diff --git a/manifests/psp.yaml b/manifests/psp.yaml index 6ef12896..68f7731c 100644 --- a/manifests/psp.yaml +++ b/manifests/psp.yaml @@ -42,15 +42,16 @@ spec: - 'secret' - 'downwardAPI' - 'hostPath' + - 'nfs' - 'persistentVolumeClaim' allowedHostPaths: - - pathPrefix: '/public/dumps' + - pathPrefix: '/mnt/public/dumps' readOnly: true - pathPrefix: '/mnt/nfs' readOnly: true - pathPrefix: '/var/lib/sss/pipes' readOnly: false - - pathPrefix: '/data/project' + - pathPrefix: '/mnt/project' readOnly: false --- apiVersion: policy/v1beta1 @@ -95,6 +96,7 @@ spec: - 'secret' - 'downwardAPI' - 'hostPath' + - 'nfs' - 'persistentVolumeClaim' allowedHostPaths: - pathPrefix: '/public/dumps' diff --git a/paws/nfs.yaml b/paws/nfs.yaml new file mode 100644 index 00000000..68bf6ba2 --- /dev/null +++ b/paws/nfs.yaml @@ -0,0 +1,23 @@ +jupyterhub: + hub: + extraVolumes: + - name: homes + nfs: + server: 192.168.122.223 + path: /mnt/project + - name: dumps + nfs: + server: 192.168.122.223 + path: /mnt/public/dumps + # Without this, dumps becomes inaccessible and can hang the host + - name: dumps-src1 + nfs: + server: 192.168.122.223 + path: /mnt/nfs/dumps-labstore1007.wikimedia.org + - name: dumps-src2 + nfs: + server: 192.168.122.223 + path: /mnt/nfs/dumps-labstore1006.wikimedia.org + extraConfig: + 00-myConfig: | + localdev = False diff --git a/paws/production.yaml b/paws/production.yaml index 44984d3f..4c54efb9 100644 --- a/paws/production.yaml +++ b/paws/production.yaml 
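Review bot: Allowing the `nfs` volume type in this policy is unbounded in a way `hostPath` is not: `allowedHostPaths` and its `readOnly` flags apply only to hostPath volumes, and PodSecurityPolicy has no allow-list for NFS servers or export paths. Any pod admitted under the policy can therefore mount any export it can reach, read-write, including the dumps trees that were pinned to `readOnly: true`. Access control then has to live on the NFS server (read-only exports, client restrictions), and a comment such as `# nfs volumes are not constrained by allowedHostPaths; exports must enforce read-only` next to `- 'nfs'` would record that. The second policy (hunk at -95) gets `nfs` as well but still lists `/public/dumps` while the first moves to `/mnt/public/dumps`; the rest of that list is outside the hunk, so confirm the difference is intended.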
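Review bot: None of the `nfs` volumes added in paws/nfs.yaml sets `readOnly: true`, so the dumps mounts lose the read-only guarantee that the hostPath entries had through `allowedHostPaths` in manifests/psp.yaml. Adding `readOnly: true` under `nfs:` for `dumps`, `dumps-src1` and `dumps-src2` restores it at the volume level. The same applies to the `nfs` volumes in paws/production.yaml and in the spawner block of paws/values.yaml. The server is also a literal address, `192.168.122.223`, repeated four times with no comment; a header comment naming the environment this file targets would keep it from being applied elsewhere by accident.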
@@ -9,6 +9,32 @@ dbProxy: tag: latest jupyterhub: hub: + extraVolumes: + - name: homes + nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: nfs-tools-project.svc.eqiad.wmnet + path: /mnt/project + #path: /srv/misc/shared/paws/project + - name: dumps + nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: labstore1007.wikimedia.org + path: / + # Without this, dumps becomes inaccessible and can hang the host + - name: dumps-src1 + nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: labstore1007.wikimedia.org + path: / + - name: dumps-src2 + nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: labstore1006.wikimedia.org + path: / + extraConfig: + 00-myConfig: | + localdev = False db: type: mysql upgrade: true diff --git a/paws/secrets.yaml b/paws/secrets.yaml index 3c8393b5..bf61a2fc 100644 Binary files a/paws/secrets.yaml and b/paws/secrets.yaml differ diff --git a/paws/templates/frontpage.yaml b/paws/templates/frontpage.yaml index a6978809..1265de3c 100644 --- a/paws/templates/frontpage.yaml +++ b/paws/templates/frontpage.yaml @@ -9,6 +9,7 @@ metadata: ingress.paws.wmcloud.org: front annotations: nginx.ingress.kubernetes.io/permanent-redirect: {{ .Values.paws.ingress.frontRedirect | quote }} + kubernetes.io/ingress.class: "nginx" name: paws-front-page spec: rules: diff --git a/paws/templates/legacy.yaml b/paws/templates/legacy.yaml index 3762916a..7959e343 100644 --- a/paws/templates/legacy.yaml +++ b/paws/templates/legacy.yaml @@ -9,6 +9,7 @@ metadata: annotations: nginx.ingress.kubernetes.io/permanent-redirect: $scheme://{{ .Values.pawspublic.ingress.host }}/$2$is_args$args nginx.ingress.kubernetes.io/use-regex: "true" + kubernetes.io/ingress.class: "nginx" name: paws-public-legacy spec: rules: 
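Review bot: The active `server:` for all four volumes in paws/production.yaml is `nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud`, with the other hosts left as `#server:` comments, so a deploy with this values file would mount home directories and dumps from what the name suggests is a test server. The three dumps volumes also mount `path: /`, the export root, where paws/nfs.yaml mounts specific dumps directories. If this is a temporary testing state, keep the test endpoints in a separate values file and leave production.yaml pointing at the production servers. Otherwise mark it in place, for example `# TEMPORARY: test NFS server, restore the commented values before a production deploy`.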
@@ -34,6 +35,7 @@ metadata: annotations: nginx.ingress.kubernetes.io/permanent-redirect: $scheme://{{ index .Values.jupyterhub.ingress.hosts 0 }}/$2 nginx.ingress.kubernetes.io/use-regex: "true" + kubernetes.io/ingress.class: "nginx" name: paws-legacy spec: rules: diff --git a/paws/templates/localdev.yaml b/paws/templates/localdev.yaml index ef53e348..18d375dc 100644 --- a/paws/templates/localdev.yaml +++ b/paws/templates/localdev.yaml @@ -11,7 +11,7 @@ spec: capacity: storage: 1Gi hostPath: - path: /data/project/paws/userhomes + path: /mnt/project/paws/userhomes --- apiVersion: v1 kind: PersistentVolume @@ -47,7 +47,7 @@ spec: capacity: storage: 1Gi hostPath: - path: /public/dumps + path: /mnt/public/dumps --- apiVersion: batch/v1 kind: Job @@ -84,5 +84,5 @@ spec: volumes: - name: security-disaster-only-for-minikube hostPath: - path: /data/project/paws/userhomes + path: /mnt/project/paws/userhomes {{ end }} diff --git a/paws/templates/public.yaml b/paws/templates/public.yaml index 2ae766bc..ef31f9e7 100644 --- a/paws/templates/public.yaml +++ b/paws/templates/public.yaml @@ -41,8 +41,15 @@ spec: cpu: "50m" volumes: +{{ if .Values.localdev.enabled }} - hostPath: - path: /data/project/paws/userhomes + path: /mnt/project/paws/userhomes +{{ else }} + - nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: nfs-tools-project.svc.eqiad.wmnet + path: /srv/misc/shared/paws/project/paws/userhomes +{{ end }} name: pawshomes --- @@ -83,8 +90,15 @@ spec: memory: "1000Mi" cpu: {{ .Values.pawspublic.renderer.cpu }} volumes: +{{ if .Values.localdev.enabled }} - hostPath: - path: /data/project/paws/userhomes + path: /mnt/project/paws/userhomes +{{ else }} + - nfs: + server: nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud + #server: nfs-tools-project.svc.eqiad.wmnet + path: /srv/misc/shared/paws/project/paws/userhomes +{{ end }} name: pawshomes --- apiVersion: autoscaling/v1 
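Review bot: In the `{{ else }}` branch of both `volumes:` hunks in paws/templates/public.yaml (-41 and -83), the server `nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud` is paired with `/srv/misc/shared/paws/project/paws/userhomes`, whereas paws/production.yaml pairs that server with `/mnt/project` and keeps `/srv/misc/shared/paws/project` next to the commented-out server. One of the two pairings is probably wrong, and the mount would fail or land on an unintended directory. The host name is also hard-coded in the template; reading it from values, e.g. `server: {{ .Values.pawspublic.nfs.server | quote }}` (key name is only a suggestion), keeps environment details out of templates. Since these pods appear to serve user home directories publicly, the volume should carry `readOnly: true` unless the volume mounts outside these hunks already enforce it.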
@@ -136,6 +150,8 @@ metadata: labels: name: paws-public-custom ingress.paws.wmcloud.org: public + annotations: + kubernetes.io/ingress.class: "nginx" name: paws-public-custom spec: rules: diff --git a/paws/values.yaml b/paws/values.yaml index a7d4d95c..9fad586e 100644 --- a/paws/values.yaml +++ b/paws/values.yaml @@ -87,10 +87,10 @@ jupyterhub: extraVolumes: - name: homes hostPath: - path: /data/project + path: /mnt/project - name: dumps hostPath: - path: /public/dumps + path: /mnt/public/dumps # Without this, dumps becomes inaccessible and can hang the host - name: dumps-src1 hostPath: @@ -119,7 +119,9 @@ jupyterhub: return pod c.KubeSpawner.modify_pod_hook = fix_labels - myConfig: | + 00-myConfig: | + localdev = True + 10-myConfig: | import hmac import hashlib import subprocess 
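Review bot: `localdev = True` in `00-myConfig` (paws/values.yaml, hunk at -119) introduces a second, independent switch for the decision that paws/templates/public.yaml takes from `.Values.localdev.enabled`, so the hub can end up spawning hostPath volumes while the templates render NFS, or the reverse. It also relies on the `00-` and `10-` snippets being evaluated in that order and sharing a namespace, which nothing in the file states. Deriving the Python flag from the same chart value would remove the mismatch. At minimum add a comment above `00-myConfig` such as `# must agree with localdev.enabled; evaluated before 10-myConfig, which reads this name`.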
@@ -167,24 +169,50 @@ jupyterhub: homedir = '/data/project/paws/userhomes/{}'.format(identity['sub']) # Create the homedir so docker doesn't do it as root os.makedirs(homedir, mode=0o755, exist_ok=True) - spawner.volumes = [ - { - 'name': 'home', - 'hostPath': { 'path': homedir } - }, - { - 'name': 'dumps', - 'hostPath': { 'path': '/public/dumps' } - }, - { - 'name': 'dumps-src1', - 'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1002.wikimedia.org' } - }, - { - 'name': 'dumps-src2', - 'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1001.wikimedia.org' } - } - ] + if localdev == True: + spawner.volumes = [ + { + 'name': 'home', + 'hostPath': { 'path': homedir } + }, + { + 'name': 'dumps', + 'hostPath': { 'path': '/public/dumps' } + }, + { + 'name': 'dumps-src1', + 'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1002.wikimedia.org' } + }, + { + 'name': 'dumps-src2', + 'hostPath': { 'path': '/mnt/nfs/dumps-clouddumps1001.wikimedia.org' } + } + ] + else: + homenfs = '/mnt/project/paws/userhomes/{}'.format(identity['sub']) + spawner.volumes = [ + { + 'name': 'home', + 'nfs': { 'server': 'nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud', 'path': homenfs } + #'nfs': { 'server': 'nfs-tools-project.svc.eqiad.wmnet', 'path': homenfs } + }, + { + 'name': 'dumps', + 'nfs': { 'server': 'nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud', 'path': '/' } + #'nfs': { 'server': 'labstore1007.wikimedia.org', 'path': '/' } + }, + { + 'name': 'dumps-src1', + 'nfs': { 'server': 'nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud', 'path': '/' } + #'nfs': { 'server': 'clouddumps1002.wikimedia.org', 'path': '/' } + }, + { + 'name': 'dumps-src2', + 'nfs': { 'server': 'nfs-for-test-paws.admin.codfw1dev.wikimedia.cloud', 'path': '/' } + #'nfs': { 'server': 'clouddumps1002.wikimedia.org', 'path': '/' } + } + ] + spawner.volume_mounts = [ { 'name': 'home', 
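Review bot: The `localdev` branch still mounts `/public/dumps` and the context line still builds `homedir` under `/data/project`, while this commit moves the host paths to `/mnt/public/dumps` and `/mnt/project` in `extraVolumes`, localdev.yaml and the first policy in manifests/psp.yaml. If that policy governs user pods, local-dev spawns would request hostPaths outside `allowedHostPaths`. In the `else` branch the three dumps volumes mount `'path': '/'`, the export root, and the commented alternatives for `dumps-src1` and `dumps-src2` both name `clouddumps1002`, where the hostPath list uses 1002 and 1001. `if localdev == True:` is better written `if localdev:`. The enclosing hook starts and ends outside the hunk, so how `os.makedirs(homedir, ...)` relates to the NFS path in `homenfs` cannot be checked from here.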
@@ -235,6 +263,7 @@ jupyterhub: cpu: .2 ingress: enabled: true + annotations: {kubernetes.io/ingress.class: "nginx"} hosts: - hub.paws.local # We are not on an autoscaling cluster, so we don't want this @@ -255,10 +284,10 @@ jupyterhub: tag: pr-222 # singleuser tag managed by github actions pullPolicy: Always memory: - guarantee: 1G + guarantee: .1G limit: 3G cpu: - guarantee: .5 + guarantee: .1 limit: 1 storage: type: none
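Review bot: Dropping the single-user guarantees to `.1G` memory and `.1` CPU (hunk at -255) while the limits stay at `3G` and `1` is unrelated to the NFS change and looks like a test-cluster adjustment. With guarantees this far below the limits, the scheduler can pack many notebook pods onto one node, and a few busy users can then starve the others or get them OOM-killed. If the lower values are only meant for the test cluster, set them in that environment's values file. Otherwise write them as `0.1G` and `0.1` with a comment giving the reason.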