notebooks.yaml

---
- name: Notebooks deployments
  hosts: master
  become: true
  tasks:
    - name: Configure helm repo
      shell: |-
        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
        helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
        helm repo update
      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or
             'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"
    - name: Get Secrets from Vault for notebooks
      vars:
        name: "{{ item | basename | splitext | first }}"
      set_fact:
        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name,
          token_validate=false)}) }}"
      with_fileglob:
        - "../deployments/*.yaml"
    - name: Debug Deployments Secrets
      debug:
        msg: "{{ item.key }} = {{ item.value }}"
      loop: "{{ secrets | dict2items }}"
    - name: Copy config file to master
      vars:
        name: "{{ item | basename | splitext | first }}"
        secret: "{{ secrets[name] }}"
      template:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: 0600
      with_fileglob:
        - "../deployments/*.yaml"
    - name: Deploy/upgrade notebook instance
      vars:
        name: "{{ item | basename | splitext | first }}"
        version: "3.2.1" # app 4.0.2 (2023-11-27)
        monitor_version: "0.3.1"
      shell: |-
        helm status --namespace {{ name }} {{ name }}
        if [ $? -ne 0 ]; then
            helm install --create-namespace --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
                 {{ name }} jupyterhub/jupyterhub
        else
            helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
                --namespace {{ name }} {{ name }} jupyterhub/jupyterhub
        fi
        helm status --namespace {{ name }} {{ name }}-monitor
        if [ $? -ne 0 ]; then
            helm install --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ monitor_version }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        else
            helm upgrade --version {{ monitor_version }} \
                -f /tmp/{{ item | basename }} --namespace {{ name }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        fi
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"

    - name: Configure secrets management for the hub
      vars:
        name: "{{ item | basename | splitext | first }}"
      shell: |-
        kubectl apply -f - << EOF
        ---
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        rules:
          - apiGroups: [""]       # "" indicates the core API group
            resources: ["secrets"]
            verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
        ---
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        subjects:
          - kind: ServiceAccount
            name: hub
            namespace: {{ name }}
        roleRef:
          kind: Role
          name: hub-secrets
          apiGroup: rbac.authorization.k8s.io
        EOF
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"
    # do the extra bits of configuration
    # here we should have all the namespaces, pre-requirements in place
    # XXX: this won't remove things that are delete from the directory
    - name: Copy extra configuration files
      copy:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: 0600
      with_fileglob:
        - "../extra/*.yaml"
    - name: Extra configuration
      command: |-
          kubectl apply -f /tmp/{{ item | basename }}
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
      with_fileglob:
        - "../extra/*.yaml"
      when: true
    # Workaround for pods stuck in "Terminating" state
    - name: K8s pods cleaner script
      copy:
        dest: /usr/local/bin/k8s-pods-cleaner.sh
        src: files/usr/local/bin/k8s-pods-cleaner.sh
        mode: preserve
    # Workaround for pods stuck in "Terminating" state
    - name: Regular cleanup of failed user notebooks pods
      vars:
        name: "{{ item | basename | splitext | first }}"
      cron:
        cron_file: "notebooks-{{ name }}-cleaner"
        name: "Notebooks {{ name }} cleanup"
        minute: "*"
        hour: "*"
        job: "KUBECONFIG=$HOME/.kube/config /usr/local/bin/k8s-pods-cleaner.sh '{{ name }}' --yes >/dev/null 2>&1"
        user: egi
      with_fileglob:
        - "../deployments/*.yaml"
- hosts: nfs
  become: true
  tasks:
    - name: Quota settings
      vars:
        name: "{{ item | basename | splitext | first }}"
      cron:
        cron_file: notebook-quotas
        name: "{{ name }} quotas"
        minute: "0"
        hour: "*/2"
        job: "/usr/local/bin/xfs-quotas.sh --include ^/exports/{{ name }}- --exclude ^/exports/{{ name }}-hub-db-dir-"
        user: root
      with_fileglob:
        - "../deployments/*.yaml"