SwissDataScienceCenter / renku-data-services

87%

main: 86%

LAST BUILD ON BRANCH v0.28.0

branch: v0.28.0

CHANGE BRANCH

x

Reset

• v0.28.0
• 000-add-copied-and-migrated-project-metrics
• 649-fix-copy-project
• add-alert-service
• add-pycharm-pytest-config
• andrea/add-projects-migrated
• andrea/add-user-preferences-for-dismiss-project-migration
• andrea/fix-patch-image-secret
• andrea/fix-total-groups-in-all-group
• andrea/get-all-migrations
• andrea/support-private-images
• archive-envs
• build-project-authz-disentangle
• build/decouple-gitlab
• build/external-resources-2
• build/external-resources-cleanups
• build/external-resources-cluster-entities
• build/external-resources-demo
• build/group-page-search-features
• build/handle-private-images-from-gitlab
• build/private-images
• build/redirects
• build/session-secrets
• build/support-build-arm
• build/support-remote-sessions-hpc
• bump-dependencies
• bump-sanic-ext
• bump-schemathesis
• chore-add-coding-guidelines
• chore-add-linting-rules-20250528
• chore-add-pr-template
• chore-add-samuel-salim-codeowners
• chore-fix-devcontainer-k9s-cli-feature
• chore-improve-makefile
• chore-improve-makefile-2
• chore-narrower-security-context-for-sessions
• chore-reduce-db-conn-pool-size
• chore-remove-unused-code-to-20241210
• chore-run-data-services-with-single-process
• chore-run-server-in-single-process
• chore-run-single-process-secret-service
• chore-run-solr-from-container
• chore-switch-to-azure-dev
• chore-update-actions-to-1.18.1
• chore-update-amalthea-schemas
• chore-update-renku-action-c1.14.0
• chore-update-renku-action-v1.14.0
• chore-update-renku-action-v1.14.2
• chore-update-renku-action-v1.15.0
• chore-update-renku-action-v1.16.0
• chore-use-kind-in-test
• ciyer/autostart-banner
• ciyer/list-all-migrations
• ciyer/redirects
• ciyer/session-env-vars
• ciyer/session-env-vars-fixes
• ciyer/session-start-env-vars
• cloudstorage-in-workdir
• copy-project-documentation
• copying-project-with-built-environments
• data-svc-k8s-watcher
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.14.0
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.15.1
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.16.0
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.17.0
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.18.0
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.18.2
• dependabot/github_actions/SwissDataScienceCenter/renku-actions-1.19.1
• dependabot/github_actions/actions/checkout-5
• dependabot/github_actions/github/codeql-action-4
• dependabot/github_actions/peter-evans/create-or-update-comment-5
• dependabot/github_actions/peter-evans/find-comment-4
• dependabot/pip/poetry-04d8eb7f7e
• dependabot/pip/poetry-834aac31ad
• dependabot/pip/poetry-882466b6bd
• dependencies-background-jobs-k8s-watcher
• dependencies-remove-lazy-init
• document-add-env-vars-528
• eikek/931-entity-removal-search
• eikek/background-process-deployment
• eikek/build/integration-improvements
• eikek/ensure-solr-cores
• eikek/feat/dockerhub-private-images
• eikek/fix-admin-usage
• eikek/fix-project-search-update
• eikek/fix-query-parser
• eikek/fix-search-project-dc
• eikek/fix-solr-devcontainer
• eikek/fix/github-provider
• eikek/fix/private-images
• eikek/improve-logging-setup
• eikek/parallel-publish
• eikek/project-copies-index
• eikek/remove-dc-project-ref
• eikek/reprovision-on-start
• eikek/request-id-logging
• eikek/s3-endpoint-fix
• eikek/search-data-connector
• eikek/search-dc-project-namespace
• eikek/search-global-dcs
• eikek/search-query
• eikek/search-query-manual
• eikek/search-scenarios
• eikek/search-sync
• eikek/solr-models
• eikek/solr-startup
• eikek/testing
• eikek/update-flake
• emtpy-head
• feat-add-endpoint-to-get-v1-project-properties
• feat-add-jupyter-buildpack
• feat-add-missing-dc-namespace-endpoint
• feat-add-project-as-dc-owner-pt2
• feat-add-project-as-dc-owner-pt3
• feat-add-project-as-dc-owner-pt4
• feat-add-project-as-dc-owner-pt5
• feat-add-project-as-dc-owner-pt6
• feat-add-project-as-dc-owner-pt7
• feat-add-project-as-dc-owner-pt8
• feat-add-service-account-name-to-pools
• feat-extend-image-check-endpoint
• feat-run-notebooks-service
• feat/amalthea-session-ingress-classname
• feat/custom-rclone-doi
• feat/k8s-client-merge
• feature/search-migration
• fix-add-hibernation-thresholds-from-resource-pool
• fix-add-memory-limits-to-all-sessions
• fix-add-missing-slug-constraints
• fix-add-server-default-to-migration-banner-field
• fix-add-vendor-field-for-polybox-webdav-provider
• fix-add-vendor-for-polybox-and-switchdrive
• fix-apispec-merge
• fix-as-casing-on-dockerfiles
• fix-authentication-container-certificates
• fix-cache-watching-buildruns
• fix-copy-data-connector-links-when-copying-projects
• fix-creating-image-pull-secret
• fix-creation-timestamp
• fix-delete-anon-sessions-quickly-after-hibernating
• fix-do-not-apply-internal-defaults-for-culling
• fix-do-not-delete-project-when-dc-is-deleted
• fix-do-not-skip-k8s-cache
• fix-duplicate-the-in-docstring
• fix-environment-args-setup
• fix-expired-kc-tokens-in-tasks
• fix-failing-manifest-resources-parsing
• fix-flickering-sessions-on-deletion
• fix-git-clone-mount-path-v1-sessions
• fix-handle-missing-solr-core
• fix-idle-times
• fix-imports-in-test-suites
• fix-improve-k8s-cache-efficiency
• fix-k8s-watcher-bandit
• fix-k8s-watcher-push
• fix-keycloak-algorithms
• fix-loading-kube-configs
• fix-make-secret-service-patch-on-conflict
• fix-metrics-anonymous-indication
• fix-migrate-copied-projects-environments
• fix-move-prometheus-multiproc-dir-to-tmp
• fix-patch-session-resources
• fix-patching-session-resources
• fix-propagate-project-moves-to-dcs
• fix-properly-handle-unknown-buildrun-status
• fix-s3-customization
• fix-send-authenticated-flag-to-posthog
• fix-session-patching
• fix-session-sync
• fix-set-memory-limits-when-patching
• fix-swagger-page-search-reprovisioning
• fix-sync-k8s-caches
• fix-unhandled-cancelled-error
• fix-update-poetry-devcontainer
• fix-upgrade-buildpacks-0.0.6
• fix-upgrade-kr8s
• fix-uppercase-characters-validation-in-namespaces
• fix-uppsercase-characters-in-slug-responses
• fix-use-correct-gid-uid
• fix-using-nb-config-fallback-for-culling
• flaky-schemathesis
• get-clusters-changes
• initial-envs
• k8s-watcher-in-notebooks
• kpack-resources
• leaft/fix-renku-1-secret-filenames
• leafty-build-push-action
• leafty/852-tests
• leafty/854-fix-bad-project-namespace
• leafty/859-fix-dc-no-slug
• leafty/974-gh-enterprise-server
• leafty/975-add-sentry-release
• leafty/982-no-v1-sessions
• leafty/add-disk-size-session-envs
• leafty/add-generic-oidc-integration
• leafty/add-sentry-k8s-watcher
• leafty/add-session-env-vars
• leafty/add-shipwright-source-options
• leafty/add-ttyd-option
• leafty/allow-project-slug-update
• leafty/buildrun-logs
• leafty/buildruns-cache
• leafty/check-image-platforms
• leafty/clean-add-remote-resource-pool
• leafty/configure-arm-builds
• leafty/configure-buildpacks
• leafty/cscs-firecrest-poc
• leafty/define-buildrun-retention
• leafty/dependabot/github_actions/github/codeql-action-4
• leafty/doi-fix-keywords
• leafty/exp-dev-naming
• leafty/feat-1009-allow-dc-skip
• leafty/feat-add-support-rclone-doi
• leafty/feat-dc-add-on-resume
• leafty/feat-dc-in-remote-sessions
• leafty/feat-launch-remote-sessions-clean
• leafty/feat-tune-doi-mounts
• leafty/fix-1005-buildrun
• leafty/fix-1033-intersect-node-affinities
• leafty/fix-1047-identify-users
• leafty/fix-1079-ini-interpolation
• leafty/fix-1082-await-ns
• leafty/fix-1096-copy-secret-slots
• leafty/fix-1104-upsert-secrets-session-resume
• leafty/fix-576
• leafty/fix-580
• leafty/fix-613
• leafty/fix-712-git-repositories
• leafty/fix-917
• leafty/fix-921
• leafty/fix-936
• leafty/fix-941
• leafty/fix-951
• leafty/fix-963-remove-sftp-options
• leafty/fix-bash-run
• leafty/fix-build-from-code
• leafty/fix-clashing-mount-points
• leafty/fix-cloudstorage-in-workdir
• leafty/fix-cpu-req-issue
• leafty/fix-doi-tests
• leafty/fix-doi-tests-2
• leafty/fix-gh-action
• leafty/fix-k8s-watcher
• leafty/fix-pre-commit-hook
• leafty/fix-print
• leafty/fix-project-etag
• leafty/fix-quiet-404
• leafty/fix-session-env-api
• leafty/fix-session-order
• leafty/fix-sftp-host
• leafty/fix-sftp-test-connection
• leafty/fix-user-full-sync
• leafty/logs-pod-initializing
• leafty/refactor-crc
• leafty/refactor-reset
• leafty/remote-pool-add-config-2
• leafty/revert-dev-name
• leafty/session-api-proxy
• leafty/session-builds-api
• leafty/session-secrets-7
• leafty/test-devcontainer
• leafty/update-action
• leafty/update-bp
• leafty/update-crc-k8s-selectors
• leafty/update-rclone-1-69
• leafty/update-rclone-1.69.2
• leafty/update-rclone-1.69.3
• leafty/update-rclone-1.70.0
• leafty/update-rclone-schema-doc
• leafty/upgrade-rclone-1.72.1
• leafty/urgent-codeowners
• lorenzo/fix-acceptance-job
• lorenzo/ingore-vscode-folder
• lorenzo/relax-permissions-getbuild
• lorenzo/single_table_global_connectors
• lorenzo/update-ci
• main
• metrics-build
• nix-setup-update
• non-empty-list-changes
• notebooks-catchup-1
• notebooks-catchup-2
• notebooks-catchup-3-cloud-storage
• notebooks-catchup-4-pr-1984
• notebooks-catchup-7-1923
• olevski/feat-add-option-to-strip-prefix
• olevski/fix-delete-if-secret-already-exists
• olevski/fix-pinned-project-validation
• olevski/fix-set-image-pull-policy
• olevski/fix-will-delete-at-timestamp
• olevski/handle-bad-refresh-token-in-connectors
• olevski/handle-missing-pod-when-getting-logs
• pinned-slug-regex
• pitch/connect-renkulab-and-openbis-datasets
• pitch/copy-projects-message
• pitch/custom-environment-build
• pitch/staging-table
• posthog-metrics
• private-resource-permission
• product-metrics-k8s-cache
• python-3.13
• refactor-bg-jobs-to-data-tasks
• refactor-configs
• refactor-rclone-patches
• remove-ide-file
• remove-notebooks-datasvc-calls
• remove-user-folder
• revert-kr8s-20.7-update
• sambuc-test-azure
• sambuc/test-azure
• search-feature-flag
• search-metrics
• sgaist/935-forbbid-cluster-change
• sgaist/kpack-resources
• shipwright-new-cache
• snapshot-tests
• snyk-scanning
• stop-sending-redis-queue-messages
• test-deploy-branch-wes-2025-06-18
• undo-order-changes-in-apispec
• update-email
• update-kr8s-0-20-7
• v0.0.1
• v0.0.2
• v0.0.3
• v0.1.0
• v0.1.1
• v0.10.0
• v0.11.0
• v0.13.0
• v0.14.0
• v0.14.1
• v0.15.0
• v0.15.1
• v0.16.0
• v0.16.1
• v0.17.0
• v0.18.0
• v0.19.1
• v0.2.0
• v0.2.1
• v0.2.2
• v0.2.3
• v0.20.0
• v0.21.0
• v0.22.0
• v0.23.0
• v0.24.0
• v0.24.1
• v0.24.2
• v0.25.0
• v0.26.0
• v0.27.0
• v0.27.1
• v0.29.0
• v0.3.0
• v0.30.0
• v0.31.0
• v0.31.1
• v0.32.0
• v0.33.0
• v0.34.0
• v0.35.0
• v0.35.1
• v0.35.2
• v0.36.0
• v0.37.0
• v0.37.1
• v0.38.0
• v0.39.0
• v0.4.0
• v0.40.0
• v0.41.0
• v0.42.0
• v0.43.0
• v0.43.1
• v0.43.2
• v0.44.0
• v0.45.0
• v0.46.0
• v0.47.0
• v0.47.1
• v0.48.0
• v0.48.1
• v0.49.0
• v0.5.0
• v0.5.1
• v0.5.2
• v0.50.0
• v0.51.0
• v0.52.0
• v0.53.0
• v0.53.1
• v0.53.2
• v0.54.0
• v0.55.0
• v0.56.0
• v0.57.0
• v0.58.0
• v0.59.0
• v0.6.0
• v0.60.0
• v0.60.1
• v0.60.2
• v0.7.0
• v0.8.0
• v0.8.1
• v0.8.2
• v0.8.3
• v0.9.0
• validate-docker-names

Build # 12373412724

Build Type

push

github

Committed by web-flow

Commit Message

feat!: add support for session secrets (#545)

Closes #509.

Details:
* Add support for session secret slots which describe files with secret contents to be mounted in sessions. Session secret slots exist at the project level and can be managed by users with at the WRITE permission on the project. Session secrets can be used by all users with the READ permission on the project.
* Add support for session secrets which connect a project's session secret slots to user secrets. Session secrets can be used by all users with the READ permission on the project.
* Add support for mounting user secrets in sessions according to the project's session secret slots.
* Add support for multiple names in `key_mapping` when creating a kubernetes secret. This allows the same user secret to be supplied more than once in sessions.
* Re-work user secrets to make them more usable in Renku 2.0.
    - Change the `name` field to be `default_filename`. This field is only meaningful in the context of Renku 1.0.
    - Add a new `name` field (which does not have constraints) to let users name their secrets, e.g. "AWS Secret Key ID for Project XYZ".
    - User secret objects now include back references to Session secret slots and Data connectors -> `session_secret_slot_ids` and `data_connector_ids` fields returned from the API.
    - The `UserSecretsRepo` class has been split into `LowLevelUserSecretsRepo` and `UserSecretsRepo`. `LowLevelUserSecretsRepo` is used internally, e.g. for key rotation  and `UserSecretsRepo` is used for the `UserSecretsBP` blueprint
* Add a new field secrets_mount_directory to projects, which allows user to configure where secrets are mounted in sessions.

---------

Co-authored-by: Tasko Olevski <olevski90@gmail.com>
Co-authored-by: Ralf Grubenmann <ralf.grubenmann@sdsc.ethz.ch>

Run Details

632 of 683 new or added lines in 27 files covered. (92.53%)

15142 of 17482 relevant lines covered (86.61%)

1.53 hits per line