notebooks.yaml

---
- name: Notebooks deployments
  hosts: master
  become: true
  tasks:
    - name: Configure helm repo
      shell: |-
        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
        helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
        helm repo update
      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or
             'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"
    - name: Get Secrets from Vault for notebooks
      vars:
        name: "{{ item | basename | splitext | first }}"
      set_fact:
        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name,
          token_validate=false)}) }}"
      with_fileglob:
        - "../deployments/*.yaml"
    - name: Get Secrets from Vault for gateway
      set_fact:
        gateways_token: "{{ {item: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/gateway-' + item + ':authtoken',
          token_validate=false)} }}"
      loop:
        - cesnet-mcc
    # - name: Debug Deployments Secrets
    #   debug:
    #     msg: "{{ item.key }} = {{ item.value }}"
    #   loop: "{{ secrets | dict2items }}"
    # - name: Debug Gateway Secrets
    #   debug:
    #     msg: "{{ item.key }} = {{ item.value }}"
    #   loop: "{{ gateways_token | dict2items }}"
    - name: Copy config file to master
      vars:
        name: "{{ item | basename | splitext | first }}"
        secret: "{{ secrets[name] }}"
        gateways_token: "{{ gateways_token }}"
      template:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: 0600
      with_fileglob:
        - "../deployments/*.yaml"
    - name: Deploy/upgrade notebook instance
      vars:
        name: "{{ item | basename | splitext | first }}"
        version: "3.2.1" # app 4.0.2 (2023-11-27)
        monitor_version: "0.3.1"
      shell: |-
        helm status --namespace {{ name }} {{ name }}
        if [ $? -ne 0 ]; then
            helm install --create-namespace --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
                 {{ name }} jupyterhub/jupyterhub
        else
            helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
                --namespace {{ name }} {{ name }} jupyterhub/jupyterhub
        fi
        helm status --namespace {{ name }} {{ name }}-monitor
        if [ $? -ne 0 ]; then
            helm install --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ monitor_version }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        else
            helm upgrade --version {{ monitor_version }} \
                -f /tmp/{{ item | basename }} --namespace {{ name }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        fi
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"

    - name: Configure secrets management for the hub
      vars:
        name: "{{ item | basename | splitext | first }}"
      shell: |-
        kubectl apply -f - << EOF
        ---
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        rules:
          - apiGroups: [""]       # "" indicates the core API group
            resources: ["secrets"]
            verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
        ---
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        subjects:
          - kind: ServiceAccount
            name: hub
            namespace: {{ name }}
        roleRef:
          kind: Role
          name: hub-secrets
          apiGroup: rbac.authorization.k8s.io
        EOF
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"
    # do the extra bits of configuration
    # here we should have all the namespaces, pre-requirements in place
    # XXX: this won't remove things that are delete from the directory
    - name: Copy extra configuration files
      copy:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: 0600
      with_fileglob:
        - "../extra/*.yaml"
    - name: Extra configuration
      command: |-
          kubectl apply -f /tmp/{{ item | basename }}
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
      with_fileglob:
        - "../extra/*.yaml"
      when: true