Merge pull request #51 from rstudio/cluster-role-create

Cluster role create

charts/rstudio-connect/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: rstudio-library
   repository: file://../rstudio-library
-  version: 0.1.14
-digest: sha256:6a1279da28329efcf0d122fdd66bf063940a9133a9c4ab1fafc8f0345e1787d5
-generated: "2021-08-18T11:56:33.292946-04:00"
+  version: 0.1.15
+digest: sha256:b3c5cbc4bdacc6bb80b907eb50ec360640bdd5ff97efb22a3f91f8dfe4af8bbc
+generated: "2021-09-21T15:43:19.314825873-05:00"

charts/rstudio-connect/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-connect
 description: Official Helm chart for RStudio Connect
-version: 0.2.1
+version: 0.2.2
 apiVersion: v2
 appVersion: 1.9.0.1
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
@@ -14,7 +14,7 @@ maintainers:
     url: https://github.com/sol-eng
 dependencies:
   - name: rstudio-library
-    version: 0.1.14
+    version: 0.1.15
     repository: file://../rstudio-library
 annotations:
   artifacthub.io/images: |

charts/rstudio-connect/NEWS.md

@@ -1,3 +1,11 @@
+# 0.2.2
+
+- Added a new parameter `rbac.clusterRoleCreate` to `values.yaml` to allow for disabling the creation of the 
+  `ClusterRole` that allows for access to the nodes API. This API is used to ensure that all of the IP addresses
+  for nodes are available when reporting the addresses of the node that is running a particular job so that 
+  clients can connect to it. This is generally not a needed permission for the Launcher as the internal IP is 
+  usually sufficient, so it is disabled by default.
+
 # 0.2.1
 
 - Update docs

charts/rstudio-connect/README.md

@@ -1,6 +1,6 @@
 # RStudio Connect
 
-![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![AppVersion: 1.9.0.1](https://img.shields.io/badge/AppVersion-1.9.0.1-informational?style=flat-square)
+![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.9.0.1](https://img.shields.io/badge/AppVersion-1.9.0.1-informational?style=flat-square)
 
 #### _Official Helm chart for RStudio Connect_
 
@@ -23,11 +23,11 @@ As a result, please:
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release` at version 0.2.1:
+To install the chart with the release name `my-release` at version 0.2.2:
 
 ```bash
 helm repo add rstudio https://helm.rstudio.com
-helm install my-release rstudio/rstudio-connect --version=0.2.1
+helm install my-release rstudio/rstudio-connect --version=0.2.2
 ```
 
 ## Required Configuration
@@ -105,6 +105,7 @@ The Helm `config` values are converted into the `rstudio-connect.gcfg` service c
 | prometheusExporter.image.imagePullPolicy | string | `"IfNotPresent"` |  |
 | prometheusExporter.image.repository | string | `"prom/graphite-exporter"` |  |
 | prometheusExporter.image.tag | string | `"v0.9.0"` |  |
+| rbac.clusterRoleCreate | bool | `false` | Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can be disabled as the node's internal address is sufficient to allow proper functionality. |
 | rbac.create | bool | `true` | Whether to create rbac. (also depends on launcher.enabled = true) |
 | rbac.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | The serviceAccount to be associated with rbac (also depends on launcher.enabled = true) |
 | readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":3,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Used to configure the container's readinessProbe |

charts/rstudio-connect/templates/rbac.yaml

@@ -4,8 +4,10 @@
 {{ $serviceAccountName := default .Values.rbac.serviceAccount.name (include "rstudio-connect.fullname" .) }}
 {{ $serviceAccountCreate := .Values.rbac.serviceAccount.create }}
 {{ $serviceAccountAnnotations := .Values.rbac.serviceAccount.annotations }}
+{{ $clusterRoleCreate := .Values.rbac.clusterRoleCreate }}
 {{ $rbacValues1 := dict "namespace" $namespace "serviceAccountName" $serviceAccountName "targetNamespace" $targetNamespace }}
 {{ $rbacValues2 := dict "serviceAccountCreate" $serviceAccountCreate "serviceAccountAnnotations" $serviceAccountAnnotations }}
-{{ $rbacValues := merge $rbacValues1 $rbacValues2 }}
+{{ $rbacValues3 := dict "clusterRoleCreate" $clusterRoleCreate }}
+{{ $rbacValues := merge $rbacValues1 $rbacValues2 $rbacValues3 }}
 {{ include "rstudio-library.rbac" $rbacValues }}
 {{- end }}

charts/rstudio-connect/values.yaml

@@ -27,6 +27,10 @@ sharedStorage:
 rbac:
   # -- Whether to create rbac. (also depends on launcher.enabled = true)
   create: true
+  # -- Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher
+  # to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can
+  # be disabled as the node's internal address is sufficient to allow proper functionality.
+  clusterRoleCreate: false
   # -- The serviceAccount to be associated with rbac (also depends on launcher.enabled = true)
   serviceAccount:
     create: true

charts/rstudio-launcher-rbac/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: rstudio-library
   repository: file://../rstudio-library
-  version: 0.1.14
-digest: sha256:6a1279da28329efcf0d122fdd66bf063940a9133a9c4ab1fafc8f0345e1787d5
-generated: "2021-08-18T11:57:41.714512-04:00"
+  version: 0.1.15
+digest: sha256:b3c5cbc4bdacc6bb80b907eb50ec360640bdd5ff97efb22a3f91f8dfe4af8bbc
+generated: "2021-09-21T15:43:28.698327508-05:00"

charts/rstudio-launcher-rbac/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: rstudio-launcher-rbac
 description: RBAC definition for the RStudio Job Launcher
 type: application
-version: 0.2.4
-appVersion: 0.2.4
+version: 0.2.5
+appVersion: 0.2.5
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
 sources:
   - https://github.com/rstudio/helm
@@ -13,7 +13,7 @@ maintainers:
     url: https://github.com/sol-eng
 dependencies:
   - name: rstudio-library
-    version: 0.1.14
+    version: 0.1.15
     repository: file://../rstudio-library
 keywords:
   - "data science"

charts/rstudio-launcher-rbac/NEWS.md

@@ -1,3 +1,11 @@
+# 0.2.5
+
+- Added a new parameter `clusterRoleCreate` to `values.yaml` to allow for disabling the creation of the         
+  `ClusterRole` that allows for access to the nodes API. This API is used to ensure that all of the IP addresses
+  for nodes are available when reporting the addresses of the node that is running a particular job so that
+  clients can connect to it. This is generally not a needed permission for the Launcher as the internal IP is
+  usually sufficient, so it is disabled by default.
+
 # 0.1.2
 
 - Specify namespace in ClusterRoleBinding always (it is required)

charts/rstudio-launcher-rbac/README.md

@@ -1,6 +1,6 @@
 # rstudio-launcher-rbac
 
-![Version: 0.2.4](https://img.shields.io/badge/Version-0.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.4](https://img.shields.io/badge/AppVersion-0.2.4-informational?style=flat-square)
+![Version: 0.2.5](https://img.shields.io/badge/Version-0.2.5-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.5](https://img.shields.io/badge/AppVersion-0.2.5-informational?style=flat-square)
 
 #### _RBAC definition for the RStudio Job Launcher_
 
@@ -20,11 +20,11 @@ As a result, please:
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release` at version 0.2.4:
+To install the chart with the release name `my-release` at version 0.2.5:
 
 ```bash
 helm repo add rstudio https://helm.rstudio.com
-helm install my-release rstudio/rstudio-launcher-rbac --version=0.2.4
+helm install my-release rstudio/rstudio-launcher-rbac --version=0.2.5
 ```
 
 ## Common Usage
@@ -43,6 +43,7 @@ helm template -n rstudio rstudio-launcher-rbac rstudio/rstudio-launcher-rbac
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| clusterRoleCreate | bool | `false` | Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can be disabled as the node's internal address is sufficient to allow proper functionality. |
 | fullnameOverride | string | `""` | The override for the "FullName" which defaults to "ReleaseName-ChartName" or "ReleaseName" (if "ReleaseName" contains "ChartName") |
 | includeReleaseNamespace | bool | `true` | Whether the helm release namespace should be a possible launcher target |
 | nameOverride | string | `""` | The override for "ChartName" in the "FullName" which defaults to "ReleaseName-ChartName" or "ReleaseName" (if "ReleaseName" contains "ChartName") |

charts/rstudio-launcher-rbac/templates/rbac.yaml

@@ -17,6 +17,7 @@
 {{- $roleName := include "rstudio-launcher-rbac.fullname" . }}
 {{- $serviceAccountCreate := .Values.serviceAccount.create }}
 {{- $serviceAccountAnnotations := .Values.serviceAccount.annotations }}
+{{- $clusterRoleCreate := .Values.clusterRoleCreate }}
 
 {{- $rbacValues := dict
   "namespace"                 ($namespace)
@@ -26,6 +27,7 @@
   "serviceAccountAnnotations" ($serviceAccountAnnotations)
   "removeNamespaceReferences" (.Values.removeNamespaceReferences)
   "roleName"                  ($roleName)
+  "clusterRoleCreate"         ($clusterRoleCreate)
 }}
 {{/*
   For code-sharing, we use a shared library chart called "rstudio-library" to generate

charts/rstudio-launcher-rbac/values.yaml

@@ -12,6 +12,11 @@ nameOverride: ""
 # -- The override for the "FullName" which defaults to "ReleaseName-ChartName" or "ReleaseName" (if "ReleaseName" contains "ChartName")
 fullnameOverride: ""
 
+# -- Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher
+# to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can
+# be disabled as the node's internal address is sufficient to allow proper functionality.
+clusterRoleCreate: false
+
 serviceAccount:
   # Specifies whether a service account should be created
   create: true

charts/rstudio-library/Chart.yaml

@@ -2,8 +2,8 @@ apiVersion: v2
 name: rstudio-library
 description: Helm library helpers for use by Official RStudio charts
 type: library
-version: 0.1.14
-appVersion: 0.1.14
+version: 0.1.15
+appVersion: 0.1.15
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
 home: https://www.rstudio.com
 sources:

charts/rstudio-library/NEWS.md

@@ -1,3 +1,15 @@
+# 0.1.15
+
+- Added a new parameter `clusterRoleCreate` to `rstudio-library.rbac` to allow for disabling the creation of the 
+  `ClusterRole` that allows for access to the nodes API. This API is used to ensure that all of the IP addresses
+  for nodes are available when reporting the addresses of the node that is running a particular job so that 
+  clients can connect to it. This is generally not a needed permission for the Launcher as the internal IP is 
+  usually sufficient, so it is disabled by default. 
+
+# 0.1.12 - 0.1.14
+
+- Various descriptive changes to prepare for official release to the public
+
 # 0.1.11
 
 - Fix whitespace issue in `.ini` for arrays

charts/rstudio-library/README.md

@@ -1,6 +1,6 @@
 # rstudio-library
 
-![Version: 0.1.14](https://img.shields.io/badge/Version-0.1.14-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: 0.1.14](https://img.shields.io/badge/AppVersion-0.1.14-informational?style=flat-square)
+![Version: 0.1.15](https://img.shields.io/badge/Version-0.1.15-informational?style=flat-square) ![Type: library](https://img.shields.io/badge/Type-library-informational?style=flat-square) ![AppVersion: 0.1.15](https://img.shields.io/badge/AppVersion-0.1.15-informational?style=flat-square)
 
 #### _Helm library helpers for use by Official RStudio charts_
 

charts/rstudio-library/templates/_rbac.tpl

@@ -8,6 +8,7 @@
     "removeNamespaceReferences": "whether to remove namespace references"
     "serviceAccountCreate": "whether to create the service account"
     "serviceAccountAnnotations": "annotation object for the serviceAccount"
+    "clusterRoleCreate": "whether or not to create the ClusterRole that allows access to the nodes API"
 */ -}}
 {{- define "rstudio-library.rbac" -}}
 {{- $serviceAccountAnnotations := default (dict) .serviceAccountAnnotations }}
@@ -18,6 +19,8 @@
 {{- $namespace := default "default" .namespace }}
 {{- $targetNamespace := default $namespace .targetNamespace }}
 {{- $allNamespaces := list $targetNamespace }}
+{{- $clusterRoleCreate := default false .clusterRoleCreate }}
+{{- if $clusterRoleCreate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -45,6 +48,7 @@ subjects:
   - kind: ServiceAccount
     name: {{ $serviceAccountName }}
     namespace: {{ $namespace }}
+{{- end }}
 {{- if $serviceAccountCreate }}
 ---
 apiVersion: v1

charts/rstudio-pm/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: rstudio-library
   repository: file://../rstudio-library
-  version: 0.1.14
-digest: sha256:6a1279da28329efcf0d122fdd66bf063940a9133a9c4ab1fafc8f0345e1787d5
-generated: "2021-08-18T11:57:27.773175-04:00"
+  version: 0.1.15
+digest: sha256:b3c5cbc4bdacc6bb80b907eb50ec360640bdd5ff97efb22a3f91f8dfe4af8bbc
+generated: "2021-09-21T15:43:37.239256936-05:00"

charts/rstudio-pm/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-pm
 description: Official Helm chart for RStudio Package Manager
-version: 0.2.1
+version: 0.2.2
 apiVersion: v2
 appVersion: 1.2.2.1-17
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
@@ -14,7 +14,7 @@ maintainers:
     url: https://github.com/rstudio/helm
 dependencies:
   - name: rstudio-library
-    version: 0.1.14
+    version: 0.1.15
     repository: file://../rstudio-library
 annotations:
   artifacthub.io/images: |

charts/rstudio-pm/NEWS.md

@@ -1,3 +1,7 @@
+# 0.2.2
+
+- Update `rstudio-library` dependency
+
 # 0.2.1
 
 - Update docs

charts/rstudio-pm/README.md

@@ -1,6 +1,6 @@
 # RStudio Package Manager
 
-![Version: 0.2.1](https://img.shields.io/badge/Version-0.2.1-informational?style=flat-square) ![AppVersion: 1.2.2.1-17](https://img.shields.io/badge/AppVersion-1.2.2.1--17-informational?style=flat-square)
+![Version: 0.2.2](https://img.shields.io/badge/Version-0.2.2-informational?style=flat-square) ![AppVersion: 1.2.2.1-17](https://img.shields.io/badge/AppVersion-1.2.2.1--17-informational?style=flat-square)
 
 #### _Official Helm chart for RStudio Package Manager_
 
@@ -23,11 +23,11 @@ As a result, please:
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release` at version 0.2.1:
+To install the chart with the release name `my-release` at version 0.2.2:
 
 ```bash
 helm repo add rstudio https://helm.rstudio.com
-helm install my-release rstudio/rstudio-pm --version=0.2.1
+helm install my-release rstudio/rstudio-pm --version=0.2.2
 ```
 
 ## Required Configuration

charts/rstudio-workbench/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: rstudio-library
   repository: file://../rstudio-library
-  version: 0.1.14
-digest: sha256:6a1279da28329efcf0d122fdd66bf063940a9133a9c4ab1fafc8f0345e1787d5
-generated: "2021-08-18T11:56:13.750958-04:00"
+  version: 0.1.15
+digest: sha256:b3c5cbc4bdacc6bb80b907eb50ec360640bdd5ff97efb22a3f91f8dfe4af8bbc
+generated: "2021-09-21T15:43:10.930036774-05:00"

charts/rstudio-workbench/Chart.yaml

@@ -1,6 +1,6 @@
 name: rstudio-workbench
 description: Official Helm chart for RStudio Workbench
-version: 0.4.3
+version: 0.4.4
 apiVersion: v2
 appVersion: 1.4.1717-3
 icon: https://rstudio.com/wp-content/uploads/2018/10/RStudio-Logo-Flat.png
@@ -13,7 +13,7 @@ maintainers:
     url: https://github.com/sol-eng
 dependencies:
   - name: rstudio-library
-    version: 0.1.14
+    version: 0.1.15
     repository: file://../rstudio-library
 annotations:
   artifacthub.io/images: |

charts/rstudio-workbench/NEWS.md

@@ -1,3 +1,11 @@
+# 0.4.4
+
+- Added a new parameter `rbac.clusterRoleCreate` to `values.yaml` to allow for disabling the creation of the 
+  `ClusterRole` that allows for access to the nodes API. This API is used to ensure that all of the IP addresses
+  for nodes are available when reporting the addresses of the node that is running a particular job so that 
+  clients can connect to it. This is generally not a needed permission for the Launcher as the internal IP is 
+  usually sufficient, so it is disabled by default.
+
 # 0.4.3
 
 - BUGFIX: The load-balancer sidecar container was not selecting app labels properly. This is now fixed. It could have been causing issues in load-balanced setups

charts/rstudio-workbench/README.md

@@ -1,6 +1,6 @@
 # RStudio Workbench
 
-![Version: 0.4.3](https://img.shields.io/badge/Version-0.4.3-informational?style=flat-square) ![AppVersion: 1.4.1717-3](https://img.shields.io/badge/AppVersion-1.4.1717--3-informational?style=flat-square)
+![Version: 0.4.4](https://img.shields.io/badge/Version-0.4.4-informational?style=flat-square) ![AppVersion: 1.4.1717-3](https://img.shields.io/badge/AppVersion-1.4.1717--3-informational?style=flat-square)
 
 #### _Official Helm chart for RStudio Workbench_
 
@@ -23,11 +23,11 @@ As a result, please:
 
 ## Installing the Chart
 
-To install the chart with the release name `my-release` at version 0.4.3:
+To install the chart with the release name `my-release` at version 0.4.4:
 
 ```bash
 helm repo add rstudio https://helm.rstudio.com
-helm install my-release rstudio/rstudio-workbench --version=0.4.3
+helm install my-release rstudio/rstudio-workbench --version=0.4.4
 ```
 
 ## Required Configuration
@@ -219,6 +219,7 @@ mounting paradigm, you will need to change the `XDG_CONFIG_DIRS` environment var
 | prometheusExporter.image.repository | string | `"prom/graphite-exporter"` |  |
 | prometheusExporter.image.tag | string | `"v0.9.0"` |  |
 | prometheusExporter.mappingYaml | string | `nil` | Yaml that defines the graphite exporter mapping. null by default, which uses the embedded / default mapping yaml file |
+| rbac.clusterRoleCreate | bool | `false` | Whether to create the ClusterRole that grants access to the Kubernetes nodes API. This is used by the Launcher to get all of the IP addresses associated with the node that is running a particular job. In most cases, this can be disabled as the node's internal address is sufficient to allow proper functionality. |
 | rbac.create | bool | `true` | Whether to create rbac. (also depends on launcher.enabled = true) |
 | rbac.serviceAccount | object | `{"annotations":{},"create":true,"name":""}` | The serviceAccount to be associated with rbac (also depends on launcher.enabled = true) |
 | readinessProbe | object | `{"enabled":true,"failureThreshold":3,"initialDelaySeconds":3,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | readinessProbe is used to configure the container's readinessProbe |

charts/rstudio-workbench/templates/rbac.yaml

@@ -5,9 +5,11 @@
 {{- $serviceAccountCreate := .Values.rbac.create }}
 {{- $roleName := $serviceAccountName }}
 {{- $serviceAccountAnnotations := .Values.serviceAccountAnnotations }}
+{{- $clusterRoleCreate := .Values.rbac.clusterRoleCreate }}
 {{- $rbacValues1 := dict "namespace" $namespace "serviceAccountName" $serviceAccountName "targetNamespace" $targetNamespace }}
 {{- $rbacValues2 := dict "serviceAccountCreate" $.Values.rbac.create "serviceAccountAnnotations" $serviceAccountAnnotations "roleName" ($roleName) }}
-{{- $rbacValues := merge $rbacValues1 $rbacValues2 }}
+{{- $rbacValues3 := dict "clusterRoleCreate" $clusterRoleCreate }}
+{{- $rbacValues := merge $rbacValues1 $rbacValues2 $rbacValues3 }}
 {{- include "rstudio-library.rbac" $rbacValues }}
 {{- if ne $namespace $targetNamespace }}
 {{- /*