From ca0609ac6dc2e129b6d1a91dc417bb21bc58ef62 Mon Sep 17 00:00:00 2001 From: HighTier-dev Date: Wed, 25 Feb 2026 11:09:32 -0500 Subject: [PATCH 1/5] tjw2: qa-vectis --- .../dev-environments/qa-vectis/Chart.yaml | 23 + .../qa-vectis/templates/app.yaml | 32 + .../dev-environments/qa-vectis/values.yaml | 10 + .../qa-vectis/values/values.yaml | 710 ++++++++++++++++++ 4 files changed, 775 insertions(+) create mode 100644 devplanetv2/dev-environments/qa-vectis/Chart.yaml create mode 100644 devplanetv2/dev-environments/qa-vectis/templates/app.yaml create mode 100644 devplanetv2/dev-environments/qa-vectis/values.yaml create mode 100644 devplanetv2/dev-environments/qa-vectis/values/values.yaml diff --git a/devplanetv2/dev-environments/qa-vectis/Chart.yaml b/devplanetv2/dev-environments/qa-vectis/Chart.yaml new file mode 100644 index 00000000..0aaf0f71 --- /dev/null +++ b/devplanetv2/dev-environments/qa-vectis/Chart.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v2 +name: main.dev.planx-pla.net +description: A template manifest for spinning up dev environments using gitops + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.4 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +appVersion: "1.0" diff --git a/devplanetv2/dev-environments/qa-vectis/templates/app.yaml b/devplanetv2/dev-environments/qa-vectis/templates/app.yaml new file mode 100644 index 00000000..b73b9e4f --- /dev/null +++ b/devplanetv2/dev-environments/qa-vectis/templates/app.yaml 
@@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: gen3-dev-{{ .Values.name }} + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + sources: + - path: helm/gen3 + repoURL: https://github.com/uc-cdis/gen3-helm + targetRevision: {{ .Values.helmBranch }} + helm: + releaseName: {{ .Values.Name }} + valueFiles: + - $values/devplanetv2/dev-environments/{{ .Values.name }}/values/values.yaml + - repoURL: 'https://github.com/uc-cdis/gen3-gitops-dev.git' + targetRevision: {{ .Values.gitopsBranch }} + ref: values + destination: + server: "https://kubernetes.default.svc" + namespace: {{ .Values.name }} + ignoreDifferences: + - + kind: "Secret" + jsonPointers: + - /data + syncPolicy: + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true diff --git a/devplanetv2/dev-environments/qa-vectis/values.yaml b/devplanetv2/dev-environments/qa-vectis/values.yaml new file mode 100644 index 00000000..db04d0b6 --- /dev/null +++ b/devplanetv2/dev-environments/qa-vectis/values.yaml @@ -0,0 +1,10 @@ +# Change this to your env. +# !!! Needs to match the folder name. +# F.ex qa-brh +name: qa-vectis + +# What branch of helm -- http://github.com/uc-cdis/gen3-helm +helmBranch: master + +# What branch of gitops -- http://github.com/uc-cdis/gen3-gitops-dev +gitopsBranch: master \ No newline at end of file diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml new file mode 100644 index 00000000..97c4225c --- /dev/null +++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml 
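Review bot: `releaseName: {{ .Values.Name }}` references a capitalised key that values.yaml in this same patch does not define (it sets `name: qa-vectis`), while `metadata.name`, the `valueFiles` path and `destination.namespace` all use `.Values.name`, so the release name appears to render empty; change it to `releaseName: {{ .Values.name }}`. The templated scalars are unquoted (`targetRevision: {{ .Values.helmBranch }}`, `namespace: {{ .Values.name }}`), so a branch or env name that YAML reads as a number or boolean would silently change type — writing them as `"{{ .Values.helmBranch }}"` avoids that. `ignoreDifferences` on every Secret's `/data` combined with `RespectIgnoreDifferences=true` means Argo CD will not reconcile in-cluster edits to any Secret in the namespace, not only the externally-managed ones; if that is intended, a comment naming which Secrets are expected to drift would make the scope explicit.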
@@ -0,0 +1,710 @@ +global: + # Disabling local Elasticasearch and Postgres. + dev: false + aws: + enabled: true + account: "707767160287" + scheme: "internal" + secretStoreServiceAccount: + enabled: true + name: secret-store-sa + netPolicy: + # TODO: Figure out netpols with local dbs + enabled: false + dbSubnet: "" + environment: qaplanetv1 + externalSecrets: + deploy: true + dbCreate: true + hostname: qa-vectis.dev.planx-pla.net + dictionaryUrl: https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json + # We disable portal by default to save $$$ + frontendRoot: gen3ff + postgres: + dbCreate: true + externalSecret: "devplanetv2-aurora-master-password" + master: + host: "devplanetv2-aurora-cluster-new.cluster-cwvizkxhzjt8.us-east-1.rds.amazonaws.com" + # Wildcard cert for *.dev.planx-pla.net + revproxyArn: arn:aws:acm:us-east-1:707767160287:certificate/798e629d-05ee-4bc5-b51f-a86861f29b68 + crossplane: + # -- (bool) Set to true if deploying to AWS and want to use crossplane for AWS resources. + enabled: true + # The name of the crossplane provider config. + providerConfigName: provider-aws + # OIDC provider URL. This is used for authentication of roles/service accounts. + oidcProviderUrl: "oidc.eks.us-east-1.amazonaws.com/id/F057519C0E32B7DE2580904C4007BB21" + # The account ID of the AWS account. + accountId: "707767160287" + s3: + # The kms key id for the s3 bucket. + kmsKeyId: "387b8ebf-c8b8-4887-9b2c-639aee77654c" + topologySpread: + # -- (bool) Whether to enable topology spread constraints for all subcharts that support it. + enabled: true + # -- (string) The topology key to use for spreading. Defaults to "topology.kubernetes.io/zone". + topologyKey: "topology.kubernetes.io/zone" + # -- (int) The maxSkew to use for topology spread constraints. Defaults to 1. 
+ maxSkew: 1 + +aws-es-proxy: + enabled: true + esEndpoint: vpc-devplanetv2-gen3-metadata-2-xkwr2f3gbxua5mqqi7rhnat4la.us-east-1.es.amazonaws.com +ambassador: + resources: + requests: + memory: "105Mi" + cpu: "15m" + +arborist: + image: + tag: master + resources: + requests: + memory: "105Mi" + cpu: "15m" + +audit: + externalSecrets: + createK8sAuditSecret: true + image: + tag: master + enabled: true + resources: + requests: + memory: "105Mi" + cpu: "15m" + # image: + # repository: audit + # tag: local + # pullPolicy: Never + +frontend-framework: + # image: + # tag: main + # repository: + customConfig: + enabled: true + enabled: true + resources: + requests: + memory: "256Mi" + cpu: "15m" + +hatchery: + externalSecrets: + createK8sStataSecret: true + resources: + requests: + memory: "105Mi" + cpu: "15m" + image: + tag: master + hatchery: + sidecarContainer: + image: quay.io/cdis/gen3fuse-sidecar:master + command: + - /bin/bash + - /sidecarDockerrun.sh + containers: + - target-port: 8888 + cpu-limit: "2" + memory-limit: 3Gi + name: "(Tutorials) Example Analysis Jupyter Lab Notebooks" + image: quay.io/cdis/jupyter-superslim:1.0.5 + env: + FRAME_ANCESTORS: https://{{ .Values.global.hostname }} + args: + - "--NotebookApp.base_url=/lw-workspace/proxy/" + - "--NotebookApp.default_url=/lab" + - "--NotebookApp.password=''" + - "--NotebookApp.token=''" + - "--NotebookApp.shutdown_no_activity_timeout=5400" + - "--NotebookApp.quit_button=False" + command: + - start-notebook.sh + path-rewrite: "/lw-workspace/proxy/" + use-tls: "false" + ready-probe: "/lw-workspace/proxy/" + lifecycle-post-start: + - "/bin/sh" + - "-c" + - export IAM=`whoami`; rm -rf /home/$IAM/pd/dockerHome; rm -rf /home/$IAM/pd/lost+found; + ln -s /data /home/$IAM/pd/; true + user-uid: 1000 + fs-gid: 100 + user-volume-location: "/home/jovyan/pd" + gen3-volume-location: "/home/jovyan/.gen3" + +portal: + # Disable portal by default + enabled: false + # + # resources: + # requests: + # cpu: "15m" + # memory: 
100Mi + image: + repository: quay.io/cdis/data-portal + tag: master + +etl: + enabled: true + etlMapping: + mappings: + - name: data_source + doc_type: case + type: aggregator + root: case + props: + - name: project_id + - name: index_date + - name: log_data_file + doc_type: data_file + type: collector + root: None + category: data_file + props: + - name: source_node + - name: project_id + - name: object_id + - name: file_name + - name: file_size + - name: data_format + - name: data_type + - name: data_category + - name: experimental_strategy + - name: platform + + # image: + # tube: + #repository: tube + # tag: master + esEndpoint: "gen3-elasticsearch-master" + +guppy: + enabled: false + resources: + requests: + memory: "105Mi" + cpu: "15m" + image: + repository: quay.io/cdis/guppy + tag: master + esEndpoint: http://elasticsearch:9200 + +indexd: + image: + tag: master + resources: + requests: + memory: "105Mi" + cpu: "15m" + defaultPrefix: dev/ + externalSecrets: + createK8sServiceCredsSecret: true + +metadata: + esEndpoint: http://elasticsearch:9200 + externalSecrets: + createK8sMetadataSecret: true + resources: + requests: + memory: "105Mi" + cpu: "15m" + # image: + # repository: + # tag: + enabled: true + useAggMds: "True" + # -- (string) Namespace to use if AggMds is enabled. 
+ aggMdsNamespace: default + aggMdsConfig: | + { + "gen3_commons": { + "HEAL": { + "mds_url": "https://data.midrc.org/", + "commons_url" : "data.midrc.org", + "adapter": "gen3", + "config" : { + "guid_type": "discovery_metadata", + "study_field": "gen3_discovery" + }, + "keep_original_fields": false, + "field_mappings" : { + "authz": "path:authz", + "tags": "path:tags", + "_unique_id": "path:_unique_id", + "study_id": "path:_unique_id", + "study_description": "path:data_description", + "full_name": "path:full_name", + "short_name": "path:short_name", + "commons": "Medical Imaging and Data Resource Center (MIDRC)", + "study_url": "path:data_url", + "_subjects_count" : {"path":"cases_count", "default" : 0 }, + "__manifest": "path:__manifest", + "commons_url" : "data.midrc.org" + } + } + }, + "adapter_commons": {} + } + +manifestservice: + resources: + requests: + memory: "105Mi" + cpu: "15m" + externalSecrets: + createK8sManifestServiceSecret: true + +ssjdispatcher: + enabled: false + +sower: + enabled: false + +peregrine: + resources: + requests: + memory: "105Mi" + cpu: "15m" + image: + +revproxy: + resources: + requests: + memory: "105Mi" + cpu: "15m" + ingress: + aws: + # Do not change- this will break DNS for your env. + group: devplanetv2-internal + +sheepdog: + resources: + requests: + memory: "105Mi" + cpu: "15m" + image: + tag: master + +requestor: + enabled: true + +wts: + image: + tag: master + resources: + requests: + memory: "105Mi" + cpu: "15m" + externalSecrets: + createWtsOidcClientSecret: true + createK8sWtsSecret: true + + +# Database configuration + +elasticsearch: + persistence: + enabled: true + +# -- (map) To configure postgresql subchart +postgresql: + primary: + persistence: + # -- (bool) Option to persist the dbs data. 
+ enabled: true + +fence: + externalSecrets: + createK8sFenceConfigSecret: false + fenceGoogleAppCredsSecret: ci-fence-google-app-creds-secret + fenceGoogleStorageCredsSecret: ci-fence-google-storage-creds-secret + fenceConfig: "devplanetv2-generic-fence-config" + usersync: + usersync: true + userYamlS3Path: s3://cdis-gen3-users/dev/user.yaml + FENCE_CONFIG_PUBLIC: + # Prefix to namespace Google Groups on a single Cloud Identity + # This will be dynamically replaced by env_setup.sh script. + GOOGLE_GROUP_PREFIX: + + # Prefix to namespace Google Service Accounts in a single Google Cloud Platform Project. + # This will be dynamically replaced by env_setup.sh script. + GOOGLE_SERVICE_ACCOUNT_PREFIX: + + # -- (string) Name of the Fence app + APP_NAME: "fence" + + # -- (map) Debug and security settings + DEBUG: false + + # -- (bool) if true, will automatically login a user with username "test" + MOCK_AUTH: false + + # -- (bool) if true, will fake a successful login response from Google in /login/google + # NOTE: this will also modify the behavior of /link/google endpoints + # will login as the username set in cookie DEV_LOGIN_COOKIE_NAME + MOCK_GOOGLE_AUTH: true + + # -- (str) the name of the cookie set by mock authentication (used for testing only) + DEV_LOGIN_COOKIE_NAME: "dev_login" + + # -- (bool) if true, will ignore anything configured in STORAGE_CREDENTIALS + MOCK_STORAGE: false + + # -- (bool) allow OIDC traffic on http for development. By default it requires https. + AUTHLIB_INSECURE_TRANSPORT: true + + # -- (bool) enable Prometheus Metrics for observability purposes + ENABLE_PROMETHEUS_METRICS: false + + # -- (bool) set if you want browsers to only send cookies with requests over HTTPS + SESSION_COOKIE_SECURE: true + + # -- (bool) enable CSRF protection + ENABLE_CSRF_PROTECTION: true + + # -- (str) signing key for WTForms to sign CSRF tokens with + WTF_CSRF_SECRET_KEY: "{{ENCRYPTION_KEY}}" + + # -- (bool) fence (at the moment) attempts a migration on startup. 
setting this to false will disable that + ENABLE_DB_MIGRATION: true + + # -- (list) These are the *possible* scopes a client can be given, NOT scopes that are given to all clients. You can be more restrictive during client creation + CLIENT_ALLOWED_SCOPES: + - "openid" + - "user" + - "data" + - "google_credentials" + - "google_service_account" + - "google_link" + - "ga4gh_passport_v1" + + # -- (list) these are the scopes that CAN be included in a user's own access_token + USER_ALLOWED_SCOPES: + - "fence" + - "openid" + - "user" + - "data" + - "admin" + - "google_credentials" + - "google_service_account" + - "google_link" + - "ga4gh_passport_v1" + + # -- (list) these are the scopes that a browser session can create for a user (very similar to USER_ALLOWED_SCOPES, as the session will actually create access_tokens for an actively logged in user) + SESSION_ALLOWED_SCOPES: + - "openid" + - "user" + - "credentials" + - "data" + - "admin" + - "google_credentials" + - "google_service_account" + - "google_link" + - "ga4gh_passport_v1" + + # ////////////////////////////////////////////////////////////////////////////////////// + # LOGIN + # ////////////////////////////////////////////////////////////////////////////////////// + + # List of enabled login options (used by data-portal to display login buttons). + LOGIN_OPTIONS: + - name: 'Login from Google' + idp: google + + # -- (string) Default login provider. - must be configured in LOGIN_OPTIONS and OPENID_CONNECT - - if several options in LOGIN_OPTIONS are defined for this IDP, will default to the first one + DEFAULT_LOGIN_IDP: google + + # `LOGIN_REDIRECT_WHITELIST` is a list of extra whitelisted URLs which can be redirected + # to by the `/login/*` endpoints. 
+ LOGIN_REDIRECT_WHITELIST: [".", "/login"] + + # ////////////////////////////////////////////////////////////////////////////////////// + # LIBRARY CONFIGURATION (authlib & flask) + # ////////////////////////////////////////////////////////////////////////////////////// + # authlib-specific configs for OIDC flow and JWTs + OAUTH2_JWT_ALG: "RS256" + OAUTH2_JWT_ENABLED: true + OAUTH2_JWT_ISS: "{{BASE_URL}}" + OAUTH2_PROVIDER_ERROR_URI: "/api/oauth2/errors" + + # used for flask, "path mounted under by the application / web server" + APPLICATION_ROOT: "/user" + + # ////////////////////////////////////////////////////////////////////////////////////// + # Tokens, Lifetimes, & Expirations + # ////////////////////////////////////////////////////////////////////////////////////// + # The name of the browser cookie in which the access token will be stored. + ACCESS_TOKEN_COOKIE_NAME: "access_token" + + # The name of the browser cookie in which the session token will be stored. + # Note that the session token also stores information for the + # ``flask.session`` in the ``context`` field of the token. + SESSION_COOKIE_NAME: "fence" + + # The domain of the browser cookie in which the session token will be stored. + # Leave unset (not empty string!) for normal single-site deployment. + SESSION_COOKIE_DOMAIN: + + OAUTH2_TOKEN_EXPIRES_IN: + "authorization_code": 1200 + "implicit": 1200 + + # The number of seconds after an access token is issued until it expires. + ACCESS_TOKEN_EXPIRES_IN: 1200 + + # The number of seconds after a refresh token is issued until it expires. + REFRESH_TOKEN_EXPIRES_IN: 2592000 + + # The number of seconds after which a browser session is considered stale. + SESSION_TIMEOUT: 1800 + + # The maximum session lifetime in seconds. 
+ SESSION_LIFETIME: 28800 + + # The number of seconds the user's Google service account key used for + # url signing will last before being expired/rotated + # 30 days: 2592000 seconds + GOOGLE_SERVICE_ACCOUNT_KEY_FOR_URL_SIGNING_EXPIRES_IN: 2592000 + + # The number of seconds after a User's Google Service account is added to bucket + # access until it expires. + # 7 days: 604800 seconds + GOOGLE_USER_SERVICE_ACCOUNT_ACCESS_EXPIRES_IN: 604800 + + # The number of seconds after a User's Google account is added to bucket + # access until it expires. + GOOGLE_ACCOUNT_ACCESS_EXPIRES_IN: 86400 + + # The number of seconds after a pre-signed url is issued until it expires. + MAX_PRESIGNED_URL_TTL: 3600 + + # The number of seconds after an API KEY is issued until it expires. + MAX_API_KEY_TTL: 2592000 + + # The number of seconds after an access token is issued until it expires. + MAX_ACCESS_TOKEN_TTL: 3600 + + # TEMPORARY: The maximum number of projects allowed in token claims. + # This config var should be removed after sheepdog and peregrine support + # auth checks against Arborist, and no longer check the token. + TOKEN_PROJECTS_CUTOFF: 10 + + # If set to true, will generate an new access token each time when a browser session update happens + RENEW_ACCESS_TOKEN_BEFORE_EXPIRATION: false + + # The maximum lifetime of a Gen3 passport in seconds + GEN3_PASSPORT_EXPIRES_IN: 43200 + + ######################################################################################## + # OPTIONAL CONFIGURATIONS # + ######################################################################################## + + # For displaying a privacy policy to users, we can either link to the URL specified by + # PRIVACY_POLICY_URL, or default to the `static/privacy_policy.md` file in fence. 
+ PRIVACY_POLICY_URL: null + + # ////////////////////////////////////////////////////////////////////////////////////// + # RELIABILITY OPTS + # ////////////////////////////////////////////////////////////////////////////////////// + # Configurations related to resiliency, fault-tolerance and availability + # This is the number of requests per second that the Nginx proxy will accept before reaching fence + # The value defined in fence-config-public.yaml takes precedence over this one + # In the absence of this OVERRIDE prefixed config, the legacy NGINX_RATE_LIMIT from the k8s deployment yaml is applied + OVERRIDE_NGINX_RATE_LIMIT: 18 + + # ////////////////////////////////////////////////////////////////////////////////////// + # SUPPORT INFO + # ////////////////////////////////////////////////////////////////////////////////////// + # If you want an email address to show up when an unhandled error occurs, provide one + # here. Something like: support@example.com + SUPPORT_EMAIL_FOR_ERRORS: null + + # ////////////////////////////////////////////////////////////////////////////////////// + # SHIBBOLETH + # - Support using `shibboleth` in LOGIN_OPTIONS + # - Contains defaults for using NIH's Login. + # ////////////////////////////////////////////////////////////////////////////////////// + # assumes shibboleth is deployed under {{BASE_URL}}/shibboleth + SHIBBOLETH_HEADER: "persistent_id" + SSO_URL: "https://auth.nih.gov/affwebservices/public/saml2sso?SPID={{BASE_URL}}/shibboleth&RelayState=" + ITRUST_GLOBAL_LOGOUT: "https://auth.nih.gov/siteminderagent/smlogout.asp?mode=nih&AppReturnUrl=" + + DBGAP_ACCESSION_WITH_CONSENT_REGEX: "(?Pphs[0-9]+)(.(?Pv[0-9]+)){0,1}(.(?Pp[0-9]+)){0,1}.(?Pc[0-9]+)" + + # ////////////////////////////////////////////////////////////////////////////////////// + # STORAGE BACKENDS AND CREDENTIALS + # - Optional: Used for `/admin` & `/credentials` endpoints for user management. 
+ # Also used during User Syncing process to automate managing Storage + # access for users. + # ////////////////////////////////////////////////////////////////////////////////////// + # When true, this modifies usersync (not fence service itself) such that when syncing user + # access to a Google storage backend happens in "bulk" by doing a diff *per google group* + # between what's in Google and what's expected. + GOOGLE_BULK_UPDATES: true + + # Configuration for various storage systems for the backend + STORAGE_CREDENTIALS: + 'google': + backend: google + # this should be the project id where the Google Groups for data access are managed + google_project_id: dcf-integration + + # ////////////////////////////////////////////////////////////////////////////////////// + # AWS BUCKETS AND CREDENTIALS + # - Support `/data` endpoints + # ////////////////////////////////////////////////////////////////////////////////////// + # the cred values should be keys in section `AWS_CREDENTIALS`. + S3_BUCKETS: + cdis-presigned-url-test: + region: 'us-east-1' + cred: 'cdistest' + gen3-helm-data-upload-bucket: + region: 'us-east-1' + cred: 'cdistest' + DATA_UPLOAD_BUCKET: 'gen3-helm-data-upload-bucket' + + # ////////////////////////////////////////////////////////////////////////////////////// + # PROXY + # - Optional: If the api is behind firewall that needs to set http proxy + # ////////////////////////////////////////////////////////////////////////////////////// + # this is only used by the Google Oauth2Client at the moment if provided + HTTP_PROXY: + host: 'cloud-proxy.internal.io' + port: 3128 + + # ////////////////////////////////////////////////////////////////////////////////////// + # MICROSERVICE PATHS + # - Support `/data` endpoints & authz functionality + # ////////////////////////////////////////////////////////////////////////////////////// + # url where indexd microservice is running (for signed urls primarily) + INDEXD: http://indexd-service + # this is the 
username which fence uses to make authenticated requests to indexd + INDEXD_USERNAME: "fence" + # this is the password which fence uses to make authenticated requests to indexd + INDEXD_PASSWORD: "" + + # url where authz microservice is running + ARBORIST: http://arborist-service + + # url where the audit-service is running + # This will be dynamically replaced by env_setup.sh script. + AUDIT_SERVICE: "http://audit-service" + ENABLE_AUDIT_LOGS: + presigned_url: true + login: true + # `PUSH_AUDIT_LOGS_CONFIG.type` is one of: [api, aws_sqs]. + # - if type == api: logs are created by hitting the log creation endpoint. + # - if type == aws_sqs: logs are pushed to an SQS and `aws_sqs_config` fields + # `sqs_url` and `region` are required. Field `aws_cred` is optional and it + # should be a key in section `AWS_CREDENTIALS`. + PUSH_AUDIT_LOGS_CONFIG: + type: aws_sqs + aws_sqs_config: + # This will be dynamically replaced by env_setup.sh script. + sqs_url: https://sqs.us-east-1.amazonaws.com/707767160287/audit-service-sqs + region: us-east-1 + aws_cred: 'cdistest' + + # A Google Project identitifier representing the default project to bill to for + # accessing Google Requester Pays buckets (for signed urls and/or temporary service account + # credentials). + BILLING_PROJECT_FOR_SIGNED_URLS: + BILLING_PROJECT_FOR_SA_CREDS: + + # Setting this to `true` will make Fence automatically attempt to create a Custom Role + # in the billing project and give the necessary Google Service Account that role + # (which will allow it to bill to the project). 
+ ENABLE_AUTOMATIC_BILLING_PERMISSION_SIGNED_URLS: false + ENABLE_AUTOMATIC_BILLING_PERMISSION_SA_CREDS: false + + # ////////////////////////////////////////////////////////////////////////////////////// + # DATA ACCESS: GOOGLE LINKING & SERVICE ACCOUNT REGISTRATION + # - Support `/google/service_accounts` endpoints + # ////////////////////////////////////////////////////////////////////////////////////// + # whether or not to allow access to the /link/google endpoints + ALLOW_GOOGLE_LINKING: true + + # A Google Project with controlled data access will be determined INVALID if + # if it has a parent organization UNLESS that parent organization's ID is in this + # whitelist. + WHITE_LISTED_GOOGLE_PARENT_ORGS: [] + + # Service account email domains that represent a service account that Google owns. + # These are usually created when a sepcific GCP service is enabled. + # This is used for Service Account Validation for Data Access. + GOOGLE_MANAGED_SERVICE_ACCOUNT_DOMAINS: + - "dataflow-service-producer-prod.iam.gserviceaccount.com" + - "cloudbuild.gserviceaccount.com" + - "cloud-ml.google.com.iam.gserviceaccount.com" + - "container-engine-robot.iam.gserviceaccount.com" + - "dataflow-service-producer-prod.iam.gserviceaccount.com" + - "sourcerepo-service-accounts.iam.gserviceaccount.com" + - "dataproc-accounts.iam.gserviceaccount.com" + - "gae-api-prod.google.com.iam.gserviceaccount.com" + - "genomics-api.google.com.iam.gserviceaccount.com" + - "containerregistry.iam.gserviceaccount.com" + - "container-analysis.iam.gserviceaccount.com" + - "cloudservices.gserviceaccount.com" + - "stackdriver-service.iam.gserviceaccount.com" + - "appspot.gserviceaccount.com" + - "partnercontent.gserviceaccount.com" + - "trifacta-gcloud-prod.iam.gserviceaccount.com" + - "gcf-admin-robot.iam.gserviceaccount.com" + - "compute-system.iam.gserviceaccount.com" + - "gcp-sa-websecurityscanner.iam.gserviceaccount.com" + - "storage-transfer-service.iam.gserviceaccount.com" + - 
"firebase-sa-management.iam.gserviceaccount.com" + - "firebase-rules.iam.gserviceaccount.com" + - "gcp-sa-cloudbuild.iam.gserviceaccount.com" + - "gcp-sa-automl.iam.gserviceaccount.com" + - "gcp-sa-datalabeling.iam.gserviceaccount.com" + - "gcp-sa-cloudscheduler.iam.gserviceaccount.com" + + # The types of service accounts that are allowed to be registered at + # /google/service_accounts endpoints + ALLOWED_USER_SERVICE_ACCOUNT_DOMAINS: + # compute engine default service account + - "developer.gserviceaccount.com" + # app engine default service account + - "appspot.gserviceaccount.com" + # user-managed service account + - "iam.gserviceaccount.com" + + # Role caching for generating presigned urls if max role session increase is true + # then we can increase the amount of time that a session is valid for + MAX_ROLE_SESSION_INCREASE: false + ASSUME_ROLE_CACHE_SECONDS: 1800 + + # Optional user registration feature: Ask users to register (provide firstname/lastname/org/email) on login. + # If user registers, add them to configured Arborist group; idea is that the Arborist group + # will have access to download data. + REGISTER_USERS_ON: true + REGISTERED_USERS_GROUP: "" + # RAS refresh_tokens expire in 15 days + RAS_REFRESH_EXPIRATION: 1296000 + # List of JWT issuers from which Fence will accept GA4GH visas + GA4GH_VISA_ISSUER_ALLOWLIST: + - "{{BASE_URL}}" + - "https://sts.nih.gov" + - "https://stsstg.nih.gov" + # Number of projects that can be registered to a Google Service Accont + SERVICE_ACCOUNT_LIMIT: 6 + + # Global sync visas during login + # None(Default): Allow per client i.e. a fence client can pick whether or not to sync their visas during login with parse_visas param in /authorization endpoint + # True: Parse for all clients i.e. a fence client will always sync their visas during login + # False: Parse for no clients i.e. 
a fence client will not be able to sync visas during login even with parse_visas param + GLOBAL_PARSE_VISAS_ON_LOGIN: false + # Settings for usersync with visas + USERSYNC: + sync_from_visas: false + # fallback to dbgap sftp when there are no valid visas for a user i.e. if they're expired or if they're malformed + fallback_to_dbgap_sftp: false + visa_types: + ras: ["https://ras.nih.gov/visas/v1", "https://ras.nih.gov/visas/v1.1"] + RAS_USERINFO_ENDPOINT: "/openid/connect/v1.1/userinfo" From 707188c00ef30ecbefff1aa03e040a765927b016 Mon Sep 17 00:00:00 2001 From: HighTier-dev Date: Fri, 20 Mar 2026 07:40:47 -0400 Subject: [PATCH 2/5] tjw2: update for qa-vectis --- devplanetv2/dev-environments/qa-vectis/values/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml index 97c4225c..ec78919b 100644 --- a/devplanetv2/dev-environments/qa-vectis/values/values.yaml +++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml @@ -17,7 +17,7 @@ global: deploy: true dbCreate: true hostname: qa-vectis.dev.planx-pla.net - dictionaryUrl: https://s3.amazonaws.com/dictionary-artifacts/datadictionary/develop/schema.json + dictionaryUrl: https://s3.amazonaws.com/dictionary-artifacts/vectis_dictionary/v0.0.1/schema.json # We disable portal by default to save $$$ frontendRoot: gen3ff postgres: From 0137f63c2e34d3a311bb1afa15a6eddcaf14e415 Mon Sep 17 00:00:00 2001 From: HighTier-dev Date: Fri, 20 Mar 2026 08:01:52 -0400 Subject: [PATCH 3/5] tjw2: update for chart values --- devplanetv2/dev-environments/qa-vectis/Chart.yaml | 2 +- devplanetv2/dev-environments/qa-vectis/values/values.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/devplanetv2/dev-environments/qa-vectis/Chart.yaml b/devplanetv2/dev-environments/qa-vectis/Chart.yaml index 0aaf0f71..f97cd27b 100644 --- a/devplanetv2/dev-environments/qa-vectis/Chart.yaml 
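Review bot: `MOCK_GOOGLE_AUTH: true` and `AUTHLIB_INSECURE_TRANSPORT: true` under `fence.FENCE_CONFIG_PUBLIC` are committed into a long-lived QA environment; per the inline comment the mock login uses whatever username the `dev_login` cookie carries, so exposure appears to rest only on the `scheme: "internal"` load balancer while `netPolicy.enabled: false` is still marked TODO. If the mock is needed for QA, a comment beside it stating that this env must remain internal-only would record that dependency; otherwise set both back to `false` (the comment on `AUTHLIB_INSECURE_TRANSPORT` says https is the default). `peregrine:` carries a bare `image:` with no value, which YAML reads as null and Helm treats as an instruction to delete that key from the merged values, so the subchart may lose its default image map — give it `tag: master` like `sheepdog` or remove the line. `DBGAP_ACCESSION_WITH_CONSENT_REGEX` shows its groups as `(?Pphs[0-9]+)`; if the `<name>` parts were really dropped in the file rather than by this page's rendering, the pattern is not a valid Python regex and fence would fail to compile it.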
+++ b/devplanetv2/dev-environments/qa-vectis/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 -name: main.dev.planx-pla.net +name: qa-vectis.dev.planx-pla.net description: A template manifest for spinning up dev environments using gitops # A chart can be either an 'application' or a 'library' chart. diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml index ec78919b..bc772a1a 100644 --- a/devplanetv2/dev-environments/qa-vectis/values/values.yaml +++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml @@ -239,11 +239,11 @@ metadata: "study_description": "path:data_description", "full_name": "path:full_name", "short_name": "path:short_name", - "commons": "Medical Imaging and Data Resource Center (MIDRC)", + "commons": "Vectis SOC", "study_url": "path:data_url", "_subjects_count" : {"path":"cases_count", "default" : 0 }, "__manifest": "path:__manifest", - "commons_url" : "data.midrc.org" + "commons_url" : "" } } }, From 916d762db81511d4d586b29b1c98696018407c3d Mon Sep 17 00:00:00 2001 From: HighTier-dev Date: Fri, 20 Mar 2026 09:23:39 -0400 Subject: [PATCH 4/5] tjw2: qa-vectis good to go --- devplanetv2/dev-environments/qa-vectis/values/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml index bc772a1a..8e669056 100644 --- a/devplanetv2/dev-environments/qa-vectis/values/values.yaml +++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml @@ -80,9 +80,10 @@ audit: # pullPolicy: Never frontend-framework: - # image: - # tag: main - # repository: + enabled: true + image: + repository: quay.io/cdis/gen3-vectis + tag: main customConfig: enabled: true enabled: true From a8d602ed7fd1f3b6494f6bfdfe4fcbd5e9463790 Mon Sep 17 00:00:00 2001 
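Review bot: the `aggMdsConfig` entry is relabelled `"commons": "Vectis SOC"` and its field-mapping `"commons_url"` emptied, but the same entry still carries `"mds_url": "https://data.midrc.org/"`, the outer `"commons_url" : "data.midrc.org"` and the key `"HEAL"` (all outside this hunk), so the aggregated MDS appears set to keep pulling MIDRC records and present them under the Vectis name with an empty commons link. Either point `mds_url` and the outer `commons_url` at the Vectis commons (this env's own `global.hostname` if that is the source) or drop the adapter entry until a real source exists; an empty string is presumably not a usable link target for the portal.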
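Review bot: the new `enabled: true` added at the top of `frontend-framework` duplicates the `enabled: true` that already follows `customConfig:` in the context lines, so the mapping now has the same key twice; most parsers take the last value silently and yamllint rejects the file — drop the newly added one. `image.tag: main` points at a mutable branch tag of `quay.io/cdis/gen3-vectis`, so what this QA env runs changes whenever that tag is re-pushed and a rollback of this repo cannot reproduce an earlier state; pinning to an immutable tag (or a digest, if the chart's image template accepts one) keeps the deployment reproducible.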
From: HighTier-dev Date: Fri, 20 Mar 2026 11:23:58 -0400 Subject: [PATCH 5/5] tjw2: added workspace container --- .../qa-vectis/values/values.yaml | 32 ++----------------- 1 file changed, 3 insertions(+), 29 deletions(-) diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml index 8e669056..2bf07a60 100644 --- a/devplanetv2/dev-environments/qa-vectis/values/values.yaml +++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml @@ -107,35 +107,9 @@ hatchery: command: - /bin/bash - /sidecarDockerrun.sh - containers: - - target-port: 8888 - cpu-limit: "2" - memory-limit: 3Gi - name: "(Tutorials) Example Analysis Jupyter Lab Notebooks" - image: quay.io/cdis/jupyter-superslim:1.0.5 - env: - FRAME_ANCESTORS: https://{{ .Values.global.hostname }} - args: - - "--NotebookApp.base_url=/lw-workspace/proxy/" - - "--NotebookApp.default_url=/lab" - - "--NotebookApp.password=''" - - "--NotebookApp.token=''" - - "--NotebookApp.shutdown_no_activity_timeout=5400" - - "--NotebookApp.quit_button=False" - command: - - start-notebook.sh - path-rewrite: "/lw-workspace/proxy/" - use-tls: "false" - ready-probe: "/lw-workspace/proxy/" - lifecycle-post-start: - - "/bin/sh" - - "-c" - - export IAM=`whoami`; rm -rf /home/$IAM/pd/dockerHome; rm -rf /home/$IAM/pd/lost+found; - ln -s /data /home/$IAM/pd/; true - user-uid: 1000 - fs-gid: 100 - user-volume-location: "/home/jovyan/pd" - gen3-volume-location: "/home/jovyan/.gen3" + WorkspaceContainer: + repository: quay.io/cdis/gen3-vectis + tag: gen3-vectis-workspace-sidecar portal: # Disable portal by default
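Review bot: `WorkspaceContainer.tag: gen3-vectis-workspace-sidecar` is a mutable, branch-style tag on the same `quay.io/cdis/gen3-vectis` repository the frontend uses, so the workspace image can change underneath a running QA env with no values change; pin it to an immutable tag or digest. The hunk also removes the entire `containers:` list rather than only the Jupyter entry, leaving hatchery with no workspace definitions unless the gen3-helm chart supplies defaults when `WorkspaceContainer` is set — nothing else on this page references that key, so it is worth confirming the chart actually reads it, and a short comment on what the sidecar image provides would help the next reader.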