From 3e24593025389f674807dc06196b33bd193fe843 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 23 Sep 2021 10:00:06 -0400 Subject: [PATCH 01/32] add placeholders for startup and sssd config --- .../templates/configmap-startup.yaml | 29 +++++++++++++++++++ .../templates/secret-sssd.yaml | 0 2 files changed, 29 insertions(+) create mode 100644 charts/rstudio-workbench/templates/configmap-startup.yaml create mode 100644 charts/rstudio-workbench/templates/secret-sssd.yaml diff --git a/charts/rstudio-workbench/templates/configmap-startup.yaml b/charts/rstudio-workbench/templates/configmap-startup.yaml new file mode 100644 index 00000000..b07061cc --- /dev/null +++ b/charts/rstudio-workbench/templates/configmap-startup.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-start-rsw + namespace: {{ $.Release.Namespace }} +data: +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-start-launcher + namespace: {{ $.Release.Namespace }} +data: + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-start-sssd + namespace: {{ $.Release.Namespace }} +data: + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-start-custom + namespace: {{ $.Release.Namespace }} +data: diff --git a/charts/rstudio-workbench/templates/secret-sssd.yaml b/charts/rstudio-workbench/templates/secret-sssd.yaml new file mode 100644 index 00000000..e69de29b From e29aa4e4d83f915ca04d8d35044a5258cf49c6c4 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Fri, 1 Oct 2021 16:27:00 -0400 Subject: [PATCH 02/32] add a bunch of values --- .../rstudio-workbench/templates/deployment.yaml | 16 ++++++++++++++++ charts/rstudio-workbench/values.yaml | 5 +++++ 2 files changed, 21 insertions(+) 
diff --git a/charts/rstudio-workbench/templates/deployment.yaml b/charts/rstudio-workbench/templates/deployment.yaml index 9f7c7b30..220077f9 100644 --- a/charts/rstudio-workbench/templates/deployment.yaml +++ b/charts/rstudio-workbench/templates/deployment.yaml @@ -40,6 +40,22 @@ spec: serviceAccountName: {{ .Values.serviceAccountName }} {{- end }} shareProcessNamespace: {{ .Values.shareProcessNamespace }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} {{- if .Values.initContainers }} initContainers: {{ toYaml .Values.initContainers | indent 8 }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 576dc5fa..ff42eee5 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -204,6 +204,11 @@ xdgConfigDirsExtra: [] securityContext: {} +priorityClassName: null +affinity: {} +nodeSelector: {} +tolerations: [] + pod: # -- env is an array of maps that is injected as-is into the "env:" component of the pod.container spec env: [] From 87890f0bed708e41dd62edfae096562c66c1ea37 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Tue, 26 Oct 2021 10:13:57 -0400 Subject: [PATCH 03/32] add sssd configuration --- charts/rstudio-workbench/templates/configmap-secret.yaml | 9 +++++++++ charts/rstudio-workbench/templates/secret-sssd.yaml | 0 charts/rstudio-workbench/values.yaml | 1 + 3 files changed, 10 insertions(+) delete mode 100644 charts/rstudio-workbench/templates/secret-sssd.yaml diff --git a/charts/rstudio-workbench/templates/configmap-secret.yaml b/charts/rstudio-workbench/templates/configmap-secret.yaml index 846701c5..0b7bce26 100644 
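Review bot: The `priorityClassName` block renders a scalar with `toYaml . | nindent 8`, which puts the value on its own line under the key; YAML folds that into a plain scalar so it does work, but it reads like a nested mapping and differs from the other scalar pod fields in this template (`serviceAccountName: {{ .Values.serviceAccountName }}` in the hunk context). Inside the `with` block the plain form `priorityClassName: {{ . | quote }}` is clearer and guards against values that look like other YAML types. `nodeSelector`, `affinity` and `tolerations` are mappings/lists, so `toYaml | nindent` is the right form for those three.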
--- a/charts/rstudio-workbench/templates/configmap-secret.yaml +++ b/charts/rstudio-workbench/templates/configmap-secret.yaml @@ -16,3 +16,12 @@ stringData: {{ .Values.launcherPub | indent 4 }} {{- end }} --- +{{- if .Values.config.sssd }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-sssd + namespace: {{ $.Release.Namespace }} +stringData: +{{- include "rstudio-library.config.ini" .Values.config.sssd | indent 2 }} +{{- end }} diff --git a/charts/rstudio-workbench/templates/secret-sssd.yaml b/charts/rstudio-workbench/templates/secret-sssd.yaml deleted file mode 100644 index e69de29b..00000000 diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index fa647634..d37f0e90 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -266,6 +266,7 @@ config: notifications.conf: {} secret: "database.conf": {} + sssd: {} server: rserver.conf: server-health-check-enabled: 1 From 0c36353c8f3e289207ac8e5658467208885cb176 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Tue, 26 Oct 2021 10:14:04 -0400 Subject: [PATCH 04/32] mount sssd configuration --- charts/rstudio-workbench/templates/_helpers.tpl | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index b58e0c2c..89ad7d15 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -94,6 +94,10 @@ containers: mountPath: "/mnt/session-configmap/rstudio/" - name: rstudio-secret mountPath: "/mnt/secret-configmap/rstudio/" + {{- if .Values.config.sssd }} + - name: rstudio-sssd + mountPath: "/etc/sssd/conf.d/" + {{- end }} - name: etc-rstudio mountPath: "/etc/rstudio" - name: shared-data 
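Review bot: In the new sssd Secret, `stringData:` is followed by `{{- include "rstudio-library.config.ini" .Values.config.sssd | indent 2 }}`; the `{{-` trims the newline after `stringData:` and `indent` adds none, so unless the helper's output begins with a newline the first key is rendered onto the `stringData:` line and the manifest is malformed. The sibling templates pass the same helper through `nindent 2` (configmap-startup.yaml later in this series, configmap-session.yaml), so `{{- include "rstudio-library.config.ini" .Values.config.sssd | nindent 2 }}` is the consistent form; verify with `helm template` and a non-empty `config.sssd`. Keeping this configuration, which usually carries directory bind credentials, in a Secret rather than a ConfigMap is the right choice.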
@@ -233,6 +237,12 @@ volumes: secret: secretName: {{ include "rstudio-workbench.fullname" . }}-secret defaultMode: 0600 +{{- if .Values.config.sssd }} +- name: rstudio-sssd + secret: + secretName: {{ include "rstudio-workbench.fullname" . }}-sssd + defaultMode: 0600 +{{- end }} {{ include "rstudio-library.license-volume" (dict "license" ( .Values.license ) "fullName" (include "rstudio-workbench.fullname" .)) }} {{- if .Values.prometheusExporter.enabled }} - name: graphite-exporter-config From 4e961584ad1a3562a180e5b7aea723f4598a3cff Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 14:10:32 -0400 Subject: [PATCH 05/32] set up startup configmaps --- .../templates/configmap-startup.yaml | 43 +++++++++++++++++-- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/charts/rstudio-workbench/templates/configmap-startup.yaml b/charts/rstudio-workbench/templates/configmap-startup.yaml index b07061cc..95ac943a 100644 --- a/charts/rstudio-workbench/templates/configmap-startup.yaml +++ b/charts/rstudio-workbench/templates/configmap-startup.yaml @@ -4,6 +4,15 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-rsw namespace: {{ $.Release.Namespace }} data: + rstudio-workbench.conf: | + [program:rstudio-workbench] + command=/usr/local/bin/startup.sh + autorestart=false + numprocs=1 + stdout_logfile=/dev/stdout + stdout_logfile_maxbytes=0 + stderr_logfile=/dev/stderr + stderr_logfile_maxbytes=0 --- apiVersion: v1 kind: ConfigMap 
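Review bot: The `[program:rstudio-workbench]` entry sets `autorestart=false`, so if rserver exits the container stays Running under supervisord and Kubernetes only learns of it through probes; a readiness probe is visible in later hunks of this series, a liveness probe is not. Either state in a comment above the entry that the image's supervisord configuration exits when this program stops, or use `autorestart=unexpected` with an explicit `exitcodes=` so a crash is restarted in place rather than leaving a pod that is Running but serving nothing. The same applies to the launcher and sssd entries added in the next hunk.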
@@ -11,15 +20,39 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-launcher namespace: {{ $.Release.Namespace }} data: - + empty.txt: '' + {{- if .Values.launcher.enabled }} + rstudio-launcher.conf: | + [program:rstudio-launcher] + command=/usr/lib/rstudio-server/bin/rstudio-launcher + autorestart=false + numprocs=1 + stdout_logfile=/dev/stdout + stdout_logfile_maxbytes=0 + stderr_logfile=/dev/stderr + stderr_logfile_maxbytes=0 + {{- end }} --- apiVersion: v1 kind: ConfigMap metadata: - name: {{ include "rstudio-workbench.fullname" . }}-start-sssd + name: {{ include "rstudio-workbench.fullname" . }}-start-user namespace: {{ $.Release.Namespace }} data: - + .empty.txt: '' + {{- if .Values.config.sssd }} + sssd.conf: | + [program:sssd] + command=/usr/sbin/sssd -i -c /etc/sssd/sssd.conf --logger=stderr + autorestart=false + numprocs=1 + stdout_logfile=/dev/stdout + stdout_logfile_maxbytes=0 + stdout_logfile_backups=0 + stderr_logfile=/dev/stderr + stderr_logfile_maxbytes=0 + stderr_logfile_backups=0 + {{- end }} --- apiVersion: v1 kind: ConfigMap @@ -27,3 +60,7 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-custom namespace: {{ $.Release.Namespace }} data: + .empty.txt: '' + {{- if .Values.config.startup }} + {{- include "rstudio-library.config.ini" .Values.config.startup | nindent 2}} + {{- end }} From 008280dab2c37486fd2db3017a618dee5fd479c4 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 14:10:50 -0400 Subject: [PATCH 06/32] change values to be consistent with new startups --- charts/rstudio-workbench/values.yaml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index d37f0e90..288a7ca9 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml 
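Review bot: The `[program:sssd]` command passes `-c /etc/sssd/sssd.conf`, while the chart mounts the rendered configuration at `/etc/sssd/conf.d/` (PATCH 04), so sssd only finds it if the image ships a base `sssd.conf` and merges `conf.d/*.conf` snippets; confirm that, or mount the Secret key directly at `/etc/sssd/sssd.conf` via `subPath`. As far as I know sssd also ignores snippets whose names do not end in `.conf` and rejects files that are not root-owned with mode 0600; the volume's `defaultMode: 0600` covers the mode, but the naming constraint on the keys under `config.sssd` should be documented in values.yaml, e.g. `# -- sssd keys become files in /etc/sssd/conf.d/ and must end in .conf`. `autorestart=false` here means a crashed sssd silently stops user lookups for new sessions until the pod is recreated; `autorestart=unexpected` is safer for a daemon rstudio-server depends on.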
@@ -159,12 +159,10 @@ loadBalancer: # -- the imagePullPolicy to use for the side-car pod image imagePullPolicy: IfNotPresent -# -- command is the pod container's run command. -command: [tini, -s, --] -# -- args is the pod container's run arguments. By default, it uses a kubernetes-specific prestart script that exec's the default container startup script. -args: - - /scripts/prestart.bash - - /usr/local/bin/startup.sh +# -- command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup +command: [] +# -- args is the pod container's run arguments. +args: [] license: # -- key is the license to use @@ -302,3 +300,4 @@ config: profiles: {} serverDcf: launcher-mounts: [] + startup: {} From b269facf559cd279f1abcf12f7623f7c9d0c4569 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 14:55:55 -0400 Subject: [PATCH 07/32] rename sssd to userProvisioning --- .../templates/configmap-startup.yaml | 17 +++++++---------- charts/rstudio-workbench/values.yaml | 2 +- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/charts/rstudio-workbench/templates/configmap-startup.yaml b/charts/rstudio-workbench/templates/configmap-startup.yaml index 95ac943a..f65be3b6 100644 --- a/charts/rstudio-workbench/templates/configmap-startup.yaml +++ b/charts/rstudio-workbench/templates/configmap-startup.yaml @@ -6,13 +6,14 @@ metadata: data: rstudio-workbench.conf: | [program:rstudio-workbench] - command=/usr/local/bin/startup.sh + command=/scripts/prestart.bash /usr/local/bin/startup.sh autorestart=false numprocs=1 stdout_logfile=/dev/stdout stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 +{{- if .Values.launcher.enabled }} --- apiVersion: v1 kind: ConfigMap 
@@ -20,8 +21,6 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-launcher namespace: {{ $.Release.Namespace }} data: - empty.txt: '' - {{- if .Values.launcher.enabled }} rstudio-launcher.conf: | [program:rstudio-launcher] command=/usr/lib/rstudio-server/bin/rstudio-launcher @@ -31,7 +30,8 @@ data: stdout_logfile_maxbytes=0 stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 - {{- end }} +{{- end }} +{{- if .Values.config.userProvisioning }} --- apiVersion: v1 kind: ConfigMap @@ -39,8 +39,6 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-user namespace: {{ $.Release.Namespace }} data: - .empty.txt: '' - {{- if .Values.config.sssd }} sssd.conf: | [program:sssd] command=/usr/sbin/sssd -i -c /etc/sssd/sssd.conf --logger=stderr @@ -52,7 +50,8 @@ data: stderr_logfile=/dev/stderr stderr_logfile_maxbytes=0 stderr_logfile_backups=0 - {{- end }} +{{- end }} +{{- if .Values.config.startup }} --- apiVersion: v1 kind: ConfigMap @@ -60,7 +59,5 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-custom namespace: {{ $.Release.Namespace }} data: - .empty.txt: '' - {{- if .Values.config.startup }} {{- include "rstudio-library.config.ini" .Values.config.startup | nindent 2}} - {{- end }} +{{- end }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 288a7ca9..01b6b61d 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -264,7 +264,7 @@ config: notifications.conf: {} secret: "database.conf": {} - sssd: {} + userProvisioning: {} server: rserver.conf: server-health-check-enabled: 1 From 054b5b09f27a0769fcd182055bcb70f58ccdf2af Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 14:56:09 -0400 Subject: [PATCH 08/32] add volumes and volume mounts --- .../rstudio-workbench/templates/_helpers.tpl | 39 ++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) 
diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 89ad7d15..1454c13a 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -94,12 +94,27 @@ containers: mountPath: "/mnt/session-configmap/rstudio/" - name: rstudio-secret mountPath: "/mnt/secret-configmap/rstudio/" - {{- if .Values.config.sssd }} + {{- if .Values.config.userProvisioning }} - name: rstudio-sssd mountPath: "/etc/sssd/conf.d/" {{- end }} - name: etc-rstudio mountPath: "/etc/rstudio" + - name: rstudio-rsw-startup + mountPath: "/startup/base" + {{- if .Values.launcher.enabled }} + - name: rstudio-launcher-startup + mountPath: "/startup/launcher" + {{- end }} + {{- if .Values.config.userProvisioning }} + - name: rstudio-user-startup + mountPath: "/startup/user-provisioning" + {{- end }} + {{- if .Values.config.startup }} + - name: rstudio-custom-startup + mountPath: "/startup/custom" + {{- end }} + - name: rstudio-rsw-startup - name: shared-data mountPath: "/mnt/load-balancer/rstudio" {{- include "rstudio-library.license-mount" (dict "license" ( .Values.license )) | nindent 4 }} 
@@ -233,6 +248,28 @@ volumes: configMap: name: {{ include "rstudio-workbench.fullname" . }}-prestart defaultMode: 0755 +- name: rstudio-rsw-startup + configMap: + name: {{ include "rstudio-workbench.fullname" . }}-start-rsw + defaultMode: 0755 +{{- if .Values.launcher.enabled }} +- name: rstudio-launcher-startup + configMap: + name: {{ include "rstudio-workbench.fullname" . }}-start-launcher + defaultMode: 0755 +{{- end }} +{{-if .Values.config.userProvisioning }} +- name: rstudio-user-startup + configMap: + name: {{ include "rstudio-workbench.fullname" . }}-start-sssd + defaultMode: 0755 +{{- end }} +{{- if .Values.config.startup }} +- name: rstudio-custom-startup + configMap: + name: {{ include "rstudio-workbench.fullname" . }}-start-custom + defaultMode: 0755 +{{- end }} - name: rstudio-secret secret: secretName: {{ include "rstudio-workbench.fullname" . }}-secret From 98d420b196af3da3eb6374a976745e0ff68082e2 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 14:57:42 -0400 Subject: [PATCH 09/32] fix typo --- charts/rstudio-workbench/templates/_helpers.tpl | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 1454c13a..dbedafdc 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -114,7 +114,6 @@ containers: - name: rstudio-custom-startup mountPath: "/startup/custom" {{- end }} - - name: rstudio-rsw-startup - name: shared-data mountPath: "/mnt/load-balancer/rstudio" {{- include "rstudio-library.license-mount" (dict "license" ( .Values.license )) | nindent 4 }} From ed366ee254bf3a6957793e63be5ac62af2b887e4 Mon Sep 17 00:00:00 2001 
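Review bot: The `rstudio-user-startup` volume references a ConfigMap named `...-start-sssd`, but PATCH 05 renamed that ConfigMap to `...-start-user`, so with `config.userProvisioning` set the pod stays in ContainerCreating with a configmap-not-found error; the line should read `name: {{ include "rstudio-workbench.fullname" . }}-start-user`. The stale name is still present in the context of PATCH 17's hunk (the `{{-if` fix), so none of the commits visible here correct it. Separately, the four startup ConfigMaps hold supervisord `.conf` files rather than executables, so `defaultMode: 0644` is sufficient; 0755 is only needed for the prestart script ConfigMap above.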
From: Cole Arendt Date: Wed, 27 Oct 2021 15:02:11 -0400 Subject: [PATCH 10/32] burn the sidecar with :fire:!!! WOOHOO!! --- charts/rstudio-workbench/prestart.bash | 16 ---------- .../rstudio-workbench/templates/_helpers.tpl | 30 ------------------- 2 files changed, 46 deletions(-) diff --git a/charts/rstudio-workbench/prestart.bash b/charts/rstudio-workbench/prestart.bash index 44aff387..7ed93235 100644 --- a/charts/rstudio-workbench/prestart.bash +++ b/charts/rstudio-workbench/prestart.bash @@ -12,7 +12,6 @@ main() { local launcher_pem='/mnt/secret-configmap/rstudio/launcher.pem' local launcher_pub="${dyn_dir}/launcher.pub" local launcher_ns="${RSTUDIO_LAUNCHER_NAMESPACE:-rstudio}" - local lb_conf='/mnt/load-balancer/rstudio/load-balancer' _logf 'Loading service account token' local sa_token @@ -25,21 +24,6 @@ main() { _logf 'Ensuring %s exists' "${dyn_dir}" mkdir -p "${dyn_dir}" - if [[ "${PRESTART_LOAD_BALANCER_CONFIGURATION}" == enabled ]]; then - _logf 'Generating %s' "${lb_conf}" - cat >"${lb_conf}" <&1 | _indent diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index dbedafdc..9da60695 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -57,10 +57,6 @@ containers: {{- end }} - name: XDG_CONFIG_DIRS value: "{{ template "rstudio-workbench.xdg-config-dirs" .}}" - {{- if or ( gt (int .Values.replicas) 1 ) ( .Values.loadBalancer.forceEnabled ) }} - - name: PRESTART_LOAD_BALANCER_CONFIGURATION - value: enabled - {{- end }} {{- if .Values.pod.env }} {{ toYaml .Values.pod.env | indent 2 }} {{- end }} 
@@ -114,8 +110,6 @@ containers: - name: rstudio-custom-startup mountPath: "/startup/custom" {{- end }} - - name: shared-data - mountPath: "/mnt/load-balancer/rstudio" {{- include "rstudio-library.license-mount" (dict "license" ( .Values.license )) | nindent 4 }} {{- /* TODO: path collision problems... would be ideal to not have to maintain both long term */}} {{- if .Values.jobJsonOverridesFiles }} @@ -173,28 +167,6 @@ containers: successThreshold: {{ .Values.readinessProbe.successThreshold }} failureThreshold: {{ .Values.readinessProbe.failureThreshold }} {{- end }} -{{- if or (gt (int .Values.replicas) 1) (.Values.loadBalancer.forceEnabled) }} -- name: sidecar - image: "{{ .Values.loadBalancer.image.repository }}:{{ .Values.loadBalancer.image.tag }}" - imagePullPolicy: "{{ .Values.loadBalancer.image.imagePullPolicy }}" - {{- if .Values.loadBalancer.env }} - env: - {{- toYaml .Values.loadBalancer.env | nindent 2 }} - {{- end }} - args: - - "{{ include "rstudio-workbench.name" . }}" - - "{{ $.Release.Namespace }}" - - "/mnt/load-balancer/rstudio/" - - "{{ .Values.loadBalancer.sleepDuration }}" - - "{{ .Values.loadBalancer.appLabelKey }}" - {{- if .Values.loadBalancer.securityContext }} - securityContext: - {{- toYaml .Values.loadBalancer.securityContext | nindent 4 }} - {{- end }} - volumeMounts: - - name: shared-data - mountPath: "/mnt/load-balancer/rstudio/" -{{- end }} {{- if .Values.prometheusExporter.enabled }} - name: exporter image: "{{ .Values.prometheusExporter.image.repository }}:{{ .Values.prometheusExporter.image.tag }}" @@ -233,8 +205,6 @@ volumes: {{- end }} - name: etc-rstudio emptyDir: {} -- name: shared-data - emptyDir: {} - name: rstudio-config configMap: name: {{ include "rstudio-workbench.fullname" . }}-config From 3e8e4ae5711723cf8d2e3518dd04b10985a79895 Mon Sep 17 00:00:00 2001 
From: Cole Arendt Date: Wed, 27 Oct 2021 15:03:25 -0400 Subject: [PATCH 11/32] bump app and chart versions --- charts/rstudio-workbench/Chart.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-workbench/Chart.yaml b/charts/rstudio-workbench/Chart.yaml index d454c9b5..09634744 100644 --- a/charts/rstudio-workbench/Chart.yaml +++ b/charts/rstudio-workbench/Chart.yaml @@ -1,8 +1,8 @@ name: rstudio-workbench description: Official Helm chart for RStudio Workbench -version: 0.4.6 +version: 0.5.0-rc01 apiVersion: v2 -appVersion: 1.4.1717-3 +appVersion: 2021.09.0-351.pro6 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png home: https://www.rstudio.com sources: @@ -18,9 +18,9 @@ dependencies: annotations: artifacthub.io/images: | - name: rstudio-workbench - image: rstudio/rstudio-workbench:1.4.1717-3 + image: rstudio/rstudio-workbench:2021.09.0-351.pro6 - name: r-session-complete - image: rstudio/r-session-complete:bionic-1.4.1717-3 + image: rstudio/r-session-complete:bionic-2021.09.0-351.pro6 artifacthub.io/license: MIT artifacthub.io/links: | - name: Docker Images From 1b064ed964becb83587bcb43e036cea00146067d Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 16:13:47 -0400 Subject: [PATCH 12/32] split prestart.bash into launcher and workbench components --- .../{prestart.bash => prestart-launcher.bash} | 30 +-------- .../rstudio-workbench/prestart-workbench.bash | 65 +++++++++++++++++++ .../templates/configmap-prestart.yaml | 6 +- 3 files changed, 70 insertions(+), 31 deletions(-) rename charts/rstudio-workbench/{prestart.bash => prestart-launcher.bash} (64%) create mode 100644 charts/rstudio-workbench/prestart-workbench.bash diff --git a/charts/rstudio-workbench/prestart.bash b/charts/rstudio-workbench/prestart-launcher.bash similarity index 64% rename from charts/rstudio-workbench/prestart.bash rename to charts/rstudio-workbench/prestart-launcher.bash index 7ed93235..6e708c26 100644 
--- a/charts/rstudio-workbench/prestart.bash +++ b/charts/rstudio-workbench/prestart-launcher.bash @@ -9,8 +9,6 @@ main() { local cacert='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' local k8s_url="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" local launcher_k8s_conf="${dyn_dir}/launcher.kubernetes.conf" - local launcher_pem='/mnt/secret-configmap/rstudio/launcher.pem' - local launcher_pub="${dyn_dir}/launcher.pub" local launcher_ns="${RSTUDIO_LAUNCHER_NAMESPACE:-rstudio}" _logf 'Loading service account token' @@ -24,15 +22,6 @@ main() { _logf 'Ensuring %s exists' "${dyn_dir}" mkdir -p "${dyn_dir}" - if [[ ! -s "${launcher_pub}" ]] && [[ -f "${launcher_pem}" ]]; then - _logf 'Generating %s from %s' "${launcher_pub}" "${launcher_pem}" - openssl rsa -in "${launcher_pem}" -outform PEM -pubout -out "${launcher_pub}" 2>&1 | _indent - chmod -v 600 "${launcher_pub}" 2>&1 | _indent - else - _logf 'Ensuring %s does not exist' "${launcher_pub}" - rm -vf "${launcher_pub}" 2>&1 | _indent - fi - _logf 'Checking kubernetes health via %s' "${k8s_url}" curl -fsSL \ -H "Authorization: Bearer ${sa_token}" \ @@ -61,16 +50,12 @@ EOF _logf 'Preparing dirs' mkdir -p \ - /var/lib/rstudio-server/monitor/log \ /var/lib/rstudio-launcher/Local \ /var/lib/rstudio-launcher/Kubernetes chown -v -R \ rstudio-server:rstudio-server \ - /var/lib/rstudio-server \ /var/lib/rstudio-launcher 2>&1 | _indent - _writeEtcRstudioReadme - _logf 'Replacing process with %s' "${startup_script}" exec "${startup_script}" } @@ -81,7 +66,7 @@ _logf() { local now now="$(date -u +%Y-%m-%dT%H:%M:%S)" local format_string - format_string="$(printf '#----> prestart.bash %s: %s' "${now}" "${msg}")\\n" + format_string="$(printf '#----> prestart-launcher.bash %s: %s' "${now}" "${msg}")\\n" # shellcheck disable=SC2059 printf "${format_string}" "${@}" } 
@@ -90,17 +75,4 @@ _indent() { sed -u 's/^/ /' } -_writeEtcRstudioReadme() { - _logf 'Writing README to empty /etc/rstudio directory' - (cat <<$HERE$ -The contents of this configuration directory have been moved to other directories -in order to facilitate running in Kubernetes. The directories are specified via -the XDG_CONFIG_DIRS environment variable defined in the Helm chart. The currently -defined directories are: - -$(echo "$XDG_CONFIG_DIRS" | sed 's/:/\n/g') -$HERE$ - ) > /etc/rstudio/README -} - main "${@}" diff --git a/charts/rstudio-workbench/prestart-workbench.bash b/charts/rstudio-workbench/prestart-workbench.bash new file mode 100644 index 00000000..7d1d0a10 --- /dev/null +++ b/charts/rstudio-workbench/prestart-workbench.bash 
@@ -0,0 +1,65 @@ +#!/bin/bash +set -o errexit +set -o pipefail + +main() { + local startup_script="${1:-/usr/local/bin/startup.sh}" + local dyn_dir='/mnt/dynamic/rstudio' + + local launcher_pem='/mnt/secret-configmap/rstudio/launcher.pem' + local launcher_pub="${dyn_dir}/launcher.pub" + + _logf 'Ensuring %s exists' "${dyn_dir}" + mkdir -p "${dyn_dir}" + + if [[ ! -s "${launcher_pub}" ]] && [[ -f "${launcher_pem}" ]]; then + _logf 'Generating %s from %s' "${launcher_pub}" "${launcher_pem}" + openssl rsa -in "${launcher_pem}" -outform PEM -pubout -out "${launcher_pub}" 2>&1 | _indent + chmod -v 600 "${launcher_pub}" 2>&1 | _indent + else + _logf 'Ensuring %s does not exist' "${launcher_pub}" + rm -vf "${launcher_pub}" 2>&1 | _indent + fi + + _logf 'Preparing dirs' + mkdir -p \ + /var/lib/rstudio-server/monitor/log \ + chown -v -R \ + rstudio-server:rstudio-server \ + /var/lib/rstudio-server 2>&1 | _indent + + _writeEtcRstudioReadme + + _logf 'Replacing process with %s' "${startup_script}" + exec "${startup_script}" +} + +_logf() { + local msg="${1}" + shift + local now + now="$(date -u +%Y-%m-%dT%H:%M:%S)" + local format_string + format_string="$(printf '#----> prestart-workbench.bash %s: %s' "${now}" "${msg}")\\n" + # shellcheck disable=SC2059 + printf "${format_string}" "${@}" +} + +_indent() { + sed -u 's/^/ /' +} + +_writeEtcRstudioReadme() { + _logf 'Writing README to empty /etc/rstudio directory' + (cat <<$HERE$ +The contents of this configuration directory have been moved to other directories +in order to facilitate running in Kubernetes. The directories are specified via +the XDG_CONFIG_DIRS environment variable defined in the Helm chart. The currently +defined directories are: + +$(echo "$XDG_CONFIG_DIRS" | sed 's/:/\n/g') +$HERE$ + ) > /etc/rstudio/README +} + +main "${@}" diff --git a/charts/rstudio-workbench/templates/configmap-prestart.yaml b/charts/rstudio-workbench/templates/configmap-prestart.yaml index 0da81b63..69d55157 100644 
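Review bot: In `main()` the `mkdir -p` argument list ends with a trailing backslash (`/var/lib/rstudio-server/monitor/log \`), so the following `chown -v -R rstudio-server:rstudio-server /var/lib/rstudio-server` is parsed as more arguments to `mkdir`; GNU mkdir rejects `-R` as an invalid option, and with `set -o errexit`, `set -o pipefail` and the `| _indent` pipe the script exits before `exec "${startup_script}"`, so the Workbench container never starts. Drop the backslash so the line reads `/var/lib/rstudio-server/monitor/log` and `chown` runs as its own command, as it does in prestart-launcher.bash. Without that, `/var/lib/rstudio-server` is also never chowned to `rstudio-server`, which the server needs for its monitor and state directories.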
--- a/charts/rstudio-workbench/templates/configmap-prestart.yaml +++ b/charts/rstudio-workbench/templates/configmap-prestart.yaml @@ -5,5 +5,7 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-prestart namespace: {{ $.Release.Namespace }} data: - prestart.bash: | - {{- .Files.Get "prestart.bash" | nindent 4 }} + prestart-workbench.bash: | + {{- .Files.Get "prestart-workbench.bash" | nindent 4 }} + prestart-launcher.bash: | + {{- .Files.Get "prestart-launcher.bash" | nindent 4 }} From 7092429929d53d50075c57922492055265068f60 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 23:29:40 -0400 Subject: [PATCH 13/32] change default launcher script --- charts/rstudio-workbench/prestart-launcher.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/prestart-launcher.bash b/charts/rstudio-workbench/prestart-launcher.bash index 6e708c26..47eedcc8 100644 --- a/charts/rstudio-workbench/prestart-launcher.bash +++ b/charts/rstudio-workbench/prestart-launcher.bash @@ -3,7 +3,7 @@ set -o errexit set -o pipefail main() { - local startup_script="${1:-/usr/local/bin/startup.sh}" + local startup_script="${1:-/usr/lib/rstudio-server/bin/rstudio-launcher}" local dyn_dir='/mnt/dynamic/rstudio' local cacert='/var/run/secrets/kubernetes.io/serviceaccount/ca.crt' From 3569568cc2d2b3618548d53796d769aa04947b86 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Wed, 27 Oct 2021 23:39:06 -0400 Subject: [PATCH 14/32] add session secret placeholder (for odbc.ini or similar needed for client behavior) --- .../templates/configmap-session.yaml | 20 +++++++++++++++++++ charts/rstudio-workbench/values.yaml | 1 + 2 files changed, 21 insertions(+) diff --git a/charts/rstudio-workbench/templates/configmap-session.yaml b/charts/rstudio-workbench/templates/configmap-session.yaml index cacf7c1f..a6c4c0e6 100644 --- a/charts/rstudio-workbench/templates/configmap-session.yaml +++ b/charts/rstudio-workbench/templates/configmap-session.yaml 
@@ -6,6 +6,16 @@ metadata: namespace: {{ $.Release.Namespace }} data: {{- include "rstudio-library.config.ini" .Values.config.session | nindent 2 }} +{{- if .Values.config.sessionSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-session-secret + namespace: {{ $.Release.Namespace }} +stringData: + {{- include "rstudio-library.config.ini" .Values.config.sessionSecret | nindent 2 }} +{{- end }} {{- /* if session/target namespace differs - duplicate session configuration there @@ -24,4 +34,14 @@ metadata: namespace: {{ $targetNamespace }} data: {{- include "rstudio-library.config.ini" .Values.config.session | nindent 2 }} +{{- if .Values.config.sessionSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "rstudio-workbench.fullname" . }}-session-secret + namespace: {{ $targetNamespace }} +stringData: + {{- include "rstudio-library.config.ini" .Values.config.sessionSecret | nindent 2 }} +{{- end }} {{- end }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 01b6b61d..5eb84d62 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -262,6 +262,7 @@ config: CRAN: https://packagemanager.rstudio.com/cran/__linux__/bionic/latest rsession.conf: {} notifications.conf: {} + sessionSecret: {} secret: "database.conf": {} userProvisioning: {} From ec3e42fc9259d8f1e9c6cc4baa1a7aecb4b6286c Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:27:19 -0400 Subject: [PATCH 15/32] fix startup commands --- charts/rstudio-workbench/templates/configmap-startup.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/templates/configmap-startup.yaml b/charts/rstudio-workbench/templates/configmap-startup.yaml index f65be3b6..236ae9f3 100644 --- a/charts/rstudio-workbench/templates/configmap-startup.yaml +++ b/charts/rstudio-workbench/templates/configmap-startup.yaml 
@@ -6,7 +6,7 @@ metadata: data: rstudio-workbench.conf: | [program:rstudio-workbench] - command=/scripts/prestart.bash /usr/local/bin/startup.sh + command=/scripts/prestart-workbench.bash /usr/local/bin/startup.sh autorestart=false numprocs=1 stdout_logfile=/dev/stdout @@ -23,7 +23,7 @@ metadata: data: rstudio-launcher.conf: | [program:rstudio-launcher] - command=/usr/lib/rstudio-server/bin/rstudio-launcher + command=/scripts/prestart-launcher.bash /usr/lib/rstudio-server/bin/rstudio-launcher autorestart=false numprocs=1 stdout_logfile=/dev/stdout From 3c62b71727d6d9d51198591666b7c458be97be21 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:27:29 -0400 Subject: [PATCH 16/32] update NEWS --- charts/rstudio-workbench/NEWS.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index adf516ea..7e701c26 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md @@ -1,3 +1,11 @@ +# 0.5.0 + +- Bump RStudio version to Ghost Orchid (2021.09.0+351.pro6) +- Change RStudio Workbench execution model to use supervisord +- Add config-maps to configure startup behavior +- Add a config setting for `sssd` (now in the container by default) +- Add a "secret" configmap for session components (useful for shared database credentials, etc.) + # 0.4.6 - Updated svc.yml to remove hardcoded port 80 and add .Values.service.port in its place. Updated values.yaml to include .Values.service.port (previously missing). From 59d6cea4c2cfe26bec93e4f0e8d4f61df3d37230 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:33:37 -0400 Subject: [PATCH 17/32] fix typo --- charts/rstudio-workbench/templates/_helpers.tpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 9da60695..1bd7701a 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl 
+++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -227,7 +227,7 @@ volumes: name: {{ include "rstudio-workbench.fullname" . }}-start-launcher defaultMode: 0755 {{- end }} -{{-if .Values.config.userProvisioning }} +{{- if .Values.config.userProvisioning }} - name: rstudio-user-startup configMap: name: {{ include "rstudio-workbench.fullname" . }}-start-sssd From ce3d1ec47af7931812d71de457e876760ab5ee68 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:42:47 -0400 Subject: [PATCH 18/32] update news --- charts/rstudio-workbench/NEWS.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index 7e701c26..b95c354b 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md @@ -1,10 +1,13 @@ # 0.5.0 - Bump RStudio version to Ghost Orchid (2021.09.0+351.pro6) + - This version of the chart is no longer compatible (by default) with older versions (1.4 and previous). + - Previous versions of the chart are not compatible (by default) with 2021.09 or later + - If you want to use charts across versions, you will need to change `command`, `args`, and some configmaps. - Change RStudio Workbench execution model to use supervisord - Add config-maps to configure startup behavior - Add a config setting for `sssd` (now in the container by default) -- Add a "secret" configmap for session components (useful for shared database credentials, etc.) +- Add a "secret" configmap for session components (useful for shared database credentials, `odbc.ini`, etc.) # 0.4.6 From a15e0d1359076cbd9a7b6f23733e505c375ca1ae Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:45:22 -0400 Subject: [PATCH 19/32] mount session secret onto server mount session secret onto sessions --- charts/rstudio-workbench/templates/_helpers.tpl | 9 +++++++++ .../rstudio-workbench/templates/configmap-general.yaml | 10 ++++++++++ 2 files changed, 19 insertions(+) 
diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 1bd7701a..4fd4da83 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -88,6 +88,10 @@ containers: mountPath: "/mnt/configmap/rstudio/" - name: rstudio-session-config mountPath: "/mnt/session-configmap/rstudio/" + {{- if .Values.config.sessionSecret }} + - name: rstudio-session-secret + mountPath: "/mnt/session-secret/" + {{- end }} - name: rstudio-secret mountPath: "/mnt/secret-configmap/rstudio/" {{- if .Values.config.userProvisioning }} @@ -213,6 +217,11 @@ volumes: configMap: name: {{ include "rstudio-workbench.fullname" . }}-session defaultMode: 0644 +{{- if .Values.config.sessionSecret }} +- name: rstudio-session-secret + secret: + name: {{ include "rstudio-workbench.fullname" . }}-session-secret +{{- end }} - name: rstudio-prestart configMap: name: {{ include "rstudio-workbench.fullname" . }}-prestart diff --git a/charts/rstudio-workbench/templates/configmap-general.yaml b/charts/rstudio-workbench/templates/configmap-general.yaml index 81ec524b..d9546952 100644 --- a/charts/rstudio-workbench/templates/configmap-general.yaml +++ b/charts/rstudio-workbench/templates/configmap-general.yaml 
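Review bot: The new `rstudio-session-secret` volume uses `secret: name: ...`, but a Secret volume source is keyed `secretName` (see the `rstudio-secret` and `rstudio-sssd` volumes in the same list); depending on validation the unknown `name` field is rejected or silently dropped, leaving a volume with no source, and the pod fails to start whenever `config.sessionSecret` is set. It should read `secretName: {{ include "rstudio-workbench.fullname" . }}-session-secret`, and for consistency with the other secret volumes add `defaultMode: 0600` so credentials such as a shared `odbc.ini` are not world-readable inside the container. The enclosing `volumes:` definition starts above the hunk.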
@@ -9,7 +9,17 @@ {{- $sessionVolumeMount := dict "mountPath" "/mnt/session-configmap/rstudio" "name" "session-config" }} {{- $sessionVolumeOverride := dict "name" "defaultSessionVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionVolume }} {{- $sessionVolumeMountOverride := dict "name" "defaultSessionVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionVolumeMount }} + {{/* build the actual overrides */}} {{- $defaultOverrides = concat $defaultOverrides ( list $sessionVolumeOverride $sessionVolumeMountOverride ) }} + {{- if .Values.config.sessionSecret}} + {{/* default session secret config mount */}} + {{- $sessionSecretVolume := dict "secret" ( dict "name" (printf "%s-session-secret" ( include "rstudio-workbench.fullname" . ) ) ) "secretName" "session-secret" }} + {{- $sessionSecretVolumeMount := dict "mountPath" "/mnt/session-secret/" "name" "session-secret" }} + {{- $sessionSecretVolumeOverride := dict "name" "defaultSessionSecretVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionVolume }} + {{- $sessionSecretVolumeMountOverride := dict "name" "defaultSessionVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionVolumeMount }} + {{/* build the actual overrides */}} + {{- $defaultOverrides = concat $defaultOverrides ( list $sessionSecretVolumeOverride $sessionSecretVolumeMountOverride ) }} + {{- end }} {{- end }} {{- $defaultProfiles := dict "default-container-image" (first $defaultImages) "container-images" $defaultImages "allow-unknown-images" 1 }} {{- $defaultProfilesConfig := dict "*" $defaultProfiles }} From 2ef0f664a0d25b00adf6bad8b9f2d797d42c2c56 Mon Sep 17 00:00:00 2001 
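Review bot: The override objects built for the session secret never reference the secret dicts: `$sessionSecretVolumeOverride` passes `"json" $sessionVolume` and `$sessionSecretVolumeMountOverride` passes `"json" $sessionVolumeMount`, and the latter reuses the name `defaultSessionVolumeMount` already taken by the override two lines above, so session pods get the session configmap appended a second time and the secret not at all. `$sessionSecretVolume` is also shaped wrong for a Kubernetes volume: `secretName` sits at the top level and `name` inside `secret`, whereas a volume needs `name: session-secret` with `secret.secretName` set to the secret's name (presumably mirroring `$sessionVolume`, which is defined above the hunk). The same lines persist unchanged in this file's PATCH 20 hunk (`@@ -14,7 +14,7 @@`), and the enclosing `if` closed by the final `{{- end }}` starts above this hunk. The four definitions rewritten:
```yaml
  {{- if .Values.config.sessionSecret }}
  {{/* default session secret config mount */}}
  {{- $sessionSecretVolume := dict "name" "session-secret" "secret" ( dict "secretName" (printf "%s-session-secret" ( include "rstudio-workbench.fullname" . ) ) ) }}
  {{- $sessionSecretVolumeMount := dict "mountPath" "/mnt/session-secret/" "name" "session-secret" }}
  {{- $sessionSecretVolumeOverride := dict "name" "defaultSessionSecretVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionSecretVolume }}
  {{- $sessionSecretVolumeMountOverride := dict "name" "defaultSessionSecretVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionSecretVolumeMount }}
  {{/* … unchanged: build the actual overrides, end */}}
```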
From: Cole Arendt Date: Thu, 28 Oct 2021 08:48:08 -0400 Subject: [PATCH 20/32] make session secret mount path configurable --- charts/rstudio-workbench/templates/_helpers.tpl | 2 +- charts/rstudio-workbench/templates/configmap-general.yaml | 2 +- charts/rstudio-workbench/values.yaml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 4fd4da83..b026e25a 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -90,7 +90,7 @@ containers: mountPath: "/mnt/session-configmap/rstudio/" {{- if .Values.config.sessionSecret }} - name: rstudio-session-secret - mountPath: "/mnt/session-secret/" + mountPath: {{ .Values.session.defaultSecretMountPath }} {{- end }} - name: rstudio-secret mountPath: "/mnt/secret-configmap/rstudio/" diff --git a/charts/rstudio-workbench/templates/configmap-general.yaml b/charts/rstudio-workbench/templates/configmap-general.yaml index d9546952..9fbca3ee 100644 --- a/charts/rstudio-workbench/templates/configmap-general.yaml +++ b/charts/rstudio-workbench/templates/configmap-general.yaml 
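Review bot: `mountPath: {{ .Values.session.defaultSecretMountPath }}` in the `_helpers.tpl` hunk is rendered unquoted, unlike the neighbouring `mountPath: "/mnt/session-configmap/rstudio/"` lines, so an empty value renders as null and a value containing `: ` or ` #` breaks the YAML. Use `mountPath: {{ .Values.session.defaultSecretMountPath | quote }}`. The `containers:` block this mount belongs to starts above the hunk.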
@@ -14,7 +14,7 @@ {{- if .Values.config.sessionSecret}} {{/* default session secret config mount */}} {{- $sessionSecretVolume := dict "secret" ( dict "name" (printf "%s-session-secret" ( include "rstudio-workbench.fullname" . ) ) ) "secretName" "session-secret" }} - {{- $sessionSecretVolumeMount := dict "mountPath" "/mnt/session-secret/" "name" "session-secret" }} + {{- $sessionSecretVolumeMount := dict "mountPath" .Values.session.defaultSecretMountPath "name" "session-secret" }} {{- $sessionSecretVolumeOverride := dict "name" "defaultSessionSecretVolume" "target" "/spec/template/spec/volumes/-" "json" $sessionVolume }} {{- $sessionSecretVolumeMountOverride := dict "name" "defaultSessionVolumeMount" "target" "/spec/template/spec/containers/0/volumeMounts/-" "json" $sessionVolumeMount }} {{/* build the actual overrides */}} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 5eb84d62..1f69c9cf 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -9,6 +9,8 @@ versionOverride: "" session: # -- Whether to automatically mount the config.session configuration into session pods. If launcher.namespace is different from Release Namespace, then the chart will duplicate the session configmap in both namespaces to facilitate this defaultConfigMount: true + # -- The path to mount the sessionSecret (from `config.sessionSecret`) onto the server and session pods + defaultSecretMountPath: /mnt/session-secret/ image: # -- A tag prefix for session images (common selections: bionic-, centos-). Only used if tag is not defined tagPrefix: bionic- From c3e37b8b51f8257d672b6aadc6d7ea87f0512b30 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:49:04 -0400 Subject: [PATCH 21/32] fix line continuation --- charts/rstudio-workbench/prestart-workbench.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/rstudio-workbench/prestart-workbench.bash b/charts/rstudio-workbench/prestart-workbench.bash index 7d1d0a10..571afd27 100644 --- a/charts/rstudio-workbench/prestart-workbench.bash +++ b/charts/rstudio-workbench/prestart-workbench.bash @@ -23,7 +23,7 @@ main() { _logf 'Preparing dirs' mkdir -p \ - /var/lib/rstudio-server/monitor/log \ + /var/lib/rstudio-server/monitor/log chown -v -R \ rstudio-server:rstudio-server \ /var/lib/rstudio-server 2>&1 | _indent From 5b49ec1b6af3b76ab4c29f242beaecd5b2a8dba1 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:53:54 -0400 Subject: [PATCH 22/32] rename config.startup to config.startupCustom --- charts/rstudio-workbench/templates/_helpers.tpl | 4 ++-- charts/rstudio-workbench/templates/configmap-startup.yaml | 4 ++-- charts/rstudio-workbench/values.yaml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index b026e25a..6c4b5ccb 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -110,7 +110,7 @@ containers: - name: rstudio-user-startup mountPath: "/startup/user-provisioning" {{- end }} - {{- if .Values.config.startup }} + {{- if .Values.config.startupCustom }} - name: rstudio-custom-startup mountPath: "/startup/custom" {{- end }} @@ -242,7 +242,7 @@ volumes: name: {{ include "rstudio-workbench.fullname" . }}-start-sssd defaultMode: 0755 {{- end }} -{{- if .Values.config.startup }} +{{- if .Values.config.startupCustom }} - name: rstudio-custom-startup configMap: name: {{ include "rstudio-workbench.fullname" . }}-start-custom diff --git a/charts/rstudio-workbench/templates/configmap-startup.yaml b/charts/rstudio-workbench/templates/configmap-startup.yaml index 236ae9f3..fac4a08f 100644 --- a/charts/rstudio-workbench/templates/configmap-startup.yaml +++ b/charts/rstudio-workbench/templates/configmap-startup.yaml 
@@ -51,7 +51,7 @@ data: stderr_logfile_maxbytes=0 stderr_logfile_backups=0 {{- end }} -{{- if .Values.config.startup }} +{{- if .Values.config.startupCustom }} --- apiVersion: v1 kind: ConfigMap @@ -59,5 +59,5 @@ metadata: name: {{ include "rstudio-workbench.fullname" . }}-start-custom namespace: {{ $.Release.Namespace }} data: - {{- include "rstudio-library.config.ini" .Values.config.startup | nindent 2}} + {{- include "rstudio-library.config.ini" .Values.config.startupCustom | nindent 2}} {{- end }} diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 1f69c9cf..4d71f58f 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -303,4 +303,4 @@ config: profiles: {} serverDcf: launcher-mounts: [] - startup: {} + startupCustom: {} From 6971587a89d4e0c51bcdb1fce3b66618f558caf5 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 08:58:56 -0400 Subject: [PATCH 23/32] rename sssd to userProvisioning configuration --- charts/rstudio-workbench/templates/_helpers.tpl | 10 +++++----- .../rstudio-workbench/templates/configmap-secret.yaml | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/charts/rstudio-workbench/templates/_helpers.tpl b/charts/rstudio-workbench/templates/_helpers.tpl index 6c4b5ccb..8e874017 100644 --- a/charts/rstudio-workbench/templates/_helpers.tpl +++ b/charts/rstudio-workbench/templates/_helpers.tpl @@ -95,7 +95,7 @@ containers: - name: rstudio-secret mountPath: "/mnt/secret-configmap/rstudio/" {{- if .Values.config.userProvisioning }} - - name: rstudio-sssd + - name: rstudio-user mountPath: "/etc/sssd/conf.d/" {{- end }} - name: etc-rstudio 
@@ -239,7 +239,7 @@ volumes: {{- if .Values.config.userProvisioning }} - name: rstudio-user-startup configMap: - name: {{ include "rstudio-workbench.fullname" . }}-start-sssd + name: {{ include "rstudio-workbench.fullname" . }}-start-user defaultMode: 0755 {{- end }} {{- if .Values.config.startupCustom }} @@ -252,10 +252,10 @@ volumes: secret: secretName: {{ include "rstudio-workbench.fullname" . }}-secret defaultMode: 0600 -{{- if .Values.config.sssd }} -- name: rstudio-sssd +{{- if .Values.config.userProvisioning }} +- name: rstudio-user secret: - secretName: {{ include "rstudio-workbench.fullname" . }}-sssd + secretName: {{ include "rstudio-workbench.fullname" . }}-user defaultMode: 0600 {{- end }} {{ include "rstudio-library.license-volume" (dict "license" ( .Values.license ) "fullName" (include "rstudio-workbench.fullname" .)) }} diff --git a/charts/rstudio-workbench/templates/configmap-secret.yaml b/charts/rstudio-workbench/templates/configmap-secret.yaml index 0b7bce26..e5fe067e 100644 --- a/charts/rstudio-workbench/templates/configmap-secret.yaml +++ b/charts/rstudio-workbench/templates/configmap-secret.yaml @@ -16,12 +16,12 @@ stringData: {{ .Values.launcherPub | indent 4 }} {{- end }} --- -{{- if .Values.config.sssd }} +{{- if .Values.config.userProvisioning }} apiVersion: v1 kind: Secret metadata: - name: {{ include "rstudio-workbench.fullname" . }}-sssd + name: {{ include "rstudio-workbench.fullname" . }}-user namespace: {{ $.Release.Namespace }} stringData: -{{- include "rstudio-library.config.ini" .Values.config.sssd | indent 2 }} +{{- include "rstudio-library.config.ini" .Values.config.userProvisioning | indent 2 }} {{- end }} From b342b56d77a6e9f34e7ac4de0ba86db23205adac Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 09:14:08 -0400 Subject: [PATCH 24/32] add more doc strings for config explanation --- charts/rstudio-workbench/values.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
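Review bot: The `rstudio-user-startup` volume now references ConfigMap `{{ include "rstudio-workbench.fullname" . }}-start-user`, but this commit's diffstat touches only `_helpers.tpl` and `configmap-secret.yaml`, and `configmap-startup.yaml` (as of the PATCH 22 hunk above) still renders that ConfigMap as `<fullname>-start-sssd`; unless it is renamed somewhere not shown here, pods with `config.userProvisioning` set will stay pending on a missing ConfigMap. Either keep `name: {{ include "rstudio-workbench.fullname" . }}-start-sssd` or rename the ConfigMap in `configmap-startup.yaml` in the same commit. The `volumes:` list this hunk edits starts above the hunk.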
diff --git a/charts/rstudio-workbench/values.yaml b/charts/rstudio-workbench/values.yaml index 4d71f58f..85ead66e 100644 --- a/charts/rstudio-workbench/values.yaml +++ b/charts/rstudio-workbench/values.yaml @@ -37,6 +37,8 @@ sharedStorage: # -- the volume of storage to request for this persistent volume claim storage: "10Gi" +# -- How to handle updates to the service. RollingUpdate (the default) minimizes downtime, but +# will not work well if your license only allows a single activation. strategy: type: "RollingUpdate" rollingUpdate: 
@@ -249,25 +251,34 @@ rbac: # -- jobJsonOverridesFiles is a map of maps. Each item in the map will become a file (named by the key), and the underlying object will be converted to JSON as the file's contents jobJsonOverridesFiles: {} +# -- An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details. launcherPem: '' +# -- An inline launcher.pub key to pair with launcher.pem. If `false` (the default), we will try to generate a `launcher.pub` from the provided `launcher.pem` launcherPub: false + secureCookieKey: '' + dangerRegenerateAutomatedValues: false global: secureCookieKey: '' config: + # -- a map of session-scoped config files. Mounted to `/mnt/session-configmap/rstudio/` on both server and session, by default. session: repos.conf: RSPM: https://packagemanager.rstudio.com/cran/__linux__/bionic/latest CRAN: https://packagemanager.rstudio.com/cran/__linux__/bionic/latest rsession.conf: {} notifications.conf: {} + # -- a map of secret, session-scoped config files (odbc.ini, etc.). Mounted to `/mnt/session-secret/` on both server and session, by default sessionSecret: {} + # -- a map of secret, server-scoped config files. Mounted to `/mnt/secret-configmap/rstudio/` with 0600 permissions secret: "database.conf": {} + # -- a map of sssd config files, used for user provisioning. Mounted to `/etc/sssd/conf.d/` with 0600 permissions userProvisioning: {} + # -- a map of server config files. Mounted to `/mnt/configmap/rstudio/` server: rserver.conf: server-health-check-enabled: 1 
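Review bot: `secureCookieKey: ''` and `dangerRegenerateAutomatedValues: false` are the only keys in this hunk left without a `# --` helm-docs comment, so they will appear in the generated README with no description; the `danger` prefix in particular needs a sentence saying what is regenerated and when, and since `launcherPem` and `secureCookieKey` hold credentials the comments could also point out that they should be supplied at install time rather than committed with the values file. The new `sessionSecret` comment hard-codes `/mnt/session-secret/`, which `session.defaultSecretMountPath` now controls (PATCH 20); `# -- ... Mounted to ``session.defaultSecretMountPath`` (default ``/mnt/session-secret/``) on both server and session` keeps the two in sync. The `config:` mapping continues below the hunk.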
@@ -300,7 +311,10 @@ config: labs-enabled: 1 default-session-cluster: Kubernetes logging.conf: {} + # -- a map of server-scoped config files (akin to `config.server`), but with specific behavior that supports profiles. See README for more information. profiles: {} + # -- a map of server-scoped config files (akin to `config.server`), but with .dcf file formatting (i.e. `launcher-mounts`, `launcher-env`, etc.) serverDcf: launcher-mounts: [] + # -- a map of supervisord .conf files to define custom services. Mounted into the container at /startup/custom/ startupCustom: {} From b58b9ab15752ce5e86470cc2038f6f641716863e Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 10:30:42 -0400 Subject: [PATCH 25/32] refactor readme a bunch --- charts/rstudio-workbench/README.md.gotmpl | 197 +++++++++++++++++----- 1 file changed, 157 insertions(+), 40 deletions(-) diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 9afb2e15..ec04966c 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl 
@@ -13,21 +13,38 @@ This chart requires the following in order to function: * A license key, license file, or address of a running license server. See the `license` configuration below. -* A Kubernetes [PersistentVolume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that contains the home directory for users. - * If `homeStorage.create` is set, a PVC that relies on the default storage class will be created to generate the PersistentVolume. - Most Kubernetes environments do not have a default storage class that you can use with `ReadWriteMany` access mode out-of-the-box. - In this case, we recommend you disable `homeStorage.create` and create your own `PersistentVolume` and `PersistentVolumeClaim`, then mount them - into the container by specifying the `pod.volumes` and `pod.volumeMounts` parameters, or by specifying your `PersistentVolumeClaim` using `homeStorage.name` and `homeStorage.mount`. - * If you cannot use a `PersistentVolume` to properly mount your users' home directories, you'll need to mount your data in the container - by using a regular [Kubernetes Volume](https://kubernetes.io/docs/concepts/storage/volumes/#nfs), specified in `pod.volumes` and `pod.volumeMounts`. - * If you cannot use a `Volume` to mount the directories, you'll need to manually mount them during container startup with a mechanism similar to what - is described below for joining to auth domains. +* A Kubernetes [PersistentVolume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that contains the + home directory for users. + * If `homeStorage.create` is set, a PVC that relies on the default storage class will be created to generate the + PersistentVolume. Most Kubernetes environments do not have a default storage class that you can use + with `ReadWriteMany` access mode out-of-the-box. 
In this case, we recommend you disable `homeStorage.create` and + create your own `PersistentVolume` and `PersistentVolumeClaim`, then mount them into the container by specifying + the `pod.volumes` and `pod.volumeMounts` parameters, or by specifying your `PersistentVolumeClaim` + using `homeStorage.name` and `homeStorage.mount`. + * If you cannot use a `PersistentVolume` to properly mount your users' home directories, you'll need to mount your + data in the container by using a + regular [Kubernetes Volume](https://kubernetes.io/docs/concepts/storage/volumes/#nfs), specified in `pod.volumes` + and `pod.volumeMounts`. + * If you cannot use a `Volume` to mount the directories, you'll need to manually mount them during container startup + with a mechanism similar to what is described below for joining to auth domains. * If not using `homeStorage.create`, you'll need to configure `config.serverDcf.launcher-mounts` to ensure that the correct mounts are used when users create new sessions. -* If using load balancing (by setting `replicas > 1`), you will need similar storage defined for `sharedStorage` to store shared project configuration. -* A method to join the deployed `rstudio-workbench` container to your auth domain. The default `rstudio/rstudio-server-pro` image does not contain a way to join domains. - We recommend creating your own Docker image that derives from this base image to provide domain joining that fits your needs. Your image can then use a process supervisor - like [supervisord](http://supervisord.org/) to run multiple processes: in the most common case, `rstudio-server`, `rstudio-launcher`, and `sssd`. See - [here](https://github.com/rstudio/sol-eng-demo-server/tree/main/helper/workbench) for an example of this. +* If using load balancing (by setting `replicas > 1`), you will need similar storage defined for `sharedStorage` to + store shared project configuration. 
However, you can also configure the product to store its shared data underneath `/home` by + setting `config.server.rserver\.conf.server-shared-storage-path=/home/some-shared-dir`. +* A method to join the deployed `rstudio-workbench` container to your auth domain. The default `rstudio/rstudio-workbench` image has `sssd` installed and started by default. + You can include `sssd` configuration in `config.userProvisioning` like so: +```yaml +config: + userProvisioning: + mysssd.conf: + sssd: + config_file_version: 2 + services: nss, pam + domains: rstudio.com + domain/rstudio.com: + id_provider: ldap + auth_provider: ldap +``` ## Recommended Configuration 
@@ -39,23 +56,22 @@ In addition to the above required configuration, we recommend setting the follow * Set the `global.secureCookieKey` so that user authentication continues to work between deployments. A valid value can be obtained by simply running the `uuid` command. * Some use-cases may require special PAM profiles to run. By default, no PAM profiles other than the basic `auth` profile will be used to authenticate users. - If this is not sufficient then you will need to add your PAM profiles into the container (similar to adding `sssd.conf` as specified above). + If this is not sufficient then you will need to add your PAM profiles into the container using a volume and volumeMount. ## General Principles -- In most places, we opt to pass Helm values directly into ConfigMaps. We translate these into the valid `.ini` or `.dcf` file formats -required by RStudio Workbench. Those config files and their mount locations are below. +- In most places, we opt to pass Helm values directly into ConfigMaps. We automatically translate these into the + valid `.ini` or `.dcf` file formats required by RStudio Workbench. Those config files and their mount locations are + below. - If you need to modify the jobs launched by RStudio Workbench, you want to use `job-json-overrides`. There is a section on this below and [a support article](https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes) on the topic in general. -- If you are running in an HA environment, there is [an experimental sidecar container](https://hub.docker.com/r/colearendt/rstudio-load-balancer-manager) - that maintains the `load-balancer` file and HUPs the rstudio-server service. 
-- The prestart script for RStudio Workbench is highly customized to: +- The prestart scripts for RStudio Workbench and RStudio Launcher are highly customized to: - Get the service account information off of the RStudio Workbench pod for use in launching jobs - - Generate `launcher.pub` as needed (if `launcher.pem` is provided). If it is not provided, - the Helm chart will generate it automatically but this information will be lost for subsequent deployments and - can cause users to be locked out sessions started by a previous deployment. + - Generate `launcher.pub` as needed (if `launcher.pem` is provided). If it is not provided, the Helm chart will + generate it automatically but this information can be lost if deleting the chart or moving to a new cluster. This + can cause users to be locked out sessions started by a previous deployment. - RStudio Workbench does not export prometheus metrics on its own. Instead, we run a sidecar graphite exporter [as described here](https://support.rstudio.com/hc/en-us/articles/360044800273-Monitoring-RStudio-Team-Using-Prometheus-and-Graphite) 
@@ -68,26 +84,38 @@ so you can set the database password with something like: ... --set config.secret.database\.conf.password=mypassword ... ``` -The files are converted into configuration files in the necessary format via go-templating. +The files are converted into configuration files in the necessary format via go-templating. If you want to "in-line" a config file or mount it verbatim, you can use a pattern like: + +```yaml +config: + server: + rserver.conf: | + verbatim-file=format +``` -The names of files are dynamically used, so you can usually add new files as needed. Beware that -some files have default values, so moving them can have adverse effects. Also, if you use a different -mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment variable +The names of files are dynamically used, so you can add new files as needed. Beware that some files have default values, +so moving them can have adverse effects. Also, if you use a different mounting paradigm, you will need to change +the `XDG_CONFIG_DIRS` environment variable - Session Configuration - These configuration files are mounted into the server and - will ideally be mounted into the session pods as well. + are mounted into the session pods as well. - `repos.conf`, `rsession.conf`, `notifications.conf` - located in the `config.session.<< name of file >>` helm values - mounted at `/mnt/session-configmap/rstudio/` +- Session Secret Configuration + - These configuration files are mounted into the server and session pods as well + - `odbc.ini` and other similar shared secrets + - located in `config.sessionSecret.<< name of file>>` helm values + - mounted at `/mnt/session-secret/` - Secret Configuration - - These configuration files are mounted into the server with more restrictive permissions - - `database.conf`, `launcher.pem` + - These configuration files are mounted into the server with more restrictive permissions (0600) + - `database.conf`, `openid-client-secret`, etc. 
- They are located in the `config.secret.<< name of file >>` helm values - mounted at `/mnt/secret-configmap/rstudio/` - Server Configuration - These configuration files are mounted into the server (.ini file format) - - `rserver.conf`, `launcher.conf`, `jupyter.conf`, `launcher.kubernetes.profiles.conf`, `logging.conf` + - `rserver.conf`, `launcher.conf`, `jupyter.conf`, `logging.conf` - They are located at `config.server.<< name of file >>` helm values - mounted at `/mnt/configmap/rstudio/` - Server DCF Configuration 
@@ -95,18 +123,107 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var - `launcher-mounts`, `launcher-env` - They are located at `config.serverDcf.<< name of file >>` helm values - included at `/mnt/configmap/rstudio/` -- Load Balancer file - - If `replicas > 1` then we create and maintain a load balancer file at `/mnt/load-balancer/rstudio/` - - This is maintained by [a sidecar](https://hub.docker.com/r/rstudio/rstudio-server-load-balancer-manager) - that queries the Kubernetes API for other RStudio pods +- Profiles Configuration + - These configuration files are mounted into the server (.ini file format) + - `launcher.kubernetes.profiles.conf` + - They are located at `config.profiles.<< name of file >>` helm values + - included at `/mnt/configmap/rstudio/` + - See the `Profiles` section below for more information - Prestart - This is provided by the helm chart in a configmap - It is mounted into the pod at `/scripts/` -- Job Json Overrides - - If you want to customize the job launch process, you will need to edit a few items: - - Set the `job-json-overrides` config values in `config.server.launcher\.kubernetes\.profiles\.conf` - - Set the `jobJsonOverridesFiles` helm value to be a map of files, which are translated verbatim from YAML to JSON - - These are written to `/mnt/job-json-overrides/<< key / file name >>` + - `prestart-workbench.bash` is used to start workbench + - `prestart-launcher.bash` is used to start launcher +- User Provisioning Configuration + - These configuration files are used for configuring user provisioning (i.e. 
`sssd`) + - Located at `config.userProvisioning.<< name of file >>` helm values + - Mounted onto `/etc/sssd/conf.d/` with `0600` permissions by default +- Custom Startup Configuration + - `supervisord` service / unit definition `.conf` files + - Located at `config.startupCustom.<< name of file >>` helm values + - Will use the `.ini` file format, by default + - + +## RStudio Profiles + +Profiles are used to define product behavior (in `.ini` file format) based on user and group membership. + +Sections define whether a set of configuration is applied to a user's jobs based on the following criteria: + +- if section header is `[*]`, it applies to all users +- if a user's username is `myusername`, the section `[myusername]` will apply to them +- if a user is in the `allusers` group, then the section `[@allusers]` will applly to them + +The product reads configuration from top-to-bottom, and "last-in-wins" for a given configuration value. + +However, the `config.profiles` section has a couple of niceties that are added in by default. + +- YAML arrays like the following will be "comma-joined." For instance, the following will become: `some-key=value1,value2` +```yaml +some-key: + - value1 + - value2 +``` +- The `[*]` section will have arrays "appended" to user and group sections, along with "defaults" defined by the chart. + +### A Full Example + +```yaml +config: + profiles: + launcher.kubernetes.profiles.conf: + "*": + some-key: + - value1 + - value2 +- myuser: + some-key: + - value4 + - value5 +``` + +Becomes: + +```ini +[*] +some-key: value1,value2 +[myuser] +some-key: value1,value2,value3,value4 +``` + +> NOTE: this appending / concatenation / array translation behavior only works with the helm chart + +### Job Json Overrides + +If you want to customize the job launch process (i.e. 
how sessions are defined), you will need to edit the following +configuration: + - modify `config.profiles.launcher.kubernetes.profiles.conf.<< some selector >>.job-json-overrides` + - create an array of maps with the following keys: + - `target`: the "target" part of the job spec to replace + - `name`: a unique identifier (ideally with no spaces) that will become a config filename on disk + - `json`: a YAML value that will be translated directly to JSON and injected into the job spec at `target` + +Note that several examples are provided +in [this support article](https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes) +(however, examples do not use the helm chart syntax there). + +```yaml +config: + profiles: + launcher.kubernetes.profiles.conf: + "*": + job-json-overrides: + - target: "/spec/template/spec/containers/0/imagePullPolicy" + json: "Always" + name: imagePullPolicy + - target: "/spec/template/spec/imagePullSecrets" + json: + name: my-pull-secret + name: imagePullSecrets + container-images: + - "one-image:tag" + - "two-image:tag +``` {{ template "chart.valuesSection" . }} From c9c034378eb91735974bca307cd994ae4052a0d9 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Thu, 28 Oct 2021 10:40:20 -0400 Subject: [PATCH 26/32] update readme --- charts/rstudio-workbench/README.md | 261 ++++++++++++++++++++--------- 1 file changed, 178 insertions(+), 83 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index b89ad9c1..e2794fec 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md 
@@ -1,6 +1,6 @@ # RStudio Workbench -![Version: 0.4.6](https://img.shields.io/badge/Version-0.4.6-informational?style=flat-square) ![AppVersion: 1.4.1717-3](https://img.shields.io/badge/AppVersion-1.4.1717--3-informational?style=flat-square) +![Version: 0.5.0-rc01](https://img.shields.io/badge/Version-0.5.0--rc01-informational?style=flat-square) ![AppVersion: 2021.09.0-351.pro6](https://img.shields.io/badge/AppVersion-2021.09.0--351.pro6-informational?style=flat-square) #### _Official Helm chart for RStudio Workbench_ @@ -23,11 +23,11 @@ As a result, please: ## Installing the Chart -To install the chart with the release name `my-release` at version 0.4.6: +To install the chart with the release name `my-release` at version 0.5.0-rc01: ```bash helm repo add rstudio https://helm.rstudio.com -helm install my-release rstudio/rstudio-workbench --version=0.4.6 +helm install my-release rstudio/rstudio-workbench --version=0.5.0-rc01 ``` ## Required Configuration 
@@ -35,21 +35,38 @@ helm install my-release rstudio/rstudio-workbench --version=0.4.6 This chart requires the following in order to function: * A license key, license file, or address of a running license server. See the `license` configuration below. -* A Kubernetes [PersistentVolume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that contains the home directory for users. - * If `homeStorage.create` is set, a PVC that relies on the default storage class will be created to generate the PersistentVolume. - Most Kubernetes environments do not have a default storage class that you can use with `ReadWriteMany` access mode out-of-the-box. - In this case, we recommend you disable `homeStorage.create` and create your own `PersistentVolume` and `PersistentVolumeClaim`, then mount them - into the container by specifying the `pod.volumes` and `pod.volumeMounts` parameters, or by specifying your `PersistentVolumeClaim` using `homeStorage.name` and `homeStorage.mount`. - * If you cannot use a `PersistentVolume` to properly mount your users' home directories, you'll need to mount your data in the container - by using a regular [Kubernetes Volume](https://kubernetes.io/docs/concepts/storage/volumes/#nfs), specified in `pod.volumes` and `pod.volumeMounts`. - * If you cannot use a `Volume` to mount the directories, you'll need to manually mount them during container startup with a mechanism similar to what - is described below for joining to auth domains. +* A Kubernetes [PersistentVolume](https://kubernetes.io/docs/concepts/storage/persistent-volumes/) that contains the + home directory for users. + * If `homeStorage.create` is set, a PVC that relies on the default storage class will be created to generate the + PersistentVolume. Most Kubernetes environments do not have a default storage class that you can use + with `ReadWriteMany` access mode out-of-the-box. 
In this case, we recommend you disable `homeStorage.create` and + create your own `PersistentVolume` and `PersistentVolumeClaim`, then mount them into the container by specifying + the `pod.volumes` and `pod.volumeMounts` parameters, or by specifying your `PersistentVolumeClaim` + using `homeStorage.name` and `homeStorage.mount`. + * If you cannot use a `PersistentVolume` to properly mount your users' home directories, you'll need to mount your + data in the container by using a + regular [Kubernetes Volume](https://kubernetes.io/docs/concepts/storage/volumes/#nfs), specified in `pod.volumes` + and `pod.volumeMounts`. + * If you cannot use a `Volume` to mount the directories, you'll need to manually mount them during container startup + with a mechanism similar to what is described below for joining to auth domains. * If not using `homeStorage.create`, you'll need to configure `config.serverDcf.launcher-mounts` to ensure that the correct mounts are used when users create new sessions. -* If using load balancing (by setting `replicas > 1`), you will need similar storage defined for `sharedStorage` to store shared project configuration. -* A method to join the deployed `rstudio-workbench` container to your auth domain. The default `rstudio/rstudio-server-pro` image does not contain a way to join domains. - We recommend creating your own Docker image that derives from this base image to provide domain joining that fits your needs. Your image can then use a process supervisor - like [supervisord](http://supervisord.org/) to run multiple processes: in the most common case, `rstudio-server`, `rstudio-launcher`, and `sssd`. See - [here](https://github.com/rstudio/sol-eng-demo-server/tree/main/helper/workbench) for an example of this. +* If using load balancing (by setting `replicas > 1`), you will need similar storage defined for `sharedStorage` to + store shared project configuration. 
However, you can also configure the product to store its shared data underneath `/home` by + setting `config.server.rserver\.conf.server-shared-storage-path=/home/some-shared-dir`. +* A method to join the deployed `rstudio-workbench` container to your auth domain. The default `rstudio/rstudio-workbench` image has `sssd` installed and started by default. + You can include `sssd` configuration in `config.userProvisioning` like so: +```yaml +config: + userProvisioning: + mysssd.conf: + sssd: + config_file_version: 2 + services: nss, pam + domains: rstudio.com + domain/rstudio.com: + id_provider: ldap + auth_provider: ldap +``` ## Recommended Configuration 
@@ -61,22 +78,21 @@ In addition to the above required configuration, we recommend setting the follow * Set the `global.secureCookieKey` so that user authentication continues to work between deployments. A valid value can be obtained by simply running the `uuid` command. * Some use-cases may require special PAM profiles to run. By default, no PAM profiles other than the basic `auth` profile will be used to authenticate users. - If this is not sufficient then you will need to add your PAM profiles into the container (similar to adding `sssd.conf` as specified above). + If this is not sufficient then you will need to add your PAM profiles into the container using a volume and volumeMount. ## General Principles -- In most places, we opt to pass Helm values directly into ConfigMaps. We translate these into the valid `.ini` or `.dcf` file formats -required by RStudio Workbench. Those config files and their mount locations are below. +- In most places, we opt to pass Helm values directly into ConfigMaps. We automatically translate these into the + valid `.ini` or `.dcf` file formats required by RStudio Workbench. Those config files and their mount locations are + below. - If you need to modify the jobs launched by RStudio Workbench, you want to use `job-json-overrides`. There is a section on this below and [a support article](https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes) on the topic in general. -- If you are running in an HA environment, there is [an experimental sidecar container](https://hub.docker.com/r/colearendt/rstudio-load-balancer-manager) - that maintains the `load-balancer` file and HUPs the rstudio-server service. 
-- The prestart script for RStudio Workbench is highly customized to: +- The prestart scripts for RStudio Workbench and RStudio Launcher are highly customized to: - Get the service account information off of the RStudio Workbench pod for use in launching jobs - - Generate `launcher.pub` as needed (if `launcher.pem` is provided). If it is not provided, - the Helm chart will generate it automatically but this information will be lost for subsequent deployments and - can cause users to be locked out sessions started by a previous deployment. + - Generate `launcher.pub` as needed (if `launcher.pem` is provided). If it is not provided, the Helm chart will + generate it automatically but this information can be lost if deleting the chart or moving to a new cluster. This + can cause users to be locked out sessions started by a previous deployment. - RStudio Workbench does not export prometheus metrics on its own. Instead, we run a sidecar graphite exporter [as described here](https://support.rstudio.com/hc/en-us/articles/360044800273-Monitoring-RStudio-Team-Using-Prometheus-and-Graphite) 
@@ -89,26 +105,38 @@ so you can set the database password with something like: ... --set config.secret.database\.conf.password=mypassword ... ``` -The files are converted into configuration files in the necessary format via go-templating. +The files are converted into configuration files in the necessary format via go-templating. If you want to "in-line" a config file or mount it verbatim, you can use a pattern like: + +```yaml +config: + server: + rserver.conf: | + verbatim-file=format +``` -The names of files are dynamically used, so you can usually add new files as needed. Beware that -some files have default values, so moving them can have adverse effects. Also, if you use a different -mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment variable +The names of files are dynamically used, so you can add new files as needed. Beware that some files have default values, +so moving them can have adverse effects. Also, if you use a different mounting paradigm, you will need to change +the `XDG_CONFIG_DIRS` environment variable - Session Configuration - These configuration files are mounted into the server and - will ideally be mounted into the session pods as well. + are mounted into the session pods as well. - `repos.conf`, `rsession.conf`, `notifications.conf` - located in the `config.session.<< name of file >>` helm values - mounted at `/mnt/session-configmap/rstudio/` +- Session Secret Configuration + - These configuration files are mounted into the server and session pods as well + - `odbc.ini` and other similar shared secrets + - located in `config.sessionSecret.<< name of file>>` helm values + - mounted at `/mnt/session-secret/` - Secret Configuration - - These configuration files are mounted into the server with more restrictive permissions - - `database.conf`, `launcher.pem` + - These configuration files are mounted into the server with more restrictive permissions (0600) + - `database.conf`, `openid-client-secret`, etc. 
- They are located in the `config.secret.<< name of file >>` helm values - mounted at `/mnt/secret-configmap/rstudio/` - Server Configuration - These configuration files are mounted into the server (.ini file format) - - `rserver.conf`, `launcher.conf`, `jupyter.conf`, `launcher.kubernetes.profiles.conf`, `logging.conf` + - `rserver.conf`, `launcher.conf`, `jupyter.conf`, `logging.conf` - They are located at `config.server.<< name of file >>` helm values - mounted at `/mnt/configmap/rstudio/` - Server DCF Configuration 
@@ -116,58 +144,123 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var - `launcher-mounts`, `launcher-env` - They are located at `config.serverDcf.<< name of file >>` helm values - included at `/mnt/configmap/rstudio/` -- Load Balancer file - - If `replicas > 1` then we create and maintain a load balancer file at `/mnt/load-balancer/rstudio/` - - This is maintained by [a sidecar](https://hub.docker.com/r/rstudio/rstudio-server-load-balancer-manager) - that queries the Kubernetes API for other RStudio pods +- Profiles Configuration + - These configuration files are mounted into the server (.ini file format) + - `launcher.kubernetes.profiles.conf` + - They are located at `config.profiles.<< name of file >>` helm values + - included at `/mnt/configmap/rstudio/` + - See the `Profiles` section below for more information - Prestart - This is provided by the helm chart in a configmap - It is mounted into the pod at `/scripts/` -- Job Json Overrides - - If you want to customize the job launch process, you will need to edit a few items: - - Set the `job-json-overrides` config values in `config.server.launcher\.kubernetes\.profiles\.conf` - - Set the `jobJsonOverridesFiles` helm value to be a map of files, which are translated verbatim from YAML to JSON - - These are written to `/mnt/job-json-overrides/<< key / file name >>` + - `prestart-workbench.bash` is used to start workbench + - `prestart-launcher.bash` is used to start launcher +- User Provisioning Configuration + - These configuration files are used for configuring user provisioning (i.e. 
`sssd`) + - Located at `config.userProvisioning.<< name of file >>` helm values + - Mounted onto `/etc/sssd/conf.d/` with `0600` permissions by default +- Custom Startup Configuration + - `supervisord` service / unit definition `.conf` files + - Located at `config.startupCustom.<< name of file >>` helm values + - Will use the `.ini` file format, by default + - + +## RStudio Profiles + +Profiles are used to define product behavior (in `.ini` file format) based on user and group membership. + +Sections define whether a set of configuration is applied to a user's jobs based on the following criteria: + +- if section header is `[*]`, it applies to all users +- if a user's username is `myusername`, the section `[myusername]` will apply to them +- if a user is in the `allusers` group, then the section `[@allusers]` will applly to them + +The product reads configuration from top-to-bottom, and "last-in-wins" for a given configuration value. + +However, the `config.profiles` section has a couple of niceties that are added in by default. + +- YAML arrays like the following will be "comma-joined." For instance, the following will become: `some-key=value1,value2` +```yaml +some-key: + - value1 + - value2 +``` +- The `[*]` section will have arrays "appended" to user and group sections, along with "defaults" defined by the chart. + +### A Full Example + +```yaml +config: + profiles: + launcher.kubernetes.profiles.conf: + "*": + some-key: + - value1 + - value2 +- myuser: + some-key: + - value4 + - value5 +``` + +Becomes: + +```ini +[*] +some-key: value1,value2 +[myuser] +some-key: value1,value2,value3,value4 +``` + +> NOTE: this appending / concatenation / array translation behavior only works with the helm chart + +### Job Json Overrides + +If you want to customize the job launch process (i.e. 
how sessions are defined), you will need to edit the following +configuration: + - modify `config.profiles.launcher.kubernetes.profiles.conf.<< some selector >>.job-json-overrides` + - create an array of maps with the following keys: + - `target`: the "target" part of the job spec to replace + - `name`: a unique identifier (ideally with no spaces) that will become a config filename on disk + - `json`: a YAML value that will be translated directly to JSON and injected into the job spec at `target` + +Note that several examples are provided +in [this support article](https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes) +(however, examples do not use the helm chart syntax there). + +```yaml +config: + profiles: + launcher.kubernetes.profiles.conf: + "*": + job-json-overrides: + - target: "/spec/template/spec/containers/0/imagePullPolicy" + json: "Always" + name: imagePullPolicy + - target: "/spec/template/spec/imagePullSecrets" + json: + name: my-pull-secret + name: imagePullSecrets + container-images: + - "one-image:tag" + - "two-image:tag +``` ## Values | Key | Type | Default | Description | |-----|------|---------|-------------| -| args | list | `["/scripts/prestart.bash","/usr/local/bin/startup.sh"]` | args is the pod container's run arguments. By default, it uses a kubernetes-specific prestart script that exec's the default container startup script. | -| command | list | `["tini","-s","--"]` | command is the pod container's run command. 
| -| config.profiles | object | `{}` | | -| config.secret."database.conf" | object | `{}` | | -| config.server."jupyter.conf".default-session-cluster | string | `"Kubernetes"` | | -| config.server."jupyter.conf".jupyter-exe | string | `"/opt/python/3.6.5/bin/jupyter"` | | -| config.server."jupyter.conf".labs-enabled | int | `1` | | -| config.server."jupyter.conf".notebooks-enabled | int | `1` | | -| config.server."launcher.conf".cluster.name | string | `"Kubernetes"` | | -| config.server."launcher.conf".cluster.type | string | `"Kubernetes"` | | -| config.server."launcher.conf".server.address | string | `"127.0.0.1"` | | -| config.server."launcher.conf".server.admin-group | string | `"rstudio-server"` | | -| config.server."launcher.conf".server.authorization-enabled | int | `1` | | -| config.server."launcher.conf".server.enable-debug-logging | int | `0` | | -| config.server."launcher.conf".server.port | int | `5559` | | -| config.server."launcher.conf".server.server-user | string | `"rstudio-server"` | | -| config.server."launcher.conf".server.thread-pool-size | int | `4` | | -| config.server."logging.conf" | object | `{}` | | -| config.server."rserver.conf".admin-enabled | int | `1` | | -| config.server."rserver.conf".launcher-address | string | `"127.0.0.1"` | | -| config.server."rserver.conf".launcher-default-cluster | string | `"Kubernetes"` | | -| config.server."rserver.conf".launcher-port | int | `5559` | | -| config.server."rserver.conf".launcher-sessions-enabled | int | `1` | | -| config.server."rserver.conf".monitor-graphite-client-id | string | `"rstudio"` | | -| config.server."rserver.conf".monitor-graphite-enabled | int | `1` | | -| config.server."rserver.conf".monitor-graphite-host | string | `"127.0.0.1"` | | -| config.server."rserver.conf".monitor-graphite-port | int | `9109` | | -| config.server."rserver.conf".server-health-check-enabled | int | `1` | | -| config.server."rserver.conf".server-project-sharing | int | `1` | | -| 
config.server."rserver.conf".www-port | int | `8787` | | -| config.serverDcf.launcher-mounts | list | `[]` | | -| config.session."notifications.conf" | object | `{}` | | -| config.session."repos.conf".CRAN | string | `"https://packagemanager.rstudio.com/cran/__linux__/bionic/latest"` | | -| config.session."repos.conf".RSPM | string | `"https://packagemanager.rstudio.com/cran/__linux__/bionic/latest"` | | -| config.session."rsession.conf" | object | `{}` | | +| affinity | object | `{}` | | +| args | list | `[]` | args is the pod container's run arguments. | +| command | list | `[]` | command is the pod container's run command. By default, it uses the container's default. However, the chart expects a container using `supervisord` for startup | +| config.profiles | object | `{}` | a map of server-scoped config files (akin to `config.server`), but with specific behavior that supports profiles. See README for more information. | +| config.secret | object | `{"database.conf":{}}` | a map of secret, server-scoped config files. Mounted to `/mnt/secret-configmap/rstudio/` with 0600 permissions | +| config.server | object | `{"jupyter.conf":{"default-session-cluster":"Kubernetes","jupyter-exe":"/opt/python/3.6.5/bin/jupyter","labs-enabled":1,"notebooks-enabled":1},"launcher.conf":{"cluster":{"name":"Kubernetes","type":"Kubernetes"},"server":{"address":"127.0.0.1","admin-group":"rstudio-server","authorization-enabled":1,"enable-debug-logging":0,"port":5559,"server-user":"rstudio-server","thread-pool-size":4}},"logging.conf":{},"rserver.conf":{"admin-enabled":1,"launcher-address":"127.0.0.1","launcher-default-cluster":"Kubernetes","launcher-port":5559,"launcher-sessions-enabled":1,"monitor-graphite-client-id":"rstudio","monitor-graphite-enabled":1,"monitor-graphite-host":"127.0.0.1","monitor-graphite-port":9109,"server-health-check-enabled":1,"server-project-sharing":1,"www-port":8787}}` | a map of server config files. 
Mounted to `/mnt/configmap/rstudio/` | +| config.serverDcf | object | `{"launcher-mounts":[]}` | a map of server-scoped config files (akin to `config.server`), but with .dcf file formatting (i.e. `launcher-mounts`, `launcher-env`, etc.) | +| config.session | object | `{"notifications.conf":{},"repos.conf":{"CRAN":"https://packagemanager.rstudio.com/cran/__linux__/bionic/latest","RSPM":"https://packagemanager.rstudio.com/cran/__linux__/bionic/latest"},"rsession.conf":{}}` | a map of session-scoped config files. Mounted to `/mnt/session-configmap/rstudio/` on both server and session, by default. | +| config.sessionSecret | object | `{}` | a map of secret, session-scoped config files (odbc.ini, etc.). Mounted to `/mnt/session-secret/` on both server and session, by default | +| config.startupCustom | object | `{}` | a map of supervisord .conf files to define custom services. Mounted into the container at /startup/custom/ | +| config.userProvisioning | object | `{}` | a map of sssd config files, used for user provisioning. Mounted to `/etc/sssd/conf.d/` with 0600 permissions | | dangerRegenerateAutomatedValues | bool | `false` | | | fullnameOverride | string | `""` | the full name of the release (can be overridden) | | global.secureCookieKey | string | `""` | | 
@@ -189,8 +282,8 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var | jobJsonOverridesFiles | object | `{}` | jobJsonOverridesFiles is a map of maps. Each item in the map will become a file (named by the key), and the underlying object will be converted to JSON as the file's contents | | launcher.enabled | bool | `true` | determines whether the launcher should be started in the container | | launcher.namespace | string | `""` | allow customizing the namespace that sessions are launched into. Note RBAC and some config issues today | -| launcherPem | string | `""` | | -| launcherPub | bool | `false` | | +| launcherPem | string | `""` | An inline launcher.pem key. If not provided, one will be auto-generated. See README for more details. | +| launcherPub | bool | `false` | An inline launcher.pub key to pair with launcher.pem. If `false` (the default), we will try to generate a `launcher.pub` from the provided `launcher.pem` | | license.file | object | `{"contents":false,"mountPath":"/etc/rstudio-licensing","mountSubPath":false,"secret":false,"secretKey":"license.lic"}` | the file section is used for licensing with a license file | | license.file.contents | bool | `false` | contents is an in-line license file | | license.file.mountPath | string | `"/etc/rstudio-licensing"` | mountPath is the place the license file will be mounted into the container | 
@@ -209,11 +302,13 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var | loadBalancer.securityContext.capabilities.add[0] | string | `"SYS_PTRACE"` | | | loadBalancer.sleepDuration | int | `15` | | | nameOverride | string | `""` | the name of the chart deployment (can be overridden) | +| nodeSelector | object | `{}` | | | pod.annotations | object | `{}` | podAnnotations is a map of keys / values that will be added as annotations to the rstudio-pm pods | | pod.env | list | `[]` | env is an array of maps that is injected as-is into the "env:" component of the pod.container spec | | pod.sidecar | bool | `false` | sidecar is an array of containers that will be run alongside the main container | | pod.volumeMounts | list | `[]` | volumeMounts is injected as-is into the "volumeMounts:" component of the pod.container spec | | pod.volumes | list | `[]` | volumes is injected as-is into the "volumes:" component of the pod.container spec | +| priorityClassName | string | `nil` | | | prometheusExporter.enabled | bool | `true` | whether the prometheus exporter sidecar should be enabled | | prometheusExporter.image.imagePullPolicy | string | `"IfNotPresent"` | | | prometheusExporter.image.repository | string | `"prom/graphite-exporter"` | | 
@@ -232,6 +327,7 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var | service.port | int | `80` | The Service port. This is the port your service will run under. | | service.type | string | `"NodePort"` | the service type (i.e. NodePort, LoadBalancer, etc.) | | session.defaultConfigMount | bool | `true` | Whether to automatically mount the config.session configuration into session pods. If launcher.namespace is different from Release Namespace, then the chart will duplicate the session configmap in both namespaces to facilitate this | +| session.defaultSecretMountPath | string | `"/mnt/session-secret/"` | The path to mount the sessionSecret (from `config.sessionSecret`) onto the server and session pods | | session.image.repository | string | `"rstudio/r-session-complete"` | The repository to use for the session image | | session.image.tag | string | `""` | A tag override for the session image. Overrides the "tagPrefix" above, if set. Default tag is `{{ tagPrefix }}{{ version }}` | | session.image.tagPrefix | string | `"bionic-"` | A tag prefix for session images (common selections: bionic-, centos-). Only used if tag is not defined | 
@@ -245,9 +341,8 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var | sharedStorage.storageClassName | bool | `false` | storageClassName - the type of storage to use. Must allow ReadWriteMany | | startupProbe | object | `{"enabled":false,"failureThreshold":30,"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":1}` | startupProbe is used to configure the container's startupProbe | | startupProbe.failureThreshold | int | `30` | failureThreshold * periodSeconds should be strictly > worst case startup time | -| strategy.rollingUpdate.maxSurge | string | `"100%"` | | -| strategy.rollingUpdate.maxUnavailable | int | `0` | | -| strategy.type | string | `"RollingUpdate"` | | +| strategy | object | `{"rollingUpdate":{"maxSurge":"100%","maxUnavailable":0},"type":"RollingUpdate"}` | How to handle updates to the service. RollingUpdate (the default) minimizes downtime, but will not work well if your license only allows a single activation. | +| tolerations | list | `[]` | | | userCreate | bool | `false` | userCreate determines whether a user should be created at startup (if true) | | userName | string | `"rstudio"` | userName determines the username of the created user | | userPassword | string | `"rstudio"` | userPassword determines the password of the created user | From f2d162d3c5cf166cae52618e440a9c4641e3d0ff Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Sat, 30 Oct 2021 15:34:31 -0400 Subject: [PATCH 27/32] add a few breaking notes --- charts/rstudio-workbench/NEWS.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/charts/rstudio-workbench/NEWS.md b/charts/rstudio-workbench/NEWS.md index b95c354b..6e16c308 100644 --- a/charts/rstudio-workbench/NEWS.md +++ b/charts/rstudio-workbench/NEWS.md 
@@ -1,13 +1,14 @@ # 0.5.0 -- Bump RStudio version to Ghost Orchid (2021.09.0+351.pro6) +- BREAKING: Bump RStudio version to Ghost Orchid (2021.09.0+351.pro6) - This version of the chart is no longer compatible (by default) with older versions (1.4 and previous). - Previous versions of the chart are not compatible (by default) with 2021.09 or later - If you want to use charts across versions, you will need to change `command`, `args`, and some configmaps. -- Change RStudio Workbench execution model to use supervisord +- BREAKING: Change RStudio Workbench execution model to use supervisord - Add config-maps to configure startup behavior -- Add a config setting for `sssd` (now in the container by default) +- Add a config setting for `sssd` (now in the container by default) - `config.userProvisioning` - Add a "secret" configmap for session components (useful for shared database credentials, `odbc.ini`, etc.) +- Update README to make `job-json-overrides`, profiles, etc. more clear # 0.4.6 From 419d6512bd6a47c6c76c36c5f0f9b9cc56649496 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Mon, 1 Nov 2021 13:34:19 -0400 Subject: [PATCH 28/32] update helm chart readme (again) --- charts/rstudio-workbench/README.md | 32 ++++++++++++++++++++++- charts/rstudio-workbench/README.md.gotmpl | 32 ++++++++++++++++++++++- 2 files changed, 62 insertions(+), 2 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index e2794fec..6a46f4b6 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md 
@@ -163,7 +163,37 @@ the `XDG_CONFIG_DIRS` environment variable - `supervisord` service / unit definition `.conf` files - Located at `config.startupCustom.<< name of file >>` helm values - Will use the `.ini` file format, by default - - + - As with all config files above, can override with a verbatim string if desired, like so: +```yaml +config: + startupCustom: + myfile.conf: | + file-used-verbatim +``` + +## User Provisioning + +Provisioning users in RStudio Workbench containers is challenging. Session images have users created automatically (with +consistent UIDs / GIDs), but creating users in the Workbench containers is a responsibility that falls to the +administrator today. + +The most common way to provision users is via `sssd`. The [latest RStudio Workbench container]() has `sssd` included and +running by default (see `userProvisioning` configuration files above). + +The other way that this can be managed is via a lightweight "startup service" (runs once at startup and then sleeps forever) +or a polling service (checks at regular intervals). Either can be written easily in `bash` or another programming language. +However, it is important to be careful of a few points: + +- UID / GID consistency: linux usernames and their matching to UID/GID must be consistent across all nodes and across + time. Failing this can cause security issues and access by some users to files they should not be allowed to see +- usernames cannot have `@`. The `@` sign (often used in emails with SSO) is a problem for RStudio Workbench because + some operating systems disallow `@` signs in linux usernames +- `supervisord` is configured by default to exit if any of its child processes exit. If you use `config.startupCustom` + to configure a user management service, be careful that it does not exist unnecessarily + +We do not provide such a service out of the box because we intend for RStudio Workbench to solve this problem in a +future release. 
Please get in touch with your account representative if you have feedback or questions about this +workflow. ## RStudio Profiles diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index ec04966c..9903b31a 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl 
@@ -142,7 +142,37 @@ the `XDG_CONFIG_DIRS` environment variable - `supervisord` service / unit definition `.conf` files - Located at `config.startupCustom.<< name of file >>` helm values - Will use the `.ini` file format, by default - - + - As with all config files above, can override with a verbatim string if desired, like so: +```yaml +config: + startupCustom: + myfile.conf: | + file-used-verbatim +``` + +## User Provisioning + +Provisioning users in RStudio Workbench containers is challenging. Session images have users created automatically (with +consistent UIDs / GIDs), but creating users in the Workbench containers is a responsibility that falls to the +administrator today. + +The most common way to provision users is via `sssd`. The [latest RStudio Workbench container]() has `sssd` included and +running by default (see `userProvisioning` configuration files above). + +The other way that this can be managed is via a lightweight "startup service" (runs once at startup and then sleeps forever) +or a polling service (checks at regular intervals). Either can be written easily in `bash` or another programming language. +However, it is important to be careful of a few points: + +- UID / GID consistency: linux usernames and their matching to UID/GID must be consistent across all nodes and across + time. Failing this can cause security issues and access by some users to files they should not be allowed to see +- usernames cannot have `@`. The `@` sign (often used in emails with SSO) is a problem for RStudio Workbench because + some operating systems disallow `@` signs in linux usernames +- `supervisord` is configured by default to exit if any of its child processes exit. If you use `config.startupCustom` + to configure a user management service, be careful that it does not exist unnecessarily + +We do not provide such a service out of the box because we intend for RStudio Workbench to solve this problem in a +future release. 
Please get in touch with your account representative if you have feedback or questions about this +workflow. ## RStudio Profiles From e37a0b57b7807dc7a2ae595d0f710c89bfde21e4 Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Mon, 1 Nov 2021 13:35:11 -0400 Subject: [PATCH 29/32] add link to sssd --- charts/rstudio-workbench/README.md | 5 +++-- charts/rstudio-workbench/README.md.gotmpl | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/charts/rstudio-workbench/README.md b/charts/rstudio-workbench/README.md index 6a46f4b6..0caecff8 100644 --- a/charts/rstudio-workbench/README.md +++ b/charts/rstudio-workbench/README.md @@ -177,8 +177,9 @@ Provisioning users in RStudio Workbench containers is challenging. Session image consistent UIDs / GIDs), but creating users in the Workbench containers is a responsibility that falls to the administrator today. -The most common way to provision users is via `sssd`. The [latest RStudio Workbench container]() has `sssd` included and -running by default (see `userProvisioning` configuration files above). +The most common way to provision users is via `sssd`. +The [latest RStudio Workbench container](https://github.com/rstudio/rstudio-docker-products/tree/main/workbench#user-provisioning) +has `sssd` included and running by default (see `userProvisioning` configuration files above). The other way that this can be managed is via a lightweight "startup service" (runs once at startup and then sleeps forever) or a polling service (checks at regular intervals). Either can be written easily in `bash` or another programming language. diff --git a/charts/rstudio-workbench/README.md.gotmpl b/charts/rstudio-workbench/README.md.gotmpl index 9903b31a..2fa7e12f 100644 --- a/charts/rstudio-workbench/README.md.gotmpl +++ b/charts/rstudio-workbench/README.md.gotmpl 
@@ -156,8 +156,9 @@ Provisioning users in RStudio Workbench containers is challenging. Session image consistent UIDs / GIDs), but creating users in the Workbench containers is a responsibility that falls to the administrator today. -The most common way to provision users is via `sssd`. The [latest RStudio Workbench container]() has `sssd` included and -running by default (see `userProvisioning` configuration files above). +The most common way to provision users is via `sssd`. +The [latest RStudio Workbench container](https://github.com/rstudio/rstudio-docker-products/tree/main/workbench#user-provisioning) +has `sssd` included and running by default (see `userProvisioning` configuration files above). The other way that this can be managed is via a lightweight "startup service" (runs once at startup and then sleeps forever) or a polling service (checks at regular intervals). Either can be written easily in `bash` or another programming language. From a228a4ec2726bf35abdccb6c5a3190a28e069a9c Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Mon, 1 Nov 2021 13:56:17 -0400 Subject: [PATCH 30/32] add test values --- charts/rstudio-workbench/ci/complex-values.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/charts/rstudio-workbench/ci/complex-values.yaml b/charts/rstudio-workbench/ci/complex-values.yaml index a9390725..88a96afe 100644 --- a/charts/rstudio-workbench/ci/complex-values.yaml +++ b/charts/rstudio-workbench/ci/complex-values.yaml @@ -89,6 +89,10 @@ config: Path: /opt/R/3.6.3 - Label: other Path: /opt/R/4.0.2 + sessionSecret: + odbc.ini: | + [hello] + uid=someval secret: "database.conf": {} server: @@ -134,3 +138,11 @@ config: Environment: TESTA: A TESTB: B + userProvisioning: + # fake .test ending to avoid killing the image + some-value.conf.test: | + some-value + startupCustom: + # fake .test ending to avoid killing the image + somefile.conf.test: | + some-value From 7b29b111fc034c681da5104cb69af364121169bb Mon Sep 17 00:00:00 2001 
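Review bot: The comment `# fake .test ending to avoid killing the image` on the new `userProvisioning` fixture in the second `complex-values.yaml` hunk records the workaround but not the failure it avoids, so the next person adding a fixture cannot tell which file names are safe. The README hunks earlier in this series say `config.userProvisioning` files are mounted to `/etc/sssd/conf.d/` with 0600 permissions and that `supervisord` is configured to exit when a child process exits, so presumably a malformed file named `*.conf` there would fail `sssd` and, through `supervisord`, the container under test. Suggest `# .test suffix keeps sssd from loading this fixture; a malformed *.conf in /etc/sssd/conf.d/ would fail sssd and bring the container down`, with equivalent wording on the `startupCustom` fixture, which is a supervisord service definition. If the CI image can tolerate it, a fixture that is a valid `.conf` would also exercise the real mount path and permissions rather than only the rendering of the keys.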
From: Cole Arendt Date: Mon, 1 Nov 2021 14:04:01 -0400 Subject: [PATCH 31/32] try pulling the origin --- .github/workflows/chart-doc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-doc.yaml b/.github/workflows/chart-doc.yaml index 000b33a4..6b5f31fa 100644 --- a/.github/workflows/chart-doc.yaml +++ b/.github/workflows/chart-doc.yaml @@ -56,7 +56,7 @@ jobs: run: | set -xe # pull latest updates (i.e. if the document step above updated things) - git pull + git pull origin cd ./charts/rstudio-launcher-rbac && helm dependency build && cd - helm template -n rstudio rstudio-launcher-rbac ./charts/rstudio-launcher-rbac --set removeNamespaceReferences=true > examples/rbac/rstudio-launcher-rbac.yaml CHART_VERSION=$(helm show chart ./charts/rstudio-launcher-rbac | grep '^version' | cut -d ' ' -f 2) From 4c483807c614003ae0e90f41541f7a5981dcd03c Mon Sep 17 00:00:00 2001 From: Cole Arendt Date: Mon, 1 Nov 2021 14:22:37 -0400 Subject: [PATCH 32/32] try to pull the ref directly --- .github/workflows/chart-doc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/chart-doc.yaml b/.github/workflows/chart-doc.yaml index 6b5f31fa..3248272d 100644 --- a/.github/workflows/chart-doc.yaml +++ b/.github/workflows/chart-doc.yaml @@ -56,7 +56,7 @@ jobs: run: | set -xe # pull latest updates (i.e. if the document step above updated things) - git pull origin + git pull origin $GITHUB_REF cd ./charts/rstudio-launcher-rbac && helm dependency build && cd - helm template -n rstudio rstudio-launcher-rbac ./charts/rstudio-launcher-rbac --set removeNamespaceReferences=true > examples/rbac/rstudio-launcher-rbac.yaml CHART_VERSION=$(helm show chart ./charts/rstudio-launcher-rbac | grep '^version' | cut -d ' ' -f 2)
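Review bot: `git pull origin $GITHUB_REF` in the final `chart-doc.yaml` hunk leaves the variable unquoted and assumes `$GITHUB_REF` names the branch the workflow will push back to; on a `pull_request` trigger that variable is the `refs/pull/<n>/merge` ref rather than a branch, so whether the pull lands on the intended ref depends on which events this workflow runs on, which are not visible in the hunk. At minimum quote it, `git pull origin "$GITHUB_REF"`, and record the intent with a comment such as `# GITHUB_REF is a full ref (refs/heads/<branch> on push); pull it explicitly so the commit from the document step above is not lost`. The `run:` script continues past the end of the hunk, and the job's trigger and checkout settings are outside it.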