iterative / helm-charts Goto Github PK

Currently, enabling read-only mode in the security context for the UI pod causes it to crash.
This is because the UI uses server-side rendering and must write compiled files to the local filesystem. We should mount the directory for the compiled files as a volume to fix this.

In #82 we introduced the local baking store to fix issues with Minio (missing path based routing). Delivering the change we started deploying nginx container, which was mounting the PVC volume blobvault attached to worker pod.

C4Dynamic
    ContainerDb(c1, "blobvault", "PVC")
    Container_Boundary(B, "Worker") {
      Container(c2, "Worker Pod")
    }
    Container_Boundary(c, "Nginx Pod",) {
      Container(c3, "Nginx")
    }
    Rel(c2, c1, "")
    Rel(c1, c3, "")

Please extend the helm chart to provide a way for hosting studio with path based routing. For instance, serve studio and its sub-components on /studio path instead of default /.

CSS break when hosting studio on non-default path, for instance /studio Screenshot attached

We should have a changelog for our Helm charts so that users can read about breaking changes and adjust their values.yml accordingly.

Customer specific features are controlled through environment variables / flags. Need to extend Helm chart providing a way to inject customer specific environment variables through values.yaml / override file.

For instance:

extra_vars:
  - name: CUSTOMER_SPEC_VAR_1
     value: customer-variable-value-1
  - name: CUSTOMER_SPEC_VAR_2
     value: customer-variable-value-2

These can then be added to various studio components as needed.

Please provide a way to securely configure Redis connection using a secret and SSL.

Use case is for using external Redis cache service instead of in-cluster. The service, by policy, has non-SSL port 6379 disabled. The service only accepts connections on port 6380 and is secured by a secret (access key / password).

We should create a Helm repository hosted on GitHub Pages so that users can do everything via the helm command and won't need to clone this Git repository.

• https://github.com/iterative/studio/pull/7690#issuecomment-1725526566
  • https://github.com/iterative/studio/pull/7690#issuecomment-1727672427

We should probably set .Values.ray.enabled to true when running the chart-testing workflow and make sure it works.

Bug

In the env_file.tpl there is a range loop:

- name: API_URL
  value: https://api1/api
  value: https://api2/api

Expected result

The expected value here is a single endpoint.

As most data stored on the blobvault is supposed to be static data, ideal backend for blobvault should be an object/blob store. Add provision in the helm chart to provision an object store based Persistent Volume to be used by the studio backend component.

Studio UI being a node component, needs an extra variable to pass the CA certificate file path. Need to extend the chart to accommodate cert injection and variable configuration.

A possible solution could be:

• Create an optional configmap with CA certs which can be mounted as a volume to the UI component
• If the configmap exists, export NODE_EXTRA_CA_CERTS environment variable to UI component with value set as path/to/certificate-file

Opt-in value to fill in MIXPANEL_PROJECT_TOKEN env var and send it to frontend pod.
We should keep this opt-in - it's both an unexpected behavior, and also will most likely not be wanted or possible for most self-hosted installations (no internet access).

This is not considered secret, but can arguably be in the secret and not configmap 🤷

From #123 (comment)

The lint-test workflow may break unexpectedly when the pull request branch contains new values not present in the main branch. As per #123 (comment), we can wrap every level with parenteses to avoid the error, but values will still be null.

Example

Error: UPGRADE FAILED: template: studio/templates/raycluster-studio.yaml:1:14: executing "studio/templates/raycluster-studio.yaml" at <.Values.ray.enabled>: nil pointer evaluating interface {}.enabled

References

• helm/chart-testing#525
• helm/chart-testing#531
• helm/helm#9653

For convenience, including an autogenerated self-signed TLS certificate would be nice so that HTTPS will work even when the user did not configure it explicitly.

We'd like to include information in all git commit messages about the type of change. To achieve this, we can implement Conventional Commits or use prefixes like bug:, docs:, feat:, etc.

Lastly, we must ensure that all contributor's commit messages conform to this standard via some safeguards like pre-commit or a CI job.

Like we do for SECRET_KEY, we should also autogenerate Minio and Postgres passwords unless provided in values.yaml

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

• Update nginx Docker tag to v1.26.0
• Update rayproject/ray Docker tag to v2.12.0
• Update Helm release postgresql to v15
• Update Helm release redis to v19

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• Update helm/kind-action action to v1.10.0

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

• Update tibdex/github-app-token digest to 3eb77c7
• Update Helm release kuberay-operator to v0.6.1
• Update Helm release redis to v17.17.1
• Update Helm release kuberay-operator to v1

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

The Studio Helm chart does not offer any way to include a custom root CA certificate. We want to support this scenario similarly to the way we do it in the dockerized version of Studio, albeit in a more user-friendly way.

Should be SELF_HOSTED_USER_LIMIT (currently using old on-prem terminology)
Need to add to values + configmap and pass to backend