debug

.gitignore

@@ -0,0 +1 @@
+deployment/secrets.txt

.woodpecker.yml

@@ -15,14 +15,18 @@ steps:
       - event: [push, tag]
 
   deploy:
-    image: portainer/kubectl-shell:latest
+    image: quay.io/wollud1969/k8s-admin-helper:0.1.2
     secrets:
       - source: kube_config
         target: KUBE_CONFIG_CONTENT
+      - source: gpg_passphrase
+        target: GPG_PASSPHRASE
     commands:
       - export IMAGE_TAG=$CI_COMMIT_TAG
       - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
       - export KUBECONFIG=/tmp/kubeconfig
+      - id
+      - pwd
       - ./deployment/deploy.sh
     when:
       - event: tag

Dockerfile

@@ -13,6 +13,7 @@ USER $NB_USER
 RUN \
   conda update -y -n base conda && \
   pip install psycopg && \
+  pip install plotly && \
   conda install -y pandas-datareader && \
   fix-permissions $CONDA_DIR && \
   fix-permissions /home/$NB_USER 

deployment/deploy-yml.tmpl

@@ -19,6 +19,8 @@ metadata:
   name: traefik-forward-auth
   labels:
     app: traefik-forward-auth
+  annotations:
+    secret.reloader.stakater.com/reload: traefik-forward-auth
 spec:
   replicas: 1
   selector:
@@ -144,6 +146,18 @@ spec:
       - X-Forwarded-User
 
 ---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jupyter-workspace
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-client
+  resources:
+    requests:
+      storage: 100Mi
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -169,6 +183,17 @@ spec:
           env:
             - name: JUPYTER_PORT
               value: "8888"
+          envFrom:
+            - secretRef:
+                name: jupyter
+          volumeMounts:
+            - mountPath: /home/jovyan/work
+              name: work
+      volumes:
+        - name: work
+          persistentVolumeClaim:
+            claimName: jupyter-workspace
+
 ---
 apiVersion: v1
 kind: Service

deployment/deploy.sh

@@ -4,19 +4,43 @@ if [ "$IMAGE_TAG" == "" ]; then
   echo "Make sure IMAGE_TAG is set"
   exit 1
 fi
-
+if [ "$GPG_PASSPHRASE" == "" ]; then
+  echo "Make sure GPG_PASSPHRASE is set"
+  exit 1
+fi
 
 IMAGE_NAME=gitea.hottis.de/wn/jupyter-scipy-database-extension
 NAMESPACE=jupyter
 DEPLOYMENT_DIR=$PWD/deployment
 
 pushd $DEPLOYMENT_DIR > /dev/null
+SECRETS_FILE=`mktemp`
+gpg --decrypt --passphrase $GPG_PASSPHRASE --yes --batch --output $SECRETS_FILE secrets.asc
+. $SECRETS_FILE
+rm $SECRETS_FILE
 
 kubectl create namespace $NAMESPACE \
   --dry-run=client \
   -o yaml | \
   kubectl -f - apply
 
+kubectl create secret generic traefik-forward-auth \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=PROVIDERS_OIDC_CLIENT_SECRET="$PROVIDERS_OIDC_CLIENT_SECRET" \
+  --from-literal=SECRET="$SECRET" | \
+  kubectl apply -f - -n $NAMESPACE
+
+kubectl create secret generic jupyter \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=PGHOST="$PGHOST" | \
+  --from-literal=PGUSER="$PGUSER" | \
+  --from-literal=PGPASSWORD="$PGPASSWORD" | \
+  --from-literal=PGSSLMODE="$PGSSLMODE" | \
+  kubectl apply -f - -n $NAMESPACE
 
 cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
   sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
@@ -24,3 +48,4 @@ cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
 
 popd > /dev/null
 
+

deployment/secret.yml

@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  name: traefik-forward-auth
-type: Opaque
-data:
-  PROVIDERS_OIDC_CLIENT_SECRET: PLACEHOLDER
-  SECRET: PLACEHOLDER
-

deployment/secrets.asc

@@ -0,0 +1,10 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMIDcQyZABQeUf80sBKAQqlG05S05vOpXgoo7dj3iuiAXzOXA+M49yRAJwO
+2T4OhVeEeUAkrzWNWtarDh8K6FJMS9wxhU6PkoJmry3+krIN+IvGGiMvRaxekB2F
+xS6hA4eSH0GIKf7bzYSBekuyI0PuIXWozy4u8cK17mguPjWml3pp7niRmhDlSHyA
+S8RBgiYCuVE4xk9jmJUPosHbDDpzuNb46iYQQdL7XGTVuASB7sujptgmn+ZJrs3i
+kS6Qzkc6eCd6aDqqNwcynwzIi1e/jBk/zihEEY7qYPcU2Wsw0y9QqFRFR7F3WGUz
+8MNv4bnC60awXzO9O3FTxe1JrkWN+V+q25iElLm2rpUUaPTNjyehnAmK0ho=
+=/vom
+-----END PGP MESSAGE-----