Update main for 2024.3.2 (#2333)

.github/workflows/release.yaml

@@ -8,7 +8,8 @@ jobs:
   test-pypi:
     name: Test PyPi release
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
       - name: Set up python
         uses: actions/setup-python@v4
@@ -35,8 +36,6 @@ jobs:
       - name: Publish to test PyPI
         uses: pypa/gh-action-pypi-publish@release/v1
         with:
-          user: __token__
-          password: ${{ secrets.TEST_PYPI_API_TOKEN }}
           repository-url: https://test.pypi.org/legacy/
 
       - name: Sleep
@@ -74,19 +73,5 @@ jobs:
       - name: Build source and binary
         run: python -m build --sdist --wheel .
 
-      - name: Retrieve secret from Vault
-        uses: hashicorp/[email protected]
-        with:
-          method: jwt
-          url: "https://quansight-vault-public-vault-b2379fa7.d415e30e.z1.hashicorp.cloud:8200"
-          namespace: "admin/quansight"
-          role: "repository-nebari-dev-nebari-role"
-          secrets: |
-            kv/data/repository/nebari-dev/nebari/shared_secrets PYPI_USERNAME | PYPI_USERNAME;
-            kv/data/repository/nebari-dev/nebari/shared_secrets PYPI_PASSWORD | PYPI_PASSWORD;
-
       - name: Publish package
         uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          user: ${{ env.PYPI_USERNAME }}
-          password: ${{ env.PYPI_PASSWORD }}

.pre-commit-config.yaml

@@ -51,13 +51,13 @@ repos:
 
   # python
   - repo: https://github.com/psf/black
-    rev: 23.12.1
+    rev: 24.1.1
     hooks:
       - id: black
         args: ["--line-length=88", "--exclude=/src/_nebari/template/"]
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.1.9
+    rev: v0.2.0
     hooks:
       - id: ruff
         args: ["--fix"]

RELEASE.md

@@ -9,7 +9,18 @@ This file is copied to nebari-dev/nebari-docs using a GitHub Action. -->
 
 ---
 
-## Upcoming Release
+
+## Release 2024.3.2 - March 14, 2024
+
+### What's Changed
+* update max k8s versions and remove depreciated api usage in local deploy by @dcmcand in https://github.com/nebari-dev/nebari/pull/2276
+* update keycloak image repo by @Adam-D-Lewis in https://github.com/nebari-dev/nebari/pull/2312
+* Generate random password for Grafana by @aktech in https://github.com/nebari-dev/nebari/pull/2289
+* update conda store to 2024.3.1 by @Adam-D-Lewis in https://github.com/nebari-dev/nebari/pull/2316
+* Switch PyPI release workflow to use trusted publishing by @viniciusdc in https://github.com/nebari-dev/nebari/pull/2323
+
+
+**Full Changelog**: https://github.com/nebari-dev/nebari/compare/2024.3.1...2024.3.2
 
 ## Release 2024.3.1 - March 11, 2024
 

src/_nebari/constants.py

@@ -1,4 +1,4 @@
-CURRENT_RELEASE = "2024.3.1"
+CURRENT_RELEASE = "2024.3.2"
 
 # NOTE: Terraform cannot be upgraded further due to Hashicorp licensing changes
 # implemented in August 2023.
@@ -8,14 +8,14 @@
 # 04-kubernetes-ingress
 DEFAULT_TRAEFIK_IMAGE_TAG = "2.9.1"
 
-HIGHEST_SUPPORTED_K8S_VERSION = ("1", "26", "9")
+HIGHEST_SUPPORTED_K8S_VERSION = ("1", "29", "2")
 DEFAULT_GKE_RELEASE_CHANNEL = "UNSPECIFIED"
 
 DEFAULT_NEBARI_DASK_VERSION = CURRENT_RELEASE
 DEFAULT_NEBARI_IMAGE_TAG = CURRENT_RELEASE
 DEFAULT_NEBARI_WORKFLOW_CONTROLLER_IMAGE_TAG = CURRENT_RELEASE
 
-DEFAULT_CONDA_STORE_IMAGE_TAG = "2024.1.1"
+DEFAULT_CONDA_STORE_IMAGE_TAG = "2024.3.1"
 
 LATEST_SUPPORTED_PYTHON_VERSION = "3.10"
 

src/_nebari/stages/infrastructure/template/local/main.tf

@@ -1,8 +1,8 @@
 terraform {
   required_providers {
     kind = {
-      source  = "kyma-incubator/kind"
-      version = "0.0.11"
+      source  = "tehcyx/kind"
+      version = "0.4.0"
     }
     docker = {
       source  = "kreuzwerker/docker"
@@ -48,7 +48,7 @@ resource "kind_cluster" "default" {
 
     node {
       role  = "general"
-      image = "kindest/node:v1.23.13"
+      image = "kindest/node:v1.29.2"
     }
   }
 }

src/_nebari/stages/infrastructure/template/local/metallb.yaml

@@ -1,82 +1,3 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: controller
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities: []
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  hostIPC: false
-  hostNetwork: false
-  hostPID: false
-  privileged: false
-  readOnlyRootFilesystem: true
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    ranges:
-    - max: 65535
-      min: 1
-    rule: MustRunAs
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
----
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
-  labels:
-    app: metallb
-  name: speaker
-spec:
-  allowPrivilegeEscalation: false
-  allowedCapabilities:
-  - NET_RAW
-  allowedHostPaths: []
-  defaultAddCapabilities: []
-  defaultAllowPrivilegeEscalation: false
-  fsGroup:
-    rule: RunAsAny
-  hostIPC: false
-  hostNetwork: true
-  hostPID: false
-  hostPorts:
-  - max: 7472
-    min: 7472
-  - max: 7946
-    min: 7946
-  privileged: true
-  readOnlyRootFilesystem: true
-  requiredDropCapabilities:
-  - ALL
-  runAsUser:
-    rule: RunAsAny
-  seLinux:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

src/_nebari/stages/kubernetes_ingress/__init__.py

@@ -181,9 +181,9 @@ def input_vars(self, stage_outputs: Dict[str, Dict[str, Any]]):
             cert_details["acme-email"] = self.config.certificate.acme_email
             cert_details["acme-server"] = self.config.certificate.acme_server
         elif cert_type == "existing":
-            cert_details[
-                "certificate-secret-name"
-            ] = self.config.certificate.secret_name
+            cert_details["certificate-secret-name"] = (
+                self.config.certificate.secret_name
+            )
 
         return {
             **{

src/_nebari/stages/kubernetes_keycloak/template/modules/kubernetes/keycloak-helm/values.yaml

@@ -4,6 +4,9 @@ ingress:
   # we will need to define our own IngressRoute elsewhere.
   enabled: false
 
+image:
+  repository: quay.io/keycloak/keycloak
+
 imagePullSecrets:
   - name: "extcrcreds"
 

src/_nebari/stages/kubernetes_services/__init__.py

@@ -51,9 +51,15 @@ class Storage(schema.Base):
 class JupyterHubTheme(schema.Base):
     hub_title: str = "Nebari"
     hub_subtitle: str = "Your open source data science platform"
-    welcome: str = """Welcome! Learn about Nebari's features and configurations in <a href="https://www.nebari.dev/docs">the documentation</a>. If you have any questions or feedback, reach the team on <a href="https://www.nebari.dev/docs/community#getting-support">Nebari's support forums</a>."""
-    logo: str = "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/logo-mark/horizontal/Nebari-Logo-Horizontal-Lockup-White-text.svg"
-    favicon: str = "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/symbol/favicon.ico"
+    welcome: str = (
+        """Welcome! Learn about Nebari's features and configurations in <a href="https://www.nebari.dev/docs">the documentation</a>. If you have any questions or feedback, reach the team on <a href="https://www.nebari.dev/docs/community#getting-support">Nebari's support forums</a>."""
+    )
+    logo: str = (
+        "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/logo-mark/horizontal/Nebari-Logo-Horizontal-Lockup-White-text.svg"
+    )
+    favicon: str = (
+        "https://raw.githubusercontent.com/nebari-dev/nebari-design/main/symbol/favicon.ico"
+    )
     primary_color: str = "#4f4173"
     primary_color_dark: str = "#4f4173"
     secondary_color: str = "#957da6"

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py

@@ -208,12 +208,14 @@ def base_profile_extra_mounts():
 
     extra_pod_config = {
         "volumes": [
-            {
-                "name": volume["name"],
-                "persistentVolumeClaim": {"claimName": volume["name"]},
-            }
-            if volume["kind"] == "persistentvolumeclaim"
-            else {"name": volume["name"], "configMap": {"name": volume["name"]}}
+            (
+                {
+                    "name": volume["name"],
+                    "persistentVolumeClaim": {"claimName": volume["name"]},
+                }
+                if volume["kind"] == "persistentvolumeclaim"
+                else {"name": volume["name"], "configMap": {"name": volume["name"]}}
+            )
             for mount_path, volume in extra_mounts.items()
         ]
     }
@@ -367,9 +369,11 @@ def configure_user(username, groups, uid=1000, gid=100):
             # mount the shared directories for user only if there are
             # shared folders (groups) that the user is a member of
             # else ensure that the `shared` folder symlink does not exist
-            f"ln -sfn /shared /home/{username}/shared"
-            if groups
-            else f"rm -f /home/{username}/shared",
+            (
+                f"ln -sfn /shared /home/{username}/shared"
+                if groups
+                else f"rm -f /home/{username}/shared"
+            ),
             # conda-store environment configuration
             f"printf '{condarc}' > /home/{username}/.condarc",
             # jupyter configuration

src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf

@@ -1,3 +1,8 @@
+resource "random_password" "grafana_admin_password" {
+  length  = 32
+  special = false
+}
+
 resource "helm_release" "prometheus-grafana" {
   name       = "nebari"
   namespace  = var.namespace
@@ -176,6 +181,9 @@ resource "helm_release" "prometheus-grafana" {
           "${var.node-group.key}" = var.node-group.value
         }
 
+        # Avoid using the default password, as that's a security risk
+        adminPassword : random_password.grafana_admin_password.result
+
         sidecar = {
           dashboards = {
             annotations = {

src/_nebari/upgrade.py

@@ -716,6 +716,17 @@ def _version_specific_upgrade(
         return config
 
 
+class Upgrade_2024_3_2(UpgradeStep):
+    version = "2024.3.2"
+
+    def _version_specific_upgrade(
+        self, config, start_version, config_filename: Path, *args, **kwargs
+    ):
+        rich.print("Ready to upgrade to Nebari version [green]2024.3.2[/green].")
+
+        return config
+
+
 __rounded_version__ = str(rounded_ver_parse(__version__))
 
 # Manually-added upgrade steps must go above this line

tests/tests_deployment/test_grafana_api.py

@@ -0,0 +1,18 @@
+import base64
+
+import pytest
+import requests
+
+from tests.tests_deployment import constants
+
+
+@pytest.mark.filterwarnings("ignore::urllib3.exceptions.InsecureRequestWarning")
+def test_grafana_api_not_accessible_with_default_credentials():
+    """Making sure that Grafana's API is not accessible on default user/pass"""
+    user_pass_b64_encoded = base64.b64encode(b"admin:prom-operator").decode()
+    response = requests.get(
+        f"https://{constants.NEBARI_HOSTNAME}/monitoring/api/datasources",
+        headers={"Authorization": f"Basic {user_pass_b64_encoded}"},
+        verify=False,
+    )
+    assert response.status_code == 401