diff --git a/devplanetv2/dev-environments/qa-vectis/Chart.yaml b/devplanetv2/dev-environments/qa-vectis/Chart.yaml
index f97cd27..77e4cf1 100644
--- a/devplanetv2/dev-environments/qa-vectis/Chart.yaml
+++ b/devplanetv2/dev-environments/qa-vectis/Chart.yaml
@@ -21,3 +21,9 @@ version: 0.1.4
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 appVersion: "1.0"
+
+dependencies:
+ - name: jeg
+ version: "0.1.0"
+ - name: workspace-proxy
+ version: "0.1.0"
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/Chart.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/Chart.yaml
new file mode 100644
index 0000000..39e6ee4
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/Chart.yaml
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: jeg
+description: >
+ Jupyter Enterprise Gateway for gen3 vectis workspaces.
+ Launches ephemeral kernel pods in the workspace namespace on behalf of
+ user Jupyter sessions proxied through workspace-proxy.
+type: application
+version: 0.1.0
+appVersion: "3.2.3"
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/deployment.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/deployment.yaml
new file mode 100644
index 0000000..903c599
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/deployment.yaml
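Review bot: The two `dependencies` entries carry no `condition`, so Helm renders charts/jeg and charts/workspace-proxy as subcharts every time the parent qa-vectis chart is templated, while templates/jeg-app.yaml and templates/workspace-proxy-app.yaml in this same commit deploy the same two charts as separate Argo Applications. If the parent chart is the app-of-apps that Argo syncs (its templates are Argo Application objects), the JEG Deployment, Role and RoleBinding end up owned by two Applications at once, and the subchart copies render with the chart defaults rather than the values/*.yaml overrides. Either drop the `dependencies` block, or gate each entry with `condition: jeg.enabled` / `condition: workspace-proxy.enabled` and default both flags to false in the parent values.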
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jupyter-enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: enterprise-gateway
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: enterprise-gateway
+ template:
+ metadata:
+ labels:
+ app: enterprise-gateway
+ spec:
+ serviceAccountName: enterprise-gateway
+ automountServiceAccountToken: true
+ containers:
+ - name: enterprise-gateway
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 8888
+ protocol: TCP
+ env:
+ {{- range $key, $val := .Values.env }}
+ - name: {{ $key }}
+ value: {{ $val | quote }}
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /api
+ port: http
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /api
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 15
+ timeoutSeconds: 5
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/rbac.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/rbac.yaml
new file mode 100644
index 0000000..c620fcf
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/rbac.yaml
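Review bot: The `{{- range $key, $val := .Values.env }}` loop renders every value, including `EG_AUTH_TOKEN`, as a literal in the pod spec, so the only way to turn gateway authentication on with this chart is to commit the token to a values file in git, where it is also readable by anyone with `get deployments` in the namespace. Add an optional Secret-backed path for the token next to the loop, and remove `EG_AUTH_TOKEN` from the `env` map so the two cannot emit a duplicate variable. Separately, this container's `securityContext` lacks `readOnlyRootFilesystem: true`, which the sibling workspace-proxy Deployment in this commit does set; if the gateway needs a writable path, mount an `emptyDir` there rather than leaving the root filesystem writable.

```yaml
          env:
            {{- if .Values.authTokenSecret }}
            # Token lives in a Secret, never in values files or git.
            - name: EG_AUTH_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.authTokenSecret }}
                  key: token
            {{- end }}
            {{- range $key, $val := .Values.env }}
            # … unchanged: plain-value env loop for non-sensitive settings …
```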
@@ -0,0 +1,35 @@
+# JEG needs permission to create/delete kernel pods and services in the
+# workspace namespace. Scoped to a Role (not ClusterRole) for least-privilege.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: enterprise-gateway
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "pods/log", "services", "configmaps", "secrets"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["create"]
+ - apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["get", "list", "watch", "create", "delete", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: enterprise-gateway
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: enterprise-gateway
+subjects:
+ - kind: ServiceAccount
+ name: enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/service.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/service.yaml
new file mode 100644
index 0000000..1c01796
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: jupyter-enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: enterprise-gateway
+spec:
+ type: ClusterIP
+ selector:
+ app: enterprise-gateway
+ ports:
+ - name: http
+ port: 8888
+ targetPort: http
+ protocol: TCP
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/serviceaccount.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/serviceaccount.yaml
new file mode 100644
index 0000000..793d0b2
--- /dev/null
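Review bot: The first rule grants full write access to `secrets` and the second grants `pods/exec` create in the workspace namespace, which is wider than the header comment's "create/delete kernel pods and services" and, as far as I know of the Enterprise Gateway Kubernetes launcher, wider than it needs (pods, plus optionally services/configmaps for connection info). Because Hatchery places every user's workspace pod in this same namespace, this Role lets the gateway identity read every Secret there and exec into any user's notebook container, and values/jeg-values.yaml in this commit leaves `EG_AUTH_TOKEN` empty, so that identity is usable by anything that can open a connection to port 8888. Drop `"secrets"` from the resource list and remove the `pods/exec` rule unless a specific kernelspec launcher is documented to need them; the same question applies to the `batch/jobs` rule. A one-line comment per rule naming the launcher feature that requires it would keep the least-privilege claim in the header honest.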
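Review bot: This Service is a plain ClusterIP in `{{ .Values.workspaceNamespace }}` and the commit adds no NetworkPolicy selecting `app: enterprise-gateway`, so every pod in that namespace — each user's Hatchery-launched workspace and every kernel pod JEG itself creates — can reach port 8888 directly; with `EG_AUTH_TOKEN` left empty and `EG_LIST_KERNELS` set to `"True"` in values/jeg-values.yaml, any user can enumerate, attach to or delete other users' kernels, or launch new ones under the gateway's service account. Add an ingress NetworkPolicy beside this Service that admits only the workspace-proxy pods in the gen3 namespace on TCP 8888 (values/values.yaml also points gen3ff's `JUPYTER_GATEWAY_URL` straight at this Service, so a second `from` entry for gen3ff is needed if that direct path stays). The namespace value below would be a new chart value; confirm after applying that the kubelet probes still pass, since they originate from the node rather than a pod.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: enterprise-gateway
  namespace: {{ .Values.workspaceNamespace }}
spec:
  podSelector:
    matchLabels:
      app: enterprise-gateway
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: {{ .Values.gen3Namespace }}  # new value, e.g. qa-vectis
          podSelector:
            matchLabels:
              app: workspace-proxy
      ports:
        - protocol: TCP
          port: 8888
```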
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: enterprise-gateway
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: enterprise-gateway
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/jeg/values.yaml b/devplanetv2/dev-environments/qa-vectis/charts/jeg/values.yaml
new file mode 100644
index 0000000..a0313fa
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/jeg/values.yaml
@@ -0,0 +1,34 @@
+# Jupyter Enterprise Gateway default values.
+# Override via qa-vectis/values/jeg-values.yaml
+
+# Namespace where JEG pod runs AND where it launches kernel pods.
+# CRITICAL: must match hatchery user-namespace and workspace-proxy WORKSPACE_NAMESPACE.
+workspaceNamespace: jupyter-pods-qa-vectis
+
+replicaCount: 1
+
+image:
+ repository: elyra/enterprise-gateway
+ tag: "3.2.3"
+ pullPolicy: IfNotPresent
+
+env:
+ EG_NAMESPACE: jupyter-pods-qa-vectis
+ EG_KERNEL_LAUNCH_TIMEOUT: "120"
+ EG_MAX_KERNELS_PER_USER: "2"
+ EG_CULL_IDLE_TIMEOUT: "14400"
+ EG_CULL_CONNECTED: "True"
+ EG_AUTH_TOKEN: ""
+ EG_DEFAULT_KERNEL_NAME: python3
+ EG_LIST_KERNELS: "True"
+ EG_KERNEL_IMAGE_PULL_POLICY: IfNotPresent
+ EG_SHARED_NAMESPACE: "False"
+ EG_MIRROR_WORKING_DIRS: "False"
+
+resources:
+ requests:
+ cpu: "100m"
+ memory: "256Mi"
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/Chart.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/Chart.yaml
new file mode 100644
index 0000000..ccb7cf9
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/Chart.yaml
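Review bot: `EG_AUTH_TOKEN: ""` ships the chart with gateway authentication disabled, and because the same map sets `EG_LIST_KERNELS: "True"`, any client that can reach the Service can list, connect to and delete every user's kernel rather than only its own. An empty token is the wrong default for a multi-tenant gateway: remove the key here and source it from a Secret in the Deployment, or make rendering fail when it is unset with `{{ required "env.EG_AUTH_TOKEN must be set" .Values.env.EG_AUTH_TOKEN }}`. `EG_NAMESPACE` also repeats the value of `workspaceNamespace` by hand even though the comment above marks the pairing as CRITICAL; emitting it in the Deployment as `value: {{ .Values.workspaceNamespace | quote }}` removes the chance of drift.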
@@ -0,0 +1,9 @@
+apiVersion: v2
+name: workspace-proxy
+description: >
+ Per-user workspace HTTP/WebSocket router for gen3 vectis.
+ Replaces Emissary/Ambassador. Reads Service annotations written by Hatchery
+ to resolve each user's workspace upstream, then proxies traffic from revproxy.
+type: application
+version: 0.1.0
+appVersion: "1.0"
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/ambassador-externalname.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/ambassador-externalname.yaml
new file mode 100644
index 0000000..3243809
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/ambassador-externalname.yaml
@@ -0,0 +1,3 @@
+# REMOVED: No Ambassador/Emissary. Revproxy routes directly to
+# workspace-proxy-service via additionalConfigs ambassador-service.conf
+# in the main values.yaml. This file is intentionally empty.
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/deployment.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/deployment.yaml
new file mode 100644
index 0000000..6df9e1d
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/deployment.yaml
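Review bot: templates/ambassador-externalname.yaml contains only comments and renders to an empty document, which Helm tolerates, but it leaves a template named after the component the chart description says it replaces, and "This file is intentionally empty" stops being true the moment someone adds a resource under it. This is a brand-new chart rather than a migration of an existing one, so there is no history to preserve; delete the file and keep the explanation in Chart.yaml's `description` or a chart README.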
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workspace-proxy
+ namespace: {{ .Values.deploymentNamespace }}
+ labels:
+ app: workspace-proxy
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app: workspace-proxy
+ template:
+ metadata:
+ labels:
+ app: workspace-proxy
+ spec:
+ serviceAccountName: workspace-proxy
+ automountServiceAccountToken: true
+ containers:
+ - name: workspace-proxy
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args:
+ - --listen={{ .Values.listenAddr }}
+ - --workspace-namespace={{ .Values.workspaceNamespace }}
+ env:
+ - name: JEG_GATEWAY_URL
+ value: "http://jupyter-enterprise-gateway.{{ .Values.workspaceNamespace }}.svc.cluster.local:8888"
+ - name: WORKSPACE_NAMESPACE
+ value: "{{ .Values.workspaceNamespace }}"
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 15
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 3
+ periodSeconds: 10
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ capabilities:
+ drop:
+ - ALL
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/namespace.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/namespace.yaml
new file mode 100644
index 0000000..e9aaef5
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/namespace.yaml
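Review bot: The listen address is templated from `--listen={{ .Values.listenAddr }}`, but `containerPort: 8080` here and `port: 8080` in the chart's NetworkPolicy are literals, so overriding `listenAddr` in a values file silently breaks both probes, the Service's `targetPort: http` and the ingress rule in one go. Drive all of them from a single value (for example `containerPort: {{ .Values.port }}` with the `--listen` arg built from the same key) or drop `listenAddr` from values entirely. `JEG_GATEWAY_URL` is likewise hard-wired to the JEG Service name and port 8888; a comment such as `# must track charts/jeg/templates/service.yaml` above the `env:` block would spare the next reader the hunt.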
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: {{ .Values.workspaceNamespace }}
+ labels:
+ app: workspace
+ # Allows NetworkPolicy selectors to target this namespace.
+ kubernetes.io/metadata.name: {{ .Values.workspaceNamespace }}
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/netpol.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/netpol.yaml
new file mode 100644
index 0000000..a9fc61c
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/netpol.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.networkPolicy.enabled }}
+# Ingress: only allow traffic from revproxy pods in the gen3 namespace.
+# Egress: DNS (kube-system:53) + workspace pod services (workspaceNamespace:80).
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: workspace-proxy
+ namespace: {{ .Values.deploymentNamespace }}
+ labels:
+ app: workspace-proxy
+spec:
+ podSelector:
+ matchLabels:
+ app: workspace-proxy
+ policyTypes:
+ - Ingress
+ - Egress
+
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.deploymentNamespace }}
+ podSelector:
+ matchLabels:
+ app: revproxy
+ ports:
+ - protocol: TCP
+ port: 8080
+
+ egress:
+ # DNS resolution via kube-dns (kube-system namespace)
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Workspace pod services in the workspace namespace
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: {{ .Values.workspaceNamespace }}
+ ports:
+ - protocol: TCP
+ port: 80
+ # JEG listens on 8888 — workspace-proxy proxies /jeg-proxy/* to it
+ - protocol: TCP
+ port: 8888
+{{- end }}
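Review bot: This Namespace is created by the workspace-proxy chart, and templates/workspace-proxy-app.yaml in this commit gives that Application `resources-finalizer.argocd.argoproj.io`, so deleting or recreating the qa-vectis-workspace-proxy Application cascades into deleting `jupyter-pods-qa-vectis` — taking every running user workspace, the JEG Deployment and its RBAC with it, none of which this chart owns. A shared, long-lived namespace should not be owned by one of its tenants: create it from the parent application (which is what `CreateNamespace=true` in templates/jeg-app.yaml already does) or annotate this object with `argocd.argoproj.io/sync-options: Delete=false` so a cascade leaves it in place. The `kubernetes.io/metadata.name` label is also set automatically and immutably by the API server, so that line and its comment can go.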
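Review bot: The `egress` section allows only kube-dns and the workspace namespace, but the proxy's job (per the `get`/`list` on `services` in this chart's rbac.yaml) is to query the Kubernetes API, and the endpoint behind `kubernetes.default.svc` resolves to control-plane addresses that are not pods in kube-system — so with `policyTypes: [Ingress, Egress]` enforced by Calico those lookups will hang and every workspace route fails, unless the CNI special-cases the API server. Add an explicit egress rule for the API endpoint (an `ipBlock` for the control-plane addresses on 443/6443 on this cluster) and verify with a `kubectl get services` from inside the pod once the policy is applied. The ingress half is also the only thing standing between a forged `REMOTE_USER` header and another user's workspace, since revproxy is trusted purely by pod label; the header comment should say so and add that `networkPolicy.enabled: false` must not be used where more than one user has workspaces.

```yaml
  egress:
    # Kubernetes API server: needed for the Services lookup granted in rbac.yaml.
    # Control-plane endpoints are not pods, so they must be selected by CIDR.
    - to:
        - ipBlock:
            cidr: {{ .Values.networkPolicy.apiServerCidr }}  # new value, cluster-specific
      ports:
        - protocol: TCP
          port: 443
        - protocol: TCP
          port: 6443
    # … unchanged: DNS and workspace-namespace rules …
```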
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/rbac.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/rbac.yaml
new file mode 100644
index 0000000..e6c4931
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/rbac.yaml
@@ -0,0 +1,29 @@
+# Role in the workspace namespace — workspace-proxy needs to read Services
+# written by Hatchery (one per user session) to resolve proxy upstreams.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: workspace-proxy
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: workspace-proxy
+rules:
+ - apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: workspace-proxy
+ namespace: {{ .Values.workspaceNamespace }}
+ labels:
+ app: workspace-proxy
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: workspace-proxy
+subjects:
+ - kind: ServiceAccount
+ name: workspace-proxy
+ namespace: {{ .Values.deploymentNamespace }}
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/service.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/service.yaml
new file mode 100644
index 0000000..51cf72d
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/service.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: workspace-proxy-service
+ namespace: {{ .Values.deploymentNamespace }}
+ labels:
+ app: workspace-proxy
+spec:
+ type: ClusterIP
+ selector:
+ app: workspace-proxy
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/serviceaccount.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000..d9d0ff5
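Review bot: This Service publishes only `port: 80`, but the Hatchery configuration added to values/values.yaml in the same commit sets `"jeg-gateway-proxy-url": "http://workspace-proxy-service.qa-vectis.svc.cluster.local:8080/jeg-proxy"` — the Service name on 8080, a port the Service does not expose — so Hatchery's calls to the JEG proxy path will be refused, while the revproxy upstream in that file uses the bare name (port 80) and is consistent. Either drop `:8080` from the Hatchery URL or add a second entry here (`- name: http-alt`, `port: 8080`, `targetPort: http`); I would fix the URL so there is exactly one published port to protect with policy.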
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: workspace-proxy
+ namespace: {{ .Values.deploymentNamespace }}
+ labels:
+ app: workspace-proxy
diff --git a/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/values.yaml b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/values.yaml
new file mode 100644
index 0000000..a0ee52e
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy/values.yaml
@@ -0,0 +1,32 @@
+# workspace-proxy default values.
+# Override via qa-vectis/values/workspace-proxy-values.yaml
+
+# Namespace where the workspace-proxy pod runs (same as gen3 helm release).
+deploymentNamespace: qa-vectis
+
+# Namespace where Hatchery creates user workspace pods and services.
+# CRITICAL: must match hatchery user-namespace and jeg EG_NAMESPACE exactly.
+workspaceNamespace: jupyter-pods-qa-vectis
+
+replicaCount: 2
+
+image:
+ # Fill in your registry after implementation.
+ repository: PLACEHOLDER_REGISTRY/workspace-proxy
+ tag: latest
+ pullPolicy: Always
+
+listenAddr: ":8080"
+
+resources:
+ requests:
+ cpu: "50m"
+ memory: "64Mi"
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+
+# NetworkPolicy: restrict ingress to revproxy only.
+# Requires a CNI that enforces NetworkPolicy (Calico is enabled in cluster-values).
+networkPolicy:
+ enabled: true
diff --git a/devplanetv2/dev-environments/qa-vectis/templates/app.yaml b/devplanetv2/dev-environments/qa-vectis/templates/app.yaml
index b73b9e4..8c68e04 100644
--- a/devplanetv2/dev-environments/qa-vectis/templates/app.yaml
+++ b/devplanetv2/dev-environments/qa-vectis/templates/app.yaml
@@ -5,6 +5,8 @@ metadata:
 namespace: argocd
 finalizers:
 - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
 spec:
 project: default
 sources:
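Review bot: The chart defaults point at `PLACEHOLDER_REGISTRY/workspace-proxy` with `tag: latest` and `pullPolicy: Always`, so a release that misses the values override tries to pull whatever `latest` means from a registry that does not exist, and nothing in the templates rejects it. Drop the placeholder and make the image mandatory in deployment.yaml with `{{ required "image.repository must be set" .Values.image.repository }}`; and since this component is the only hop between revproxy and other users' workspaces, pin it by digest (an `image.digest` value) rather than a floating tag — the `qa-goproxy` tag in values/workspace-proxy-values.yaml is just as mutable. The `# Fill in your registry after implementation.` comment should go with the placeholder.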
diff --git a/devplanetv2/dev-environments/qa-vectis/templates/jeg-app.yaml b/devplanetv2/dev-environments/qa-vectis/templates/jeg-app.yaml
new file mode 100644
index 0000000..d007db5
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/templates/jeg-app.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: qa-vectis-jeg
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ # Deploy JEG after workspace-proxy (which creates the shared namespace).
+ argocd.argoproj.io/sync-wave: "2"
+spec:
+ project: default
+ sources:
+ - path: devplanetv2/dev-environments/qa-vectis/charts/jeg
+ repoURL: https://github.com/uc-cdis/gen3-gitops-dev.git
+ targetRevision: {{ .Values.gitopsBranch }}
+ helm:
+ releaseName: jupyter-enterprise-gateway
+ valueFiles:
+ - $values/devplanetv2/dev-environments/qa-vectis/values/jeg-values.yaml
+ - repoURL: https://github.com/uc-cdis/gen3-gitops-dev.git
+ targetRevision: {{ .Values.gitopsBranch }}
+ ref: values
+ destination:
+ server: "https://kubernetes.default.svc"
+ namespace: jupyter-pods-qa-vectis
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ selfHeal: true
diff --git a/devplanetv2/dev-environments/qa-vectis/templates/workspace-proxy-app.yaml b/devplanetv2/dev-environments/qa-vectis/templates/workspace-proxy-app.yaml
new file mode 100644
index 0000000..8201779
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/templates/workspace-proxy-app.yaml
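Review bot: `automated.selfHeal: true` without `prune: true` means that if a template is later removed from charts/jeg — rbac.yaml when the Role is tightened, say — the live Role, RoleBinding and ServiceAccount stay in the cluster with their current permissions while Argo reports the app healthy; for a chart that hands out `secrets` and `pods/exec` rights, set `prune: true` or document why orphans are acceptable. `project: default` also permits this Application to deploy any source to any namespace or cluster; a dedicated AppProject restricted to `jupyter-pods-qa-vectis` and this repository bounds what a compromised `{{ .Values.gitopsBranch }}` can do. The comment says workspace-proxy "creates the shared namespace", yet `CreateNamespace=true` here creates it as well — pick one owner and say so in the comment.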
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: qa-vectis-workspace-proxy
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ # Deploy workspace-proxy after gen3 core services are up.
+ argocd.argoproj.io/sync-wave: "1"
+spec:
+ project: default
+ sources:
+ - path: devplanetv2/dev-environments/qa-vectis/charts/workspace-proxy
+ repoURL: https://github.com/uc-cdis/gen3-gitops-dev.git
+ targetRevision: {{ .Values.gitopsBranch }}
+ helm:
+ releaseName: workspace-proxy
+ valueFiles:
+ - $values/devplanetv2/dev-environments/qa-vectis/values/workspace-proxy-values.yaml
+ - repoURL: https://github.com/uc-cdis/gen3-gitops-dev.git
+ targetRevision: {{ .Values.gitopsBranch }}
+ ref: values
+ destination:
+ server: "https://kubernetes.default.svc"
+ # ArgoCD uses qa-vectis as default namespace; templates with
+ # explicit namespace metadata target jupyter-pods-qa-vectis.
+ namespace: qa-vectis
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ automated:
+ selfHeal: true
diff --git a/devplanetv2/dev-environments/qa-vectis/values/jeg-values.yaml b/devplanetv2/dev-environments/qa-vectis/values/jeg-values.yaml
new file mode 100644
index 0000000..d0a5911
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/values/jeg-values.yaml
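Review bot: The destination is `namespace: qa-vectis`, but the chart deploys a cluster-scoped Namespace plus a Role and RoleBinding into `jupyter-pods-qa-vectis`, which only works because `project: default` has no destination or cluster-resource restrictions. When this is moved off `project: default` to a scoped AppProject, `destinations` must list both namespaces and `clusterResourceWhitelist` must include `Namespace`, or the sync fails on the first cross-namespace object. The comment above `namespace: qa-vectis` is the right place to record that: `# Chart also creates the Namespace and RBAC in jupyter-pods-qa-vectis; any AppProject must allow both.`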
@@ -0,0 +1,33 @@
+# Overrides for the JEG Helm chart.
+# These values are merged on top of charts/jeg/values.yaml.
+
+workspaceNamespace: jupyter-pods-qa-vectis
+
+replicaCount: 1
+
+image:
+ repository: quay.io/cdis/gen3-vectis
+ tag: "qa-jeg"
+ pullPolicy: Always
+
+env:
+ # CRITICAL: must match hatchery user-namespace and workspace-proxy WORKSPACE_NAMESPACE.
+ EG_NAMESPACE: jupyter-pods-qa-vectis
+ EG_KERNEL_LAUNCH_TIMEOUT: "120"
+ EG_MAX_KERNELS_PER_USER: "2"
+ EG_CULL_IDLE_TIMEOUT: "14400"
+ EG_CULL_CONNECTED: "True"
+ EG_AUTH_TOKEN: ""
+ EG_DEFAULT_KERNEL_NAME: python3
+ EG_LIST_KERNELS: "True"
+ EG_KERNEL_IMAGE_PULL_POLICY: IfNotPresent
+ EG_SHARED_NAMESPACE: "False"
+ EG_MIRROR_WORKING_DIRS: "False"
+
+resources:
+ requests:
+ cpu: "100m"
+ memory: "256Mi"
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
diff --git a/devplanetv2/dev-environments/qa-vectis/values/values.yaml b/devplanetv2/dev-environments/qa-vectis/values/values.yaml
index 70c1791..a4e3b1e 100644
--- a/devplanetv2/dev-environments/qa-vectis/values/values.yaml
+++ b/devplanetv2/dev-environments/qa-vectis/values/values.yaml
@@ -52,10 +52,7 @@ aws-es-proxy:
 enabled: true
 esEndpoint: vpc-devplanetv2-gen3-metadata-2-xkwr2f3gbxua5mqqi7rhnat4la.us-east-1.es.amazonaws.com
 ambassador:
- resources:
- requests:
- memory: "105Mi"
- cpu: "15m"
+ enabled: false
 arborist:
 image:
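Review bot: `EG_SHARED_NAMESPACE: "False"` contradicts the rest of this commit: as I read the Enterprise Gateway docs, that setting means kernel pods are *not* placed in the gateway's namespace but in a per-kernel namespace the gateway creates and binds a Role into, which needs cluster-scoped `namespaces` and `rolebindings` rights that the namespaced Role in charts/jeg/templates/rbac.yaml does not grant — while the chart description and the CRITICAL comment above `EG_NAMESPACE` both say kernels launch in the workspace namespace. If kernels are meant to run alongside the user workspaces, this should be `"True"`; if not, the RBAC and the Hatchery `user-namespace` pairing need rethinking. Please confirm against the EG version baked into the `qa-jeg` image, since the default and semantics have shifted between releases. The empty `EG_AUTH_TOKEN` and the `Always`-pulled mutable `qa-jeg` tag are the same concerns as in the chart defaults and should be fixed in both places.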
@@ -84,14 +81,30 @@ frontend-framework:
 enabled: true
 image:
 repository: quay.io/cdis/gen3-vectis
- tag: main
+ tag: qa-vectis
+ pullPolicy: Always
 customConfig:
 enabled: false
- enabled: true
+ env:
+ NODE_ENV: production
+ PORT: "3000"
+ NEXT_PUBLIC_GEN3_COMMONS_NAME: qa-vectis
+ NEXT_PUBLIC_DATACOMMONS: commons_frontend_app
+ HATCHERY_URL: "http://hatchery-service.qa-vectis.svc.cluster.local"
+ GEN3_FENCE_SERVICE: "http://fence-service.qa-vectis.svc.cluster.local"
+ GEN3_ARBORIST_SERVICE: "http://arborist-service.qa-vectis.svc.cluster.local"
+ GEN3_INDEXD_SERVICE: "http://indexd-service.qa-vectis.svc.cluster.local"
+ JUPYTER_GATEWAY_URL: "http://jupyter-enterprise-gateway.jupyter-pods-qa-vectis.svc.cluster.local:8888"
+ KERNEL_SPEC_POLICY: "{}"
+ ENABLE_JEG: "true"
+ replicaCount: 2
 resources:
 requests:
 memory: "256Mi"
 cpu: "15m"
+ limits:
+ cpu: "1000m"
+ memory: "1Gi"
 hatchery:
 externalSecrets:
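Review bot: `JUPYTER_GATEWAY_URL` points gen3ff straight at the JEG Service in `jupyter-pods-qa-vectis`, giving the gateway two entry points — this one and the `/jeg-proxy` route through workspace-proxy that the Hatchery config in this file uses — and because values/jeg-values.yaml leaves `EG_AUTH_TOKEN` empty, the only thing tying a kernel to a user on the direct path is whatever username gen3ff chooses to send (`EG_MAX_KERNELS_PER_USER` is only meaningful if that username is the authenticated one). Document which path is authoritative, and if gen3ff keeps the direct one, note above this line that gen3ff is the component responsible for scoping kernel visibility to the caller and that any NetworkPolicy added for JEG must admit gen3ff from `qa-vectis`. `tag: qa-vectis` with `pullPolicy: Always` is a mutable tag for the user-facing frontend; pin by digest or an immutable build tag.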
@@ -103,14 +116,56 @@ hatchery:
 image:
 tag: master
 hatchery:
- sidecarContainer:
- image: quay.io/cdis/gen3fuse-sidecar:master
- command:
- /bin/bash
- /sidecarDockerrun.sh
- WorkspaceContainer:
- repository: quay.io/cdis/gen3-vectis
- tag: gen3-vectis-workspace-sidecar
+ json: |-
+ {
+ "user-namespace": "jupyter-pods-qa-vectis",
+ "sub-dir": "/lw-workspace",
+ "user-volume-size": "10Gi",
+ "jeg-gateway-proxy-url": "http://workspace-proxy-service.qa-vectis.svc.cluster.local:8080/jeg-proxy",
+ "sidecar": {
+ "cpu-limit": "1.0",
+ "memory-limit": "256Mi",
+ "image": "quay.io/cdis/gen3fuse-sidecar:2024.07",
+ "env": {
+ "NAMESPACE": "qa-vectis",
+ "HOSTNAME": "qa-vectis.planx-pla.net"
+ },
+ "args": [],
+ "command": ["/bin/bash", "/sidecar.sh"],
+ "lifecycle-pre-stop": ["/bin/bash", "-c", "fusermount -u /data || true"]
+ },
+ "containers": [
+ {
+ "target-port": 8888,
+ "cpu-limit": "2.0",
+ "memory-limit": "4Gi",
+ "name": "Jupyter Notebook (Python 3) - Vectis QA",
+ "image": "quay.io/cdis/jupyter-superslim:2024.07",
+ "env": {
+ "FRAME_ANCESTORS": "qa-vectis.planx-pla.net"
+ },
+ "args": [
+ "--ServerApp.base_url=/lw-workspace/proxy/",
+ "--ServerApp.default_url=/lab",
+ "--ServerApp.password=''",
+ "--ServerApp.token=''",
+ "--ServerApp.ip='*'",
+ "--ServerApp.disable_check_xsrf=True",
+ "--ServerApp.allow_origin='https://qa-vectis.planx-pla.net'",
+ "--ServerApp.root_dir='/home/jovyan'",
+ "--ServerApp.shutdown_no_activity_timeout=5400",
+ "--ServerApp.quit_button=False"
+ ],
+ "path-rewrite": "/lw-workspace/proxy/",
+ "use-tls": false,
+ "ready-probe": "/lw-workspace/proxy/",
+ "user-uid": 1000,
+ "fs-gid": 100,
+ "user-volume-location": "/home/jovyan",
+ "gen3-volume-location": "/home/jovyan/.gen3"
+ }
+ ]
+ }
 portal:
 # Disable portal by default
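Review bot: The workspace container args `--ServerApp.token=''`, `--ServerApp.password=''`, `--ServerApp.ip='*'` and `--ServerApp.disable_check_xsrf=True` run each user's notebook server with no authentication, listening on all interfaces, in a namespace shared by every user's pod — and the only NetworkPolicy this commit adds selects workspace-proxy, not these pods. Any pod in `jupyter-pods-qa-vectis` (another user's workspace, or a JEG kernel pod) can therefore open `http://<pod-ip>:8888/lw-workspace/proxy/` and execute code as that user; if this was also the case under Ambassador, the migration is the moment to close it. Add a namespace-wide ingress policy that admits only the workspace-proxy pods plus gateway-to-kernel traffic (the rule below assumes the kernel pod template keeps EG's default `app: enterprise-gateway` label — verify), and keep `disable_check_xsrf` only if the proxy path demonstrably needs it. `jeg-gateway-proxy-url` also names `:8080` on a Service that publishes port 80 only.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: workspace-ingress-from-proxy
  namespace: jupyter-pods-qa-vectis
spec:
  podSelector: {}  # every pod in the workspace namespace
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: qa-vectis
          podSelector:
            matchLabels:
              app: workspace-proxy
        - podSelector:  # JEG <-> kernel pods within the namespace
            matchLabels:
              app: enterprise-gateway
```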
@@ -256,6 +311,61 @@ revproxy:
 aws:
 # Do not change- this will break DNS for your env.
 group: devplanetv2
+ additionalConfigs:
+ ambassador-service.conf: |-
+ location = /lw-workspace/proxy {
+ return 308 $scheme://$http_host/lw-workspace/proxy/;
+ }
+
+ location /lw-workspace/proxy/ {
+ set $authz_resource "/workspace";
+ set $authz_method "access";
+ set $authz_service "jupyterhub";
+ auth_request_set $remoteUser $upstream_http_REMOTE_USER;
+ auth_request_set $saved_set_cookie $upstream_http_set_cookie;
+ auth_request /gen3-authz;
+
+ if ($saved_set_cookie != "") {
+ add_header Set-Cookie $saved_set_cookie always;
+ }
+ add_header Cache-Control "no-store";
+
+ proxy_set_header REMOTE_USER $remoteUser;
+ error_page 403 = @errorworkspace;
+
+ set $proxy_service "workspace-proxy";
+ set $upstream http://workspace-proxy-service.qa-vectis.svc.cluster.local;
+ rewrite ^/lw-workspace/proxy/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_redirect http://$http_host/ https://$http_host/lw-workspace/proxy/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-URL-SCHEME https;
+ client_max_body_size 0;
+ proxy_read_timeout 36000s;
+ }
+ workspace-api.conf: |-
+ location ^~ /workspace-api/ {
+ set $authz_resource "/workspace";
+ set $authz_method "access";
+ set $authz_service "jupyterhub";
+ auth_request /gen3-authz;
+ error_page 403 = @errorworkspace;
+ set $upstream http://gen3ff-service.qa-vectis.svc.cluster.local;
+ rewrite ^/workspace-api/(.*) /$1 break;
+ proxy_pass $upstream;
+ proxy_http_version 1.1;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-URL-SCHEME https;
+ client_max_body_size 0;
+ proxy_read_timeout 600s;
+ }
 sheepdog:
 resources:
@@ -278,6 +388,11 @@ wts:
 externalSecrets:
 createWtsOidcClientSecret: true
 createK8sWtsSecret: true
+ networkPolicy:
+ enabled: true
+ ingressNamespaces:
+ - qa-vectis
+ - jupyter-pods-qa-vectis
 # Database configuration
diff --git a/devplanetv2/dev-environments/qa-vectis/values/workspace-proxy-values.yaml b/devplanetv2/dev-environments/qa-vectis/values/workspace-proxy-values.yaml
new file mode 100644
index 0000000..84ebb59
--- /dev/null
+++ b/devplanetv2/dev-environments/qa-vectis/values/workspace-proxy-values.yaml
@@ -0,0 +1,25 @@
+# Overrides for the workspace-proxy Helm chart.
+# These values are merged on top of charts/workspace-proxy/values.yaml.
+
+replicaCount: 2
+
+image:
+ repository: quay.io/cdis/gen3-vectis
+ tag: qa-goproxy
+ pullPolicy: Always
+
+deploymentNamespace: qa-vectis
+workspaceNamespace: jupyter-pods-qa-vectis
+
+listenAddr: ":8080"
+
+resources:
+ requests:
+ cpu: "50m"
+ memory: "64Mi"
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+
+networkPolicy:
+ enabled: true
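Review bot: The `/workspace-api/` location forwards to gen3ff after `auth_request` but, unlike the `/lw-workspace/proxy/` block above it, never sets `REMOTE_USER` — there is no `auth_request_set $remoteUser` and no `proxy_set_header REMOTE_USER`, so a `REMOTE_USER` header supplied by the client passes through to gen3ff untouched. If gen3ff reads that header to identify the caller (the convention the sibling block relies on), any authenticated user can send `REMOTE_USER: someone-else` on a `/workspace-api/` request and act on another user's workspace or kernels; if gen3ff ignores it, the asymmetry still deserves a comment. Add `auth_request_set $remoteUser $upstream_http_REMOTE_USER;` and `proxy_set_header REMOTE_USER $remoteUser;` to the second location so the header is always overwritten with the authz result. In the first block, `proxy_set_header Connection "upgrade";` is sent unconditionally; the usual `map $http_upgrade $connection_upgrade` pattern avoids forcing an upgrade semantics on plain requests.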