From 30ca4b376196750e2563d7e5c13cd9094e98c588 Mon Sep 17 00:00:00 2001
From: Chandrasekhar Ramakrishnan
Date: Mon, 29 Jan 2024 11:52:43 +0100
Subject: [PATCH 1/2] build: make configuration of privacy policy more flexible See https://github.com/SwissDataScienceCenter/renku-ui/issues/2954
---
docs/how-to-guides/admin/privacycookie.rst | 24 ++++++-----
helm-chart/renku/templates/NOTES.txt | 2 +-
.../templates/ui/ui-client-configmap.yaml | 20 ++++++++-
.../ui/ui-client-deployment-template.yaml | 17 +++++---
helm-chart/renku/values.yaml | 5 ++-
helm-chart/values.yaml.changelog.md | 42 ++++++++++++-------
6 files changed, 73 insertions(+), 37 deletions(-)
diff --git a/docs/how-to-guides/admin/privacycookie.rst b/docs/how-to-guides/admin/privacycookie.rst
index d71e64c72c..6c9c904090 100644
--- a/docs/how-to-guides/admin/privacycookie.rst
+++ b/docs/how-to-guides/admin/privacycookie.rst
@@ -3,22 +3,24 @@ User interface configuration options ------------------------------------ -Privacy page -~~~~~~~~~~~~ +Privacy page and Terms of Use +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -The UI has a privacy page with a completely configurable content, suited for showing -any policy/terms related information, like the `Privacy Policy Statement` or the -`Terms of Use`. +The UI can be configured to show a `Privacy Policy` and `Terms of Use`. These are +displayed under the `Help` section of the UI. -The content is read from a ``ConfigMap``. You need to configure the values in -``ui.privacy.page`` to enable the feature and set the reference ConfigMap name and key. -Both ``ui.privacy.enabled`` and ``ui.privacy.page.enabled`` need to be ``true`` for -enabling the privacy page. +For each of these, the content is read from a ``ConfigMap``. You need to configure +the values in ``ui.client.privacy.page`` to enable the feature and set the reference +ConfigMap name and key. If ``ui.client.privacy.page.enabled`` is ``true``, then the privacy +policy and terms of use will be shown in the UI, with content taken from the ConfigMap +specified by ``ui.client.privacy.page.configMapName`` at the key +``ui.client.privacy.page.configMapPolicyKey`` for the privacy policy and +``ui.client.privacy.page.configMapTermsKey`` for the terms of use. .. note:: If you don't set the ConfigMap name and key, - `a sample `_ + `a sample `_ will be used instead. You can start from it as a template to create your customized ConfigMap. The `Markdown syntax `_ is fully supported for the 
@@ -33,7 +35,7 @@ for anonymous users (i.e. without an account or not currently logged in). To com international laws, it's strongly advised to explicitly require consent to the user for storing these data and using cookies. -To activate this feature, please set ``ui.privacy.enabled: true``. We have already configured a +To activate this feature, please set ``ui.privacy.banner.enabled: true``. We have already configured a default cookie banner to inform the users about the aforementioned requirements and points to point them to the privacy page for further details. diff --git a/helm-chart/renku/templates/NOTES.txt b/helm-chart/renku/templates/NOTES.txt index c1ea9777d7..d0ab572768 100644 --- a/helm-chart/renku/templates/NOTES.txt +++ b/helm-chart/renku/templates/NOTES.txt @@ -9,7 +9,7 @@ can be accessed using the following one-liner (you need to have jq installed). kubectl get secrets -n {{ .Release.Namespace }} {{ template "renku.fullname" . }} -o json | jq -r .data.users | base64 --decode {{- end -}} -{{ if .Values.ui.client.privacy.enabled -}} +{{ if or .Values.ui.client.privacy.banner.enabled .Values.ui.client.privacy.page.enabled -}} You may need to customize privacy values for your RenkuLab deployment (E.G. the Privacy page). Please refer to the following documentation: https://renku.readthedocs.io/en/latest/admin/index.html#additional-configurations {{ end }} diff --git a/helm-chart/renku/templates/ui/ui-client-configmap.yaml b/helm-chart/renku/templates/ui/ui-client-configmap.yaml index d81939eded..75c0e3cfcd 100644 --- a/helm-chart/renku/templates/ui/ui-client-configmap.yaml +++ b/helm-chart/renku/templates/ui/ui-client-configmap.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: ConfigMap metadata: - name: {{ template "ui.fullname" . }}-privacy-sample + name: {{ template "renku.fullname" . }}-privacy-sample labels: app: ui chart: {{ template "renku.chart" . }} 
@@ -17,7 +17,7 @@ data: ## Configure the Privacy Page You should customize the privacy statement by cloning the sample ConfigMap ``*-sample-privacy`` and adjust the content. Any markdown formatted text works. Feel free to change the ConfigMap key and to pick any name, - be sure to properly configure the values ``ui.privacy.page`` before upgrading your RenkuLab deployment. + be sure to properly configure the values ``ui.client.privacy.page`` before upgrading your RenkuLab deployment. If the mapping is enabled but no text is provided (empty content, wrong ``privacy.page`` values, missing ConfigMap, etc.), the links in the navigation bars will be hidden and users manually accessing the privacy page will get a warning. 
@@ -25,3 +25,19 @@ data: ## Apply the changes If you edit the ConfigMap content and you don't upgrade the deployment from helm, keep in mind that the ui pod needs to be manually re-deployed in order to apply the changes to the privacy page. + terms: | + # Terms of Use + The content of this page is only a template. + ## Information + If you are reading this message, the Terms of Use page content has not been updated for this RenkuLab deployment. + The following content is intended to be read by a RenkuLab admin. + ## Configure the Terms of Use + You should customize the terms of use by cloning the sample ConfigMap ``*-sample-privacy`` and adjust the + content. Any markdown formatted text works. Feel free to change the ConfigMap key and to pick any name, + be sure to properly configure the values ``ui.client.privacy.page`` before upgrading your RenkuLab deployment. + If the mapping is enabled but no text is provided (empty content, wrong ``privacy.page`` values, missing + ConfigMap, etc.), the links in the navigation bars will be hidden and users manually accessing the terms page + will get a warning. + ## Apply the changes + If you edit the ConfigMap content and you don't upgrade the deployment from helm, keep in mind that the + ui pod needs to be manually re-deployed in order to apply the changes to the terms page. diff --git a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml index 0d554fc275..ae58ef7a41 100644 --- a/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml +++ b/helm-chart/renku/templates/ui/ui-client-deployment-template.yaml 
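Review bot: The added `terms` text tells admins to clone the sample ConfigMap `*-sample-privacy`, but the object this file creates is named with the suffix `-privacy-sample` (the `metadata.name` line in the first hunk of this file), so the instruction points at a name that does not exist in the cluster. The same wording sits in the unchanged `privacy_statement` text of the previous hunk. I would make the phrase read `cloning the sample ConfigMap *-privacy-sample` in both places. Where the new text says "Feel free to change the ConfigMap key", it should name `ui.client.privacy.page.configMapTermsKey`, since that is the value an admin has to set for a custom key, and spell out `ui.client.privacy.page` instead of the shortened `privacy.page`.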
@@ -25,14 +25,17 @@ spec: app: ui release: {{ .Release.Name }} spec: - {{- if and .Values.ui.client.privacy.enabled .Values.ui.client.privacy.page.enabled }} + {{- if .Values.ui.client.privacy.page.enabled }} volumes: - name: privacy configMap: name: {{ .Values.ui.client.privacy.page.configMapName | default (printf "%s-privacy-sample" (include "renku.fullname" .)) | quote }} items: - - key: {{ .Values.ui.client.privacy.page.configMapKey | default (printf "privacy_statement") | quote }} + - key: {{ .Values.ui.client.privacy.page.configMapPolicyKey | default (printf "privacy_statement") | quote }} path: statement.md + - key: {{ .Values.ui.client.privacy.page.configMapTermsKey | default (printf "terms") | quote }} + path: terms.md + {{- end }} automountServiceAccountToken: {{ .Values.global.debug }} containers: @@ -43,7 +46,7 @@ spec: - name: http containerPort: 8080 protocol: TCP - {{- if and .Values.ui.client.privacy.enabled .Values.ui.client.privacy.page.enabled }} + {{- if .Values.ui.client.privacy.page.enabled }} volumeMounts: - mountPath: /config-privacy name: privacy @@ -75,9 +78,11 @@ spec: {{- end }} - name: ANONYMOUS_SESSIONS value: {{ .Values.global.anonymousSessions.enabled | default (printf "false") | quote }} - - name: PRIVACY_ENABLED - value: {{ .Values.ui.client.privacy.enabled | quote }} - {{- if .Values.ui.client.privacy.enabled }} + - name: PRIVACY_BANNER_ENABLED + value: {{ .Values.ui.client.privacy.banner.enabled | quote }} + - name: TERMS_PAGES_ENABLED + value: {{ .Values.ui.client.privacy.page.enabled | quote }} + {{- if .Values.ui.client.privacy.banner.enabled }} - name: PRIVACY_BANNER_CONTENT value: {{ .Values.ui.client.privacy.banner.content | default (printf "") | b64enc | quote }} - name: PRIVACY_BANNER_LAYOUT diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index bc15ad9450..e7ed993f76 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml 
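Review bot: The `privacy` volume in the first hunk now lists two `items`, and Kubernetes refuses to set up a configMap volume that names a key missing from the ConfigMap unless the volume is marked optional. A deployment that already points `configMapName` at its own ConfigMap will have no `terms` key, and a custom `configMapKey` in its values is no longer read, so the default `privacy_statement` may be missing as well. In both cases the UI pod would stay in ContainerCreating after the upgrade. I would add `optional: true` under `configMap:` (assuming the UI tolerates a missing file, as the sample text suggests) and keep the old name as a fallback: `- key: {{ .Values.ui.client.privacy.page.configMapPolicyKey | default .Values.ui.client.privacy.page.configMapKey | default "privacy_statement" | quote }}`. The pod `spec:` continues outside the hunk.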
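Review bot: In the third hunk, a release whose values still carry the removed `ui.client.privacy.enabled: true` renders `PRIVACY_BANNER_ENABLED` from the new `banner.enabled` default of `false`. The cookie-consent banner is then presumably switched off on upgrade with no error or warning. Because that banner is the consent mechanism the docs describe, I would make the template stop on the stale key, for example `{{- if hasKey .Values.ui.client.privacy "enabled" }}{{ fail "ui.client.privacy.enabled was removed: set ui.client.privacy.banner.enabled and ui.client.privacy.page.enabled" }}{{- end }}`. The changelog and docs in this patch name the key `ui.privacy.banner.enabled`, while this template reads `.Values.ui.client.privacy.banner.enabled`; an admin who copies the documented path sets a value nothing reads. The `env:` list continues outside the hunk.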
@@ -696,12 +696,13 @@ ui: # privacy.page.configMapName value. As a reference, you can use the sample configMap generated when # enabling the feature. privacy: - enabled: false page: enabled: false #configMapName: privacy-page - #configMapKey: privacy_statement + #configMapPolicyKey: privacy_statement + #configMapTermsKey: terms banner: + enabled: false content: | This website requires cookies in order to ensure basic functionality. By clicking or navigating the site, you consent to the use of cookies in accordance with diff --git a/helm-chart/values.yaml.changelog.md b/helm-chart/values.yaml.changelog.md index 1aa578b668..c4b2e1b961 100644 --- a/helm-chart/values.yaml.changelog.md +++ b/helm-chart/values.yaml.changelog.md @@ -5,23 +5,35 @@ For changes that require manual steps other than changing values, please check o Please follow this convention when adding a new row * ` - **:
` +## Upgrading to Renku 0.48.0 + +The handling of privacy policy and terms of service content has been slightly changed to make +it more flexible. + +* DELETE `ui.privacy.enabled` has been removed to make the privacy policy and cookie banner configurable independently. +* NEW `ui.privacy.banner.enabled` allows turning on the cookie banner (defaults to false). +* DELETE `ui.client.privacy.page.configMapKey` which has been renamed to `ui.client.privacy.page.configMapPolicyKey`. +* NEW `ui.client.privacy.page.configMapPolicyKey` the key in the ConfigMap where the content for the privacy policy is located. +* NEW `ui.client.privacy.page.configMapTermsKey` the key in the ConfigMap where the content for the terms of use is located. + + ## Upgrading to Renku 0.47.0 -We completely overhauled how mounting cloud storage in sessions works, relying on a new CSI driver based on RClone -which has to be installed in the cluster for things to work. Either install it as part of Renku using the flag -mentioned below or install the csi-rclone chart manually and set the correct storage class in the values for the +We completely overhauled how mounting cloud storage in sessions works, relying on a new CSI driver based on RClone +which has to be installed in the cluster for things to work. Either install it as part of Renku using the flag +mentioned below or install the csi-rclone chart manually and set the correct storage class in the values for the notebooks service. * NEW `noteboks.cloudstorage.enabled` - set to `true` to enable mounting cloud storage in sessions. * DELETE `notebooks.cloudstorage.s3.enabed` - superseeded by previous property. -* NEW `notebooks.cloudstorage.storageClass` - the storage class for the CSI Rclone chart, needed for new cloudstorage +* NEW `notebooks.cloudstorage.storageClass` - the storage class for the CSI Rclone chart, needed for new cloudstorage to work. The default `csi-rclone` should be fine unless already in use. 
-* NEW `global.csi-rclone.install` - if `true` installs the csi-rclone chart alongside Renku. The chart is needed for +* NEW `global.csi-rclone.install` - if `true` installs the csi-rclone chart alongside Renku. The chart is needed for cloud storage in sessions to work. -* NEW `csi-rclone.storageClassName` - the storage class name the CSI drivers uses, should match what is configured in +* NEW `csi-rclone.storageClassName` - the storage class name the CSI drivers uses, should match what is configured in the `storageClass` property mentioned above. -* NEW `csi-rclone.csiNodePlugin.tolerations` - Tolerations for the node plugin part of the CSI driver. Need to be set - in a way that allows it to be scheduled on user session nodes. By default this would mean `key=renku.io/dedicated`, +* NEW `csi-rclone.csiNodePlugin.tolerations` - Tolerations for the node plugin part of the CSI driver. Need to be set + in a way that allows it to be scheduled on user session nodes. By default this would mean `key=renku.io/dedicated`, `operator=Equal`, `value=user` and `effect=NoSchedule` 
@@ -82,7 +94,7 @@ Amalthea will simply use your default Kubernetes scheduler. * DELETE `amalthea.scheduler.image` - deprecated will be ignored if provided * DELETE `amalthea.scheduler.enable` - deprecated will be ignored if provided * DELETE `amalthea.scheduler.priorities` - deprecated will be ignored if provided -* NEW `amalthea.scheduler.packing` - can be used to enable a preset scheduler that will try to pack sessions on the smallest number of nodes and favor the most used nodes +* NEW `amalthea.scheduler.packing` - can be used to enable a preset scheduler that will try to pack sessions on the smallest number of nodes and favor the most used nodes * NEW `amalthea.scheduler.custom` - can be used to add any custom scheduler for Amalthea, admins just have to provide the scheduler name * EDIT `crc` - the field has been renamed to `dataService`, all child fields and functionality remains the same * NEW `global.gitlab.url` has been added and needs to be specified, this will be the single place where the Gitlab URL will be specified in future releases we will deprecated all the other Gitlab URL fields in the values file. 
@@ -105,14 +117,14 @@ configuration is possible from its `values.yaml` file. * EDIT - `notebooks.amalthea.*` moved to `amalthea.*` * EDIT - `notebooks.dlf-chart.*` moved to `dlf-chart.*` -In addition going forward we will follow a much stricter versioning scheme that will distinguish changes to +In addition going forward we will follow a much stricter versioning scheme that will distinguish changes to the Renku Helm chart as opposed to changes to the application. Notably: - Patch changes (i.e. `0.50.1` -> `0.50.2`) indicate that there are NO changes in the Helm chart and that only appplication level bug fixes are present in the new release. - Minor version changes (i.e. `0.50.2` -> `0.51.0`) indicate that there are NO changes in the Helm chart and that only application level new features and/or application level breaking changes are present. -- Major version changes (i.e. `0.50.0` -> `1.0.0`) will be reserved for changes in the Helm chart, either when the -values file changes or when the Helm templates change. +- Major version changes (i.e. `0.50.0` -> `1.0.0`) will be reserved for changes in the Helm chart, either when the +values file changes or when the Helm templates change. ## Upgrading to Renku 0.37.0 * EDIT - `notebooks.culling.idleThresholdSeconds` in the notebooks' values file was renamed to @@ -261,7 +273,7 @@ redis: sentinel: true existingSecret: redis-secret existingSecretPasswordKey: redis-password - + commonConfiguration: |- appendonly no save "" @@ -269,10 +281,10 @@ redis: replica: replicaCount: 3 resources: - limits: + limits: cpu: 250m memory: 256Mi - requests: + requests: cpu: 250m memory: 256Mi updateStrategy: From a0ca8534b13b5d52add559c582a672b275de15d1 Mon Sep 17 00:00:00 2001 From: Flora Thiebaut Date: Thu, 8 Feb 2024 13:14:52 +0100 Subject: [PATCH 2/2] build: update to latest renku/keycloak-theme --- helm-chart/renku/values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/helm-chart/renku/values.yaml b/helm-chart/renku/values.yaml index e7ed993f76..910d81c5dd 100644 --- a/helm-chart/renku/values.yaml +++ b/helm-chart/renku/values.yaml @@ -295,7 +295,7 @@ keycloakx: enabled: false extraInitContainers: | - name: theme-provider - image: renku/keycloak-theme:4.1.3 + image: renku/keycloak-theme:4.1.5 imagePullPolicy: IfNotPresent command: - sh @@ -858,10 +858,10 @@ dlf-chart: csi-rclone: {} # This section is only relevant if you are installing csi-rclone as part of Renku ## Name of the csi storage class to use for RClone/Cloudstorage. Should be unique per cluster. - # storageClassName: csi-rclone + # storageClassName: csi-rclone # csiNodepluginRclone: # nodeSelector: {} - # Set tolerations if you have taints on your user session nodes. The csi has to run on every node + # Set tolerations if you have taints on your user session nodes. The csi has to run on every node # where it is used. # tolerations: [] # affinity: {}