16369691288

Committed 18 Jul 2025 11:43AM UTC coverage: 87.186% (-0.04%) from 87.229%

Build # 16369691288

Build Type

Pull #929

github

Committed by

web-flow

Commit Message

Merge 03ce98685 into 8be58eb79

Pull Request Pull Request #929: exp: session api proxy

Run Details

8 of 21 new or added lines in 3 files covered. (38.1%)

13 existing lines in 5 files now uncovered.

21486 of 24644 relevant lines covered (87.19%)

1.53 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

86.67

/components/renku_data_services/notebooks/api/amalthea_patches/git_proxy.py

"""Patches for the git proxy container."""

from __future__ import annotations

import json
from dataclasses import asdict
from typing import TYPE_CHECKING, Any

from kubernetes import client

from renku_data_services.base_models.core import AnonymousAPIUser, AuthenticatedAPIUser
from renku_data_services.notebooks.api.amalthea_patches.utils import get_certificates_volume_mounts
from renku_data_services.notebooks.api.classes.repository import GitProvider, Repository
from renku_data_services.notebooks.config import NotebooksConfig

if TYPE_CHECKING:
    # NOTE: If these are directly imported then you get circular imports.
    from renku_data_services.notebooks.api.classes.server import UserServer


async def main_container(
    user: AnonymousAPIUser | AuthenticatedAPIUser,
    config: NotebooksConfig,
    repositories: list[Repository],
    git_providers: list[GitProvider],
) -> client.V1Container | None:
    """The patch that adds the git proxy container to a session statefulset."""
    if not user.is_authenticated or not repositories or user.access_token is None or user.refresh_token is None:
        return None

    etc_cert_volume_mount = get_certificates_volume_mounts(
        config,
        custom_certs=False,
        etc_certs=True,
        read_only_etc_certs=True,
    )

    prefix = "GIT_PROXY_"
    env = [
        client.V1EnvVar(name=f"{prefix}PORT", value=str(config.sessions.git_proxy.port)),
        client.V1EnvVar(name=f"{prefix}HEALTH_PORT", value=str(config.sessions.git_proxy.health_port)),
        client.V1EnvVar(
            name=f"{prefix}ANONYMOUS_SESSION",
            value="false" if user.is_authenticated else "true",
        ),
        client.V1EnvVar(name=f"{prefix}RENKU_ACCESS_TOKEN", value=str(user.access_token)),
        client.V1EnvVar(name=f"{prefix}RENKU_REFRESH_TOKEN", value=str(user.refresh_token)),
        client.V1EnvVar(name=f"{prefix}RENKU_REALM", value=config.keycloak_realm),
        client.V1EnvVar(
            name=f"{prefix}RENKU_CLIENT_ID",
            value=str(config.sessions.git_proxy.renku_client_id),
        ),
        client.V1EnvVar(
            name=f"{prefix}RENKU_CLIENT_SECRET",
            value=str(config.sessions.git_proxy.renku_client_secret),
        ),
        client.V1EnvVar(name=f"{prefix}RENKU_URL", value="https://" + config.sessions.ingress.host),
        client.V1EnvVar(
            name=f"{prefix}REPOSITORIES",
            value=json.dumps([asdict(repo) for repo in repositories]),
        ),
        client.V1EnvVar(
            name=f"{prefix}PROVIDERS",
            value=json.dumps(
                [dict(id=provider.id, access_token_url=provider.access_token_url) for provider in git_providers]
            ),
        ),
    ]
    container = client.V1Container(
        image=config.sessions.git_proxy.image,
        security_context={
            "runAsGroup": 1000,
            "runAsUser": 1000,
            "allowPrivilegeEscalation": False,
            "runAsNonRoot": True,
            "capabilities": {"drop": ["ALL"]},
        },
        name="git-proxy",
        env=env,
        liveness_probe={
            "httpGet": {
                "path": "/health",
                "port": config.sessions.git_proxy.health_port,
            },
            "initialDelaySeconds": 3,
        },
        readiness_probe={
            "httpGet": {
                "path": "/health",
                "port": config.sessions.git_proxy.health_port,
            },
            "initialDelaySeconds": 3,
        },
        volume_mounts=etc_cert_volume_mount,
        resources={
            "requests": {"memory": "16Mi", "cpu": "50m"},
        },
    )
    return container


async def main(server: UserServer) -> list[dict[str, Any]]:
    """The patch that adds the git proxy container to a session statefulset."""
    repositories = await server.repositories()
    if not server.user.is_authenticated or not repositories:
        return []

    git_providers = await server.git_providers()
    container = await main_container(server.user, server.config, repositories, git_providers)
    if not container:
        return []

    patches = []

    patches.append(
        {
            "type": "application/json-patch+json",
            "patch": [
                {
                    "op": "add",
                    "path": "/statefulset/spec/template/spec/containers/-",
                    "value": client.ApiClient().sanitize_for_serialization(container),
                },
            ],
        }
    )
    return patches

1	"""Patches for the git proxy container."""
2
3	from __future__ import annotations	2✔
4
5	import json	2✔
6	from dataclasses import asdict	2✔
7	from typing import TYPE_CHECKING, Any	2✔
8
9	from kubernetes import client	2✔
10
11	from renku_data_services.base_models.core import AnonymousAPIUser, AuthenticatedAPIUser	2✔
12	from renku_data_services.notebooks.api.amalthea_patches.utils import get_certificates_volume_mounts	2✔
13	from renku_data_services.notebooks.api.classes.repository import GitProvider, Repository	2✔
14	from renku_data_services.notebooks.config import NotebooksConfig	2✔
15
16	if TYPE_CHECKING:	2✔
17	# NOTE: If these are directly imported then you get circular imports.
18	from renku_data_services.notebooks.api.classes.server import UserServer	×
19
20
21	async def main_container(	2✔
22	user: AnonymousAPIUser \| AuthenticatedAPIUser,
23	config: NotebooksConfig,
24	repositories: list[Repository],
25	git_providers: list[GitProvider],
26	) -> client.V1Container \| None:
27	"""The patch that adds the git proxy container to a session statefulset."""
28	if not user.is_authenticated or not repositories or user.access_token is None or user.refresh_token is None:	1✔
29	return None	×
30
31	etc_cert_volume_mount = get_certificates_volume_mounts(	1✔
32	config,
33	custom_certs=False,
34	etc_certs=True,
35	read_only_etc_certs=True,
36	)
37
38	prefix = "GIT_PROXY_"	1✔
39	env = [	1✔
40	client.V1EnvVar(name=f"{prefix}PORT", value=str(config.sessions.git_proxy.port)),
41	client.V1EnvVar(name=f"{prefix}HEALTH_PORT", value=str(config.sessions.git_proxy.health_port)),
42	client.V1EnvVar(
43	name=f"{prefix}ANONYMOUS_SESSION",
44	value="false" if user.is_authenticated else "true",
45	),
46	client.V1EnvVar(name=f"{prefix}RENKU_ACCESS_TOKEN", value=str(user.access_token)),
47	client.V1EnvVar(name=f"{prefix}RENKU_REFRESH_TOKEN", value=str(user.refresh_token)),
48	client.V1EnvVar(name=f"{prefix}RENKU_REALM", value=config.keycloak_realm),
49	client.V1EnvVar(
50	name=f"{prefix}RENKU_CLIENT_ID",
51	value=str(config.sessions.git_proxy.renku_client_id),
52	),
53	client.V1EnvVar(
54	name=f"{prefix}RENKU_CLIENT_SECRET",
55	value=str(config.sessions.git_proxy.renku_client_secret),
56	),
57	client.V1EnvVar(name=f"{prefix}RENKU_URL", value="https://" + config.sessions.ingress.host),
58	client.V1EnvVar(
59	name=f"{prefix}REPOSITORIES",
60	value=json.dumps([asdict(repo) for repo in repositories]),
61	),
62	client.V1EnvVar(
63	name=f"{prefix}PROVIDERS",
64	value=json.dumps(
65	[dict(id=provider.id, access_token_url=provider.access_token_url) for provider in git_providers]
66	),
67	),
68	]
69	container = client.V1Container(	1✔
70	image=config.sessions.git_proxy.image,
71	security_context={
72	"runAsGroup": 1000,
73	"runAsUser": 1000,
74	"allowPrivilegeEscalation": False,
75	"runAsNonRoot": True,
76	"capabilities": {"drop": ["ALL"]},
77	},
78	name="git-proxy",
79	env=env,
80	liveness_probe={
81	"httpGet": {
82	"path": "/health",
83	"port": config.sessions.git_proxy.health_port,
84	},
85	"initialDelaySeconds": 3,
86	},
87	readiness_probe={
88	"httpGet": {
89	"path": "/health",
90	"port": config.sessions.git_proxy.health_port,
91	},
92	"initialDelaySeconds": 3,
93	},
94	volume_mounts=etc_cert_volume_mount,
95	resources={
96	"requests": {"memory": "16Mi", "cpu": "50m"},
97	},
98	)
99	return container	1✔
100
101
102	async def main(server: UserServer) -> list[dict[str, Any]]:	2✔
103	"""The patch that adds the git proxy container to a session statefulset."""
104	repositories = await server.repositories()	1✔
105	if not server.user.is_authenticated or not repositories:	1✔
UNCOV 106	return []	×
107
108	git_providers = await server.git_providers()	1✔
109	container = await main_container(server.user, server.config, repositories, git_providers)	1✔
110	if not container:	1✔
UNCOV 111	return []	×
112
113	patches = []	1✔
114
115	patches.append(	1✔
116	{
117	"type": "application/json-patch+json",
118	"patch": [
119	{
120	"op": "add",
121	"path": "/statefulset/spec/template/spec/containers/-",
122	"value": client.ApiClient().sanitize_for_serialization(container),
123	},
124	],
125	}
126	)
127	return patches	1✔

SwissDataScienceCenter / renku-data-services / 16369691288

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous