Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
0f805a0
add drs server chart
matthewpeterkort Mar 4, 2026
6333d03
update navigation
matthewpeterkort Mar 11, 2026
3fc18ad
update drs-server routes
matthewpeterkort Mar 31, 2026
52ee5df
Merge branch 'ohsu-develop' into feature/drs-server
matthewpeterkort Mar 31, 2026
57ea41a
fix: Resolve Fence JWT token permission denied error on local deploys
lbeckman314 Mar 27, 2026
acf2156
chore: Revert Makefile K8s cluster/context name
lbeckman314 Mar 30, 2026
e2e96c7
rename drs server to syfon
matthewpeterkort Apr 1, 2026
58b7b1f
update syfon helm chart db init scripts
matthewpeterkort May 4, 2026
b223e90
remove presigned-url-fence from helm chart
matthewpeterkort May 4, 2026
7700863
update init db job to use default password if none configured
matthewpeterkort May 4, 2026
634d1ca
factor out fence_url arg into helm chart
matthewpeterkort May 4, 2026
6e88fb8
fix: Minor linting error
lbeckman314 May 4, 2026
c3d3203
update charts to not deploy qdrant by default
matthewpeterkort May 6, 2026
7f9e3b7
update helm
matthewpeterkort May 26, 2026
a3856bf
update charts
matthewpeterkort May 26, 2026
f26e68a
updates
matthewpeterkort May 26, 2026
834a48e
update syfon db init job
matthewpeterkort May 27, 2026
878f499
define a pv for the existing git repo pvc
matthewpeterkort May 27, 2026
4cd7b5b
various updates
matthewpeterkort Jun 2, 2026
e1ab4fd
update / patch various issues
matthewpeterkort Jun 5, 2026
f8b22f9
fix outstanding bugs
matthewpeterkort Jun 16, 2026
450e4e1
cleanup args related to fence data handling that no longer need to exist
matthewpeterkort Jun 16, 2026
af71c58
patch gecko space bug
matthewpeterkort Jun 26, 2026
99993e1
patch out faulty regex
matthewpeterkort Jun 26, 2026
b9716e8
patch gecko config
matthewpeterkort Jun 26, 2026
6ff8a7c
integrate funnel helm chart
matthewpeterkort Jul 6, 2026
2d4f295
update charts to support gecko redis caching for audits
matthewpeterkort Jul 8, 2026
09c51bc
Merge branch 'ohsu-develop' into feature/drs-server
matthewpeterkort Jul 13, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion helm/arborist/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.11
version: 0.1.12

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand Down
8 changes: 5 additions & 3 deletions helm/arborist/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -60,11 +60,14 @@ A Helm chart for gen3 arborist
| global.publicDataSets | bool | `true` | Whether public datasets are enabled. |
| global.revproxyArn | string | `"arn:aws:acm:us-east-1:123456:certificate"` | ARN of the reverse proxy certificate. |
| global.tierAccessLevel | string | `"libre"` | Access level for tiers. acceptable values for `tier_access_level` are: `libre`, `regular` and `private`. If omitted, by default common will be treated as `private` |
| image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/cdis/arborist","tag":""}` | Docker image information. |
| image | map | `{"pullPolicy":"IfNotPresent","repository":"quay.io/ohsu-comp-bio/arborist","tag":""}` | Docker image information. |
| image.pullPolicy | string | `"IfNotPresent"` | Docker pull policy. |
| image.repository | string | `"quay.io/cdis/arborist"` | Docker repository. |
| image.repository | string | `"quay.io/ohsu-comp-bio/arborist"` | Docker repository. |
| image.tag | string | `""` | Overrides the image tag whose default is the chart appVersion. |
| imagePullSecrets | list | `[]` | Docker image pull secrets. |
| migrations | map | `{"command":"/app/migrations/latest","enabled":true}` | Database migration settings. Arborist migrations are packaged in the application image; deploying a new image with new migration files is enough for this chart to apply them before starting Arborist. |
| migrations.command | string | `"/app/migrations/latest"` | Migration command inside the Arborist image. |
| migrations.enabled | bool | `true` | Whether to run Arborist database migrations at container startup. |
| nameOverride | string | `""` | Override the name of the chart. |
| nodeSelector | map | `{}` | Node selector to apply to the pod |
| partOf | string | `"Authentication"` | Label to help organize pods and their use. Any value is valid, but use "_" or "-" to divide words. |
Expand Down Expand Up @@ -104,4 +107,3 @@ A Helm chart for gen3 arborist
| tolerations | list | `[]` | Tolerations to apply to the pod |
| volumeMounts | list | `[]` | Volume mounts to attach to the container |
| volumes | list | `[]` | Volumes to attach to the pod |

29 changes: 26 additions & 3 deletions helm/arborist/templates/deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,27 @@ spec:
serviceAccountName: {{ include "arborist.serviceAccountName" . }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.authzSnapshotCache.waitForRedis.enabled }}
initContainers:
- name: wait-for-authz-cache
image: "{{ .Values.authzSnapshotCache.waitForRedis.image }}"
imagePullPolicy: IfNotPresent
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.authzSnapshotCache.waitForRedis.secretName }}
key: {{ .Values.authzSnapshotCache.waitForRedis.passwordKey }}
optional: false
command:
- /bin/sh
- -c
- |
until redis-cli -h {{ .Values.authzSnapshotCache.waitForRedis.host }} -p {{ .Values.authzSnapshotCache.waitForRedis.port }} -a "$REDIS_PASSWORD" --no-auth-warning ping | grep -q PONG; do
echo "waiting for authz cache redis at {{ .Values.authzSnapshotCache.waitForRedis.host }}:{{ .Values.authzSnapshotCache.waitForRedis.port }}"
sleep 2
done
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
Expand Down Expand Up @@ -68,11 +89,13 @@ spec:
# set env vars
export PGSSLMODE="disable"

{{- if .Values.migrations.enabled }}
# bring the database schema up to the latest version
/go/src/github.com/uc-cdis/arborist/migrations/latest
{{ .Values.migrations.command }}
{{- end }}

# run arborist
/go/src/github.com/uc-cdis/arborist/bin/arborist
/usr/local/bin/arborist
env:
{{- if .Values.global.ddEnabled }}
{{- include "common.datadogEnvVar" . | nindent 12 }}
Expand Down Expand Up @@ -132,4 +155,4 @@ spec:
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
31 changes: 28 additions & 3 deletions helm/arborist/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -109,12 +109,21 @@ replicaCount: 1
# -- (map) Docker image information.
image:
# -- (string) Docker repository.
repository: quay.io/cdis/arborist
repository: quay.io/ohsu-comp-bio/arborist
# -- (string) Docker pull policy.
pullPolicy: IfNotPresent
pullPolicy: Always
# -- (string) Overrides the image tag whose default is the chart appVersion.
tag: ""

# -- (map) Database migration settings. Arborist migrations are packaged in the
# application image; deploying a new image with new migration files is enough for
# this chart to apply them before starting Arborist.
migrations:
# -- (bool) Whether to run Arborist database migrations at container startup.
enabled: true
# -- (string) Migration command inside the Arborist image.
command: /app/migrations/latest

# -- (list) Docker image pull secrets.
imagePullSecrets: []

Expand Down Expand Up @@ -214,7 +223,23 @@ env:
# -- (string) The URL of the JSON Web Key Set (JWKS) endpoint for authentication
- name: JWKS_ENDPOINT
value: "http://fence-service/.well-known/jwks"

- name: AUTHZ_SNAPSHOT_CACHE_REDIS_URL
value: "redis://authz-cache-service:6379/0"
- name: AUTHZ_SNAPSHOT_CACHE_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: authz-cache-credentials
key: redis-password
optional: false

authzSnapshotCache:
waitForRedis:
enabled: true
image: "redis:7.2-alpine"
host: "authz-cache-service"
port: 6379
secretName: "authz-cache-credentials"
passwordKey: "redis-password"

# Values to determine the labels that are used for the deployment, pod, etc.
# -- (string) Valid options are "production" or "dev". If invalid option is set- the value will default to "dev".
Expand Down
5 changes: 2 additions & 3 deletions helm/fence/README.md

Large diffs are not rendered by default.

8 changes: 0 additions & 8 deletions helm/fence/fence-secret/config_helper.py
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,6 @@ def inject_creds_into_fence_config(creds_file_path, config_file_path):
db_password = _get_nested_value(creds, "db_password")
db_database = _get_nested_value(creds, "db_database")
hostname = _get_nested_value(creds, "hostname")
indexd_password = _get_nested_value(creds, "indexd_password")
google_client_secret = _get_nested_value(creds, "google_client_secret")
google_client_id = _get_nested_value(creds, "google_client_id")
hmac_key = _get_nested_value(creds, "hmac_key")
Expand All @@ -75,10 +74,6 @@ def inject_creds_into_fence_config(creds_file_path, config_file_path):
print(" BASE_URL injected with value(s) from creds.json")
config_file = _replace(config_file, "BASE_URL", "https://{}/user".format(hostname))

print(" INDEXD_PASSWORD injected with value(s) from creds.json")
config_file = _replace(config_file, "INDEXD_PASSWORD", indexd_password)
config_file = _replace(config_file, "INDEXD_USERNAME", "fence")

print(" ENCRYPTION_KEY injected with value(s) from creds.json")
config_file = _replace(config_file, "ENCRYPTION_KEY", hmac_key)

Expand Down Expand Up @@ -121,9 +116,6 @@ def set_prod_defaults(config_file_path):
"/var/www/fence/fence_google_storage_creds_secret.json",
)

print(" INDEXD set as http://indexd-service/")
config_file = _replace(config_file, "INDEXD", "http://indexd-service/")

print(" ARBORIST set as http://arborist-service/")
config_file = _replace(config_file, "ARBORIST", "http://arborist-service/")

Expand Down
2 changes: 0 additions & 2 deletions helm/fence/fence-secret/fence_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -165,6 +165,4 @@ def get_from_dict(dictionary, key, default=""):

DEFAULT_LOGIN_URL_REDIRECT_PARAM = "redirect"

INDEXD = "http://indexd-service/"

ARBORIST = "http://arborist-service/"
2 changes: 0 additions & 2 deletions helm/fence/templates/fence-creds.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,7 @@ stringData:
"db_password": "{{include "gen3.service-postgres" (dict "key" "password" "service" $.Chart.Name "context" $) }}",
"db_database": "{{ include "gen3.service-postgres" (dict "key" "database" "service" $.Chart.Name "context" $)}}",
"hostname": "{{ .Values.global.hostname }}",
"indexd_password": "",
"google_client_secret": "YOUR.GOOGLE.SECRET",
"google_client_id": "YOUR.GOOGLE.CLIENT",
"hmac_key": ""
}

24 changes: 24 additions & 0 deletions helm/fence/templates/fence-deployment.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,10 @@ spec:
cp /var/run/fence-secrets/fence-config-secret.yaml /var/www/fence/fence-config.yaml
fi

if [[ -n "${AUTHZ_SNAPSHOT_CACHE_REDIS_PASSWORD:-""}" ]]; then
python -c $'import os, yaml\npath = "/var/www/fence/fence-config.yaml"\nwith open(path) as f:\n data = yaml.safe_load(f) or {}\nurl = data.get("AUTHZ_SNAPSHOT_CACHE_REDIS_URL")\npassword = os.environ.get("AUTHZ_SNAPSHOT_CACHE_REDIS_PASSWORD", "")\nif url and password and url.startswith("redis://") and "@" not in url:\n data["AUTHZ_SNAPSHOT_CACHE_REDIS_URL"] = f"redis://:{password}@{url[8:]}"\n with open(path, "w") as f:\n yaml.safe_dump(data, f, sort_keys=False)'
fi

if [[ -f /var/run/fence-secrets/jwt_private_key.pem ]]; then
mkdir -p /fence/keys/key
cp /var/run/fence-secrets/jwt_private_key.pem /fence/keys/key/jwt_private_key.pem
Expand All @@ -90,6 +94,26 @@ spec:
volumeMounts:
{{- toYaml .Values.volumeMounts | nindent 12 }}
initContainers:
{{- if .Values.authzSnapshotCache.waitForRedis.enabled }}
- name: wait-for-authz-cache
image: "{{ .Values.authzSnapshotCache.waitForRedis.image }}"
imagePullPolicy: IfNotPresent
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.authzSnapshotCache.waitForRedis.secretName }}
key: {{ .Values.authzSnapshotCache.waitForRedis.passwordKey }}
optional: false
command:
- /bin/sh
- -c
- |
until redis-cli -h {{ .Values.authzSnapshotCache.waitForRedis.host }} -p {{ .Values.authzSnapshotCache.waitForRedis.port }} -a "$REDIS_PASSWORD" --no-auth-warning ping | grep -q PONG; do
echo "waiting for authz cache redis at {{ .Values.authzSnapshotCache.waitForRedis.host }}:{{ .Values.authzSnapshotCache.waitForRedis.port }}"
sleep 2
done
{{- end }}
- name: fence-init
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
Expand Down
4 changes: 2 additions & 2 deletions helm/fence/templates/usersync-cron.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,7 @@ spec:
containers:
- name: usersync
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: Always
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
- name: SYNC_FROM_DBGAP
value: {{ .Values.usersync.syncFromDbgap | quote }}
Expand Down Expand Up @@ -211,4 +211,4 @@ spec:
echo "Exit code: $exitcode"
exit "$exitcode"
restartPolicy: "Never"
{{- end }}
{{- end }}
6 changes: 4 additions & 2 deletions helm/fence/templates/useryaml-job.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ spec:
containers:
- name: fence
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: Always
imagePullPolicy: {{ .Values.image.pullPolicy }}
env:
{{- toYaml .Values.env | nindent 10 }}
volumeMounts:
Expand All @@ -44,5 +44,7 @@ spec:
# Script always succeeds if it runs (echo exits with 0)
- |
# can be removed once this is merged: https://github.com/uc-cdis/fence/pull/1096
fence-create sync --arborist http://arborist-service --yaml /var/www/fence/user.yaml
cd /fence
export PYTHONPATH=/fence${PYTHONPATH:+:$PYTHONPATH}
/fence/.venv/bin/python -m bin.fence_create sync --arborist http://arborist-service --yaml /var/www/fence/user.yaml
restartPolicy: OnFailure
52 changes: 33 additions & 19 deletions helm/fence/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -297,6 +297,12 @@ env:
name: manifest-fence
key: fence-config-public.yaml
optional: true
- name: AUTHZ_SNAPSHOT_CACHE_REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: authz-cache-credentials
key: redis-password
optional: false
- name: PGHOST
valueFrom:
secretKeyRef:
Expand Down Expand Up @@ -329,17 +335,21 @@ env:
optional: false
- name: DB
value: postgresql://$(PGUSER):$(PGPASSWORD)@$(PGHOST):5432/$(PGDB)
- name: INDEXD_PASSWORD
valueFrom:
secretKeyRef:
name: indexd-service-creds
key: fence
- name: gen3Env
valueFrom:
configMapKeyRef:
name: manifest-global
key: hostname

authzSnapshotCache:
waitForRedis:
enabled: true
image: "redis:7.2-alpine"
host: "authz-cache-service"
port: 6379
secretName: "authz-cache-credentials"
passwordKey: "redis-password"

# -- (list) Volumes to attach to the container.
volumes:
- name: old-config-volume
Expand Down Expand Up @@ -1677,6 +1687,7 @@ FENCE_CONFIG:
- "openid"
- "user"
- "data"
- "github_credentials"
- "google_credentials"
- "google_service_account"
- "google_link"
Expand All @@ -1690,6 +1701,7 @@ FENCE_CONFIG:
- "user"
- "data"
- "admin"
- "github_credentials"
- "google_credentials"
- "google_service_account"
- "google_link"
Expand All @@ -1708,6 +1720,19 @@ FENCE_CONFIG:
- "google_link"
- "ga4gh_passport_v1"

# -- (map) GitHub App configuration for Fence-managed installation token brokering
GITHUB_APP:
# -- (string) GitHub App ID
app_id: ''
# -- (string) PEM-encoded GitHub App private key
private_key: ''
# -- (string) Optional path to a PEM file mounted in the container. Mutually exclusive with private_key.
private_key_file: ''
# -- (string) GitHub API base URL. Leave default for github.com, override for GitHub Enterprise.
api_base_url: 'https://api.github.com'
# -- (int) Timeout in seconds for outbound GitHub API requests
timeout_seconds: 30

# //////////////////////////////////////////////////////////////////////////////////////
# LOGIN
# - Modify based on which OIDC provider(s) you configured above
Expand Down Expand Up @@ -2018,20 +2043,6 @@ FENCE_CONFIG:
host: null
port: 3128

# //////////////////////////////////////////////////////////////////////////////////////
# MICROSERVICE PATHS
# - Support `/data` endpoints & authz functionality
# //////////////////////////////////////////////////////////////////////////////////////
# url where indexd microservice is running (for signed urls primarily)
# NOTE: Leaving as null will force fence to default to {{BASE_URL}}/index
# example value: 'https://example.com/index'
INDEXD: http://indexd-service

# this is the username which fence uses to make authenticated requests to indexd
INDEXD_USERNAME: 'fence'
# this is the password which fence uses to make authenticated requests to indexd
INDEXD_PASSWORD: ''

# //////////////////////////////////////////////////////////////////////////////////////
# AZURE STORAGE BLOB CONFIGURATION
# - Support Azure Blob Data Access Methods
Expand All @@ -2048,6 +2059,9 @@ FENCE_CONFIG:

# url where authz microservice is running
ARBORIST: http://arborist-service
AUTHZ_SNAPSHOT_CACHE_ENABLED: true
AUTHZ_SNAPSHOT_CACHE_REDIS_URL: redis://authz-cache-service:6379/0
AUTHZ_SNAPSHOT_CACHE_TTL_SECONDS: 3600

# url where the audit-service is running
AUDIT_SERVICE: 'http://audit-service'
Expand Down
14 changes: 4 additions & 10 deletions helm/funnel/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.76
version: 0.1.77

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
Expand All @@ -26,12 +26,6 @@ version: 0.1.76
appVersion: "2025-12-22"

dependencies:
- name: postgresql
version: 18.1.15
repository: https://charts.bitnami.com/bitnami
condition: postgresql.enabled

- name: mongodb
version: 13.9.4
repository: https://charts.bitnami.com/bitnami
condition: mongodb.enabled
- name: common
version: 0.1.10
repository: file://../common
Loading
Loading