feat: modify for custom CA certificates (#788)

SwissDataScienceCenter · Jan 28, 2022 · 1a7f15c · 1a7f15c
1 parent 808e767
commit 1a7f15c
Show file tree

Hide file tree

Showing 20 changed files with 784 additions and 558 deletions.
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -95,7 +95,7 @@ jobs:
     - name: Install Helm Chart
       run: |
         helm dep update helm-chart/renku-notebooks
-        helm install renku-notebooks helm-chart/renku-notebooks -f test-values.yaml --wait --timeout 5m0s
+        helm install renku-notebooks helm-chart/renku-notebooks -f test-values.yaml --wait --timeout 15m0s
     - name: Helm Test
       run: |
         helm test renku-notebooks --timeout 60m0s --logs
diff --git a/git-clone/clone.sh b/git-clone/clone.sh
@@ -24,12 +24,12 @@ pat='p\/([^\/]*?)\.git'
 REPOSITORY_NAME="${BASH_REMATCH[1]}"
 
 # Wait in case gitlab is temporarily unavailable
-curl $GIT_HOST
+curl $GIT_URL
 while [ $? != 0 ]
 do
-  echo "Waiting for git server to become visible at $GIT_HOST"
+  echo "Waiting for git server to become visible at $GIT_URL"
   sleep 5
-  curl $GIT_HOST
+  curl $GIT_URL
 done
 
 echo "Git server found"

diff --git a/git-https-proxy/Dockerfile b/git-https-proxy/Dockerfile
@@ -5,4 +5,4 @@ LABEL maintainer="Swiss Data Science Center <info@datascience.ch>"
 COPY package.json package-lock.json mitmproxy.js ./
 RUN npm ci && npm cache clean --force
 
-CMD ["node", "/mitmproxy.js"]
+CMD ["node", "--use-openssl-ca", "/mitmproxy.js"]
diff --git a/helm-chart/renku-notebooks/requirements.lock b/helm-chart/renku-notebooks/requirements.lock
@@ -2,8 +2,11 @@ dependencies:
 - name: amalthea
   repository: https://swissdatasciencecenter.github.io/helm-charts/
   version: 0.2.2
+- name: certificates
+  repository: https://swissdatasciencecenter.github.io/helm-charts/
+  version: 0.0.1
 - name: dlf-chart
   repository: https://swissdatasciencecenter.github.io/datashim/
   version: 0.1.1-renku-1
-digest: sha256:2623679a03eb93eedafd5149fcea45e1fcaf7b14b3ad18d0e12a24f47280fa90
-generated: "2022-01-19T17:41:34.437304+01:00"
+digest: sha256:6e0f563928d013dab0568ef4e23a6b761a8fd39c6eda22797d17e759320bac1b
+generated: "2022-01-25T22:59:52.005894+01:00"
diff --git a/helm-chart/renku-notebooks/requirements.yaml b/helm-chart/renku-notebooks/requirements.yaml
@@ -1,7 +1,10 @@
 dependencies:
 - name: amalthea
   repository: "https://swissdatasciencecenter.github.io/helm-charts/"
-  version: "0.2.2"
+  version: 0.2.2
+- name: certificates
+  version: "0.0.1"
+  repository: "https://swissdatasciencecenter.github.io/helm-charts/"
 - name: dlf-chart
   repository: "https://swissdatasciencecenter.github.io/datashim/"
   version: "0.1.1-renku-1"

diff --git a/helm-chart/renku-notebooks/templates/configmap.yaml b/helm-chart/renku-notebooks/templates/configmap.yaml
@@ -16,20 +16,6 @@ data:
 ---
 apiVersion: v1
 kind: ConfigMap
-metadata:
-  name: hub-config-spawner
-  labels:
-    app: {{ template "notebooks.name" . }}
-    chart: {{ template "notebooks.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-data:
-{{- if .Values.sentry.dsn }}
-  SENTRY_DSN: {{ .Values.sentry.dsn | quote }}
-{{- end }}
----
-apiVersion: v1
-kind: ConfigMap
 metadata:
   name: notebook-helper-scripts
   labels:

diff --git a/helm-chart/renku-notebooks/templates/statefulset.yaml b/helm-chart/renku-notebooks/templates/statefulset.yaml
@@ -104,6 +104,11 @@ spec:
             - name: SENTRY_ENV
               value: {{ .Values.sentry.env | quote }}
             {{ end }}
+            - name: CERTIFICATES_IMAGE
+              value: "{{ .Values.global.certificates.image.repository }}:{{ .Values.global.certificates.image.tag }}"
+            - name: CUSTOM_CA_CERTS_SECRETS
+              value: |
+                {{- .Values.global.certificates.customCAs | toYaml | nindent 16 }}
             {{- with .Values.sessionNodeSelector }}
             - name: SESSION_NODE_SELECTOR
               value: |
@@ -124,6 +129,7 @@ spec:
                 fieldRef:
                   apiVersion: v1
                   fieldPath: metadata.namespace
+            {{- include "certificates.env.python" . | nindent 12 }}
             - name: ENFORCE_CPU_LIMITS
               value: {{ .Values.enforceCPULimits | quote }}
             - name: S3_MOUNTS_ENABLED
@@ -135,6 +141,7 @@ spec:
           volumeMounts:
             - name: server-options
               mountPath: /etc/renku-notebooks/server_options
+            {{- include "certificates.volumeMounts.system" . | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /health
@@ -148,6 +155,7 @@ spec:
           resources:
 {{ toYaml .Values.resources | indent 12 }}
       initContainers:
+        {{- include "certificates.initContainer" . | nindent 8 }}
         - name: k8s-resource-schema-migrations
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -173,6 +181,7 @@ spec:
         - name: server-options
           configMap:
             name: {{ template "notebooks.fullname" . }}-options
+        {{- include "certificates.volumes" . | nindent 8 }}
 
       serviceAccountName: {{ if .Values.rbac.create }}"{{ template "notebooks.fullname" . }}"{{ else }}"{{ .Values.rbac.serviceAccountName }}"{{ end }}
     {{- with .Values.nodeSelector }}

diff --git a/helm-chart/renku-notebooks/values.yaml b/helm-chart/renku-notebooks/values.yaml
@@ -10,6 +10,17 @@ global:
     domain:
   anonymousSessions:
     enabled: false
+  ## Specify a secret that containes the certificate
+  ## if you would like to use a custom CA. The key for the secret
+  ## should have the .crt extension otherwise it is ignored. The
+  ## keys across all secrets are mounted as files in one location so
+  ## the keys across all secrets have to be unique.
+  certificates:
+    image:
+      repository: renku/certificates
+      tag: "0.0.1"
+    customCAs: []
+      # - secret:
 
 amalthea:
   scope:

diff --git a/renku_notebooks/api/amalthea_patches/__init__.py b/renku_notebooks/api/amalthea_patches/__init__.py
diff --git a/renku_notebooks/api/amalthea_patches/autosave.py b/renku_notebooks/api/amalthea_patches/autosave.py
@@ -0,0 +1,61 @@
+def main():
+    patches = []
+    patches.append(
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/containers/0/lifecycle",
+                    "value": {
+                        "preStop": {
+                            "exec": {
+                                "command": [
+                                    "/bin/sh",
+                                    "-c",
+                                    "/usr/local/bin/pre-stop.sh",
+                                    "||",
+                                    "true",
+                                ]
+                            }
+                        }
+                    },
+                }
+            ],
+        }
+    )
+    patches.append(
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/volumes/-",
+                    "value": {
+                        "name": "notebook-helper-scripts-volume",
+                        "configMap": {
+                            "name": "notebook-helper-scripts",
+                            "defaultMode": 493,
+                        },
+                    },
+                }
+            ],
+        }
+    )
+    patches.append(
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/containers/0/volumeMounts/-",
+                    "value": {
+                        "mountPath": "/usr/local/bin/pre-stop.sh",
+                        "name": "notebook-helper-scripts-volume",
+                        "subPath": "pre-stop.sh",
+                    },
+                }
+            ],
+        }
+    )
+    return patches
diff --git a/renku_notebooks/api/amalthea_patches/general.py b/renku_notebooks/api/amalthea_patches/general.py
@@ -0,0 +1,111 @@
+from flask import current_app
+
+from ..classes.user import RegisteredUser
+
+
+def session_tolerations():
+    patches = []
+    tolerations = [
+        {
+            "key": f"{current_app.config['RENKU_ANNOTATION_PREFIX']}dedicated",
+            "operator": "Equal",
+            "value": "user",
+            "effect": "NoSchedule",
+        },
+        *current_app.config["SESSION_TOLERATIONS"],
+    ]
+    patches.append(
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/tolerations",
+                    "value": tolerations,
+                }
+            ],
+        }
+    )
+    return patches
+
+
+def session_affinity():
+    return [
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/affinity",
+                    "value": current_app.config["SESSION_AFFINITY"],
+                }
+            ],
+        }
+    ]
+
+
+def session_node_selector():
+    return [
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/nodeSelector",
+                    "value": current_app.config["SESSION_NODE_SELECTOR"],
+                }
+            ],
+        }
+    ]
+
+
+def test(server):
+    """RFC 6901 patches support test statements that will cause the whole patch
+    to fail if the test statements are not correct. This is used to ensure that the
+    order of containers in the amalthea manifests is what the notebook service expects."""
+    patches = []
+    container_names = (
+        current_app.config["AMALTHEA_CONTAINER_ORDER_REGISTERED_SESSION"]
+        if type(server._user) is RegisteredUser
+        else current_app.config["AMALTHEA_CONTAINER_ORDER_ANONYMOUS_SESSION"]
+    )
+    for container_ind, container_name in enumerate(container_names):
+        patches.append(
+            {
+                "type": "application/json-patch+json",
+                "patch": [
+                    {
+                        "op": "test",
+                        "path": (
+                            "/statefulset/spec/template/spec"
+                            f"/containers/{container_ind}/name"
+                        ),
+                        "value": container_name,
+                    }
+                ],
+            }
+        )
+    return patches
+
+
+def oidc_unverified_email(server):
+    patches = []
+    if type(server._user) is RegisteredUser:
+        # modify oauth2 proxy to accept users whose email has not been verified
+        # usually enabled for dev purposes
+        patches.append(
+            {
+                "type": "application/json-patch+json",
+                "patch": [
+                    {
+                        "op": "add",
+                        "path": "/statefulset/spec/template/spec/containers/1/env/-",
+                        "value": {
+                            "name": "OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL",
+                            "value": current_app.config["OIDC_ALLOW_UNVERIFIED_EMAIL"],
+                        },
+                    },
+                ],
+            }
+        )
+    return patches
diff --git a/renku_notebooks/api/amalthea_patches/git_proxy.py b/renku_notebooks/api/amalthea_patches/git_proxy.py
@@ -0,0 +1,58 @@
+from flask import current_app
+
+from ..classes.user import RegisteredUser
+from .utils import get_certificates_volume_mounts
+
+
+def main(server):
+    etc_cert_volume_mount = get_certificates_volume_mounts(
+        custom_certs=False,
+        etc_certs=True,
+        read_only_etc_certs=True,
+    )
+    patches = []
+    patches.append(
+        {
+            "type": "application/json-patch+json",
+            "patch": [
+                {
+                    "op": "add",
+                    "path": "/statefulset/spec/template/spec/containers/-",
+                    "value": {
+                        "image": current_app.config["GIT_HTTPS_PROXY_IMAGE"],
+                        "name": "git-proxy",
+                        "env": [
+                            {
+                                "name": "REPOSITORY_URL",
+                                "value": server.gl_project.http_url_to_repo,
+                            },
+                            {"name": "MITM_PROXY_PORT", "value": "8080"},
+                            {"name": "HEALTH_PORT", "value": "8081"},
+                            {
+                                "name": "GITLAB_OAUTH_TOKEN",
+                                "value": server._user.git_token,
+                            },
+                            {
+                                "name": "ANONYMOUS_SESSION",
+                                "value": (
+                                    "false"
+                                    if type(server._user) is RegisteredUser
+                                    else "true"
+                                ),
+                            },
+                        ],
+                        "livenessProbe": {
+                            "httpGet": {"path": "/health", "port": 8081},
+                            "initialDelaySeconds": 3,
+                        },
+                        "readinessProbe": {
+                            "httpGet": {"path": "/health", "port": 8081},
+                            "initialDelaySeconds": 3,
+                        },
+                        "volumeMounts": etc_cert_volume_mount,
+                    },
+                }
+            ],
+        }
+    )
+    return patches