feat: git import

Author: slisson

helm/modelix/Chart.lock

@@ -5,5 +5,8 @@ dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
   version: v1.11.0
-digest: sha256:e1c91b6cbbad23e6af7930b3723474ada0ccc66de0e5aadfcceb305168434c65
-generated: "2023-05-02T15:38:43.774893577+02:00"
+- name: kestra
+  repository: https://helm.kestra.io/
+  version: 0.22.2
+digest: sha256:210d98f2461c18107f8ca4f0b9f959b0a9e411d00ff4f5dda5f9923058f42033
+generated: "2025-04-15T14:33:52.414036+02:00"

helm/modelix/Chart.yaml

@@ -33,3 +33,6 @@ dependencies:
     version: v1.11.0
     repository: https://charts.jetstack.io
     condition: certmanager.enabled
+  - name: kestra
+    repository: https://helm.kestra.io/
+    version: 0.22.2

helm/modelix/charts/kestra-0.22.2.tgz

@@ -31,6 +31,14 @@ spec:
               value: /secrets/jwk/wsmanager/workspace-manager-public.pem
             - name: "MODELIX_JWK_FILE_INSTANCES_MANAGER"
               value: /secrets/jwk/instancesmanager/instances-manager-public.pem
+            - name: MODELIX_AUTHORIZATION_URI
+              value: "{{ include "modelix.externalKeycloakUrl" . }}realms/{{ .Values.keycloak.realm }}/protocol/openid-connect/auth"
+            - name: MODELIX_TOKEN_URI
+              value: "{{ include "modelix.externalKeycloakUrl" . }}realms/{{ .Values.keycloak.realm }}/protocol/openid-connect/token"
+            - name: MODELIX_PERMISSION_CHECKS_ENABLED
+              value: "true"
+            - name: JAVA_OPTS
+              value: "-Xms1000m -Xmx1000m"
             {{- include "modelix.authorizationConfig" . | nindent 12 }}
           image: "{{ .Values.dockerProxy.prefix }}modelix/model-server:{{ .Values.imageTags.model | default .Values.versions.modelix.core }}"
           imagePullPolicy: IfNotPresent
@@ -41,10 +49,10 @@ spec:
               name: "jvm-debug"
           resources:
             requests:
-              memory: "800Mi"
+              memory: "2000Mi"
               cpu: "0.1"
             limits:
-              memory: "800Mi"
+              memory: "2000Mi"
               cpu: "1.0"
           readinessProbe:
             httpGet:

helm/modelix/templates/common/model-deployment.yaml

@@ -24,7 +24,7 @@ spec:
         {{- include "modelix.selectorLabels" . | nindent 8 }}
     spec:
       containers:
-        - image: "{{ .Values.dockerProxy.prefix }}redis:7.0.2"
+        - image: "{{ .Values.dockerProxy.prefix }}redis:7.4.2"
           name: redis
           resources:
             requests:
@@ -45,7 +45,7 @@ spec:
             initialDelaySeconds: 3
             periodSeconds: 10
             timeoutSeconds: 5
-        - image: "{{ default .Values.dockerProxy.prefix "quay.io/" }}oauth2-proxy/oauth2-proxy:{{ .Values.imageTags.oauth | default "v7.8.1" }}"
+        - image: "{{ default .Values.dockerProxy.prefix "quay.io/" }}oauth2-proxy/oauth2-proxy:{{ .Values.imageTags.oauth | default "v7.8.2" }}"
           name: oauth2-proxy
           env:
           - name: OAUTH2_PROXY_CLIENT_SECRET

helm/modelix/templates/common/oauth-deployment.yaml

@@ -32,6 +32,8 @@ spec:
             value: "{{ .Release.Namespace }}"
           - name: KUBERNETES_INSTANCE_PREFIX
             value: "{{ include "modelix.fullname" . }}-"
+          - name: HELM_RELEASE_NAME
+            value: "{{ .Release.Name }}"
           - name: MODELIX_MAX_BODY_SIZE
             value:  "{{ .Values.maxBodySize }}"
         ports:

helm/modelix/templates/common/proxy-deployment.yaml

@@ -65,6 +65,10 @@ spec:
             value: localhost:5000
           - name: INTERNAL_DOCKER_REGISTRY_AUTHORITY
             value: "localhost:{{ .Values.internalDockerRegistry.nodePort }}"
+          - name: KESTRA_URL
+            value: http://{{ .Release.Name }}-kestra-service:8080/
+          - name: GIT_IMPORT_IMAGE
+            value: "{{ .Values.dockerProxy.prefix }}modelix/mps-git-import:{{ .Values.versions.modelix.core }}"
           {{- include "modelix.authorizationConfig" . | nindent 10 }}
           {{- include "modelix.commonVariables" . | nindent 10 }}
         image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-workspace-manager:{{ .Values.imageTags.wsManager | default .Values.versions.modelix.workspaces }}"

helm/modelix/templates/common/workspace-manager-deployment.yaml

@@ -30,7 +30,7 @@ spec:
           value: "{{ .Values.db.db }}"
         - name: PGDATA
           value: /var/lib/postgresql/data/pgdata
-        image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-db:{{ .Values.imageTags.db | default .Chart.Version }}"
+        image: "{{ .Values.dockerProxy.prefix }}modelix/modelix-db:{{ .Values.imageTags.db | default .Values.versions.modelix.kubernetes | default .Chart.Version }}"
         imagePullPolicy: IfNotPresent
         name: db
         volumeMounts:

helm/modelix/templates/local/db-deployment.yaml

@@ -4,8 +4,8 @@ fullnameOverride: ""
 
 versions:
   modelix:
-    workspaces: "0.12.1"
-    core: "11.3.0"
+    workspaces: "0.13.0"
+    core: "14.4.3"
     kubernetes: ""
     vncBaseImage: "0.9.4"
 
@@ -63,6 +63,40 @@ certmanager:
   # https://cert-manager.io/docs/installation/helm/#option-1-installing-crds-with-kubectl
   enabled: false
 
+kestra:
+  configuration:
+    kestra:
+      basic-auth:
+        enabled: true
+        username: admin
+        password: secret
+      encryption:
+        secretKey: jhm3E/1WNE9EIiDsPptckrdgD4EsxaeaptnwlQyCDos=
+#    micronaut:
+#      server:
+#        contextPath: "kestra"
+  ingress:
+    enabled: false
+  postgresql:
+    enabled: true
+  dind:
+    image:
+      tag: dind
+    args:
+      - --log-level=fatal
+    securityContext:
+      runAsUser: 0
+      runAsGroup: 0
+  securityContext:
+    runAsUser: 0
+    runAsGroup: 0
+#  readinessProbe:
+#    path: /kestra/health/readiness
+#  livenessProbe:
+#    path: /kestra/health/liveness
+#  startupProbe:
+#    path: /kestra/health
+
 db:
   useGCloud: false
   user: "modelix"

helm/modelix/values.yaml

@@ -12,6 +12,13 @@ handle_path /keycloak/* {
     reverse_proxy {$KUBERNETES_INSTANCE_PREFIX}keycloak.{$KUBERNETES_NAMESPACE}.svc.cluster.local:8080
 }
 
+handle_path /kestra/* {
+    reverse_proxy {$HELM_RELEASE_NAME}-kestra-service.{$KUBERNETES_NAMESPACE}.svc.cluster.local:8080
+}
+
+reverse_proxy /ui/* {$HELM_RELEASE_NAME}-kestra-service.{$KUBERNETES_NAMESPACE}.svc.cluster.local:8080
+reverse_proxy /api/* {$HELM_RELEASE_NAME}-kestra-service.{$KUBERNETES_NAMESPACE}.svc.cluster.local:8080
+
 reverse_proxy /workspace-* {$KUBERNETES_INSTANCE_PREFIX}workspace-manager.{$KUBERNETES_NAMESPACE}.svc.cluster.local:33332
 
 reverse_proxy /resource/* {$KUBERNETES_INSTANCE_PREFIX}keycloak.{$KUBERNETES_NAMESPACE}.svc.cluster.local:8080