Develop (#37)

* Version bump to 0.6.0

* Idp image (#22)

* idp-image: Moved the idp initializer logic to its own docker image, to avoid installing at runtime

* idp-image: Added dedicated image for the idp initializer. Added imagepullpolicy

* idp-image: Hadolint fixes for pip-related errors

* Azure bugfixes (#23)

* azure-bugfixes: Incresed ttl removal time for jobs to 30s. Added service account name to jobs. Added extra check for aks clusters, as sometimes jobs get deleted but the pod is still there.

* azure-bugfixes: Version bump. Changelog update

* azure-bugfixes: Big refactor on crd representation. Added env, inputs, outputs as crd fields to give more flexibility. Removed dataset as a required field.

* azure-bugfixes: Try catch to autorestart the watcher

* azure-bugfixes: Moved bunch of logic for github push to the controller helper docker image

* azure-bugfixes: Changelog update. Hadolint fixes

* azure-bugfixes: Fixed missing mocks on file open for ci tests

* azure-bugfixes: removed the docker copy of scripts

* azure-bugfixes: Added a while true in the main

* azure-bugfixes: Adjusted few paths mounted

* azure-bugfixes: changed the delete policy on idp-initializer

* azure-bugfixes: Addressed an issue with the controller creating too many jobs at the moment of updating the annotations

* azure-bugfixes: Renamed user sync script to something more intuitive

* azure-bugfixes: small refactor on create_retry_job

* develop: Added summary to pipeline

* develop: Removed vuln scan from pipeline, we will rely on github

* develop: Moved an init job as post install as the delete policy was not working

* develop: Added post-upgrade

* develop: Added a timeout in case a pod doesn't exist, leaving the controller hanging

* develop:  Updated tests and changelog

* develop: Updated references for alpine to be more dynamic as we are not using 3.19 as only tag

* develop: Bumped version

* develop: Updated CHANGELOG.md

* Version bump to 0.7.2

* not-alpine: Moved away from python alpine, added support for db-virtu… (#26)

* not-alpine: Moved away from python alpine, added support for db-virtualization

* not-alpine: hadolint fixes

* not-alpine: renamed task body field

* not-alpine: renamed fields in the crd class and schema

* not-alpine: Added Changelogs

* HEAD: develop: Added before-hook-creation for init job. Copy secret is now conditional on keycloak info, as when used as subchart, the main chart will take care of that

* develop: version bump

* develop: Updated changelog

* branch-name: Changed the branch name where the results will be pushed to (#29)

* 0.7.3 (#28)

* Version bump to 0.6.0

* Idp image (#22)

* idp-image: Moved the idp initializer logic to its own docker image, to avoid installing at runtime

* idp-image: Added dedicated image for the idp initializer. Added imagepullpolicy

* idp-image: Hadolint fixes for pip-related errors

* Azure bugfixes (#23)

* azure-bugfixes: Incresed ttl removal time for jobs to 30s. Added service account name to jobs. Added extra check for aks clusters, as sometimes jobs get deleted but the pod is still there.

* azure-bugfixes: Version bump. Changelog update

* azure-bugfixes: Big refactor on crd representation. Added env, inputs, outputs as crd fields to give more flexibility. Removed dataset as a required field.

* azure-bugfixes: Try catch to autorestart the watcher

* azure-bugfixes: Moved bunch of logic for github push to the controller helper docker image

* azure-bugfixes: Changelog update. Hadolint fixes

* azure-bugfixes: Fixed missing mocks on file open for ci tests

* azure-bugfixes: removed the docker copy of scripts

* azure-bugfixes: Added a while true in the main

* azure-bugfixes: Adjusted few paths mounted

* azure-bugfixes: changed the delete policy on idp-initializer

* azure-bugfixes: Addressed an issue with the controller creating too many jobs at the moment of updating the annotations

* azure-bugfixes: Renamed user sync script to something more intuitive

* azure-bugfixes: small refactor on create_retry_job

* develop: Added summary to pipeline

* develop: Removed vuln scan from pipeline, we will rely on github

* develop: Moved an init job as post install as the delete policy was not working

* develop: Added post-upgrade

* develop: Added a timeout in case a pod doesn't exist, leaving the controller hanging

* develop:  Updated tests and changelog

* develop: Updated references for alpine to be more dynamic as we are not using 3.19 as only tag

* develop: Bumped version

* develop: Updated CHANGELOG.md

* Version bump to 0.7.2

* not-alpine: Moved away from python alpine, added support for db-virtu… (#26)

* not-alpine: Moved away from python alpine, added support for db-virtualization

* not-alpine: hadolint fixes

* not-alpine: renamed task body field

* not-alpine: renamed fields in the crd class and schema

* not-alpine: Added Changelogs

* HEAD: develop: Added before-hook-creation for init job. Copy secret is now conditional on keycloak info, as when used as subchart, the main chart will take care of that

* develop: version bump

* develop: Updated changelog

---------

Co-authored-by: PHEMS bot <[email protected]>

* main: negated the kc-secrets condition

* branch-name: Changed the branch name where the results will be pushed to

* branch-name: version bump

* branch-name: added user info to the other create_helper_job call

* branch-name: Updated changelog

---------

Co-authored-by: PHEMS bot <[email protected]>

* develop: v1.0.0

* Version bump to 1.1.0

* 144-aws-storage: Added support for AWS EFS (#34)

* 144-aws-storage: Added support for AWS EFS

* 144-aws-storage: Added default storageclass definition

* 144-aws-storage: Added dynamic pv and pvc naming so capacity can be changed at upgrade time

* 144-aws-storage: Added default value for storage capacity on template

* 144-aws-storage: wrong condition on copy-secrets

* 144-aws-storage: added post-install hooks on copy template

* 144-aws-storage: Reverted Changes

* develop: Vulnerabilities fix

* develop: makefile change

* 34 base image upgrade (#33)

* 34-base-image-upgrade: Migrated to python 3.13

* 34-base-image-upgrade: Fixed the path for the python venv

* 34-base-image-upgrade: hadolint fixes on test.dockerfile

* 34-base-image-upgrade: Moved to uv from pip on the helper image

* 34-base-image-upgrade: more hadolint fixes

* 34-base-image-upgrade: updated uv.lock

* Version bump to 1.2.0

* Review with third (#18)

* chart-integration: Added cases where common alues are picked up from global rather than root values

* 81-third-party: Added new way to push results. Restructured the CRD to have a clearer separation and initial validation at cluster level.

* 81-third-party: Added more unittests

* 81-third-party: hadolint fixes

* 81-third-party: Missing key

* 81-third-party: Assumed the result credentials are in a secret already. Adjusted tests. Pylint fixes

* 81-third-party: removed unnecessary verify. There is a custom wrapper for it

* 81-third-party: Refactored some mocking to be more narrowed down

* 81-third-party: Added a field for tasks to indicate we are triggering it from the fntc

* 81-third-party: Added pre-install hook as the idp initializer needs it when installed as subchart

* 81-third-party: Added hooks to configmap

* 81-third-party: added hook to secret copy

* 81-third-party: Added weight to cm

* 81-third-party: Moved away from pre-hooks, using weights. pre is causing a lot of sync errors as a subchart

* 81-third-party: Added a global value to check if the chart is used as subchart, so that we won't override regcred contents

* 81-third-party: Renamed regcreds file

* 81-third-party: Moved the check in the main if

* 81-third-party: Added generalization for namespaces

* 81-third-party: Adjusted global templates

* 81-third-party: wrong if

* chart-integration: Removed outdated makefile option. Bumped version

* review-with-third: Added check for review. To make optional

* review-with-third: Added feature flag

* 81-third-party: removed organization field from the CRD as is not used anymore.

* 81-third-party: Changelog

* review-with-third: Fixed tests

* review-with-third: pylint fix for unused imports

* review-with-third: Changed the result extension to zip

* review-with-third: Fixed python path bin

---------

Co-authored-by: Riccardo Casula <[email protected]>

---------

Co-authored-by: PHEMS bot <[email protected]>
Co-authored-by: Riccardo Casula <[email protected]>

Author: r-casula

CHANGELOG.md

@@ -1,5 +1,7 @@
 # Releases Changelog
 
+# 1.2.0
+- Added a dynamic configuration to `global.taskReview` in the values files. This is only effective when deployed with the federated node. It will hold the result release until approved from the api, which in turns should set the task's CRD annotation `approved` to `"true"` and allowing result delivery. Defaults to `false`.
 # 1.1.0
 - Added support for AWS EFS persistent volume through the csi driver `efs.csi.aws.com`
     To configure it, set in the values file:

Dockerfile

@@ -1,28 +1,25 @@
-FROM python:3.12.2-slim
+FROM python:3.13.5-slim
 
 COPY controller /app/controller
-COPY Pipfile* /app
+COPY pyproject.toml /app
 
 WORKDIR /app
 
 ENV PYTHONUNBUFFERED=1
 ENV PYTHONIOENCODING=UTF-8
 
-# hadolint detects pipenv as another invocation of pip
-# hadolint ignore=DL3013,DL3008
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+# hadolint ignore=DL3008
 RUN apt-get update \
     && apt-get install --no-install-recommends -y \
         gcc gh jq curl openssl tar \
-    && pip install --no-cache-dir --upgrade pip \
-    && python3 -m pip install --no-cache-dir pipenv \
-    && pipenv lock \
-    && pipenv install --system --deploy --categories packages \
-    && pip uninstall -y pipenv \
+    && curl -LsSf https://astral.sh/uv/install.sh | sh \
+    && /root/.local/bin/uv sync \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # hadolint ignore=DL3013,DL3008
-RUN curl -sSL -O https://packages.microsoft.com/config/debian/12/packages-microsoft-prod.deb \
+RUN curl -sSL -O https://packages.microsoft.com/config/debian/"$(grep VERSION_ID /etc/os-release | cut -d '"' -f 2)"/packages-microsoft-prod.deb \
     && dpkg -i packages-microsoft-prod.deb \
     && apt-get update \
     && apt-get install --no-install-recommends -y azcopy \
@@ -33,4 +30,5 @@ RUN curl -sSL -O https://packages.microsoft.com/config/debian/12/packages-micros
     && rm -rf /var/lib/apt/lists/*
 
 ENV PYTHONPATH=/app/controller
+ENV PATH="/app/.venv/bin:$PATH"
 CMD ["python3", "-m", "controller"]

Makefile

@@ -1,5 +1,5 @@
 SHELL=/bin/bash
-IMAGE ?= ghcr.io/aridhia-open-source/fn_task_controller:0.7.0
+IMAGE ?= ghcr.io/aridhia-open-source/fn_task_controller:1.2.0
 TESTS_IMAGE ?= ghcr.io/aridhia-open-source/fn_task_controller_tests
 TEST_CONTAINER ?= fn-controller-tests
 
@@ -9,6 +9,9 @@ build_docker:
 build_test_container:
 	docker build . -f test.Dockerfile -t ${TESTS_IMAGE}
 
+build_helper:
+	docker build build/helper -t ghcr.io/aridhia-open-source/fn_task_controller_helper:1.0.0
+
 run_test_container: cleanup_test_container
 	docker run --name ${TEST_CONTAINER} ${TESTS_IMAGE}
 	docker cp ${TEST_CONTAINER}:/app/artifacts/coverage.xml artifacts/coverage.xml

Pipfile

@@ -1,4 +1,4 @@
-FROM alpine/k8s:1.29.4
+FROM alpine/k8s:1.33.2
 
 ARG USERNAME=fednode
 ARG USER_UID=1001
@@ -9,18 +9,15 @@ RUN addgroup -S "${USERNAME}" --gid "${USER_GID}" \
 
 WORKDIR /apps
 # Can't find venv-related files
+SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 # hadolint ignore=SC1091
-RUN apk add --no-cache \
-        'jq=~1.7' \
-        'curl=~8.5' \
-        'openssl=~3.1' \
-        'github-cli=~2.39' \
-    && python3 -m venv venv \
-    && . venv/bin/activate \
-    && pip install --no-cache-dir "requests==2.32.3" \
+RUN curl -LsSf https://astral.sh/uv/install.sh | sh \
+    && /root/.local/bin/uv init \
+    && /root/.local/bin/uv add requests \
     && chown "${USER_UID}:${USER_GID}" /apps
 
 COPY . /apps/
 USER ${USER_UID}
 
-ENTRYPOINT [ "/apps/venv/bin/python3", "idp-init.py" ]
+ENV PATH="/apps/.venv/bin:$PATH"
+ENTRYPOINT [ "python3", "idp-init.py" ]

Pipfile.lock

@@ -1,6 +1,7 @@
 """
 Entrypoint for the FNTC
 """
+
 from .controller import start
 
 print("Starting the controller")

build/helper/Dockerfile

@@ -6,7 +6,6 @@
 
 import base64
 import logging
-import json
 import re
 import subprocess
 from kubernetes.watch import Watch

controller/__main__.py

@@ -1,5 +1,6 @@
 import json
 from math import exp
+import os
 import re
 
 from exceptions import CRDException
@@ -45,7 +46,22 @@ def can_trigger_task(self) -> bool:
         return self.annotations.get(f"{self.domain}/user") and not self.annotations.get(f"{self.domain}/done")
 
     def can_deliver_results(self) -> bool:
-        return self.annotations.get(f"{self.domain}/done") and not self.annotations.get(f"{self.domain}/results")
+        """
+        Overcomplicated flow control, but there are few requirements to
+        fetch results:
+        - done HAS to be there, which means task pod is done
+        - results HAS NOT to be there, meaning results have not been fetched and delivered yet
+
+        TASK_REVIEW and approved annotation should make the whole check fail when:
+            TASK_REVIEW is set and approved is not "true". So we check for this
+            case, and negate it.
+        """
+        return self.annotations.get(f"{self.domain}/done") and \
+            not self.annotations.get(f"{self.domain}/results") and \
+            not (
+                os.getenv("TASK_REVIEW") is not None and \
+                self.annotations.get(f"{self.domain}/approved", "false").lower() != "true"
+            )
 
     def should_skip(self) -> bool:
         return bool(self.is_delete or self.annotations.get(f"{self.domain}/results"))

controller/helpers/pod_watcher.py

@@ -142,6 +142,30 @@ def mock_crd_api_basic_done(mock_crd_task_done):
     }}
     return deepcopy(mock_crd_task_done)
 
+@pytest.fixture
+def mock_crd_azcopy_done(mock_crd_task_done):
+    mock_crd_task_done["object"]["spec"]["results"] = {"other": {
+        "url": "https://fancyresultsplace.com/api/storage",
+        "auth_type": "AzCopy"
+    }}
+    return deepcopy(mock_crd_task_done)
+
+@pytest.fixture
+def mock_crd_api_done(mock_crd_task_done):
+    mock_crd_task_done["object"]["spec"]["results"] = {"other": {
+        "url": "https://fancyresultsplace.com/api/storage",
+        "auth_type": "Bearer"
+    }}
+    return deepcopy(mock_crd_task_done)
+
+@pytest.fixture
+def mock_crd_api_basic_done(mock_crd_task_done):
+    mock_crd_task_done["object"]["spec"]["results"] = {"other": {
+        "url": "https://fancyresultsplace.com/api/storage",
+        "auth_type": "Basic"
+    }}
+    return deepcopy(mock_crd_task_done)
+
 @pytest.fixture(autouse=True)
 def k8s_config(mocker):
     mocker.patch('kubernetes.config.load_kube_config', return_value=Mock())
@@ -286,3 +310,7 @@ def delivery_open(request, mocker):
     if getattr(request, "param", None):
         file_contents = request.param
     return mocker.patch("models.crd.open", mock_open(read_data=json.dumps(file_contents)))
+
+@pytest.fixture
+def review_env(monkeypatch):
+    monkeypatch.setenv("TASK_REVIEW", "enabled")