RnD/infra
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f69453df99d1f0ecdb26bbba8e9643554c97ed6b
infra/stacks/jupyterhub/config/jupyterhub_config.py

34 lines
1.5 KiB
Python
Raw Normal View History

feat(cloud): single-shot deploy.sh + FROST stack + healthchecks Stage 5 — make the cloud composition spin up in one command and add the SensorThings (FROST) stack as a fully segregated tenant. cloud/deploy.sh — idempotent, 7-step bring-up: preflight → validate → up + wait → cert state → issue/renew → service status → endpoint smoke test. Reissues LE cert only when current issuer no longer matches ACME_CA_URI. Move-aside-then- restore-on-failure so the bootstrap cert survives a failed certbot. stacks/frost — new stack, segregated from shared sql/rabbitmq: - dedicated postgis container (frost-db) - dedicated internal mosquitto bus (frost-mosquitto) - frost-http + frost-mqtt on a private frost-internal network, joined to cloud-app only for nginx ingress at frost.wbd-rd.nl - shared mosquitto stack deleted; rabbitmq remains the only public MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy) stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate on service_healthy via cloud-level depends_on overrides. stacks/nginx-proxy: - nginx-init service generates a self-signed bootstrap cert on fresh deploy so nginx starts before certbot has issued a real one - frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080, /mqtt → frost-mqtt:9876 WebSocket) stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the official image can speak to the shared sql backend. stacks/jupyterhub — DummyAuthenticator stub gated by JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner. stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs (management + mqtt plugins, MQTT auth required). stacks/portainer — ports unpublished; nginx now the only ingress. stacks/node-red — pin to 4.1 (the floating "4" tag does not exist). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 16:37:58 +02:00
# JupyterHub bootstrap config.
#
# WARNING: this is a STUB. It uses DummyAuthenticator with a single shared
# password and LocalProcessSpawner. It boots, it's password-gated, but it is
# NOT the production setup. Before exposing this to anything beyond the
# cloud-host operator, swap to:
# - GenericOAuthenticator pointed at Keycloak (wbd realm, jupyterhub client)
# - DockerSpawner with per-user persistent volumes
# See stacks/jupyterhub/README.md TODO.
import os
c = get_config() # noqa: F821 — provided by JupyterHub
# --- Authenticator (stub) -----------------------------------------------------
c.JupyterHub.authenticator_class = "dummy"
c.DummyAuthenticator.password = os.environ["JUPYTERHUB_ADMIN_PASSWORD"]
admin_users = os.environ.get("JUPYTERHUB_ADMIN_USERS", "").strip()
if admin_users:
c.Authenticator.admin_users = {u.strip() for u in admin_users.split(",") if u.strip()}
c.Authenticator.allow_all = True # stub: any username, single shared password
# --- Spawner (stub) -----------------------------------------------------------
# LocalProcessSpawner runs notebooks as OS processes inside the hub container.
# Fine for a single operator on the stub; production should use DockerSpawner.
c.JupyterHub.spawner_class = "simple"
c.Spawner.default_url = "/lab"
# --- Hub posture --------------------------------------------------------------
c.JupyterHub.bind_url = "http://:8000"
c.JupyterHub.hub_bind_url = "http://0.0.0.0:8081"
c.JupyterHub.cleanup_servers = True
Reference in New Issue Copy Permalink