Merge pull request #138 from pat-s/profiles

Update information on defining "profiles" in README

charts/rstudio-workbench/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-workbench
 description: Official Helm chart for RStudio Workbench
-version: 0.5.7
+version: 0.5.8
 apiVersion: v2
 appVersion: 2021.09.2-382.pro1
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png

charts/rstudio-workbench/NEWS.md

@@ -1,3 +1,9 @@
+# 0.5.8
+
+- Update README docs
+- Add `selector` for storage definition ([#136](https://github.com/rstudio/helm/issues/136))
+- Fix default permissions (0644) on pam mounts ([#141](https://github.com/rstudio/helm/issues/141))
+
 # 0.5.7
 
 - Update `logging.conf` to default to output logs on `stderr`

charts/rstudio-workbench/README.md

@@ -1,6 +1,6 @@
 # RStudio Workbench
 
-![Version: 0.5.7](https://img.shields.io/badge/Version-0.5.7-informational?style=flat-square) ![AppVersion: 2021.09.2-382.pro1](https://img.shields.io/badge/AppVersion-2021.09.2--382.pro1-informational?style=flat-square)
+![Version: 0.5.8](https://img.shields.io/badge/Version-0.5.8-informational?style=flat-square) ![AppVersion: 2021.09.2-382.pro1](https://img.shields.io/badge/AppVersion-2021.09.2--382.pro1-informational?style=flat-square)
 
 #### _Official Helm chart for RStudio Workbench_
 
@@ -23,11 +23,11 @@ As a result, please:
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release` at version 0.5.7:
+To install the chart with the release name `my-release` at version 0.5.8:
 
 ```bash
 helm repo add rstudio https://helm.rstudio.com
-helm install my-release rstudio/rstudio-workbench --version=0.5.7
+helm install my-release rstudio/rstudio-workbench --version=0.5.8
 ```
 
 ## Required Configuration
@@ -126,7 +126,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - mounted at `/mnt/session-configmap/rstudio/`
 - Session Secret Configuration
   - These configuration files are mounted into the server and session pods as well
-  - `odbc.ini` and other similar shared secrets 
+  - `odbc.ini` and other similar shared secrets
   - located in `config.sessionSecret.<< name of file>>` helm values
   - mounted at `/mnt/session-secret/`
 - Secret Configuration
@@ -144,7 +144,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - `launcher-mounts`, `launcher-env`
   - They are located at `config.serverDcf.<< name of file >>` helm values
   - included at `/mnt/configmap/rstudio/`
-- Profiles Configuration 
+- Profiles Configuration
   - These configuration files are mounted into the server (.ini file format)
   - `launcher.kubernetes.profiles.conf`
   - They are located at `config.profiles.<< name of file >>` helm values
@@ -157,7 +157,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - `prestart-launcher.bash` is used to start launcher
 - User Provisioning Configuration
   - These configuration files are used for configuring user provisioning (i.e. `sssd`)
-  - Located at `config.userProvisioning.<< name of file >>` helm values 
+  - Located at `config.userProvisioning.<< name of file >>` helm values
   - Mounted onto `/etc/sssd/conf.d/` with `0600` permissions by default
 - Custom Startup Configuration
   - `supervisord` service / unit definition `.conf` files
@@ -220,7 +220,7 @@ config:
       # the rstudio-session PAM config file
       # will be used verbatim
 ```
-   
+
 ## RStudio Profiles
 
 Profiles are used to define product behavior (in `.ini` file format) based on user and group membership.
@@ -243,6 +243,7 @@ some-key:
 ```
 - The `[*]` section will have arrays "appended" to user and group sections, along with "defaults" defined by the chart.
 
+Note that if you want to set user limits which are usually defined in `/etc/rstudio/profiles`, you would need to configure `config.profiles.profiles` as shown below.
 ### A Full Example
 
 ```yaml
@@ -257,17 +258,28 @@ config:
         some-key:
           - value4
           - value5
+    profiles:
+      "*":
+        some-key: value1
+        some-key2: value2
 ```
 
 Becomes:
 
+_/etc/rstudio/launcher.kubernetes.profiles.conf_
 ```ini
 [*]
 some-key: value1,value2
 [myuser]
 some-key: value1,value2,value3,value4
 ```
 
+_/etc/rstudio/profiles_
+```ini
+[*]
+some-key: value1
+some-key2: value2
+```
 > NOTE: this appending / concatenation / array translation behavior only works with the helm chart
 
 ### Job Json Overrides
@@ -330,6 +342,7 @@ config:
 | homeStorage.name | string | `""` | The name of the pvc. By default, computes a value from the release name |
 | homeStorage.path | string | `"/home"` | the path to mount the homeStorage claim within the pod |
 | homeStorage.requests.storage | string | `"10Gi"` | the volume of storage to request for this persistent volume claim |
+| homeStorage.selector | object | `{}` | selector for PVC definition |
 | homeStorage.storageClassName | bool | `false` | storageClassName - the type of storage to use. Must allow ReadWriteMany |
 | image.imagePullPolicy | string | `"IfNotPresent"` | the imagePullPolicy for the main pod image |
 | image.imagePullSecrets | list | `[]` | an array of kubernetes secrets for pulling the main pod image from private registries |
@@ -395,6 +408,7 @@ config:
 | sharedStorage.name | string | `""` | The name of the pvc. By default, computes a value from the release name |
 | sharedStorage.path | string | `"/var/lib/rstudio-server"` | the path to mount the sharedStorage claim within the pod |
 | sharedStorage.requests.storage | string | `"10Gi"` | the volume of storage to request for this persistent volume claim |
+| sharedStorage.selector | object | `{}` | selector for PVC definition |
 | sharedStorage.storageClassName | bool | `false` | storageClassName - the type of storage to use. Must allow ReadWriteMany |
 | startupProbe | object | `{"enabled":false,"failureThreshold":30,"httpGet":{"path":"/health-check","port":8787},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":1}` | startupProbe is used to configure the container's startupProbe |
 | startupProbe.failureThreshold | int | `30` | failureThreshold * periodSeconds should be strictly > worst case startup time |

charts/rstudio-workbench/README.md.gotmpl

@@ -51,14 +51,13 @@ config:
 In addition to the above required configuration, we recommend setting the following to ensure a reliable deployment:
 
 * Set the `launcherPem` value to ensure that it stays the same between releases.
-  This will ensure that users can continue to properly connect to older sessions even after a redeployment of the chart. See the 
+  This will ensure that users can continue to properly connect to older sessions even after a redeployment of the chart. See the
   [RSW Admin Guide](https://docs.rstudio.com/ide/server-pro/job-launcher.html#authentication) for details on generating the file.
 * Set the `global.secureCookieKey` so that user authentication continues to work between deployments. A valid value can be obtained
   by simply running the `uuid` command.
 * Some use-cases may require special PAM profiles to run. By default, no PAM profiles other than the basic `auth` profile will be used to authenticate users.
   If this is not sufficient then you will need to add your PAM profiles into the container using a volume and volumeMount.
 
-
 ## General Principles
 
 - In most places, we opt to pass Helm values directly into ConfigMaps. We automatically translate these into the
@@ -105,7 +104,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - mounted at `/mnt/session-configmap/rstudio/`
 - Session Secret Configuration
   - These configuration files are mounted into the server and session pods as well
-  - `odbc.ini` and other similar shared secrets  
+  - `odbc.ini` and other similar shared secrets
   - located in `config.sessionSecret.<< name of file>>` helm values
   - mounted at `/mnt/session-secret/`
 - Secret Configuration
@@ -123,7 +122,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - `launcher-mounts`, `launcher-env`
   - They are located at `config.serverDcf.<< name of file >>` helm values
   - included at `/mnt/configmap/rstudio/`
-- Profiles Configuration  
+- Profiles Configuration
   - These configuration files are mounted into the server (.ini file format)
   - `launcher.kubernetes.profiles.conf`
   - They are located at `config.profiles.<< name of file >>` helm values
@@ -136,7 +135,7 @@ the `XDG_CONFIG_DIRS` environment variable
   - `prestart-launcher.bash` is used to start launcher
 - User Provisioning Configuration
   - These configuration files are used for configuring user provisioning (i.e. `sssd`)
-  - Located at `config.userProvisioning.<< name of file >>` helm values  
+  - Located at `config.userProvisioning.<< name of file >>` helm values
   - Mounted onto `/etc/sssd/conf.d/` with `0600` permissions by default
 - Custom Startup Configuration
   - `supervisord` service / unit definition `.conf` files
@@ -199,7 +198,7 @@ config:
       # the rstudio-session PAM config file
       # will be used verbatim
 ```
-    
+
 ## RStudio Profiles
 
 Profiles are used to define product behavior (in `.ini` file format) based on user and group membership.
@@ -222,6 +221,7 @@ some-key:
 ```
 - The `[*]` section will have arrays "appended" to user and group sections, along with "defaults" defined by the chart.
 
+Note that if you want to set user limits which are usually defined in `/etc/rstudio/profiles`, you would need to configure `config.profiles.profiles` as shown below.
 ### A Full Example
 
 ```yaml
@@ -236,17 +236,28 @@ config:
         some-key:
           - value4
           - value5
+    profiles:
+      "*":
+        some-key: value1
+        some-key2: value2
 ```
 
 Becomes:
 
+_/etc/rstudio/launcher.kubernetes.profiles.conf_
 ```ini
 [*]
 some-key: value1,value2
 [myuser]
 some-key: value1,value2,value3,value4
 ```
 
+_/etc/rstudio/profiles_
+```ini
+[*]
+some-key: value1
+some-key2: value2
+```
 > NOTE: this appending / concatenation / array translation behavior only works with the helm chart
 
 ### Job Json Overrides
@@ -273,7 +284,7 @@ config:
             json: "Always"
             name: imagePullPolicy
           - target: "/spec/template/spec/imagePullSecrets"
-            json: 
+            json:
               name: my-pull-secret
             name: imagePullSecrets
         container-images:

charts/rstudio-workbench/templates/_helpers.tpl

@@ -261,7 +261,7 @@ volumes:
 - name: rstudio-pam
   configMap:
     name: {{ include "rstudio-workbench.fullname" . }}-pam
-    defaultMode: 0755
+    defaultMode: 0644
 {{- end }}
 - name: rstudio-secret
   secret:

charts/rstudio-workbench/templates/pvc.yaml

@@ -16,6 +16,10 @@ spec:
   resources:
     requests:
       storage: {{ .Values.sharedStorage.requests.storage }}
+  {{- with .Values.sharedStorage.selector }}
+  selector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 ---
 {{- end }}
 {{- if .Values.homeStorage.create }}
@@ -36,5 +40,9 @@ spec:
   resources:
     requests:
       storage: {{ .Values.homeStorage.requests.storage }}
+  {{- with .Values.homeStorage.selector }}
+  selector:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 ---
 {{- end }}

charts/rstudio-workbench/values.yaml

@@ -41,6 +41,8 @@ sharedStorage:
   requests:
     # -- the volume of storage to request for this persistent volume claim
     storage: "10Gi"
+  # -- selector for PVC definition
+  selector: {}
 
 # -- How to handle updates to the service. RollingUpdate (the default) minimizes downtime, but
 # will not work well if your license only allows a single activation.
@@ -77,6 +79,8 @@ homeStorage:
   requests:
     # -- the volume of storage to request for this persistent volume claim
     storage: "10Gi"
+  # -- selector for PVC definition
+  selector: {}
 
 image:
   # -- the repository to use for the main pod image