From a6de7e54f0e6685130885e49ecceb2cc16078b19 Mon Sep 17 00:00:00 2001 From: Elsa Mayra Irgens Date: Fri, 20 Oct 2023 13:07:48 +0200 Subject: [PATCH 1/2] Cleaned up links to sample repos --- .../docs/src/docs/topic-docker/index.md | 2 +- .../docs/src/docs/topic-security/index.md | 20 +++++++++---- .../docs/src/guides/deploy-only/index.md | 2 +- public-site/docs/src/other/release/index.md | 28 ++++++++++++++++--- public-site/docs/src/other/scenarios/index.md | 12 -------- 5 files changed, 41 insertions(+), 23 deletions(-) diff --git a/public-site/docs/src/docs/topic-docker/index.md b/public-site/docs/src/docs/topic-docker/index.md index 4b0cfa37..f7901ab3 100644 --- a/public-site/docs/src/docs/topic-docker/index.md +++ b/public-site/docs/src/docs/topic-docker/index.md @@ -69,4 +69,4 @@ Docker build speed can be reduced by understanding caching of layers. In short, ### Testing -Automatic testing of an application can be done as a build stage inside the container. This will then be run as one of the steps when radix build the image. The [`Dockerfile`](https://github.com/equinor/radix-example-scenario-docker-multistage-with-test/blob/master/Dockerfile) used in the Radix workhops provides a good example. +Automatic testing of an application can be done as a build stage inside the container. This will then be run as one of the steps when radix build the image. diff --git a/public-site/docs/src/docs/topic-security/index.md b/public-site/docs/src/docs/topic-security/index.md index 20b62f3e..dabec759 100644 --- a/public-site/docs/src/docs/topic-security/index.md +++ b/public-site/docs/src/docs/topic-security/index.md 
@@ -5,16 +5,26 @@ title: Security # Security ## Role Based Access Control +There are three roles which govern access to the management plane of Radix. -Membership in the 'Radix Platform User' AD group grants access to +#### Radix Platform User +The Radix Platform User role is scoped to the entirety of the Radix platform. Members of the Radix Platform User AD +group are granted access to create new Radix applications, view the Radix Web Console and the Grafana Dashboard (Monitoring). +Membership of this AD group is granted by submitting an application in AccessIT. -- Radix Web Console -- Grafana Dashboard (Monitoring) +#### Radix Application Admin Role +Each Radix application has a list of AD groups whose members are granted the Radix Application Admin role. +Users with this role can view and modify all attributes of a Radix applications, including, but not limited to, +the application's configuration, environment variables, and secrets. -Only members of the AD group provided during application registration, will be able to see the application listed in the Radix web console. Same AD group also controls who will be able to change the configuration of the application in the Radix web console. +#### Radix Application Reader Role +Similar to the Radix Application Admin role, each Radix application has a list of AD groups whose members are granted the +Radix Application Reader role. This role is designed for users who require read-only access to information about a Radix application. +These users can not perform any actions that could impact the application's state, such as starting or stopping components or deleting the application. +Readers have the privilege to access logs associated with the application's replicas and jobs. This access enables troubleshooting and gathering insights without having the risk of impacting the application. ## Authentication It is important to understand that **application authentication is not handled by Radix**. 
The application endpoints will be public. Each team managing an application hosted on Radix is responsible for authenticating their users. -For an example of in-app authentication using AD have a look at [Radix Authentication Example](https://github.com/equinor/radix-example-oauth-proxy) code. + diff --git a/public-site/docs/src/guides/deploy-only/index.md b/public-site/docs/src/guides/deploy-only/index.md index 72ab35a8..7417f573 100644 --- a/public-site/docs/src/guides/deploy-only/index.md +++ b/public-site/docs/src/guides/deploy-only/index.md 
@@ -168,7 +168,7 @@ In the above workflow we have a series of steps. They are: - `Build API component` - Building is now done outside of Radix - `Push the image to GPR` - Pushes a package to Github package repository using the `PRIVATE_TOKEN` (personal access token) - `Prepare for committing new tag to radix config on master` - Since we are using the dynamic tagging for prod environment, we have to commit to master a version of the `radixconfig.yaml` holding the newly produced tag. This step checks out master branch of the repository -- `Modify radixconfig tag for production on master branch` - This step calls a [custom script](https://github.com/equinor/radix-example-arm-template/blob/master/hack/modifyTag.py) to modify the tag in `radixconfig.yaml` and the commits and push the change on master +- `Modify radixconfig tag for production on master branch` - This step calls a custom script to modify the tag in `radixconfig.yaml` and the commits and push the change on master - `Get environment from branch` - This steps calls a utility function in the CLI for obtaining the environment based on the current brach from the branch-environment mapping in the `radixconfig.yaml` of the repository - `Deploy API on Radix` - This step calls the CLI function, which calls the deploy pipeline function of the Radix API for running the deploy pipeline. It uses the output of the previous step to tell Radix which environment it should deploy to. Note that is using `development` context to contact the API in the development cluster. Similarly if context is `playground` it will contact API in playground cluster. If you remove this entirely, it will default to `production` context diff --git a/public-site/docs/src/other/release/index.md b/public-site/docs/src/other/release/index.md index 27e8f716..4e692d7d 100644 --- a/public-site/docs/src/other/release/index.md +++ b/public-site/docs/src/other/release/index.md 
@@ -7,6 +7,29 @@ sidebarDepth: 2 ## 2023 + +### 2023-08-15 - Radix application reader role +A `Radix application reader` role has been added to Radix. This role is a read-only role intended for users who need to view information about a Radix application, but should not be allowed to perform any actions such as starting or stopping components, or deleting the application. +Readers have the privilege to view logs associated with their replicas and jobs. +The role is an Azure AD group that can be assigned under `Access control` in the Configuration page of the application. + +### 2023-08-01 - Restart batches and *jobs with recent active deployment* + +In addition to restart job with original deployment, Radix now allows to restart scheduled single jobs, entire batch or individual jobs within the batch with latest active deployment (if it is different than for the restarting job). [Read more](../guides/jobs/jobs-in-web-console.md) +Scheduled jobs now can be run with `imageTagName` , specified in [radixconfig](../../references/reference-radix-config/index.md) and altered in [JobDescription](../guides/jobs/configure-jobs.md#single-job) +```` +{ + "payload": "abc", + "imageTagName": "1.0.0" +} +```` + +### 2023-07-13 - Restart scheduled batches and jobs + +Radix now allows to restart scheduled single jobs, entire batch or individual jobs within the batch - completed, failed, stopped or running. +Technically it deletes the corresponding Kubernetes job and starts new instead, with the same deployment, job-description and payload. +Use-case - restart jobs, failed due to temporary issues, lack of memory, unavailable external data or api. + ### 2023-07-05 - Change in Azure Blob volume-mounts option If your Radix application uses [Azure Blob volume mount](../../guides/volume-mounts/), [radixconfig.yaml](../../references/reference-radix-config/index.md) it is recommended to replace its configuration with BlobFuse2: 
@@ -109,7 +132,7 @@ The Radix Github Action is used by many Radixians to execute rx CLI commands in ```yaml - name: list-apps - uses: equinor/radix-github-actions@master + uses: equinor/radix-github-actions@v1 with: github-token: ${{ secrets.GITHUB_TOKEN }} args: > @@ -437,9 +460,6 @@ If by any circumstance the pod running your app restarts, for instance due to la [Security – running as non-root](../../docs/topic-docker/#running-as-non-root) -Sample - [non-root oauth application](https://github.com/equinor/radix-example-oauth-proxy) -Sample - [.NET non-root](https://github.com/equinor/radix-example-4-dotnet) -Sample - [NODE non-root](https://github.com/equinor/radix-example-scenario-5-nodejs) ### 2021-06-22 - Support for files in Azure blob container diff --git a/public-site/docs/src/other/scenarios/index.md b/public-site/docs/src/other/scenarios/index.md index 00d3d06e..fcb7e261 100644 --- a/public-site/docs/src/other/scenarios/index.md +++ b/public-site/docs/src/other/scenarios/index.md @@ -23,16 +23,4 @@ Example for Omnia Radix showing how to use the OAuth2 feature in Radix - [Omnia Radix Oauth2 Feature](https://github.com/equinor/radix-example-oauth2-feature) -## Other samples -App with "multiple" containers. No external dependencies. No back end dependencies. No storage. No secrets. Static/Dynamic web page - -- [App with "multiple" containers - React.js](https://github.com/equinor/radix-example-scenario-2-chat) - -App with monitoring, Prometheus and Grafana - -- [Prometheus metrics app - Node.js](https://github.com/equinor/radix-example-scenario-5-nodejs) - -App "running linter and unit tests as part of multistage docker build". Broken tests fail build. - -- [Multistage docker build app - Python](https://github.com/equinor/radix-example-scenario-7-python) From 0f690a2e391d3cef7407bbe2021863f409c116fa Mon Sep 17 00:00:00 2001 
From: Elsa Mayra Irgens Date: Fri, 20 Oct 2023 13:09:19 +0200 Subject: [PATCH 2/2] remove link to auth-repo --- public-site/docs/src/other/scenarios/index.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/public-site/docs/src/other/scenarios/index.md b/public-site/docs/src/other/scenarios/index.md index fcb7e261..332a4472 100644 --- a/public-site/docs/src/other/scenarios/index.md +++ b/public-site/docs/src/other/scenarios/index.md @@ -13,8 +13,6 @@ For each scenario you can find example code for at least one programming languag App which authenticates the user in AD, if logged in read basic user information from AD. -- [Omnia Radix Auth Example](https://github.com/equinor/radix-example-auth) - Example for Omnia Radix showing how to use a OAuth proxy for authentication - [Omnia Radix OAuth proxy for authentication](https://github.com/equinor/radix-example-oauth-proxy)
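
Review bot: in `docs/topic-security/index.md`, the Authentication section still tells readers that application endpoints are public and that each team must authenticate its own users, but the hunk deletes the only pointer to a working example and puts an empty line in its place. `other/scenarios/index.md` still lists `radix-example-oauth-proxy` and `radix-example-oauth2-feature` after both patches, so link to that page here rather than leaving the section without a reference. In the same hunk the three role headings use `####` directly under `## Role Based Access Control`; use `###` so a heading level is not skipped, and fix "a Radix applications" and "can not". Since the Reader role is described as risk-free while granting log access, consider a sentence reminding teams that anything their application writes to logs becomes visible to that group.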
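
Review bot: in the `other/release/index.md` hunk under `## 2023`, the two job links use `../guides/jobs/...` while the radixconfig link on the same added line and the existing `../../guides/volume-mounts/` link use `../../`; from this file `../guides/` likely resolves under `other/` and will be broken. Use `../../guides/jobs/jobs-in-web-console.md` and `../../guides/jobs/configure-jobs.md#single-job`. The JSON sample is fenced with four backticks and no language tag, while the rest of the file uses three-backtick fences with a tag such as `yaml`. These three release entries are new content unrelated to the subject "Cleaned up links to sample repos" and would be easier to review and revert as their own commit.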
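
Review bot: the change from `uses: equinor/radix-github-actions@master` to `@v1` in the `list-apps` example of `other/release/index.md` is not a link cleanup and is not mentioned in the commit message; call it out so readers who copied the old snippet know to update their workflows. A tag or branch name such as `v1` can still be repointed, so consider adding one sentence that workflows needing an immutable reference can pin the action to a full commit SHA.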
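
Review bot: in `docs/topic-docker/index.md` under `### Testing`, removing the Dockerfile link leaves the section stating that tests can run as a build stage with nothing showing how. Either inline a short multistage Dockerfile with a test stage or link to a sample that is still maintained. While touching the line, change "when radix build the image" to "when Radix builds the image".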
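
Review bot: in `guides/deploy-only/index.md`, the `Modify radixconfig tag for production on master branch` step now refers to "a custom script" that the reader has no way to locate. Because this step commits and pushes to master from CI, say where the script is expected to live in the reader's own repository, or describe exactly which field of `radixconfig.yaml` it rewrites. The phrase "and the commits and push the change" should read "and then commits and pushes the change".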
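
Review bot: in PATCH 2/2, removing the `radix-example-auth` bullet leaves the description "App which authenticates the user in AD, if logged in read basic user information from AD." with no link under it, so it now reads as a lead-in to the OAuth proxy example that follows. Remove that description line in the same hunk, or replace the bullet with a link to a maintained sample.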