Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve StreamFlow on Kubernetes #659

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Improve StreamFlow on Kubernetes #659

wants to merge 1 commit into from

Conversation

GlassOfWhiskey
Copy link
Member

This commit heavily refactors the StreamFlow Helm chart to simplify its deployment on top of Kubernetes clusters.

In addition, this commit adds a networkPolicy flag to control the behaviour of CWL DockerRequirement objects into Kubernetes Pod items. Normally, the CWL NetworkAccess requirement is enforced through Kubernetes NetworkPolicy objects. However, NetworkPolicy objects regulate the network security inside a cluster, and giving the StreamFlow Pod permissions to create/delete them may result in unwanted security flaws. The networkPolicy option can be set to False to ignore the CWL NetworkAccess enforcement in such cases.

@codecov Codecov
Copy link

codecov bot commented Feb 9, 2025
edited
Loading

❌ 1 Tests Failed:

Tests completed Failed Passed Skipped
1996 1 1995 9
View the full list of 1 ❄️ flaky tests 
cwl-v1.2-76bdf9b55e2378432e0e6380ccedebb4a94ce483/conformance_tests.cwltest.yaml::conformance_tests::cwltest::yaml::modify_directory_content

Flake rate in main: 46.15% (Passed 7 times, Failed 6 times)

Stack Traces | 10.6s run time 
CWL test execution failed. 
Returned non-zero but it should be zero
Test: job: 
  file:.../streamflow/streamflow/cwl-v1.2-76bdf9b55e2378432e0e6380ccedebb4a94ce483/tests/empty.json
tool: 
  file:.../streamflow/streamflow/cwl-v1.2-76bdf9b55e2378432e0e6380ccedebb4a94ce483/tests/inpdir_update_wf.cwl
doc: inplace update has side effect on directory content
tags:
- inplace_update
- workflow
output:
  a:
  - basename: blurb
    class: File
    location: blurb
  b:
  - basename: blurb
    class: File
    location: blurb
id: 
  file:.../streamflow/streamflow/cwl-v1.2-76bdf9b55e2378432e0e6380ccedebb4a94ce483/conformance_tests.cwltest.yaml#modify_directory_content
line: '2834'

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@GlassOfWhiskey GlassOfWhiskey force-pushed the update-helm-chart branch 6 times, most recently from eda8219 to 4685214 Compare February 10, 2025 15:38
LanderOtto
LanderOtto approved these changes Feb 10, 2025
View reviewed changes
Copy link
Collaborator

@LanderOtto LanderOtto left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@GlassOfWhiskey
Improve StreamFlow on Kubernetes
5d4a78e 
This commit heavily refactors the StreamFlow Helm chart to simplify its
deployment on top of Kubernetes clusters.

In addition, this commit adds a `networkPolicy` flag to control the
behaviour of CWL `DockerRequirement` objects into Kubernetes `Pod`
items. Normally, the CWL `NetworkAccess` requirement is enforced through
Kubernetes `NetworkPolicy` objects. However, `NetworkPolicy` objects
regulate the network security inside a cluster, and giving the
StreamFlow `Pod` permissions to create/delete them may result in
unwanted security flaws. The `networkPolicy` option can be set to
`False` to ignore the CWL `NetworkAccess` enforcement in such cases.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LanderOtto LanderOtto LanderOtto approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GlassOfWhiskey @LanderOtto