/ui/ui-server-deployment.yaml | 4 +-- helm-chart/renku/values.yaml | 26 +++++++++++-------- helm-chart/values.yaml.changelog.md | 7 +++++ 11 files changed, 51 insertions(+), 35 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index b24b0228a3..4b595a9f8e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,9 +3,15 @@ 0.68.0 ------ +Renku 0.68.0 introduces some improvements to the Helm chart. + Internal Changes ~~~~~~~~~~~~~~~~ +**Improvements** + +- **Helm chart**: Remove the custom security context from the UI server and client and use the common ones instead. + Please check (`the Helm chart values changelog `__) for more information about the Helm chart changes. - **Helm chart**: Update the Keycloak theme image to use non-root user by default. 0.67.2 
diff --git a/helm-chart/renku/templates/setup-job-authz-db.yaml b/helm-chart/renku/templates/setup-job-authz-db.yaml index c11c079f00..980f72ff04 100644 --- a/helm-chart/renku/templates/setup-job-authz-db.yaml +++ b/helm-chart/renku/templates/setup-job-authz-db.yaml @@ -18,15 +18,14 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-authz image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "authz_db_init.py" ] securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true + {{- toYaml .Values.securityContext | nindent 12 }} env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-db.yaml b/helm-chart/renku/templates/setup-job-keycloak-db.yaml index 68736d5441..a1ca53176f 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-db.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-db.yaml @@ -19,15 +19,14 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-keycloak image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "keycloak_db_init.py" ] securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true + {{- toYaml .Values.securityContext | nindent 12 }} env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 1971f576a1..72910a122a 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml 
@@ -22,14 +22,13 @@ spec: restartPolicy: Never initContainers: {{- include "certificates.initContainer" . | nindent 8 }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: init-keycloak image: "{{ .Values.keycloakx.initRealm.image.repository }}:{{ .Values.keycloakx.initRealm.image.tag }}" securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true + {{- toYaml .Values.securityContext | nindent 12 }} command: ["python"] args: [ "/app/init-realm.py", diff --git a/helm-chart/renku/templates/setup-job-platform-init.yaml b/helm-chart/renku/templates/setup-job-platform-init.yaml index 053a4d3150..e714266b5b 100644 --- a/helm-chart/renku/templates/setup-job-platform-init.yaml +++ b/helm-chart/renku/templates/setup-job-platform-init.yaml @@ -20,15 +20,14 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-platform image: "{{ .Values.platformInit.image.repository }}:{{ .Values.platformInit.image.tag }}" args: [ "platform-init.py" ] securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true + {{- toYaml .Values.securityContext | nindent 12 }} env: - name: K8S_NAMESPACE value: {{ .Release.Namespace }} diff --git a/helm-chart/renku/templates/setup-job-renku-dbs.yaml b/helm-chart/renku/templates/setup-job-renku-dbs.yaml index 45dda94363..433936b561 100644 --- a/helm-chart/renku/templates/setup-job-renku-dbs.yaml +++ b/helm-chart/renku/templates/setup-job-renku-dbs.yaml 
@@ -18,15 +18,14 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-renku image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "renku_db_init.py" ] securityContext: - runAsUser: 1000 - runAsGroup: 1000 - allowPrivilegeEscalation: false - runAsNonRoot: true + {{- toYaml .Values.securityContext | nindent 12 }} env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/swagger.yaml b/helm-chart/renku/templates/swagger.yaml index 17446ae4a8..40e3713937 100644 --- a/helm-chart/renku/templates/swagger.yaml +++ b/helm-chart/renku/templates/swagger.yaml @@ -17,9 +17,13 @@ spec: app.kubernetes.io/name: {{ include "renku.name" . }}-swagger app.kubernetes.io/instance: {{ .Release.Name }} spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: swagger image: swaggerapi/swagger-ui + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} env: - name: BASE_URL value: /swagger diff --git a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml index 094a4a6ec8..1693e9a2a2 100644 --- a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml +++ b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml @@ -141,7 +141,7 @@ spec: resources: {{ toYaml .Values.ui.client.resources | indent 12 }} securityContext: - {{- toYaml .Values.ui.client.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} {{- with .Values.ui.client.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} 
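Review bot: The swagger hunk applies `.Values.securityContext` (user 1000, non-root, no privilege escalation) to `image: swaggerapi/swagger-ui`, which carries no tag, so the container now runs a floating `latest` under a UID the image was never pinned for; whether its nginx entrypoint can start as UID 1000 should be verified on a rendered chart before release. Pin the image, `image: swaggerapi/swagger-ui:<version>` (a digest is better still), and if the entrypoint needs to write its config, mount an emptyDir on the paths it touches. The setup-job-*.yaml hunks in this commit only swap identical hard-coded contexts for the same templated values and look fine.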
@@ -155,7 +155,7 @@ spec: {{ toYaml . | indent 8 }} {{- end }} securityContext: - {{- toYaml .Values.ui.client.podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} {{- if .Values.ui.client.image.pullSecrets }} imagePullSecrets: {{- range .Values.ui.client.image.pullSecrets }} diff --git a/helm-chart/renku/templates/ui/ui-server-deployment.yaml b/helm-chart/renku/templates/ui/ui-server-deployment.yaml index a6318ceb5d..dcd38e919c 100644 --- a/helm-chart/renku/templates/ui/ui-server-deployment.yaml +++ b/helm-chart/renku/templates/ui/ui-server-deployment.yaml @@ -29,14 +29,14 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.ui.server.podSecurityContext | nindent 8 }} + {{- toYaml .Values.podSecurityContext | nindent 8 }} automountServiceAccountToken: {{ .Values.global.debug }} initContainers: {{- include "certificates.initContainer" . | nindent 8 }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.ui.server.securityContext | nindent 12 }} + {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.ui.server.image.repository }}:{{ .Values.ui.server.image.tag }}" imagePullPolicy: {{ .Values.ui.server.image.pullPolicy }} ports: diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 1c8dd54e25..7a05df33d6 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -327,6 +327,14 @@ keycloakx: - | echo "Copying theme..." cp -Rfv /renku_theme/* /theme + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: true + runAsGroup: 65534 + runAsUser: 65534 + capabilities: + drop: + - ALL volumeMounts: - name: theme mountPath: /theme 
@@ -341,6 +349,10 @@ keycloakx: allowPrivilegeEscalation: false runAsGroup: 65534 runAsUser: 65534 + runAsNonRoot: true + capabilities: + drop: + - ALL image: "registry.access.redhat.com/ubi8/ubi:8.4" command: ["sh", "-c"] args: ["mkdir -p /etc/pki/ca-trust/extracted/openssl/ /etc/pki/ca-trust/extracted/pem/ /etc/pki/ca-trust/extracted/java/ /etc/pki/ca-trust/extracted/edk2 && update-ca-trust"] @@ -564,11 +576,6 @@ ui: nodeSelector: {} tolerations: [] affinity: {} - podSecurityContext: {} - securityContext: - runAsUser: 101 - runAsNonRoot: true - allowPrivilegeEscalation: false # This defines the message displayed on the home page of logged in users. dashboardMessage: enabled: false @@ -736,12 +743,6 @@ ui: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" - podSecurityContext: {} - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - allowPrivilegeEscalation: false service: type: ClusterIP port: 80 @@ -1627,6 +1628,9 @@ securityContext: runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false + capabilities: + drop: + - ALL nodeSelector: {} tolerations: [] affinity: {} diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 9170e6ec9c..334365c85e 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,6 +5,13 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
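Review bot: The `@@ -564,11 +576,6 @@ ui:` hunk deletes `ui.client.securityContext`, which ran the UI client as `runAsUser: 101`, while the client deployment now takes the common `securityContext`, which the removed setup-job blocks and the `@@ -1627` context show as user/group 1000. If the client image is the nginx-based one that UID 101 suggests, it will now start as 1000 and may fail on cache or pid paths owned by 101; either keep a per-component override for the client or confirm the image runs under 1000 on a deployed chart, and have the values changelog state the UID the client runs as after the upgrade. PATCH 13 of this series reverts this commit wholesale, so if the UID mismatch was the cause, the setup-job and swagger consolidation could be re-applied separately from the UI change.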
` +## Upgrading to Renku 0.68.0 + +* DELETE ``ui.client.securityContext`` has been removed, replaced by ``securityContext``. +* DELETE ``ui.server.securityContext`` has been removed, replaced by ``securityContext``. +* DELETE ``ui.client.podSecurityContext`` has been removed, replaced by ``podSecurityContext``. +* DELETE ``ui.server.podSecurityContext`` has been removed, replaced by ``podSecurityContext``. + ## Upgrading to Renku 0.66.0 * NEW `dataService.imageBuilders` to configure session image builds using Shipwright. From 6514dc81a3cd23671618d473d1edfc910a136bd2 Mon Sep 17 00:00:00 2001 From: Ralf Grubenmann Date: Mon, 14 Apr 2025 13:39:35 +0200 Subject: [PATCH 12/24] feat: add data service based k8s watcher (#3979) --- CHANGELOG.rst | 6 ++ .../data-service/deployment_k8s_watcher.yaml | 85 +++++++++++++++++++ .../data-service/rbac_k8s_watcher.yaml | 78 +++++++++++++++++ .../renku/templates/network-policies.yaml | 6 ++ helm-chart/renku/values.yaml | 12 ++- 5 files changed, 184 insertions(+), 3 deletions(-) create mode 100644 helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml create mode 100644 helm-chart/renku/templates/data-service/rbac_k8s_watcher.yaml diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 4b595a9f8e..8924d62f9d 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -13,6 +13,12 @@ Internal Changes - **Helm chart**: Remove the custom security context from the UI server and client and use the common ones instead. Please check (`the Helm chart values changelog `__) for more information about the Helm chart changes. - **Helm chart**: Update the Keycloak theme image to use non-root user by default. +- **Data services**: Added k8s cache service that caches sessions in the data services database + +Individual Components +~~~~~~~~~~~~~~~~~~~~~ + +- `renku-data-services 0.39.0 `_ 0.67.2 ------ 
diff --git a/helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml b/helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml new file mode 100644 index 0000000000..29a343279e --- /dev/null +++ b/helm-chart/renku/templates/data-service/deployment_k8s_watcher.yaml 
@@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "renku.fullname" . }}-k8s-watcher + labels: + app: renku-k8s-watcher + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +spec: + replicas: 1 + strategy: + {{- toYaml .Values.dataService.updateStrategy | nindent 4 }} + selector: + matchLabels: + app: renku-k8s-watcher + release: {{ .Release.Name }} + template: + metadata: + labels: + app: renku-k8s-watcher + release: {{ .Release.Name }} + annotations: + {{- with .Values.dataService.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + automountServiceAccountToken: {{ .Values.global.debug }} + initContainers: + {{- include "certificates.initContainer" . | nindent 8 }} + containers: + - name: k8s-watcher + image: "{{ .Values.dataService.k8sWatcher.image.repository }}:{{ .Values.dataService.k8sWatcher.image.tag }}" + imagePullPolicy: {{ .Values.dataService.k8sWatcher.image.pullPolicy }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + env: + - name: VERSION + value: {{ .Values.dataService.image.tag | quote }} + - name: DB_HOST + value: {{ template "postgresql.fullname" . }} + - name: DB_USER + value: {{ .Values.global.db.common.username }} + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.global.db.common.passwordSecretName }} + key: password + - name: K8S_NAMESPACE + value: {{ .Release.Namespace | quote }} + - name: KUBERNETES_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + {{- include "certificates.env.python" . | nindent 12 }} + volumeMounts: + {{- include "certificates.volumeMounts.system" . 
| nindent 12 }} + livenessProbe: + exec: + command: + - cat + - /tmp/cache_ready + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 6 + resources: + {{ toYaml .Values.dataService.k8sWatcher.resources | nindent 12 }} + {{- with .Values.dataService.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dataService.affinity }} + affinity: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dataService.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- include "certificates.volumes" . | nindent 8 }} + serviceAccountName: {{ template "renku.fullname" . }}-k8s-watcher diff --git a/helm-chart/renku/templates/data-service/rbac_k8s_watcher.yaml b/helm-chart/renku/templates/data-service/rbac_k8s_watcher.yaml new file mode 100644 index 0000000000..3a3141dfb0 --- /dev/null +++ b/helm-chart/renku/templates/data-service/rbac_k8s_watcher.yaml 
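Review bot: `automountServiceAccountToken: {{ .Values.global.debug }}` in the new deployment appears to be carried over from the UI server deployment, but this pod is bound to the `-k8s-watcher` ServiceAccount precisely so it can list and watch session resources; with `global.debug` false no token is mounted and the container has no API credentials, unless the image obtains them some other way. Set it unconditionally, `automountServiceAccountToken: true`, and let the RoleBinding be the thing that scopes what the token may do. Separately, `K8S_NAMESPACE` and `KUBERNETES_NAMESPACE` both carry the release namespace; if the image reads only one of them, drop the other so the two cannot drift.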
@@ -0,0 +1,78 @@ +{{- if .Values.dataService.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "renku.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +rules: + - apiGroups: + - {{ .Values.amalthea.crdApiGroup }} + resources: + - {{ .Values.amalthea.crdNames.plural }} + verbs: + - create + - update + - delete + - patch + - list + - get + - watch + - apiGroups: + - amalthea.dev + resources: + - amaltheasessions + verbs: + - create + - update + - delete + - patch + - list + - get + - watch + {{- if .Values.dataService.imageBuilders.enabled }} + - apiGroups: + - shipwright.io + resources: + - buildruns + verbs: + - create + - update + - delete + - patch + - list + - get + - watch + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "renku.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "renku.fullname" . }}-k8s-watcher + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "renku.fullname" . }}-k8s-watcher +subjects: + - kind: ServiceAccount + name: {{ template "renku.fullname" . }}-k8s-watcher + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/helm-chart/renku/templates/network-policies.yaml b/helm-chart/renku/templates/network-policies.yaml index 656b4390b3..9cd63a39e1 100644 --- a/helm-chart/renku/templates/network-policies.yaml +++ b/helm-chart/renku/templates/network-policies.yaml 
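Review bot: The Role grants `create`, `update`, `delete` and `patch` on `{{ .Values.amalthea.crdNames.plural }}`, `amaltheasessions` and (when enabled) `buildruns`, yet the CHANGELOG entry in this commit describes the watcher as a cache that mirrors sessions into the database, and a read-only mirror needs only `get`, `list` and `watch`. If the watcher does not write to the API, trimming the verbs keeps this ServiceAccount from being able to delete or alter every session in the namespace should the pod be compromised; if it does write, a one-line comment above the rule naming the operation that needs it would help the next reviewer. The first rule takes group and resource from `.Values.amalthea.crdApiGroup`/`crdNames.plural` while the second hard-codes `amalthea.dev`/`amaltheasessions`; if the values default to that same pair the second rule is redundant, and if not the mix of templated and literal names should be made consistent.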
@@ -68,6 +68,12 @@ spec: namespaceSelector: matchLabels: kubernetes.io/metadata.name: {{ .Release.Namespace }} + - podSelector: + matchLabels: + app: renku-k8s-watcher + namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ .Release.Namespace }} - podSelector: matchLabels: app: keycloak-sync diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 7a05df33d6..b78701a133 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -1517,17 +1517,23 @@ dataService: create: true image: repository: renku/renku-data-service - tag: "0.38.0" + tag: "0.39.0" pullPolicy: IfNotPresent backgroundJobs: events: resources: {} image: repository: renku/data-service-background-jobs - tag: "0.38.0" + tag: "0.39.0" pullPolicy: IfNotPresent total: resources: {} + k8sWatcher: + image: + repository: renku/data-service-k8s-watcher + tag: "0.39.0" + pullPolicy: IfNotPresent + resources: {} service: type: ClusterIP port: 80 @@ -1604,7 +1610,7 @@ authz: secretsStorage: image: repository: renku/secrets-storage - tag: "0.38.0" + tag: "0.39.0" pullPolicy: IfNotPresent service: type: ClusterIP From be9453e58cdfdb05909b1a2b9283147149ff4ed8 Mon Sep 17 00:00:00 2001 
From: Tasko Olevski Date: Tue, 15 Apr 2025 15:31:58 +0200 Subject: [PATCH 13/24] Revert "chore: consolidate security contexts (#3975)" (#3986) This reverts commit 4f56c743e318bcb512af551c6409924bb10ef220. --- CHANGELOG.rst | 6 ----- .../renku/templates/setup-job-authz-db.yaml | 7 ++--- .../templates/setup-job-keycloak-db.yaml | 7 ++--- .../templates/setup-job-keycloak-realms.yaml | 7 ++--- .../templates/setup-job-platform-init.yaml | 7 ++--- .../renku/templates/setup-job-renku-dbs.yaml | 7 ++--- helm-chart/renku/templates/swagger.yaml | 4 --- .../ui/ui-client-deployment-template.yaml | 4 +-- .../templates/ui/ui-server-deployment.yaml | 4 +-- helm-chart/renku/values.yaml | 26 ++++++++----------- helm-chart/values.yaml.changelog.md | 7 ----- 11 files changed, 35 insertions(+), 51 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 8924d62f9d..f40d5f3dd4 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,15 +3,9 @@ 0.68.0 ------ -Renku 0.68.0 introduces some improvements to the Helm chart. - Internal Changes ~~~~~~~~~~~~~~~~ -**Improvements** - -- **Helm chart**: Remove the custom security context from the UI server and client and use the common ones instead. - Please check (`the Helm chart values changelog `__) for more information about the Helm chart changes. - **Helm chart**: Update the Keycloak theme image to use non-root user by default. - **Data services**: Added k8s cache service that caches sessions in the data services database diff --git a/helm-chart/renku/templates/setup-job-authz-db.yaml b/helm-chart/renku/templates/setup-job-authz-db.yaml index 980f72ff04..c11c079f00 100644 --- a/helm-chart/renku/templates/setup-job-authz-db.yaml +++ b/helm-chart/renku/templates/setup-job-authz-db.yaml 
@@ -18,14 +18,15 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-authz image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "authz_db_init.py" ] securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-db.yaml b/helm-chart/renku/templates/setup-job-keycloak-db.yaml index a1ca53176f..68736d5441 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-db.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-db.yaml @@ -19,14 +19,15 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-keycloak image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "keycloak_db_init.py" ] securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml index 72910a122a..1971f576a1 100644 --- a/helm-chart/renku/templates/setup-job-keycloak-realms.yaml +++ b/helm-chart/renku/templates/setup-job-keycloak-realms.yaml 
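Review bot: The container `securityContext` hardcoded in setup-job-authz-db.yaml, and identically in setup-job-keycloak-db.yaml on this line and in setup-job-keycloak-realms.yaml, setup-job-platform-init.yaml and setup-job-renku-dbs.yaml on the following lines, is narrower than the shared block it replaces: the chart-wide `securityContext` in values.yaml carried `capabilities: drop: [ALL]` until this same commit strips it, and the pod-level `securityContext` is removed outright, so these jobs keep no pod-level settings unless the template sets them elsewhere. Since this is a revert the intent is to restore the earlier layout, but the five copies are now kept in sync by hand. Adding `capabilities:` / `  drop:` / `    - ALL` to each container block preserves the hardening the consolidated version had without reintroducing the shared values. Each job's pod spec continues outside the hunk.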
@@ -22,13 +22,14 @@ spec: restartPolicy: Never initContainers: {{- include "certificates.initContainer" . | nindent 8 }} - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: init-keycloak image: "{{ .Values.keycloakx.initRealm.image.repository }}:{{ .Values.keycloakx.initRealm.image.tag }}" securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true command: ["python"] args: [ "/app/init-realm.py", diff --git a/helm-chart/renku/templates/setup-job-platform-init.yaml b/helm-chart/renku/templates/setup-job-platform-init.yaml index e714266b5b..053a4d3150 100644 --- a/helm-chart/renku/templates/setup-job-platform-init.yaml +++ b/helm-chart/renku/templates/setup-job-platform-init.yaml @@ -20,14 +20,15 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-platform image: "{{ .Values.platformInit.image.repository }}:{{ .Values.platformInit.image.tag }}" args: [ "platform-init.py" ] securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true env: - name: K8S_NAMESPACE value: {{ .Release.Namespace }} diff --git a/helm-chart/renku/templates/setup-job-renku-dbs.yaml b/helm-chart/renku/templates/setup-job-renku-dbs.yaml index 433936b561..45dda94363 100644 --- a/helm-chart/renku/templates/setup-job-renku-dbs.yaml +++ b/helm-chart/renku/templates/setup-job-renku-dbs.yaml 
@@ -18,14 +18,15 @@ spec: chart: {{ template "renku.chart" . }} spec: restartPolicy: Never - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: initialize-postgres-renku image: "{{ .Values.initDb.image.repository }}:{{ .Values.initDb.image.tag }}" args: [ "renku_db_init.py" ] securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + runAsNonRoot: true env: - name: DB_HOST value: {{ template "postgresql.fullname" . }} diff --git a/helm-chart/renku/templates/swagger.yaml b/helm-chart/renku/templates/swagger.yaml index 40e3713937..17446ae4a8 100644 --- a/helm-chart/renku/templates/swagger.yaml +++ b/helm-chart/renku/templates/swagger.yaml @@ -17,13 +17,9 @@ spec: app.kubernetes.io/name: {{ include "renku.name" . }}-swagger app.kubernetes.io/instance: {{ .Release.Name }} spec: - securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: swagger image: swaggerapi/swagger-ui - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} env: - name: BASE_URL value: /swagger diff --git a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml index 1693e9a2a2..094a4a6ec8 100644 --- a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml +++ b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml @@ -141,7 +141,7 @@ spec: resources: {{ toYaml .Values.ui.client.resources | indent 12 }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.ui.client.securityContext | nindent 12 }} {{- with .Values.ui.client.nodeSelector }} nodeSelector: {{ toYaml . | indent 8 }} 
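Review bot: After the swagger.yaml hunk the swagger container has no `securityContext` at either pod or container level, so it runs as whatever user the image chooses, while every other workload touched by this revert keeps at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false`. If only the shared values needed backing out, a minimal container block `securityContext:` / `  runAsNonRoot: true` / `  allowPrivilegeEscalation: false` would keep the deployment in line with its siblings. The context line `image: swaggerapi/swagger-ui` is untagged, which this commit does not change, but it means the effective user can drift between pulls. The Deployment spec continues outside the hunk.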
@@ -155,7 +155,7 @@ spec: {{ toYaml . | indent 8 }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.ui.client.podSecurityContext | nindent 8 }} {{- if .Values.ui.client.image.pullSecrets }} imagePullSecrets: {{- range .Values.ui.client.image.pullSecrets }} diff --git a/helm-chart/renku/templates/ui/ui-server-deployment.yaml b/helm-chart/renku/templates/ui/ui-server-deployment.yaml index dcd38e919c..a6318ceb5d 100644 --- a/helm-chart/renku/templates/ui/ui-server-deployment.yaml +++ b/helm-chart/renku/templates/ui/ui-server-deployment.yaml @@ -29,14 +29,14 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- toYaml .Values.ui.server.podSecurityContext | nindent 8 }} automountServiceAccountToken: {{ .Values.global.debug }} initContainers: {{- include "certificates.initContainer" . | nindent 8 }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- toYaml .Values.ui.server.securityContext | nindent 12 }} image: "{{ .Values.ui.server.image.repository }}:{{ .Values.ui.server.image.tag }}" imagePullPolicy: {{ .Values.ui.server.image.pullPolicy }} ports: diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index b78701a133..6a011f46bb 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -327,14 +327,6 @@ keycloakx: - | echo "Copying theme..." cp -Rfv /renku_theme/* /theme - securityContext: - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsGroup: 65534 - runAsUser: 65534 - capabilities: - drop: - - ALL volumeMounts: - name: theme mountPath: /theme 
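Review bot: The values.yaml hunk at `-327` removes the entire `securityContext` of the theme-copy init container, including `runAsNonRoot: true`, rather than trimming it the way the ca-trust init container in the next hunk keeps its `runAsUser`/`runAsGroup`/`allowPrivilegeEscalation` lines. The CHANGELOG entry retained on this page says the theme image now uses a non-root user by default, but that is an image property; without `runAsNonRoot: true` the kubelet no longer enforces it. Keeping `securityContext:` / `  runAsNonRoot: true` / `  allowPrivilegeEscalation: false` on this init container preserves the guard at no cost. The init-container list continues outside the hunk.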
@@ -349,10 +341,6 @@ keycloakx: allowPrivilegeEscalation: false runAsGroup: 65534 runAsUser: 65534 - runAsNonRoot: true - capabilities: - drop: - - ALL image: "registry.access.redhat.com/ubi8/ubi:8.4" command: ["sh", "-c"] args: ["mkdir -p /etc/pki/ca-trust/extracted/openssl/ /etc/pki/ca-trust/extracted/pem/ /etc/pki/ca-trust/extracted/java/ /etc/pki/ca-trust/extracted/edk2 && update-ca-trust"] @@ -576,6 +564,11 @@ ui: nodeSelector: {} tolerations: [] affinity: {} + podSecurityContext: {} + securityContext: + runAsUser: 101 + runAsNonRoot: true + allowPrivilegeEscalation: false # This defines the message displayed on the home page of logged in users. dashboardMessage: enabled: false @@ -743,6 +736,12 @@ ui: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template name: "" + podSecurityContext: {} + securityContext: + runAsUser: 1000 + runAsGroup: 1000 + runAsNonRoot: true + allowPrivilegeEscalation: false service: type: ClusterIP port: 80 @@ -1634,9 +1633,6 @@ securityContext: runAsGroup: 1000 runAsNonRoot: true allowPrivilegeEscalation: false - capabilities: - drop: - - ALL nodeSelector: {} tolerations: [] affinity: {} diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 334365c85e..9170e6ec9c 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,13 +5,6 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
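Review bot: The `-349` hunk leaves the `ubi8` ca-trust init container without `runAsNonRoot: true`, so the `runAsUser: 65534` it keeps is the only thing standing between it and a root process, and the `-1634` hunk strips `capabilities: drop: [ALL]` from the chart-wide `securityContext` that every consumer of `.Values.securityContext` inherits. Both go further than reassigning per-component contexts, which is what the revert's subject describes. If the aim is only to restore the ui-specific keys, re-adding `runAsNonRoot: true` to the init container and the three `capabilities` lines to the common block keeps the previous hardening. Separately, `ui.client.securityContext` sets `runAsUser: 101` with no `runAsGroup` while `ui.server.securityContext` sets both; presumably tied to the client image's user, but a comment would save the next reader the question.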
` -## Upgrading to Renku 0.68.0 - -* DELETE ``ui.client.securityContext`` has been removed, replaced by ``securityContext``. -* DELETE ``ui.server.securityContext`` has been removed, replaced by ``securityContext``. -* DELETE ``ui.client.podSecurityContext`` has been removed, replaced by ``podSecurityContext``. -* DELETE ``ui.server.podSecurityContext`` has been removed, replaced by ``podSecurityContext``. - ## Upgrading to Renku 0.66.0 * NEW `dataService.imageBuilders` to configure session image builds using Shipwright. From aeba01987a86d7cf09b28a5064a264b4b0efa886 Mon Sep 17 00:00:00 2001 From: Lorenzo Cavazzi <43481553+lorenzo-cavazzi@users.noreply.github.com> Date: Tue, 15 Apr 2025 17:02:29 +0200 Subject: [PATCH 14/24] chore: bump renku core and templates versions (#3987) Co-authored-by: Mohammad Alisafaee --- CHANGELOG.rst | 17 +++++++++++++---- helm-chart/renku/values.yaml | 10 +++------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/CHANGELOG.rst b/CHANGELOG.rst index f40d5f3dd4..9d0ab0fb7e 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -3,21 +3,30 @@ 0.68.0 ------ +User-Facing Changes +~~~~~~~~~~~~~~~~~~~ + +**🐞 Bug Fixes** + +- **Core Service**: Fix a bug where removing activities wouldn't actually remove them. + Internal Changes ~~~~~~~~~~~~~~~~ - **Helm chart**: Update the Keycloak theme image to use non-root user by default. -- **Data services**: Added k8s cache service that caches sessions in the data services database +- **Data services**: Added k8s cache service that caches sessions in the data services database. Individual Components ~~~~~~~~~~~~~~~~~~~~~ - `renku-data-services 0.39.0 `_ +- `renku-python 2.9.4 `_ +- `renku-python 2.9.3 `_ 0.67.2 ------ -Renku ``0.67.2`` fixes several bugs in the data services backend. +Renku ``0.67.2`` fixes several bugs in the data services backend. User-Facing Changes ~~~~~~~~~~~~~~~~~~~ 
@@ -25,7 +34,7 @@ User-Facing Changes **🐞 Bug Fixes** - **Data services**: Surface more specific message when Git integrations expire. -- **Data services**: Fix a bug where modifying the resource class of a hibernated +- **Data services**: Fix a bug where modifying the resource class of a hibernated session would cause it to not start back up when resumed. - **Data services**: Data connectors were failing to copy when copying projects. @@ -1615,7 +1624,7 @@ Internal Changes Individual Components ~~~~~~~~~~~~~~~~~~~~~ -- `renku-python 2.9.2 `_ +- `renku-python 2.9.2 `_ - `renku-data-services 0.5.0 `_ - `csi-rclone 0.1.7 `_ diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 6a011f46bb..3f82610677 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -72,7 +72,7 @@ global: fullnameOverride: "" image: repository: renku/renku-core - tag: "v2.9.2" + tag: "v2.9.4" pullPolicy: IfNotPresent uiserver: ## The client secret for the renku-ui client application registered in keycloak. @@ -593,10 +593,10 @@ ui: custom: true repositories: - url: https://github.com/SwissDataScienceCenter/renku-project-template - ref: 0.7.2 + ref: 0.9.0 name: Renku - url: https://github.com/SwissDataScienceCenter/contributed-project-templates - ref: 0.7.0 + ref: 0.10.0 name: Community # This defines the threshold for automatically showing a preview when browsing projects' files. # Above the soft limit, the user receives a warning. Above the hard limit, no preview is available. @@ -1636,7 +1636,3 @@ securityContext: nodeSelector: {} tolerations: [] affinity: {} -versions: - latest: - image: - tag: v2.9.2 From d321097489979a737cdd6b3c7ab236891fbf909b Mon Sep 17 00:00:00 2001 
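Review bot: The last values.yaml hunk deletes the top-level `versions.latest.image.tag` key, a removed value for anyone overriding it, but neither the CHANGELOG hunk in this commit nor `helm-chart/values.yaml.changelog.md` receives the `* DELETE` entry that file's convention calls for (the convention is visible in the revert earlier on this page). Whether any template still reads `.Values.versions` cannot be seen from here; a grep before merge would confirm the removal is complete. A line such as `* DELETE \`versions.latest.image.tag\` has been removed.` under a new "Upgrading" heading would cover it.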
From: Alessandro Degano Date: Fri, 21 Mar 2025 15:59:34 +0100 Subject: [PATCH 15/24] feat: Add init script for Harbor. This commit adds an initialization script to configure a Harbor instance to be used as image registry for Renkulab v2. --- CHANGELOG.rst | 1 + scripts/harbor-init/README.md | 34 +++++ scripts/harbor-init/go.mod | 3 + scripts/harbor-init/harbor-init.go | 236 +++++++++++++++++++++++++++++ 4 files changed, 274 insertions(+) create mode 100644 scripts/harbor-init/README.md create mode 100644 scripts/harbor-init/go.mod create mode 100644 scripts/harbor-init/harbor-init.go diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 9d0ab0fb7e..bd2cebdd15 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -15,6 +15,7 @@ Internal Changes - **Helm chart**: Update the Keycloak theme image to use non-root user by default. - **Data services**: Added k8s cache service that caches sessions in the data services database. +- **Admin tools**: Add Harbor initialization script to setup a registry for RenkuLab v2. Individual Components ~~~~~~~~~~~~~~~~~~~~~ diff --git a/scripts/harbor-init/README.md b/scripts/harbor-init/README.md new file mode 100644 index 0000000000..fe65d57a4c --- /dev/null +++ b/scripts/harbor-init/README.md 
@@ -0,0 +1,34 @@ +# Harbor initialization for Renkulab script + +This script can be used to initialize a Harbor registry for usage with Renkulab: it will create a project, a robot account in that project that uses the specified secret for authentication. + +## Prerequisite + +1. A Harbor deployment +2. Admin credentials +3. Project name +4. Robot account name and secret +5. Access to the Renkulab namespace in Kubernetes + +## Usage + +With `go` installed, the script can be simply run: + +```bash +go run harbor-init.go --url https:// --admin --password --project --robot --secret +``` + +The script is idem-potent, so if the project or robot already exist the script will move on, additionally the robot's secret will always be updated (NOTE: it will overwrite the previous one!). + +## Kubernetes secret for Renkulab + +The secret for Renkulab can now be created so that container images build can be uploaded to the Harbor project. Using the and the Kubernetes secret can be created using `kubectl` as following: + +```bash +kubectl --namespace create secret docker-registry renku-build-docker-secret --docker-server --docker-username 'robot$+' --docker-password '' +``` + +Note: the username of the robot account is composed by harbor combining the project and its username, e.g. if the project is `foo` and the robot account `bar` then the resulting username would be `robot$foo+bar`. +To make sure that the terminal respects the special characters, the string should be surrounded by single quotes ''. + +The name of the secret should be matched in the Renku Helm chart values file under `dataService.imageBuilders.pushSecretName`. diff --git a/scripts/harbor-init/go.mod b/scripts/harbor-init/go.mod new file mode 100644 index 0000000000..eb403ce848 --- /dev/null +++ b/scripts/harbor-init/go.mod @@ -0,0 +1,3 @@ +module harbor-init + +go 1.21.4 diff --git a/scripts/harbor-init/harbor-init.go b/scripts/harbor-init/harbor-init.go new file mode 100644 index 0000000000..09450540b1 
--- /dev/null +++ b/scripts/harbor-init/harbor-init.go 
@@ -0,0 +1,236 @@ +package main + +import ( + "bytes" + "encoding/json" + "flag" + "io" + "log" + "net/http" + "os" + "strconv" +) + +const ( + // Harbor API version + HARBOR_API_ENDPOINT = "/api/v2.0" +) + +type Login struct { + Url string + Username string + Password string +} + +type Projects []struct { + Name string `json:"name"` +} + +type ProjectRobots []struct { + Name string `json:"name"` + Id int `json:"id"` + Permissions []struct { + Namespace string `json:"namespace"` + } `json:"permissions"` +} + +type ResponseRobot struct { + Id int `json:"id"` +} + +func request(method string, login Login, endpoint string, body []byte) (*http.Response, []byte, error) { + client := &http.Client{} + req, err := http.NewRequest(method, login.Url+endpoint, bytes.NewBuffer(body)) + if err != nil { + return nil, nil, err + } + req.SetBasicAuth(login.Username, login.Password) + req.Header.Set("Content-Type", "application/json") + + resp, err := client.Do(req) + if err != nil { + return nil, nil, err + } + defer resp.Body.Close() + respBody, err := io.ReadAll(resp.Body) + if err != nil { + return nil, nil, err + } + return resp, respBody, nil +} + +func main() { + urlFlag := flag.String("url", "https://harbor.example.com", "Harbor URL") + adminFlag := flag.String("admin", "admin", "Harbor admin username") + passwordFlag := flag.String("password", "", "Harbor admin password") + projectNameFlag := flag.String("project", "renku-build", "Project name") + robotAccountNameFlag := flag.String("robot", "renku-registry-robot", "Robot account name") + robotSecretFlag := flag.String("secret", "", "Robot account secret") + flag.Parse() + // Initialize logger to print to stdout + logger := log.New(os.Stdout, "INFO: ", log.Ldate|log.Ltime) + login := Login{} + // Get login from environment variable + if *urlFlag == "" { + logger.Fatal("url flag is not set") + } + login.Url = *urlFlag + HARBOR_API_ENDPOINT + login.Username = *adminFlag + if login.Username == "" { + logger.Fatal("admin flag 
is not set") + } + login.Password = *passwordFlag + if login.Password == "" { + logger.Fatal("password flag is not set") + } + projectName := *projectNameFlag + if projectName == "" { + logger.Fatal("project flag is not set") + } + robotAccountName := *robotAccountNameFlag + if robotAccountName == "" { + logger.Fatal("robot flag is not set") + } + robotSecret := *robotSecretFlag + if robotSecret == "" { + logger.Fatal("secret flag is not set") + } + + // Authenticate and get a session cookie + logger.Println("Authenticating with Harbor server") + resp, body, err := request("GET", login, "/audit-logs", nil) + if err != nil { + logger.Fatal("Error connecting to Harbor: ", err) + } + if resp.StatusCode != http.StatusOK { + logger.Fatal("Failed to authenticate:", resp.Status, err, string(body)) + return + } + logger.Println("Authenticated successfully") + + // Check if project already exists + logger.Println("Checking if project exists:", projectName) + resp, body, err = request("GET", login, "/projects?name="+projectName, nil) + if err != nil { + logger.Fatal("Error getting project Harbor: ", err) + } + if resp.StatusCode != http.StatusOK { + logger.Println("Failed to get project:", err) + return + } + var projects Projects + err = json.Unmarshal(body, &projects) + if err != nil { + logger.Println("Error unmarshaling projects data:", err) + return + } + if len(projects) == 0 { + logger.Println("The project does not exist yet, creating: ", projectName) + project := map[string]interface{}{ + "project_name": projectName, + "public": false, + } + projectData, err := json.Marshal(project) + if err != nil { + logger.Fatal("Error marshaling project data:", err) + } + + resp, _, err = request("POST", login, "/projects", projectData) + if err != nil { + logger.Fatal("Error creating project: ", err) + } + if resp.StatusCode != http.StatusCreated { + logger.Fatal("Failed to create project:", resp.Status, err) + } + logger.Println("Project created successfully") + } else { + 
logger.Println("Project already exists") + } + + // Check if robot account already exists + logger.Println("Checking if robot account exists:", robotAccountName) + resp, body, err = request("GET", login, "/projects/"+projectName+"/robots", nil) + if err != nil { + logger.Fatal("Error creating robot account: ", err) + } + if resp.StatusCode != http.StatusOK { + logger.Fatal("Failed to get robot account:", err) + return + } + var robots ProjectRobots + err = json.Unmarshal(body, &robots) + if err != nil { + logger.Fatal("Error unmarshaling robots account data:", err) + } + robotId := "" + for _, robot := range robots { + if robot.Name != "robot$"+projectName+"+"+robotAccountName { + continue + } + for _, permission := range robot.Permissions { + if permission.Namespace != projectName { + continue + } + logger.Println("Robot account already exists") + robotId = strconv.Itoa(robot.Id) + break + } + } + + robotData := map[string]interface{}{} + if robotId == "" { + // Create a robot account + logger.Println("Creating robot account:", robotAccountName) + robotData = map[string]interface{}{ + "name": robotAccountName, + "permissions": []map[string]interface{}{ + { + "access": []map[string]string{ + {"resource": "repository", "action": "list"}, + {"resource": "repository", "action": "pull"}, + {"resource": "repository", "action": "push"}, + {"resource": "repository", "action": "read"}, + }, + "kind": "project", + "namespace": projectName, + }, + }, + "duration": -1, + "level": "project", + } + robotAccountData, err := json.Marshal(robotData) + if err != nil { + logger.Fatal("Error marshaling robot account data:", err) + } + resp, respBody, err := request("POST", login, "/robots/"+robotId, robotAccountData) + if err != nil { + logger.Fatal("Error creating robot account: ", err) + } + createdRobot := ResponseRobot{} + json.Unmarshal(respBody, &createdRobot) + robotId = strconv.Itoa(createdRobot.Id) + if resp.StatusCode != http.StatusCreated { + logger.Fatal("Failed to create 
robot account:", resp.Status, string(respBody), err) + } + } + + // Update the robot account secret + logger.Println("Setting the secret for the robot account:", robotAccountName) + robotData = map[string]interface{}{ + "secret": robotSecret, + } + robotAccountData, err := json.Marshal(robotData) + if err != nil { + logger.Fatal("Error marshaling robot account data:", err) + } + + resp, respBody, err := request("PATCH", login, "/robots/"+robotId, robotAccountData) + if err != nil { + logger.Fatal("Error updating robot secret: ", err) + } + if resp.StatusCode != http.StatusOK { + logger.Fatal("Failed to update the secret of the robot account:", resp.Status, string(respBody), err) + } + + logger.Println("Robot account secret updated successfully.") +} From 8c00a62033154412f6a4a484e1e48f3f07a20477 Mon Sep 17 00:00:00 2001 From: Alessandro Degano Date: Tue, 15 Apr 2025 15:35:39 +0200 Subject: [PATCH 16/24] address PR comments --- scripts/harbor-init/harbor-init.go | 58 +++++++++++++++++++++++------- 1 file changed, 46 insertions(+), 12 deletions(-) diff --git a/scripts/harbor-init/harbor-init.go b/scripts/harbor-init/harbor-init.go index 09450540b1..767082e810 100644 --- a/scripts/harbor-init/harbor-init.go +++ b/scripts/harbor-init/harbor-init.go @@ -4,11 +4,13 @@ import ( "bytes" "encoding/json" "flag" + "fmt" "io" "log" "net/http" "os" "strconv" + "strings" ) const ( 
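Review bot: In the robot-creation branch the result of `json.Unmarshal(respBody, &createdRobot)` is discarded and `robotId` is derived from it before the status code is checked, so a 201 with an unexpected body silently yields `robotId == "0"` and the later PATCH addresses `/robots/0` instead of failing. Checking `resp.StatusCode` first and then `if err := json.Unmarshal(respBody, &createdRobot); err != nil { logger.Fatal("Error unmarshaling created robot:", err) }` closes that gap. `projectName` is also concatenated into `/projects?name=` and `/projects/.../robots` without `url.QueryEscape`/`url.PathEscape` (from `net/url`), which is fine for the default name but breaks on reserved characters. Finally, the admin password and robot secret are accepted only as command-line flags, where they appear in the process table and shell history; the later patch on this page redacts them in logs but keeps them on the command line, so an `os.Getenv` fallback would be the usual complement.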
@@ -16,10 +18,41 @@ const ( HARBOR_API_ENDPOINT = "/api/v2.0" ) +type SensitiveString string + +func (s SensitiveString) String() string { + return "" +} + +func (s SensitiveString) Format(w fmt.State, v rune) { + _, err := w.Write([]byte(s.String())) + if err != nil { + panic(err) + } +} + +func (s *SensitiveString) Set(value string) error { + // Set the sensitive string value + *s = SensitiveString(value) + return nil +} + type Login struct { + Client *http.Client Url string Username string - Password string + Password SensitiveString +} + +func (l *Login) String() string { + return l.Url + " " + l.Username + " " + "" +} + +func (l *Login) Format(w fmt.State, v rune) { + _, err := w.Write([]byte(l.String())) + if err != nil { + panic(err) + } } type Projects []struct { @@ -39,15 +72,14 @@ type ResponseRobot struct { } func request(method string, login Login, endpoint string, body []byte) (*http.Response, []byte, error) { - client := &http.Client{} req, err := http.NewRequest(method, login.Url+endpoint, bytes.NewBuffer(body)) if err != nil { return nil, nil, err } - req.SetBasicAuth(login.Username, login.Password) + req.SetBasicAuth(login.Username, string(login.Password)) req.Header.Set("Content-Type", "application/json") - resp, err := client.Do(req) + resp, err := login.Client.Do(req) if err != nil { return nil, nil, err } 
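Review bot: `Login.String` and `Login.Format` are declared on `*Login`, but `request` takes `Login` by value, so a `Login` value handed to the logger falls back to fmt's default struct printing; the `Password` field still redacts itself through `SensitiveString`'s value-receiver `Format`, so nothing leaks, but the struct-level redaction only applies to pointers. Declaring both on value receivers, `func (l Login) String() string` and `func (l Login) Format(w fmt.State, v rune)`, makes the behaviour the same either way. `SensitiveString.Format` also ignores the verb, so `%q` and `%v` print identically; that is acceptable for a redaction type, but a comment such as `// Format deliberately ignores the verb: every formatting of a SensitiveString prints the redacted form.` would stop someone "fixing" it later.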
@@ -62,24 +94,27 @@ func request(method string, login Login, endpoint string, body []byte) (*http.Re func main() { urlFlag := flag.String("url", "https://harbor.example.com", "Harbor URL") adminFlag := flag.String("admin", "admin", "Harbor admin username") - passwordFlag := flag.String("password", "", "Harbor admin password") + var passwordFlag SensitiveString = "" + flag.Var(&passwordFlag, "password", "Harbor admin password") projectNameFlag := flag.String("project", "renku-build", "Project name") robotAccountNameFlag := flag.String("robot", "renku-registry-robot", "Robot account name") - robotSecretFlag := flag.String("secret", "", "Robot account secret") + var robotSecretFlag SensitiveString = "" + flag.Var(&robotSecretFlag, "secret", "Robot account secret") flag.Parse() // Initialize logger to print to stdout logger := log.New(os.Stdout, "INFO: ", log.Ldate|log.Ltime) login := Login{} + login.Client = &http.Client{} // Get login from environment variable if *urlFlag == "" { logger.Fatal("url flag is not set") } - login.Url = *urlFlag + HARBOR_API_ENDPOINT + login.Url = strings.TrimRight(*urlFlag, "/") + HARBOR_API_ENDPOINT login.Username = *adminFlag if login.Username == "" { logger.Fatal("admin flag is not set") } - login.Password = *passwordFlag + login.Password = passwordFlag if login.Password == "" { logger.Fatal("password flag is not set") } @@ -91,7 +126,7 @@ func main() { if robotAccountName == "" { logger.Fatal("robot flag is not set") } - robotSecret := *robotSecretFlag + robotSecret := robotSecretFlag if robotSecret == "" { logger.Fatal("secret flag is not set") } 
@@ -151,11 +186,10 @@ func main() { logger.Println("Checking if robot account exists:", robotAccountName) resp, body, err = request("GET", login, "/projects/"+projectName+"/robots", nil) if err != nil { - logger.Fatal("Error creating robot account: ", err) + logger.Fatal("Error getting robot account: ", err) } if resp.StatusCode != http.StatusOK { logger.Fatal("Failed to get robot account:", err) - return } var robots ProjectRobots err = json.Unmarshal(body, &robots) @@ -217,7 +251,7 @@ func main() { // Update the robot account secret logger.Println("Setting the secret for the robot account:", robotAccountName) robotData = map[string]interface{}{ - "secret": robotSecret, + "secret": string(robotSecret), } robotAccountData, err := json.Marshal(robotData) if err != nil { From 31f06914c007b0f9e75705cf9b3245d769798bf5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 00:11:12 +0200 Subject: [PATCH 17/24] chore: add hostname configmap --- .../renku/templates/keycloak-hostname-configmap.yaml | 11 +++++++++++ helm-chart/renku/values.yaml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 helm-chart/renku/templates/keycloak-hostname-configmap.yaml diff --git a/helm-chart/renku/templates/keycloak-hostname-configmap.yaml b/helm-chart/renku/templates/keycloak-hostname-configmap.yaml new file mode 100644 index 0000000000..9b8b407a34 --- /dev/null +++ b/helm-chart/renku/templates/keycloak-hostname-configmap.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: keycloak-hostname + labels: + app: {{ template "renku.name" . }} + chart: {{ template "renku.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} +data: + KC_HOSTNAME: "https://{{ .Values.global.renku.domain }}/auth" diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index 74dc230c8c..1a365df579 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml 
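Review bot: `logger.Fatal("Failed to get robot account:", err)` in the `-151` hunk still prints `err`, which is nil on this path because the `err != nil` branch just above already exited; the useful diagnostics are the status and body, `logger.Fatal("Failed to get robot account:", resp.Status, string(body))`. The same nil-`err` pattern appears in the project lookup further up the file, outside this hunk. Removing the unreachable `return` after `logger.Fatal` is the right call.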
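Review bot: The new ConfigMap is named with the fixed string `keycloak-hostname` rather than through a fullname helper, so two releases in one namespace would collide; this matches the unprefixed `keycloak-password-secret` referenced in the values hunk that follows, so it is at least consistent, but a comment recording that these Keycloak objects are intentionally un-prefixed would help. The `KC_HOSTNAME` value replaces the `--hostname-strict=false` / `--hostname-strict-https=false` args dropped on the next line, and nothing in the template says so; a comment above `data:` such as `# Full public URL of Keycloak; replaces the former --hostname-strict=false args in values.yaml` ties the two changes together for the next reader.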
@@ -256,8 +256,6 @@ keycloakx: - "start" - "--http-enabled=true" - "--http-port=8080" - - "--hostname-strict=false" - - "--hostname-strict-https=false" # The following environment variables are provided to keycloak # as extraEnvFrom secrets. # renku-keycloak-postgres @@ -273,6 +271,8 @@ keycloakx: name: renku-keycloak-postgres - secretRef: name: keycloak-password-secret + - configMapRef: + name: keycloak-hostname extraVolumeMounts: | - name: theme mountPath: /opt/keycloak/themes/renku-theme From 23c928a8f3c97132ed37bca0791f23a2d1e3ada3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 00:47:36 +0200 Subject: [PATCH 18/24] chore: bump kc chart to 2.5.1 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index ab0068dc1b..a34d2ec625 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.4.4 + version: 2.5.1 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From 0931d8311581214173337386cdc1cf525e9e7fd3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 01:11:45 +0200 Subject: [PATCH 19/24] chore: bump kc chart to 5.0.0 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index a34d2ec625..ddb8dc6462 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml 
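Review bot: Dropping `--hostname-strict=false` and `--hostname-strict-https=false` tightens Keycloak's hostname checks to the value supplied by the new `keycloak-hostname` ConfigMap, which is a good change, but nothing in this commit records it: a deployment that overrides the `keycloakx` args list or `extraEnvFrom` in its own values keeps the old flags or misses the `configMapRef`, and `helm-chart/values.yaml.changelog.md` gets no entry. A line in that changelog naming the two removed args and the new `configMapRef: keycloak-hostname` requirement would cover it. The surrounding `keycloakx` block continues outside both hunks.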
@@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 2.5.1 + version: 5.0.0 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From eb8a4fa028803a8e84aa4408c76d9a5f81ae8edb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 01:32:10 +0200 Subject: [PATCH 20/24] chore: bump kc chart to 6.0.0 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index ddb8dc6462..e12a5ae8ac 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml @@ -4,7 +4,7 @@ dependencies: repository: "oci://registry-1.docker.io/bitnamicharts" condition: postgresql.enabled - name: keycloakx - version: 5.0.0 + version: 6.0.0 repository: "https://codecentric.github.io/helm-charts" condition: keycloakx.enabled - name: redis From 980f087a911e72c407903b01645c0e3df6ce0722 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 10:12:24 +0200 Subject: [PATCH 21/24] chore: handle the error if client has no service account --- scripts/init-realm/init-realm.py | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/scripts/init-realm/init-realm.py b/scripts/init-realm/init-realm.py index 0e283cae9d..8f4dab1d8c 100644 --- a/scripts/init-realm/init-realm.py +++ b/scripts/init-realm/init-realm.py 
@@ -129,14 +129,18 @@ def _check_and_create_client(keycloak_admin, new_client: OIDCClient, force: bool keycloak_admin.delete_client(realm_client["id"]) created_client_id = keycloak_admin.create_client(new_client.to_dict()) - service_account_user = keycloak_admin.get_client_service_account_user(created_client_id) + logging.info(f"Created client {created_client_id}") - if isinstance(service_account_user, dict) and service_account_user.get("id"): + # if a client does not have a service account, calling get_client_service_account_user raises a KeycloakGetError + try: + service_account_user = keycloak_admin.get_client_service_account_user(created_client_id) logging.info(f"Reassigning service account roles {new_client.service_account_roles}") realm_management_roles = keycloak_admin.get_client_roles(realm_management_client_id) matching_roles = [{"name": role["name"], "id": role["id"]} for role in realm_management_roles if role["name"] in new_client.service_account_roles ] logging.info(f"Found and assigning matching roles: {matching_roles}") keycloak_admin.assign_client_role(service_account_user["id"], realm_management_client_id, matching_roles) + except KeycloakGetError: + logging.info(f"Client {created_client_id} does not use a service account.") logging.info("done") From 810b3abc786c39fa0452b5a6a68b7e6c6a6b0358 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rok=20Ro=C5=A1kar?= Date: Thu, 24 Apr 2025 10:29:51 +0200 Subject: [PATCH 22/24] chore: update kc chart to 7.0.1 --- helm-chart/renku/requirements.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-chart/renku/requirements.yaml b/helm-chart/renku/requirements.yaml index e12a5ae8ac..f5e045056b 100644 --- a/helm-chart/renku/requirements.yaml +++ b/helm-chart/renku/requirements.yaml 
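Review bot: The `try` in `_check_and_create_client` wraps not only `get_client_service_account_user` but also `get_client_roles` and `assign_client_role`, so a `KeycloakGetError` raised by the role lookup is logged as "does not use a service account" and the missing role assignment goes unnoticed. Narrowing the `try` to the single call and moving the rest into an `else:` branch keeps the intended behaviour and the exact messages. Whether `KeycloakGetError` is already imported (it lives in `keycloak.exceptions` in python-keycloak) cannot be seen from the hunk; if it is not, the `except` clause raises `NameError`, but only when the exception actually occurs. The function starts outside the hunk.
```python
    # if a client does not have a service account, calling get_client_service_account_user raises a KeycloakGetError
    try:
        service_account_user = keycloak_admin.get_client_service_account_user(created_client_id)
    except KeycloakGetError:
        logging.info(f"Client {created_client_id} does not use a service account.")
    else:
        logging.info(f"Reassigning service account roles {new_client.service_account_roles}")
        # … unchanged: realm-management role lookup and assign_client_role call …
```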
@@ -4,7 +4,7 @@ dependencies:
 repository: "oci://registry-1.docker.io/bitnamicharts"
 condition: postgresql.enabled
 - name: keycloakx
- version: 6.0.0
+ version: 7.0.1
 repository: "https://codecentric.github.io/helm-charts"
 condition: keycloakx.enabled
 - name: redis
From 8c22c8023f9bcbcda316f4f8a9b248240dfd5d00 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 25 Apr 2025 13:30:11 +0000
Subject: [PATCH 23/24] chore(deps): bump the gh-actions group with 2 updates (#3968)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bumps the gh-actions group with 2 updates: [actions/checkout](https://github.com/actions/checkout) and [SwissDataScienceCenter/renku-actions](https://github.com/swissdatasciencecenter/renku-actions).
Updates `actions/checkout` from 4.1.7 to 4.2.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4.1.7...v4.2.2)
Updates `SwissDataScienceCenter/renku-actions` from 1.17.0 to 1.18.0
- [Release notes](https://github.com/swissdatasciencecenter/renku-actions/releases)
- [Commits](https://github.com/swissdatasciencecenter/renku-actions/compare/v1.17.0...v1.18.0)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gh-actions
- dependency-name: SwissDataScienceCenter/renku-actions
dependency-type: direct:production
update-type: version-update:semver-minor
dependency-group: gh-actions
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Rok Roškar
---
 .github/workflows/cron-jobs.yaml | 2 +-
 .github/workflows/publish-helm-chart.yml | 2 +-
 .github/workflows/publish-master-merges.yaml | 2 +-
 .github/workflows/pull-request-test.yml | 20 ++++++++++----------
 .github/workflows/renku-dev-test.yaml | 2 +-
 5 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
index 8c771e10b3..9138f2b4c7 100644
--- a/.github/workflows/cron-jobs.yaml
+++ b/.github/workflows/cron-jobs.yaml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: renku teardown
- uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.17.0
+ uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.18.2
 env:
 GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }}
 RENKUBOT_KUBECONFIG: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }}
diff --git a/.github/workflows/publish-helm-chart.yml b/.github/workflows/publish-helm-chart.yml
index 4f34242a11..8e67bad766 100644
--- a/.github/workflows/publish-helm-chart.yml
+++ b/.github/workflows/publish-helm-chart.yml
@@ -15,7 +15,7 @@ jobs:
 - name: Set version
 id: vars
 run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
- - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.17.0
+ - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.18.2
 env:
 CHART_DIR: helm-chart/
 CHART_NAME: renku
diff --git a/.github/workflows/publish-master-merges.yaml b/.github/workflows/publish-master-merges.yaml
index 2ebb22789f..200d5b9a8a 100644
--- a/.github/workflows/publish-master-merges.yaml
+++ b/.github/workflows/publish-master-merges.yaml
@@ -35,7 +35,7 @@ jobs:
 - id: set-version
 run: |
 echo "publish_version=${{ steps.bump-semver.outputs.new_version }}.$(echo ${{ github.sha }} | cut -c 1-7)" >> $GITHUB_ENV
- - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.17.0
+ - uses: SwissDataScienceCenter/renku-actions/publish-chart@v1.18.2
 env:
 CHART_DIR: helm-chart/
 CHART_TAG: "--tag ${{env.publish_version}}"
diff --git a/.github/workflows/pull-request-test.yml b/.github/workflows/pull-request-test.yml
index 8211fc7575..7226f65af6 100644
--- a/.github/workflows/pull-request-test.yml
+++ b/.github/workflows/pull-request-test.yml
@@ -71,11 +71,11 @@ jobs:
 extra-values: ${{ steps.deploy-comment.outputs.extra-values || steps.deploy-comment-azure.outputs.extra-values }}
 steps:
 - id: deploy-comment
- uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.18.1
+ uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.18.2
 with:
 pr_ref: ${{ github.event.number }}
 - id: deploy-comment-azure
- uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.18.1
+ uses: SwissDataScienceCenter/renku-actions/check-pr-description@v1.18.2
 with:
 string: /AzureDeploy
 pr_ref: ${{ github.event.number }}
@@ -91,7 +91,7 @@ jobs:
 name: ci-renku-${{ github.event.number }}
 url: https://ci-renku-${{ github.event.number }}.dev.renku.ch
 steps:
- - uses: actions/checkout@v4.1.7
+ - uses: actions/checkout@v4.2.2
 - name: Find deployment url
 if: needs.check-deploy.outputs.switch-deploy == 'true'
 uses: peter-evans/find-comment@v3
@@ -111,7 +111,7 @@ jobs:
 You can access the deployment of this PR at https://ci-renku-${{ github.event.number }}.dev.renku.ch
 - name: renku build and deploy
 if: needs.check-deploy.outputs.switch-deploy == 'true'
- uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.18.1
+ uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.18.2
 env:
 DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }}
 DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }}
@@ -143,7 +143,7 @@ jobs:
 id-token: write
 if: github.event.action != 'closed'
 steps:
- - uses: actions/checkout@v4.1.7
+ - uses: actions/checkout@v4.2.2
 - name: Find deployment url
 if: needs.check-deploy.outputs.azure-deploy == 'true'
 uses: peter-evans/find-comment@v3
@@ -188,7 +188,7 @@ jobs:
 - name: renku build and deploy
 if: needs.check-deploy.outputs.azure-deploy == 'true'
- uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.18.1
+ uses: SwissDataScienceCenter/renku-actions/deploy-renku@v1.18.2
 env:
 DOCKER_PASSWORD: ${{ secrets.RENKU_DOCKER_PASSWORD }}
 DOCKER_USERNAME: ${{ secrets.RENKU_DOCKER_USERNAME }}
@@ -246,7 +246,7 @@ jobs:
 cat "${{ github.workspace }}/renkubot-kube.config" >> $GITHUB_ENV
 echo "EOF" >> $GITHUB_ENV
- - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.18.1
+ - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.18.2
 with:
 kubeconfig: ${{ needs.check-deploy.outputs.azure-deploy == 'true' && env.RENKUBOT_KUBECONFIG || secrets.RENKUBOT_DEV_KUBECONFIG }}
 renku-release: ci-renku-${{ github.event.number }}
@@ -273,7 +273,7 @@ jobs:
 rstudioSession,
 ]
 steps:
- - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.18.1
+ - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.18.2
 if: github.event.action != 'closed' && (needs.check-deploy.outputs.switch-deploy == 'true' || needs.check-deploy.outputs.azure-deploy == 'true') && needs.check-deploy.outputs.test-legacy-enabled == 'true'
 with:
 e2e-target: ${{ matrix.tests }}
@@ -300,7 +300,7 @@ jobs:
 sessionBasics,
 ]
 steps:
- - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.18.1
+ - uses: SwissDataScienceCenter/renku-actions/test-renku-cypress@v1.18.2
 if: github.event.action != 'closed' && (needs.check-deploy.outputs.switch-deploy == 'true' || needs.check-deploy.outputs.azure-deploy == 'true') && needs.check-deploy.outputs.test-enabled == 'true'
 with:
 e2e-folder: cypress/e2e/v2/
@@ -385,7 +385,7 @@ jobs:
 # Cleanup for both standard and Azure deployments
 - name: renku teardown
- uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.18.1
+ uses: SwissDataScienceCenter/renku-actions/cleanup-renku-ci-deployments@v1.18.2
 env:
 HELM_RELEASE_REGEX: "^ci-renku-${{ github.event.number }}$"
 GITLAB_TOKEN: ${{ secrets.DEV_GITLAB_TOKEN }}
diff --git a/.github/workflows/renku-dev-test.yaml b/.github/workflows/renku-dev-test.yaml
index 906bf12eea..80e8655d6a 100644
--- a/.github/workflows/renku-dev-test.yaml
+++ b/.github/workflows/renku-dev-test.yaml
@@ -8,7 +8,7 @@ jobs:
 github.event.client_payload.message == 'Helm test succeeded' }}
 runs-on: ubuntu-24.04
 steps:
- - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.17.0
+ - uses: SwissDataScienceCenter/renku-actions/test-renku@v1.18.2
 with:
 kubeconfig: ${{ secrets.RENKUBOT_DEV_KUBECONFIG }}
 renku-release: renku
From ef32a92ac2cf31c73a71b74e21e1d519f6b8a53c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rok=20Ro=C5=A1kar?=
Date: Mon, 5 May 2025 14:13:06 +0200
Subject: [PATCH 24/24] chore: try modified theme
---
 helm-chart/renku/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml
index f9e95a2233..fd2738d641 100644
--- a/helm-chart/renku/values.yaml
+++ b/helm-chart/renku/values.yaml
@@ -317,7 +317,7 @@ keycloakx:
 enabled: false
 extraInitContainers: |
 - name: theme-provider
- image: renku/keycloak-theme:4.1.6
+ image: renku/keycloak-theme:fa8d7f3
 imagePullPolicy: IfNotPresent
 command:
 - sh