From 013ce31b4bb8eb49bbff2674f889d0ac28b6cc82 Mon Sep 17 00:00:00 2001 From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Fri, 26 Jan 2024 12:50:15 -0500 Subject: [PATCH 01/39] This was still set to 5 for some reason (#2445) --- kube/services/argo/values.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/kube/services/argo/values.yaml b/kube/services/argo/values.yaml index 67fa05a09..473f7041e 100644 --- a/kube/services/argo/values.yaml +++ b/kube/services/argo/values.yaml @@ -1,5 +1,5 @@ controller: - parallelism: 5 + parallelism: 3 metricsConfig: # -- Enables prometheus metrics server enabled: true @@ -28,11 +28,11 @@ controller: } ] } - } + } resourceRateLimit: limit: 40 - burst: 4 + burst: 4 # -- enable persistence using postgres persistence: @@ -49,7 +49,7 @@ controller: port: 5432 database: GEN3_ARGO_DB_NAME tableName: argo_workflows - # # the database secrets must be in the same namespace of the controller + # # the database secrets must be in the same namespace of the controller userNameSecret: name: argo-db-creds key: db_username @@ -58,7 +58,7 @@ controller: key: db_password nodeStatusOffLoad: true - workflowDefaults: + workflowDefaults: spec: archiveLogs: true @@ -77,11 +77,11 @@ server: baseHref: "/argo/" # -- Extra arguments to provide to the Argo server binary, such as for disabling authentication. extraArgs: - - --auth-mode=server - - --auth-mode=client + - --auth-mode=server + - --auth-mode=client extraEnv: - - name: ARGO_HTTP1 - value: "true" + - name: ARGO_HTTP1 + value: "true" resources: requests: memory: 8Gi From 368eeb0f3046ae90f4c7ee01658fe30752daf9c9 Mon Sep 17 00:00:00 2001 From: emalinowski Date: Wed, 31 Jan 2024 10:31:27 -0600 Subject: [PATCH 02/39] chore(karpenter-upgrade): Updraded karpenter to a supported version when running eks 1.25+ (#2450) Co-authored-by: Edward Malinowski --- gen3/bin/kube-setup-karpenter.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/gen3/bin/kube-setup-karpenter.sh b/gen3/bin/kube-setup-karpenter.sh index 8ba8ed9d9..4dba4eb40 100644 --- a/gen3/bin/kube-setup-karpenter.sh +++ b/gen3/bin/kube-setup-karpenter.sh @@ -24,7 +24,9 @@ gen3_deploy_karpenter() { karpenter=$(g3k_config_lookup .global.karpenter_version) fi export clusterversion=`kubectl version --short -o json | jq -r .serverVersion.minor` - if [ "${clusterversion}" = "24+" ]; then + if [ "${clusterversion}" = "25+" ]; then + karpenter=${karpenter:-v0.27.0} + elif [ "${clusterversion}" = "24+" ]; then karpenter=${karpenter:-v0.24.0} else karpenter=${karpenter:-v0.22.0} From 12baa786e1771e0d4f5533844fee978fd80a51a8 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Wed, 31 Jan 2024 12:32:54 -0700 Subject: [PATCH 03/39] adding "migrate to vpc cni" script to cloud-auto (#2446) * adding "migrate to vpc cni" script to cloud-auto * updating the migrate to vpc script * changing to master branch * removing uneeded comments * Updated karpenter templates * adding changes --------- Co-authored-by: Edward Malinowski Co-authored-by: emalinowski --- gen3/bin/migrate-to-vpc-cni.sh | 138 ++++++++++++++++++ .../karpenter/nodeTemplateDefault.yaml | 8 +- kube/services/karpenter/nodeTemplateGPU.yaml | 7 +- .../karpenter/nodeTemplateJupyter.yaml | 7 +- .../karpenter/nodeTemplateWorkflow.yaml | 7 +- 5 files changed, 163 insertions(+), 4 deletions(-) create mode 100644 gen3/bin/migrate-to-vpc-cni.sh diff --git a/gen3/bin/migrate-to-vpc-cni.sh b/gen3/bin/migrate-to-vpc-cni.sh new file mode 100644 index 000000000..510d9ebef --- /dev/null +++ b/gen3/bin/migrate-to-vpc-cni.sh 
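Review bot: The new branch matches the server minor version by exact string, `[ "${clusterversion}" = "25+" ]`, so a 1.26 or later cluster falls through to the `else` and gets the oldest default, v0.22.0, although the commit title targets "eks 1.25+". A numeric comparison keeps newer clusters on the newest default: `minor=${clusterversion%+}` followed by `if [ "${minor}" -ge 25 ]; then`. `gen3_deploy_karpenter` starts and ends outside the hunk.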
@@ -0,0 +1,138 @@ +#!/bin/bash + +source "${GEN3_HOME}/gen3/lib/utils.sh" +gen3_load "gen3/gen3setup" + +#Get the K8s NS +ctx="$(g3kubectl config current-context)" +ctxNamespace="$(g3kubectl config view -ojson | jq -r ".contexts | map(select(.name==\"$ctx\")) | .[0] | .context.namespace")" + +# Set the cluster name variable +CLUSTER_NAME=`gen3 api environment` + +# Check if in default ns +if [[ ("$ctxNamespace" != "default" && "$ctxNamespace" != "null") ]]; then + gen3_log_err "Namespace must be default" + exit 1 +fi + +# Cd into Cloud-automation repo and pull the latest from master +gen3_log_info "Pulling the latest from Cloud-Auto" +cd /home/$CLUSTER_NAME/cloud-automation || { gen3_log_err "Cloud-automation repo not found"; exit 1; } +#### Change to master +git checkout master || { gen3_log_err "Failed to checkout master branch"; exit 1; } +git pull || { gen3_log_err "Failed to pull from the repository"; exit 1; } + +# Update the Karpenter Node Template +gen3_log_info "Apply new Karpenter Node Template" +if [[ -d $(g3k_manifest_init)/$(g3k_hostname)/manifests/karpenter ]]; then + gen3_log_info "Karpenter setup in manifest. Open a cdismanifest PR and add this line to aws node templates: https://github.com/uc-cdis/cloud-automation/blob/master/kube/services/karpenter/nodeTemplateDefault.yaml#L40" + while true; do + read -p "Have you updated your manifest? (yes/no): " yn + case $yn in + [Yy]* ) + gen3_log_info "Proceeding with Karpenter deployment..." + gen3 kube-setup-karpenter deploy --force || { gen3_log_err "kube-setup-karpenter failed"; exit 1; } + break + ;; + [Nn]* ) + gen3_log_info "Please update the cdismanifest before proceeding." + exit 1 + ;; + * ) + gen3_log_info "Please answer yes or no." 
+ ;; + esac + done +else + gen3 kube-setup-karpenter deploy --force || { gen3_log_err "kube-setup-karpenter failed"; exit 1; } +fi + +# Cordon all the nodes before running gen3 roll all" +gen3_log_info "Cordoning all nodes" +kubectl get nodes --no-headers -o custom-columns=":metadata.name" | grep -v '^fargate' | xargs -I{} kubectl cordon {} + +# Run a "gen3 roll all" so all nodes use the new mounted BPF File System +gen3_log_info "Cycling all the nodes by running gen3 roll all" +gen3 roll all --fast || exit 1 + +# Confirm that all nodes have been rotated +while true; do + read -p "Roll all complete. Have all cordoned nodes been rotated? (yes/no): " yn + case $yn in + [Yy]* ) + gen3_log_info "Continuing with script..." + break + ;; + [Nn]* ) + gen3_log_info "Please drain any remaining nodes with 'kubectl drain --ignore-daemonsets --delete-emptydir-data'" + ;; + * ) + gen3_log_info "Please answer yes or no." + ;; + esac +done + + +# Delete all existing network policies +gen3_log_info "Deleting networkpolicies" +kubectl delete networkpolicies --all + +# Delete all Calico related resources from the “kube-system” namespace +gen3_log_info "Deleting all Calico related resources" +kubectl get deployments -n kube-system | grep calico | awk '{print $1}' | xargs kubectl delete deployment -n kube-system +kubectl get daemonsets -n kube-system | grep calico | awk '{print $1}' | xargs kubectl delete daemonset -n kube-system +kubectl get services -n kube-system | grep calico | awk '{print $1}' | xargs kubectl delete service -n kube-system +kubectl get replicasets -n kube-system | grep calico | awk '{print $1}' | xargs kubectl delete replicaset -n kube-system + +# Backup the current VPC CNI configuration in case of rollback +gen3_log_info "Backing up current VPC CNI Configuration..." 
+kubectl get daemonset aws-node -n kube-system -o yaml > aws-k8s-cni-old.yaml || { gen3_log_err "Error backig up VPC CNI configuration"; exit 1; } + +# Check to ensure we are not using an AWS plugin to manage the VPC CNI Plugin +if aws eks describe-addon --cluster-name "$CLUSTER_NAME" --addon-name vpc-cni --query addon.addonVersion --output text 2>/dev/null; then + gen3_log_err "Error: VPC CNI Plugin is managed by AWS. Please log into the AWS UI and delete the VPC CNI Plugin in Amazon EKS, then re-run this script." + exit 1 +else + gen3_log_info "No managed VPC CNI Plugin found, proceeding with the script." +fi + +# Apply the new VPC CNI Version +gen3_log_info "Applying new version of VPC CNI" +g3kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.14.1/config/master/aws-k8s-cni.yaml || { gen3_log_err "Failed to apply new VPC CNI version"; exit 1; } + +# Check the version to make sure it updated +NEW_VERSION=$(kubectl describe daemonset aws-node --namespace kube-system | grep amazon-k8s-cni: | cut -d : -f 3) +gen3_log_info "Current version of aws-k8s-cni is: $NEW_VERSION" +if [ "$NEW_VERSION" != "v1.14.1" ]; then + gen3_log_info "The version of aws-k8s-cni has not been updated correctly." 
+ exit 1 +fi + +# Edit the amazon-vpc-cni configmap to enable network policy controller +gen3_log_info "Enabling NetworkPolicies in VPC CNI Configmap" +kubectl patch configmap -n kube-system amazon-vpc-cni --type merge -p '{"data":{"enable-network-policy-controller":"true"}}' || { gen3_log_err "Configmap patch failed"; exit 1; } + +# Edit the aws-node daemonset +gen3_log_info "Enabling NetworkPolicies in aws-node Daemonset" +kubectl patch daemonset aws-node -n kube-system --type=json -p='[{"op": "add", "path": "/spec/template/spec/containers/1/args", "value": ["--enable-network-policy=true", "--enable-ipv6=false", "--enable-cloudwatch-logs=false", "--metrics-bind-addr=:8162", "--health-probe-bind-addr=:8163"]}]' || { gen3_log_err "Daemonset edit failed"; exit 1; } + +# Ensure all the aws-nodes are running +kubectl get pods -n kube-system | grep aws +while true; do + read -p "Do all the aws-node pods in the kube-system ns have 2/2 containers running? (yes/no): " yn + case $yn in + [Yy]* ) + gen3_log_info "Running kube-setup-networkpolicy..." + gen3 kube-setup-networkpolicy || exit 1 + break + ;; + [Nn]* ) + gen3_log_err "Look at aws-node logs to figure out what went wrong. View this document for more details: https://docs.google.com/document/d/1fcBTciQSSwjvHktEnO_7EObY-xR_EvJ2NtgUa70wvL8" + gen3_log_info "Rollback instructions are also available in the above document" + ;; + * ) + gen3_log_info "Please answer yes or no." + ;; + esac +done \ No newline at end of file diff --git a/kube/services/karpenter/nodeTemplateDefault.yaml b/kube/services/karpenter/nodeTemplateDefault.yaml index 107c5e6cc..114de5aba 100644 --- a/kube/services/karpenter/nodeTemplateDefault.yaml +++ b/kube/services/karpenter/nodeTemplateDefault.yaml 
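Review bot: `kubectl delete networkpolicies --all` and the four Calico deletions run before the replacement enforcement is applied and checked, and the only backup taken is the aws-node daemonset, so until the final `gen3 kube-setup-networkpolicy` succeeds the namespace has no network policies and a failed run has nothing to restore them from. Export them before deleting, for example `kubectl get networkpolicies -o yaml > networkpolicies-backup.yaml || exit 1`. The `grep calico | awk '{print $1}' | xargs kubectl delete ...` pipelines should use `xargs -r` so that an empty match does not call delete with no resource name. The manifest applied from raw.githubusercontent.com is pinned only to a tag; vendoring it in the repository or checking a digest before `g3kubectl apply` would make the applied content reviewable.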
@@ -37,11 +37,17 @@ spec: sudo dracut -f # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - sudo mount -t bpf bpffs /sys/fs/bpf --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" + mounts: + - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] + + --BOUNDARY + + Content-Type: text/cloud-config; charset="us-ascii" + power_state: delay: now mode: reboot diff --git a/kube/services/karpenter/nodeTemplateGPU.yaml b/kube/services/karpenter/nodeTemplateGPU.yaml index c4fd535d7..cd3eb7386 100644 --- a/kube/services/karpenter/nodeTemplateGPU.yaml +++ b/kube/services/karpenter/nodeTemplateGPU.yaml @@ -37,7 +37,12 @@ spec: sudo dracut -f # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - sudo mount -t bpf bpffs /sys/fs/bpf + + --BOUNDARY + Content-Type: text/cloud-config; charset="us-ascii" + + mounts: + - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" diff --git a/kube/services/karpenter/nodeTemplateJupyter.yaml b/kube/services/karpenter/nodeTemplateJupyter.yaml index bca4436d1..af2da8436 100644 --- a/kube/services/karpenter/nodeTemplateJupyter.yaml +++ b/kube/services/karpenter/nodeTemplateJupyter.yaml @@ -37,7 +37,12 @@ spec: sudo dracut -f # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - sudo mount -t bpf bpffs /sys/fs/bpf + + --BOUNDARY + Content-Type: text/cloud-config; charset="us-ascii" + + mounts: + - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" diff --git a/kube/services/karpenter/nodeTemplateWorkflow.yaml b/kube/services/karpenter/nodeTemplateWorkflow.yaml index 22c95aba1..8609d0746 100644 --- a/kube/services/karpenter/nodeTemplateWorkflow.yaml +++ b/kube/services/karpenter/nodeTemplateWorkflow.yaml 
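Review bot: The added `mounts:` entry, `- ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime']`, is not in the form cloud-init's mounts module reads, which is a plain list of fstab fields in positional order. The keyed form will probably be ignored, leaving /sys/fs/bpf unmounted now that `sudo mount -t bpf bpffs /sys/fs/bpf` is removed. I would keep the explicit mount command until the cloud-config form has been verified on a node. In nodeTemplateDefault.yaml the new part also has a blank line between `--BOUNDARY` and `Content-Type: text/cloud-config; charset="us-ascii"`, which ends the MIME part headers early, so the `power_state` section may no longer be treated as cloud-config; that blank line should be dropped. The same `mounts:` entry is added in nodeTemplateGPU.yaml, nodeTemplateJupyter.yaml and nodeTemplateWorkflow.yaml.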
@@ -37,7 +37,12 @@ spec: sudo dracut -f # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - sudo mount -t bpf bpffs /sys/fs/bpf + + --BOUNDARY + Content-Type: text/cloud-config; charset="us-ascii" + + mounts: + - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" From c6358c90bf58ca2b38eeb290ef721f0ed40ae2dc Mon Sep 17 00:00:00 2001 From: Hara Prasad Date: Thu, 1 Feb 2024 12:59:21 -0800 Subject: [PATCH 04/39] Update jenkins version (#2455) --- Docker/jenkins/Jenkins/Dockerfile | 2 +- Docker/jenkins/Jenkins2/Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Docker/jenkins/Jenkins/Dockerfile b/Docker/jenkins/Jenkins/Dockerfile index 7cce68b58..04ebe5864 100644 --- a/Docker/jenkins/Jenkins/Dockerfile +++ b/Docker/jenkins/Jenkins/Dockerfile @@ -1,4 +1,4 @@ -FROM jenkins/jenkins:2.439-jdk21 +FROM jenkins/jenkins:2.426.3-lts-jdk21 USER root diff --git a/Docker/jenkins/Jenkins2/Dockerfile b/Docker/jenkins/Jenkins2/Dockerfile index 9976a07c2..e6b73bc76 100644 --- a/Docker/jenkins/Jenkins2/Dockerfile +++ b/Docker/jenkins/Jenkins2/Dockerfile @@ -1,4 +1,4 @@ -FROM jenkins/jenkins:2.415-jdk11 +FROM jenkins/jenkins:2.426.3-lts-jdk21 USER root From 916d1ca7f7a47103eee518574c16a8aa2b2c1f7c Mon Sep 17 00:00:00 2001 From: Mingfei Shao <2475897+mfshao@users.noreply.github.com> Date: Fri, 2 Feb 2024 12:35:42 -0600 Subject: [PATCH 05/39] update script (#2454) Co-authored-by: Michael Lukowski --- files/scripts/healdata/heal-cedar-data-ingest.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/files/scripts/healdata/heal-cedar-data-ingest.py b/files/scripts/healdata/heal-cedar-data-ingest.py index 4a7d88c3c..71575e3c5 100644 --- a/files/scripts/healdata/heal-cedar-data-ingest.py +++ b/files/scripts/healdata/heal-cedar-data-ingest.py 
@@ -24,11 +24,14 @@ "Questionnaire/Survey/Assessment - unvalidated instrument": "Questionnaire/Survey/Assessment", "Cis Male": "Male", "Cis Female": "Female", - "Trans Male": "Female-to-male transsexual", - "Trans Female": "Male-to-female transsexual", - "Agender, Non-binary, gender non-conforming": "Other", - "Gender Queer": "Other", - "Intersex": "Intersexed", + "Trans Male": "Transgender man/trans man/female-to-male (FTM)", + "Female-to-male transsexual": "Transgender man/trans man/female-to-male (FTM)", + "Trans Female": "Transgender woman/trans woman/male-to-female (MTF)", + "Male-to-female transsexual": "Transgender woman/trans woman/male-to-female (MTF)", + "Agender, Non-binary, gender non-conforming": "Genderqueer/gender nonconforming/neither exclusively male nor female", + "Gender Queer": "Genderqueer/gender nonconforming/neither exclusively male nor female", + "Intersex": "Genderqueer/gender nonconforming/neither exclusively male nor female", + "Intersexed": "Genderqueer/gender nonconforming/neither exclusively male nor female", "Buisness Development": "Business Development" } From f6ded7a98e76135657ef8b2e2c0e0455e571414d Mon Sep 17 00:00:00 2001 From: emalinowski Date: Mon, 5 Feb 2024 13:46:57 -0600 Subject: [PATCH 06/39] Chore/squid al23 (#2456) * chore(squid-al23): Updated squid bootstrap script to work with al23 * chore(squid-al23): Updated squid bootstrap script to work with al23 * chore(squid-al23): Updated squid bootstrap script to work with al23 * chore(squid-al23): Updated squid bootstrap script to work with al23 --------- Co-authored-by: Edward Malinowski --- flavors/squid_auto/squid_running_on_docker.sh | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 05607f304..7504cc35e 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh 
@@ -8,6 +8,9 @@ DISTRO=$(awk -F '[="]*' '/^NAME/ { print $2 }' < /etc/os-release) WORK_USER="ubuntu" if [[ $DISTRO == "Amazon Linux" ]]; then WORK_USER="ec2-user" + if [[ $(awk -F '[="]*' '/^VERSION_ID/ { print $2 }' < /etc/os-release) == "2023" ]]; then + DISTRO="al2023" + fi fi HOME_FOLDER="/home/${WORK_USER}" SUB_FOLDER="${HOME_FOLDER}/cloud-automation" @@ -201,8 +204,10 @@ function install_awslogs { if [[ $DISTRO == "Ubuntu" ]]; then wget ${AWSLOGS_DOWNLOAD_URL} -O amazon-cloudwatch-agent.deb dpkg -i -E ./amazon-cloudwatch-agent.deb - else + elif [[ $DISTRO == "Amazon Linux" ]]; then sudo yum install amazon-cloudwatch-agent nc -y + elif [[ $DISTRO == "al2023" ]]; then + sudo dnf install amazon-cloudwatch-agent nc -y fi # Configure the AWS logs @@ -292,6 +297,19 @@ function main(){ --volume ${SQUID_CACHE_DIR}:${SQUID_CACHE_DIR} \ --volume ${SQUID_CONFIG_DIR}:${SQUID_CONFIG_DIR}:ro \ quay.io/cdis/squid:${SQUID_IMAGE_TAG} + + max_attempts=3 + attempt_counter=0 + while [ $attempt_counter -lt $max_attempts ]; do + sleep 10 + if [[ -z "$(sudo lsof -i:3128)" ]]; then + echo "Squid not healthy, restarting." + docker restart squid + else + echo "Squid healthy" + break + fi + done } main From f24a0dacc4053058d5bb949d5e21c938e68b82eb Mon Sep 17 00:00:00 2001 From: emalinowski Date: Tue, 6 Feb 2024 10:45:03 -0600 Subject: [PATCH 07/39] chore(squid-al23): Updated squid bootstrap script to work with al23 (#2457) Co-authored-by: Edward Malinowski --- flavors/squid_auto/squid_running_on_docker.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 7504cc35e..2b0f07e45 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh 
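Review bot: The health-check loop added at the end of `main` never increments `attempt_counter`, so `max_attempts` is not a bound: while nothing listens on port 3128 the script runs `docker restart squid` every 10 seconds indefinitely and the bootstrap never returns. The later hunks in this series that raise `max_attempts` to 10, remove the `break`, and comment the increment back out leave the same unbounded loop. If a permanent watchdog is intended, write it as `while true; do` with a comment saying so; otherwise add `attempt_counter=$((attempt_counter + 1))` at the top of the loop body and log when the limit is reached. `main` starts outside the hunk.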
@@ -298,7 +298,7 @@ function main(){ --volume ${SQUID_CONFIG_DIR}:${SQUID_CONFIG_DIR}:ro \ quay.io/cdis/squid:${SQUID_IMAGE_TAG} - max_attempts=3 + max_attempts=10 attempt_counter=0 while [ $attempt_counter -lt $max_attempts ]; do sleep 10 @@ -307,7 +307,6 @@ function main(){ docker restart squid else echo "Squid healthy" - break fi done } From 57120c9e9fea0b79c411f3d88844fca8987fb11f Mon Sep 17 00:00:00 2001 From: emalinowski Date: Tue, 6 Feb 2024 12:26:06 -0600 Subject: [PATCH 08/39] chore(tigera-helm): Updated squid to support calico chart repo (#2458) Co-authored-by: Edward Malinowski --- files/squid_whitelist/web_wildcard_whitelist | 1 + 1 file changed, 1 insertion(+) diff --git a/files/squid_whitelist/web_wildcard_whitelist b/files/squid_whitelist/web_wildcard_whitelist index 44f468097..3dca3946a 100644 --- a/files/squid_whitelist/web_wildcard_whitelist +++ b/files/squid_whitelist/web_wildcard_whitelist @@ -100,6 +100,7 @@ .sourceforge.net .southsideweekly.com .theanvil.io +.tigera.io .twistlock.com .ubuntu.com .ucsc.edu From 8c00a2306cba07ff3894aa4688ac14cbdfc6724e Mon Sep 17 00:00:00 2001 From: "J. Q" <55899496+jawadqur@users.noreply.github.com> Date: Tue, 6 Feb 2024 15:53:14 -0600 Subject: [PATCH 09/39] Update web_whitelist --- files/squid_whitelist/web_whitelist | 1 + 1 file changed, 1 insertion(+) diff --git a/files/squid_whitelist/web_whitelist b/files/squid_whitelist/web_whitelist index 83070d335..625c20b29 100644 --- a/files/squid_whitelist/web_whitelist +++ b/files/squid_whitelist/web_whitelist @@ -34,6 +34,7 @@ cernvm.cern.ch charts.bitnami.com charts.helm.sh cloud.r-project.org +coredns.github.io coreos.com covidstoplight.org cpan.mirrors.tds.net From 36ea4d58f7f16cb5a05a844dd6db545036994f4d Mon Sep 17 00:00:00 2001 
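Review bot: The `.tigera.io` entry added to files/squid_whitelist/web_wildcard_whitelist allows every subdomain of that domain through the egress proxy, while the commit title names only the calico chart repo as the need. If a single host serves the charts, adding that exact host to web_whitelist instead (as the next patch does for `coredns.github.io`) keeps the allow-list as narrow as the use case.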
From: emalinowski Date: Wed, 7 Feb 2024 10:09:09 -0600 Subject: [PATCH 10/39] fix(alb-policy): policy fix (#2459) Co-authored-by: Edward Malinowski --- gen3/bin/kube-setup-ingress.sh | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/gen3/bin/kube-setup-ingress.sh b/gen3/bin/kube-setup-ingress.sh index d0bcff9a4..b75470f73 100644 --- a/gen3/bin/kube-setup-ingress.sh +++ b/gen3/bin/kube-setup-ingress.sh @@ -232,6 +232,28 @@ gen3_ingress_setup_role() { } } }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ], + "Condition": { + "StringEquals": { + "elasticloadbalancing:CreateAction": [ + "CreateTargetGroup", + "CreateLoadBalancer" + ] + }, + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, { "Effect": "Allow", "Action": [ @@ -329,4 +351,4 @@ g3kubectl apply -f "${GEN3_HOME}/kube/services/revproxy/revproxy-service.yaml" envsubst <$scriptDir/ingress.yaml | g3kubectl apply -f - if [ "$deployWaf" = true ]; then gen3_ingress_setup_waf -fi \ No newline at end of file +fi From 301744b69a069cfddccd8a67fc77aa5362955dd0 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:51:02 -0700 Subject: [PATCH 11/39] removing "--short" flag as it is now deprecated (#2462) --- gen3/bin/kube-setup-karpenter.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gen3/bin/kube-setup-karpenter.sh b/gen3/bin/kube-setup-karpenter.sh index 4dba4eb40..c8762c2e5 100644 --- a/gen3/bin/kube-setup-karpenter.sh +++ b/gen3/bin/kube-setup-karpenter.sh 
@@ -23,7 +23,7 @@ gen3_deploy_karpenter() { if g3k_config_lookup .global.karpenter_version; then karpenter=$(g3k_config_lookup .global.karpenter_version) fi - export clusterversion=`kubectl version --short -o json | jq -r .serverVersion.minor` + export clusterversion=`kubectl version -o json | jq -r .serverVersion.minor` if [ "${clusterversion}" = "25+" ]; then karpenter=${karpenter:-v0.27.0} elif [ "${clusterversion}" = "24+" ]; then From d01c0fa1fd8b612ab7b03c1d9a408e5e8bf36656 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Wed, 7 Feb 2024 10:53:02 -0700 Subject: [PATCH 12/39] reverting the BPF (#2461) --- kube/services/karpenter/nodeTemplateDefault.yaml | 8 ++++---- kube/services/karpenter/nodeTemplateGPU.yaml | 8 ++++---- kube/services/karpenter/nodeTemplateJupyter.yaml | 8 ++++---- kube/services/karpenter/nodeTemplateWorkflow.yaml | 8 ++++---- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/kube/services/karpenter/nodeTemplateDefault.yaml b/kube/services/karpenter/nodeTemplateDefault.yaml index 114de5aba..6ba8b3a0f 100644 --- a/kube/services/karpenter/nodeTemplateDefault.yaml +++ b/kube/services/karpenter/nodeTemplateDefault.yaml @@ -38,11 +38,11 @@ spec: # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - --BOUNDARY - Content-Type: text/cloud-config; charset="us-ascii" + # --BOUNDARY + # Content-Type: text/cloud-config; charset="us-ascii" - mounts: - - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] + # mounts: + # - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY diff --git a/kube/services/karpenter/nodeTemplateGPU.yaml b/kube/services/karpenter/nodeTemplateGPU.yaml index cd3eb7386..925e7a9a0 100644 --- a/kube/services/karpenter/nodeTemplateGPU.yaml +++ b/kube/services/karpenter/nodeTemplateGPU.yaml 
@@ -38,11 +38,11 @@ spec: # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - --BOUNDARY - Content-Type: text/cloud-config; charset="us-ascii" + # --BOUNDARY + # Content-Type: text/cloud-config; charset="us-ascii" - mounts: - - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] + # mounts: + # - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" diff --git a/kube/services/karpenter/nodeTemplateJupyter.yaml b/kube/services/karpenter/nodeTemplateJupyter.yaml index af2da8436..1c8970ad6 100644 --- a/kube/services/karpenter/nodeTemplateJupyter.yaml +++ b/kube/services/karpenter/nodeTemplateJupyter.yaml @@ -38,11 +38,11 @@ spec: # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - --BOUNDARY - Content-Type: text/cloud-config; charset="us-ascii" + # --BOUNDARY + # Content-Type: text/cloud-config; charset="us-ascii" - mounts: - - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] + # mounts: + # - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" diff --git a/kube/services/karpenter/nodeTemplateWorkflow.yaml b/kube/services/karpenter/nodeTemplateWorkflow.yaml index 8609d0746..6e47b22f9 100644 --- a/kube/services/karpenter/nodeTemplateWorkflow.yaml +++ b/kube/services/karpenter/nodeTemplateWorkflow.yaml @@ -38,11 +38,11 @@ spec: # configure grub sudo /sbin/grubby --update-kernel=ALL --args="fips=1" - --BOUNDARY - Content-Type: text/cloud-config; charset="us-ascii" + # --BOUNDARY + # Content-Type: text/cloud-config; charset="us-ascii" - mounts: - - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] + # mounts: + # - ['fstype': 'bpf', 'mountpoint': '/sys/fs/bpf', 'opts': 'rw,relatime'] --BOUNDARY Content-Type: text/cloud-config; charset="us-ascii" From 21000363e7c3d562de45dfa7d07ffd24260a300d Mon Sep 17 00:00:00 2001 
From: emalinowski Date: Wed, 7 Feb 2024 12:54:00 -0600 Subject: [PATCH 13/39] chore(remove-coredns-autoscaler): Removed dns autoscaler deployment (#2460) Co-authored-by: Edward Malinowski --- gen3/bin/kube-roll-all.sh | 2 +- gen3/bin/kube-setup-system-services.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/gen3/bin/kube-roll-all.sh b/gen3/bin/kube-roll-all.sh index c9cec5a25..6a67f2bdd 100644 --- a/gen3/bin/kube-roll-all.sh +++ b/gen3/bin/kube-roll-all.sh @@ -274,7 +274,7 @@ if [[ "$GEN3_ROLL_FAST" != "true" ]]; then else gen3 kube-setup-autoscaler & fi - gen3 kube-setup-kube-dns-autoscaler & + #gen3 kube-setup-kube-dns-autoscaler & gen3 kube-setup-metrics deploy || true gen3 kube-setup-tiller || true # diff --git a/gen3/bin/kube-setup-system-services.sh b/gen3/bin/kube-setup-system-services.sh index 0afa7d586..c26a04cb5 100644 --- a/gen3/bin/kube-setup-system-services.sh +++ b/gen3/bin/kube-setup-system-services.sh @@ -39,7 +39,7 @@ calico_yaml="https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v${calico} g3kubectl set image daemonset.apps/kube-proxy -n kube-system kube-proxy=${kube_proxy_image} g3kubectl set image --namespace kube-system deployment.apps/coredns coredns=${coredns_image} -g3k_kv_filter "${GEN3_HOME}/kube/services/kube-dns-autoscaler/dns-horizontal-autoscaler.yaml" SERVICE "coredns" IMAGE "$kubednsautoscaler_image" | g3kubectl apply -f - +#g3k_kv_filter "${GEN3_HOME}/kube/services/kube-dns-autoscaler/dns-horizontal-autoscaler.yaml" SERVICE "coredns" IMAGE "$kubednsautoscaler_image" | g3kubectl apply -f - g3kubectl apply -f ${cni_image} g3kubectl apply -f ${calico_yaml} From 5f7aed08fa60ce1364c8016ff95ad9df6d34bfa1 Mon Sep 17 00:00:00 2001 From: emalinowski Date: Wed, 7 Feb 2024 12:55:03 -0600 Subject: [PATCH 14/39] fix(squid-cron): Added crontab to al23 squid (#2463) Co-authored-by: Edward Malinowski --- flavors/squid_auto/squid_running_on_docker.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 2b0f07e45..557809b69 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh @@ -63,6 +63,8 @@ fi function install_basics(){ if [[ $DISTRO == "Ubuntu" ]]; then apt -y install atop + elif [[ $DISTRO == "al2023" ]]; then + sudo dnf install cronie nc -y fi } @@ -207,7 +209,7 @@ function install_awslogs { elif [[ $DISTRO == "Amazon Linux" ]]; then sudo yum install amazon-cloudwatch-agent nc -y elif [[ $DISTRO == "al2023" ]]; then - sudo dnf install amazon-cloudwatch-agent nc -y + sudo dnf install amazon-cloudwatch-agent -y fi # Configure the AWS logs From 0ebd73040e0c3eba67de10b85061a60c969890c9 Mon Sep 17 00:00:00 2001 From: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Date: Fri, 9 Feb 2024 09:39:38 -0700 Subject: [PATCH 15/39] Update ingress.yaml to use newer fips based tls policy (#2447) --- kube/services/ingress/ingress.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/services/ingress/ingress.yaml b/kube/services/ingress/ingress.yaml index 65916679a..3f1f31259 100644 --- a/kube/services/ingress/ingress.yaml +++ b/kube/services/ingress/ingress.yaml @@ -11,7 +11,7 @@ metadata: alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]' alb.ingress.kubernetes.io/load-balancer-attributes: idle_timeout.timeout_seconds=600 alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}' - alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06 + alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-Res-FIPS-2023-04 spec: ingressClassName: alb rules: From 1bf159a57d59dac52544c65fc01f057f53e0b0a7 Mon Sep 17 00:00:00 2001 
From: emalinowski Date: Fri, 9 Feb 2024 14:38:55 -0600 Subject: [PATCH 16/39] fix syntax (#2464) Co-authored-by: Edward Malinowski --- flavors/squid_auto/squid_running_on_docker.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 557809b69..94fe22122 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh @@ -303,6 +303,7 @@ function main(){ max_attempts=10 attempt_counter=0 while [ $attempt_counter -lt $max_attempts ]; do + ((attempt_counter++)) sleep 10 if [[ -z "$(sudo lsof -i:3128)" ]]; then echo "Squid not healthy, restarting." From 0f98195cf8b794b044c063b19281a39aca43b3ee Mon Sep 17 00:00:00 2001 From: emalinowski Date: Fri, 9 Feb 2024 15:32:21 -0600 Subject: [PATCH 17/39] prevent reboot (#2465) Co-authored-by: Edward Malinowski --- flavors/squid_auto/squid_running_on_docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 94fe22122..2d7cf8e68 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh @@ -303,7 +303,7 @@ function main(){ max_attempts=10 attempt_counter=0 while [ $attempt_counter -lt $max_attempts ]; do - ((attempt_counter++)) + #((attempt_counter++)) sleep 10 if [[ -z "$(sudo lsof -i:3128)" ]]; then echo "Squid not healthy, restarting." From 8e02b097b822927ae1c2768fa93b828e2150d732 Mon Sep 17 00:00:00 2001 
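Review bot: `((attempt_counter++))` evaluates to 0 on the first pass, so the command itself returns status 1; if this script runs under `set -e` (not visible in the hunk) the bootstrap would stop at that line. `attempt_counter=$((attempt_counter + 1))` increments without that exit status. The following hunk comments the line out instead, which leaves `max_attempts` and the `-lt` test as dead code around a loop that never ends; if that is the intent, `while true; do` with a one-line comment states it directly.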
From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Mon, 12 Feb 2024 16:07:45 -0500 Subject: [PATCH 18/39] Feat/argo va testing revproxy modifications (#2466) * It can't be that easy * It wasn't that easy. What we're going to do is use the manifest to tell us what namespace to look in, and then look there * Dumb typo * Yet another dumb typo * Moving to a different setup, where specify the argo server URL in the manifest. This is more flexible * I'm blaming the last commit on Monday brain * It's a .conf file, not a yaml file * Need to update in both places --- gen3/bin/kube-setup-revproxy.sh | 17 ++++++++--------- ...o-workflows-server.conf => argo-server.conf} | 2 +- 2 files changed, 9 insertions(+), 10 deletions(-) rename kube/services/revproxy/gen3.nginx.conf/{argo-argo-workflows-server.conf => argo-server.conf} (86%) diff --git a/gen3/bin/kube-setup-revproxy.sh b/gen3/bin/kube-setup-revproxy.sh index fcc2ef3b7..5db9850a1 100644 --- a/gen3/bin/kube-setup-revproxy.sh +++ b/gen3/bin/kube-setup-revproxy.sh @@ -111,15 +111,14 @@ for name in $(g3kubectl get services -o json | jq -r '.items[] | .metadata.name' fi done -if g3kubectl get namespace argo > /dev/null 2>&1; -then - for argo in $(g3kubectl get services -n argo -o jsonpath='{.items[*].metadata.name}'); - do - filePath="$scriptDir/gen3.nginx.conf/${argo}.conf" - if [[ -f "$filePath" ]]; then - confFileList+=("--from-file" "$filePath") - fi - done + +if g3k_manifest_lookup .argo.argo_server_service_url 2> /dev/null; then + argo_server_service_url=$(g3k_manifest_lookup .argo.argo_server_service_url) + g3k_kv_filter "${scriptDir}/gen3.nginx.conf/argo-server.conf" SERVICE_URL "${argo_server_service_url}" > /tmp/argo-server-with-url.conf + filePath="/tmp/argo-server-with-url.conf" + if [[ -f "$filePath" ]]; then + confFileList+=("--from-file" "$filePath") + fi fi if g3kubectl get namespace argocd > /dev/null 2>&1; 
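Review bot: The rendered config is written to the fixed path `/tmp/argo-server-with-url.conf`, which on a shared admin host can be pre-created or symlinked by another local user and is never cleaned up. A private directory avoids that while keeping a fixed file name: `argoConfDir=$(mktemp -d)` and `filePath="${argoConfDir}/argo-server.conf"`, with the redirect writing to `"$filePath"`. The value of `.argo.argo_server_service_url` is substituted into `set $upstream SERVICE_URL;` as-is, so checking that it is an `http://` or `https://` URL without whitespace or `;` before rendering would stop a malformed manifest value from altering the nginx config. The `if g3k_manifest_lookup ... 2> /dev/null` test still prints the URL to stdout; `> /dev/null 2>&1` would match the argocd check below it.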
diff --git a/kube/services/revproxy/gen3.nginx.conf/argo-argo-workflows-server.conf b/kube/services/revproxy/gen3.nginx.conf/argo-server.conf similarity index 86% rename from kube/services/revproxy/gen3.nginx.conf/argo-argo-workflows-server.conf rename to kube/services/revproxy/gen3.nginx.conf/argo-server.conf index cb8def3aa..1cdd4608c 100644 --- a/kube/services/revproxy/gen3.nginx.conf/argo-argo-workflows-server.conf +++ b/kube/services/revproxy/gen3.nginx.conf/argo-server.conf @@ -7,7 +7,7 @@ auth_request /gen3-authz; set $proxy_service "argo"; - set $upstream http://argo-argo-workflows-server.argo.svc.cluster.local:2746; + set $upstream SERVICE_URL; rewrite ^/argo/(.*) /$1 break; From e081b2385cffdfb832063fbd7c3930f0310ed738 Mon Sep 17 00:00:00 2001 From: emalinowski Date: Mon, 12 Feb 2024 17:02:16 -0600 Subject: [PATCH 19/39] fix(karpenter-policy): Added kms permissions for karpenter (#2467) * fix(karpenter-policy): Added kms permissions for karpenter * fix(karpenter-policy): Added kms permissions for karpenter * fix(karpenter-policy): Added kms permissions for karpenter --------- Co-authored-by: Edward Malinowski Co-authored-by: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> --- gen3/bin/kube-setup-karpenter.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/gen3/bin/kube-setup-karpenter.sh b/gen3/bin/kube-setup-karpenter.sh index c8762c2e5..2737ed6ee 100644 --- a/gen3/bin/kube-setup-karpenter.sh +++ b/gen3/bin/kube-setup-karpenter.sh @@ -79,6 +79,14 @@ gen3_deploy_karpenter() { "Effect": "Allow", "Resource": "*", "Sid": "ConditionalEC2Termination" + }, + { + "Sid": "VisualEditor0", + "Effect": "Allow", + "Action": [ + "kms:*" + ], + "Resource": "*" } ], "Version": "2012-10-17" From 11b94fb4e86ac779bf855a451bd16c7e7ecbe5d1 Mon Sep 17 00:00:00 2001 
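Review bot: The statement added to the Karpenter policy allows `kms:*` on `"Resource": "*"`, which gives the controller role every KMS operation (including key-policy changes and key deletion scheduling) on every key whose key policy delegates to IAM, far more than launching nodes requires. Restrict it to the operations needed for encrypted volumes and to the key in use, for example `"Action": ["kms:Decrypt", "kms:DescribeKey", "kms:CreateGrant", "kms:GenerateDataKeyWithoutPlaintext", "kms:ReEncrypt*"]` with `"Resource": "<ARN of the volume-encryption key>"` (placeholder; confirm the action list against what the nodes actually use). A descriptive `Sid` in place of `VisualEditor0` would also record why the statement exists. `gen3_deploy_karpenter` starts and ends outside the hunk.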
From: Andrew Prokhorenkov Date: Tue, 13 Feb 2024 09:47:57 -0600 Subject: [PATCH 20/39] Feat/argo wrapper namespace config (#2468) * feat: argo-wrapper-namespace-config update * feat: some extra updates * fix: name for file * feat: updates --- gen3/bin/kube-setup-argo-wrapper.sh | 13 ++++++++++++- kube/services/argo-wrapper/argo-wrapper-deploy.yaml | 9 ++++++++- kube/services/argo-wrapper/config.ini | 4 ++++ 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 kube/services/argo-wrapper/config.ini diff --git a/gen3/bin/kube-setup-argo-wrapper.sh b/gen3/bin/kube-setup-argo-wrapper.sh index 5727a703e..306050b12 100644 --- a/gen3/bin/kube-setup-argo-wrapper.sh +++ b/gen3/bin/kube-setup-argo-wrapper.sh @@ -19,5 +19,16 @@ if [[ -z "$GEN3_SOURCE_ONLY" ]]; then gen3 roll argo-wrapper g3kubectl apply -f "${GEN3_HOME}/kube/services/argo-wrapper/argo-wrapper-service.yaml" + if g3k_manifest_lookup .argo.argo_server_service_url 2> /dev/null; then + argo_server_service_url=$(g3k_manifest_lookup .argo.argo_server_service_url) + + export ARGO_HOST=${argo_server_service_url} + export ARGO_NAMESPACE=argo-$(gen3 db namespace) + envsubst <"${GEN3_HOME}/kube/services/argo-wrapper/config.ini" > /tmp/config.ini + + g3kubectl delete configmap argo-wrapper-namespace-config + g3kubectl create configmap argo-wrapper-namespace-config --from-file /tmp/config.ini + fi + gen3_log_info "the argo-wrapper service has been deployed onto the kubernetes cluster" -fi \ No newline at end of file +fi diff --git a/kube/services/argo-wrapper/argo-wrapper-deploy.yaml b/kube/services/argo-wrapper/argo-wrapper-deploy.yaml index 65f68d98a..00d118746 100644 --- a/kube/services/argo-wrapper/argo-wrapper-deploy.yaml +++ b/kube/services/argo-wrapper/argo-wrapper-deploy.yaml @@ -58,7 +58,10 @@ spec: configMap: name: manifest-argo optional: true - + - name: argo-wrapper-namespace-config + configMap: + name: argo-wrapper-namespace-config + containers: - name: argo-wrapper GEN3_ARGO-WRAPPER_IMAGE 
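Review bot: `g3kubectl delete configmap argo-wrapper-namespace-config` fails on the first run, when the ConfigMap does not exist yet, and between the delete and the create there is no ConfigMap for a starting pod to mount. An idempotent update avoids both, assuming `g3kubectl` forwards its arguments to kubectl: `g3kubectl create configmap argo-wrapper-namespace-config --from-file /tmp/config.ini --dry-run=client -o yaml | g3kubectl apply -f -`. `envsubst` is called without a variable list, so any `$NAME` that later appears in config.ini is replaced from the environment; `envsubst '$ARGO_HOST $ARGO_NAMESPACE'` limits it to the two intended variables.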
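Review bot: The `argo-wrapper-namespace-config` volume is mandatory, but kube-setup-argo-wrapper.sh in this same commit creates that ConfigMap only when `.argo.argo_server_service_url` is present in the manifest, and only after `gen3 roll argo-wrapper` has run; where the key is absent the pod would wait for a ConfigMap that never appears. Create the ConfigMap unconditionally before the roll, or mark the volume `optional: true` as the `manifest-argo` volume directly above it does. The matching `volumeMounts` entry is in the next hunk of this file.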
@@ -70,3 +73,7 @@ spec: readOnly: true mountPath: /argo.json subPath: argo.json + - name: argo-wrapper-namespace-config + readOnly: true + mountPath: /src/config.ini + subPath: config.ini diff --git a/kube/services/argo-wrapper/config.ini b/kube/services/argo-wrapper/config.ini new file mode 100644 index 000000000..334438ac2 --- /dev/null +++ b/kube/services/argo-wrapper/config.ini @@ -0,0 +1,4 @@ +[DEFAULT] +ARGO_ACCESS_METHOD = access +ARGO_HOST = $ARGO_HOST +ARGO_NAMESPACE = $ARGO_NAMESPACE From 464f6ebc68f1481c83597920ae411226cdff7ee0 Mon Sep 17 00:00:00 2001 From: emalinowski Date: Wed, 14 Feb 2024 12:22:23 -0600 Subject: [PATCH 21/39] Update squid_running_on_docker.sh (#2469) --- flavors/squid_auto/squid_running_on_docker.sh | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/flavors/squid_auto/squid_running_on_docker.sh b/flavors/squid_auto/squid_running_on_docker.sh index 2d7cf8e68..812a9f738 100644 --- a/flavors/squid_auto/squid_running_on_docker.sh +++ b/flavors/squid_auto/squid_running_on_docker.sh @@ -74,10 +74,18 @@ function install_docker(){ # Docker ############################################################### # Install docker from sources - curl -fsSL ${DOCKER_DOWNLOAD_URL}/gpg | sudo apt-key add - - add-apt-repository "deb [arch=amd64] ${DOCKER_DOWNLOAD_URL} $(lsb_release -cs) stable" - apt update - apt install -y docker-ce + if [[ $DISTRO == "Ubuntu" ]]; then + curl -fsSL ${DOCKER_DOWNLOAD_URL}/gpg | sudo apt-key add - + add-apt-repository "deb [arch=amd64] ${DOCKER_DOWNLOAD_URL} $(lsb_release -cs) stable" + apt update + apt install -y docker-ce + else + sudo yum update -y + sudo yum install -y docker + # Start and enable Docker service + sudo systemctl start docker + sudo systemctl enable docker + fi mkdir -p /etc/docker cp ${SUB_FOLDER}/flavors/squid_auto/startup_configs/docker-daemon.json /etc/docker/daemon.json chmod -R 0644 /etc/docker From 982e7b6fb1d7bf8fb1ba167e1adf2de7ba995a8b Mon Sep 17 00:00:00 2001 
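Review bot: On the Ubuntu branch the downloaded key is still piped into `apt-key add`, which makes it trusted for every APT source on the host rather than only the Docker repository, and `${DOCKER_DOWNLOAD_URL}` is expanded unquoted. Keep the key in its own keyring and bind the repository to it: `curl -fsSL "${DOCKER_DOWNLOAD_URL}/gpg" | gpg --dearmor -o /etc/apt/keyrings/docker.gpg` and `add-apt-repository "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] ${DOCKER_DOWNLOAD_URL} $(lsb_release -cs) stable"`, creating `/etc/apt/keyrings` first if the image lacks it. The new `else` runs `yum` for every `$DISTRO` value other than `Ubuntu`; an explicit `elif` for the supported distribution and a failing `else` would stop an unexpected image from being half-configured. `install_docker` continues outside the hunk.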
From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Thu, 15 Feb 2024 10:57:46 -0500 Subject: [PATCH 22/39] Lowering parallelism to 1 for VA workflows (#2470) * Lowering parallelism to 1 for VA workflows * Caught changes we don't want --- kube/services/argo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/services/argo/values.yaml b/kube/services/argo/values.yaml index 473f7041e..7c2a04531 100644 --- a/kube/services/argo/values.yaml +++ b/kube/services/argo/values.yaml @@ -1,5 +1,5 @@ controller: - parallelism: 3 + parallelism: 1 metricsConfig: # -- Enables prometheus metrics server enabled: true From 0015d1c83ba3e9d0f9cbda1d7eb774e8a57ee68a Mon Sep 17 00:00:00 2001 From: vzpgb <45467497+vzpgb@users.noreply.github.com> Date: Fri, 16 Feb 2024 10:19:27 -0600 Subject: [PATCH 23/39] Increases VA prod parallel workflows to 3 (#2473) --- kube/services/argo/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/services/argo/values.yaml b/kube/services/argo/values.yaml index 7c2a04531..473f7041e 100644 --- a/kube/services/argo/values.yaml +++ b/kube/services/argo/values.yaml @@ -1,5 +1,5 @@ controller: - parallelism: 1 + parallelism: 3 metricsConfig: # -- Enables prometheus metrics server enabled: true From f4e99c4c17f28bc4e4ad0bdd476f6b65b94ab183 Mon Sep 17 00:00:00 2001 From: burtonk <117617405+k-burt-uch@users.noreply.github.com> Date: Mon, 19 Feb 2024 15:08:18 -0600 Subject: [PATCH 24/39] Add azure blob storage to web_wildcard_whitelist (#2475) --- packer/configs/web_wildcard_whitelist | 1 + 1 file changed, 1 insertion(+) diff --git a/packer/configs/web_wildcard_whitelist b/packer/configs/web_wildcard_whitelist index c58eeefe8..621dec3d5 100644 --- a/packer/configs/web_wildcard_whitelist +++ b/packer/configs/web_wildcard_whitelist @@ -44,4 +44,5 @@ .yahooapis.com .cloudfront.net .docker.io +.blob.core.windows.net .googleapis.com 
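Review bot: The `.blob.core.windows.net` entry added in PATCH 24 allows traffic through the proxy to every Azure Storage account, not only the ones this deployment uses, so any workload behind squid can reach a storage account owned by anyone, which weakens the egress allowlist as a control against data leaving the environment. If the accounts are known, list them individually in the non-wildcard whitelist, e.g. `<storage-account>.blob.core.windows.net` (placeholder), and leave the wildcard out. If the wildcard has to stay, the commit description should name the workload that needs it so the entry can be revisited.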
From 1f8632ff493afad17e14d610eb35c01e1b81e359 Mon Sep 17 00:00:00 2001 From: "J. Q" <55899496+jawadqur@users.noreply.github.com> Date: Mon, 19 Feb 2024 16:12:31 -0600 Subject: [PATCH 25/39] Add whitelist for snap to work (#2476) --- files/squid_whitelist/web_whitelist | 1 - files/squid_whitelist/web_wildcard_whitelist | 2 ++ 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/files/squid_whitelist/web_whitelist b/files/squid_whitelist/web_whitelist index 625c20b29..c191b2e8c 100644 --- a/files/squid_whitelist/web_whitelist +++ b/files/squid_whitelist/web_whitelist @@ -15,7 +15,6 @@ ctds-planx.atlassian.net data.cityofchicago.org dataguids.org api.login.yahoo.com -api.snapcraft.io apt.kubernetes.io argoproj.github.io archive.cloudera.com diff --git a/files/squid_whitelist/web_wildcard_whitelist b/files/squid_whitelist/web_wildcard_whitelist index 3dca3946a..b71ee76c2 100644 --- a/files/squid_whitelist/web_wildcard_whitelist +++ b/files/squid_whitelist/web_wildcard_whitelist @@ -97,6 +97,8 @@ .sks-keyservers.net .slack.com .slack-msgs.com +.snapcraft.io +.snapcraftcontent.com .sourceforge.net .southsideweekly.com .theanvil.io From fe5b5502603ec4158c9f077fad83eb421402763d Mon Sep 17 00:00:00 2001 From: Pauline Ribeyre <4224001+paulineribeyre@users.noreply.github.com> Date: Tue, 20 Feb 2024 14:56:05 -0600 Subject: [PATCH 26/39] gen3 logs snapshot: also get initContainers logs (#2478) --- gen3/lib/logs/snapshot.sh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/gen3/lib/logs/snapshot.sh b/gen3/lib/logs/snapshot.sh index 31cb80283..d3d3b2c6c 100644 --- a/gen3/lib/logs/snapshot.sh +++ b/gen3/lib/logs/snapshot.sh 
@@ -36,10 +36,11 @@ gen3_logs_snapshot_container() { # Snapshot all the pods # gen3_logs_snapshot_all() { + # For each pod for which we can list the containers, get the pod name and get its list of containers + # (container names + initContainers names). Diplay them as lines of " ". g3kubectl get pods -o json | \ - jq -r '.items | map(select(.status.phase != "Pending" and .status.phase != "Unknown")) | map( {pod: .metadata.name, containers: .spec.containers | map(.name) } ) | map( .pod as $pod | .containers | map( { pod: $pod, cont: .})[]) | map(select(.cont != "pause" and .cont != "jupyterhub"))[] | .pod + " " + .cont' | \ + jq -r '.items | map(select(.status.phase != "Pending" and .status.phase != "Unknown")) | map( {pod: .metadata.name, containers: [(.spec.containers | select(.!=null) | map(.name)), (.spec.initContainers | select(.!=null) | map(.name)) | add ] } ) | map( .pod as $pod | .containers | map( { pod: $pod, cont: .})[]) | map(select(.cont != "pause" and .cont != "jupyterhub"))[] | .pod + " " + .cont' | \ while read -r line; do gen3_logs_snapshot_container $line done } - From ff88b7b9ab6898587c96c78bb49ae6456cddabad Mon Sep 17 00:00:00 2001 From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Wed, 21 Feb 2024 11:46:29 -0500 Subject: [PATCH 27/39] Adding namespace and overall parallelism so we can run 5 workflows in preprod, and 3 in prod at the same time (#2479) --- kube/services/argo/values.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kube/services/argo/values.yaml b/kube/services/argo/values.yaml index 473f7041e..2b46ced0f 100644 --- a/kube/services/argo/values.yaml +++ b/kube/services/argo/values.yaml @@ -1,5 +1,6 @@ controller: - parallelism: 3 + parallelism: 8 + namespaceParallelism: 3 metricsConfig: # -- Enables prometheus metrics server enabled: true From d8fd2813a1e13e40bdb58d33abd2a6101f398bba Mon Sep 17 00:00:00 2001 
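Review bot: In the new jq filter the `| add` sits inside the array constructor, and because `|` binds more loosely than `,` it is applied to each name list separately; `add` over a list of strings concatenates them, so a pod with containers `a` and `b` produces the single name `ab` and only single-container pods come out right. Join the two lists before taking the names: `containers: ((.spec.containers // []) + (.spec.initContainers // []) | map(.name))`. The new comment also has a typo (`Diplay`), and the line format it describes appears to be missing between the quotes.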
From: Andrew Prokhorenkov Date: Thu, 22 Feb 2024 10:47:16 -0600 Subject: [PATCH 28/39] feat(argo-wrapper): update mountpath (#2481) --- kube/services/argo-wrapper/argo-wrapper-deploy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/services/argo-wrapper/argo-wrapper-deploy.yaml b/kube/services/argo-wrapper/argo-wrapper-deploy.yaml index 00d118746..89ec29ecc 100644 --- a/kube/services/argo-wrapper/argo-wrapper-deploy.yaml +++ b/kube/services/argo-wrapper/argo-wrapper-deploy.yaml @@ -75,5 +75,5 @@ spec: subPath: argo.json - name: argo-wrapper-namespace-config readOnly: true - mountPath: /src/config.ini + mountPath: /argowrapper/config.ini subPath: config.ini From 2df523111e44e3e1eb3ccc5563066ea1c13f4505 Mon Sep 17 00:00:00 2001 From: Andrew Prokhorenkov Date: Thu, 22 Feb 2024 11:03:28 -0600 Subject: [PATCH 29/39] feat(argo-wrapper): update config.ini, missed option (#2482) --- kube/services/argo-wrapper/config.ini | 1 + 1 file changed, 1 insertion(+) diff --git a/kube/services/argo-wrapper/config.ini b/kube/services/argo-wrapper/config.ini index 334438ac2..1a1f20c29 100644 --- a/kube/services/argo-wrapper/config.ini +++ b/kube/services/argo-wrapper/config.ini @@ -2,3 +2,4 @@ ARGO_ACCESS_METHOD = access ARGO_HOST = $ARGO_HOST ARGO_NAMESPACE = $ARGO_NAMESPACE +COHORT_DEFINITION_BY_SOURCE_AND_TEAM_PROJECT_URL = COHORT_DEFINITION_BY_SOURCE_AND_TEAM_PROJECT_URL = http://cohort-middleware-service/cohortdefinition-stats/by-source-id/{}/by-team-project?team-project={} From e51ed100e8b3b338b7029777a8daadf8b0e22002 Mon Sep 17 00:00:00 2001 From: Andrew Prokhorenkov Date: Thu, 22 Feb 2024 11:21:56 -0600 Subject: [PATCH 30/39] fix(argo-wrapper): fix typo (#2483) --- kube/services/argo-wrapper/config.ini | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kube/services/argo-wrapper/config.ini b/kube/services/argo-wrapper/config.ini index 1a1f20c29..40ac392fd 100644 --- a/kube/services/argo-wrapper/config.ini 
+++ b/kube/services/argo-wrapper/config.ini @@ -2,4 +2,4 @@ ARGO_ACCESS_METHOD = access ARGO_HOST = $ARGO_HOST ARGO_NAMESPACE = $ARGO_NAMESPACE -COHORT_DEFINITION_BY_SOURCE_AND_TEAM_PROJECT_URL = COHORT_DEFINITION_BY_SOURCE_AND_TEAM_PROJECT_URL = http://cohort-middleware-service/cohortdefinition-stats/by-source-id/{}/by-team-project?team-project={} +COHORT_DEFINITION_BY_SOURCE_AND_TEAM_PROJECT_URL = http://cohort-middleware-service/cohortdefinition-stats/by-source-id/{}/by-team-project?team-project={} From c5c54865cc2261bfd91b0d83cdbc50b8381254ef Mon Sep 17 00:00:00 2001 From: Hara Prasad Date: Fri, 23 Feb 2024 08:17:29 -0800 Subject: [PATCH 31/39] Prevent eviction of ETL job pod while running (#2484) --- kube/services/jobs/etl-job.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kube/services/jobs/etl-job.yaml b/kube/services/jobs/etl-job.yaml index fa201c99a..6b9b887ec 100644 --- a/kube/services/jobs/etl-job.yaml +++ b/kube/services/jobs/etl-job.yaml @@ -2,6 +2,8 @@ apiVersion: batch/v1 kind: Job metadata: + annotations: + karpenter.sh/do-not-evict: "true" name: etl spec: backoffLimit: 0 From 13fb2397dfaac8165c7a71e1fce769bda08ee760 Mon Sep 17 00:00:00 2001 
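Review bot: In PATCH 31 the annotation is added to the Job's own `metadata`, but `karpenter.sh/do-not-evict` is read from pods, and annotations on a Job are not copied to the pods it creates, so in this position it most likely has no effect on eviction. Move it to the pod template, i.e. under `spec.template.metadata.annotations` with `karpenter.sh/do-not-evict: "true"`. The pod template is outside the hunk, so check that it does not already carry the annotation.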
From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Tue, 27 Feb 2024 11:51:18 -0500 Subject: [PATCH 32/39] Fix/argo wrapper default url (#2486) * Adding a secret to contain all values for any workflow templates * Adding an override namespace argument to kube-setup-argo * Fixing a typo * You'd think I'd never written Bash before * Adding the last part of the namespace override logic * Debug prints * Trying to figure out why the override namespace logic doesn't work * Just checking * Desperate * I think we can't use echo in gen3 scripts * Sanity check * Just a commit * Checking if we get the argo_namespace correctly * Making the print clearer * It's debug print time * Fixing references * Adding some stuff * Removing debugs, and adding --overwrite * Adding double quotes * Fixing kube-setup-argo-wrapper to have default values for argo-service URL and argo namespace * Fixing /tmp/config.ini collisions * Turns out that wasn't the way to go, instead we'll just delete /tmp/config.ini to account for multiple environments * Removed some extra stuff that snuck in --- .secrets.baseline | 2 +- gen3/bin/kube-setup-argo-wrapper.sh | 23 ++++++++++++++++------- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 0a8fe9cc9..936e306e5 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2023-10-26T21:32:44Z", + "generated_at": "2024-02-23T20:30:41Z", "plugins_used": [ { "name": "AWSKeyDetector" diff --git a/gen3/bin/kube-setup-argo-wrapper.sh b/gen3/bin/kube-setup-argo-wrapper.sh index 306050b12..9f7cc52ce 100644 --- a/gen3/bin/kube-setup-argo-wrapper.sh +++ b/gen3/bin/kube-setup-argo-wrapper.sh 
@@ -18,17 +18,26 @@ if [[ -z "$GEN3_SOURCE_ONLY" ]]; then gen3 roll argo-wrapper g3kubectl apply -f "${GEN3_HOME}/kube/services/argo-wrapper/argo-wrapper-service.yaml" + if g3k_manifest_lookup .argo.argo_server_service_url 2> /dev/null; then - argo_server_service_url=$(g3k_manifest_lookup .argo.argo_server_service_url) + export ARGO_HOST=$(g3k_manifest_lookup .argo.argo_server_service_url) + else + export ARGO_HOST="http://argo-argo-workflows-server.argo.svc.cluster.local:2746" + fi + + if g3k_config_lookup '.argo_namespace' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json 2> /dev/null; then + export ARGO_NAMESPACE=$(g3k_config_lookup '.argo_namespace' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) + else + export ARGO_NAMESPACE="argo" + fi - export ARGO_HOST=${argo_server_service_url} - export ARGO_NAMESPACE=argo-$(gen3 db namespace) - envsubst <"${GEN3_HOME}/kube/services/argo-wrapper/config.ini" > /tmp/config.ini + envsubst <"${GEN3_HOME}/kube/services/argo-wrapper/config.ini" > /tmp/config.ini - g3kubectl delete configmap argo-wrapper-namespace-config - g3kubectl create configmap argo-wrapper-namespace-config --from-file /tmp/config.ini - fi + g3kubectl delete configmap argo-wrapper-namespace-config + g3kubectl create configmap argo-wrapper-namespace-config --from-file /tmp/config.ini + + rm /tmp/config.ini gen3_log_info "the argo-wrapper service has been deployed onto the kubernetes cluster" fi From 1a44bef0712ca5ffb4262615999787ef536644be Mon Sep 17 00:00:00 2001 From: emalinowski Date: Wed, 28 Feb 2024 06:20:07 -0600 Subject: [PATCH 33/39] fix(jenkins-zone): Added zone (#2487) Co-authored-by: Edward Malinowski Co-authored-by: Ajo Augustine --- kube/services/jenkins/jenkins-deploy.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kube/services/jenkins/jenkins-deploy.yaml b/kube/services/jenkins/jenkins-deploy.yaml index c0eae2040..954e996f2 100644 --- a/kube/services/jenkins/jenkins-deploy.yaml 
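Review bot: Each `if g3k_... 2> /dev/null; then` discards only stderr, so the looked-up value is printed to the script output and the lookup then runs a second time inside `export VAR=$(...)`, where a failure is masked by `export`. Do the lookup once and fall back on failure, assuming the lookup exits non-zero when the key is absent as the `if` relies on: `ARGO_HOST="$(g3k_manifest_lookup .argo.argo_server_service_url 2> /dev/null)" || ARGO_HOST="http://argo-argo-workflows-server.argo.svc.cluster.local:2746"` followed by `export ARGO_HOST`, and the same shape for `ARGO_NAMESPACE`. The `rm /tmp/config.ini` only runs when every earlier command succeeded, and the path is still the fixed name raised on PATCH 18; a `mktemp` file removed from a `trap` covers both.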
+++ b/kube/services/jenkins/jenkins-deploy.yaml @@ -38,6 +38,10 @@ spec: operator: In values: - on-demand + - key: topology.kubernetes.io/zone + operator: In + values: + - us-east-1a serviceAccountName: jenkins-service securityContext: runAsUser: 1000 From 6c27fc9a7fe6cd3affd7a108db3c80b51c664ad1 Mon Sep 17 00:00:00 2001 From: Michael Lukowski Date: Thu, 29 Feb 2024 09:59:10 -0600 Subject: [PATCH 34/39] updating the cedar data ingest (#2472) * updating the cedar data ingest * fix unsanitized request * address some comments --- .../healdata/heal-cedar-data-ingest.py | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/files/scripts/healdata/heal-cedar-data-ingest.py b/files/scripts/healdata/heal-cedar-data-ingest.py index 71575e3c5..d3ff246c3 100644 --- a/files/scripts/healdata/heal-cedar-data-ingest.py +++ b/files/scripts/healdata/heal-cedar-data-ingest.py @@ -35,6 +35,16 @@ "Buisness Development": "Business Development" } +# repository links +REPOSITORY_STUDY_ID_LINK_TEMPLATE = { + "NIDDK Central": "https://repository.niddk.nih.gov/studies//", + "NIDA Data Share": "https://datashare.nida.nih.gov/study/", + "NICHD DASH": "https://dash.nichd.nih.gov/study/", + "ICPSR": "https://www.icpsr.umich.edu/web/ICPSR/studies/", + "BioSystics-AP": "https://biosystics-ap.com/assays/assaystudy//", +} + + # Defines field that we don't want to include in the filters OMITTED_VALUES_MAPPING = { "study_metadata.human_subject_applicability.gender_applicability": "Not applicable" 
@@ -114,6 +124,31 @@ def get_client_token(client_id: str, client_secret: str): return token +def get_related_studies(serial_num, hostname): + related_study_result = [] + + if serial_num: + mds = requests.get(f"https://revproxy-service/mds/metadata?nih_reporter.project_num_split.serial_num={serial_num}&data=true&limit=2000") + if mds.status_code == 200: + related_study_metadata = mds.json() + + for ( + related_study_metadata_key, + related_study_metadata_value, + ) in related_study_metadata.items(): + title = ( + related_study_metadata_value.get( + "gen3_discovery", {} + ) + .get("study_metadata", {}) + .get("minimal_info", {}) + .get("study_name", "") + ) + link = f"https://{hostname}/portal/discovery/{related_study_metadata_key}/" + related_study_result.append({"title": title, "link": link}) + return related_study_result + + parser = argparse.ArgumentParser() parser.add_argument("--directory", help="CEDAR Directory ID for registering ") 
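Review bot: `get_related_studies` interpolates `serial_num` straight into the query string and calls `requests.get` without a timeout, so a value containing `&` or `#` changes the query that is sent and a stalled metadata service hangs the ingest job indefinitely. Let requests encode the parameters and bound the wait: `mds = requests.get("https://revproxy-service/mds/metadata", params={"nih_reporter.project_num_split.serial_num": serial_num, "data": "true", "limit": 2000}, timeout=30)` (the timeout value is illustrative). A non-200 response is silently treated as "no related studies"; printing the status code in that case would make the failure visible.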
@@ -214,6 +249,67 @@ def get_client_token(client_id: str, client_secret: str): mds_res["gen3_discovery"]["study_metadata"].update(cedar_record) mds_res["gen3_discovery"]["study_metadata"]["metadata_location"]["other_study_websites"] = cedar_record_other_study_websites + # setup citations + doi_citation = mds_res["gen3_discovery"]["study_metadata"].get("doi_citation", "") + mds_res["gen3_discovery"]["study_metadata"]["citation"]["heal_platform_citation"] = doi_citation + + + # setup repository_study_link + data_repositories = ( + mds_res.get("study_metadata", {}) + .get("metadata_location", {}) + .get("data_repositories", []) + ) + repository_citation = "Users must also include a citation to the data as specified by the local repository." + repository_citation_additional_text = ' The link to the study page at the local repository can be found in the "Data" tab.' + for repository in data_repositories: + if ( + repository["repository_name"] + and repository["repository_name"] + in REPOSITORY_STUDY_ID_LINK_TEMPLATE + and repository["repository_study_ID"] + ): + repository_study_link = REPOSITORY_STUDY_ID_LINK_TEMPLATE[ + repository["repository_name"] + ].replace("", repository["repository_study_ID"]) + repository.update({"repository_study_link": repository_study_link}) + if repository_citation_additional_text not in repository_citation: + repository_citation += repository_citation_additional_text + if len(data_repositories): + data_repositories[0] = { + **data_repositories[0], + "repository_citation": repository_citation, + } + mds_res["gen3_discovery"]["study_metadata"][ + "metadata_location" + ]["data_repositories"] = data_repositories + + + + # set up related studies + serial_num = None + try: + serial_num = ( + mds_res + .get("nih_reporter", {}) + .get("project_num_split", {}) + .get("serial_num", None) + ) + except Exception: + print(f"Unable to get serial number for study") + + if serial_num == None: + print(f"Unable to get serial number for study") + + 
related_study_result = get_related_studies(serial_num, hostname) + existing_related_study_result = mds_res.get("related_studies", []) + for related_study in related_study_result: + if related_study not in existing_related_study_result: + existing_related_study_result.append(copy.deepcopy(related_study)) + mds_res["gen3_discovery"][ + "related_studies" + ] = copy.deepcopy(existing_related_study_result) + # merge data from cedar that is not study level metadata into a level higher deleted_keys = [] for key, value in mds_res["gen3_discovery"]["study_metadata"].items(): From 072279d59732ff0109e9ca18bb05479b3bdcd577 Mon Sep 17 00:00:00 2001 From: Aidan Hilt <11202897+AidanHilt@users.noreply.github.com> Date: Thu, 29 Feb 2024 11:16:29 -0500 Subject: [PATCH 35/39] Feat/s3 bucket template (#2485) * Adding a secret to contain all values for any workflow templates * Adding an override namespace argument to kube-setup-argo * Fixing a typo * You'd think I'd never written Bash before * Adding the last part of the namespace override logic * Debug prints * Trying to figure out why the override namespace logic doesn't work * Just checking * Desperate * I think we can't use echo in gen3 scripts * Sanity check * Just a commit * Checking if we get the argo_namespace correctly * Making the print clearer * It's debug print time * Fixing references * Adding some stuff * Removing debugs, and adding --overwrite * Adding double quotes --- .secrets.baseline | 4 +-- gen3/bin/kube-setup-argo.sh | 66 ++++++++++++++++++++++++++----------- 2 files changed, 49 insertions(+), 21 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index 936e306e5..b7e06622d 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -3,7 +3,7 @@ "files": "^.secrets.baseline$", "lines": null }, - "generated_at": "2024-02-23T20:30:41Z", + "generated_at": "2024-02-23T20:30:41Z" "plugins_used": [ { "name": "AWSKeyDetector" 
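Review bot: `data_repositories` is read from `mds_res.get("study_metadata", {})` and `existing_related_study_result` from `mds_res.get("related_studies", [])`, while every write in this hunk goes under `mds_res["gen3_discovery"]`; if those keys exist only under `gen3_discovery`, as the surrounding lines suggest, both reads always return the empty default and the repository links and citation are never added. Read from where the result is written, e.g. `mds_res["gen3_discovery"]["study_metadata"].get("metadata_location", {}).get("data_repositories", [])` and `mds_res["gen3_discovery"].get("related_studies", [])`. `repository["repository_name"]`, `repository["repository_study_ID"]` and `["citation"]["heal_platform_citation"]` index keys directly and raise `KeyError` on a record that lacks them. The hunk calls `copy.deepcopy`, and no `import copy` is visible in this commit. The enclosing loop starts and ends outside the hunk.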
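Review bot: The replacement `"generated_at"` line in PATCH 35 loses the trailing comma before `"plugins_used"`, which makes `.secrets.baseline` invalid JSON, so the secret scanner that reads this baseline would fail to load it. Restore the line as `"generated_at": "2024-02-23T20:30:41Z",`, or regenerate the file with the scanning tool instead of editing it by hand.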
@@ -342,7 +342,7 @@ "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897", "is_secret": false, "is_verified": false, - "line_number": 191, + "line_number": 206, "type": "Secret Keyword" } ], diff --git a/gen3/bin/kube-setup-argo.sh b/gen3/bin/kube-setup-argo.sh index ff2438833..20676145b 100644 --- a/gen3/bin/kube-setup-argo.sh +++ b/gen3/bin/kube-setup-argo.sh @@ -5,10 +5,25 @@ source "${GEN3_HOME}/gen3/lib/utils.sh" gen3_load "gen3/gen3setup" gen3_load "gen3/lib/kube-setup-init" +override_namespace=false +force=false + +for arg in "${@}"; do + if [ "$arg" == "--override-namespace" ]; then + override_namespace=true + elif [ "$arg" == "--force" ]; then + force=true + else + #Print usage info and exit + gen3_log_info "Usage: gen3 kube-setup-argo [--override-namespace] [--force]" + exit 1 + fi +done ctx="$(g3kubectl config current-context)" ctxNamespace="$(g3kubectl config view -ojson | jq -r ".contexts | map(select(.name==\"$ctx\")) | .[0] | .context.namespace")" +argo_namespace=$(g3k_config_lookup '.argo_namespace' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) function setup_argo_buckets { local accountNumber 
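Review bot: `argo_namespace` is read from argo.json with no fallback, and the later hunks of this file pass it unquoted as `-n $argo_namespace`; when the key is missing, `-n` either loses its value and swallows the next word or receives a literal `null`, depending on what `g3k_config_lookup` returns. Default it right after the lookup, as kube-setup-argo-wrapper.sh does in PATCH 32, with `argo_namespace="${argo_namespace:-argo}"` (plus a check for `null` if the lookup can return it), and quote every `"$argo_namespace"` use. The path argument `$(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json` should be quoted as well.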
@@ -32,13 +47,13 @@ function setup_argo_buckets { roleName="gen3-argo-${environment//_/-}-role" bucketPolicy="argo-bucket-policy-${nameSpace}" internalBucketPolicy="argo-internal-bucket-policy-${nameSpace}" - if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo."s3-bucket"') ]]; then - if [[ ! -z $(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then + if [[ ! -z $(g3k_config_lookup '."downloadable-s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo."downloadable-s3-bucket"') ]]; then + if [[ ! -z $(g3k_config_lookup '."downloadable-s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) ]]; then gen3_log_info "Using S3 bucket found in manifest: ${bucketName}" - bucketName=$(g3k_config_lookup '."s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) + bucketName=$(g3k_config_lookup '."downloadable-s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) else gen3_log_info "Using S3 bucket found in manifest: ${bucketName}" - bucketName=$(g3k_config_lookup '.argo."s3-bucket"') + bucketName=$(g3k_config_lookup '.argo."downloadable-s3-bucket"') fi fi if [[ ! -z $(g3k_config_lookup '."internal-s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) || ! -z $(g3k_config_lookup '.argo."internal-s3-bucket"') ]]; then 
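Review bot: The manifest key is renamed from `s3-bucket` to `downloadable-s3-bucket` with no fallback, so an environment whose argo.json still uses the old key will presumably fall back silently to whatever `bucketName` was set to earlier in `setup_argo_buckets` (outside the hunk) and send workflow output to a different bucket than before. Accept the old key for a transition period or fail with a clear message when only `s3-bucket` is present. The two `gen3_log_info "Using S3 bucket found in manifest: ${bucketName}"` lines run before `bucketName` is reassigned, so they log the previous value; moving each below its assignment fixes that.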
@@ -131,19 +146,19 @@ EOF g3kubectl create namespace argo || true g3kubectl label namespace argo app=argo || true # Grant admin access within the argo namespace to the default SA in the argo namespace - g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n argo || true + g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount=argo:default -n $argo_namespace || true fi gen3_log_info "Creating IAM role ${roleName}" if aws iam get-role --role-name "${roleName}" > /dev/null 2>&1; then gen3_log_info "IAM role ${roleName} already exists.." roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text) gen3_log_info "Role annotate" - g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo - g3kubectl annotate serviceaccount argo eks.amazonaws.com/role-arn=${roleArn} -n $nameSpace + g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} --overwrite -n $argo_namespace + g3kubectl annotate serviceaccount argo eks.amazonaws.com/role-arn=${roleArn} --overwrite -n $nameSpace else gen3 awsrole create $roleName argo $nameSpace -f all_namespaces roleArn=$(aws iam get-role --role-name "${roleName}" --query 'Role.Arn' --output text) - g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n argo + g3kubectl annotate serviceaccount default eks.amazonaws.com/role-arn=${roleArn} -n $argo_namespace fi # Grant admin access within the current namespace to the argo SA in the current namespace 
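Review bot: The rolebinding is now created with `-n $argo_namespace` but still names `--serviceaccount=argo:default`, so when the namespace is overridden the default service account of the `argo` namespace is given `admin` in the other namespace, while the service account actually annotated with the IAM role is `default` in `$argo_namespace`. Bind the account that lives in the target namespace: `g3kubectl create rolebinding argo-admin --clusterrole=admin --serviceaccount="${argo_namespace}:default" -n "${argo_namespace}" || true`. The `g3kubectl create namespace argo` and `label namespace argo` lines just above are still hard-coded and need the same variable. `setup_argo_buckets` starts and ends outside the hunk.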
@@ -177,34 +192,47 @@ EOF for serviceName in indexd; do secretName="${serviceName}-creds" # Only delete if secret is found to prevent early exits - if [[ ! -z $(g3kubectl get secrets -n argo | grep $secretName) ]]; then - g3kubectl delete secret "$secretName" -n argo > /dev/null 2>&1 + if [[ ! -z $(g3kubectl get secrets -n $argo_namespace | grep $secretName) ]]; then + g3kubectl delete secret "$secretName" -n $argo_namespace > /dev/null 2>&1 fi done sleep 1 # I think delete is async - give backend a second to finish indexdFencePassword=$(cat $(gen3_secrets_folder)/creds.json | jq -r .indexd.user_db.$indexd_admin_user) - g3kubectl create secret generic "indexd-creds" --from-literal=user=$indexd_admin_user --from-literal=password=$indexdFencePassword -n argo + g3kubectl create secret generic "indexd-creds" --from-literal=user=$indexd_admin_user --from-literal=password=$indexdFencePassword -n $argo_namespace fi } function setup_argo_db() { - if ! secret="$(g3kubectl get secret argo-db-creds -n argo 2> /dev/null)"; then + if ! 
secret="$(g3kubectl get secret argo-db-creds -n $argo_namespace 2> /dev/null)"; then gen3_log_info "Setting up argo db persistence" gen3 db setup argo || true dbCreds=$(gen3 secrets decode argo-g3auto dbcreds.json) - g3kubectl create secret -n argo generic argo-db-creds --from-literal=db_host=$(echo $dbCreds | jq -r .db_host) --from-literal=db_username=$(echo $dbCreds | jq -r .db_username) --from-literal=db_password=$(echo $dbCreds | jq -r .db_password) --from-literal=db_database=$(echo $dbCreds | jq -r .db_database) + g3kubectl create secret -n $argo_namespace generic argo-db-creds --from-literal=db_host=$(echo $dbCreds | jq -r .db_host) --from-literal=db_username=$(echo $dbCreds | jq -r .db_username) --from-literal=db_password=$(echo $dbCreds | jq -r .db_password) --from-literal=db_database=$(echo $dbCreds | jq -r .db_database) else gen3_log_info "Argo DB setup already completed" fi } - setup_argo_buckets +function setup_argo_template_secret() { + gen3_log_info "Started the template secret process" + downloadable_bucket_name=$(g3k_config_lookup '."downloadable-s3-bucket"' $(g3k_manifest_init)/$(g3k_hostname)/manifests/argo/argo.json) + # Check if the secret already exists + if [[ ! -z $(g3kubectl get secret argo-template-values-secret -n $argo_namespace) ]]; then + gen3_log_info "Argo template values secret already exists, assuming it's stale and deleting" + g3kubectl delete secret argo-template-values-secret -n $argo_namespace + fi + gen3_log_info "Creating argo template values secret" + g3kubectl create secret generic argo-template-values-secret --from-literal=DOWNLOADABLE_BUCKET=$downloadable_bucket_name -n $argo_namespace +} + +setup_argo_buckets # only do this if we are running in the default namespace -if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then +if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" || "$override_namespace" == true ]]; then setup_argo_db - if (! 
helm status argo -n argo > /dev/null 2>&1 ) || [[ "$1" == "--force" ]]; then - DBHOST=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_host | base64 -d) - DBNAME=$(kubectl get secrets -n argo argo-db-creds -o json | jq -r .data.db_database | base64 -d) + setup_argo_template_secret + if (! helm status argo -n $argo_namespace > /dev/null 2>&1 ) || [[ "$force" == true ]]; then + DBHOST=$(kubectl get secrets -n $argo_namespace argo-db-creds -o json | jq -r .data.db_host | base64 -d) + DBNAME=$(kubectl get secrets -n $argo_namespace argo-db-creds -o json | jq -r .data.db_database | base64 -d) if [[ -z $internalBucketName ]]; then BUCKET=$bucketName else @@ -218,7 +246,7 @@ if [[ "$ctxNamespace" == "default" || "$ctxNamespace" == "null" ]]; then helm repo add argo https://argoproj.github.io/argo-helm --force-update 2> >(grep -v 'This is insecure' >&2) helm repo update 2> >(grep -v 'This is insecure' >&2) - helm upgrade --install argo argo/argo-workflows -n argo -f ${valuesFile} --version 0.29.1 + helm upgrade --install argo argo/argo-workflows -n $argo_namespace -f ${valuesFile} --version 0.29.1 else gen3_log_info "kube-setup-argo exiting - argo already deployed, use --force to redeploy" fi From 90b66091c0d1d8b89e7182ad84201e99903d8e44 Mon Sep 17 00:00:00 2001 From: Mingfei Shao <2475897+mfshao@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:29:05 -0600 Subject: [PATCH 36/39] Update heal-cedar-data-ingest.py (#2490) --- files/scripts/healdata/heal-cedar-data-ingest.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/files/scripts/healdata/heal-cedar-data-ingest.py b/files/scripts/healdata/heal-cedar-data-ingest.py index d3ff246c3..1da4ac2d5 100644 --- a/files/scripts/healdata/heal-cedar-data-ingest.py +++ b/files/scripts/healdata/heal-cedar-data-ingest.py 
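Review bot: `--from-literal=password=$indexdFencePassword` and the `--from-literal=db_password=...` argument in `setup_argo_db` place database passwords on the kubectl command line, where they show up in the process list and in any `set -x` trace, and the unquoted expansions break on values containing spaces or glob characters. Feed the value through a file descriptor instead, e.g. `--from-file=password=<(printf '%s' "$indexdFencePassword")`, and quote the remaining expansions. In the new `setup_argo_template_secret`, the existence test prints an error whenever the secret is absent; `g3kubectl delete secret argo-template-values-secret -n "$argo_namespace" --ignore-not-found` replaces the test and the delete in one idempotent call.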
@@ -128,7 +128,7 @@ def get_related_studies(serial_num, hostname): related_study_result = [] if serial_num: - mds = requests.get(f"https://revproxy-service/mds/metadata?nih_reporter.project_num_split.serial_num={serial_num}&data=true&limit=2000") + mds = requests.get(f"http://revproxy-service/mds/metadata?nih_reporter.project_num_split.serial_num={serial_num}&data=true&limit=2000") if mds.status_code == 200: related_study_metadata = mds.json() From bd6bc767c0461f8fc1f1d90fa8a755be1e7fc381 Mon Sep 17 00:00:00 2001 From: Mingfei Shao <2475897+mfshao@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:49:47 -0600 Subject: [PATCH 37/39] fix missed import (#2491) --- .secrets.baseline | 346 ++++-------------- .../healdata/heal-cedar-data-ingest.py | 2 +- 2 files changed, 73 insertions(+), 275 deletions(-) diff --git a/.secrets.baseline b/.secrets.baseline index b7e06622d..2583e269f 100644 --- a/.secrets.baseline +++ b/.secrets.baseline @@ -1,9 +1,9 @@ { "exclude": { - "files": "^.secrets.baseline$", + "files": null, "lines": null }, - "generated_at": "2024-02-23T20:30:41Z" + "generated_at": "2024-02-29T19:38:46Z", "plugins_used": [ { "name": "AWSKeyDetector" @@ -61,14 +61,12 @@ "Chef/repo/data_bags/README.md": [ { "hashed_secret": "8a9250639e092d90f164792e35073a9395bff366", - "is_secret": false, "is_verified": false, "line_number": 45, "type": "Secret Keyword" }, { "hashed_secret": "6367c48dd193d56ea7b0baad25b19455e529f5ee", - "is_secret": false, "is_verified": false, "line_number": 51, "type": "Secret Keyword" 
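Review bot: The rewritten `requests.get(...)` call has no `timeout=` and still interpolates `serial_num` straight into the query string, so a stalled revproxy-service blocks the script indefinitely and a value containing `&` or `#` would alter the query. I would pass the parameters separately: `mds = requests.get("http://revproxy-service/mds/metadata", params={"nih_reporter.project_num_split.serial_num": serial_num, "data": "true", "limit": 2000}, timeout=30)` (the 30 seconds is only a suggested value). This line also moves the call from `https://` to plain `http://`, so a one-line comment stating why TLS is not used on this in-cluster hop would help, as the reason is not given in the commit. The body of `get_related_studies` continues outside the hunk.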
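Review bot: Every `"is_secret": false` audit label is dropped, starting in the hunk at `@@ -61,14 +61,12 @@` and in each later hunk of `.secrets.baseline`, so all of these findings return to an unaudited state and the earlier triage is lost. It looks as if the baseline was regenerated from scratch rather than updated in place, though the command used is not shown. The first hunk also changes `"files": "^.secrets.baseline$"` to `"files": null`, which removes the exclusion of the baseline file itself. If neither effect is intended, regenerate with `detect-secrets scan --update .secrets.baseline` so the labels and exclude pattern carry over, and re-audit the new `fenceshib-configmap.yaml` hashes. A baseline rewrite of this size would also be easier to review in its own commit than under "fix missed import".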
@@ -77,25 +75,22 @@ "Docker/jenkins/Jenkins-CI-Worker/Dockerfile": [ { "hashed_secret": "10daf3a26c6a17242a5ab2438a12ebc8276c7603", - "is_secret": false, "is_verified": false, - "line_number": 121, + "line_number": 124, "type": "Secret Keyword" } ], "Docker/jenkins/Jenkins-Worker/Dockerfile": [ { "hashed_secret": "10daf3a26c6a17242a5ab2438a12ebc8276c7603", - "is_secret": false, "is_verified": false, - "line_number": 143, + "line_number": 139, "type": "Secret Keyword" } ], "Docker/jenkins/Jenkins/Dockerfile": [ { "hashed_secret": "10daf3a26c6a17242a5ab2438a12ebc8276c7603", - "is_secret": false, "is_verified": false, "line_number": 107, "type": "Secret Keyword" @@ -104,7 +99,6 @@ "Docker/jenkins/Jenkins2/Dockerfile": [ { "hashed_secret": "10daf3a26c6a17242a5ab2438a12ebc8276c7603", - "is_secret": false, "is_verified": false, "line_number": 108, "type": "Secret Keyword" @@ -113,7 +107,6 @@ "Docker/sidecar/service.key": [ { "hashed_secret": "1348b145fa1a555461c1b790a2f66614781091e9", - "is_secret": false, "is_verified": false, "line_number": 1, "type": "Private Key" @@ -122,7 +115,6 @@ "Jenkins/Stacks/Jenkins/jenkins.env.sample": [ { "hashed_secret": "eecee33686ac5861c2a7edc8b46bd0e5432bfddd", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Secret Keyword" @@ -131,7 +123,6 @@ "ansible/roles/awslogs/defaults/main.yaml": [ { "hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684", - "is_secret": false, "is_verified": false, "line_number": 30, "type": "Basic Auth Credentials" @@ -140,14 +131,12 @@ "ansible/roles/slurm/README.md": [ { "hashed_secret": "4acfde1ff9c353ba2ef0dbe0df73bda2743cba42", - "is_secret": false, "is_verified": false, "line_number": 86, "type": "Base64 High Entropy String" }, { "hashed_secret": "579649582303921502d9e6d3f8755f13fdd2b476", - "is_secret": false, "is_verified": false, "line_number": 86, "type": "Secret Keyword" 
@@ -156,7 +145,6 @@ "apis_configs/config_helper.py": [ { "hashed_secret": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f", - "is_secret": false, "is_verified": false, "line_number": 66, "type": "Basic Auth Credentials" @@ -165,7 +153,6 @@ "apis_configs/fence_credentials.json": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 23, "type": "Secret Keyword" @@ -174,21 +161,18 @@ "apis_configs/fence_settings.py": [ { "hashed_secret": "3ef0fb8a603abdc0b6caac44a23fdc6792f77ddf", - "is_secret": false, "is_verified": false, "line_number": 6, "type": "Basic Auth Credentials" }, { "hashed_secret": "b60d121b438a380c343d5ec3c2037564b82ffef3", - "is_secret": false, "is_verified": false, "line_number": 58, "type": "Secret Keyword" }, { "hashed_secret": "347cd9c53ff77d41a7b22aa56c7b4efaf54658e3", - "is_secret": false, "is_verified": false, "line_number": 80, "type": "Basic Auth Credentials" @@ -197,7 +181,6 @@ "apis_configs/indexd_settings.py": [ { "hashed_secret": "0a0d18c85e096611b5685b62bc60ec534d19bacc", - "is_secret": false, "is_verified": false, "line_number": 59, "type": "Basic Auth Credentials" @@ -206,7 +189,6 @@ "apis_configs/peregrine_settings.py": [ { "hashed_secret": "347cd9c53ff77d41a7b22aa56c7b4efaf54658e3", - "is_secret": false, "is_verified": false, "line_number": 46, "type": "Basic Auth Credentials" @@ -215,7 +197,6 @@ "apis_configs/sheepdog_settings.py": [ { "hashed_secret": "347cd9c53ff77d41a7b22aa56c7b4efaf54658e3", - "is_secret": false, "is_verified": false, "line_number": 46, "type": "Basic Auth Credentials" @@ -224,7 +205,6 @@ "doc/Gen3-data-upload.md": [ { "hashed_secret": "b8bd20d4a2701dc3aba0efbbf325f1359392d93e", - "is_secret": false, "is_verified": false, "line_number": 26, "type": "Secret Keyword" 
@@ -233,7 +213,6 @@ "doc/api.md": [ { "hashed_secret": "625de83a7517422051911680cc803921ff99db90", - "is_secret": false, "is_verified": false, "line_number": 47, "type": "Hex High Entropy String" @@ -242,28 +221,24 @@ "doc/gen3OnK8s.md": [ { "hashed_secret": "2db6d21d365f544f7ca3bcfb443ac96898a7a069", - "is_secret": false, "is_verified": false, "line_number": 113, "type": "Secret Keyword" }, { "hashed_secret": "ff9ee043d85595eb255c05dfe32ece02a53efbb2", - "is_secret": false, "is_verified": false, "line_number": 143, "type": "Secret Keyword" }, { "hashed_secret": "70374248fd7129088fef42b8f568443f6dce3a48", - "is_secret": false, "is_verified": false, "line_number": 170, "type": "Secret Keyword" }, { "hashed_secret": "bcf22dfc6fb76b7366b1f1675baf2332a0e6a7ce", - "is_secret": false, "is_verified": false, "line_number": 189, "type": "Secret Keyword" @@ -272,7 +247,6 @@ "doc/kube-setup-data-ingestion-job.md": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 30, "type": "Secret Keyword" @@ -281,7 +255,6 @@ "doc/logs.md": [ { "hashed_secret": "9addbf544119efa4a64223b649750a510f0d463f", - "is_secret": false, "is_verified": false, "line_number": 6, "type": "Secret Keyword" @@ -290,7 +263,6 @@ "doc/slurm_cluster.md": [ { "hashed_secret": "2ace62c1befa19e3ea37dd52be9f6d508c5163e6", - "is_secret": false, "is_verified": false, "line_number": 184, "type": "Secret Keyword" @@ -299,14 +271,12 @@ "files/dashboard/usage-reports/package-lock.json": [ { "hashed_secret": "e095101882f706c4de95e0f75c5bcb9666e3f448", - "is_secret": false, "is_verified": false, "line_number": 10, "type": "Base64 High Entropy String" }, { "hashed_secret": "5422e4f96964d5739998b25ac214520c1b113e5b", - "is_secret": false, "is_verified": false, "line_number": 15, "type": "Base64 High Entropy String" 
@@ -315,14 +285,12 @@ "gen3/bin/api.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 407, "type": "Secret Keyword" }, { "hashed_secret": "e7064f0b80f61dbc65915311032d27baa569ae2a", - "is_secret": false, "is_verified": false, "line_number": 477, "type": "Secret Keyword" @@ -331,7 +299,6 @@ "gen3/bin/kube-dev-namespace.sh": [ { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 135, "type": "Secret Keyword" @@ -340,7 +307,6 @@ "gen3/bin/kube-setup-argo.sh": [ { "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897", - "is_secret": false, "is_verified": false, "line_number": 206, "type": "Secret Keyword" @@ -349,7 +315,6 @@ "gen3/bin/kube-setup-aurora-monitoring.sh": [ { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 59, "type": "Secret Keyword" @@ -358,7 +323,6 @@ "gen3/bin/kube-setup-certs.sh": [ { "hashed_secret": "2e9ee120fd25e31048598693aca91d5473898a99", - "is_secret": false, "is_verified": false, "line_number": 50, "type": "Secret Keyword" @@ -367,14 +331,12 @@ "gen3/bin/kube-setup-dashboard.sh": [ { "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897", - "is_secret": false, "is_verified": false, "line_number": 40, "type": "Secret Keyword" }, { "hashed_secret": "e7064f0b80f61dbc65915311032d27baa569ae2a", - "is_secret": false, "is_verified": false, "line_number": 41, "type": "Secret Keyword" @@ -383,14 +345,12 @@ "gen3/bin/kube-setup-data-ingestion-job.sh": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 37, "type": "Secret Keyword" }, { "hashed_secret": "8695a632956b1b0ea7b66993dcc98732da39148c", - "is_secret": false, "is_verified": false, "line_number": 102, "type": "Secret Keyword" 
@@ -399,7 +359,6 @@ "gen3/bin/kube-setup-dicom-server.sh": [ { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 43, "type": "Secret Keyword" @@ -408,7 +367,6 @@ "gen3/bin/kube-setup-dicom.sh": [ { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 78, "type": "Secret Keyword" @@ -417,14 +375,26 @@ "gen3/bin/kube-setup-jenkins.sh": [ { "hashed_secret": "05ea760643a5c0a9bacb3544dc844ac79938a51f", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, + "is_verified": false, + "line_number": 22, + "type": "Secret Keyword" + } + ], + "gen3/bin/kube-setup-jenkins2.sh": [ + { + "hashed_secret": "05ea760643a5c0a9bacb3544dc844ac79938a51f", + "is_verified": false, + "line_number": 18, + "type": "Secret Keyword" + }, + { + "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", "is_verified": false, "line_number": 22, "type": "Secret Keyword" @@ -433,7 +403,6 @@ "gen3/bin/kube-setup-metadata.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 35, "type": "Secret Keyword" @@ -442,21 +411,18 @@ "gen3/bin/kube-setup-revproxy.sh": [ { "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897", - "is_secret": false, "is_verified": false, "line_number": 38, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 55, "type": "Secret Keyword" }, { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 57, "type": "Secret Keyword" 
@@ -465,21 +431,18 @@ "gen3/bin/kube-setup-secrets.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 79, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 82, "type": "Secret Keyword" }, { "hashed_secret": "6f7531b95bbc99ac25a5cc82edb825f319c5dee8", - "is_secret": false, "is_verified": false, "line_number": 95, "type": "Secret Keyword" @@ -488,14 +451,12 @@ "gen3/bin/kube-setup-sftp.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 36, "type": "Secret Keyword" }, { "hashed_secret": "83d11e3aec005a3b9a2077c6800683e202a95af4", - "is_secret": false, "is_verified": false, "line_number": 51, "type": "Secret Keyword" @@ -504,7 +465,6 @@ "gen3/bin/kube-setup-sheepdog.sh": [ { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 33, "type": "Secret Keyword" @@ -513,28 +473,24 @@ "gen3/bin/kube-setup-sower-jobs.sh": [ { "hashed_secret": "40304f287a52d99fdbe086ad19dbdbf9cc1b3897", - "is_secret": false, "is_verified": false, "line_number": 25, "type": "Secret Keyword" }, { "hashed_secret": "e7064f0b80f61dbc65915311032d27baa569ae2a", - "is_secret": false, "is_verified": false, "line_number": 26, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 120, "type": "Secret Keyword" }, { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 122, "type": "Secret Keyword" 
@@ -543,21 +499,18 @@ "gen3/bin/kube-setup-ssjdispatcher.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 117, "type": "Secret Keyword" }, { "hashed_secret": "7992309146efaa8da936e34b0bd33242cd0e9f93", - "is_secret": false, "is_verified": false, "line_number": 184, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 197, "type": "Secret Keyword" @@ -566,14 +519,12 @@ "gen3/lib/aws.sh": [ { "hashed_secret": "8db3b325254b6389ca194d829d2fc923dc0a945d", - "is_secret": false, "is_verified": false, "line_number": 640, "type": "Secret Keyword" }, { "hashed_secret": "5b4b6c62d3d99d202f095c38c664eded8f640ce8", - "is_secret": false, "is_verified": false, "line_number": 660, "type": "Secret Keyword" @@ -582,14 +533,12 @@ "gen3/lib/bootstrap/templates/Gen3Secrets/apis_configs/fence-config.yaml": [ { "hashed_secret": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3", - "is_secret": false, "is_verified": false, "line_number": 33, "type": "Basic Auth Credentials" }, { "hashed_secret": "5d07e1b80e448a213b392049888111e1779a52db", - "is_secret": false, "is_verified": false, "line_number": 286, "type": "Secret Keyword" @@ -598,7 +547,6 @@ "gen3/lib/bootstrap/templates/Gen3Secrets/creds.json": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 26, "type": "Secret Keyword" @@ -607,7 +555,6 @@ "gen3/lib/bootstrap/templates/Gen3Secrets/g3auto/dbfarm/servers.json": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Secret Keyword" @@ -616,7 +563,6 @@ "gen3/lib/logs/utils.sh": [ { "hashed_secret": "76143b4ffc8aa2a53f9700ce229f904e69f1e8b5", - "is_secret": false, "is_verified": false, "line_number": 3, "type": "Secret Keyword" 
@@ -625,7 +571,6 @@ "gen3/lib/manifestDefaults/hatchery/hatchery.json": [ { "hashed_secret": "0da0e0005ca04acb407af2681d0bede6d9406039", - "is_secret": false, "is_verified": false, "line_number": 78, "type": "Secret Keyword" @@ -634,14 +579,12 @@ "gen3/lib/onprem.sh": [ { "hashed_secret": "29e52a9bac8f274fa41c51fce9c98eba0dd99cb3", - "is_secret": false, "is_verified": false, "line_number": 68, "type": "Secret Keyword" }, { "hashed_secret": "50f013532a9770a2c2cfdc38b7581dd01df69b70", - "is_secret": false, "is_verified": false, "line_number": 84, "type": "Secret Keyword" @@ -650,14 +593,12 @@ "gen3/lib/secrets/rotate-postgres.sh": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 162, "type": "Secret Keyword" }, { "hashed_secret": "d3df8a3b08a9de43b73eca1302d50e7a0e5b360f", - "is_secret": false, "is_verified": false, "line_number": 250, "type": "Secret Keyword" 
@@ -666,49 +607,42 @@ "gen3/lib/testData/etlconvert/expected2.yaml": [ { "hashed_secret": "fe54e5e937d642307ec155b47ac8a214cb40d474", - "is_secret": false, "is_verified": false, "line_number": 10, "type": "Base64 High Entropy String" }, { "hashed_secret": "cea0e701e53c42bede2212b22f58f9ff8324da55", - "is_secret": false, "is_verified": false, "line_number": 13, "type": "Base64 High Entropy String" }, { "hashed_secret": "d98d72830f08c9a8b96ed11d3d96ae9e71b72a26", - "is_secret": false, "is_verified": false, "line_number": 16, "type": "Base64 High Entropy String" }, { "hashed_secret": "667fd45d415f73f4132cf0ed11452beb51117b12", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Base64 High Entropy String" }, { "hashed_secret": "c2599d515ba3be74ed58821485ba769fc565e424", - "is_secret": false, "is_verified": false, "line_number": 33, "type": "Base64 High Entropy String" }, { "hashed_secret": "6ec5eb29e2884f0c9731493b38902e37c2d672ba", - "is_secret": false, "is_verified": false, "line_number": 35, "type": "Base64 High Entropy String" }, { "hashed_secret": "99126b74731670a59b663d5320712564ec7b5f22", - "is_secret": false, "is_verified": false, "line_number": 36, "type": "Base64 High Entropy String" @@ -717,7 +651,6 @@ "gen3/test/secretsTest.sh": [ { "hashed_secret": "c2c715092ef59cba22520f109f041efca84b8938", - "is_secret": false, "is_verified": false, "line_number": 25, "type": "Secret Keyword" 
@@ -726,28 +659,24 @@ "gen3/test/terraformTest.sh": [ { "hashed_secret": "8db3b325254b6389ca194d829d2fc923dc0a945d", - "is_secret": false, "is_verified": false, "line_number": 156, "type": "Secret Keyword" }, { "hashed_secret": "1cc07dccfdf640eb0e403e490a873a5536759009", - "is_secret": false, "is_verified": false, "line_number": 172, "type": "Base64 High Entropy String" }, { "hashed_secret": "185a71a740ef6b9b21c84e6eaa47b89c7de181ef", - "is_secret": false, "is_verified": false, "line_number": 175, "type": "Base64 High Entropy String" }, { "hashed_secret": "329b7cd8191942bedd337107934d365c43a86e6c", - "is_secret": false, "is_verified": false, "line_number": 175, "type": "Secret Keyword" @@ -756,21 +685,18 @@ "kube/services/argocd/values.yaml": [ { "hashed_secret": "27c6929aef41ae2bcadac15ca6abcaff72cda9cd", - "is_secret": false, "is_verified": false, "line_number": 360, "type": "Private Key" }, { "hashed_secret": "edbd5e119f94badb9f99a67ac6ff4c7a5204ad61", - "is_secret": false, "is_verified": false, "line_number": 379, "type": "Secret Keyword" }, { "hashed_secret": "91dfd9ddb4198affc5c194cd8ce6d338fde470e2", - "is_secret": false, "is_verified": false, "line_number": 412, "type": "Secret Keyword" @@ -779,7 +705,6 @@ "kube/services/datadog/values.yaml": [ { "hashed_secret": "4a8ce7ae6a8a7f2624e232b61b18c2ac9789c44b", - "is_secret": false, "is_verified": false, "line_number": 23, "type": "Secret Keyword" 
@@ -788,401 +713,362 @@ "kube/services/fenceshib/fenceshib-configmap.yaml": [ { "hashed_secret": "a985e14b9d6744a2d04f29347693b55c116e478c", - "is_secret": false, "is_verified": false, "line_number": 375, "type": "Base64 High Entropy String" }, { "hashed_secret": "adc747bc5eb82ef4b017f5c3759dcee5aa28c36f", - "is_secret": false, "is_verified": false, "line_number": 376, "type": "Base64 High Entropy String" }, { "hashed_secret": "59b1702ff0eaf92c9271cbd12f587de97df7e13b", - "is_secret": false, "is_verified": false, "line_number": 377, "type": "Base64 High Entropy String" }, { "hashed_secret": "b4a748bbfbbca8925d932a47ab3dcb970d34caf5", - "is_secret": false, "is_verified": false, "line_number": 378, "type": "Base64 High Entropy String" }, { "hashed_secret": "af646701a84f7dd9f0e87753f54def881326e78a", - "is_secret": false, "is_verified": false, "line_number": 379, "type": "Base64 High Entropy String" }, { "hashed_secret": "20c15ad9742124dc06e1612282c49bb443ebcbd9", - "is_secret": false, "is_verified": false, "line_number": 380, "type": "Base64 High Entropy String" }, { "hashed_secret": "9caded71b967a11b7a6cd0f20db91f06f3517d12", - "is_secret": false, "is_verified": false, "line_number": 381, "type": "Base64 High Entropy String" }, { "hashed_secret": "8f19501bc9241b71f7b6db929fb35ab12635dcd7", - "is_secret": false, "is_verified": false, "line_number": 382, "type": "Base64 High Entropy String" }, { "hashed_secret": "d6220f6a55df1ed11c4250f42ab07bb9da20541a", - "is_secret": false, "is_verified": false, "line_number": 383, "type": "Base64 High Entropy String" }, { "hashed_secret": "dadd9b96636f9529f2547d05d754dc310ceba0c3", - "is_secret": false, "is_verified": false, "line_number": 384, "type": "Base64 High Entropy String" }, { "hashed_secret": "3074bc66584550e20c3697a28f67a0762394943c", - "is_secret": false, "is_verified": false, "line_number": 385, "type": "Base64 High Entropy String" }, { "hashed_secret": "823131319b4c4b4688f44d3e832bfa9696f16b52", - "is_secret": false, 
"is_verified": false, "line_number": 386, "type": "Base64 High Entropy String" }, { "hashed_secret": "015b780cbfb76988caf52de8ac974a6781e53110", - "is_secret": false, "is_verified": false, "line_number": 387, "type": "Base64 High Entropy String" }, { "hashed_secret": "5c8fac33207d74d667680ade09447ea8f43b76d7", - "is_secret": false, "is_verified": false, "line_number": 388, "type": "Base64 High Entropy String" }, { "hashed_secret": "c0c4bb09d8394e8f001e337bd27ccac355433d9e", - "is_secret": false, "is_verified": false, "line_number": 389, "type": "Base64 High Entropy String" }, { "hashed_secret": "f95631bcbbbc56e18487dcb242cfb1b3e74b16a1", - "is_secret": false, "is_verified": false, "line_number": 390, "type": "Base64 High Entropy String" }, { "hashed_secret": "01a692ab6232e0882a313d148981bab58ab98f53", - "is_secret": false, "is_verified": false, "line_number": 391, "type": "Base64 High Entropy String" }, { "hashed_secret": "658060a680d415ce6690ad2c3b622ddb33ddd50a", - "is_secret": false, "is_verified": false, "line_number": 392, "type": "Base64 High Entropy String" }, { "hashed_secret": "80915b0bd9daa5e1f95cad573892980b1b5a2294", - "is_secret": false, "is_verified": false, "line_number": 393, "type": "Base64 High Entropy String" }, { "hashed_secret": "cc55977b293d8cdca8a2c19dfea6874e70057c41", - "is_secret": false, "is_verified": false, "line_number": 394, "type": "Base64 High Entropy String" }, { "hashed_secret": "e400ed02add75dd5f3a8c212857acf12027437d1", - "is_secret": false, "is_verified": false, "line_number": 395, "type": "Base64 High Entropy String" }, { "hashed_secret": "2e819c8baa3b0508a32b77de258655b3f3a6f7cb", - "is_secret": false, "is_verified": false, "line_number": 396, "type": "Base64 High Entropy String" }, { "hashed_secret": "546ed926d58ea5492ab6adb8be94a67aa44ac433", - "is_secret": false, "is_verified": false, "line_number": 397, "type": "Base64 High Entropy String" }, { "hashed_secret": "f056f2deceed268e7af6dbdaf2577079c76e006a", - "is_secret": 
false, "is_verified": false, "line_number": 398, "type": "Base64 High Entropy String" }, { "hashed_secret": "d75efee28f4798c3a9c6f44b78a8500513ef28b2", - "is_secret": false, "is_verified": false, "line_number": 399, "type": "Base64 High Entropy String" }, { - "hashed_secret": "7803ae08cdc22a5e0b025eff3c9ef0628eedc165", - "is_secret": false, + "hashed_secret": "fbad0bc8f7792b03f89cd3780eb7cf79f284c525", "is_verified": false, "line_number": 419, "type": "Base64 High Entropy String" }, { - "hashed_secret": "b8b61e87f5b58b0eeb597b2122ea0cea2ccab3d9", - "is_secret": false, + "hashed_secret": "3f6480956a775dacb44e2c39aa3d4722a347f7ab", "is_verified": false, "line_number": 420, "type": "Base64 High Entropy String" }, { - "hashed_secret": "787745fc904c3bd7eddc3d1aab683a376c13890f", - "is_secret": false, + "hashed_secret": "17f32ae55b14d708ca121722c2cae37189f19daf", "is_verified": false, "line_number": 423, "type": "Base64 High Entropy String" }, { - "hashed_secret": "81361d672f238f505a6246ef9b655ee2f48d67e7", - "is_secret": false, + "hashed_secret": "08a74689ca077515d406093720a7e5675fb42bb8", "is_verified": false, "line_number": 424, "type": "Base64 High Entropy String" }, { - "hashed_secret": "7c98bff76ac3f273d15ed9bc3dd5294d323ab577", - "is_secret": false, + "hashed_secret": "fa577bb3b2600d2d522dcfea8f1e34896760fcf2", "is_verified": false, "line_number": 425, "type": "Base64 High Entropy String" }, { - "hashed_secret": "46038fc88daceed8dd46817ca45c72ae0270fdd4", - "is_secret": false, + "hashed_secret": "37254f15cca211a1bd5f7ceb23de2b3eb8fb33aa", "is_verified": false, "line_number": 426, "type": "Base64 High Entropy String" }, { - "hashed_secret": "acad0c57b4f5cbed1b4863ed06d02784180a9f92", - "is_secret": false, + "hashed_secret": "86865593e038509467b91c2d5f36ccc09c3f422b", "is_verified": false, "line_number": 427, "type": "Base64 High Entropy String" }, { - "hashed_secret": "1b57f49a6ee337c16ecd6aabfc0dff3b3821cd09", - "is_secret": false, + "hashed_secret": 
"a899a8d9e114b2a8e108f90e6a72c056db22489f", "is_verified": false, "line_number": 428, "type": "Base64 High Entropy String" }, { - "hashed_secret": "5b688158be36e8b3f265a462ed599dcf69290084", - "is_secret": false, + "hashed_secret": "756b4825f886afd83c25563ac9d45f318d695c48", "is_verified": false, "line_number": 429, "type": "Base64 High Entropy String" }, { - "hashed_secret": "965996e12c8b50b3c325d96003e8984a4ece658a", - "is_secret": false, + "hashed_secret": "89882eeb0aca97717a7e4afcf4bc08d077813c7f", "is_verified": false, "line_number": 430, "type": "Base64 High Entropy String" }, { - "hashed_secret": "584f0c58e764e948af1a35c9e60447aa0f84c6f5", - "is_secret": false, + "hashed_secret": "347140d7b7ceb4e501c3c9c2ea4f29338e2f145e", "is_verified": false, "line_number": 431, "type": "Base64 High Entropy String" }, { - "hashed_secret": "bcaf897786d060a675ee9d654a84ae8baf96e9d0", - "is_secret": false, + "hashed_secret": "61dbf70eb10d609e60c7b87faf8f755ff48abc46", "is_verified": false, "line_number": 432, "type": "Base64 High Entropy String" }, { - "hashed_secret": "0c09277fa183e06d32065f9386a3b4190b445df3", - "is_secret": false, + "hashed_secret": "24cd54c4b2f58378bba008cb2df68ac663fba7c8", "is_verified": false, "line_number": 433, "type": "Base64 High Entropy String" }, { - "hashed_secret": "5a51be06b305d6664e4afd25f21869b0f8b5039b", - "is_secret": false, + "hashed_secret": "fa4f9626ae4b98f4b61203c5bafb6f21c9c31e5d", "is_verified": false, "line_number": 434, "type": "Base64 High Entropy String" }, { - "hashed_secret": "b38404f8853d734e3d03577b2c1084b4540c8708", - "is_secret": false, + "hashed_secret": "b1370003d9cc1e346c83dba33e0418c7775a0c15", "is_verified": false, "line_number": 435, "type": "Base64 High Entropy String" }, { - "hashed_secret": "126ccc602cffcb8292beb57137f7f6719e317b72", - "is_secret": false, + "hashed_secret": "c66526e195e423a7ba7d68ac661cdcd8600dcd1f", "is_verified": false, "line_number": 436, "type": "Base64 High Entropy String" }, { - 
"hashed_secret": "6681c1d7e1d327642a32cb8864ad51e4b8f981e5", - "is_secret": false, + "hashed_secret": "d29d7044f0944eb30e02cf445f6998e3343dd811", "is_verified": false, "line_number": 437, "type": "Base64 High Entropy String" }, { - "hashed_secret": "7f7b1f316ece195e5f584fe2faf6f9edc6942c6f", - "is_secret": false, + "hashed_secret": "80a869460f33722387d8d58e7d9d2e1bbd5d1fe1", + "is_verified": false, + "line_number": 438, + "type": "Base64 High Entropy String" + }, + { + "hashed_secret": "4a06e2a02cbc665adccb4162dc57836895da65b8", "is_verified": false, "line_number": 439, "type": "Base64 High Entropy String" }, { - "hashed_secret": "bb908c7bc655057f2edc42815c5dff82e9dea529", - "is_secret": false, + "hashed_secret": "ba2549f35835dfa101d3f660f7604dc78e3e226f", "is_verified": false, "line_number": 440, "type": "Base64 High Entropy String" }, { - "hashed_secret": "bc2a0d18e3dd142df7b34e95342d47bf8aadabcb", - "is_secret": false, + "hashed_secret": "f354d4ee5fdb94ad29c7b3600264467f45b80eaa", "is_verified": false, "line_number": 441, "type": "Base64 High Entropy String" }, { - "hashed_secret": "d60f0bcea109bb6edb6e45fd387f5f2c86e49e1a", - "is_secret": false, + "hashed_secret": "bf17b587868ba7c3db9865b114261b5b8f1df870", "is_verified": false, "line_number": 442, "type": "Base64 High Entropy String" }, { - "hashed_secret": "e549dd40a741557cc1c4e377df0a141354e22688", - "is_secret": false, + "hashed_secret": "de1fd7a0d32cba528b4d80818c6601f2588d5383", "is_verified": false, "line_number": 443, "type": "Base64 High Entropy String" }, { - "hashed_secret": "2dd2486dae84cad50387c20bf687b6fbc6162b58", - "is_secret": false, + "hashed_secret": "bcad65055f6de654541db2bf27d4e27bd54d94c7", "is_verified": false, "line_number": 444, "type": "Base64 High Entropy String" }, { - "hashed_secret": "71622010fc7eb09d9273f59c548bde6a5da5dc0e", - "is_secret": false, + "hashed_secret": "f2e16f2dd532f65f79341342fdf57a093fc408d8", "is_verified": false, "line_number": 445, "type": "Base64 High Entropy 
String" }, { - "hashed_secret": "6f0115cf53bd49ec990c562ac6cbfc452c83cd46", - "is_secret": false, + "hashed_secret": "bb036a679a7d2df9fd2ca57068a446bf7f7dd106", "is_verified": false, "line_number": 446, "type": "Base64 High Entropy String" }, { - "hashed_secret": "70dddd534b2f9bb70871fefe0845b79c3b69363f", - "is_secret": false, + "hashed_secret": "5aa6568b1e8185578a6e964f5c322783ad349554", + "is_verified": false, + "line_number": 447, + "type": "Base64 High Entropy String" + }, + { + "hashed_secret": "4d14835ff0b0bf5aad480296cb705c74ac65f413", "is_verified": false, "line_number": 448, "type": "Base64 High Entropy String" }, { - "hashed_secret": "acf3536b0416aa99608b0be17e87655370ece829", - "is_secret": false, + "hashed_secret": "3f23f77dcf454ad73c4d61c44fd9aa584ef946c1", + "is_verified": false, + "line_number": 451, + "type": "Base64 High Entropy String" + }, + { + "hashed_secret": "1739fe5e5dfcf851b64f8b7b11538f1de29ce0b5", "is_verified": false, - "line_number": 449, + "line_number": 452, "type": "Base64 High Entropy String" }, { - "hashed_secret": "1d13ee35c7279c1fae1c6474ed47611994273e41", - "is_secret": false, + "hashed_secret": "8129db302110714fc735e3494bd82a65690e0963", "is_verified": false, - "line_number": 450, + "line_number": 453, "type": "Base64 High Entropy String" }, { - "hashed_secret": "d38cf89b25bd7378cdb4e00b4b59293001dd500b", - "is_secret": false, + "hashed_secret": "b48bfc62091164086a703115a0e68bdb09212591", "is_verified": false, - "line_number": 451, + "line_number": 454, "type": "Base64 High Entropy String" }, { - "hashed_secret": "1648f34ce2f1b563a8ed1c6d5d55b5e76a395903", - "is_secret": false, + "hashed_secret": "a10284feaf27f84081073a3267e3dce24ca7b911", "is_verified": false, - "line_number": 452, + "line_number": 455, "type": "Base64 High Entropy String" }, { - "hashed_secret": "9bf63f6f49fb01ff80959bc5a60c8688df92cc02", - "is_secret": false, + "hashed_secret": "3fd80f31de4be8dde9d2b421e832c7d4043fd49a", "is_verified": false, - 
"line_number": 453, + "line_number": 456, "type": "Base64 High Entropy String" } ], "kube/services/jobs/indexd-authz-job.yaml": [ { "hashed_secret": "bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f", - "is_secret": false, "is_verified": false, "line_number": 87, "type": "Basic Auth Credentials" @@ -1191,14 +1077,12 @@ "kube/services/monitoring/grafana-values.yaml": [ { "hashed_secret": "2ae868079d293e0a185c671c7bcdac51df36e385", - "is_secret": false, "is_verified": false, "line_number": 162, "type": "Secret Keyword" }, { "hashed_secret": "7a64ff8446b06d38dc271019994f13823a2cbcf4", - "is_secret": false, "is_verified": false, "line_number": 166, "type": "Secret Keyword" @@ -1207,7 +1091,6 @@ "kube/services/revproxy/helpers.js": [ { "hashed_secret": "1d278d3c888d1a2fa7eed622bfc02927ce4049af", - "is_secret": false, "is_verified": false, "line_number": 10, "type": "Base64 High Entropy String" @@ -1216,7 +1099,6 @@ "kube/services/revproxy/helpersTest.js": [ { "hashed_secret": "e029d4904cc728879d70030572bf37d4510367cb", - "is_secret": false, "is_verified": false, "line_number": 22, "type": "JSON Web Token" @@ -1225,7 +1107,6 @@ "kube/services/superset/superset-deploy.yaml": [ { "hashed_secret": "96e4aceb7cf284be363aa248a32a7cc89785a9f7", - "is_secret": false, "is_verified": false, "line_number": 38, "type": "Secret Keyword" @@ -1234,14 +1115,12 @@ "kube/services/superset/superset-redis.yaml": [ { "hashed_secret": "4af3596275edcb7cd5cc6c3c38bc10479902a08f", - "is_secret": false, "is_verified": false, "line_number": 165, "type": "Secret Keyword" }, { "hashed_secret": "9fe1c31809da38c55b2b64bfab47b92bc5f6b7b9", - "is_secret": false, "is_verified": false, "line_number": 265, "type": "Secret Keyword" 
@@ -1250,35 +1129,30 @@ "kube/services/superset/values.yaml": [ { "hashed_secret": "6f803b24314c39062efe38d0c1da8c472f47eab3", - "is_secret": false, "is_verified": false, "line_number": 54, "type": "Secret Keyword" }, { "hashed_secret": "6eae3a5b062c6d0d79f070c26e6d62486b40cb46", - "is_secret": false, "is_verified": false, "line_number": 86, "type": "Secret Keyword" }, { "hashed_secret": "3eb416223e9e69e6bb8ee19793911ad1ad2027d8", - "is_secret": false, "is_verified": false, "line_number": 212, "type": "Secret Keyword" }, { "hashed_secret": "ff55435345834a3fe224936776c2aa15f6ed5358", - "is_secret": false, "is_verified": false, "line_number": 396, "type": "Secret Keyword" }, { "hashed_secret": "98a84a63e5633d17e3b27b69695f87aa7189e9dc", - "is_secret": false, "is_verified": false, "line_number": 503, "type": "Secret Keyword" 
@@ -1287,280 +1161,240 @@ "package-lock.json": [ { "hashed_secret": "0656ad0df3af4633dc369f13d5e8806973c5fd9d", - "is_secret": false, "is_verified": false, "line_number": 1481, "type": "Base64 High Entropy String" }, { "hashed_secret": "00091d875d922437c5fc9e6067a08e78c2482e87", - "is_secret": false, "is_verified": false, "line_number": 1489, "type": "Base64 High Entropy String" }, { "hashed_secret": "c4e5cc37e115bf7d86e76e3d799705bf691e4d00", - "is_secret": false, "is_verified": false, "line_number": 1521, "type": "Base64 High Entropy String" }, { "hashed_secret": "0512e37fbedf1d16828680a038a241b4780a5c04", - "is_secret": false, "is_verified": false, "line_number": 1547, "type": "Base64 High Entropy String" }, { "hashed_secret": "01868fd50edbfe6eb91e5b01209b543adc6857af", - "is_secret": false, "is_verified": false, "line_number": 1611, "type": "Base64 High Entropy String" }, { "hashed_secret": "a6f48bf1e398deffc7fd31da17c3506b46c97a93", - "is_secret": false, "is_verified": false, "line_number": 1640, "type": "Base64 High Entropy String" }, { "hashed_secret": "85ce358dbdec0996cf3ccd2bf1c6602af68c181e", - "is_secret": false, "is_verified": false, "line_number": 1648, "type": "Base64 High Entropy String" }, { "hashed_secret": "6f9bfb49cb818d2fe07592515e4c3f7a0bbd7e0e", - "is_secret": false, "is_verified": false, "line_number": 1664, "type": "Base64 High Entropy String" }, { "hashed_secret": "7098a3e6d6d2ec0a40f04fe12509c5c6f4c49c0e", - "is_secret": false, "is_verified": false, "line_number": 1683, "type": "Base64 High Entropy String" }, { "hashed_secret": "1664ad175bba1795a7ecad572bae7e0740b94f56", - "is_secret": false, "is_verified": false, "line_number": 1733, "type": "Base64 High Entropy String" }, { "hashed_secret": "1ec4ce2eb945ce2f816dcb6ebdd1e10247f439a3", - "is_secret": false, "is_verified": false, "line_number": 1742, "type": "Base64 High Entropy String" }, { "hashed_secret": "a7af5768a6d936e36f28e1030d7f894d7aaf555e", - "is_secret": false, "is_verified": 
false, "line_number": 1755, "type": "Base64 High Entropy String" }, { "hashed_secret": "6fbc7dd864586173160874f2a86ca7d2d552cb85", - "is_secret": false, "is_verified": false, "line_number": 1769, "type": "Base64 High Entropy String" }, { "hashed_secret": "81a961f2c89c6209328b74a8768e30fd76c3ac72", - "is_secret": false, "is_verified": false, "line_number": 1855, "type": "Base64 High Entropy String" }, { "hashed_secret": "797d4751c536c421cb82b9f62e0a804af30d78f5", - "is_secret": false, "is_verified": false, "line_number": 1889, "type": "Base64 High Entropy String" }, { "hashed_secret": "0d55babfa89f240142c0adfc7b560500a1d3ae7c", - "is_secret": false, "is_verified": false, "line_number": 1894, "type": "Base64 High Entropy String" }, { "hashed_secret": "e9fdc3025cd10bd8aa4508611e6b7b7a9d650a2c", - "is_secret": false, "is_verified": false, "line_number": 1921, "type": "Base64 High Entropy String" }, { "hashed_secret": "4cf9419259c0ce8eee84b468af3c72db8b001620", - "is_secret": false, "is_verified": false, "line_number": 1950, "type": "Base64 High Entropy String" }, { "hashed_secret": "24816e3eb4308e247bde7c1d09ffb7b79c519b71", - "is_secret": false, "is_verified": false, "line_number": 1983, "type": "Base64 High Entropy String" }, { "hashed_secret": "e9adfe8a333d45f4776fe0eab31608be5d7b6a7d", - "is_secret": false, "is_verified": false, "line_number": 2004, "type": "Base64 High Entropy String" }, { "hashed_secret": "03d6fb388dd1b185129b14221f7127715822ece6", - "is_secret": false, "is_verified": false, "line_number": 2013, "type": "Base64 High Entropy String" }, { "hashed_secret": "ee161bb3f899720f95cee50a5f9ef9c9ed96278b", - "is_secret": false, "is_verified": false, "line_number": 2046, "type": "Base64 High Entropy String" }, { "hashed_secret": "ebeb5b574fa1ed24a40248275e6136759e766466", - "is_secret": false, "is_verified": false, "line_number": 2078, "type": "Base64 High Entropy String" }, { "hashed_secret": "a6a555a428522ccf439fd516ce7c7e269274363f", - "is_secret": 
false, "is_verified": false, "line_number": 2083, "type": "Base64 High Entropy String" }, { "hashed_secret": "f7f85d9f7c87f1e576dcaf4cf50f35728f9a3265", - "is_secret": false, "is_verified": false, "line_number": 2111, "type": "Base64 High Entropy String" }, { "hashed_secret": "3f1646b60abe74297d2f37a1eee5dc771ad834fc", - "is_secret": false, "is_verified": false, "line_number": 2138, "type": "Base64 High Entropy String" }, { "hashed_secret": "fd933c71e82d5519ae0cb0779b370d02f6935759", - "is_secret": false, "is_verified": false, "line_number": 2143, "type": "Base64 High Entropy String" }, { "hashed_secret": "7090aa59cb52ad1f1810b08c4ac1ddf5c8fce523", - "is_secret": false, "is_verified": false, "line_number": 2150, "type": "Base64 High Entropy String" }, { "hashed_secret": "756444bea4ea3d67844d8ddf58ad32356e9c2430", - "is_secret": false, "is_verified": false, "line_number": 2188, "type": "Base64 High Entropy String" }, { "hashed_secret": "f74135fdd6b8dafdfb01ebbc61c5e5c24ee27cf8", - "is_secret": false, "is_verified": false, "line_number": 2291, "type": "Base64 High Entropy String" }, { "hashed_secret": "56fbae787f4aed7d0632e95840d71bd378d3a36f", - "is_secret": false, "is_verified": false, "line_number": 2303, "type": "Base64 High Entropy String" }, { "hashed_secret": "81cb6be182eb79444202c4563080aee75296a672", - "is_secret": false, "is_verified": false, "line_number": 2308, "type": "Base64 High Entropy String" }, { "hashed_secret": "f0f3f7bce32184893046ac5f8cc80da56c3ca539", - "is_secret": false, "is_verified": false, "line_number": 2317, "type": "Base64 High Entropy String" }, { "hashed_secret": "097893233346336f4003acfb6eb173ee59e648f0", - "is_secret": false, "is_verified": false, "line_number": 2327, "type": "Base64 High Entropy String" }, { "hashed_secret": "bb14c3b4ef4a9f2e86ffdd44b88d9b6729419671", - "is_secret": false, "is_verified": false, "line_number": 2332, "type": "Base64 High Entropy String" }, { "hashed_secret": 
"71344a35cff67ef081920095d1406601fb5e9b97", - "is_secret": false, "is_verified": false, "line_number": 2340, "type": "Base64 High Entropy String" }, { "hashed_secret": "eb3db6990fd43477a35dfeffc90b3f1ffa83c7bd", - "is_secret": false, "is_verified": false, "line_number": 2349, "type": "Base64 High Entropy String" }, { "hashed_secret": "266288bdc14807b538d1e48a5891e361fa9b4a14", - "is_secret": false, "is_verified": false, "line_number": 2357, "type": "Base64 High Entropy String" }, { "hashed_secret": "800477261175fd21f23e7321923e1fba6ae55471", - "is_secret": false, "is_verified": false, "line_number": 2369, "type": "Base64 High Entropy String" }, { "hashed_secret": "3f0c251b9c2c21454445a98fde6915ceacde2136", - "is_secret": false, "is_verified": false, "line_number": 2387, "type": "Base64 High Entropy String" @@ -1569,7 +1403,6 @@ "tf_files/aws/cognito/README.md": [ { "hashed_secret": "f6920f370a30262b7dd70e97293c73ec89739b70", - "is_secret": false, "is_verified": false, "line_number": 106, "type": "Secret Keyword" @@ -1578,14 +1411,12 @@ "tf_files/aws/commons/README.md": [ { "hashed_secret": "d02e53411e8cb4cd709778f173f7bc9a3455f8ed", - "is_secret": false, "is_verified": false, "line_number": 60, "type": "Secret Keyword" }, { "hashed_secret": "9dc0da3613af850c5a018b0a88a5626fb8888e4e", - "is_secret": false, "is_verified": false, "line_number": 78, "type": "Secret Keyword" @@ -1594,7 +1425,6 @@ "tf_files/aws/eks/sample.tfvars": [ { "hashed_secret": "83c1003f406f34fba4d6279a948fee3abc802884", - "is_secret": false, "is_verified": false, "line_number": 107, "type": "Hex High Entropy String" @@ -1603,7 +1433,6 @@ "tf_files/aws/eks/variables.tf": [ { "hashed_secret": "83c1003f406f34fba4d6279a948fee3abc802884", - "is_secret": false, "is_verified": false, "line_number": 133, "type": "Hex High Entropy String" 
@@ -1612,14 +1441,12 @@ "tf_files/aws/modules/common-logging/README.md": [ { "hashed_secret": "83442aa5a16cb1992731c32367ef464564388017", - "is_secret": false, "is_verified": false, "line_number": 57, "type": "Base64 High Entropy String" }, { "hashed_secret": "fd4a4637ac99de2c1d89155d66d1f3de15d231a2", - "is_secret": false, "is_verified": false, "line_number": 59, "type": "Hex High Entropy String" @@ -1628,28 +1455,24 @@ "tf_files/aws/modules/common-logging/lambda_function.py": [ { "hashed_secret": "061765d6854d72f03a6527610d5b6822c9d516de", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Hex High Entropy String" }, { "hashed_secret": "61df81a188bb4dba6ae6128ff7e2c9c6a6f736ef", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Base64 High Entropy String" }, { "hashed_secret": "a4667450661f32f7ad0f06e2f893a8fee9f18e38", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Hex High Entropy String" }, { "hashed_secret": "4f9fd96d3926f2c53ab0261d33f1d1a85a6a77ff", - "is_secret": false, "is_verified": false, "line_number": 30, "type": "Hex High Entropy String" @@ -1658,21 +1481,18 @@ "tf_files/aws/modules/common-logging/testLambda.py": [ { "hashed_secret": "061765d6854d72f03a6527610d5b6822c9d516de", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Hex High Entropy String" }, { "hashed_secret": "61df81a188bb4dba6ae6128ff7e2c9c6a6f736ef", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Base64 High Entropy String" }, { "hashed_secret": "a4667450661f32f7ad0f06e2f893a8fee9f18e38", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Hex High Entropy String" @@ -1681,7 +1501,6 @@ "tf_files/aws/modules/eks/variables.tf": [ { "hashed_secret": "83c1003f406f34fba4d6279a948fee3abc802884", - "is_secret": false, "is_verified": false, "line_number": 113, "type": "Hex High Entropy String" 
@@ -1690,14 +1509,12 @@ "tf_files/aws/modules/management-logs/README.md": [ { "hashed_secret": "83442aa5a16cb1992731c32367ef464564388017", - "is_secret": false, "is_verified": false, "line_number": 54, "type": "Base64 High Entropy String" }, { "hashed_secret": "fd4a4637ac99de2c1d89155d66d1f3de15d231a2", - "is_secret": false, "is_verified": false, "line_number": 56, "type": "Hex High Entropy String" @@ -1706,28 +1523,24 @@ "tf_files/aws/modules/management-logs/lambda_function.py": [ { "hashed_secret": "061765d6854d72f03a6527610d5b6822c9d516de", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Hex High Entropy String" }, { "hashed_secret": "61df81a188bb4dba6ae6128ff7e2c9c6a6f736ef", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Base64 High Entropy String" }, { "hashed_secret": "a4667450661f32f7ad0f06e2f893a8fee9f18e38", - "is_secret": false, "is_verified": false, "line_number": 18, "type": "Hex High Entropy String" }, { "hashed_secret": "4f9fd96d3926f2c53ab0261d33f1d1a85a6a77ff", - "is_secret": false, "is_verified": false, "line_number": 30, "type": "Hex High Entropy String" 
@@ -1736,42 +1549,36 @@ "tf_files/aws/modules/management-logs/testLambda.py": [ { "hashed_secret": "061765d6854d72f03a6527610d5b6822c9d516de", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Hex High Entropy String" }, { "hashed_secret": "61df81a188bb4dba6ae6128ff7e2c9c6a6f736ef", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Base64 High Entropy String" }, { "hashed_secret": "a4667450661f32f7ad0f06e2f893a8fee9f18e38", - "is_secret": false, "is_verified": false, "line_number": 5, "type": "Hex High Entropy String" }, { "hashed_secret": "3cf8eb4e9254e1d6cc523da01f8b798b9a83101a", - "is_secret": false, "is_verified": false, "line_number": 6, "type": "Base64 High Entropy String" }, { "hashed_secret": "51118900cd675df1b44f254057398f3e52902a5d", - "is_secret": false, "is_verified": false, "line_number": 6, "type": "Hex High Entropy String" }, { "hashed_secret": "60a6dfc8d43cd2f5c6292899fc2f94f2d4fc32c4", - "is_secret": false, "is_verified": false, "line_number": 6, "type": "Hex High Entropy String" @@ -1780,7 +1587,6 @@ "tf_files/aws/slurm/README.md": [ { "hashed_secret": "fd85d792fa56981cf6a8d2a5c0857c74af86e99d", - "is_secret": false, "is_verified": false, "line_number": 83, "type": "Secret Keyword" @@ -1789,7 +1595,6 @@ "tf_files/azure/cloud.tf": [ { "hashed_secret": "7c1a4b52b64e4106041971c345a1f3eab58fb2a4", - "is_secret": false, "is_verified": false, "line_number": 424, "type": "Secret Keyword" @@ -1798,7 +1603,6 @@ "tf_files/gcp-bwg/roots/commons_setup/variables/answerfile-commons_setup-001.template.tfvars": [ { "hashed_secret": "f865b53623b121fd34ee5426c792e5c33af8c227", - "is_secret": false, "is_verified": false, "line_number": 231, "type": "Secret Keyword" @@ -1807,7 +1611,6 @@ "tf_files/gcp-bwg/roots/templates/answerfile-commons_setup-001.template.tfvars": [ { "hashed_secret": "f865b53623b121fd34ee5426c792e5c33af8c227", - "is_secret": false, "is_verified": false, "line_number": 231, "type": "Secret Keyword" 
@@ -1816,7 +1619,6 @@ "tf_files/gcp-bwg/roots/templates/answerfile-env-tenant.user.tfvars_NO_APP_SETUP": [ { "hashed_secret": "f865b53623b121fd34ee5426c792e5c33af8c227", - "is_secret": false, "is_verified": false, "line_number": 262, "type": "Secret Keyword" @@ -1825,21 +1627,18 @@ "tf_files/gcp/commons/sample.tfvars": [ { "hashed_secret": "9f29ed52bc91ba45b309d5234e95edc7ca5286fd", - "is_secret": false, "is_verified": false, "line_number": 11, "type": "Secret Keyword" }, { "hashed_secret": "8db3b325254b6389ca194d829d2fc923dc0a945d", - "is_secret": false, "is_verified": false, "line_number": 26, "type": "Secret Keyword" }, { "hashed_secret": "253c7b5e7c83a86346fc4501495b130813f08105", - "is_secret": false, "is_verified": false, "line_number": 37, "type": "Secret Keyword" @@ -1848,7 +1647,6 @@ "tf_files/shared/modules/k8s_configs/creds.tpl": [ { "hashed_secret": "1f5e25be9b575e9f5d39c82dfd1d9f4d73f1975c", - "is_secret": false, "is_verified": false, "line_number": 8, "type": "Secret Keyword" diff --git a/files/scripts/healdata/heal-cedar-data-ingest.py b/files/scripts/healdata/heal-cedar-data-ingest.py index 1da4ac2d5..730a3b36e 100644 --- a/files/scripts/healdata/heal-cedar-data-ingest.py +++ b/files/scripts/healdata/heal-cedar-data-ingest.py @@ -1,5 +1,5 @@ import argparse -import json +import copy import sys import requests import pydash From 8103e82b1044daca4290831db63653b40b24b97c Mon Sep 17 00:00:00 2001 From: Hara Prasad Date: Thu, 29 Feb 2024 12:58:32 -0800 Subject: [PATCH 38/39] Add jenkins-dcp to the env pool reset script (#2489) --- files/scripts/ci-env-pool-reset.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/files/scripts/ci-env-pool-reset.sh b/files/scripts/ci-env-pool-reset.sh index c0c1f67c6..362cfbfd5 100644 --- a/files/scripts/ci-env-pool-reset.sh +++ b/files/scripts/ci-env-pool-reset.sh 
@@ -29,6 +29,7 @@ source "${GEN3_HOME}/gen3/gen3setup.sh" cat - > jenkins-envs-services.txt < Date: Thu, 29 Feb 2024 15:20:15 -0800 Subject: [PATCH 39/39] (HP-572) create dynamodb table for gen3-license workspace (#2441) * (HP-572) create dynamodb table for gen3-license workspace * (HP-572) get GSI from hatchery config * (HP-572) remove extra quotes from 'GSI' * (HP-572) move distribute-license for backwards compatibility --------- Co-authored-by: Mingfei Shao <2475897+mfshao@users.noreply.github.com> --- gen3/bin/kube-setup-hatchery.sh | 57 ++++++++++++++++++++++++++++++--- 1 file changed, 53 insertions(+), 4 deletions(-) diff --git a/gen3/bin/kube-setup-hatchery.sh b/gen3/bin/kube-setup-hatchery.sh index 691fb354a..5454d1e24 100644 --- a/gen3/bin/kube-setup-hatchery.sh +++ b/gen3/bin/kube-setup-hatchery.sh 
@@ -20,11 +20,60 @@ gen3 jupyter j-namespace setup # (g3k_kv_filter ${GEN3_HOME}/kube/services/hatchery/serviceaccount.yaml BINDING_ONE "name: hatchery-binding1-$namespace" BINDING_TWO "name: hatchery-binding2-$namespace" CURRENT_NAMESPACE "namespace: $namespace" | g3kubectl apply -f -) || true +function exists_or_create_gen3_license_table() { + # Create dynamodb table for gen3-license if it does not exist. + TARGET_TABLE="$1" + echo "Checking for dynamoDB table: ${TARGET_TABLE}" -# cron job to distribute licenses if using Stata workspaces -if [ "$(g3kubectl get configmaps/manifest-hatchery -o yaml | grep "\"image\": .*stata.*")" ]; -then - gen3 job cron distribute-licenses '* * * * *' + FOUND_TABLE=`aws dynamodb list-tables | jq -r .TableNames | jq -c -r '.[]' | grep $TARGET_TABLE` + if [ -n "$FOUND_TABLE" ]; then + echo "Target table already exists in dynamoDB: $FOUND_TABLE" + else + echo "Creating table ${TARGET_TABLE}" + GSI=`g3kubectl get configmaps/manifest-hatchery -o json | jq -r '.data."license-user-maps-global-secondary-index"'` + if [[ -z "$GSI" || "$GSI" == "null" ]]; then + echo "Error: No global-secondary-index in configuration" + return 0 + fi + aws dynamodb create-table \ + --no-cli-pager \ + --table-name "$TARGET_TABLE" \ + --attribute-definitions AttributeName=itemId,AttributeType=S \ + AttributeName=environment,AttributeType=S \ + AttributeName=isActive,AttributeType=S \ + --key-schema AttributeName=itemId,KeyType=HASH \ + AttributeName=environment,KeyType=RANGE \ + --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5 \ + --global-secondary-indexes \ + "[ + { + \"IndexName\": \"$GSI\", + \"KeySchema\": [{\"AttributeName\":\"environment\",\"KeyType\":\"HASH\"}, + {\"AttributeName\":\"isActive\",\"KeyType\":\"RANGE\"}], + \"Projection\":{ + \"ProjectionType\":\"INCLUDE\", + \"NonKeyAttributes\":[\"itemId\",\"userId\",\"licenseId\",\"licenseType\"] + }, + \"ProvisionedThroughput\": { + \"ReadCapacityUnits\": 5, + \"WriteCapacityUnits\": 
3 + } + } + ]" + fi +} + +TARGET_TABLE=`g3kubectl get configmaps/manifest-hatchery -o json | jq -r '.data."license-user-maps-dynamodb-table"'` +if [[ -z "$TARGET_TABLE" || "$TARGET_TABLE" == "null" ]]; then + echo "No gen3-license table in configuration" + # cron job to distribute licenses if using Stata workspaces but not using dynamoDB + if [ "$(g3kubectl get configmaps/manifest-hatchery -o yaml | grep "\"image\": .*stata.*")" ]; + then + gen3 job cron distribute-licenses '* * * * *' + fi +else + echo "Found gen3-license table in configuration: $TARGET_TABLE" + exists_or_create_gen3_license_table "$TARGET_TABLE" fi policy=$( cat <
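Review bot: The existence check in exists_or_create_gen3_license_table ends in `grep $TARGET_TABLE`, which is unquoted and matches substrings, so a configured name that is only part of another table's name is reported as present and the table is never created; the value is read from the manifest-hatchery configmap and should be neither word-split nor treated as a pattern. An exact fixed-string match keeps the rest of the function as it is: `FOUND_TABLE=$(aws dynamodb list-tables | jq -r '.TableNames[]' | grep -Fx -- "$TARGET_TABLE")`. The missing-GSI branch prints "Error: ..." but then runs `return 0`, and the exit status of `aws dynamodb create-table` is not checked, so the caller cannot tell that no table exists; `return 1` in that branch and `|| return 1` after the create call would surface both failures. `$GSI` is also pasted into hand-escaped JSON, and building that document with `jq -n --arg` would keep a quote or backslash in the configured index name from breaking it. FOUND_TABLE and GSI are assigned without `local`, so they leak into the script's global scope.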