legacy-onyxia-entrypoint
[Feature Request] Handle region-specific configurations as region parameters
Right now, region-specific configurations (e.g. proxy addresses, certificates, ...) are applied through init scripts run at service startup. These settings should instead be passed as parameters of the region, so that they can be directly injected through the chart of the service.
This change would be especially useful when working with an Onyxia instance not open to the internet, as it is not possible/easy to fetch the region init script, which is precisely what configures the regional proxy/certificate settings (chicken-and-egg problem).
How should it be handled in the region POJO? I mean, which property should we add in https://github.com/InseeFrLab/onyxia-api/blob/be4705924e3d073b38745e31349aeb7e0af0acdb/onyxia-model/src/main/java/fr/insee/onyxia/model/region/Region.java
For example, at the root of the region, should we add:
network: { httpProxy: someValue, httpsProxy: someValue, noProxy: someValue },
certificates: { authorities: [ "linktoAn AUthorities", "otherLink" ] }
Just to keep a trace: images-datascience could be built as root with a var_env that runs a script to delete sudo rights, or images-datascience could be built as non-root with a var_env giving sudo rights.
In this case, to allow certificate injection when non-root, we could think about giving:
onyxia ALL=(ALL:ALL) NOPASSWD: /usr/sbin/update-ca-certificates
As the PR is merged, the next steps are modifying the charts and images-datascience:
https://github.com/InseeFrLab/onyxia-api/blob/master/docs/region-configuration.md#proxyinjection-properties
https://github.com/InseeFrLab/onyxia-api/blob/master/docs/region-configuration.md#packagerepositoryinjection-properties
https://github.com/InseeFrLab/onyxia-api/blob/master/docs/region-configuration.md#certificateauthorityinjection-properties
Charts and Docker images-datascience, it seems.
Before that, we need to update the UI to handle these new parameters: https://github.com/InseeFrLab/onyxia-web/issues/409
This is possible from release 2.2.26 of onyxia-web and release v0.17 of onyxia-api
We could try the injection in the Helm chart catalogs.
Working on adding a path to a CA bundle: https://github.com/InseeFrLab/onyxia-api/pull/194
On my way to add pathToCaBundle and cacrts in the API, and afterwards I will deprecate the old crts field in the API.