Merge branch 'develop' of github.com:MetaCell/cloud-harness into feature/CH-216-dev-containers

Author: filippomc

application-templates/django-fastapi/backend/django_baseapp/settings.py

@@ -20,7 +20,7 @@
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/
 
-# SECURITY WARNING: keep the secret key used in production secret!
+# SECURITY WARNING: keep the secret key used in production secret! TODO change this
 SECRET_KEY = "django-insecure-81kv$0=07xac7r(pgz6ndb5t0at4-z@ae6&f@u6_3jo&9d#4kl"
 
 # SECURITY WARNING: don't run with debug turned on in production!
@@ -164,3 +164,4 @@
 ]
 
 KC_DEFAULT_USER_ROLE = None  # don't add the user role to the realm default role
+SESSION_COOKIE_AGE = 3600

application-templates/django-ninja/backend/django_baseapp/settings.py

@@ -20,7 +20,7 @@
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/3.2/howto/deployment/checklist/
 
-# SECURITY WARNING: keep the secret key used in production secret!
+# SECURITY WARNING: keep the secret key used in production secret! TODO change this
 SECRET_KEY = "django-insecure-81kv$0=07xac7r(pgz6ndb5t0at4-z@ae6&f@u6_3jo&9d#4kl"
 
 # SECURITY WARNING: don't run with debug turned on in production!
@@ -165,3 +165,4 @@
 ]
 
 KC_DEFAULT_USER_ROLE = None  # don't add the user role to the realm default role
+SESSION_COOKIE_AGE = 3600

applications/accounts/Dockerfile

@@ -1,4 +1,4 @@
-FROM quay.io/keycloak/keycloak:26.2.1
+FROM quay.io/keycloak/keycloak:26.3.5
 
 EXPOSE 9000
 EXPOSE 8080
@@ -15,4 +15,4 @@ COPY themes/custom /opt/keycloak/themes/custom
 COPY plugins/metacell-admin-event-listener-module-1.0.0.jar /opt/keycloak/providers/
 
 ENTRYPOINT [ "/opt/keycloak/bin/kc-entrypoint.sh" ]
-CMD [ "start-dev", "--import-realm", "--health-enabled=true", "--metrics-enabled=true" ]
+CMD [ "start", "--import-realm" ]

applications/accounts/deploy/resources/realm.json

@@ -45,6 +45,72 @@
         "duplicateEmailsAllowed": false,
         "resetPasswordAllowed": true,
         "editUsernameAllowed": true,
+        "components": {
+          "org.keycloak.userprofile.UserProfileProvider": [
+            {
+              "id": "002b69df-9702-40dd-b73e-3a66d161bf11",
+              "providerId": "declarative-user-profile",
+              "subComponents": {},
+              "config": {
+                "kc.user.profile.config": [
+                  "{\"attributes\":[{\"name\":\"username\",\"displayName\":\"${username}\",\"validations\":{\"length\":{\"min\":3,\"max\":255},\"username-prohibited-characters\":{},\"up-username-not-idn-homograph\":{}},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"email\",\"displayName\":\"${email}\",\"validations\":{\"email\":{},\"length\":{\"max\":255}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"firstName\",\"displayName\":\"${firstName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false},{\"name\":\"lastName\",\"displayName\":\"${lastName}\",\"validations\":{\"length\":{\"max\":255},\"person-name-prohibited-characters\":{}},\"annotations\":{},\"permissions\":{\"view\":[\"admin\",\"user\"],\"edit\":[\"admin\",\"user\"]},\"multivalued\":false}],\"groups\":[{\"name\":\"user-metadata\",\"displayHeader\":\"User metadata\",\"displayDescription\":\"Attributes, which refer to user metadata\"}]}"
+                ]
+              }
+            }
+          ],
+          "org.keycloak.keys.KeyProvider": [
+            {
+              "id": "e632ce46-36ad-421a-b1a5-776383cc1565",
+              "name": "rsa-generated",
+              "providerId": "rsa-generated",
+              "subComponents": {},
+              "config": {
+                "priority": [
+                  "100"
+                ]
+              }
+            },
+            {
+              "id": "b68bee45-a8f0-46ca-b7d9-0df90189736a",
+              "name": "hmac-generated-hs512",
+              "providerId": "hmac-generated",
+              "subComponents": {},
+              "config": {
+                "priority": [
+                  "100"
+                ],
+                "algorithm": [
+                  "HS512"
+                ]
+              }
+            },
+            {
+              "id": "55960a57-af77-4f4c-8b6e-925c74bb44db",
+              "name": "aes-generated",
+              "providerId": "aes-generated",
+              "subComponents": {},
+              "config": {
+                "priority": [
+                  "100"
+                ]
+              }
+            },
+            {
+              "id": "ce068675-5cae-434e-851f-09f653ccc604",
+              "name": "rsa-enc-generated",
+              "providerId": "rsa-enc-generated",
+              "subComponents": {},
+              "config": {
+                "priority": [
+                  "100"
+                ],
+                "algorithm": [
+                  "RSA-OAEP"
+                ]
+              }
+            }
+          ]
+        },
         "users": [
             {{- $j := 0}}
             {{- range $app := .Values.apps }}

applications/accounts/deploy/values.yaml

@@ -32,6 +32,18 @@ harness:
       value: "user"
     - name: KC_DB_PASSWORD
       value: "password"
+    - name: KC_HTTP_ENABLED
+      value: "true"
+    - name: KC_PROXY
+      value: "edge"
+    - name: KC_HOSTNAME_STRICT
+      value: "false"
+    - name: KC_HOSTNAME_STRICT_HTTPS
+      value: "false"
+    - name: KC_HEALTH_ENABLED
+      value: "true"
+    - name: KC_METRICS_ENABLED
+      value: "true"
     - name: JAVA_OPTS
       value: -server -Xms64m -Xmx896m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true  --add-exports=java.base/sun.nio.ch=ALL-UNNAMED --add-exports=jdk.unsupported/sun.misc=ALL-UNNAMED --add-exports=jdk.unsupported/sun.reflect=ALL-UNNAMED
   database:

applications/accounts/dev/disable-theme-cache.cli

@@ -1,45 +1,43 @@
-version: '3.2'
-
+name: keycloak-dev
 services:
   postgres:
-      image: postgres
-      environment:
-        POSTGRES_DB: keycloak
-        POSTGRES_USER: keycloak
-        POSTGRES_PASSWORD: password
-        PGDATA: /var/lib/postgresql/data/pgdata
-      volumes:
-        - pg_data:/var/lib/postgresql/data/pgdata
-
+    image: postgres
+    environment:
+      POSTGRES_DB: keycloak
+      POSTGRES_USER: keycloak
+      POSTGRES_PASSWORD: password
+      PGDATA: /var/lib/postgresql/data/pgdata
+    volumes:
+      - pg_data:/var/lib/postgresql/data/pgdata
   keycloak:
-      image: quay.io/keycloak/keycloak:16.1.1
-      environment:
-        DB_VENDOR: POSTGRES
-        DB_ADDR: postgres
-        DB_DATABASE: keycloak
-        DB_USER: keycloak
-        DB_SCHEMA: public
-        DB_PASSWORD: password
-        KEYCLOAK_USER: admin
-        KEYCLOAK_PASSWORD: Pa55w0rd
-
-      ports:
-        - 8080:8080
-      depends_on:
-        - postgres
-      volumes:
-        - type: bind
-          source: ../themes/custom
-          target: /opt/jboss/keycloak/themes/custom
-        # disable cache
-        - type: bind
-          source: ./disable-theme-cache.cli
-          target: /opt/jboss/startup-scripts/disable-theme-cache.cli
-        - type: bind
-          source: ../scripts/create_api_user.sh
-          target: /opt/jboss/startup-scripts/create_api_user.sh
-        - type: bind
-          source: ../plugins/metacell-admin-event-listener-bundle-1.0.0.ear
-          target: /opt/jboss/keycloak/standalone/deployments/metacell-admin-event-listener-bundle-1.0.0.ear
+    image: quay.io/keycloak/keycloak:26.3.4
+    command: ["start-dev",
+              "--spi-theme-static-max-age=1",
+              "--spi-theme-cache-themes=false",
+              "--spi-theme-cache-templates=false",
+              "--hostname", "http://localhost:8080",
+              "--hostname-backchannel-dynamic", "true"]
+    environment:
+      KC_DB_VENDOR: POSTGRES
+      KC_DB_URL_HOST: postgres
+      KC_DB: postgres
+      KC_DB_URL_DATABASE: "postgres"
+      KC_DB_USERNAME: keycloak
+      KC_DB_PASSWORD: password
+      KC_BOOTSTRAP_ADMIN_USERNAME: admin
+      KC_BOOTSTRAP_ADMIN_PASSWORD: Pa55w0rd
+      KC_HEALTH_ENABLED: "true"
+      KC_METRICS_ENABLED: "true"
+      KC_HTTP_ENABLED: "true"
+      KC_HOSTNAME_STRICT: "false"
+      KC_HOSTNAME_STRICT_HTTPS: "false"
+    ports:
+      - "8080:8080"
+    depends_on:
+      - postgres
+    volumes:
+      - type: bind
+        source: ../themes/custom
+        target: /opt/keycloak/themes/custom
 volumes:
-  pg_data:
+  pg_data:

applications/accounts/dev/docker-compose.yaml

@@ -5,6 +5,9 @@ harness:
     auto: true
     port: 8080
     name: common
+  proxy:
+    gatekeeper:
+      replicas: 1
   deployment:
     auto: true
     name: common

applications/common/deploy/values.yaml

@@ -248,18 +248,21 @@ def change_pod_manifest(self: KubeSpawner):
 
             logging.info("Setting user quota cpu/mem usage")
 
-            set_key_value(self, key="cpu_guarantee", value=float(user_quotas.get("quota-ws-guaranteecpu", self.cpu_guarantee)))
-            set_key_value(self, key="cpu_limit", value=float(user_quotas.get("quota-ws-maxcpu", self.cpu_limit)))
-            set_key_value(self, key="mem_guarantee", value=user_quotas.get("quota-ws-guaranteemem", self.mem_guarantee), unit="G")
-            set_key_value(self, key="mem_limit", value=user_quotas.get("quota-ws-maxmem", self.mem_limit), unit="G")
-            # check if there is an applicationHook defined in the values.yaml
-            # if so then execute the applicationHook function with "self" as parameter
-            #
-            # e.g.
-            #   jupyterhub:
-            #       applicationHook: "jupyter.change_pod_manifest"
-            #
-            # this will execute jupyter.change_pod_manifest(self=self)
+        set_key_value(self, key="cpu_guarantee", value=float(user_quotas.get("quota-ws-guaranteecpu", self.cpu_guarantee)))
+        set_key_value(self, key="cpu_limit", value=float(user_quotas.get("quota-ws-maxcpu", self.cpu_limit)))
+        set_key_value(self, key="mem_guarantee", value=user_quotas.get("quota-ws-guaranteemem", self.mem_guarantee), unit="G")
+        set_key_value(self, key="mem_limit", value=user_quotas.get("quota-ws-maxmem", self.mem_limit), unit="G")
+
+        # check if there is an applicationHook defined in the values.yaml
+        # if so then execute the applicationHook function with "self" as parameter
+        #
+        # e.g.
+        #   jupyterhub:
+        #       applicationHook: "jupyter.change_pod_manifest"
+        #
+        # this will execute jupyter.change_pod_manifest(self=self)
+
+        if 'jupyterhub' in harness and harness['jupyterhub']:
             if 'applicationHook' in harness['jupyterhub']:
                 func_name = harness['jupyterhub']['applicationHook'].split('.')
                 logging.info(f"Executing application hook {func_name}")

applications/jupyterhub/src/harness_jupyter/harness_jupyter/jupyterhub.py

@@ -17,6 +17,9 @@ harness:
       usenfs: false
     auto: true
     port: 8080
+  proxy:
+    gatekeeper:
+      replicas: 1
   uri_role_mapping:
     - uri: /
       white-listed: true