Newer
Older
František Dvořák
committed
---
- name: Notebooks deployments
hosts: master
become: true
tasks:
- name: Configure helm repo
shell: |-
helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
František Dvořák
committed
helm repo update
when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or
'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"
František Dvořák
committed
- name: Get Secrets from Vault for notebooks
vars:
name: "{{ item | basename | splitext | first }}"
set_fact:
secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name,
token_validate=false)}) }}"
with_fileglob:
- "../deployments/*.yaml"
- name: Get Secrets from Vault for gateway
set_fact:
gateways_token: "{{ {item: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/gateway-' + item + ':authtoken',
František Dvořák
committed
token_validate=false)} }}"
František Dvořák
committed
# - name: Debug Deployments Secrets
# debug:
# msg: "{{ item.key }} = {{ item.value }}"
# loop: "{{ secrets | dict2items }}"
# - name: Debug Gateway Secrets
# debug:
# msg: "{{ item.key }} = {{ item.value }}"
# loop: "{{ gateways_token | dict2items }}"
- name: Copy config file to master
vars:
name: "{{ item | basename | splitext | first }}"
František Dvořák
committed
gateways_token: "{{ gateways_token }}"
template:
src: "{{ item }}"
dest: "/tmp/{{ item | basename }}"
mode: 0600
with_fileglob:
- "../deployments/*.yaml"
- name: Deploy/upgrade notebook instance
vars:
name: "{{ item | basename | splitext | first }}"
version: "3.2.1" # app 4.0.2 (2023-11-27)
František Dvořák
committed
shell: |-
helm status --namespace {{ name }} {{ name }}
if [ $? -ne 0 ]; then
helm install --create-namespace --namespace {{ name }} \
-f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
{{ name }} jupyterhub/jupyterhub
else
helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
--namespace {{ name }} {{ name }} jupyterhub/jupyterhub
fi
helm status --namespace {{ name }} {{ name }}-monitor
if [ $? -ne 0 ]; then
helm install --namespace {{ name }} \
-f /tmp/{{ item | basename }} --version {{ monitor_version }} \
{{ name }}-monitor eginotebooks/notebooks-monitor
else
helm upgrade --version {{ monitor_version }} \
-f /tmp/{{ item | basename }} --namespace {{ name }} \
{{ name }}-monitor eginotebooks/notebooks-monitor
fi
František Dvořák
committed
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
with_fileglob:
- "../deployments/*.yaml"
- name: Configure secrets management for the hub
vars:
name: "{{ item | basename | splitext | first }}"
shell: |-
kubectl apply -f - << EOF
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub-secrets
namespace: {{ name }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["secrets"]
verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub-secrets
namespace: {{ name }}
subjects:
- kind: ServiceAccount
name: hub
namespace: {{ name }}
roleRef:
kind: Role
name: hub-secrets
apiGroup: rbac.authorization.k8s.io
EOF
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
with_fileglob: