8 Commits
0.0.3 ... 0.2.0

Author SHA1 Message Date
7483095d5f add plotly
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/tag/woodpecker Pipeline was successful
2025-01-21 18:42:52 +01:00
e2e497270d pvc added
All checks were successful
ci/woodpecker/tag/woodpecker Pipeline was successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-06-02 13:19:24 +02:00
492bd7292d fix 2
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/tag/woodpecker Pipeline was successful
2024-01-29 17:55:16 +01:00
e8e561ed27 fix
All checks were successful
ci/woodpecker/tag/woodpecker Pipeline was successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-01-29 17:52:24 +01:00
626441ad42 nothing
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/tag/woodpecker Pipeline was successful
2024-01-29 17:37:47 +01:00
cb4c5ab769 secrets
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
2024-01-29 17:32:14 +01:00
84dc821eca auth
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/tag/woodpecker Pipeline was successful
2024-01-29 16:37:07 +01:00
262c670859 fix config, 2
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/tag/woodpecker Pipeline was successful
2024-01-26 21:39:08 +01:00
8 changed files with 301 additions and 19 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
deployment/secrets.txt

View File

@ -19,6 +19,10 @@ steps:
secrets:
- source: kube_config
target: KUBE_CONFIG_CONTENT
- source: encryption_key
target: ENCRYPTION_KEY
- source: secrets_checksum
target: MD5_CHECKSUM
commands:
- export IMAGE_TAG=$CI_COMMIT_TAG
- printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig

View File

@ -13,6 +13,7 @@ USER $NB_USER
RUN \
conda update -y -n base conda && \
pip install psycopg && \
pip install plotly && \
conda install -y pandas-datareader && \
fix-permissions $CONDA_DIR && \
fix-permissions /home/$NB_USER

43
deployment/decrypt-secrets.sh Executable file
View File

@ -0,0 +1,43 @@
#!/bin/bash
if [ "$ENCRYPTION_KEY" = "" ]; then
echo "ENCRYPTION_KEY not set"
exit 1
fi
if [ "$MD5_CHECKSUM" = "" ]; then
echo "No checksum given"
exit 1
fi
SECRETS_CIPHERTEXT_FILE=secrets.enc
SECRETS_PLAINTEXT_FILE=/tmp/secrets
TMP_FILE=`mktemp`
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_CIPHERTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
$TMP_FILE
if [ `uname` = "Darwin" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
elif [ `uname` = "Linux" ]; then
CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
fi
if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
echo "Invalid checksum"
exit 1
fi
# cat $TMP_FILE
mv $TMP_FILE $SECRETS_PLAINTEXT_FILE

View File

@ -1,3 +1,163 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-forward-auth
data:
INSECURE_COOKIE: 'true'
COOKIE_DOMAIN: jupyter.hottis.de
DOMAINS: jupyter.hottis.de
AUTH_HOST: auth.jupyter.hottis.de
URL_PATH: /_oauth
DEFAULT_PROVIDER: oidc
PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
PROVIDERS_OIDC_CLIENT_ID: jupyter
REQUIRED_ROLE: JupyterAccess
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
annotations:
secret.reloader.stakater.com/reload: traefik-forward-auth
spec:
replicas: 1
selector:
matchLabels:
app: traefik-forward-auth
template:
metadata:
labels:
app: traefik-forward-auth
annotations:
container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
spec:
containers:
- name: traefik-forward-auth
#image: thomseddon/traefik-forward-auth
image: wollud1969/traefik-forward-auth:3.0.0
imagePullPolicy: Always
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
capabilities:
drop:
- ALL
livenessProbe:
failureThreshold: 3
tcpSocket:
port: 4181
initialDelaySeconds: 10
periodSeconds: 10
resources:
limits:
memory: '50Mi'
cpu: '100m'
ports:
- containerPort: 4181
protocol: TCP
env:
- name: PROVIDERS_OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth
key: PROVIDERS_OIDC_CLIENT_SECRET
- name: SECRET
valueFrom:
secretKeyRef:
name: traefik-forward-auth
key: SECRET
- name: LOG_LEVEL
value: info
envFrom:
- configMapRef:
name: traefik-forward-auth
---
apiVersion: v1
kind: Service
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
type: ClusterIP
selector:
app: traefik-forward-auth
ports:
- name: auth-http
port: 4181
targetPort: 4181
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: auth-jupyter-hottis-de
spec:
secretName: auth-jupyter-cert
duration: 2160h
renewBefore: 360h
subject:
organizations:
- hottis-de
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- auth.jupyter.hottis.de
issuerRef:
name: letsencrypt-production-http
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-forward-auth
labels:
app: traefik-forward-auth
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.jupyter.hottis.de`)
kind: Rule
services:
- name: traefik-forward-auth
port: 4181
tls:
secretName: auth-jupyter-cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: traefik-forward-auth
spec:
forwardAuth:
trustForwardHeader: true
address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
authResponseHeaders:
- X-Forwarded-User
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jupyter-workspace
spec:
accessModes:
- ReadWriteOnce
storageClassName: nfs-client
resources:
requests:
storage: 100Mi
---
apiVersion: apps/v1
kind: Deployment
metadata:
@ -22,7 +182,15 @@ spec:
protocol: TCP
env:
- name: JUPYTER_PORT
value: 8888
value: "8888"
volumeMounts:
- mountPath: /home/jovyan/work
name: work
volumes:
- name: work
persistentVolumeClaim:
claimName: jupyter-workspace
---
apiVersion: v1
kind: Service
@ -37,26 +205,48 @@ spec:
targetPort: 8888
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: jupyter-hottis-de
spec:
secretName: jupyter-cert
duration: 2160h
renewBefore: 360h
subject:
organizations:
- hottis-de
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
dnsNames:
- jupyter.hottis.de
issuerRef:
name: letsencrypt-production-http
kind: ClusterIssuer
group: cert-manager.io
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: jupyter
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging-http
labels:
app: jupyter
spec:
entryPoints:
- websecure
routes:
- match: Host(`jupyter.hottis.de`)
kind: Rule
services:
- name: jupyter
port: 80
middlewares:
- name: traefik-forward-auth
tls:
- hosts:
- jupyter.hottis.de
secretName: jupyter-cert
rules:
- host: jupyter.hottis.de
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jupyter
port:
number: 80
secretName: jupyter-cert

View File

@ -11,12 +11,23 @@ NAMESPACE=jupyter
DEPLOYMENT_DIR=$PWD/deployment
pushd $DEPLOYMENT_DIR > /dev/null
./decrypt-secrets.sh || exit 1
. /tmp/secrets
rm /tmp/secrets
kubectl create namespace $NAMESPACE \
--dry-run=client \
-o yaml | \
kubectl -f - apply
kubectl create secret generic traefik-forward-auth \
--dry-run=client \
-o yaml \
--save-config \
--from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
--from-literal=SECRET="$SECRET" | \
kubectl apply -f - -n $NAMESPACE
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
@ -24,3 +35,4 @@ cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
popd > /dev/null

28
deployment/encrypt-secrets.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/bash
ENCRYPTION_KEY=`openssl rand -hex 32`
echo $ENCRYPTION_KEY
SECRETS_PLAINTEXT_FILE=secrets.txt
SECRETS_CIPHERTEXT_FILE=secrets.enc
if [ `uname` = "Darwin" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5
elif [ `uname` = "Linux" ]; then
cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
fi
POD_NAME_SUFFIX=`date +%s`
cat $SECRETS_PLAINTEXT_FILE | \
kubectl run openssl-$POD_NAME_SUFFIX \
--rm \
--image bitnami/debian-base-buildpack:latest \
--env KEY=$ENCRYPTION_KEY \
-i \
-q \
-- \
/bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
$SECRETS_CIPHERTEXT_FILE

3
deployment/secrets.enc Normal file
View File

@ -0,0 +1,3 @@
U2FsdGVkX1+ieFWR0PfwpZvaYyk9EzC6noAzAyjeRxrX4UDdQ5cIE1Rdtymt/eo5
acU7SqzyrCRaJyCvAgqrqbNCn3qgL+PENLZbcyT8115MlIVSmMfkBXhN6Mc1KMOo
todGAfQ9twY/tsuoxwTeb621IBiq4XwhRPMI1+xsoNk=