Commit 796f485e authored by Arthur TOUSSAINT's avatar Arthur TOUSSAINT

Suppression des trucs importés

parent a8445f3b
Pipeline #5118 passed with stage
in 3 minutes and 13 seconds
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
appVersion: 0.9.3
description: Multi-user Jupyter installation
home: https://z2jh.jupyter.org
icon: https://jupyter.org/assets/hublogo.svg
kubeVersion: '>=1.8.0-0'
name: jupyterhub
sources:
- https://github.com/jupyterhub/zero-to-jupyterhub-k8s
tillerVersion: '>=2.9.1-0'
version: 0.8-b5e2b4a
This diff is collapsed.
Thank you for installing JupyterHub!
Your release is named {{ .Release.Name }} and installed into the namespace {{ .Release.Namespace }}.
You can find if the hub and proxy is ready by doing:
kubectl --namespace={{ .Release.Namespace }} get pod
and watching for both those pods to be in status 'Ready'.
You can find the public IP of the JupyterHub by doing:
kubectl --namespace={{ .Release.Namespace }} get svc proxy-public
It might take a few minutes for it to appear!
Note that this is still an alpha release! If you have questions, feel free to
1. Read the guide at https://z2jh.jupyter.org
2. Chat with us at https://gitter.im/jupyterhub/jupyterhub
3. File issues at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/issues
{{- /*
## About
This file contains helpers to systematically name, label and select Kubernetes
objects we define in the .yaml template files.
## How helpers work
Helm helper functions is a good way to avoid repeating something. They will
generate some output based on one single dictionary of input that we call the
helpers scope. When you are in helm, you access your current scope with a
single a single punctuation (.).
When you ask a helper to render its content, one often forward the current
scope to the helper in order to allow it to access .Release.Name,
.Values.rbac.enabled and similar values.
#### Example - Passing the current scope
{{ include "jupyterhub.commonLabels" . }}
It would be possible to pass something specific instead of the current scope
(.), but that would make .Release.Name etc. inaccessible by the helper which
is something we aim to avoid.
#### Example - Passing a new scope
{{ include "demo.bananaPancakes" (dict "pancakes" 5 "bananas" 3) }}
To let a helper access the current scope along with additional values we have
opted to create dictionary containing additional values that is then populated
with additional values from the current scope through a the merge function.
#### Example - Passing a new scope augmented with the old
{{- $_ := merge (dict "appLabel" "kube-lego") . }}
{{- include "jupyterhub.matchLabels" $_ | nindent 6 }}
In this way, the code within the definition of `jupyterhub.matchLabels` will
be able to access .Release.Name and .appLabel.
NOTE:
The ordering of merge is crucial, the latter argument is merged into the
former. So if you would swap the order you would influence the current scope
risking unintentional behavior. Therefore, always put the fresh unreferenced
dictionary (dict "key1" "value1") first and the current scope (.) last.
## Declared helpers
- appLabel |
- componentLabel |
- nameField | uses componentLabel
- commonLabels | uses appLabel
- labels | uses commonLabels
- matchLabels | uses labels
- podCullerSelector | uses matchLabels
## Example usage
```yaml
# Excerpt from proxy/autohttps/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "jupyterhub.nameField" . }}
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- $_ := merge (dict "appLabel" "kube-lego") . }}
{{- include "jupyterhub.matchLabels" $_ | nindent 6 }}
template:
metadata:
labels:
{{- include "jupyterhub.labels" $_ | nindent 8 }}
hub.jupyter.org/network-access-proxy-http: "true"
```
NOTE:
The "jupyterhub.matchLabels" and "jupyterhub.labels" is passed an augmented
scope that will influence the helpers' behavior. It get the current scope
"." but merged with a dictionary containing extra key/value pairs. In this
case the "." scope was merged with a small dictionary containing only one
key/value pair "appLabel: kube-lego". It is required for kube-lego to
function properly. It is a way to override the default app label's value.
*/}}
{{- /*
jupyterhub.appLabel:
Used by "jupyterhub.labels".
*/}}
{{- define "jupyterhub.appLabel" -}}
{{ .Values.nameOverride | default .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- /*
jupyterhub.componentLabel:
Used by "jupyterhub.labels" and "jupyterhub.nameField".
NOTE: The component label is determined by either...
- 1: The provided scope's .componentLabel
- 2: The template's filename if living in the root folder
- 3: The template parent folder's name
- : ...and is combined with .componentPrefix and .componentSuffix
*/}}
{{- define "jupyterhub.componentLabel" -}}
{{- $file := .Template.Name | base | trimSuffix ".yaml" -}}
{{- $parent := .Template.Name | dir | base | trimPrefix "templates" -}}
{{- $component := .componentLabel | default $parent | default $file -}}
{{- $component := print (.componentPrefix | default "") $component (.componentSuffix | default "") -}}
{{ $component }}
{{- end }}
{{- /*
jupyterhub.nameField:
Populates the name field's value.
NOTE: some name fields are limited to 63 characters by the DNS naming spec.
TODO:
- [ ] Set all name fields using this helper.
- [ ] Optionally prefix the release name based on some setting in
.Values to allow for multiple deployments within a single namespace.
*/}}
{{- define "jupyterhub.nameField" -}}
{{- $name := print (.namePrefix | default "") (include "jupyterhub.componentLabel" .) (.nameSuffix | default "") -}}
{{ printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- /*
jupyterhub.commonLabels:
Foundation for "jupyterhub.labels".
Provides labels: app, release, (chart and heritage).
*/}}
{{- define "jupyterhub.commonLabels" -}}
app: {{ .appLabel | default (include "jupyterhub.appLabel" .) }}
release: {{ .Release.Name }}
{{- if not .matchLabels }}
chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
heritage: {{ .heritageLabel | default .Release.Service }}
{{- end }}
{{- end }}
{{- /*
jupyterhub.labels:
Provides labels: component, app, release, (chart and heritage).
*/}}
{{- define "jupyterhub.labels" -}}
component: {{ include "jupyterhub.componentLabel" . }}
{{ include "jupyterhub.commonLabels" . }}
{{- end }}
{{- /*
jupyterhub.matchLabels:
Used to provide pod selection labels: component, app, release.
*/}}
{{- define "jupyterhub.matchLabels" -}}
{{- $_ := merge (dict "matchLabels" true) . -}}
{{ include "jupyterhub.labels" $_ }}
{{- end }}
{{- /*
jupyterhub.dockerconfigjson:
Creates a base64 encoded docker registry json blob for use in a image pull
secret, just like the `kubectl create secret docker-registry` command does
for the generated secrets data.dockerconfigjson field. The output is
verified to be exactly the same even if you have a password spanning
multiple lines as you may need to use a private GCR registry.
- https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
*/}}
{{- define "jupyterhub.dockerconfigjson" -}}
{{ include "jupyterhub.dockerconfigjson.yaml" . | b64enc }}
{{- end }}
{{- define "jupyterhub.dockerconfigjson.yaml" -}}
{{- with .Values.singleuser.imagePullSecret -}}
{
"auths": {
{{ .registry | default "https://index.docker.io/v1/" | quote }}: {
"username": {{ .username | quote }},
"password": {{ .password | quote }},
{{- if .email }}
"email": {{ .email | quote }},
{{- end }}
"auth": {{ (print .username ":" .password) | b64enc | quote }}
}
}
}
{{- end }}
{{- end }}
{{- /*
jupyterhub.resources:
The resource request of a singleuser.
*/}}
{{- define "jupyterhub.resources" -}}
{{- $r1 := .Values.singleuser.cpu.guarantee -}}
{{- $r2 := .Values.singleuser.memory.guarantee -}}
{{- $r3 := .Values.singleuser.extraResource.guarantees -}}
{{- $r := or $r1 $r2 $r3 -}}
{{- $l1 := .Values.singleuser.cpu.limit -}}
{{- $l2 := .Values.singleuser.memory.limit -}}
{{- $l3 := .Values.singleuser.extraResource.limits -}}
{{- $l := or $l1 $l2 $l3 -}}
{{- if $r -}}
requests:
{{- if $r1 }}
cpu: {{ .Values.singleuser.cpu.guarantee }}
{{- end }}
{{- if $r2 }}
memory: {{ .Values.singleuser.memory.guarantee }}
{{- end }}
{{- if $r3 }}
{{- range $key, $value := .Values.singleuser.extraResource.guarantees }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if $l }}
limits:
{{- if $l1 }}
cpu: {{ .Values.singleuser.cpu.limit }}
{{- end }}
{{- if $l2 }}
memory: {{ .Values.singleuser.memory.limit }}
{{- end }}
{{- if $l3 }}
{{- range $key, $value := .Values.singleuser.extraResource.limits }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
This diff is collapsed.
apiVersion: apps/v1
kind: Deployment
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
strategy:
{{- .Values.hub.deploymentStrategy | toYaml | trimSuffix "\n" | nindent 4 }}
template:
metadata:
labels:
{{- /* Changes here will cause the Deployment to restart the pods. */}}
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
hub.jupyter.org/network-access-proxy-api: "true"
hub.jupyter.org/network-access-proxy-http: "true"
hub.jupyter.org/network-access-singleuser: "true"
{{- if .Values.hub.labels }}
{{- .Values.hub.labels | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
annotations:
# This lets us autorestart when the secret changes!
checksum/config-map: {{ include (print .Template.BasePath "/hub/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print .Template.BasePath "/hub/secret.yaml") . | sha256sum }}
{{- if .Values.hub.annotations }}
{{- .Values.hub.annotations | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
spec:
{{- if .Values.scheduling.podPriority.enabled }}
priorityClassName: {{ .Release.Name }}-default-priority
{{- end }}
nodeSelector: {{ toJson .Values.hub.nodeSelector }}
{{- include "jupyterhub.coreAffinity" . | nindent 6 }}
volumes:
- name: config
configMap:
name: hub-config
- name: secret
secret:
secretName: hub-secret
{{- if .Values.hub.extraVolumes }}
{{- .Values.hub.extraVolumes | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
{{- if eq .Values.hub.db.type "sqlite-pvc" }}
- name: hub-db-dir
persistentVolumeClaim:
claimName: hub-db-dir
{{- end }}
{{- if .Values.rbac.enabled }}
serviceAccountName: hub
{{- end }}
securityContext:
runAsUser: {{ .Values.hub.uid }}
fsGroup: {{ .Values.hub.fsGid }}
containers:
{{- if .Values.hub.extraContainers }}
{{- .Values.hub.extraContainers | toYaml | trimSuffix "\n" | nindent 8 }}
{{- end }}
- name: hub
image: {{ .Values.hub.image.name }}:{{ .Values.hub.image.tag }}
command:
- jupyterhub
- --config
- /srv/jupyterhub_config.py
{{- if .Values.debug.enabled }}
- --debug
{{- end }}
{{- /*
We want to do automatic upgrades for sqlite-pvc by default, but
allow users to opt out of that if they want. Users using their own
db need to 'opt in' Go Templates treat nil and "" and false as
'false', making this code complex. We can probably make this a
one-liner, but doing combinations of boolean vars in go templates is
very inelegant & hard to reason about.
*/}}
{{- $upgradeType := typeOf .Values.hub.db.upgrade }}
{{- if eq $upgradeType "bool" }}
{{- /* .Values.hub.db.upgrade has been explicitly set to true or false */}}
{{- if .Values.hub.db.upgrade }}
- --upgrade-db
{{- end }}
{{- else if eq $upgradeType "<nil>" }}
{{- /* .Values.hub.db.upgrade is nil */}}
{{- if eq .Values.hub.db.type "sqlite-pvc" }}
- --upgrade-db
{{- end }}
{{- end }}
volumeMounts:
- mountPath: /etc/jupyterhub/config/
name: config
- mountPath: /etc/jupyterhub/secret/
name: secret
{{- if .Values.hub.extraVolumeMounts }}
{{- .Values.hub.extraVolumeMounts | toYaml | trimSuffix "\n" | nindent 12 }}
{{- end }}
{{- if eq .Values.hub.db.type "sqlite-pvc" }}
- mountPath: /srv/jupyterhub
name: hub-db-dir
{{- if .Values.hub.db.pvc.subPath }}
subPath: {{ .Values.hub.db.pvc.subPath | quote }}
{{- end }}
{{- end }}
resources:
{{- .Values.hub.resources | toYaml | trimSuffix "\n" | nindent 12 }}
imagePullPolicy: {{ .Values.hub.imagePullPolicy }}
env:
{{- if .Values.hub.cookieSecret }}
- name: JPY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: hub-secret
key: hub.cookie-secret
{{- end }}
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CONFIGPROXY_AUTH_TOKEN
valueFrom:
secretKeyRef:
name: hub-secret
key: proxy.token
{{- if .Values.auth.state.enabled }}
- name: JUPYTERHUB_CRYPT_KEY
valueFrom:
secretKeyRef:
name: hub-secret
key: auth.state.crypto-key
{{- end }}
{{- if .Values.hub.extraEnv }}
{{- $extraEnvType := typeOf .Values.hub.extraEnv }}
{{- /* If we have a list, embed that here directly. This allows for complex configuration from configmap, downward API, etc. */}}
{{- if eq $extraEnvType "[]interface {}" }}
{{- .Values.hub.extraEnv | toYaml | trimSuffix "\n" | nindent 12 }}
{{- else if eq $extraEnvType "map[string]interface {}" }}
{{- /* If we have a map, treat those as key-value pairs. */}}
{{- range $key, $value := .Values.hub.extraEnv }}
- name: {{ $key | quote }}
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end }}
ports:
- containerPort: 8081
name: hub
{{- if .Values.hub.networkPolicy.enabled -}}
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
podSelector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
hub.jupyter.org/network-access-hub: "true"
ports:
- protocol: TCP
port: 8081
egress:
{{- /*
The default is to allow all egress for hub If you want to restrict it the
following egress is required
- proxy:8001
- singleuser:8888
- Kubernetes api-server
*/}}
{{- if .Values.hub.networkPolicy.egress }}
{{- .Values.hub.networkPolicy.egress | toYaml | trimSuffix "\n" | nindent 4 }}
{{- end }}
{{- end }}
{{- if .Values.hub.pdb.enabled -}}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
minAvailable: {{ .Values.hub.pdb.minAvailable }}
selector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
{{- end }}
{{- if eq .Values.hub.db.type "sqlite-pvc" -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: hub-db-dir
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
{{- if .Values.hub.db.pvc.annotations }}
annotations:
{{- .Values.hub.db.pvc.annotations | toYaml | trimSuffix "\n" | nindent 4 }}
{{- end }}
spec:
{{- if .Values.hub.db.pvc.selector }}
selector:
{{- .Values.hub.db.pvc.selector | toYaml | trimSuffix "\n" | nindent 4 }}
{{- end }}
{{- if typeIs "string" .Values.hub.db.pvc.storageClassName }}
storageClassName: {{ .Values.hub.db.pvc.storageClassName | quote }}
{{- end }}
accessModes:
{{- .Values.hub.db.pvc.accessModes | toYaml | trimSuffix "\n" | nindent 4 }}
resources:
requests:
storage: {{ .Values.hub.db.pvc.storage | quote }}
{{- end }}
{{- if .Values.rbac.enabled -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods", "persistentvolumeclaims"]
verbs: ["get", "watch", "list", "create", "delete"]
- apiGroups: [""] # "" indicates the core API group
resources: ["events"]
verbs: ["get", "watch", "list"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: hub
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: hub
apiGroup: rbac.authorization.k8s.io
{{- end }}
kind: Secret
apiVersion: v1
metadata:
name: hub-secret
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
type: Opaque
data:
proxy.token: {{ (required "Proxy token must be a 32 byte random string generated with `openssl rand -hex 32`!" .Values.proxy.secretToken) | b64enc | quote }}
{{- if .Values.hub.cookieSecret }}
hub.cookie-secret: {{ .Values.hub.cookieSecret | b64enc | quote }}
{{- end }}
{{- range $key, $value := .Values.hub.services }}
{{- if $value.apiToken }}
services.token.{{$key}}: {{ $value.apiToken | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.auth.state.enabled }}
auth.state.crypto-key: {{ (required "Encryption key is required for auth state to be persisted!" .Values.auth.state.cryptoKey) | b64enc | quote }}
{{- end }}
apiVersion: v1
kind: Service
metadata:
name: hub
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
spec:
type: {{ .Values.hub.service.type }}
{{- if .Values.hub.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.hub.service.loadBalancerIP }}
{{- end }}
selector:
{{- include "jupyterhub.matchLabels" . | nindent 4 }}
ports:
- protocol: TCP
port: 8081
targetPort: 8081
{{- if .Values.hub.service.ports.nodePort }}
nodePort: {{ .Values.hub.service.ports.nodePort }}
{{- end }}
{{- /*
Returns an image-puller daemonset. Two daemonsets will be created like this.
- hook-image-puller: for pre helm upgrade image pulling (lives temporarily)
- continuous-image-puller: for newly added nodes image pulling
*/}}
{{- define "jupyterhub.imagePuller.daemonset" -}}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: {{ print .componentPrefix "image-puller" }}
labels:
{{- include "jupyterhub.labels" . | nindent 4 }}
{{- if .hook }}
hub.jupyter.org/deletable: "true"
{{- end }}
{{- if .hook }}
annotations:
{{- /*
Allows the daemonset to be deleted when the image-awaiter job is completed.
*/}}
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook-weight": "-10"
{{- end }}
spec:
selector:
matchLabels:
{{- include "jupyterhub.matchLabels" . | nindent 6 }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 100%
template:
metadata:
labels:
{{- /* Changes here will cause the DaemonSet to restart the pods. */}}
{{- include "jupyterhub.matchLabels" . | nindent 8 }}
spec:
tolerations:
{{- include "jupyterhub.userTolerations" . | nindent 8 }}
nodeSelector: {{ toJson .Values.singleuser.nodeSelector }}
{{- if include "jupyterhub.userNodeAffinityRequired" . }}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
{{- include "jupyterhub.userNodeAffinityRequired" . | nindent 14 }}
{{- end }}
terminationGracePeriodSeconds: 0
automountServiceAccountToken: false
{{- if .Values.singleuser.imagePullSecret.enabled }}
imagePullSecrets:
- name: {{ if .hook -}} hook- {{- end -}} singleuser-image-credentials
{{- end }}
initContainers:
- name: image-pull-singleuser
image: {{ .Values.singleuser.image.name }}:{{ .Values.singleuser.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- if not .Values.singleuser.cloudMetadata.enabled }}
- name: image-pull-metadata-block
image: {{ .Values.singleuser.networkTools.image.name }}:{{ .Values.singleuser.networkTools.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- -c
- echo "Pulling complete"
{{- end }}
{{- range $k, $v := .Values.prePuller.extraImages }}
- name: image-pull-{{ $k }}
image: {{ $v.name }}:{{ $v.tag }}
imagePullPolicy: {{ $v.policy | default "IfNotPresent" }}
command:
- /bin/sh
- -c