Streamline deployment of GESIS stage server

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[ansible/**]
+charset = utf-8
+end_of_line = lf
+indent_size = 2
+indent_style = space
+insert_final_newline = true

.gitlab-ci.yml

@@ -0,0 +1,81 @@
+variables:
+  GIT_STRATEGY: clone
+  GIT_CLEAN_FLAGS: "-ffdx"
+
+stages:
+  - build
+  - deploy-stage-ansible
+  - deploy-stage-helm
+  - test-stage
+  - deploy-prod-nginx
+  - deploy-prod-helm
+
+include:
+  - component: $CI_SERVER_FQDN/rse/docker/images/ansible/ansible-lint@10.2.6
+    inputs:
+      stage: build
+      dir: ansible
+
+  - component: $CI_SERVER_FQDN/rse/docker/images/ansible/ansible-deploy@10.2.6
+    inputs:
+      stage: deploy-stage-ansible
+      dir: ansible
+      inventory: gesis-stage
+      playbook: gesis.yml
+      ssh-user: ansible
+      ssh-key-type: ed25519
+
+.gesis helm deploy:
+  image: 
+    name: docker-private.gesis.intra/gesis/ilcm/orc2/k8s:latest
+    entrypoint: [""]
+  variables:
+    HELM_ENVIRONMENT: template
+  script:
+    - cat $git_crypt_secret_key | base64 -d > git_crypt_secret_key
+    - git-crypt unlock git_crypt_secret_key
+    - kubectl config use-context ${CI_PROJECT_PATH}:${HELM_ENVIRONMENT}
+    - helm version
+    - |
+      for d in ./mybinder*/; do
+        helm dependency update "$d";
+      done
+    - |
+      for chart in mybinder-kube-system mybinder-tigera-operator; do
+        helm upgrade \
+        ${chart:9} ./${chart} \
+        --cleanup-on-fail \
+        --create-namespace \
+        --history-max 3 \
+        --install \
+        --namespace=${chart};
+      done
+    - |
+      helm lint ./mybinder \
+      --values ./config/gesis-${HELM_ENVIRONMENT}.yaml
+    - |
+      helm upgrade \
+      binderhub ./mybinder \
+      --cleanup-on-fail \
+      --create-namespace \
+      --history-max 3 \
+      --install \
+      --namespace=gesis \
+      --render-subchart-notes \
+      --values ./config/gesis-${HELM_ENVIRONMENT}.yaml \
+      --values ./secrets/config/common/common.yaml \
+      --values ./secrets/config/common/cryptnono.yaml \
+      --values ./secrets/config/gesis-${HELM_ENVIRONMENT}.yaml
+
+gesis helm stage deploy:
+  resource_group: stage
+  stage: deploy-stage-helm
+  variables:
+    HELM_ENVIRONMENT: stage
+  extends:
+    - .gesis helm deploy
+
+smoke test to stage cluster:
+  stage: test-stage
+  script:
+    - curl https://notebooks-test.gesis.org/binder/

.gitlab/agents/stage/config.yaml

@@ -0,0 +1,3 @@
+ci_access:
+  projects:
+    - id: methods-hub/interactive-environment

ansible/gesis.yml

@@ -0,0 +1,29 @@
+- name: Configure servers that are part of Kubernetes cluster
+  hosts: all
+  gather_facts: false
+  become: true
+  roles:
+    - k8s-common
+- name: Configure Kubernetes control panel
+  hosts: kubernetes_control_panel
+  gather_facts: false
+  become: true
+  roles:
+    - k8s-control-panel
+- name: Configure Kubernetes workers
+  hosts: kubernetes_workers
+  gather_facts: false
+  become: true
+  roles:
+    - k8s-worker
+- name: Configure JupyterHub workers
+  hosts: jupyterhub_single_user
+  gather_facts: false
+  become: true
+  roles:
+    - k8s-worker
+- name: Configure mybinder.org Kubernetes cluster
+  hosts: kubernetes_control_panel
+  gather_facts: false
+  roles:
+    - mybinder

ansible/inventories/gesis-stage

@@ -0,0 +1,41 @@
+[all]
+#svko-ilcm04 ansible_host=194.95.75.14 ansible_ssh_user=ansible ansible_become_pass='{{ become_pass_194_95_75_14 }}'
+svko-css-backup-node ansible_host=194.95.75.20 ansible_ssh_user=ansible ansible_become_pass='{{ become_pass_194_95_75_20 }}'
+svko-k8s-test01 ansible_host=194.95.75.21 ansible_ssh_user=ansible ansible_become_pass='{{ become_pass_194_95_75_21 }}'
+svko-k8s-test02 ansible_host=194.95.75.22 ansible_ssh_user=ansible ansible_become_pass='{{ become_pass_194_95_75_22 }}'
+svko-k8s-test03 ansible_host=194.95.75.23 ansible_ssh_user=ansible ansible_become_pass='{{ become_pass_194_95_75_23 }}'
+
+[all:vars]
+INVENTORY_NAME=stage
+K8S_CONTROL_PLANE_ENDPOINT=194.95.75.21
+K8S_CONTROL_PLANE_ALIAS=svko-k8s-test01
+
+[notebooks_gesis_org]
+svko-css-backup-node
+
+[kubernetes_control_panel]
+svko-k8s-test01
+
+[kubernetes_workers]
+#svko-ilcm04
+svko-css-backup-node
+svko-k8s-test02
+svko-k8s-test03
+
+[ingress]
+svko-css-backup-node
+
+[harbor]
+svko-css-backup-node
+
+[binderhub]
+svko-k8s-test02
+
+[jupyterhub_single_user]
+svko-k8s-test03
+
+[prometheus]
+svko-css-backup-node
+
+[grafana]
+svko-css-backup-node

ansible/roles/jupyterhub/files/var/lib/kubelet/config.yaml

@@ -0,0 +1,45 @@
+apiVersion: kubelet.config.k8s.io/v1beta1
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 0s
+    enabled: true
+  x509:
+    clientCAFile: /etc/kubernetes/pki/ca.crt
+authorization:
+  mode: Webhook
+  webhook:
+    cacheAuthorizedTTL: 0s
+    cacheUnauthorizedTTL: 0s
+cgroupDriver: systemd
+clusterDNS:
+  - 10.96.0.10
+clusterDomain: cluster.local
+cpuManagerReconcilePeriod: 0s
+evictionPressureTransitionPeriod: 0s
+fileCheckFrequency: 0s
+healthzBindAddress: 127.0.0.1
+healthzPort: 10248
+httpCheckFrequency: 0s
+imageMinimumGCAge: 0s
+kind: KubeletConfiguration
+logging:
+  flushFrequency: 0
+  options:
+    json:
+      infoBufferSize: "0"
+  verbosity: 0
+memorySwap: {}
+nodeStatusReportFrequency: 0s
+nodeStatusUpdateFrequency: 0s
+resolvConf: /run/systemd/resolve/resolv.conf
+rotateCertificates: true
+runtimeRequestTimeout: 0s
+shutdownGracePeriod: 0s
+shutdownGracePeriodCriticalPods: 0s
+staticPodPath: /etc/kubernetes/manifests
+streamingConnectionIdleTimeout: 0s
+syncFrequency: 0s
+volumeStatsAggPeriod: 0s
+maxPods: 500

ansible/roles/jupyterhub/tasks/main.yml

@@ -0,0 +1,15 @@
+- name: Stop kubelet service
+  ansible.builtin.systemd:
+    name: kubelet
+    state: stopped
+- name: Copy kubelet configuration
+  ansible.builtin.copy:
+    src: ../var/lib/kubelet/config.yaml
+    dest: /var/lib/kubelet/config.yaml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+- name: Restarted kubelet service
+  ansible.builtin.systemd:
+    name: kubelet
+    state: restarted