Sync in Dawn work

.github/workflows/build-images.yml

@@ -0,0 +1,50 @@
+name: Publish Container Images
+on:
+  push:
+    paths:
+      - images/**
+jobs:
+  build_push_images:
+    name: Build and push images
+    permissions:
+      contents: read
+      id-token: write         # needed for signing the images with GitHub OIDC Token
+      packages: write         # required for pushing container images
+      security-events: write  # required for pushing SARIF files
+    runs-on: ubuntu-22.04
+    strategy:
+      matrix:
+        include:
+          - image: jupyterhub-intel-gpu
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Calculate metadata for image
+        id: image-meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/${{ matrix.image }}
+          # Produce the branch name or tag and the SHA as tags
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=sha,prefix=
+
+      - name: Build and push image
+        uses: azimuth-cloud/github-actions/docker-multiarch-build-push@master
+        with:
+          cache-key: ${{ matrix.image }}
+          context: ./images/${{ matrix.image }}
+          platforms: linux/amd64
+          push: true
+          tags: ${{ steps.image-meta.outputs.tags }}
+          labels: ${{ steps.image-meta.outputs.labels }}
+

README.md

@@ -1,2 +1,22 @@
 # fluxcd-demo-apps
 A repository of example apps deployed and managed using Flux CD
+
+> [!CAUTION]
+> This is very much a work in progress!!
+
+## Creating Sealed Secrets
+
+We assume the use of sealed secrets.
+
+TODO: add more instructions!
+
+## How to install
+
+The host cluster must have the [Flux CD](https://fluxcd.io/) controllers installed.
+
+Configuring Flux to manage the apps defined in the repository is a one-time operation:
+
+```sh
+flux create source git myapps --url=<giturl> --branch=main
+flux create kustomization myapps --source=GitRepository/myapps --prune=true
+```

apps/cert-manager/configmap.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cert-manager-config
+  namespace: cert-manager
+data:
+  values.yaml: |
+    installCRDs: true

apps/cert-manager/helmchart.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  chart: cert-manager
+  version: v1.16.1
+  sourceRef:
+    kind: HelmRepository
+    name: jetstack
+  interval: 1h

apps/cert-manager/helmrelease.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  chartRef:
+    kind: HelmChart
+    name: cert-manager
+  releaseName: cert-manager
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-config
+      valuesKey: values.yaml
+  install:
+    createNamespace: true
+    remediation:
+      retries: -1
+  upgrade:
+    remediation:
+      retries: -1
+  driftDetection:
+    mode: enabled
+  interval: 5m

apps/cert-manager/helmrepository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: cert-manager
+spec:
+  url: https://charts.jetstack.io
+  interval: 1h

apps/cert-manager/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+  - namespace.yaml
+  - configmap.yaml
+  - helmrepository.yaml
+  - helmchart.yaml
+  - helmrelease.yaml

apps/cert-manager/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

apps/jupyterhub/configmap.yaml

@@ -0,0 +1,137 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jupyterhub-config
+  namespace: jupyterhub
+data:
+  values.yaml: |
+
+    # Add JupyterHub customisations here
+    # See https://artifacthub.io/packages/helm/jupyterhub/jupyterhub
+
+    # We don't need a load balancer for the proxy
+    # since we want to use ingress instead.
+    #
+    # To access manually try:
+    # kubectl port-forward -n jupyterhub svc/proxy-public 8080:80
+    proxy:
+      service:
+        type: ClusterIP
+
+    # Make JupyterHub accessible via ingress
+    ingress:
+      enabled: false
+      ingressClassName: nginx
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+      hosts:
+        # IP must match NGINX ingress controller's
+        # load balancer IP.
+        # See `kubectl get svc -n ingress-nginx`
+        - &host jh.dawntest.128-232-224-75.nip.io
+      pathSuffix: ""
+      tls:
+        - hosts:
+          - *host
+          secretName: jupyterhub-ingress-cert
+
+    hub:
+      allowNamedServers: true
+      namedServerLimitPerUser: 3
+      activeServerLimit: 5
+      # Server startup fails with default
+      # restrictive network policy.
+      networkPolicy:
+         enabled: false
+
+      # # Configure Keycloak auth
+      # config:
+      #   JupyterHub:
+      #     authenticator_class: generic-oauth
+      #   GenericOAuthenticator:
+      #     client_id: scott-jupyterhub-test
+      #     # client_secret: <stored-in-sealed-secret>
+      #     # Must match ingress host
+      #     oauth_callback_url: https://128-232-226-29.sslip.io/hub/oauth_callback
+      #     authorize_url: https://identity.apps.hpc.cam.ac.uk/realms/az-rcp-cloud-portal-demo/protocol/openid-connect/auth
+      #     token_url: https://identity.apps.hpc.cam.ac.uk/realms/az-rcp-cloud-portal-demo/protocol/openid-connect/token
+      #     userdata_url: https://identity.apps.hpc.cam.ac.uk/realms/az-rcp-cloud-portal-demo/protocol/openid-connect/userinfo
+      #     scope:
+      #     - openid
+      #     - groups
+      #     username_claim: preferred_username
+      #     claim_groups_key: groups
+      #     userdata_params:
+      #       state: state
+
+      #     # Limit access to specific keycloak groups
+      #     allowed_groups:
+      #     - /admins
+      #     - /platform-users
+
+      #     # Allow hub admin access to keycloak users/groups
+      #     # admin_groups:
+      #     # - /admins
+      #     admin_users:
+      #     - scottd_stack
+
+      #     # Label for the 'Sign in with ___' button
+      #     login_service: Keycloak
+
+    # turn this off for now
+    prePuller:
+      hook:
+        enabled: false
+      continuous:
+        enabled: false
+
+    singleuser:
+      image:
+        name: quay.io/jupyter/minimal-notebook
+        tag: "2025-01-28"
+      cloudMetadata:
+        blockWithIptables: false
+      profileList:
+        - display_name: "Minimal environment"
+          description: "To avoid too much bells and whistles: Python."
+          default: true
+        - display_name: "Datascience environment"
+          description: "If you want the additional bells and whistles: Python, R, and Julia."
+          kubespawner_override:
+            image: quay.io/jupyter/datascience-notebook:2025-01-28
+        - display_name: "Pytorch environment with 1 x Intel XPUs"
+          description: "Pytorch Jupyter Stacks image!"
+          kubespawner_override:
+            #image: quay.io/jupyter/pytorch-notebook:2025-01-28
+            #image: ghcr.io/stackhpc/jupyterhub-pytorch-intel-gpu:v0.0.1
+            image: ghcr.io/johngarbutt/jupyterhub-intel-gpu:6421ba1
+            extra_resource_limits:
+              "gpu.intel.com/i915": "1"
+              # "nvidia.com/hostdev": "1"
+            supplemental_gids:
+              - "110" # Ubuntu render group GID, requred for permission to use Intel GPU device
+            # privilaged: false
+            # container_security_context:
+            #   allowPrivilegeEscalation: false
+            #   capabilities:
+            #     drop:
+            #       - ALL
+        - display_name: "Pytorch environment with 2 x Intel XPUs"
+          description: "Pytorch Jupyter Stacks image!"
+          kubespawner_override:
+            image: ghcr.io/johngarbutt/jupyterhub-intel-gpu:6421ba1
+            extra_resource_limits:
+              "gpu.intel.com/i915": "2"
+              "nvidia.com/hostdev": "2"
+            supplemental_gids:
+              - "110" # Ubuntu render group GID, requred for permission to use Intel GPU device
+        - display_name: "Pytorch environment with 4 x Intel XPUs"
+          description: "Pytorch Jupyter Stacks image!"
+          kubespawner_override:
+            image: ghcr.io/johngarbutt/jupyterhub-intel-gpu:6421ba1
+            extra_resource_limits:
+              "gpu.intel.com/i915": "4"
+              "nvidia.com/hostdev": "4"
+            supplemental_gids:
+              - "110" # Ubuntu render group GID, requred for permission to use Intel GPU device

apps/jupyterhub/example-secret.yaml

@@ -0,0 +1,19 @@
+---
+############
+# IMPORTANT: Make sure you run kubeseal against any secret before commiting it to git!
+# Example command:
+# kubeseal \
+#   --kubeconfig clusters/jupyterhub/kubeconfig \
+#   --format yaml \
+#   --controller-name sealed-secrets \
+#   --controller-namespace sealed-secrets-system \
+#   --secret-file components/jupyterhub/secret.yaml \
+#   --sealed-secret-file components/jupyterhub/secret.yaml
+############
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jupyterhub-keycloak-config
+  namespace: jupyterhub
+stringData:
+  keycloakClientSecret: <keycloak-client-secret>

apps/jupyterhub/extra-rbac.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: jupyterhub-node-list
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: jupyterhub-node-list
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: jupyterhub-node-list
+subjects:
+- kind: ServiceAccount
+  name: hub
+  namespace: jupyterhub

apps/jupyterhub/helmchart.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmChart
+metadata:
+  name: jupyterhub
+  namespace: jupyterhub
+spec:
+  chart: jupyterhub
+  version: "4.1.0"
+  sourceRef:
+    kind: HelmRepository
+    name: jupyterhub
+  interval: 10m0s

apps/jupyterhub/helmrelease.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: jupyterhub
+  namespace: jupyterhub
+spec:
+  chartRef:
+    kind: HelmChart
+    name: jupyterhub
+  releaseName: jupyterhub
+  valuesFrom:
+  - kind: ConfigMap
+    name: jupyterhub-config
+  # - kind: Secret
+  #   name: jupyterhub-keycloak-config
+  #   valuesKey: keycloakClientSecret
+  #   targetPath: hub.config.GenericOAuthenticator.client_secret
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  driftDetection:
+    mode: enabled
+  interval: 5m

apps/jupyterhub/helmrepository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jupyterhub
+  namespace: jupyterhub
+spec:
+  url: https://jupyterhub.github.io/helm-chart
+  interval: 1h

apps/jupyterhub/kustomization.yaml

@@ -0,0 +1,9 @@
+resources:
+  - namespace.yaml
+  - helmrepository.yaml
+  - helmchart.yaml
+  - helmrelease.yaml
+  - configmap.yaml
+  # - secret.yaml
+  # TODO - restore the auto profile detection
+  # - extra-rbac.yaml