Compare commits
12 Commits
Author | SHA1 | Date | |
---|---|---|---|
55803d3a5c
|
|||
f46f7b06d1
|
|||
8af7497bad
|
|||
87bb67365a
|
|||
fcdf97a9fa
|
|||
7483095d5f
|
|||
e2e497270d
|
|||
492bd7292d
|
|||
e8e561ed27
|
|||
626441ad42
|
|||
cb4c5ab769
|
|||
84dc821eca
|
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
deployment/secrets.txt
|
@ -15,14 +15,18 @@ steps:
|
|||||||
- event: [push, tag]
|
- event: [push, tag]
|
||||||
|
|
||||||
deploy:
|
deploy:
|
||||||
image: portainer/kubectl-shell:latest
|
image: quay.io/wollud1969/k8s-admin-helper:0.1.2
|
||||||
secrets:
|
secrets:
|
||||||
- source: kube_config
|
- source: kube_config
|
||||||
target: KUBE_CONFIG_CONTENT
|
target: KUBE_CONFIG_CONTENT
|
||||||
|
- source: gpg_passphrase
|
||||||
|
target: GPG_PASSPHRASE
|
||||||
commands:
|
commands:
|
||||||
- export IMAGE_TAG=$CI_COMMIT_TAG
|
- export IMAGE_TAG=$CI_COMMIT_TAG
|
||||||
- printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
|
- printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
|
||||||
- export KUBECONFIG=/tmp/kubeconfig
|
- export KUBECONFIG=/tmp/kubeconfig
|
||||||
|
- id
|
||||||
|
- pwd
|
||||||
- ./deployment/deploy.sh
|
- ./deployment/deploy.sh
|
||||||
when:
|
when:
|
||||||
- event: tag
|
- event: tag
|
||||||
|
@ -13,6 +13,7 @@ USER $NB_USER
|
|||||||
RUN \
|
RUN \
|
||||||
conda update -y -n base conda && \
|
conda update -y -n base conda && \
|
||||||
pip install psycopg && \
|
pip install psycopg && \
|
||||||
|
pip install plotly && \
|
||||||
conda install -y pandas-datareader && \
|
conda install -y pandas-datareader && \
|
||||||
fix-permissions $CONDA_DIR && \
|
fix-permissions $CONDA_DIR && \
|
||||||
fix-permissions /home/$NB_USER
|
fix-permissions /home/$NB_USER
|
||||||
|
@ -1,3 +1,163 @@
|
|||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
data:
|
||||||
|
INSECURE_COOKIE: 'true'
|
||||||
|
COOKIE_DOMAIN: jupyter.hottis.de
|
||||||
|
DOMAINS: jupyter.hottis.de
|
||||||
|
AUTH_HOST: auth.jupyter.hottis.de
|
||||||
|
URL_PATH: /_oauth
|
||||||
|
DEFAULT_PROVIDER: oidc
|
||||||
|
PROVIDERS_OIDC_ISSUER_URL: https://auth2.hottis.de/realms/hottis
|
||||||
|
PROVIDERS_OIDC_CLIENT_ID: jupyter
|
||||||
|
REQUIRED_ROLE: JupyterAccess
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
labels:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
annotations:
|
||||||
|
secret.reloader.stakater.com/reload: traefik-forward-auth
|
||||||
|
spec:
|
||||||
|
replicas: 1
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
annotations:
|
||||||
|
container.apparmor.security.beta.kubernetes.io/traefik-forward-auth: runtime/default
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: traefik-forward-auth
|
||||||
|
#image: thomseddon/traefik-forward-auth
|
||||||
|
image: wollud1969/traefik-forward-auth:3.0.0
|
||||||
|
imagePullPolicy: Always
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 65534
|
||||||
|
runAsGroup: 65534
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
livenessProbe:
|
||||||
|
failureThreshold: 3
|
||||||
|
tcpSocket:
|
||||||
|
port: 4181
|
||||||
|
initialDelaySeconds: 10
|
||||||
|
periodSeconds: 10
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
memory: '50Mi'
|
||||||
|
cpu: '100m'
|
||||||
|
ports:
|
||||||
|
- containerPort: 4181
|
||||||
|
protocol: TCP
|
||||||
|
env:
|
||||||
|
- name: PROVIDERS_OIDC_CLIENT_SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
key: PROVIDERS_OIDC_CLIENT_SECRET
|
||||||
|
- name: SECRET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
key: SECRET
|
||||||
|
- name: LOG_LEVEL
|
||||||
|
value: info
|
||||||
|
envFrom:
|
||||||
|
- configMapRef:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
labels:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
ports:
|
||||||
|
- name: auth-http
|
||||||
|
port: 4181
|
||||||
|
targetPort: 4181
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: auth-jupyter-hottis-de
|
||||||
|
spec:
|
||||||
|
secretName: auth-jupyter-cert
|
||||||
|
duration: 2160h
|
||||||
|
renewBefore: 360h
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- hottis-de
|
||||||
|
isCA: false
|
||||||
|
privateKey:
|
||||||
|
algorithm: RSA
|
||||||
|
encoding: PKCS1
|
||||||
|
size: 2048
|
||||||
|
usages:
|
||||||
|
- server auth
|
||||||
|
dnsNames:
|
||||||
|
- auth.jupyter.hottis.de
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-production-http
|
||||||
|
kind: ClusterIssuer
|
||||||
|
group: cert-manager.io
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
|
metadata:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
labels:
|
||||||
|
app: traefik-forward-auth
|
||||||
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`auth.jupyter.hottis.de`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: traefik-forward-auth
|
||||||
|
port: 4181
|
||||||
|
tls:
|
||||||
|
secretName: auth-jupyter-cert
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: traefik-forward-auth
|
||||||
|
spec:
|
||||||
|
forwardAuth:
|
||||||
|
trustForwardHeader: true
|
||||||
|
address: http://traefik-forward-auth.jupyter.svc.cluster.local:4181
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-Forwarded-User
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
name: jupyter-workspace
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
storageClassName: nfs-client
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 100Mi
|
||||||
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
@ -23,6 +183,17 @@ spec:
|
|||||||
env:
|
env:
|
||||||
- name: JUPYTER_PORT
|
- name: JUPYTER_PORT
|
||||||
value: "8888"
|
value: "8888"
|
||||||
|
envFrom:
|
||||||
|
- secretRef:
|
||||||
|
name: jupyter
|
||||||
|
volumeMounts:
|
||||||
|
- mountPath: /home/jovyan/work
|
||||||
|
name: work
|
||||||
|
volumes:
|
||||||
|
- name: work
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: jupyter-workspace
|
||||||
|
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
@ -37,26 +208,48 @@ spec:
|
|||||||
targetPort: 8888
|
targetPort: 8888
|
||||||
port: 80
|
port: 80
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Ingress
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: jupyter-hottis-de
|
||||||
|
spec:
|
||||||
|
secretName: jupyter-cert
|
||||||
|
duration: 2160h
|
||||||
|
renewBefore: 360h
|
||||||
|
subject:
|
||||||
|
organizations:
|
||||||
|
- hottis-de
|
||||||
|
isCA: false
|
||||||
|
privateKey:
|
||||||
|
algorithm: RSA
|
||||||
|
encoding: PKCS1
|
||||||
|
size: 2048
|
||||||
|
usages:
|
||||||
|
- server auth
|
||||||
|
dnsNames:
|
||||||
|
- jupyter.hottis.de
|
||||||
|
issuerRef:
|
||||||
|
name: letsencrypt-production-http
|
||||||
|
kind: ClusterIssuer
|
||||||
|
group: cert-manager.io
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: IngressRoute
|
||||||
metadata:
|
metadata:
|
||||||
name: jupyter
|
name: jupyter
|
||||||
annotations:
|
labels:
|
||||||
cert-manager.io/cluster-issuer: letsencrypt-staging-http
|
app: jupyter
|
||||||
spec:
|
spec:
|
||||||
|
entryPoints:
|
||||||
|
- websecure
|
||||||
|
routes:
|
||||||
|
- match: Host(`jupyter.hottis.de`)
|
||||||
|
kind: Rule
|
||||||
|
services:
|
||||||
|
- name: jupyter
|
||||||
|
port: 80
|
||||||
|
middlewares:
|
||||||
|
- name: traefik-forward-auth
|
||||||
tls:
|
tls:
|
||||||
- hosts:
|
secretName: jupyter-cert
|
||||||
- jupyter.hottis.de
|
|
||||||
secretName: jupyter-cert
|
|
||||||
rules:
|
|
||||||
- host: jupyter.hottis.de
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
pathType: Prefix
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: jupyter
|
|
||||||
port:
|
|
||||||
number: 80
|
|
||||||
|
|
||||||
|
@ -4,19 +4,43 @@ if [ "$IMAGE_TAG" == "" ]; then
|
|||||||
echo "Make sure IMAGE_TAG is set"
|
echo "Make sure IMAGE_TAG is set"
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
if [ "$GPG_PASSPHRASE" == "" ]; then
|
||||||
|
echo "Make sure GPG_PASSPHRASE is set"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
|
IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
|
||||||
NAMESPACE=jupyter
|
NAMESPACE=jupyter
|
||||||
DEPLOYMENT_DIR=$PWD/deployment
|
DEPLOYMENT_DIR=$PWD/deployment
|
||||||
|
|
||||||
pushd $DEPLOYMENT_DIR > /dev/null
|
pushd $DEPLOYMENT_DIR > /dev/null
|
||||||
|
SECRETS_FILE=`mktemp`
|
||||||
|
gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --output $SECRETS_FILE secrets.asc
|
||||||
|
. $SECRETS_FILE
|
||||||
|
rm $SECRETS_FILE
|
||||||
|
|
||||||
kubectl create namespace $NAMESPACE \
|
kubectl create namespace $NAMESPACE \
|
||||||
--dry-run=client \
|
--dry-run=client \
|
||||||
-o yaml | \
|
-o yaml | \
|
||||||
kubectl -f - apply
|
kubectl -f - apply
|
||||||
|
|
||||||
|
kubectl create secret generic traefik-forward-auth \
|
||||||
|
--dry-run=client \
|
||||||
|
-o yaml \
|
||||||
|
--save-config \
|
||||||
|
--from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
|
||||||
|
--from-literal=SECRET="$SECRET" | \
|
||||||
|
kubectl apply -f - -n $NAMESPACE
|
||||||
|
|
||||||
|
kubectl create secret generic jupyter \
|
||||||
|
--dry-run=client \
|
||||||
|
-o yaml \
|
||||||
|
--save-config \
|
||||||
|
--from-literal=PGHOST="$PGHOST" | \
|
||||||
|
--from-literal=PGUSER="$PGUSER" | \
|
||||||
|
--from-literal=PGPASSWORD="$PGPASSWORD" | \
|
||||||
|
--from-literal=PGSSLMODE="$PGSSLMODE" | \
|
||||||
|
kubectl apply -f - -n $NAMESPACE
|
||||||
|
|
||||||
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
||||||
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
|
sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
|
||||||
@ -24,3 +48,4 @@ cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
|
|||||||
|
|
||||||
popd > /dev/null
|
popd > /dev/null
|
||||||
|
|
||||||
|
|
||||||
|
10
deployment/secrets.asc
Normal file
10
deployment/secrets.asc
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
-----BEGIN PGP MESSAGE-----
|
||||||
|
|
||||||
|
jA0ECQMIDcQyZABQeUf80sBKAQqlG05S05vOpXgoo7dj3iuiAXzOXA+M49yRAJwO
|
||||||
|
2T4OhVeEeUAkrzWNWtarDh8K6FJMS9wxhU6PkoJmry3+krIN+IvGGiMvRaxekB2F
|
||||||
|
xS6hA4eSH0GIKf7bzYSBekuyI0PuIXWozy4u8cK17mguPjWml3pp7niRmhDlSHyA
|
||||||
|
S8RBgiYCuVE4xk9jmJUPosHbDDpzuNb46iYQQdL7XGTVuASB7sujptgmn+ZJrs3i
|
||||||
|
kS6Qzkc6eCd6aDqqNwcynwzIi1e/jBk/zihEEY7qYPcU2Wsw0y9QqFRFR7F3WGUz
|
||||||
|
8MNv4bnC60awXzO9O3FTxe1JrkWN+V+q25iElLm2rpUUaPTNjyehnAmK0ho=
|
||||||
|
=/vom
|
||||||
|
-----END PGP MESSAGE-----
|
Reference in New Issue
Block a user