feat(cloud): single-shot deploy.sh + FROST stack + healthchecks
Stage 5 — make the cloud composition spin up in one command and add
the SensorThings (FROST) stack as a fully segregated tenant.
cloud/deploy.sh — idempotent, 7-step bring-up:
preflight → validate → up + wait → cert state → issue/renew →
service status → endpoint smoke test. Reissues LE cert only when
current issuer no longer matches ACME_CA_URI. Move-aside-then-
restore-on-failure so the bootstrap cert survives a failed certbot.
stacks/frost — new stack, segregated from shared sql/rabbitmq:
- dedicated postgis container (frost-db)
- dedicated internal mosquitto bus (frost-mosquitto)
- frost-http + frost-mqtt on a private frost-internal network,
joined to cloud-app only for nginx ingress at frost.wbd-rd.nl
- shared mosquitto stack deleted; rabbitmq remains the only public
MQTT broker (mqtt.wbd-rd.nl:8883 via stream proxy)
stacks/sql — pg_isready healthcheck so keycloak/gitea/mlflow can gate
on service_healthy via cloud-level depends_on overrides.
stacks/nginx-proxy:
- nginx-init service generates a self-signed bootstrap cert on
fresh deploy so nginx starts before certbot has issued a real one
- frost.wbd-rd.nl vhost (/FROST-Server → frost-http:8080,
/mqtt → frost-mqtt:9876 WebSocket)
stacks/mlflow — custom Dockerfile (upstream + psycopg2-binary) so the
official image can speak to the shared sql backend.
stacks/jupyterhub — DummyAuthenticator stub gated by
JUPYTERHUB_ADMIN_PASSWORD; TODO comments point at OIDC + DockerSpawner.
stacks/rabbitmq — config/{enabled_plugins,rabbitmq.conf} stubs
(management + mqtt plugins, MQTT auth required).
stacks/portainer — ports unpublished; nginx now the only ingress.
stacks/node-red — pin to 4.1 (the floating "4" tag does not exist).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
znetsixe
33
stacks/jupyterhub/config/jupyterhub_config.py
Normal file
33
stacks/jupyterhub/config/jupyterhub_config.py
Normal file
@@ -0,0 +1,33 @@
|
||||
# JupyterHub bootstrap config.
|
||||
#
|
||||
# WARNING: this is a STUB. It uses DummyAuthenticator with a single shared
|
||||
# password and LocalProcessSpawner. It boots, it's password-gated, but it is
|
||||
# NOT the production setup. Before exposing this to anything beyond the
|
||||
# cloud-host operator, swap to:
|
||||
# - GenericOAuthenticator pointed at Keycloak (wbd realm, jupyterhub client)
|
||||
# - DockerSpawner with per-user persistent volumes
|
||||
# See stacks/jupyterhub/README.md TODO.
|
||||
|
||||
import os
|
||||
|
||||
c = get_config() # noqa: F821 — provided by JupyterHub
|
||||
|
||||
# --- Authenticator (stub) -----------------------------------------------------
|
||||
c.JupyterHub.authenticator_class = "dummy"
|
||||
c.DummyAuthenticator.password = os.environ["JUPYTERHUB_ADMIN_PASSWORD"]
|
||||
|
||||
admin_users = os.environ.get("JUPYTERHUB_ADMIN_USERS", "").strip()
|
||||
if admin_users:
|
||||
c.Authenticator.admin_users = {u.strip() for u in admin_users.split(",") if u.strip()}
|
||||
c.Authenticator.allow_all = True # stub: any username, single shared password
|
||||
|
||||
# --- Spawner (stub) -----------------------------------------------------------
|
||||
# LocalProcessSpawner runs notebooks as OS processes inside the hub container.
|
||||
# Fine for a single operator on the stub; production should use DockerSpawner.
|
||||
c.JupyterHub.spawner_class = "simple"
|
||||
c.Spawner.default_url = "/lab"
|
||||
|
||||
# --- Hub posture --------------------------------------------------------------
|
||||
c.JupyterHub.bind_url = "http://:8000"
|
||||
c.JupyterHub.hub_bind_url = "http://0.0.0.0:8081"
|
||||
c.JupyterHub.cleanup_servers = True
|
||||
Reference in New Issue
Block a user