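---
# Deploys one JupyterHub release (plus its monitor chart) per file found in
# ../deployments/*.yaml. The file basename (without extension) is used as the
# Kubernetes namespace, the helm release name and the Vault secret suffix.
- name: Notebooks deployments
  hosts: master
  become: true
  tasks:
    # Only (re-)adds the repos when one of them is missing from the
    # helm_repos local fact.
    - name: Configure helm repo
      shell: |-
        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
        helm repo add eginotebooks https://egi-federation.github.io/egi-notebooks-chart/
        helm repo update
      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list or 'eginotebooks' not in ansible_local.helm_repos | map(attribute='name') | list"

    # Builds the `secrets` dict: deployment name -> result of the Vault lookup
    # at <vault_mount_point>/deployment-<name>.
    # no_log keeps the looked-up values out of the task output and of any log
    # the controller writes (they would otherwise appear with -v).
    - name: Get Secrets from Vault for notebooks
      vars:
        name: "{{ item | basename | splitext | first }}"
      set_fact:
        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name, token_validate=false)}) }}"
      no_log: true
      with_fileglob:
        - "../deployments/*.yaml"

    # Reports WHICH deployments got secrets, never the secret values.
    # The loop label is restricted to the key because Ansible prints the whole
    # loop item by default, which would expose item.value as well.
    # default({}) avoids an undefined-variable failure when no deployment
    # file matched the glob above.
    - name: Debug Deployments Secrets
      debug:
        msg: "{{ item.key }}: secrets loaded from Vault (values not shown)"
      loop: "{{ secrets | default({}) | dict2items }}"
      loop_control:
        label: "{{ item.key }}"

    # The rendered values files embed the Vault secrets (exposed to the
    # template as `secret`). They are written with mode 0600 by the become
    # user and are left in /tmp after the run, so access to the master node
    # should be treated as access to these secrets.
    # diff: false prevents --diff runs from printing the rendered content.
    - name: Copy config file to master
      vars:
        name: "{{ item | basename | splitext | first }}"
        secret: "{{ secrets[name] }}"
      template:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: "0600"
      diff: false
      with_fileglob:
        - "../deployments/*.yaml"

    # Installs the release when `helm status` fails, upgrades it otherwise;
    # the same pattern is then repeated for the <name>-monitor release.
    # Chart versions are pinned here.
    - name: Deploy/upgrade notebook instance
      vars:
        name: "{{ item | basename | splitext | first }}"
        version: "3.2.1"  # app 4.0.2 (2023-11-27)
        monitor_version: "0.3.1"
      shell: |-
        helm status --namespace {{ name }} {{ name }}
        if [ $? -ne 0 ]; then
            helm install --create-namespace --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ version }} --timeout 2h \
                {{ name }} jupyterhub/jupyterhub
        else
            helm upgrade --version {{ version }} -f /tmp/{{ item | basename }} --timeout 2h \
                --namespace {{ name }} {{ name }} jupyterhub/jupyterhub
        fi
        helm status --namespace {{ name }} {{ name }}-monitor
        if [ $? -ne 0 ]; then
            helm install --namespace {{ name }} \
                -f /tmp/{{ item | basename }} --version {{ monitor_version }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        else
            helm upgrade --version {{ monitor_version }} \
                -f /tmp/{{ item | basename }} --namespace {{ name }} \
                {{ name }}-monitor eginotebooks/notebooks-monitor
        fi
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"

    # Grants the `hub` ServiceAccount read/write access to ALL Secret objects
    # of its own namespace (namespaced Role, not a ClusterRole). Anything that
    # can act as the hub ServiceAccount can therefore read every secret stored
    # in that namespace.
    - name: Configure secrets management for the hub
      vars:
        name: "{{ item | basename | splitext | first }}"
      shell: |-
        kubectl apply -f - << EOF
        ---
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        rules:
        - apiGroups: [""] # "" indicates the core API group
          resources: ["secrets"]
          verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
        ---
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        subjects:
        - kind: ServiceAccount
          name: hub
          namespace: {{ name }}
        roleRef:
          kind: Role
          name: hub-secrets
          apiGroup: rbac.authorization.k8s.io
        EOF
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"

    # do the extra bits of configuration
    # here we should have all the namespaces, pre-requirements in place
    # XXX: this won't remove things that are deleted from the directory
    - name: Copy extra configuration files
      copy:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: "0600"
      with_fileglob:
        - "../extra/*.yaml"

    # Applied with the cluster admin kubeconfig, so every manifest under
    # ../extra/ is applied with full cluster privileges.
    - name: Extra configuration
      command: |-
        kubectl apply -f /tmp/{{ item | basename }}
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
      with_fileglob:
        - "../extra/*.yaml"
      when: true

    # Workaround for pods stuck in "Terminating" state
    # NOTE(review): mode is taken from the source file in the repository;
    # confirm the script is not group/world-writable there, since cron
    # executes it every minute.
    - name: K8s pods cleaner script
      copy:
        dest: /usr/local/bin/k8s-pods-cleaner.sh
        src: files/usr/local/bin/k8s-pods-cleaner.sh
        mode: preserve

    # Workaround for pods stuck in "Terminating" state
    # One cron file per deployment; the job runs every minute as user `egi`
    # with that user's kubeconfig and discards all output.
    - name: Regular cleanup of failed user notebooks pods
      vars:
        name: "{{ item | basename | splitext | first }}"
      cron:
        cron_file: "notebooks-{{ name }}-cleaner"
        name: "Notebooks {{ name }} cleanup"
        minute: "*"
        hour: "*"
        job: "KUBECONFIG=$HOME/.kube/config /usr/local/bin/k8s-pods-cleaner.sh '{{ name }}' --yes >/dev/null 2>&1"
        user: egi
      with_fileglob:
        - "../deployments/*.yaml"

# Quota enforcement on the NFS server: one cron entry per deployment, all in
# the shared `notebook-quotas` cron file, run as root every two hours.
- name: Notebooks storage quotas
  hosts: nfs
  become: true
  tasks:
    - name: Quota settings
      vars:
        name: "{{ item | basename | splitext | first }}"
      cron:
        cron_file: notebook-quotas
        name: "{{ name }} quotas"
        minute: "0"
        hour: "*/2"
        job: "/usr/local/bin/xfs-quotas.sh --include ^/exports/{{ name }}- --exclude ^/exports/{{ name }}-hub-db-dir-"
        user: root
      with_fileglob:
        - "../deployments/*.yaml"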