feat: modify for custom CA certificates (#788)
Showing
20 changed files
with
784 additions
and
558 deletions.
Empty file.
@@ -0,0 +1,61 @@ | ||
def main(): | ||
patches = [] | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/containers/0/lifecycle", | ||
"value": { | ||
"preStop": { | ||
"exec": { | ||
"command": [ | ||
"/bin/sh", | ||
"-c", | ||
"/usr/local/bin/pre-stop.sh", | ||
"||", | ||
"true", | ||
] | ||
} | ||
} | ||
}, | ||
} | ||
], | ||
} | ||
) | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/volumes/-", | ||
"value": { | ||
"name": "notebook-helper-scripts-volume", | ||
"configMap": { | ||
"name": "notebook-helper-scripts", | ||
"defaultMode": 493, | ||
}, | ||
}, | ||
} | ||
], | ||
} | ||
) | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/containers/0/volumeMounts/-", | ||
"value": { | ||
"mountPath": "/usr/local/bin/pre-stop.sh", | ||
"name": "notebook-helper-scripts-volume", | ||
"subPath": "pre-stop.sh", | ||
}, | ||
} | ||
], | ||
} | ||
) | ||
return patches |
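Review bot: The `|| true` fallback in the preStop command never takes effect, because with `/bin/sh -c` only the first argument after `-c` is parsed as the command string and `||` and `true` arrive as positional parameters `$0` and `$1`. If the intent is to tolerate a failing helper script, the command should be `["/bin/sh", "-c", "/usr/local/bin/pre-stop.sh || true"]`. A preStop failure does not block pod termination in Kubernetes anyway (it only surfaces as a FailedPreStopHook event), so the fallback may be cosmetic, but as written it is misleading. A further caveat worth a comment on the volumeMount: a ConfigMap mounted via `subPath` is not refreshed when the ConfigMap changes, so a new `pre-stop.sh` only takes effect after a pod restart.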
@@ -0,0 +1,111 @@ | ||
from flask import current_app | ||
|
||
from ..classes.user import RegisteredUser | ||
|
||
|
||
def session_tolerations(): | ||
patches = [] | ||
tolerations = [ | ||
{ | ||
"key": f"{current_app.config['RENKU_ANNOTATION_PREFIX']}dedicated", | ||
"operator": "Equal", | ||
"value": "user", | ||
"effect": "NoSchedule", | ||
}, | ||
*current_app.config["SESSION_TOLERATIONS"], | ||
] | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/tolerations", | ||
"value": tolerations, | ||
} | ||
], | ||
} | ||
) | ||
return patches | ||
|
||
|
||
def session_affinity(): | ||
return [ | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/affinity", | ||
"value": current_app.config["SESSION_AFFINITY"], | ||
} | ||
], | ||
} | ||
] | ||
|
||
|
||
def session_node_selector(): | ||
return [ | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/nodeSelector", | ||
"value": current_app.config["SESSION_NODE_SELECTOR"], | ||
} | ||
], | ||
} | ||
] | ||
|
||
|
||
def test(server): | ||
"""RFC 6901 patches support test statements that will cause the whole patch | ||
to fail if the test statements are not correct. This is used to ensure that the | ||
order of containers in the amalthea manifests is what the notebook service expects.""" | ||
patches = [] | ||
container_names = ( | ||
current_app.config["AMALTHEA_CONTAINER_ORDER_REGISTERED_SESSION"] | ||
if type(server._user) is RegisteredUser | ||
else current_app.config["AMALTHEA_CONTAINER_ORDER_ANONYMOUS_SESSION"] | ||
) | ||
for container_ind, container_name in enumerate(container_names): | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "test", | ||
"path": ( | ||
"/statefulset/spec/template/spec" | ||
f"/containers/{container_ind}/name" | ||
), | ||
"value": container_name, | ||
} | ||
], | ||
} | ||
) | ||
return patches | ||
|
||
|
||
def oidc_unverified_email(server): | ||
patches = [] | ||
if type(server._user) is RegisteredUser: | ||
# modify oauth2 proxy to accept users whose email has not been verified | ||
# usually enabled for dev purposes | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/containers/1/env/-", | ||
"value": { | ||
"name": "OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL", | ||
"value": current_app.config["OIDC_ALLOW_UNVERIFIED_EMAIL"], | ||
}, | ||
}, | ||
], | ||
} | ||
) | ||
return patches |
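Review bot: `oidc_unverified_email` injects `OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL` into every registered-user session regardless of the configured value, so the insecure knob is always present in production manifests and only its value decides; the safer shape is to append the patch only when `current_app.config["OIDC_ALLOW_UNVERIFIED_EMAIL"]` is actually enabled, leaving oauth2-proxy at its strict default otherwise. The value is also passed through verbatim, and Kubernetes requires an env `value` to be a string, so if that config entry ever holds a bool the patch is rejected — presumably it is already a string, but `str(...).lower()` would make that explicit. The hard-coded `containers/1` index silently depends on the ordering that `test()` asserts; a one-line comment saying so would help the next maintainer. In `test()`'s docstring the `test` op comes from RFC 6902 (JSON Patch), not RFC 6901 (JSON Pointer): `"""RFC 6902 patches support test statements that will cause the whole patch`.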
@@ -0,0 +1,58 @@ | ||
from flask import current_app | ||
|
||
from ..classes.user import RegisteredUser | ||
from .utils import get_certificates_volume_mounts | ||
|
||
|
||
def main(server): | ||
etc_cert_volume_mount = get_certificates_volume_mounts( | ||
custom_certs=False, | ||
etc_certs=True, | ||
read_only_etc_certs=True, | ||
) | ||
patches = [] | ||
patches.append( | ||
{ | ||
"type": "application/json-patch+json", | ||
"patch": [ | ||
{ | ||
"op": "add", | ||
"path": "/statefulset/spec/template/spec/containers/-", | ||
"value": { | ||
"image": current_app.config["GIT_HTTPS_PROXY_IMAGE"], | ||
"name": "git-proxy", | ||
"env": [ | ||
{ | ||
"name": "REPOSITORY_URL", | ||
"value": server.gl_project.http_url_to_repo, | ||
}, | ||
{"name": "MITM_PROXY_PORT", "value": "8080"}, | ||
{"name": "HEALTH_PORT", "value": "8081"}, | ||
{ | ||
"name": "GITLAB_OAUTH_TOKEN", | ||
"value": server._user.git_token, | ||
}, | ||
{ | ||
"name": "ANONYMOUS_SESSION", | ||
"value": ( | ||
"false" | ||
if type(server._user) is RegisteredUser | ||
else "true" | ||
), | ||
}, | ||
], | ||
"livenessProbe": { | ||
"httpGet": {"path": "/health", "port": 8081}, | ||
"initialDelaySeconds": 3, | ||
}, | ||
"readinessProbe": { | ||
"httpGet": {"path": "/health", "port": 8081}, | ||
"initialDelaySeconds": 3, | ||
}, | ||
"volumeMounts": etc_cert_volume_mount, | ||
}, | ||
} | ||
], | ||
} | ||
) | ||
return patches |
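Review bot: `GITLAB_OAUTH_TOKEN` is set as a literal env `value` from `server._user.git_token`, which writes the user's GitLab token into the StatefulSet/pod spec where anyone with read access to those objects (or to the parent custom resource) can see it, and it can surface in API-server audit records of the patch. This may simply be carried over from wherever the git-proxy patch lived before this commit, but the safer pattern is to place the token in a per-session Secret and reference it with `"valueFrom": {"secretKeyRef": {...}}` instead of `"value"`. For anonymous sessions `git_token` may be `None`, which would yield an invalid non-string env value — worth confirming against the user classes, or guarding with `server._user.git_token or ""`. A short docstring on `main` stating that it appends the git-proxy sidecar with read-only etc-certs volume mounts would also help.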