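---
# Local-development values for the PAWS chart (localdev.enabled is true below).
# NOTE(review): every credential in this file — the MediaWiki OAuth consumer,
# proxy.secretToken, hub.cookieSecret, JUPYTERHUB_CRYPT_KEY, MYSQL_HMAC_KEY and
# mysql.password — is a development placeholder. Deployment-specific values are
# expected to override them, as the jupyterhub.hub.db note says for the db block;
# confirm that every secret-bearing key is covered by that override.

# pawsPublicEnabled enables the anonymous viewing service for notebooks
pawsPublicEnabled: true
pawspublic:
  nbserve:
    image:
      name: quay.io/wikimedia-paws-prod/nbserve
      tag: pr-277 # nbserve tag managed by github actions
      # pawspublic.nbserve.image.template safely defines image:tag name in yaml
      template: "{{ .Values.pawspublic.nbserve.image.name}}:{{.Values.pawspublic.nbserve.image.tag }}"
    replicas: 1
    requests:
      memory: "20Mi"
  renderer:
    image:
      name: quay.io/wikimedia-paws-prod/renderer
      tag: pr-168 # renderer tag managed by github actions
      # pawspublic.renderer.image.template safely defines image:tag name in yaml
      template: "{{ .Values.pawspublic.renderer.image.name}}:{{.Values.pawspublic.renderer.image.tag }}"
    requests:
      cpu: "10m" # give a token amount for local dev
      memory: "10Mi"
  ingress:
    host: public.hub.paws.local
    legacyHost: paws-public.wmflabs.org

paws:
  # frontPageEnabled switches the URL path of / to a redirect to paws.ingress.frontRedirect
  frontPageEnabled: true
  ingress:
    legacyHost: paws.wmflabs.org
    # paws.ingress.frontHost should be the domain the URL path of / uses to redirect to docs
    frontHost: paws.wmcloud.org
    # paws.ingress.frontRedirect should be the destination for URL path of / at paws.ingress.frontHost
    frontRedirect: https://wikitech.wikimedia.org/wiki/PAWS

jupyterhub:
  # Every chart-managed container runs as the same unprivileged uid/gid (52771),
  # matching singleuser.uid and singleuser.fsGid below.
  prePuller:
    containerSecurityContext:
      runAsUser: 52771
      runAsGroup: 52771
    hook:
      containerSecurityContext:
        runAsUser: 52771
        runAsGroup: 52771
    pause:
      containerSecurityContext:
        runAsUser: 52771
        runAsGroup: 52771
  proxy:
    chp:
      resources:
        requests:
          memory: "200Mi"
          cpu: .2
      containerSecurityContext:
        runAsUser: 52771
        runAsGroup: 52771
    # jupyterhub.proxy.secretToken is a valid dummy value for development
    secretToken: "23f542cc4b1af000e68088f1acc7ca8275a67cf496bae15ead6a79b8c6702597"
    # NodePort exposure is a local-dev convenience; confirm production overrides it.
    service:
      nodePorts:
        http: 32611
      type: NodePort
  cull:
    timeout: 86400
  hub:
    config:
      # updated auth object for chart version 0.11.0+ this is the local dev values
      # Quoted so hex values that happen to be all digits stay strings.
      MWOAuthenticator:
        client_id: "fea321f1b6b5aed9fa83d5362839cd3d"
        client_secret: "6b17e5b87ae5ee893f5d4ba8b0e2377c6c0c3fcc"
        mw_index_url: https://meta.wikimedia.org/w/index.php
      JupyterHub:
        authenticator_class: mediawiki
    db:
      # jupyterhub.hub.db values are overridden in Cloud VPS
      url: sqlite://
      type: sqlite-pvc
      upgrade: true
    # hostPath volumes expose host directories to the hub pod; this matches the
    # localdev branch of pre_spawn_start below and is presumably replaced by NFS
    # in production — verify against the production values.
    extraVolumes:
      - name: homes
        hostPath:
          path: /srv/paws/project
      - name: dumps
        hostPath:
          path: /mnt/public/dumps
      # Without this, dumps becomes inaccessible and can hang the host
      - name: dumps-src1
        hostPath:
          path: /mnt/nfs/dumps-clouddumps1001.wikimedia.org
          type: DirectoryOrCreate
      - name: dumps-src2
        hostPath:
          path: /mnt/nfs/dumps-clouddumps1002.wikimedia.org
          type: DirectoryOrCreate
    extraVolumeMounts:
      - name: homes
        mountPath: /data/project
      - name: dumps
        mountPath: /public/dumps
        readOnly: true
      - name: dumps-src1
        mountPath: /mnt/nfs/dumps-clouddumps1001.wikimedia.org
        readOnly: true
      - name: dumps-src2
        mountPath: /mnt/nfs/dumps-clouddumps1002.wikimedia.org
        readOnly: true
    # extraConfig snippets are concatenated into jupyterhub_config.py in key
    # order, so 00-myConfig (which defines `localdev`) runs before 10-myConfig.
    extraConfig:
      fixLabels: |
        def fix_labels(spawner, pod):
            # Drop the per-user label kubespawner adds to every user pod.
            # pop() rather than del so a pod without the label is not an error.
            # NOTE(review): presumably this keeps the MediaWiki username out of
            # pod metadata — confirm the intent with the chart maintainers.
            pod.metadata.labels.pop('hub.jupyter.org/username', None)
            return pod
        c.KubeSpawner.modify_pod_hook = fix_labels
      00-myConfig: |
        localdev = True
      10-myConfig: |
        import hmac
        import hashlib
        import subprocess
        import os
        import json
        from oauthenticator.mediawiki import MWOAuthenticator
        from tornado import gen
        from tornado.escape import url_escape
        from tornado.httpclient import AsyncHTTPClient

        class Auth(MWOAuthenticator):
            """MediaWiki OAuth authenticator that re-checks global locks and
            wires per-user volumes and OAuth credentials into the spawner."""
            enable_auth_state = True

            def normalize_username(self, username):
                # Keep the MediaWiki username as-is (the base class would lowercase it).
                return username

            async def refresh_user(self, user, handler=None):
                """Return False (forcing re-login) when the global account is locked.

                The username is url-escaped before being placed in the query string.
                Any error talking to the API is logged and treated as "not verified".
                """
                client = AsyncHTTPClient()
                try:
                    response = await client.fetch(f"https://meta.wikimedia.org/w/api.php?action=query&format=json&formatversion=2&meta=globaluserinfo&guiuser={url_escape(user.name)}",
                        user_agent="PAWS-authenticator/0.1 (https://phabricator.wikimedia.org/tag/paws/)" )
                    locked = bool(json.loads(response.body)['query']['globaluserinfo'].get("locked", False))
                    if locked:
                        # Stop the running notebook immediately as well as invalidating auth.
                        await user.spawner.stop(now=True)
                        return False
                    else:
                        return True
                except Exception as e:
                    self.log.error(f"Error checking for Wikimedia lock on user {user.name}: {e}")
                    return False # Notebook cookies keep user logged in

            # more information about where this comes from found here:
            # https://jupyterhub-kubespawner.readthedocs.io/en/latest/spawner.html#kubespawner.KubeSpawner.volumes
            @gen.coroutine
            def pre_spawn_start(self, user, spawner):
                """Populate the user pod's environment and volumes from auth_state.

                Runs as a tornado generator coroutine (legacy style); `localdev`
                comes from 00-myConfig, while nfs_home / dumps_src1 / dumps_src2
                are not defined in this file and must come from another extraConfig
                snippet in the non-localdev deployment.
                """
                auth_state = yield user.get_auth_state()
                identity = auth_state['MEDIAWIKI_USER_IDENTITY']
                spawner.environment['ACCESS_KEY'] = auth_state['ACCESS_TOKEN_KEY']
                spawner.environment['ACCESS_SECRET'] = auth_state['ACCESS_TOKEN_SECRET']
                # NOTE(review): the OAuth consumer secret is handed to every user
                # pod's environment; confirm this is required by the notebook tooling.
                spawner.environment['CLIENT_ID'] = self.client_id
                spawner.environment['CLIENT_SECRET'] = self.client_secret
                spawner.environment['USER'] = identity['username']
                # Set rather than use .extend!
                # Since otherwise the volumes list will grow each time
                # the spawner stops and starts!
                # Paths are keyed on the OAuth-issued numeric 'sub', not the
                # free-form username, so no path component comes from user-typed text.
                homedir = '/data/project/paws/userhomes/{}'.format(identity['sub'])
                homenfs = '/srv/paws/project/paws/userhomes/{}'.format(identity['sub'])
                # Create the homedir so docker doesn't do it as root
                os.makedirs(homedir, mode=0o755, exist_ok=True)
                if localdev:
                    # Local dev: bind host directories straight into the user pod.
                    spawner.volumes = [
                        {
                            'name': 'home',
                            'hostPath': { 'path': homenfs }
                        },
                        {
                            'name': 'dumps',
                            'hostPath': { 'path': '/public/dumps' }
                        },
                        {
                            'name': 'dumps-src1',
                            'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1001.wikimedia.org' }
                        },
                        {
                            'name': 'dumps-src2',
                            'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1002.wikimedia.org' }
                        }
                    ]
                else:
                    spawner.volumes = [
                        {
                            'name': 'home',
                            'nfs': { 'server': nfs_home, 'path': homenfs }
                        },
                        {
                            'name': 'dumps',
                            'nfs': { 'server': dumps_src1, 'path': '/' }
                        },
                        {
                            'name': 'dumps-src1',
                            'nfs': { 'server': dumps_src1, 'path': '/' }
                        },
                        {
                            'name': 'dumps-src2',
                            'nfs': { 'server': dumps_src2, 'path': '/' }
                        }
                    ]
                # Only the home volume is writable; all dump mounts are read-only.
                spawner.volume_mounts = [
                    {
                        'name': 'home',
                        'mountPath': '/home/paws'
                    },
                    {
                        'name': 'dumps',
                        'mountPath': '/public/dumps/public',
                        'readOnly': True
                    },
                    {
                        'name': 'dumps-src1',
                        'mountPath': '/mnt/nfs/dumps-clouddumps1001.wikimedia.org',
                        'readOnly': True
                    },
                    {
                        'name': 'dumps-src2',
                        'mountPath': '/mnt/nfs/dumps-clouddumps1002.wikimedia.org',
                        'readOnly': True
                    },
                ]

        c.OAuthenticator.admin_users = {
            "BDavis (WMF)",
            "VRook (WMF)",
            "ABorrero (WMF)",
            "NSkaggs (WMF)",
            "Andrewbogott",
            "Chicocvenancio"
        }
        # Any account that completes MediaWiki OAuth may log in; the only
        # post-login gate is the global-lock check in Auth.refresh_user.
        c.OAuthenticator.allow_all = True
        c.JupyterHub.authenticator_class = Auth
        # The hub's /metrics endpoint is served without authentication;
        # restrict it at the ingress if it should not be public.
        c.JupyterHub.authenticate_prometheus = False
        c.JupyterHub.logo_file = '/srv/jupyterhub/PAWS.svg'
        c.JupyterHub.template_vars = {
            'announcement': ('<span class="alert-success">'
                             'Welcome to PAWS. '
                             'Please <a href="https://phabricator.wikimedia.or'
                             'g/maniphest/task/edit/form/1/?title=%5Bbug%5D%20%3Cyour%20request%20here%3E&description=%3D%3D%20What%20happened%3F%0D%0A%0D%0AA%20brief%20explanation%20of%20the%20problem%20you%20found%20(if%20you%20can%20give%20screenshots%20please%20do)%0D%0A%0D%0A%3D%3D%20What%20should%20have%20happened%3F%0D%0A%0D%0AWhat%20is%20it%20that%20you%20expected%20to%20happen%20instead&projects=PAWS&subscribers=dcaro%2Ckomla&priority=triage">'
                             ' report any issues on Phabricator</a>, you can also give feedback <a href="https://phabricator.wikimedia.org/maniphest/task/edit/form/1/?title=%5Bfeature%5D%20%3Cyour%20request%20here%3E&description=%3D%3D%20Why%0D%0A%0D%0AA%20brief%20explanation%20of%20the%20problem%20you%20are%20trying%20to%20solve%0D%0A%0D%0A%3D%3D%20How%3F%0D%0A%0D%0AIf%20you%20have%20an%20idea%2C%20some%20explanation%20on%20how%20to%20solve%20it%20(optional).&projects=PAWS&subscribers=dcaro%2Ckomla&priority=triage">here</a>'
                             '</span>')
        }
    extraEnv:
      USER: tools.paws
      # Development keys; see the note at the top of this file.
      JUPYTERHUB_CRYPT_KEY: "4849a4d92a49cdf9a80b49486293e29966c4f02daefa0f5597cf14546bab09f8"
      MYSQL_HMAC_KEY: "9a33d49db4bb823e87187a11e4f6296bee41bc35c41dc195634dff440c1870f0"
    # Quoted so an all-digit secret can never be parsed as an integer.
    cookieSecret: "827902ad187337f83adc565dadfb4c095ce1962442aae043ac78948f9b216a8f"
    podSecurityContext:
      fsGroup: 52771
    image:
      name: quay.io/wikimedia-paws-prod/paws-hub
      tag: pr-317 # paws-hub tag managed by github actions
    containerSecurityContext:
      runAsUser: 52771
    resources:
      requests:
        memory: "200Mi"
        cpu: .2
  ingress:
    enabled: true
    hosts:
      - hub.paws.local
    ingressClassName: "nginx"
  # We are not on an autoscaling cluster, so we don't want this
  scheduling:
    userScheduler:
      enabled: false
    userPlaceholder:
      containerSecurityContext:
        runAsUser: 52771
        runAsGroup: 52771
  singleuser:
    cmd:
      - jupyterhub-singleuser
    fsGid: 52771
    image:
      name: quay.io/wikimedia-paws-prod/singleuser
      tag: pr-326 # singleuser tag managed by github actions
      pullPolicy: Always
    memory:
      guarantee: 0.70G
      limit: 3G
    cpu:
      guarantee: .15
      limit: 1
    storage:
      type: none
    uid: 52771
    # This must be false or this whole thing cannot work with restrictive PSP
    # With the iptables block disabled, the cloud metadata endpoint stays reachable
    # from user pods unless it is denied elsewhere (e.g. by the network policy).
    cloudMetadata:
      blockWithIptables: false
    extraEnv:
      HUB_DOMAIN: "hub.paws.local" # Check jupyterhub.ingress.hosts
      REFINE_DOMAIN: "*" # Check jupyterhub.ingress.hosts
    networkPolicy:
      egressAllowRules:
        # Opens egress from user pods to all private address ranges, not only
        # the replica hosts; narrow it with an explicit egress rule if possible.
        privateIPs: true # needed for access to replicas

# mysql configures the wiki replica backend variables
mysql:
  domain: "svc.cluster.local"
  username: s52771
  password: "iAmNotSecret0"

minesweeper:
  enabled: false # most local-dev testers won't have the key to configs
  image:
    name: quay.io/wikimedia-paws-prod/minesweeper
    tag: pr-321 # minesweeper tag managed by github actions
    template: "{{ .Values.minesweeper.image.name }}:{{ .Values.minesweeper.image.tag }}"

# If not deployed for prod use, we use some hacks for testing
localdev:
  enabled: true
  image:
    name: quay.io/wikimedia-paws-prod/jobber
    tag: pr-155 # jobber tag managed by github actions
    # localdev.image.template safely defines image:tag name in yaml
    template: "{{ .Values.localdev.image.name}}:{{.Values.localdev.image.tag }}"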