From af6a0b75b78813c088e534ac5bb33f7fb31375c1 Mon Sep 17 00:00:00 2001 From: Tyler Graff Date: Tue, 12 Mar 2024 15:57:09 -0400 Subject: [PATCH 01/27] upgrade auth0-python version to ultimately resolve CVE-2024-26130 --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index cb90bc52d0..292df9c68a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,7 +55,7 @@ classifiers = [ ] dependencies = [ - "auth0-python==4.4.2", + "auth0-python==4.7.1", "azure-identity==1.12.0", "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", From e15a7ecbefa8cf17f7f301e3bcef03d7273be46e Mon Sep 17 00:00:00 2001 From: Tyler Graff Date: Wed, 13 Mar 2024 09:48:27 -0400 Subject: [PATCH 02/27] due to dependency conflicts cve-2024-26130 can be fixed in Nebari only for python>=3.10 --- pyproject.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 292df9c68a..ee703dd95c 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,7 +55,8 @@ classifiers = [ ] dependencies = [ - "auth0-python==4.7.1", + "auth0-python==4.7.1; python_version >= \"3.10\"", + "auth0-python==4.4.2; python_version < \"3.10\"", "azure-identity==1.12.0", "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", From 2092595104f97ae965016a2ab21f94b7336b0366 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Wed, 13 Mar 2024 10:37:44 -0400 Subject: [PATCH 03/27] update ruamel.yaml --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index ee703dd95c..72bd8476ea 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -72,7 +72,7 @@ dependencies = [ "questionary==2.0.0", "requests-toolbelt==1.0.0", "rich==13.5.1", - "ruamel.yaml==0.17.32", + "ruamel.yaml>=0.18.0", "typer==0.9.0", "packaging==23.2", ] From 142a21726fd5213ee9018a4a52d5f06914d0e634 Mon Sep 17 00:00:00 2001 
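Review bot: Nothing next to the two `auth0-python` lines in PATCH 02 says that the `python_version < "3.10"` pin is a known-unfixed fallback. The commit subject records that CVE-2024-26130 is resolved only for Python >= 3.10, but a later reader of pyproject.toml sees two ordinary pins. A comment above them would carry that, for example `# 4.4.2 is kept for Python < 3.10 because of dependency conflicts; CVE-2024-26130 is not resolved on those interpreters`. PATCH 05 removes the marker again, so the comment matters mainly to anyone checking out or backporting this intermediate commit.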
From: Amit Kumar Date: Fri, 15 Mar 2024 12:47:31 +0000 Subject: [PATCH 04/27] Fix loki gateway url when deployed on non-dev namespace --- .../modules/kubernetes/services/monitoring/main.tf | 8 ++++++++ .../modules/kubernetes/services/monitoring/values.yaml | 6 ------ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf index 413a9e08d2..869f616c71 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/main.tf @@ -181,6 +181,14 @@ resource "helm_release" "prometheus-grafana" { "${var.node-group.key}" = var.node-group.value } + additionalDataSources = [ + { + name = "Loki" + type = "loki" + url = "http://loki-gateway.${var.namespace}" + } + ] + # Avoid using the default password, as that's a security risk adminPassword : random_password.grafana_admin_password.result diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/values.yaml b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/values.yaml index f3cf47c88d..ada868882f 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/values.yaml +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/monitoring/values.yaml @@ -1,7 +1 @@ # https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml - -grafana: - additionalDataSources: - - name: Loki - type: loki - url: http://loki-gateway.dev From d4af7a2e27164663cb90a18b4b166d921a312ca6 Mon Sep 17 00:00:00 2001 
From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:19:03 -0400 Subject: [PATCH 05/27] update ruamel.yaml --- pyproject.toml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 72bd8476ea..7c7e1de35e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -55,8 +55,7 @@ classifiers = [ ] dependencies = [ - "auth0-python==4.7.1; python_version >= \"3.10\"", - "auth0-python==4.4.2; python_version < \"3.10\"", + "auth0-python==4.7.1", "azure-identity==1.12.0", "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", From 15bb87e2394e0cfcd74b878a31b347b31a55d851 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:25:43 -0400 Subject: [PATCH 06/27] update ruamel.yaml --- .github/workflows/test_conda_build.yaml | 2 +- conda_build.py | 59 +++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 1 deletion(-) create mode 100644 conda_build.py diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index e34363d9a3..169a327169 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -33,7 +33,7 @@ jobs: uses: conda-incubator/setup-miniconda@v2 with: auto-update-conda: true - python-version: 3.8 + python-version: 3.10 channels: conda-forge activate-environment: nebari-dev diff --git a/conda_build.py b/conda_build.py new file mode 100644 index 0000000000..2a2e8fa5af --- /dev/null +++ b/conda_build.py 
@@ -0,0 +1,59 @@ +import subprocess +from pathlib import Path + +SRC_DIR = Path(__file__) +PYPROJECT = SRC_DIR / "pyproject.toml" + + +def test_build_by_conda_forge(tmp_path): + """ + This test ensures that nebari can be built and packaged by conda-forge. + This is achieved by walking through the following steps: + 1. Use Python build package to generate the `sdist` .tar.gz file + 2. Use grayskull package to generate the `meta.yaml` recipe file + 3. Use conda build to attempt to build the nebari package from the `meta.yaml` + These steps mimic what takes places on the conda-forge/nebari-feedstock repo whenever + a new version of the package gets released. + NOTE: this test requires conda and conda-build + """ + + assert PYPROJECT.exists() + + try: + # build sdist + subprocess.run( + ["python", "-m", "build", SRC_DIR, "--outdir", tmp_path], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + check=True, + ) + + # get location of sdist file built above + sdist_loc = next(tmp_path.glob("*.tar.gz")) + # run grayskull to create the meta.yaml using the local sdist file + subprocess.run( + [ + "grayskull", + "pypi", + "--strict-conda-forge", + sdist_loc, + "--output", + tmp_path, + ], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + check=True, + ) + + # get the directory the meta.yaml is in + meta_loc = tmp_path / "nebari" + # try to run conda build to build package from meta.yaml + subprocess.run( + ["conda", "build", "--channel=conda-forge", meta_loc], + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + check=True, + ) + except subprocess.CalledProcessError as e: + print(e.stderr.decode("utf-8")) + raise e From 3c42cb56930e8bc5bd1c53989049f9d080a6d138 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:31:20 -0400 Subject: [PATCH 07/27] update ruamel.yaml --- .github/workflows/test_conda_build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
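Review bot: `SRC_DIR = Path(__file__)` is the path of conda_build.py itself, not its directory, so `PYPROJECT = SRC_DIR / "pyproject.toml"` names something beneath a regular file and `assert PYPROJECT.exists()` fails before any build step runs. The same value is handed to `python -m build` as the source directory; `SRC_DIR = Path(__file__).parent` is what both uses need. In the `except` branch only `e.stderr` is printed, although stdout is captured as well, so a failure whose diagnostics went to stdout is re-raised with nothing shown; adding `print(e.stdout.decode("utf-8"))` would cover that. Whether pytest collects a root-level module with this name depends on configuration that is not visible here.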
diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index 169a327169..b0c04a36d0 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -25,12 +25,12 @@ jobs: cancel-in-progress: true steps: - name: "Checkout Infrastructure" - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Setup miniconda - uses: conda-incubator/setup-miniconda@v2 + uses: conda-incubator/setup-miniconda@v3 with: auto-update-conda: true python-version: 3.10 From da35f8be243929183eafc2e8e1604716e2e2564f Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:36:39 -0400 Subject: [PATCH 08/27] update ruamel.yaml --- .github/workflows/test_conda_build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index b0c04a36d0..e1d00f4caa 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -33,7 +33,7 @@ jobs: uses: conda-incubator/setup-miniconda@v3 with: auto-update-conda: true - python-version: 3.10 + python-version: "3.10" channels: conda-forge activate-environment: nebari-dev From 47e4f1529861fca211f68e9a73fa0cd181e0f4e3 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 13:45:35 -0400 Subject: [PATCH 09/27] update python version tests --- .github/workflows/test-provider.yaml | 2 +- .github/workflows/test.yaml | 2 -- .github/workflows/test_helm_charts.yaml | 2 +- .github/workflows/test_local_integration.yaml | 2 +- README.md | 2 +- pyproject.toml | 4 +--- 6 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-provider.yaml b/.github/workflows/test-provider.yaml index 3c0a3fa89c..1f25c3cd8e 100644 --- a/.github/workflows/test-provider.yaml +++ b/.github/workflows/test-provider.yaml 
@@ -67,7 +67,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: 3.8 + python-version: "3.11" - name: Retrieve secret from Vault uses: hashicorp/vault-action@v2.5.0 diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 6a8fa4a446..59c0e5ef2b 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -32,8 +32,6 @@ jobs: strategy: matrix: python-version: - - "3.8" - - "3.9" - "3.10" - "3.11" fail-fast: false diff --git a/.github/workflows/test_helm_charts.yaml b/.github/workflows/test_helm_charts.yaml index daf9abb6da..208ca937c7 100644 --- a/.github/workflows/test_helm_charts.yaml +++ b/.github/workflows/test_helm_charts.yaml @@ -29,7 +29,7 @@ jobs: - name: Set up Python uses: actions/setup-python@v4 with: - python-version: "3.8" + python-version: "3.11" - name: Install additional Python dependencies run: | pip install python-hcl2 diff --git a/.github/workflows/test_local_integration.yaml b/.github/workflows/test_local_integration.yaml index 05dec384b0..5a4c8740e7 100644 --- a/.github/workflows/test_local_integration.yaml +++ b/.github/workflows/test_local_integration.yaml @@ -62,7 +62,7 @@ jobs: CONDA: /home/runnerx/miniconda3 with: auto-update-conda: true - python-version: 3.8 + python-version: "3.11" miniconda-version: "latest" - name: Install Nebari and playwright diff --git a/README.md b/README.md index 1787360b84..c693dfb22f 100644 --- a/README.md +++ b/README.md 
@@ -79,7 +79,7 @@ Amazon [AWS](https://aws.amazon.com/), [GCP](https://cloud.google.com/ "Google C - Operating System: Currently, Nebari supports development on macOS and Linux operating systems. Windows is NOT supported. However, we would welcome contributions that add and improve support for Windows. -- You need Python >= 3.8 on your local machine or virtual environment to work on Nebari. +- You need Python >= 3.10 on your local machine or virtual environment to work on Nebari. - Adopting virtual environments ([`conda`](https://docs.conda.io/en/latest/), [`pipenv`](https://github.com/pypa/pipenv) or [`venv`](https://docs.python.org/3/library/venv.html)) is also encouraged. diff --git a/pyproject.toml b/pyproject.toml index 7c7e1de35e..5a0f7b7480 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -23,7 +23,7 @@ name = "nebari" dynamic = ["version"] description = "A Jupyter and Dask-powered open source data science platform." readme = "README.md" -requires-python = ">=3.8" +requires-python = ">=3.10" license = "BSD-3-Clause" authors = [ { name = "Nebari development team", email = "internal-it@quansight.com" }, @@ -42,8 +42,6 @@ classifiers = [ "Intended Audience :: Developers", "Topic :: Software Development :: Build Tools", "Programming Language :: Python :: 3", - "Programming Language :: Python :: 3.8", - "Programming Language :: Python :: 3.9", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Intended Audience :: Developers", From 544119f98ea7f9fba6a8d5510d181ed53da64f9f Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:06:57 -0400 Subject: [PATCH 10/27] update python version tests --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 5a0f7b7480..636fb84df6 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -53,7 +53,7 @@ classifiers = [ ] dependencies = [ - "auth0-python==4.7.1", + "auth0-python>=4.7.1", "azure-identity==1.12.0", "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", From 64802948dbdc3ee0644b0f85b4c279bfbbd8f92c Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 14:50:26 -0400 Subject: [PATCH 11/27] update dependencies --- conda_build.py | 59 -------------------------------------------------- pyproject.toml | 4 ++-- 2 files changed, 2 insertions(+), 61 deletions(-) delete mode 100644 conda_build.py diff --git a/conda_build.py b/conda_build.py deleted file mode 100644 index 2a2e8fa5af..0000000000 --- a/conda_build.py +++ /dev/null 
@@ -1,59 +0,0 @@ -import subprocess -from pathlib import Path - -SRC_DIR = Path(__file__) -PYPROJECT = SRC_DIR / "pyproject.toml" - - -def test_build_by_conda_forge(tmp_path): - """ - This test ensures that nebari can be built and packaged by conda-forge. - This is achieved by walking through the following steps: - 1. Use Python build package to generate the `sdist` .tar.gz file - 2. Use grayskull package to generate the `meta.yaml` recipe file - 3. Use conda build to attempt to build the nebari package from the `meta.yaml` - These steps mimic what takes places on the conda-forge/nebari-feedstock repo whenever - a new version of the package gets released. - NOTE: this test requires conda and conda-build - """ - - assert PYPROJECT.exists() - - try: - # build sdist - subprocess.run( - ["python", "-m", "build", SRC_DIR, "--outdir", tmp_path], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - check=True, - ) - - # get location of sdist file built above - sdist_loc = next(tmp_path.glob("*.tar.gz")) - # run grayskull to create the meta.yaml using the local sdist file - subprocess.run( - [ - "grayskull", - "pypi", - "--strict-conda-forge", - sdist_loc, - "--output", - tmp_path, - ], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - check=True, - ) - - # get the directory the meta.yaml is in - meta_loc = tmp_path / "nebari" - # try to run conda build to build package from meta.yaml - subprocess.run( - ["conda", "build", "--channel=conda-forge", meta_loc], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, - check=True, - ) - except subprocess.CalledProcessError as e: - print(e.stderr.decode("utf-8")) - raise e diff --git a/pyproject.toml b/pyproject.toml index 636fb84df6..c1f1fa5918 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -58,14 +58,14 @@ dependencies = [ "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", "bcrypt==4.0.1", - "boto3==1.28.40", + "boto3>=1.28.40", "cloudflare==2.11.7", "kubernetes==27.2.0", "pluggy==1.3.0", "prompt-toolkit==3.0.36", "pydantic==1.10.12", "pynacl==1.5.0", - "python-keycloak==3.3.0", + "python-keycloak>=3.3.0", "questionary==2.0.0", "requests-toolbelt==1.0.0", "rich==13.5.1", From d07b7e4bd48b473fa7487be566e6295ed610a02f Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:01:52 -0400 Subject: [PATCH 12/27] add python 3.12 test --- .github/workflows/test.yaml | 1 + pyproject.toml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 52a7d92956..5e527e9aa5 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -34,6 +34,7 @@ jobs: python-version: - "3.10" - "3.11" + - "3.12" fail-fast: false concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}-${{ matrix.python-version }} diff --git a/pyproject.toml b/pyproject.toml index c1f1fa5918..7685ca525d 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -44,6 +44,7 @@ classifiers = [ "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", + "Programming Language :: Python :: 3.12", "Intended Audience :: Developers", "Intended Audience :: Education", "Intended Audience :: Information Technology", From 30cd7eafca7cc049955ff6f911e3be9fd6d78325 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Fri, 15 Mar 2024 15:21:46 -0400 Subject: [PATCH 13/27] pin packages --- pyproject.toml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pyproject.toml b/pyproject.toml index 7685ca525d..3bb407866c 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -54,23 +54,23 @@ classifiers = [ ] dependencies = [ - "auth0-python>=4.7.1", + "auth0-python==4.7.1", "azure-identity==1.12.0", "azure-mgmt-containerservice==26.0.0", "azure-mgmt-resource==23.0.1", "bcrypt==4.0.1", - "boto3>=1.28.40", + "boto3==1.34.63", "cloudflare==2.11.7", "kubernetes==27.2.0", "pluggy==1.3.0", "prompt-toolkit==3.0.36", "pydantic==1.10.12", "pynacl==1.5.0", - "python-keycloak>=3.3.0", + "python-keycloak>=3.9.1", "questionary==2.0.0", "requests-toolbelt==1.0.0", "rich==13.5.1", - "ruamel.yaml>=0.18.0", + "ruamel.yaml==0.18.6", "typer==0.9.0", "packaging==23.2", ] From 0e4c2e5d66a13b049eb1cbae8e7b2449719a1771 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 09:49:56 -0400 Subject: [PATCH 14/27] remove python 3.12 until further tested --- .github/workflows/test_conda_build.yaml | 1 + pyproject.toml | 3 +-- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index e1d00f4caa..f4da36fca8 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -52,3 +52,4 @@ jobs: - name: Build conda package run: | conda build nebari + nebari --version diff --git a/pyproject.toml b/pyproject.toml index 3bb407866c..9614ddd93f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -44,7 +44,6 @@ classifiers = [ "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", - "Programming Language :: Python :: 3.12", "Intended Audience :: Developers", "Intended Audience :: Education", "Intended Audience :: Information Technology", @@ -66,7 +65,7 @@ dependencies = [ "prompt-toolkit==3.0.36", "pydantic==1.10.12", "pynacl==1.5.0", - "python-keycloak>=3.9.1", + "python-keycloak>=3.9.2", "questionary==2.0.0", "requests-toolbelt==1.0.0", "rich==13.5.1", 
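Review bot: `"python-keycloak>=3.9.1"` is the one dependency PATCH 13 leaves as an open-ended range, while the same hunk pins `auth0-python`, `boto3` and `ruamel.yaml` exactly under the subject "pin packages". An unbounded range means an install can pick up any later release without a change to this file, so builds are not reproducible and a new upstream release reaches users unreviewed. If the range is deliberate (for instance because of what the conda channel offers), a comment on that line saying so would help; otherwise pin it like its neighbours, `"python-keycloak==<version>",`. PATCH 14 and PATCH 15 keep the `>=` form and only move the floor, to 3.9.2 and then back down to 3.9.0.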
From 76df3d4f032bce05f4caa7ef87a9b68d2fbd4f0b Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 09:53:01 -0400 Subject: [PATCH 15/27] update python-keycloak version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 9614ddd93f..9c21badb43 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -65,7 +65,7 @@ dependencies = [ "prompt-toolkit==3.0.36", "pydantic==1.10.12", "pynacl==1.5.0", - "python-keycloak>=3.9.2", + "python-keycloak>=3.9.0", "questionary==2.0.0", "requests-toolbelt==1.0.0", "rich==13.5.1", From d4a4ad59a3dde7c2ba8cb19718fa4aff4c65cc58 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 10:05:22 -0400 Subject: [PATCH 16/27] add test for nebari --- .github/workflows/test_conda_build.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index f4da36fca8..04ec6ee61d 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -52,4 +52,7 @@ jobs: - name: Build conda package run: | conda build nebari + - name: Test nebari + run: | + conda install --use-local nebari nebari --version From 3363e90830a71f5fb874e215134b1546a7a1c4a2 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 10:26:08 -0400 Subject: [PATCH 17/27] add test for nebari --- .github/workflows/test_conda_build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index 04ec6ee61d..34caa52dc6 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -54,5 +54,4 @@ jobs: conda build nebari - name: Test nebari run: | - conda install --use-local nebari nebari --version 
From 3024107bd3ad4e0a3cfc0d238b31e4b169d2fc19 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 10:58:15 -0400 Subject: [PATCH 18/27] add test for nebari --- .github/workflows/test_conda_build.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index 34caa52dc6..9a288fd594 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -39,7 +39,7 @@ jobs: - name: Install dependencies run: | - conda install build grayskull conda-build + conda install build grayskull conda-build conda-verify - name: Generate sdist run: | @@ -52,6 +52,4 @@ jobs: - name: Build conda package run: | conda build nebari - - name: Test nebari - run: | nebari --version From 6eeb2e0596fb4bc224faee467ef2acf4ef278056 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 11:13:58 -0400 Subject: [PATCH 19/27] add test for nebari --- .github/workflows/test_conda_build.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index 9a288fd594..7002c766c3 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -52,4 +52,8 @@ jobs: - name: Build conda package run: | conda build nebari - nebari --version + + - name: Test conda package + run: | + conda install --use-local nebari + python -c "import nebari; print(nebari.__version__)" From 3f5537709ab783ff50f1873cdf8434fa2e0e9400 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Tue, 19 Mar 2024 11:36:15 -0400 Subject: [PATCH 20/27] add test for nebari --- .github/workflows/test_conda_build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/test_conda_build.yaml b/.github/workflows/test_conda_build.yaml index 7002c766c3..2a959cdb6b 100644 --- a/.github/workflows/test_conda_build.yaml +++ b/.github/workflows/test_conda_build.yaml @@ -56,4 +56,4 @@ jobs: - name: Test conda package run: | conda install --use-local nebari - python -c "import nebari; print(nebari.__version__)" + nebari --version From d6986307263603d435d747077576d679d9c308d2 Mon Sep 17 00:00:00 2001 From: Adam Lewis <23342526+Adam-D-Lewis@users.noreply.github.com> Date: Tue, 19 Mar 2024 15:33:49 -0500 Subject: [PATCH 21/27] remove depracated code paths (#2349) --- src/_nebari/render.py | 3 +-- src/_nebari/utils.py | 12 ------------ 2 files changed, 1 insertion(+), 14 deletions(-) diff --git a/src/_nebari/render.py b/src/_nebari/render.py index d46a66852f..daf2fa506d 100644 --- a/src/_nebari/render.py +++ b/src/_nebari/render.py @@ -8,7 +8,6 @@ from rich.table import Table from _nebari.deprecate import DEPRECATED_FILE_PATHS -from _nebari.utils import is_relative_to from nebari import hookspecs, schema @@ -89,7 +88,7 @@ def render_template( for path in deleted: abs_path = (output_directory / path).resolve() - if not is_relative_to(abs_path, output_directory): + if not abs_path.is_relative_to(output_directory): raise Exception( f"[ERROR] SHOULD NOT HAPPEN filename was about to be deleted but path={abs_path} is outside of output_directory" ) diff --git a/src/_nebari/utils.py b/src/_nebari/utils.py index 3378116a1d..3488c6f0e8 100644 --- a/src/_nebari/utils.py +++ b/src/_nebari/utils.py 
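Review bot: In the `render_template` hunk of PATCH 21, the containment check that guards deletion now reads `abs_path.is_relative_to(output_directory)`, where `abs_path` has been through `.resolve()` but `output_directory` is used as passed. `Path.is_relative_to` is a purely lexical comparison, so if `output_directory` is relative or reaches its target through a symlink, the guard raises for files that are in fact inside the directory. That fails closed, but the "outside of output_directory" message then misreports the cause. Resolving the base once, `base = output_directory.resolve()` followed by `if not abs_path.is_relative_to(base):`, makes the check compare like with like. Whether callers already pass a resolved path is outside the hunk, as is the start of `render_template`.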
@@ -268,18 +268,6 @@ def random_secure_string( return "".join(secrets.choice(chars) for i in range(length)) -def is_relative_to(self: Path, other: Path, /) -> bool: - """Compatibility function to bring ``Path.is_relative_to`` to Python 3.8""" - if sys.version_info[:2] >= (3, 9): - return self.is_relative_to(other) - - try: - self.relative_to(other) - return True - except ValueError: - return False - - def set_do_environment(): os.environ["AWS_ACCESS_KEY_ID"] = os.environ["SPACES_ACCESS_KEY_ID"] os.environ["AWS_SECRET_ACCESS_KEY"] = os.environ["SPACES_SECRET_ACCESS_KEY"] From c4dc7d0781b4307feab810fd765cc14fc2731f89 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Wed, 20 Mar 2024 20:48:49 -0400 Subject: [PATCH 22/27] Create SECURITY.md --- SECURITY.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..b89ecfe58b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +## Supported Versions + +We support only the latest version, and we use [CalVer](https://calver.org/) for versioning. + +You should feel comfortable upgrading if you're using our documented public APIs and pay attention to `DeprecationWarnings`. Whenever there is a need to break compatibility, it is announced in the [Changelog](./CHANGELOG.md) and will raise a `DeprecationWarning` before it's finally really broken. + +## Reporting a Vulnerability + +If you think you found a vulnerability, please report it at [nebari/security](https://github.com/nebari-dev/nebari/security). From 72ff6f96d869d69020b3b699d943ca8bab25066f Mon Sep 17 00:00:00 2001 
From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:36:10 -0400 Subject: [PATCH 23/27] Update SECURITY.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: MichaƂ Krassowski <5832902+krassowski@users.noreply.github.com> --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b89ecfe58b..0a637b1b67 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,7 @@ We support only the latest version, and we use [CalVer](https://calver.org/) for versioning. -You should feel comfortable upgrading if you're using our documented public APIs and pay attention to `DeprecationWarnings`. Whenever there is a need to break compatibility, it is announced in the [Changelog](./CHANGELOG.md) and will raise a `DeprecationWarning` before it's finally really broken. +You should feel comfortable upgrading if you're using our documented public APIs and pay attention to `DeprecationWarnings`. Whenever there is a need to break compatibility, it is announced in the [Changelog](https://www.nebari.dev/docs/references/RELEASE) and will raise a `DeprecationWarning` before it's finally really broken. ## Reporting a Vulnerability From 811806a2fb3205fe1e575e0fd6128d57a47a92a7 Mon Sep 17 00:00:00 2001 From: Chuck McAndrew <6248903+dcmcand@users.noreply.github.com> Date: Thu, 21 Mar 2024 08:42:40 -0400 Subject: [PATCH 24/27] update security.md --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 0a637b1b67..76f80ef924 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -8,4 +8,4 @@ You should feel comfortable upgrading if you're using our documented public APIs ## Reporting a Vulnerability -If you think you found a vulnerability, please report it at [nebari/security](https://github.com/nebari-dev/nebari/security). +If you think you found a vulnerability, please report it at [nebari/security](https://github.com/nebari-dev/nebari/security/new). Please do not report security vulnerabilities on our public issue tracker. Exposing vulnerabilities publicly without giving maintainers a chance to release a fix puts users at risk. From 3b318a6bf934664343eae956fbcbe8a6cff62a62 Mon Sep 17 00:00:00 2001 From: Adam Lewis <23342526+Adam-D-Lewis@users.noreply.github.com> Date: Thu, 21 Mar 2024 14:35:17 -0500 Subject: [PATCH 25/27] Set node affinity for more pods to ensure they run on general node pool (#2353) Co-authored-by: Scott Blair --- .../template/aws/modules/kubernetes/main.tf | 34 ++++++++++++++++--- .../template/aws/modules/network/main.tf | 1 - .../infrastructure/template/aws/versions.tf | 2 +- .../modules/cluster-autoscaler/main.tf | 18 ++++++++++ .../services/argo-workflows/main.tf | 17 ++++++++++ 5 files changed, 66 insertions(+), 6 deletions(-) diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf index 848d1c0471..43e5538507 100644 --- a/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf +++ b/src/_nebari/stages/infrastructure/template/aws/modules/kubernetes/main.tf @@ -57,7 +57,6 @@ resource "aws_eks_node_group" "main" { ] tags = merge({ - # "kubernetes.io/cluster/${var.name}" = "shared" "k8s.io/cluster-autoscaler/node-template/label/dedicated" = var.node_groups[count.index].name propagate_at_launch = true }, var.tags) 
@@ -69,9 +68,36 @@ data "aws_eks_cluster_auth" "main" { resource "aws_eks_addon" "aws-ebs-csi-driver" { # required for Kubernetes v1.23+ on AWS - addon_name = "aws-ebs-csi-driver" - cluster_name = aws_eks_cluster.main.name - resolve_conflicts = "OVERWRITE" + addon_name = "aws-ebs-csi-driver" + cluster_name = aws_eks_cluster.main.name + resolve_conflicts_on_create = "OVERWRITE" + resolve_conflicts_on_update = "OVERWRITE" + + configuration_values = jsonencode({ + controller = { + nodeSelector = { + "eks.amazonaws.com/nodegroup" = "general" + } + } + }) + + # Ensure cluster and node groups are created + depends_on = [ + aws_eks_cluster.main, + aws_eks_node_group.main, + ] +} + +resource "aws_eks_addon" "coredns" { + addon_name = "coredns" + cluster_name = aws_eks_cluster.main.name + + configuration_values = jsonencode({ + nodeSelector = { + "eks.amazonaws.com/nodegroup" = "general" + } + }) + # Ensure cluster and node groups are created depends_on = [ aws_eks_cluster.main, diff --git a/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf b/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf index b3601a2a91..da42767976 100644 --- a/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf +++ b/src/_nebari/stages/infrastructure/template/aws/modules/network/main.tf @@ -3,7 +3,6 @@ resource "aws_vpc" "main" { enable_dns_support = true enable_dns_hostnames = true - enable_classiclink = false tags = merge({ Name = var.name }, var.tags, var.vpc_tags) } diff --git a/src/_nebari/stages/infrastructure/template/aws/versions.tf b/src/_nebari/stages/infrastructure/template/aws/versions.tf index 54fc973d6a..68c0faf27b 100644 --- a/src/_nebari/stages/infrastructure/template/aws/versions.tf +++ b/src/_nebari/stages/infrastructure/template/aws/versions.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "3.73.0" + version = "5.33.0" } } required_version = ">= 1.0" 
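Review bot: The added `nodeSelector` blocks hard-code `"eks.amazonaws.com/nodegroup" = "general"` in both `aws_eks_addon` resources of this hunk, while node group names elsewhere in this file appear to come from `var.node_groups[count.index].name`. If no node group carries that exact name, the EBS CSI controller and CoreDNS would presumably stay unschedulable, and for CoreDNS that takes cluster DNS down with it. The same literal is used in the `affinity` block of the cluster-autoscaler hunk, whereas the argo-workflows hunk in this commit reads `var.node-group.key` and `var.node-group.value`. I would pass the name in as a variable, or at least state the requirement next to each selector: `# requires a node group named "general" in var.node_groups`. The `coredns` resource also leaves out the `resolve_conflicts_on_create = "OVERWRITE"` line that the EBS CSI add-on sets, which is worth confirming as intended.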
diff --git a/src/_nebari/stages/kubernetes_initialize/template/modules/cluster-autoscaler/main.tf b/src/_nebari/stages/kubernetes_initialize/template/modules/cluster-autoscaler/main.tf index 29f982c86a..c07edd70dd 100644 --- a/src/_nebari/stages/kubernetes_initialize/template/modules/cluster-autoscaler/main.tf +++ b/src/_nebari/stages/kubernetes_initialize/template/modules/cluster-autoscaler/main.tf @@ -19,6 +19,24 @@ resource "helm_release" "autoscaler" { clusterName = var.cluster-name enabled = true } + + affinity = { + nodeAffinity = { + requiredDuringSchedulingIgnoredDuringExecution = { + nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = "eks.amazonaws.com/nodegroup" + operator = "In" + values = ["general"] + } + ] + } + ] + } + } + } }) ], var.overrides) } diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/argo-workflows/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/argo-workflows/main.tf index 29f27da26a..92bcad6eae 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/argo-workflows/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/argo-workflows/main.tf @@ -557,6 +557,23 @@ resource "kubernetes_manifest" "deployment_admission_controller" { } }, ] + affinity = { + nodeAffinity = { + requiredDuringSchedulingIgnoredDuringExecution = { + nodeSelectorTerms = [ + { + matchExpressions = [ + { + key = var.node-group.key + operator = "In" + values = [var.node-group.value] + } + ] + } + ] + } + } + } } } } From 0ff7b7cab2bc53f1dce2bebd8a7df011636eab45 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Krassowski?= <5832902+krassowski@users.noreply.github.com> Date: Fri, 22 Mar 2024 19:56:59 +0000 Subject: [PATCH 26/27] Deduplicate conda-store in JupyterLab main menu (#2347) --- .../files/jupyterlab/overrides.json | 26 ++++++++++++++----- 1 file changed, 19 insertions(+), 7 deletions(-) 
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterlab/overrides.json b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterlab/overrides.json index fd6cafc624..02d6564455 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterlab/overrides.json +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterlab/overrides.json @@ -6,7 +6,8 @@ "apiUrl": "/conda-store/", "authMethod": "cookie", "loginUrl": "/conda-store/login?next=", - "authToken": "" + "authToken": "", + "addMainMenuItem": false }, "@jupyterlab/apputils-extension:notification": { "checkForUpdates": false, @@ -50,13 +51,24 @@ "rank": 1000, "items": [ { - "command": "help:open", - "rank": 1, + "command": "nebari:run-first-enabled", "args": { - "url": "/conda-store", - "text": "Environment Management", - "newBrowserTab": true - } + "commands": [ + { + "id": "condastore:open", + "label": "Environment Management" + }, + { + "id": "help:open", + "args": { + "url": "/conda-store", + "text": "Environment Management", + "newBrowserTab": true + } + } + ] + }, + "rank": 1 }, { "command": "help:open", From 9b9b6bcac6801488bd167362b718df41ae8306c3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Krassowski?= <5832902+krassowski@users.noreply.github.com> Date: Sat, 23 Mar 2024 07:08:08 +0000 Subject: [PATCH 27/27] Pass current namespace to argo via environment variable (#2317) Co-authored-by: Vinicius D. Cerutti <51954708+viniciusdc@users.noreply.github.com> --- .../services/jupyterhub/files/jupyterhub/03-profiles.py | 8 ++++++++ .../modules/kubernetes/services/jupyterhub/main.tf | 5 +++-- 2 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py index 5c66ca72d5..ddbc3b6be2 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/files/jupyterhub/03-profiles.py @@ -455,6 +455,14 @@ def profile_conda_store_viewer_token(): } } }, + "CONDA_STORE_SERVICE_NAMESPACE": { + "valueFrom": { + "secretKeyRef": { + "name": "argo-workflows-conda-store-token", + "key": "conda-store-service-namespace", + } + } + }, } diff --git a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf index af690112f6..f99ef62eed 100644 --- a/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf +++ b/src/_nebari/stages/kubernetes_services/template/modules/kubernetes/services/jupyterhub/main.tf @@ -264,8 +264,9 @@ resource "kubernetes_secret" "argo-workflows-conda-store-token" { } data = { - "conda-store-api-token" = var.conda-store-argo-workflows-jupyter-scheduler-token - "conda-store-service-name" = var.conda-store-service-name + "conda-store-api-token" = var.conda-store-argo-workflows-jupyter-scheduler-token + "conda-store-service-name" = var.conda-store-service-name + "conda-store-service-namespace" = var.namespace } type = "Opaque"
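Review bot: The added `CONDA_STORE_SERVICE_NAMESPACE` entry reads key `conda-store-service-namespace` from the `argo-workflows-conda-store-token` Secret through a `secretKeyRef` without `optional`, so a pod started while the Secret lacks that key fails at container creation instead of running without the variable. The key is added to the Secret in the `main.tf` hunk of this same commit, so this matters only if the two are applied out of order or the Secret is managed separately, and that ordering is not visible here. If consumers can fall back when the value is absent, `"optional": True,` inside the `secretKeyRef` dict avoids the hard failure; otherwise a comment such as `# key supplied by kubernetes_secret.argo-workflows-conda-store-token in main.tf` would make the coupling explicit. The enclosing block starts outside the hunk.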