From f568e5055d84df1c6a2e935b55358853d4d97cd4 Mon Sep 17 00:00:00 2001
From: Ian Pittwood
Date: Tue, 1 Aug 2023 10:24:47 -0700
Subject: [PATCH] Revert "Update rstudio-connect ci Python and R paths"
This reverts commit ac6c5018f3571d4d95a377e30ec062cf519b29f9.
---
 charts/rstudio-connect/ci/complex-values.yaml | 4 +-
 charts/rstudio-connect/ci/simple-values.yaml | 4 +-
 charts/rstudio-pm/README.md | 158 +++++++++---------
 .../rbac/rstudio-launcher-rbac-0.2.17.yaml | 88 ----------
 4 files changed, 83 insertions(+), 171 deletions(-)
 delete mode 100644 examples/rbac/rstudio-launcher-rbac-0.2.17.yaml
diff --git a/charts/rstudio-connect/ci/complex-values.yaml b/charts/rstudio-connect/ci/complex-values.yaml
index b2151072..37f77cd8 100644
--- a/charts/rstudio-connect/ci/complex-values.yaml
+++ b/charts/rstudio-connect/ci/complex-values.yaml
@@ -137,7 +137,7 @@ config:
 Provider: password
 Python:
 Enabled: true
- Executable: /opt/python/default/bin/python
+ Executable: /opt/python/3.6.5/bin/python
 'RPackageRepository "CRAN"':
 URL: https://packagemanager.rstudio.com/cran/__linux__/bionic/latest
 'RPackageRepository "RSPM"':
@@ -147,4 +147,4 @@ config:
 DataDir: /var/lib/rstudio-connect
 RVersionScanning: false
 RVersion:
- - /opt/R/default
+ - /opt/R/3.6.2
diff --git a/charts/rstudio-connect/ci/simple-values.yaml b/charts/rstudio-connect/ci/simple-values.yaml
index 964d534b..0d8cacb2 100644
--- a/charts/rstudio-connect/ci/simple-values.yaml
+++ b/charts/rstudio-connect/ci/simple-values.yaml
@@ -13,7 +13,7 @@ config:
 Provider: password
 Python:
 Enabled: true
- Executable: /opt/python/default/bin/python
+ Executable: /opt/python/3.6.5/bin/python
 'RPackageRepository "CRAN"':
 URL: https://packagemanager.rstudio.com/cran/__linux__/bionic/latest
 'RPackageRepository "RSPM"':
@@ -23,4 +23,4 @@ config:
 DataDir: /var/lib/rstudio-connect
 RVersionScanning: false
 RVersion:
- - /opt/R/default
+ - /opt/R/3.6.2
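Review bot: The restored `Executable: /opt/python/3.6.5/bin/python` line in the first hunk of `complex-values.yaml` hard-codes a Python 3.6 interpreter, a release line that reached end of life in December 2021 and no longer receives security fixes; the first hunk of `simple-values.yaml` restores the same path, and the second hunk of each file pins `RVersion` to `/opt/R/3.6.2`. The commit message only says it reverts ac6c5018f3571d4d95a377e30ec062cf519b29f9, so nothing on the page explains whether these versions are what the CI image actually ships or why the `default` paths had to go. Because CI values files tend to be copied as starting points for real deployments, I would put a comment above each pin, for example `# pinned to the interpreter present in the CI image; not a recommended version`, and state the reason for the revert in the commit body.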
diff --git a/charts/rstudio-pm/README.md b/charts/rstudio-pm/README.md index 45f8904b..f2f01095 100644 --- a/charts/rstudio-pm/README.md +++ b/charts/rstudio-pm/README.md 
@@ -114,86 +114,86 @@ The Helm `config` values are converted into the `rstudio-pm.gcfg` service config ## Values -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | -| args | bool | `false` | args is the pod's run arguments. By default, it uses the container's default | -| awsAccessKeyId | bool | `false` | awsAccessKeyId is the access key id for s3 access, used also to gate file creation | -| awsSecretAccessKey | string | `nil` | awsSecretAccessKey is the secret access key, needs to be filled if access_key_id is | -| command | bool | `false` | command is the pod's run command. By default, it uses the container's default | -| config | object | `{"HTTP":{"Listen":":4242"},"Metrics":{"Enabled":true},"Server":{"RVersion":"/opt/R/default/"}}` | config is a nested map of maps that generates the rstudio-pm.gcfg file | -| enableMigration | bool | `true` | Enable migrations for shared storage (if necessary) using Helm hooks. | -| enableSandboxing | bool | `true` | Enable sandboxing of Git builds, which requires elevated security privileges for the Package Manager container. | -| extraContainers | list | `[]` | sidecar container list | -| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) | -| fullnameOverride | string | `""` | the full name of the release (can be overridden) | -| image.imagePullPolicy | string | `"IfNotPresent"` | the imagePullPolicy for the main pod image | -| image.imagePullSecrets | list | `[]` | an array of kubernetes secrets for pulling the main pod image from private registries | -| image.repository | string | `"rstudio/rstudio-package-manager"` | the repository to use for the main pod image | -| image.tag | string | `""` | the tag to use for the main pod image | -| image.tagPrefix | string | `"bionic-"` | A tag prefix for the server image (common selections: bionic-, jammy-). 
Only used if tag is not defined | -| ingress.annotations | object | `{}` | | -| ingress.enabled | bool | `false` | | -| ingress.hosts | string | `nil` | | -| ingress.ingressClassName | string | `""` | The ingressClassName for the ingress resource. Only used for clusters that support networking.k8s.io/v1 Ingress resources | -| ingress.tls | list | `[]` | | -| initContainers | bool | `false` | the initContainer spec that will be used verbatim | -| license.file | object | `{"contents":false,"mountPath":"/etc/rstudio-licensing","mountSubPath":false,"secret":false,"secretKey":"license.lic"}` | the file section is used for licensing with a license file | -| license.file.contents | bool | `false` | contents is an in-line license file | -| license.file.mountPath | string | `"/etc/rstudio-licensing"` | mountPath is the place the license file will be mounted into the container | -| license.file.mountSubPath | bool | `false` | mountSubPath is whether to mount the subPath for the file secret. -- It can be preferable _not_ to enable this, because then updates propagate automatically | -| license.file.secret | bool | `false` | secret is an existing secret with a license file in it | -| license.file.secretKey | string | `"license.lic"` | secretKey is the key for the secret to use for the license file | -| license.key | string | `nil` | key is the license to use | -| license.server | bool | `false` | server is the : for a license server | -| livenessProbe | object | `{"enabled":false,"failureThreshold":10,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":10,"periodSeconds":5,"timeoutSeconds":2}` | livenessProbe is used to configure the container's livenessProbe | -| nameOverride | string | `""` | the name of the chart deployment (can be overridden) | -| nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | -| pod.annotations | object | `{}` | annotations is a map of keys / values that will be added as annotations to the pods | 
+| Key | Type | Default | Description | +|-----|------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------| +| affinity | object | `{}` | A map used verbatim as the pod's "affinity" definition | +| args | bool | `false` | args is the pod's run arguments. By default, it uses the container's default | +| awsAccessKeyId | bool | `false` | awsAccessKeyId is the access key id for s3 access, used also to gate file creation | +| awsSecretAccessKey | string | `nil` | awsSecretAccessKey is the secret access key, needs to be filled if access_key_id is | +| command | bool | `false` | command is the pod's run command. By default, it uses the container's default | +| config | object | `{"HTTP":{"Listen":":4242"},"Metrics":{"Enabled":true},"Server":{"RVersion":"/opt/R/default/"}}` | config is a nested map of maps that generates the rstudio-pm.gcfg file | +| enableMigration | bool | `true` | Enable migrations for shared storage (if necessary) using Helm hooks. | +| enableSandboxing | bool | `true` | Enable sandboxing of Git builds, which requires elevated security privileges for the Package Manager container. 
| +| extraContainers | list | `[]` | sidecar container list | +| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) | +| fullnameOverride | string | `""` | the full name of the release (can be overridden) | +| image.imagePullPolicy | string | `"IfNotPresent"` | the imagePullPolicy for the main pod image | +| image.imagePullSecrets | list | `[]` | an array of kubernetes secrets for pulling the main pod image from private registries | +| image.repository | string | `"rstudio/rstudio-package-manager"` | the repository to use for the main pod image | +| image.tag | string | `""` | the tag to use for the main pod image | +| image.tagPrefix | string | `"bionic-"` | A tag prefix for the server image (common selections: bionic-, jammy-). Only used if tag is not defined | +| ingress.annotations | object | `{}` | | +| ingress.enabled | bool | `false` | | +| ingress.hosts | string | `nil` | | +| ingress.ingressClassName | string | `""` | The ingressClassName for the ingress resource. Only used for clusters that support networking.k8s.io/v1 Ingress resources | +| ingress.tls | list | `[]` | | +| initContainers | bool | `false` | the initContainer spec that will be used verbatim | +| license.file | object | `{"contents":false,"mountPath":"/etc/rstudio-licensing","mountSubPath":false,"secret":false,"secretKey":"license.lic"}` | the file section is used for licensing with a license file | +| license.file.contents | bool | `false` | contents is an in-line license file | +| license.file.mountPath | string | `"/etc/rstudio-licensing"` | mountPath is the place the license file will be mounted into the container | +| license.file.mountSubPath | bool | `false` | mountSubPath is whether to mount the subPath for the file secret. 
-- It can be preferable _not_ to enable this, because then updates propagate automatically | +| license.file.secret | bool | `false` | secret is an existing secret with a license file in it | +| license.file.secretKey | string | `"license.lic"` | secretKey is the key for the secret to use for the license file | +| license.key | string | `nil` | key is the license to use | +| license.server | bool | `false` | server is the : for a license server | +| livenessProbe | object | `{"enabled":false,"failureThreshold":10,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":10,"periodSeconds":5,"timeoutSeconds":2}` | livenessProbe is used to configure the container's livenessProbe | +| nameOverride | string | `""` | the name of the chart deployment (can be overridden) | +| nodeSelector | object | `{}` | A map used verbatim as the pod's "nodeSelector" definition | +| pod.annotations | object | `{}` | annotations is a map of keys / values that will be added as annotations to the pods | | pod.containerSecurityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"runAsNonRoot":true,"runAsUser":999,"seccompProfile":{"type":"{{ if .Values.enableSandboxing }}Unconfined{{ else }}RuntimeDefault{{ end }}"}}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the main Package Manager container. Evaluated as a template. 
| -| pod.env | list | `[]` | env is an array of maps that is injected as-is into the "env:" component of the pod.container spec | -| pod.labels | object | `{}` | Additional labels to add to the rstudio-pm pods | -| pod.lifecycle | object | `{}` | Container [lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) | -| pod.securityContext | object | `{}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod | -| pod.serviceAccountName | string | `""` | Deprecated, use `serviceAccount.name` instead | -| pod.volumeMounts | list | `[]` | volumeMounts is an array of maps that is injected as-is into the "volumeMounts" component of the pod spec | -| pod.volumes | list | `[]` | volumes is an array of maps that is injected as-is into the "volumes:" component of the pod spec | -| podDisruptionBudget | object | `{}` | Pod disruption budget | -| priorityClassName | string | `""` | The pod's priorityClassName | -| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":3,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | readinessProbe is used to configure the container's readinessProbe | -| replicas | int | `1` | replicas is the number of replica pods to maintain for this service | -| resources | object | `{"limits":{"cpu":"2000m","enabled":false,"ephemeralStorage":"200Mi","memory":"4Gi"},"requests":{"cpu":"100m","enabled":false,"ephemeralStorage":"100Mi","memory":"2Gi"}}` | resources define requests and limits for the rstudio-pm pod | -| rootCheckIsFatal | bool | `true` | Whether the check for root accounts in the config file is fatal. This is meant to simplify migration to the new helm chart version. 
| -| rstudioPMKey | bool | `false` | rstudioPMKey is the rstudio-pm key used for the RStudio Package Manager service | -| service.annotations | object | `{}` | Annotations for the service, for example to specify [an internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer) | -| service.clusterIP | string | `""` | The cluster-internal IP to use with `service.type` ClusterIP | -| service.loadBalancerIP | string | `""` | The external IP to use with `service.type` LoadBalancer, when supported by the cloud provider | -| service.nodePort | bool | `false` | The explicit nodePort to use for `service.type` NodePort. If not provided, Kubernetes will choose one automatically | -| service.port | int | `80` | The Service port. This is the port your service will run under. | -| service.type | string | `"ClusterIP"` | The service type, usually ClusterIP (in-cluster only) or LoadBalancer (to expose the service using your cloud provider's load balancer) | -| serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount, if any | -| serviceAccount.create | bool | `true` | Whether to create a [Service Account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) | -| serviceAccount.labels | object | `{}` | | -| serviceAccount.name | string | When `serviceAccount.create` is `true` this defaults to the full name of the release | ServiceAccount to use, if any, or an explicit name for the one we create | -| serviceMonitor.additionalLabels | object | `{}` | additionalLabels normally includes the release name of the Prometheus Operator | -| serviceMonitor.enabled | bool | `false` | Whether to create a ServiceMonitor CRD for use with a Prometheus Operator | -| serviceMonitor.namespace | string | `""` | Namespace to create the ServiceMonitor in (usually the same as the one in which the Operator is running). 
Defaults to the release namespace | -| sharedStorage.accessModes | list | `["ReadWriteMany"]` | accessModes defined for the storage PVC (represented as YAML) | -| sharedStorage.annotations | object | `{"helm.sh/resource-policy":"keep"}` | Define the annotations for the Persistent Volume Claim resource | -| sharedStorage.create | bool | `false` | whether to create the persistentVolumeClaim for shared storage | -| sharedStorage.mount | bool | `false` | Whether the persistentVolumeClaim should be mounted (even if not created) | -| sharedStorage.name | string | `""` | The name of the pvc. By default, computes a value from the release name | -| sharedStorage.path | string | `"/var/lib/rstudio-pm"` | the path to mount the sharedStorage claim within the pod | -| sharedStorage.requests.storage | string | `"10Gi"` | the volume of storage to request for this persistent volume claim | -| sharedStorage.selector | object | `{}` | selector for PVC definition | -| sharedStorage.storageClassName | bool | `false` | storageClassName - the type of storage to use. Must allow ReadWriteMany | -| sharedStorage.volumeName | string | `""` | the volumeName passed along to the persistentVolumeClaim. Optional | -| startupProbe | object | `{"enabled":false,"failureThreshold":30,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":1}` | startupProbe is used to configure the container's startupProbe | -| startupProbe.failureThreshold | int | `30` | failureThreshold * periodSeconds should be strictly > worst case startup time | -| strategy | object | `{"rollingUpdate":{"maxSurge":"100%","maxUnavailable":0},"type":"RollingUpdate"}` | The update strategy used by the main service pod. 
| -| tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | -| topologySpreadConstraints | list | `[]` | An array used verbatim as the pod's "topologySpreadConstraints" definition | -| versionOverride | string | `""` | A Package Manager version to override the "tag" for the RStudio Package Manager image. Necessary until https://github.com/helm/helm/issues/8194 | +| pod.env | list | `[]` | env is an array of maps that is injected as-is into the "env:" component of the pod.container spec | +| pod.labels | object | `{}` | Additional labels to add to the rstudio-pm pods | +| pod.lifecycle | object | `{}` | Container [lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/) | +| pod.securityContext | object | `{}` | the [securityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for the pod | +| pod.serviceAccountName | string | `""` | Deprecated, use `serviceAccount.name` instead | +| pod.volumeMounts | list | `[]` | volumeMounts is an array of maps that is injected as-is into the "volumeMounts" component of the pod spec | +| pod.volumes | list | `[]` | volumes is an array of maps that is injected as-is into the "volumes:" component of the pod spec | +| podDisruptionBudget | object | `{}` | Pod disruption budget | +| priorityClassName | string | `""` | The pod's priorityClassName | +| readinessProbe | object | `{"enabled":true,"failureThreshold":3,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":3,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | readinessProbe is used to configure the container's readinessProbe | +| replicas | int | `1` | replicas is the number of replica pods to maintain for this service | +| resources | object | `{"limits":{"cpu":"2000m","enabled":false,"ephemeralStorage":"200Mi","memory":"4Gi"},"requests":{"cpu":"100m","enabled":false,"ephemeralStorage":"100Mi","memory":"2Gi"}}` | resources define requests and limits 
for the rstudio-pm pod | +| rootCheckIsFatal | bool | `true` | Whether the check for root accounts in the config file is fatal. This is meant to simplify migration to the new helm chart version. | +| rstudioPMKey | bool | `false` | rstudioPMKey is the rstudio-pm key used for the RStudio Package Manager service | +| service.annotations | object | `{}` | Annotations for the service, for example to specify [an internal load balancer](https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer) | +| service.clusterIP | string | `""` | The cluster-internal IP to use with `service.type` ClusterIP | +| service.loadBalancerIP | string | `""` | The external IP to use with `service.type` LoadBalancer, when supported by the cloud provider | +| service.nodePort | bool | `false` | The explicit nodePort to use for `service.type` NodePort. If not provided, Kubernetes will choose one automatically | +| service.port | int | `80` | The Service port. This is the port your service will run under. 
| +| service.type | string | `"ClusterIP"` | The service type, usually ClusterIP (in-cluster only) or LoadBalancer (to expose the service using your cloud provider's load balancer) | +| serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount, if any | +| serviceAccount.create | bool | `true` | Whether to create a [Service Account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/) | +| serviceAccount.labels | object | `{}` | | +| serviceAccount.name | string | When `serviceAccount.create` is `true` this defaults to the full name of the release | ServiceAccount to use, if any, or an explicit name for the one we create | +| serviceMonitor.additionalLabels | object | `{}` | additionalLabels normally includes the release name of the Prometheus Operator | +| serviceMonitor.enabled | bool | `false` | Whether to create a ServiceMonitor CRD for use with a Prometheus Operator | +| serviceMonitor.namespace | string | `""` | Namespace to create the ServiceMonitor in (usually the same as the one in which the Operator is running). Defaults to the release namespace | +| sharedStorage.accessModes | list | `["ReadWriteMany"]` | accessModes defined for the storage PVC (represented as YAML) | +| sharedStorage.annotations | object | `{"helm.sh/resource-policy":"keep"}` | Define the annotations for the Persistent Volume Claim resource | +| sharedStorage.create | bool | `false` | whether to create the persistentVolumeClaim for shared storage | +| sharedStorage.mount | bool | `false` | Whether the persistentVolumeClaim should be mounted (even if not created) | +| sharedStorage.name | string | `""` | The name of the pvc. 
By default, computes a value from the release name | +| sharedStorage.path | string | `"/var/lib/rstudio-pm"` | the path to mount the sharedStorage claim within the pod | +| sharedStorage.requests.storage | string | `"10Gi"` | the volume of storage to request for this persistent volume claim | +| sharedStorage.selector | object | `{}` | selector for PVC definition | +| sharedStorage.storageClassName | bool | `false` | storageClassName - the type of storage to use. Must allow ReadWriteMany | +| sharedStorage.volumeName | string | `""` | the volumeName passed along to the persistentVolumeClaim. Optional | +| startupProbe | object | `{"enabled":false,"failureThreshold":30,"httpGet":{"path":"/__ping__","port":4242},"initialDelaySeconds":10,"periodSeconds":10,"timeoutSeconds":1}` | startupProbe is used to configure the container's startupProbe | +| startupProbe.failureThreshold | int | `30` | failureThreshold * periodSeconds should be strictly > worst case startup time | +| strategy | object | `{"rollingUpdate":{"maxSurge":"100%","maxUnavailable":0},"type":"RollingUpdate"}` | The update strategy used by the main service pod. | +| tolerations | list | `[]` | An array used verbatim as the pod's "tolerations" definition | +| topologySpreadConstraints | list | `[]` | An array used verbatim as the pod's "topologySpreadConstraints" definition | +| versionOverride | string | `""` | A Package Manager version to override the "tag" for the RStudio Package Manager image. Necessary until https://github.com/helm/helm/issues/8194 | ---------------------------------------------- Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/examples/rbac/rstudio-launcher-rbac-0.2.17.yaml b/examples/rbac/rstudio-launcher-rbac-0.2.17.yaml deleted file mode 100644 index 3b322f8d..00000000 --- a/examples/rbac/rstudio-launcher-rbac-0.2.17.yaml +++ /dev/null 
@@ -1,88 +0,0 @@ ---- -# Source: rstudio-launcher-rbac/templates/rbac.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: rstudio-launcher-rbac ---- -# Source: rstudio-launcher-rbac/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: rstudio-launcher-rbac -rules: - - apiGroups: - - "" - resources: - - "serviceaccounts" - verbs: - - "list" - - apiGroups: - - "" - resources: - - "pods/log" - verbs: - - "get" - - "watch" - - "list" - - apiGroups: - - "" - resources: - - "pods" - - "pods/attach" - - "pods/exec" - verbs: - - "get" - - "create" - - "update" - - "patch" - - "watch" - - "list" - - "delete" - - apiGroups: - - "" - resources: - - "events" - verbs: - - "watch" - - apiGroups: - - "" - resources: - - "services" - verbs: - - "create" - - "get" - - "watch" - - "list" - - "delete" - - apiGroups: - - "batch" - resources: - - "jobs" - verbs: - - "create" - - "update" - - "patch" - - "get" - - "watch" - - "list" - - "delete" - - apiGroups: - - "metrics.k8s.io" - resources: - - "pods" - verbs: - - "get" ---- -# Source: rstudio-launcher-rbac/templates/rbac.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: rstudio-launcher-rbac -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: rstudio-launcher-rbac -subjects: - - kind: ServiceAccount - name: rstudio-launcher-rbac