Merge branch 'develop' into staging

apps/views.py

@@ -217,7 +217,7 @@ def get(self, request, user, project, ai_id):
             name=current_volume.name if current_volume else None
         )
 
-        if request.user.id != appinstance.owner.id:
+        if request.user.id != appinstance.owner.id and not request.user.is_superuser:
             show_permissions = False
 
         return render(request, template, locals())

charts/apps/python-serve/chart/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "0.1"
+description: A Helm chart for Python Model Deployment
+name: python-model-deployment
+version: 0.0.1

charts/apps/python-serve/chart/templates/deployment.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ .Values.appname }}
+  namespace: {{ .Values.namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      release: {{ .Release.Name }}
+      app: {{ .Values.appname }}
+      project: {{ .Values.project.slug }}
+      type: app
+      pod: {{ .Values.appname }}
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/path: /metrics
+        prometheus.io/port: "8501"
+      labels:
+        release: {{ $.Release.Name }}
+        app: {{ .Values.appname }}
+        project: {{ $.Values.project.slug }}
+        networking/allow-internet-egress: "true"
+        networking/allow-egress-to-studio-web: "true"
+        type: app
+        pod: {{ .Values.appname }}
+    spec:
+    {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      automountServiceAccountToken: false
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      volumes:
+      - name: rp-conf
+        configMap:
+          name: {{ .Release.Name }}-rp-config
+      {{ if .Values.apps.volumeK8s }}
+      {{- range $key, $value := .Values.apps.volumeK8s }}
+      - name: model-vol
+        persistentVolumeClaim:
+          claimName: {{ $value.release }}
+      {{- end }}
+      {{- end }}
+      containers:
+      - name: reverse-proxy
+        image: nginx:alpine
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: rp-conf
+          mountPath: /etc/nginx
+        resources:
+          limits:
+            cpu: 200m
+            memory: 256Mi
+          requests:
+            cpu: 100m
+            memory: 128Mi
+
+      - name: serve
+        securityContext:
+          {{- toYaml .Values.securityContext | nindent 10 }}
+        resources:
+          {{- toYaml .Values.flavor | nindent 10 }}
+        volumeMounts:
+          - name: model-vol
+            mountPath: /home/user/models
+        env:
+        - name: GUNICORN_CMD_ARGS
+          value: "--limit-request-field_size 0"
+          {{- with .Values.extraEnv }}
+          {{- tpl . $ | nindent 10 }}
+          {{- end }}
+        - name: PYTHONPATH
+          value: "/home/user/models"
+        - name: STACKN_MODEL_PATH
+          value: "/home/user/models"
+        image: {{ .Values.environment.repository }}/{{ .Values.environment.image }}
+        imagePullPolicy: Always
+        ports:
+        - containerPort: {{ .Values.appconfig.port }}
+      terminationGracePeriodSeconds: 30
+      dnsPolicy: ClusterFirst

charts/apps/python-serve/chart/templates/ingress.yaml

@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}-ingress
+  namespace: {{ .Values.namespace }}
+  labels:
+    io.kompose.service: {{ .Release.Name }}-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 50m
+    {{ if ne .Values.permission "public" }}
+    nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.protocol }}://{{ .Values.global.auth_domain }}:8080/auth/?release={{ .Values.release }}"
+    nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.domain }}/accounts/login/?next=$scheme%3A%2F%2F$host"
+    {{- end }}
+spec:
+  rules:
+    - host: {{ .Release.Name }}.{{ .Values.global.domain }}
+      http:
+        paths:
+        - path: /
+          backend:
+            service:
+              name: {{ .Values.service.name }}
+              port:
+                number: {{ .Values.service.port }}
+          pathType: ImplementationSpecific
+  tls:
+    - secretName: {{ .Values.ingress.secretName }}
+      hosts:
+        - {{ .Values.global.domain }}

charts/apps/python-serve/chart/templates/nginx_conf.yaml

@@ -0,0 +1,22 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-rp-config
+  namespace: {{ .Values.namespace }}
+data:
+  # Configuration values can be set as key-value properties
+  nginx.conf: |-
+    worker_processes 1;
+    events { worker_connections 1024; }
+    http {
+        server {
+            listen 1234;
+
+            client_max_body_size 500M;
+            large_client_header_buffers 4 128k;
+
+            location / {
+                proxy_pass http://127.0.0.1:{{ .Values.appconfig.port }};
+            }
+        }
+    }

charts/apps/python-serve/chart/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Values.service.name }}
+  namespace: {{ .Values.namespace }}
+  labels:
+    run: {{ .Values.appname }}-python-serve
+spec:
+  ports:
+  - port: {{ .Values.service.port }}
+    targetPort: {{ .Values.appconfig.port }}
+    protocol: TCP
+  selector:
+    release: {{ .Release.Name }}

charts/apps/python-serve/chart/values.yaml

@@ -0,0 +1,38 @@
+namespace: default
+appname: python-serve
+project:
+  name: project
+  slug: project-slug
+
+global:
+  protocol: TCP
+
+apps:
+  volumek8s:
+
+appconfig:
+  port: 8000
+
+service:
+  name: pythonserve-svc
+
+imagePullSecrets:
+  - name: regcred
+
+ingress:
+  secretName: prod-ingress
+
+podSecurityContext:
+  seccompProfile:
+      type: RuntimeDefault
+  fsGroup: 1000
+
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+  allowPrivilegeEscalation: false
+  privileged: false
+  capabilities:
+    drop:
+      - all

charts/apps/python-serve/config.json

@@ -0,0 +1,46 @@
+{
+  "category": "serve",
+  "description": "",
+  "name": "Python Model Deployment",
+  "priority": "200",
+  "settings": {
+    "default_values": {
+      "port": "80",
+      "targetport": "8080"
+    },
+    "env_variables": {
+      "{{ app_name }}_URL": "https://{{ release }}.{{ global.domain }}/predict/"
+    },
+    "environment": {
+      "name": "from",
+      "quantity": "one",
+      "title": "Environment",
+      "type": "match"
+    },
+    "flavor": "one",
+    "logs": [
+      "serve"
+    ],
+    "model": {
+      "object_type": "python-model"
+    },
+    "permissions": {
+      "private": {
+        "option": "true",
+        "value": "false"
+      },
+      "project": {
+        "option": "true",
+        "value": "true"
+      },
+      "public": {
+        "option": "true",
+        "value": "false"
+      }
+    }
+  },
+  "slug": "python-serve",
+  "table_field": {
+    "url": "https://{{ release }}.{{ global.domain }}/predict/"
+  }
+}

charts/apps/shinyproxy/chart/templates/configmap.yaml

@@ -35,7 +35,7 @@ data:
         id:  {{ .Release.Name }}
         labels:
           sp.instance: {{ .Release.Name }}
-          alow-api-access: "true"
+          allow-internet-egress: "true"
           shinyproxy-app: {{ .Release.Name }}
         kubernetes-pod-patches: |
           - op: add

charts/apps/shinyproxy/chart/templates/deployment.yaml

@@ -36,7 +36,7 @@ spec:
       affinity:
         {{ .Values.affinity | toYaml | nindent 8 | trim }}
     {{ end }}
-      automountServiceAccountToken: true
+      serviceAccountName: {{ .Values.namespace }}-shinyproxy
       containers:
       - name: serve
         image: {{ .Values.appconfig.proxyimage }}

charts/apps/shinyproxy/chart/templates/hooks.yaml

@@ -17,7 +17,7 @@ spec:
         allow-api-access: "true"
     spec:
       restartPolicy: Never
-      serviceAccountName: default
+      serviceAccountName: {{ .Values.namespace }}-shinyproxy
       containers:
       - name: delete-user-pods
         image: bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}

charts/apps/shinyproxy/chart/templates/ingress.yaml

@@ -10,6 +10,7 @@ metadata:
     nginx.ingress.kubernetes.io/auth-url: "{{ .Values.global.protocol }}://{{ .Values.global.auth_domain }}:8080/auth/?release={{ .Values.release }}"
     nginx.ingress.kubernetes.io/auth-signin: "https://{{ .Values.global.domain }}/accounts/login/?next=$scheme%3A%2F%2F$host"
     {{- end }}
+    nginx.ingress.kubernetes.io/proxy-body-size: 2000m
     #nginx.ingress.kubernetes.io/auth-response-headers: X-Forwarded-Host
 spec:
   rules:

common/admin.py

@@ -2,7 +2,7 @@
 from django.contrib.auth.admin import UserAdmin as DefaultUserAdmin
 from django.contrib.auth.models import User
 
-from .models import UserProfile
+from .models import EmailVerificationTable, UserProfile
 
 
 class UserProfileInline(admin.StackedInline):
@@ -12,8 +12,15 @@ class UserProfileInline(admin.StackedInline):
     fk_name = "user"
 
 
+class EmailVerificationTableInline(admin.StackedInline):
+    model = EmailVerificationTable
+    can_delete = True
+    verbose_name_plural = "EmailVerificationTable"
+    fk_name = "user"
+
+
 class UserAdmin(DefaultUserAdmin):
-    inlines = (UserProfileInline,)
+    inlines = (UserProfileInline, EmailVerificationTableInline)
     list_display = ("username", "email", "first_name", "last_name", "is_staff", "get_affiliation")
     list_select_related = ("userprofile",)
 

common/forms.py

@@ -1,5 +1,6 @@
 import json
 import re
+import uuid
 from dataclasses import dataclass
 from typing import Optional, Sequence
 
@@ -12,7 +13,7 @@
 from django.db import transaction
 from django.utils.safestring import mark_safe
 
-from common.models import UserProfile
+from common.models import EmailVerificationTable, UserProfile
 
 with open(settings.STATICFILES_DIRS[0] + "/common/departments.json", "r") as f:
     DEPARTMENTS = json.load(f).get("departments", [])
@@ -280,8 +281,31 @@ def is_valid(self, force_clean=False) -> bool:
     # But if you are going to use it somewhere else, you should add it
     def save(self):
         user = self.user.save()
+        email_verification = EmailVerificationTable(user=user, token=uuid.uuid4())
         profile = self.profile.save(commit=False)
         profile.user = user
         profile.is_approved = self.is_approved
         profile.save()
+        email_verification.save()
         return profile
+
+
+class TokenVerificationForm(forms.Form):
+    token = forms.CharField(
+        max_length=100,
+        label="Token",
+        widget=forms.TextInput(attrs={"class": "form-control"}),
+        help_text="Token from email",
+    )
+
+    def clean_token(self):
+        token = self.cleaned_data["token"]
+        if not EmailVerificationTable.objects.filter(token=token).exists():
+            raise ValidationError("Invalid token")
+        return token
+
+    class Meta:
+        model = EmailVerificationTable
+        fields = [
+            "token",
+        ]

common/migrations/0002_emailverificationtable.py

@@ -0,0 +1,26 @@
+# Generated by Django 4.2.5 on 2023-11-24 13:27
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("common", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="EmailVerificationTable",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("token", models.CharField(max_length=100)),
+                (
+                    "user",
+                    models.OneToOneField(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+                ),
+            ],
+        ),
+    ]