release 2.3.0 (#4072)

* chore: remove old search deployments and values (#4069)

* fix: make the legacy services flag work (#4067)

* feat: upgrade ui to 4.2.0 (#4075)

* chore: simplify ui config for openshift (#4065)

* feat: upgrade amalthea to 0.20.0 (#4076)

* refactor: harmonize security context handling (#4077)

securityContext content was defined in multiple
different manifests. Their content being hard coded
there made them unsuitable for modifications such as
required for OpenShift deployment.

This patch makes them all use the content coming from
the values file since they were mostly all using the
same values.

* chore: reconcile the two security contexts PRs (#4074)

---------

Co-authored-by: Tasko Olevski <tasko.olevski@sdsc.ethz.ch>

* refactor: move service account creation to own template (#4080)

* feat: upgrade ui to 4.2.1 (#4082)

---------

Co-authored-by: Renku Bot <renku@datascience.ch>
Co-authored-by: Samuel Gaist <samuel.gaist@idiap.ch>
Co-authored-by: Chandrasekhar Ramakrishnan <ciyer@users.noreply.github.com>

Author: 4 people

cypress-tests/cypress/e2e/v2/verifyInfrastructure.cy.ts

@@ -36,7 +36,6 @@ function retryRequest(
 describe("Verify the infrastructure is ready", () => {
   it("Can interact with the backend components", () => {
     retryRequest("api/data/version", "Data services");
-    retryRequest("api/search/version", "Search");
     retryRequest("api/auth/login", "Gateway");
     retryRequest("config.json", "UI client");
 
@@ -48,7 +47,7 @@ describe("Verify the infrastructure is ready", () => {
     });
 
     // Search should return a list of items
-    const searchUrl = "/api/search/query";
+    const searchUrl = "/api/data/search/query";
     cy.request(searchUrl).then((resp) => {
       if (resp.status >= 400 || !("items" in resp.body))
         throw new Error("Search endpoints not working as expected.");

cypress-tests/cypress/support/utils/search.utils.ts

@@ -16,7 +16,7 @@ export function verifySearchIndexing(
   );
 
   function attempt(tries: number): Cypress.Chainable<boolean> {
-    return cy.request(`/api/search/query?q=${query}`).then((response) => {
+    return cy.request(`/api/data/search/query?q=${query}`).then((response) => {
       const success =
         matcher === "eq"
           ? response.body.items && response.body.items.length === expectedItems

helm-chart/renku/requirements.yaml

@@ -18,10 +18,11 @@ dependencies:
     condition: enableV1Services
   - name: amalthea
     repository: "https://swissdatasciencecenter.github.io/helm-charts/"
-    version: "0.19.2"
+    version: "0.20.0"
+    condition: enableV1Services
   - name: amalthea-sessions
     repository: "https://swissdatasciencecenter.github.io/helm-charts/"
-    version: "0.19.2"
+    version: "0.20.0"
   - name: dlf-chart
     repository: "https://swissdatasciencecenter.github.io/datashim/"
     version: "0.3.9-renku-2"

helm-chart/renku/templates/_certificates-init-container.tpl

@@ -3,10 +3,7 @@
 - name: init-certificates
   image: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}"
   securityContext:
-    allowPrivilegeEscalation: false
-    runAsUser: 1000
-    runAsGroup: 1000
-    runAsNonRoot: true
+    {{- toYaml .Values.securityContext | nindent 4 }}
   volumeMounts:
     - name: etc-ssl-certs
       mountPath: /etc/ssl/certs/

helm-chart/renku/templates/authz/deployment.yaml

@@ -36,6 +36,8 @@ spec:
           # and the database migration will not read the db connection uri string from an env variable
           image: "{{ .Values.authz.image.repository }}:{{ .Values.authz.image.tag }}-debug"
           imagePullPolicy: {{ .Values.authz.image.pullPolicy }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
           env:
             - name: "SPICEDB_DATASTORE_CONN_URI"
               valueFrom:

helm-chart/renku/templates/data-service/rbac.yaml

@@ -118,16 +118,6 @@ rules:
       - delete
       - create
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "renku.fullname" . }}-data-service
-  labels:
-    app: {{ template "renku.name" . }}
-    chart: {{ template "renku.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

helm-chart/renku/templates/data-service/rbac_k8s_watcher.yaml

@@ -9,6 +9,7 @@ metadata:
     release: {{ .Release.Name }}
     heritage: {{ .Release.Service }}
 rules:
+  {{- if .Values.enableV1Services }}
   - apiGroups:
       - {{ .Values.amalthea.crdApiGroup }}
     resources:
@@ -21,6 +22,7 @@ rules:
       - list
       - get
       - watch
+  {{- end }}
   - apiGroups:
       - amalthea.dev
     resources:
@@ -56,16 +58,6 @@ rules:
       - watch
   {{- end }}
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ template "renku.fullname" . }}-k8s-watcher
-  labels:
-    app: {{ template "renku.name" . }}
-    chart: {{ template "renku.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

helm-chart/renku/templates/data-service/serviceaccounts.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "renku.fullname" . }}-data-service
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "renku.fullname" . }}-k8s-watcher
+  labels:
+    app: {{ template "renku.name" . }}
+    chart: {{ template "renku.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}

helm-chart/renku/templates/ingress.yaml

@@ -2,18 +2,11 @@
 {{- $keycloakEnabled := .Values.keycloakx.enabled -}}
 {{- $keycloakFullname := include "keycloak.fullname" . -}}
 {{- $keycloakServicePort := .Values.keycloakx.ingress.servicePort -}}
-{{- $gitlabFullname := include "gitlab.fullname" . -}}
-{{- $gitlabServicePort := 80 -}}
 {{- $uiFullname := include "ui.fullname" . -}}
 {{- $uiServicePort := .Values.ui.client.service.port -}}
 {{- $uiserverFullname := include "uiserver.fullname" . -}}
 {{- $uiserverServicePort := .Values.ui.server.service.port -}}
-{{- $webhookServiceFullname := include "renku.graph.webhookService.fullname" . -}}
-{{- $knowledgeGraphFullname := include "renku.graph.knowledgeGraph.fullname" . -}}
-{{- $searchApiFullname := include "renku.search.searchApi.fullname" . -}}
 {{- $renkuFullname := include "renku.fullname" . -}}
-{{- $jenaFullname := include "renku-jena.fullname" . -}}
-{{- $jenaServicePort := .Values.jena.service.port -}}
 {{- $swaggerEnabled := .Values.swagger.enabled -}}
 ---
 apiVersion: networking.k8s.io/v1
@@ -59,53 +52,54 @@ spec:
             port:
               name: {{ $keycloakServicePort }}
       {{- end }}
-      - path: /gitlab
+      - path: /api
         pathType: Prefix
         backend:
           service:
             name: {{ template "renku.fullname" $ }}-gateway
             port:
               number: 80
-      - path: /repos
+      - path: /
         pathType: Prefix
         backend:
           service:
-            name: {{ template "renku.fullname" $ }}-gateway
+            name: {{ $uiFullname }}
             port:
-              number: 80
-      - path: /api
+              number: {{ $uiServicePort }}
+      - path: /ui-server
         pathType: Prefix
         backend:
           service:
             name: {{ template "renku.fullname" $ }}-gateway
             port:
-              number: 80
-      - path: /entities
+              number: {{ $uiserverServicePort }}
+      {{- if $.Values.enableV1Services }}
+      - path: /gitlab
         pathType: Prefix
         backend:
           service:
             name: {{ template "renku.fullname" $ }}-gateway
             port:
               number: 80
-      - path: /
+      - path: /repos
         pathType: Prefix
         backend:
           service:
-            name: {{ $uiFullname }}
+            name: {{ template "renku.fullname" $ }}-gateway
             port:
-              number: {{ $uiServicePort }}
-      - path: /ui-server
+              number: 80
+      - path: /entities
         pathType: Prefix
         backend:
           service:
             name: {{ template "renku.fullname" $ }}-gateway
             port:
-              number: {{ $uiserverServicePort }}
+              number: 80
       - path: /webhooks/events
         pathType: Prefix
         backend:
           service:
-            name: {{ $webhookServiceFullname }}
+            name: {{ template "renku.graph.webhookService.fullname" $ }}
             port:
               number: 80
       - path: /knowledge-graph
@@ -115,6 +109,7 @@ spec:
             name: {{ template "renku.fullname" $ }}-gateway
             port:
               number: 80
+      {{- end }}
       {{- if $swaggerEnabled }}
       - path: /swagger
         pathType: Prefix

helm-chart/renku/templates/network-policies.yaml

@@ -38,6 +38,7 @@ spec:
             matchLabels:
               kubernetes.io/metadata.name: {{ .Release.Namespace }}
         {{- end }}
+        {{- if .Values.enableV1Services }}
         - podSelector:
             matchLabels:
               app: event-log
@@ -56,6 +57,7 @@ spec:
           namespaceSelector:
             matchLabels:
               kubernetes.io/metadata.name: {{ .Release.Namespace }}
+        {{- end }}
         - podSelector:
             matchLabels:
               app: post-install-postgres
@@ -288,6 +290,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -366,33 +369,7 @@ spec:
       ports:
         - protocol: TCP
           port: http-kg
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: ingress-to-search-service-from-gateway
-  labels:
-    app: {{ template "renku.name" . }}
-    chart: {{ template "renku.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-spec:
-  podSelector:
-    matchLabels:
-      app: {{ template "renku.search.searchApi.name" . }}
-      release: {{ .Release.Name }}
-  policyTypes:
-    - Ingress
-  ingress:
-    - from:
-        - podSelector:
-            matchLabels:
-              app: {{ template "gateway.name" . }}
-              release: {{ .Release.Name }}
-      ports:
-        - protocol: TCP
-          port: http-search-api
-
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -494,6 +471,7 @@ spec:
         - protocol: TCP
           port: http
 {{- end }}
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -518,6 +496,7 @@ spec:
       ports:
         - protocol: TCP
           port: http-webhook-sv
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -573,6 +552,7 @@ spec:
           port: http
         - protocol: TCP
           port: grpc
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -598,6 +578,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- end }}
 {{- if .Values.redis.install }}
 ---
 apiVersion: networking.k8s.io/v1
@@ -637,10 +618,6 @@ spec:
             matchLabels:
               app: renku-data-tasks
               release: {{ .Release.Name }}
-        - podSelector:
-            matchLabels:
-              app: {{ template "renku.search.searchApi.name" . }}
-              release: {{ .Release.Name }}
       ports:
         - protocol: TCP
           port: redis
@@ -673,12 +650,6 @@ spec:
             matchLabels:
               app: renku-data-tasks
               release: {{ .Release.Name }}
-        - podSelector:
-            matchLabels:
-              app: search-api
-        - podSelector:
-            matchLabels:
-              app: search-provision
       ports:
         - protocol: TCP
           port: http
@@ -750,6 +721,7 @@ spec:
     - from:
         - ipBlock:
             cidr: 0.0.0.0/0
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -962,6 +934,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -991,6 +964,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -1019,6 +993,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -1046,6 +1021,7 @@ spec:
       ports:
         - protocol: TCP
           port: http
+{{- if .Values.enableV1Services }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -1090,6 +1066,7 @@ spec:
       app.kubernetes.io/name: amalthea
   policyTypes:
   - Egress
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy