Merge pull request #68 from rstudio/change-rsw-execution

Change rsw execution
rstudio · Nov 1, 2021 · 69de6f9 · 69de6f9
2 parents 0291491 + 4c48380
commit 69de6f9
Show file tree

Hide file tree

Showing 16 changed files with 698 additions and 212 deletions.
diff --git a/.github/workflows/chart-doc.yaml b/.github/workflows/chart-doc.yaml
@@ -56,7 +56,7 @@ jobs:
         run: |
           set -xe
           # pull latest updates (i.e. if the document step above updated things)
-          git pull
+          git pull origin $GITHUB_REF
           cd ./charts/rstudio-launcher-rbac && helm dependency build && cd -
           helm template -n rstudio rstudio-launcher-rbac ./charts/rstudio-launcher-rbac --set removeNamespaceReferences=true > examples/rbac/rstudio-launcher-rbac.yaml
           CHART_VERSION=$(helm show chart ./charts/rstudio-launcher-rbac | grep '^version' | cut -d ' ' -f 2)

diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml
@@ -1,8 +1,8 @@
 name: rstudio-workbench
 description: Official Helm chart for RStudio Workbench
-version: 0.4.6
+version: 0.5.0-rc01
 apiVersion: v2
-appVersion: 1.4.1717-3
+appVersion: 2021.09.0-351.pro6
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
 home: https://www.rstudio.com
 sources:
@@ -18,9 +18,9 @@ dependencies:
 annotations:
   artifacthub.io/images: |
     - name: rstudio-workbench
-      image: rstudio/rstudio-workbench:1.4.1717-3
+      image: rstudio/rstudio-workbench:2021.09.0-351.pro6
     - name: r-session-complete
-      image: rstudio/r-session-complete:bionic-1.4.1717-3
+      image: rstudio/r-session-complete:bionic-2021.09.0-351.pro6
   artifacthub.io/license: MIT
   artifacthub.io/links: |
     - name: Docker Images

diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md
@@ -1,3 +1,15 @@
+# 0.5.0
+
+- BREAKING: Bump RStudio version to Ghost Orchid (2021.09.0+351.pro6)
+  - This version of the chart is no longer compatible (by default) with older versions (1.4 and previous).
+  - Previous versions of the chart are not compatible (by default) with 2021.09 or later
+  - If you want to use charts across versions, you will need to change `command`, `args`, and some configmaps.
+- BREAKING: Change RStudio Workbench execution model to use supervisord
+- Add config-maps to configure startup behavior
+- Add a config setting for `sssd` (now in the container by default) - `config.userProvisioning`
+- Add a "secret" configmap for session components (useful for shared database credentials, `odbc.ini`, etc.)
+- Update README to make `job-json-overrides`, profiles, etc. more clear
+
 # 0.4.6
 
 - Updated svc.yml to remove hardcoded port 80 and add .Values.service.port in its place. Updated values.yaml to include .Values.service.port (previously missing).

diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md
diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl
diff --git a/charts/rstudio-workbench/ci/complex-values.yaml b/charts/rstudio-workbench/ci/complex-values.yaml
@@ -89,6 +89,10 @@ config:
         Path: /opt/R/3.6.3
       - Label: other
         Path: /opt/R/4.0.2
+  sessionSecret:
+    odbc.ini: |
+      [hello]
+      uid=someval
   secret:
     "database.conf": {}
   server:
@@ -134,3 +138,11 @@ config:
         Environment:
           TESTA: A
           TESTB: B
+  userProvisioning:
+    # fake .test ending to avoid killing the image
+    some-value.conf.test: |
+      some-value
+  startupCustom:
+    # fake .test ending to avoid killing the image
+    somefile.conf.test: |
+      some-value
diff --git a/charts/rstudio-workbench/prestart.bash → .../rstudio-workbench/prestart-launcher.bash b/charts/rstudio-workbench/prestart.bash → .../rstudio-workbench/prestart-launcher.bash
@@ -3,16 +3,13 @@ set -o errexit
 set -o pipefail
 
 main() {
-  local startup_script="${1:-/usr/local/bin/startup.sh}"
+  local startup_script="${1:-/usr/lib/rstudio-server/bin/rstudio-launcher}"
   local dyn_dir='/mnt/dynamic/rstudio'
 
   local cacert='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
   local k8s_url="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
   local launcher_k8s_conf="${dyn_dir}/launcher.kubernetes.conf"
-  local launcher_pem='/mnt/secret-configmap/rstudio/launcher.pem'
-  local launcher_pub="${dyn_dir}/launcher.pub"
   local launcher_ns="${RSTUDIO_LAUNCHER_NAMESPACE:-rstudio}"
-  local lb_conf='/mnt/load-balancer/rstudio/load-balancer'
 
   _logf 'Loading service account token'
   local sa_token
@@ -25,30 +22,6 @@ main() {
   _logf 'Ensuring %s exists' "${dyn_dir}"
   mkdir -p "${dyn_dir}"
 
-  if [[ "${PRESTART_LOAD_BALANCER_CONFIGURATION}" == enabled ]]; then
-    _logf 'Generating %s' "${lb_conf}"
-    cat >"${lb_conf}" <<EOF
-
-[config]
-
-balancer = sessions
-
-[nodes]
-$(hostname -i)
-EOF
-    _logf 'Current load-balancer file:'
-    cat "${lb_conf}" | _indent
-  fi
-
-  if [[ ! -s "${launcher_pub}" ]] && [[ -f "${launcher_pem}" ]]; then
-    _logf 'Generating %s from %s' "${launcher_pub}" "${launcher_pem}"
-    openssl rsa -in "${launcher_pem}" -outform PEM -pubout -out "${launcher_pub}" 2>&1 | _indent
-    chmod -v 600 "${launcher_pub}" 2>&1 | _indent
-  else
-    _logf 'Ensuring %s does not exist' "${launcher_pub}"
-    rm -vf "${launcher_pub}" 2>&1 | _indent
-  fi
-
   _logf 'Checking kubernetes health via %s' "${k8s_url}"
   curl -fsSL \
     -H "Authorization: Bearer ${sa_token}" \
@@ -77,16 +50,12 @@ EOF
 
   _logf 'Preparing dirs'
   mkdir -p \
-    /var/lib/rstudio-server/monitor/log \
     /var/lib/rstudio-launcher/Local \
     /var/lib/rstudio-launcher/Kubernetes
   chown -v -R \
     rstudio-server:rstudio-server \
-    /var/lib/rstudio-server \
     /var/lib/rstudio-launcher 2>&1 | _indent
 
-  _writeEtcRstudioReadme
-
   _logf 'Replacing process with %s' "${startup_script}"
   exec "${startup_script}"
 }
@@ -97,7 +66,7 @@ _logf() {
   local now
   now="$(date -u +%Y-%m-%dT%H:%M:%S)"
   local format_string
-  format_string="$(printf '#----> prestart.bash %s: %s' "${now}" "${msg}")\\n"
+  format_string="$(printf '#----> prestart-launcher.bash %s: %s' "${now}" "${msg}")\\n"
   # shellcheck disable=SC2059
   printf "${format_string}" "${@}"
 }
@@ -106,17 +75,4 @@ _indent() {
   sed -u 's/^/       /'
 }
 
-_writeEtcRstudioReadme() {
-  _logf 'Writing README to empty /etc/rstudio directory'
-  (cat <<$HERE$
-The contents of this configuration directory have been moved to other directories
-in order to facilitate running in Kubernetes. The directories are specified via
-the XDG_CONFIG_DIRS environment variable defined in the Helm chart. The currently
-defined directories are:
-
-$(echo "$XDG_CONFIG_DIRS" | sed 's/:/\n/g')
-$HERE$
-  ) > /etc/rstudio/README
-}
-
 main "${@}"
diff --git a/charts/rstudio-workbench/prestart-workbench.bash b/charts/rstudio-workbench/prestart-workbench.bash
@@ -0,0 +1,65 @@
+#!/bin/bash
+set -o errexit
+set -o pipefail
+
+main() {
+  local startup_script="${1:-/usr/local/bin/startup.sh}"
+  local dyn_dir='/mnt/dynamic/rstudio'
+
+  local launcher_pem='/mnt/secret-configmap/rstudio/launcher.pem'
+  local launcher_pub="${dyn_dir}/launcher.pub"
+
+  _logf 'Ensuring %s exists' "${dyn_dir}"
+  mkdir -p "${dyn_dir}"
+
+  if [[ ! -s "${launcher_pub}" ]] && [[ -f "${launcher_pem}" ]]; then
+    _logf 'Generating %s from %s' "${launcher_pub}" "${launcher_pem}"
+    openssl rsa -in "${launcher_pem}" -outform PEM -pubout -out "${launcher_pub}" 2>&1 | _indent
+    chmod -v 600 "${launcher_pub}" 2>&1 | _indent
+  else
+    _logf 'Ensuring %s does not exist' "${launcher_pub}"
+    rm -vf "${launcher_pub}" 2>&1 | _indent
+  fi
+
+  _logf 'Preparing dirs'
+  mkdir -p \
+    /var/lib/rstudio-server/monitor/log
+  chown -v -R \
+    rstudio-server:rstudio-server \
+    /var/lib/rstudio-server 2>&1 | _indent
+
+  _writeEtcRstudioReadme
+
+  _logf 'Replacing process with %s' "${startup_script}"
+  exec "${startup_script}"
+}
+
+_logf() {
+  local msg="${1}"
+  shift
+  local now
+  now="$(date -u +%Y-%m-%dT%H:%M:%S)"
+  local format_string
+  format_string="$(printf '#----> prestart-workbench.bash %s: %s' "${now}" "${msg}")\\n"
+  # shellcheck disable=SC2059
+  printf "${format_string}" "${@}"
+}
+
+_indent() {
+  sed -u 's/^/       /'
+}
+
+_writeEtcRstudioReadme() {
+  _logf 'Writing README to empty /etc/rstudio directory'
+  (cat <<$HERE$
+The contents of this configuration directory have been moved to other directories
+in order to facilitate running in Kubernetes. The directories are specified via
+the XDG_CONFIG_DIRS environment variable defined in the Helm chart. The currently
+defined directories are:
+
+$(echo "$XDG_CONFIG_DIRS" | sed 's/:/\n/g')
+$HERE$
+  ) > /etc/rstudio/README
+}
+
+main "${@}"
diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl
@@ -57,10 +57,6 @@ containers:
   {{- end }}
   - name: XDG_CONFIG_DIRS
     value: "{{ template "rstudio-workbench.xdg-config-dirs" .}}"
-  {{- if or ( gt (int .Values.replicas) 1 ) ( .Values.loadBalancer.forceEnabled ) }}
-  - name: PRESTART_LOAD_BALANCER_CONFIGURATION
-    value: enabled
-  {{- end }}
   {{- if .Values.pod.env }}
 {{ toYaml .Values.pod.env | indent 2 }}
   {{- end }}
@@ -92,12 +88,32 @@ containers:
       mountPath: "/mnt/configmap/rstudio/"
     - name: rstudio-session-config
       mountPath: "/mnt/session-configmap/rstudio/"
+    {{- if .Values.config.sessionSecret }}
+    - name: rstudio-session-secret
+      mountPath: {{ .Values.session.defaultSecretMountPath }}
+    {{- end }}
     - name: rstudio-secret
       mountPath: "/mnt/secret-configmap/rstudio/"
+    {{- if .Values.config.userProvisioning }}
+    - name: rstudio-user
+      mountPath: "/etc/sssd/conf.d/"
+    {{- end }}
     - name: etc-rstudio
       mountPath: "/etc/rstudio"
-    - name: shared-data
-      mountPath: "/mnt/load-balancer/rstudio"
+    - name: rstudio-rsw-startup
+      mountPath: "/startup/base"
+    {{- if .Values.launcher.enabled }}
+    - name: rstudio-launcher-startup
+      mountPath: "/startup/launcher"
+    {{- end }}
+    {{- if .Values.config.userProvisioning }}
+    - name: rstudio-user-startup
+      mountPath: "/startup/user-provisioning"
+    {{- end }}
+    {{- if .Values.config.startupCustom }}
+    - name: rstudio-custom-startup
+      mountPath: "/startup/custom"
+    {{- end }}
     {{- include "rstudio-library.license-mount" (dict "license" ( .Values.license )) | nindent 4 }}
     {{- /* TODO: path collision problems... would be ideal to not have to maintain both long term */}}
     {{- if .Values.jobJsonOverridesFiles }}
@@ -155,28 +171,6 @@ containers:
     successThreshold: {{ .Values.readinessProbe.successThreshold }}
     failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
   {{- end }}
-{{- if or (gt (int .Values.replicas) 1) (.Values.loadBalancer.forceEnabled) }}
-- name: sidecar
-  image: "{{ .Values.loadBalancer.image.repository }}:{{ .Values.loadBalancer.image.tag }}"
-  imagePullPolicy: "{{ .Values.loadBalancer.image.imagePullPolicy }}"
-  {{- if .Values.loadBalancer.env }}
-  env:
-    {{- toYaml .Values.loadBalancer.env | nindent 2 }}
-  {{- end }}
-  args:
-    - "{{ include "rstudio-workbench.name" . }}"
-    - "{{ $.Release.Namespace }}"
-    - "/mnt/load-balancer/rstudio/"
-    - "{{ .Values.loadBalancer.sleepDuration }}"
-    - "{{ .Values.loadBalancer.appLabelKey }}"
-  {{- if .Values.loadBalancer.securityContext }}
-  securityContext:
-    {{- toYaml .Values.loadBalancer.securityContext | nindent 4 }}
-  {{- end }}
-  volumeMounts:
-  - name: shared-data
-    mountPath: "/mnt/load-balancer/rstudio/"
-{{- end }}
 {{- if .Values.prometheusExporter.enabled }}
 - name: exporter
   image: "{{ .Values.prometheusExporter.image.repository }}:{{ .Values.prometheusExporter.image.tag }}"
@@ -215,8 +209,6 @@ volumes:
 {{- end }}
 - name: etc-rstudio
   emptyDir: {}
-- name: shared-data
-  emptyDir: {}
 - name: rstudio-config
   configMap:
     name: {{ include "rstudio-workbench.fullname" . }}-config
@@ -225,14 +217,47 @@ volumes:
   configMap:
     name: {{ include "rstudio-workbench.fullname" . }}-session
     defaultMode: 0644
+{{- if .Values.config.sessionSecret }}
+- name: rstudio-session-secret
+  secret:
+    name: {{ include "rstudio-workbench.fullname" . }}-session-secret
+{{- end }}
 - name: rstudio-prestart
   configMap:
     name: {{ include "rstudio-workbench.fullname" . }}-prestart
     defaultMode: 0755
+- name: rstudio-rsw-startup
+  configMap:
+    name: {{ include "rstudio-workbench.fullname" . }}-start-rsw
+    defaultMode: 0755
+{{- if .Values.launcher.enabled }}
+- name: rstudio-launcher-startup
+  configMap:
+    name: {{ include "rstudio-workbench.fullname" . }}-start-launcher
+    defaultMode: 0755
+{{- end }}
+{{- if .Values.config.userProvisioning }}
+- name: rstudio-user-startup
+  configMap:
+    name: {{ include "rstudio-workbench.fullname" . }}-start-user
+    defaultMode: 0755
+{{- end }}
+{{- if .Values.config.startupCustom }}
+- name: rstudio-custom-startup
+  configMap:
+    name: {{ include "rstudio-workbench.fullname" . }}-start-custom
+    defaultMode: 0755
+{{- end }}
 - name: rstudio-secret
   secret:
     secretName: {{ include "rstudio-workbench.fullname" . }}-secret
     defaultMode: 0600
+{{- if .Values.config.userProvisioning }}
+- name: rstudio-user
+  secret:
+    secretName: {{ include "rstudio-workbench.fullname" . }}-user
+    defaultMode: 0600
+{{- end }}
 {{ include "rstudio-library.license-volume" (dict "license" ( .Values.license ) "fullName" (include "rstudio-workbench.fullname" .)) }}
 {{- if .Values.prometheusExporter.enabled }}
 - name: graphite-exporter-config

diff --git a/charts/rstudio-workbench/templates/configmap-general.yaml b/charts/rstudio-workbench/templates/configmap-general.yaml
@@ -9,7 +9,17 @@
   {{- $sessionVolumeMount := dict "mountPath" "/mnt/session-configmap/rstudio" "name" "session-config" }}
   {{- $sessionVolumeOverride := dict "name" "defaultSessionVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionVolume }}
   {{- $sessionVolumeMountOverride := dict "name" "defaultSessionVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionVolumeMount }}
+  {{/* build the actual overrides */}}
   {{- $defaultOverrides = concat $defaultOverrides ( list $sessionVolumeOverride $sessionVolumeMountOverride ) }}
+  {{- if .Values.config.sessionSecret}}
+    {{/* default session secret config mount */}}
+    {{- $sessionSecretVolume := dict "secret" ( dict "name" (printf "%s-session-secret" ( include "rstudio-workbench.fullname" . ) ) ) "secretName" "session-secret" }}
+    {{- $sessionSecretVolumeMount := dict "mountPath" .Values.session.defaultSecretMountPath "name" "session-secret" }}
+    {{- $sessionSecretVolumeOverride := dict "name" "defaultSessionSecretVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionVolume }}
+    {{- $sessionSecretVolumeMountOverride := dict "name" "defaultSessionVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionVolumeMount }}
+    {{/* build the actual overrides */}}
+    {{- $defaultOverrides = concat $defaultOverrides ( list $sessionSecretVolumeOverride $sessionSecretVolumeMountOverride ) }}
+  {{- end }}
 {{- end }}
 {{- $defaultProfiles := dict "default-container-image" (first $defaultImages) "container-images" $defaultImages "allow-unknown-images" 1 }}
 {{- $defaultProfilesConfig := dict "*" $defaultProfiles }}

diff --git a/charts/rstudio-workbench/templates/configmap-prestart.yaml b/charts/rstudio-workbench/templates/configmap-prestart.yaml
@@ -5,5 +5,7 @@ metadata:
   name: {{ include "rstudio-workbench.fullname" . }}-prestart
   namespace: {{ $.Release.Namespace }}
 data:
-  prestart.bash: |
-    {{- .Files.Get "prestart.bash" | nindent 4 }}
+  prestart-workbench.bash: |
+    {{- .Files.Get "prestart-workbench.bash" | nindent 4 }}
+  prestart-launcher.bash: |
+    {{- .Files.Get "prestart-launcher.bash" | nindent 4 }}