Commit 7148c282 authored by František Dvořák's avatar František Dvořák

Initial import

Showing
with 1112 additions and 0 deletions
skip_list:
- fqcn-builtins
- yaml[line-length]
LICENSE 0 → 100644
The MIT License (MIT)
Copyright (c) 2020-2024 The authors
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.
# EOSC Notebooks
This directory has all the files to get started with a new deployment of EOSC
Notebooks.
## Admin Environment Setup
### Hashicorp Vault
Prepare environment for interrating with Hashicorp Vault:
export VAULT_ADDR=https://vault.egi.zcu.cz:8200
# replace $LOGIN for real user name in vault
vault login -method=userpass username=$LOGIN
Check environment:
vault kv get -mount=eosc/dev -field 'data' -format=json test
Note: values were created as admin by commands (replace $SECRET\_NAME and $VALUE):
vault kv put -mount=eosc/dev $SECRET_NAME value=$VALUE
## Sites
### CESNET Central
Kubernetes cluster for the "central" components - Jupyter Hub, image repository, ...
### CESNET MCC
Example site. Kubernetes cluster for worker nodes.
[defaults]
inventory=inventory
[diff]
always=true
#! /bin/bash -xe
#
# See https://docs.egi.eu/providers/notebooks/operations/
# (without terraform and ansible-inventory tools)
#
INGRESS_HOSTNAME='eosc.zcu.cz'
ip4=78.128.247.56
ip6=2001:718:ff05:205::56
# wait ping
while ! ping -c 1 "$ip4"; do sleep 5; done
# wait ssh
while ! ssh egi@"$ip4" -o ConnectTimeout=10 -o PreferredAuthentications=publickey -o StrictHostKeyChecking=no :; do sleep 10; done
# check ssh access
ansible -m command -a 'uname -a' allnodes
# wait cloud-init
ansible -m shell -a 'while ! test -f /var/lib/cloud/instance/boot-finished; do sleep 2; done' allnodes
# kubernetes
ansible-playbook playbooks/k8s.yaml
# image repository
ansible-playbook playbooks/repository-nexus.yaml
# wait for finish
while ansible -m command -a 'kubectl get pods --all-namespaces' master | tail -n +3 | grep -v ' Running '; do sleep 5; done
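Review bot: The bootstrap ssh loop at L68 passes `-o StrictHostKeyChecking=no`, which keeps connecting even when the host key does not match what is already in known_hosts, so a host-key change on the freshly created VM is never surfaced; `-o StrictHostKeyChecking=accept-new` records an unknown key but still refuses a changed one, or the key can be seeded into known_hosts from the cloud console output before the loop. The `-xe` in the shebang at L57 is lost whenever the script is started as `bash deploy.sh`, so `set -xe` belongs as the first statement instead. `INGRESS_HOSTNAME` (L62) and `ip6` (L64) are assigned but never read in this file; if they are meant for a later step a comment should say so, otherwise they should go. The wait loop at L78 keeps looping while any pod line is not `Running`, which presumably includes pods in `Completed` state — worth confirming that none of the installed charts leave one behind, or the loop never terminates.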
---
fip:
hosts:
78.128.247.56:
ingress_0:
hosts:
k8s-ingress.vm.cesnet.cz:
ingress:
hosts:
k8s-ingress.vm.cesnet.cz:
master:
hosts:
k8s-master.vm.cesnet.cz:
nfs:
hosts:
k8s-nfs.vm.cesnet.cz:
worker:
children:
ingress:
nfs:
---
allnodes:
children:
master:
worker:
all:
vars:
ansible_become: yes
ansible_user: egi
site_name: cesnet-central
vault_mount_point: eosc/dev
binder_hostname: replay.eosc.zcu.cz
old_binder_hostname: binder.eosc.zcu.cz
docker2_hostname: registry.eosc.zcu.cz
docker_hostname: docker.eosc.zcu.cz
grafana_hostname: grafana.eosc.zcu.cz
nexus_hostname: nexus.eosc.zcu.cz
#! /bin/sh
helm repo list -o json 2</dev/null || echo '{}'
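Review bot: The redirection at L118 is `2</dev/null`, which opens /dev/null for reading on fd 2 rather than sending helm's stderr to it; the intended form is `helm repo list -o json 2>/dev/null || echo '{}'`. With the current form any stderr write fails on a read-only descriptor, which happens to keep the fact output clean but is not what the line says and will confuse the next reader. Since the fact is installed at L795-L797 and consumed by the `when:` conditions at L805, L810, L832 and L906, a stray non-JSON line on stdout would break every helm-repo task, so it is worth keeping stdout strictly JSON here.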
#! /bin/sh
alias kclaims='kubectl get pvc --all-namespaces'
alias kcronjobs='kubectl get cronjobs --all-namespaces'
alias kdeployments='kubectl get deployments --all-namespaces'
alias kds='kubectl get ds --all-namespaces'
alias kendpoints='kubectl get endpoints --all-namespaces'
alias kevents='kubectl get events --sort-by=.metadata.creationTimestamp --all-namespaces'
alias kingress='kubectl get ingress --all-namespaces'
alias kjobs='kubectl get jobs --all-namespaces'
alias knodes='kubectl get nodes'
alias kpods='kubectl get pods --all-namespaces'
alias kroles='kubectl get roles --all-namespaces'
alias ksecrets='kubectl get secrets --all-namespaces'
alias kservices='kubectl get services --all-namespaces'
alias kvolumes='kubectl get pv --all-namespaces'
alias ke='kubectl exec -it'
alias kl='kubectl logs --all-containers'
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Privacy policy</title>
<meta http-equiv="X-UA-Compatible" content="chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link
rel="stylesheet"
href="/hub/static/css/style.min.css"
type="text/css"
/>
<link
rel="stylesheet"
href="/policies/style.css"
type="text/css"
/>
</head>
<body>
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<span id="jupyterhub-logo" class="pull-left">
<a href="/hub/"
><img
src="/hub/logo"
alt="JupyterHub"
class="jpy-logo"
title="Home"
/></a>
</span>
</div>
<div class="collapse navbar-collapse" id="thenavbar">
<ul class="nav navbar-nav navbar-right">
<li>
<span id="user-guide">
<a
role="button"
class="navbar-btn btn-sm btn btn-egi"
href="https://docs.egi.eu/users/dev-env/notebooks/"
>
<i aria-hidden="true" class="fa fa-book"></i> User Guide</a
>
</span>
</li>
</ul>
</div>
</div>
</nav>
<div class="container">
<h1>Privacy Notice</h1>
<table class="table">
<tbody>
<tr>
<th>Name of the Service</th>
<td>Notebooks</td>
</tr>
<tr>
<th>Description of the Service</th>
<td>
<p>
The EGI Notebooks service (hereinafter referred to as: "the
service" or "Notebooks" provides a browser-based tool for
interactive analysis of data using EGI storage and compute
infrastructures based on the JupyterHub technology.
</p>
<p>
This privacy notice describes how we, the EGI Foundation
(hereinafter referred to as "we" or "the Data Controller"),
collect and process data by which you can be personally
identified ("Personal Data") when you use the service.
</p>
</td>
</tr>
<tr>
<th>Data controller</th>
<td>
<address class="vcard">
<span class="fn org">EGI Foundation</span>
<span class="street-address">Science Park 140</span>
<span class="postal-code">1098 XG</span>
<span class="locality">Amsterdam</span>
<span class="country-name">Netherlands</span>
</address>
</td>
</tr>
<tr>
<th>Data Protection Officer</th>
<td>
<address class="vcard">
<span class="fn org"
>EGI Foundation Data Protection Officer</span
>
<span class="street-address">Science Park 140</span>
<span class="postal-code">1098 XG</span>
<span class="locality">Amsterdam</span>
<span class="country-name">Netherlands</span>
<span class="email"
>E-mail: <a href="mailto:dpo@egi.eu">dpo@egi.eu</a></span
>
</address>
</td>
</tr>
<tr>
<th>Jurisdiction and supervisory authority</th>
<td>
<p>Jurisdiction: NL, Netherlands</p>
<p>
EGI Foundation's lead supervisory authority is the Dutch Data
Protection Authority. They can be contacted at
<a
href="https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us"
>https://autoriteitpersoonsgegevens.nl/en/contact-dutch-dpa/contact-us</a
>
</p>
</td>
</tr>
<tr>
<th>Personal data processed</th>
<td>
<p>
In addition to any personal data incorporated in notebooks
managed by end users using the Notebooks service, the following
categories of personal data may be processed by the EGI
Foundation as part of providing the aforementioned service:
</p>
<strong>Identification data:</strong>
<ul>
<li>Identification number</li>
<li>E-mail address</li>
<li>Affiliation</li>
<li>IP address</li>
</ul>
<strong>Behavioural data:</strong>
<ul>
<li>Usage data</li>
<li>Technical logs with timestamps</li>
</ul>
<strong>Data allowing conclusions on the personality:</strong>
<ul>
<li>Membership information on roles, groups and communities</li>
</ul>
</td>
</tr>
<tr>
<th>Purpose of the processing of personal data</th>
<td>
<p>
The purpose of the collection, processing and use of the
personal data mentioned above is:
</p>
<ul>
<li>
To provide the service functions, i.e. users to manage their
notebooks on the resources they can access and allowing
administrators to manage the service and the user groups.
</li>
<li>
Identify the users or the administrators accessing the service
and track usage of resources for accounting, security
management and maintaining service stability and performance.
</li>
</ul>
</td>
</tr>
<tr>
<th>Legal basis</th>
<td>
The legal basis for processing personal data is: Legitimate
interests pursued by the controller or by a third party according
to Art. 6 (1) (f) GDPR.
</td>
</tr>
<tr>
<th>Third parties to whom personal data is disclosed</th>
<td>
<p>
Personal data will not be used beyond the original purpose of
their acquisition. If a forwarding to third parties should be
necessary to answer an inquiry or to carry out a service, the
consent of the data subject is considered to have been given
when using the respective function or service. In particular,
the data you provide to us will not be used for marketing.
</p>
<p>
For the purpose given in this privacy policy, personal data may
be passed to the following third parties:
</p>
<strong> Within the EU / EEA: </strong>
<ul>
<li>
CESNET (resource provider, service administrator,
sub-contracted data processor)
</li>
<li>
Suppliers supporting the customer: Provision of cloud
resources: a comprehensive list of providers contributing to
the federation's cloud resources can be found here:
<a href="https://www.egi.eu/federation/egi-federated-cloud/"
>https://www.egi.eu/federation/egi-federated-cloud/</a
>
</li>
<li>
The records of your use and technical log files produced by
the Service components may be shared, via secured mechanisms,
for security incident response purposes with other authorised
participants in the academic and research distributed digital
infrastructures authorised by EGI Foundation governance, only
for the same purposes and only as far as necessary to provide
the incident response capability where doing so is likely to
assist in the investigation of suspected misuse of
Infrastructure resources.
</li>
</ul>
<strong> Outside the EU / EEA: </strong>
<ul>
<li>
Suppliers supporting the customer: Provision of cloud
resources: a comprehensive list of providers contributing to
the federation's cloud resources can be found here:
<a href="https://www.egi.eu/federation/egi-federated-cloud/"
>https://www.egi.eu/federation/egi-federated-cloud/</a
>
</li>
</ul>
<p>
Any data transfer to a third country outside the EU or the EEA
only takes place under the conditions contained in Chapter V of
the GDPR and in compliance with the provisions of this privacy
policy and any related policies adopted by the EGI Federation.
</p>
</td>
</tr>
<tr>
<th>Your rights</th>
<td>
<p>
You can exercise the following rights at any time by contacting
our data protection officer using the contact details provided
in the Data Protection Officer section:
</p>
<ul>
<li>
Information about your data stored with us and their
processing
</li>
<li>Correction of incorrect personal data</li>
<li>Deletion of your data stored by us</li>
<li>
Restriction of data processing, if we are not yet allowed to
delete your data due to legal obligations
</li>
<li>Objection to the processing of your data by us</li>
<li>Data portability</li>
</ul>
<p>
You can complain at any time to the supervisory data protection
authority (DPA) responsible for you. Your responsible DPA
depends on your country and state of residence, of your
workplace or of the presumed violation. A list of the
supervisory authorities with addresses can be found at
<a href="https://edpb.europa.eu/about-edpb/board/members_en"
>https://edpb.europa.eu/about-edpb/board/members_en</a
>.
</p>
<p>
You can contact EGI Foundation's lead supervising authority
using the contact details provided in the Jurisdiction and
Supervisory Authority section.
</p>
</td>
</tr>
<tr>
<th>Data retention and deletion</th>
<td>
The records of your use and technical log files produced by the
service components will be deleted or anonymised after, at most,
18 months.
</td>
</tr>
<tr>
<th>Security</th>
<td>
<p>
We take appropriate technical and organisational measures to
ensure data security and the protection against accidental or
unlawful destruction, accidental loss, alteration, unauthorised
disclosure or access.
</p>
<p>
A comprehensive overview of the technical and organisational
measures taken by EGI Foundation can be found at
<a
href="https://documents.egi.eu/public/ShowDocument?docid=3737"
>EGI Documentation Database</a
>.
</p>
</td>
</tr>
<tr>
<th>Data Protection Code of Conduct</th>
<td>
<p>
EGI Foundation is conforming to GEANT Code of Conduct and your
personal data will be processed in accordance with the
<a
href="http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
>Code of Conduct for Service Providers</a
>
and the
<a
href="https://documents.egi.eu/public/ShowDocument?docid=2732"
>EGI-doc-2732-v3: Policy on the Processing of Personal
Data.</a
>
</p>
</td>
</tr>
<tr>
<th>Acknowledgement</th>
<td>
This privacy notice is based on the
<a href="https://aarc-project.eu/policies/policy-development-kit/"
>AARC Policy development kit</a
>
(licensed under
<a href="https://creativecommons.org/licenses/by-nc-sa/4.0/"
>CC BY-NC-SA 4.0</a
>)
</td>
</tr>
</tbody>
</table>
</div>
<footer class="footer">
<div class="container text-center">
<a href="/policies/privacy-policy.html">Privacy Notice</a> |
<a href="/policies/terms-of-use.html">Terms of Use</a>
</div>
</footer>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<title>Terms of Use</title>
<meta http-equiv="X-UA-Compatible" content="chrome=1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<link
rel="stylesheet"
href="/hub/static/css/style.min.css"
type="text/css"
/>
<link
rel="stylesheet"
href="/policies/style.css"
type="text/css"
/>
</head>
<body>
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<span id="jupyterhub-logo" class="pull-left">
<a href="/hub/"
><img
src="/hub/logo"
alt="JupyterHub"
class="jpy-logo"
title="Home"
/></a>
</span>
</div>
<div class="collapse navbar-collapse" id="thenavbar">
<ul class="nav navbar-nav navbar-right">
<li>
<span id="user-guide">
<a
role="button"
class="navbar-btn btn-sm btn btn-egi"
href="https://docs.egi.eu/users/notebooks/"
>
<i aria-hidden="true" class="fa fa-book"></i> User Guide</a
>
</span>
</li>
</ul>
</div>
</div>
</nav>
<div class="container">
<h1>EGI Notebooks Acceptable Use Policy and Conditions of Use (AUP)</h1>
<p>
This Acceptable Use Policy and Conditions of Use ("AUP") defines the
rules and conditions that govern your access to and use (including
transmission, processing, and storage of data) of the resources and
services ("Services") as granted by the EGI Federation, and the Virtual
Organisation to which you belong, for the purpose of meeting the goals
of EGI, namely to deliver advanced computing services to support
researchers, multinational projects and research infrastructures, and
the goals of your Virtual Organisation or Research Community.
</p>
<ol>
<li>
You shall only use the Services in a manner consistent with the
purposes and limitations described above; you shall show consideration
towards other users including by not causing harm to the Services; you
have an obligation to collaborate in the resolution of issues arising
from your use of the Services.
</li>
<li>
You shall only use the Services for lawful purposes and not breach,
attempt to breach, nor circumvent administrative or security controls.
</li>
<li>
You shall respect intellectual property and confidentiality
agreements.
</li>
<li>
You shall protect your access credentials (e.g. passwords, private
keys or multi-factor tokens); no intentional sharing is permitted.
</li>
<li>
You shall keep your registered information correct and up to date.
</li>
<li>
You shall promptly report known or suspected security breaches,
credential compromise, or misuse to the security contact stated below;
and report any compromised credentials to the relevant issuing
authorities.
</li>
<li>
Reliance on the Services shall only be to the extent specified by any
applicable service level agreements listed below. Use without such
agreements is at your own risk.
</li>
<li>
Your personal data will be processed in accordance with the privacy
statements referenced below.
</li>
<li>
Your use of the Services may be restricted or suspended, for
administrative, operational, or security reasons, without prior notice
and without compensation.
</li>
<li>
If you violate these rules, you may be liable for the consequences,
which may include your account being suspended and a report being made
to your home organisation or to law enforcement.
</li>
</ol>
<p>
The administrative contact for this AUP is:
<a href="mailto:operations@egi.eu">operations@egi.eu</a><br />
The security contact for this AUP is:
<a href="mailto:abuse@egi.eu">abuse@egi.eu</a><br />
The Privacy Notice is located at
<a href="/policies/privacy-policy.html">Privacy Notice</a><br />
</p>
</div>
<footer class="footer">
<div class="container text-center">
<a href="/policies/privacy-policy.html">Privacy Notice</a> |
<a href="/policies/terms-of-use.html">Terms of use</a>
</div>
</footer>
</body>
</html>
/* Minimal extra styles for policy files */
html {
position: relative;
min-height: 100%;
}
body {
margin-bottom: 60px; /* Margin bottom by footer height */
}
.footer {
position: absolute;
bottom: 0;
width: 100%;
height: 60px; /* Set the fixed height of the footer here */
}
address {
white-space: pre-line;
}
---
- name: Basic setup and NFS common
hosts: allnodes
become: true
tasks:
- name: Add SSH keys
authorized_key:
user: egi
state: present
key: '{{ item }}'
with_file:
- public_keys/andrea-manzi
- public_keys/enolfc
- public_keys/jhradil
- public_keys/pospisilp
- public_keys/sustr
- public_keys/valtri
- name: Install nfs-common
apt:
name: nfs-common
update_cache: true
- name: Site install packages
package:
name:
- atop
- cron-apt
- fail2ban
- mc
- vim
- postfix
- name: Site remove packages
package:
name:
- unattended-upgrades
state: absent
- name: Site cron-apt config
copy:
dest: /etc/cron-apt/config
content: |
MAILTO=valtri@civ.zcu.cz
MAILON=upgrade
RUNSLEEP=600
mode: 0644
- name: Site cron-apt action
copy:
dest: /etc/cron-apt/action.d/9-upgrade
content: -q -q dist-upgrade
mode: 0644
- name: Site touch
file:
path: "/EOSC-{{ site_name | upper }}"
state: touch
mode: 0644
- name: NFS server
hosts: nfs
become: true
tasks:
- name: Install nfs-server
apt:
name: nfs-kernel-server
state: present
update_cache: true
- name: Create user for NFS
user:
name: volumes
create_home: false
uid: 5005
- name: Create /exports dir
file:
path: /exports
state: directory
mode: 0755
owner: volumes
- name: Create exports
template:
src: templates/etc/exports
dest: /etc/exports
mode: 0644
notify: Reload exports
- name: Start NFS service
service:
name: nfs-server
state: started
handlers:
- name: Reload exports
command: exportfs -ra
- name: K8s master deployment
hosts: master
become: true
roles:
- role: 'grycap.kubernetes'
vars:
# do not downgrade docker
kube_docker_version: latest
kube_version: 1.28.2
kube_network: 'none' # custom network installation
kube_install_helm: true
kube_install_helm_version: 'v3.13.0'
kube_install_metrics: true
tasks:
- name: Create kubectl config dir
file:
path: "~{{ ansible_user }}/.kube"
mode: 0750
owner: "{{ ansible_user }}"
state: directory
- name: Copy kubectl config to regular user
copy:
remote_src: true
src: /etc/kubernetes/admin.conf
dest: "~{{ ansible_user }}/.kube/config"
mode: 0600
owner: "{{ ansible_user }}"
- name: Site k8s cheat sheets
copy:
dest: /etc/profile.d/k8s-cheats.sh
src: files/k8s-cheats.sh
mode: preserve
- name: K8s network deployment
hosts: master
vars:
calicoctl_version: 3.27.0
tasks:
- name: Calico config
copy:
# https://raw.githubusercontent.com/projectcalico/calico/v3.27.0/manifests/calico.yaml
src: files/calico.yaml
dest: /tmp/calico-net.yaml
mode: 0644
- name: Calico installation
command:
cmd: kubectl apply -f /tmp/calico-net.yaml
creates: /var/etcd/calico-data
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
- name: Download calicoctl
get_url:
url: https://github.com/projectcalico/calico/releases/download/v{{ calicoctl_version }}/calicoctl-linux-amd64
dest: /usr/local/sbin/calicoctl
mode: 0755
- name: K8s nodes deployment
hosts: nfs, ingress, worker
become: true
roles:
- role: 'grycap.kubernetes'
vars:
# do not downgrade docker
kube_docker_version: latest
kube_server: "{{ groups['master'][0] }}"
kube_type_of_node: wn
kube_version: 1.28.2
kubelet_extra_args: '--volume-stats-agg-period 0'
- name: K8s customization
hosts: master
become: true
tasks:
- name: Wait for helm
command: helm version
register: result
until: result.rc == 0
retries: 20
delay: 10
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
when: true
- name: Create custom fact directory
file:
path: "/etc/ansible/facts.d"
mode: 0755
recurse: true
state: "directory"
- name: Create helm repos custom fact
copy:
src: files/helm_repos.fact
dest: /etc/ansible/facts.d/helm_repos.fact
mode: 0755
- name: Reload custom facts
setup:
filter: ansible_local
- name: Helm repo add stable
shell: |-
helm repo add stable https://charts.helm.sh/stable/
helm repo update
when: "'stable' not in ansible_local.helm_repos | map(attribute='name') | list"
- name: Helm repo add nfs-subdir-external-provisioner
shell: |-
helm repo add nfs-subdir-external-provisioner https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner
helm repo update
when: "'nfs-subdir-external-provisioner' not in ansible_local.helm_repos | map(attribute='name') | list"
- name: NFS provisioner
vars:
config: >-
--set nfs.server={{ groups['nfs'][0] }}
--set storageClass.defaultClass=true
--set nfs.path=/exports
shell: |-
helm status --namespace kube-system nfs-provisioner
if [ $? -ne 0 ]; then
helm install --namespace kube-system {{ config }} nfs-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
else
helm upgrade --namespace kube-system {{ config }} nfs-provisioner nfs-subdir-external-provisioner/nfs-subdir-external-provisioner
fi
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
- name: Helm repo add ingress-nginx
shell: |-
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
when: "'ingress-nginx' not in ansible_local.helm_repos | map(attribute='name') | list"
- name: Ingress
vars:
config: >-
--set controller.service.type=NodePort
--set controller.service.externalIPs={{ '{' + hostvars[groups['ingress'][0]].ansible_default_ipv4.address + '}' }}
--set controller.config.proxy-body-size=0
--set controller.allowSnippetAnnotations=false
shell: |-
helm status --namespace kube-system cluster-ingress
if [ $? -ne 0 ]; then
helm install cluster-ingress --namespace kube-system {{ config }} ingress-nginx/ingress-nginx
else
helm upgrade --namespace kube-system {{ config }} cluster-ingress ingress-nginx/ingress-nginx
fi
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
- name: Cert-manager
vars:
version: 1.13.3
config: >-
--version={{ version }}
--set ingressShim.defaultIssuerName=letsencrypt-prod
--set ingressShim.defaultIssuerKind=ClusterIssuer
--set ingressShim.defaultIssuerGroup=cert-manager.io
shell: |-
helm status --namespace cert-manager certs-man
if [ $? -ne 0 ]; then
kubectl create namespace cert-manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v{{ version }}/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install --namespace cert-manager {{ config }} certs-man jetstack/cert-manager
else
helm upgrade --namespace cert-manager {{ config }} certs-man jetstack/cert-manager
fi
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
- name: Cluster issuer file
copy:
dest: /tmp/clusterissuer.yaml
mode: 0644
content: |
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: valtri@civ.zcu.cz
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: cluster-issuer-account-key
# Add a single challenge solver, HTTP01 using nginx
solvers:
- http01:
ingress:
class: nginx
- name: Cluster issuer
command:
kubectl apply -f /tmp/clusterissuer.yaml
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
# Accounting / monitoring needs
- name: Helm repo add prometheus-community
shell: |-
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
when: "'prometheus-community' not in ansible_local.helm_repos | map(attribute='name') | list"
- name: Prometheus configuration
vars:
smtp_from: "noreply@{{ groups['ingress'][0] }}"
limit_memory_warn: 80
limit_cpu_warn: 80
limit_disk_warn: 80
copy:
dest: /tmp/prometheus.yaml
mode: 0600
content: |
alertmanagerFiles:
alertmanager.yml:
global:
smtp_from: "{{ smtp_from }}"
receivers:
- name: default-receiver
email_configs:
- send_resolved: true
to: valtri@civ.zcu.cz
- name: 'null'
route:
group_by: ['job']
kube-state-metrics:
metricAnnotationsAllowList:
- pods=[hub.jupyter.org/username,egi.eu/primary_group]
serverFiles:
alerting_rules.yml:
groups:
- name: limits
rules:
- alert: HighCpuLoad
expr: 100 * (1 - avg by(kubernetes_node) (rate(node_cpu_seconds_total{mode="idle"}[5m]))) > {{ limit_cpu_warn }}
for: 15m
labels:
job: "eosc-{{ site_name }}"
annotations:
summary: "Host high CPU load ({{ '{{ $labels.kubernetes_node }}' }})"
description: "CPU load {{ '{{ $value | printf \"%.2f\" }}' }}% (limit {{ limit_cpu_warn }}%)"
- alert: OutOfMemory
expr: 100 * (1 - avg by(kubernetes_node) (node_memory_MemAvailable_bytes / node_memory_MemTotal_bytes)) > {{ limit_memory_warn }}
for: 20m
labels:
job: "eosc-{{ site_name }}"
annotations:
summary: "Host out of memory ({{ '{{ $labels.kubernetes_node }}' }})"
description: "Node memory {{ '{{ $value | printf \"%.2f\" }}' }}% (limit {{ limit_memory_warn }}%)"
- alert: OutOfDiskSpace
expr: 100 * (1 - avg by (kubernetes_node, mountpoint) (node_filesystem_avail_bytes{device=~"/dev/.*"} / node_filesystem_size_bytes))
> {{ limit_disk_warn }}
for: 20m
labels:
job: "eosc-{{ site_name }}"
annotations:
summary: "Host out of disk space ({{ '{{ $labels.kubernetes_node }}' }})"
description: "Disk is almost full {{ '{{ $value | printf \"%.2f\" }}' }}% (limit {{ limit_disk_warn }}%)"
- name: Prometheus
vars:
config: >-
--version=25.8.2
-f /tmp/prometheus.yaml
shell: |-
helm status --namespace prometheus prometheus
if [ $? -ne 0 ]; then
kubectl create ns prometheus >/dev/null 2>&1 || true
helm install --namespace prometheus {{ config }} prometheus prometheus-community/prometheus
else
helm upgrade --namespace prometheus {{ config }} prometheus prometheus-community/prometheus
fi
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
- name: Grafana configuration
copy:
dest: /tmp/grafana.yaml
mode: 0640
content: |
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
kubernetes.io/tls-acme: "true"
hosts:
- "{{ grafana_hostname }}"
tls:
- hosts:
- "{{ grafana_hostname }}"
secretName: acme-tls-grafana
datasources:
datasources.yaml:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
access: Server
orgId: 1
url: http://prometheus-server.prometheus.svc.cluster.local
isDefault: true
version: 1
editable: false
sidecar:
dashboards:
enabled: true
- name: Grafana
vars:
config: >-
--version=7.0.3
-f /tmp/grafana.yaml
shell: |-
helm status --namespace grafana grafana
if [ $? -ne 0 ]; then
kubectl create ns grafana
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update
helm install --namespace grafana {{ config }} grafana grafana/grafana
else
helm upgrade --namespace grafana {{ config }} grafana grafana/grafana
fi
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
when: true
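Review bot: The `get_url` task at L757-L761 installs `calicoctl` into /usr/local/sbin with mode 0755 without a `checksum:` option, so the binary that ends up on the master is whatever the release URL serves at run time with no integrity pin beyond the version tag; adding `checksum: sha256:<PLACEHOLDER-calicoctl-sha256>` (or a `sha256:https://...` URL) makes the download verifiable and idempotent. The same applies to the `kubectl apply -f https://github.com/cert-manager/...` fetch at L863, which could be vendored like `files/calico.yaml` at L748 is. The `authorized_key` task at L627-L638 uses `state: present` without `exclusive`, so removing a name from the `with_file` list never removes that key from the hosts — an offboarding gap worth either documenting or closing with `exclusive: true` if the listed files are the complete set. `kube_version: 1.28.2` is repeated at L716 and L772 and the `shell:` helm tasks (L817, L840, L859, L967, L1015) report changed on every run because they have no `changed_when`; the `when: true` lines on those tasks are no-ops and look like they may have been meant as `changed_when`.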
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDcbLaaJ0DyEMMZLGFW8It9fXJSEfGhnP8vuPYaKGCX5XhKYU5Rby6/DJcgm9FYxP0BCY6vvcydzA7WC3qLyg/IINNWEqRWkaJNHyPZHQPFWIp2XnJ7hvDp7leGKR3mBBXDR2xBYLc+w/ZgFiM4ypaat3oeqt7movWErG9b49XoAnk1U9cQU7FIDemSsG4tFzIC5Ag6FzUUP/wsrX4Cz40L7rF7DQbYU9M/HhNJPiA1alHdMEgsfHwRFqfxv6QPDBVI2QgJq1Fa0cK4RiZMFQX9chr+HYB6IGlQAfLeXlPIiNGsxP3mJ9LSUFWrBO4Am775d/EmsASmLPIz6Da8iEgn
ssh-rsa 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
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHA5CG7ykzAIZHiN6q9JjSLg089bKZx+15z/lfEpyF6a jaromir.hradil@cesnet.cz
ssh-rsa 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
ssh-rsa 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
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBC0vJ13maAtYfN8qvJlcL5Qz0frqdT1aZn7P2mpbzpBG8+jefy0WPqlxHn5e3m99uh+9r4xt+4FH4/GgrLVB5b2BtfqUVaEwT7zJajJ4OZpVJt5xht7vQyCCzlQUElXyXQvBraDpoKmZn1x5DfSHcj2ZQMuWnJqHMUPtFi61pc2+vsAb2LZQzYTS2zHKqiETAp7Jeudyq9NGZOkj4sTuSN/QCMUITvy6KZWnM7dsGdlxfEUDhjYWNfePI98uQ+78HYI2VpXbJRQkA4IjpsWv4uVfHdRkCvDrGGIwr+T0LTqZ/uLSy9g7hlftMj5QPxEMk37mH7LaM1yePlVUyG9/R