├── README.md ├── extra └── vault │ ├── cors.json │ ├── enable-cors.sh │ └── policy.hcl ├── img ├── kube.png ├── oidc.jpeg └── reverse-proxy.png └── manifests ├── ingress-nginx-avec-certif ├── .gitignore ├── Chart.yaml └── values.yaml ├── ingress-nginx ├── .gitignore ├── Chart.yaml └── values.yaml ├── jupyter-basique └── deployment.yaml ├── jupyter-helm ├── .gitignore ├── Chart.yaml └── values.yaml ├── keycloak ├── .gitignore ├── Chart.yaml └── values.yaml ├── minio ├── .gitignore ├── Chart.yaml └── values.yaml ├── onyxia-brut ├── .gitignore ├── Chart.yaml └── values.yaml ├── onyxia-oidc ├── .gitignore ├── Chart.yaml └── values.yaml ├── onyxia-s3-minio-vault ├── .gitignore ├── Chart.yaml └── values.yaml ├── onyxia-s3-minio ├── .gitignore ├── Chart.yaml └── values.yaml └── vault ├── .gitignore ├── Chart.yaml └── values.yaml /README.md: -------------------------------------------------------------------------------- 1 | # Construisons ensemble de A à Z un cloud opensource pour le datascientist 2 | 3 | Pour poser des questions pendant la conférence : https://hebdo.framapad.org/p/devoxx-2023-conf-datalab-a0cu?lang=fr 4 | 5 | ## Contexte et objectif 6 | 7 | https://minio.lab.sspcloud.fr/projet-onyxia/diffusion/Presentation/devoxx-intro.pdf 8 | 9 | Plan de jeu : 10 | 11 | 1. [Provisionner un cluster Kubernetes](#provisionner-un-cluster-kubernetes) 12 | 2. [Prise en main "admin" du cluster](#prise-en-main-admin-du-cluster) 13 | 3. [Datascience 101: déploiement d'un service](#datascience-101--déploiement-dun-service) 14 | 4. [Packaging, reproductibilité et configuration: Helm](#packaging-reproductibilité-et-configuration--helm) 15 | 5. [Exposition des services vers l'extérieur](#exposition-des-services-vers-lextérieur) 16 | 6. [Bilan d'étape](#bilan-détape) 17 | 7. [Onyxia, notre sauveur](#onyxia-notre-sauveur) 18 | 8. [Installation d'Onyxia](#installation-donyxia) 19 | 9. [Multi utilisateurs: authentification](#multi-users--authentification) 20 | 10. 
[Stockage S3](#stockage-s3) 21 | 11. [Catalogue de services](#catalogue-de-services) 22 | 12. [Gestion des secrets](#gestion-des-secrets) 23 | 13. [Customisation](#customisation) 24 | 14. [Bonus](#bonus) 25 | 26 | ## Provisionner un cluster Kubernetes 27 | 28 | ### `Théorie` 29 | 30 | - Un prérequis : un cluster Kubernetes 31 | - "Agnostique de la distribution / cloud provider" 32 | - Aujourd'hui : cluster managé chez OVH 33 | 34 | ### `Pratique` 35 | 36 | - Création d'un cluster Kubernetes sur OVH 37 | 38 | ## Prise en main "admin" du cluster 39 | 40 | ### `Théorie` 41 | 42 | ![](img/kube.png) 43 | 44 | - Interaction avec l'API Server 45 | 46 | ### `Pratique` 47 | 48 | - Installation de `kubectl` (https://kubernetes.io/docs/tasks/tools/), attention au [Version skew policy](https://kubernetes.io/releases/version-skew-policy/) : respecter `+/- 1` par rapport au cluster pour éviter les problèmes. Le mettre dans le `PATH`. 49 | - Téléchargement du `kubeconfig` depuis l'interface du provider (ou récupération en fonction de la distribution), le placer dans `~/.kube/config` 50 | - Confirmer avec `kubectl get nodes` la présence des noeuds 51 | 52 | ## Datascience 101 : déploiement d'un service 53 | 54 | ### `Théorie` 55 | 56 | - On a un cluster, on déploie et c'est fini, non ? 57 | 58 | ### `Pratique` 59 | 60 | - Déploiement d'un jupyter notebook basique. 
`kubectl apply -f manifests/jupyter-basique` (le manifeste ne fixe ni tag d'image — `jupyter/datascience-notebook` sans tag, donc `latest`, non reproductible — ni `resources`, ni `securityContext` : suffisant pour la démo, pas au-delà) 61 | - `kubectl get pods` pour suivre la création du pod 62 | - `kubectl logs podname` une fois `Running` pour consulter les logs et récupérer le token d'accès (on ne l'a pas précisé donc il est généré dynamiquement à chaque lancement ; il apparaît en clair dans les logs du pod, donc toute personne ayant le droit `pods/log` sur le namespace peut le lire) 63 | - `kubectl port-forward podname 8888:8888` pour ouvrir un tunnel entre `localhost:8888` et le port 8888 du Jupyter 64 | - Accès et utilisation du Jupyter via `localhost:8888` 65 | 66 | Superbe infra datascience :thumbsup: 67 | 68 | ## Packaging, reproductibilité et configuration : Helm 69 | 70 | ### `Théorie` 71 | 72 | Intérêt du packaging, principes de [Helm](https://helm.sh/) 73 | 74 | ### `Pratique` 75 | 76 | Désinstallation et réinstallation du service précédent 77 | 78 | - `kubectl delete -f manifests/jupyter-basique` pour nettoyer le service précédent 79 | - Recherche d'un `chart` Helm pour jupyterlab ... 80 | - https://github.com/inseefrlab/helm-charts-interactive-services 81 | 82 | ``` 83 | helm repo add helm-charts-interactive-services https://inseefrlab.github.io/helm-charts-interactive-services 84 | helm repo update 85 | helm install jupyter helm-charts-interactive-services/jupyter-python 86 | ``` 87 | 88 | - Pratique : faire un `chart` "coquille" avec une dépendance vers le `chart` réel (cf `manifests/jupyter-helm`). Attention : dans le `values.yaml` de la coquille, la clé de premier niveau doit être le nom de la dépendance déclarée dans `Chart.yaml` (`jupyter-python`) ou son `alias`, sinon les values ne sont pas transmises au sous-chart. 89 | - Bonne pratique : Utiliser `helm template` AVANT d'installer pour contrôler ce qui va être installé (en particulier les objets RBAC — `ClusterRole`, `ClusterRoleBinding` — et les `securityContext` demandés par le chart).
(à défaut, `helm get manifest jupyter` pour voir les manifests après installation) 90 | - Bonne pratique : Externaliser les values dans un `values.yaml` (`helm install -f values.yaml`) — mais ne jamais y committer de secrets en clair : les `values.yaml` de ce dépôt (`manifests/keycloak`, `manifests/minio`) contiennent des mots de passe admin, ce qui n'est acceptable que pour une démo jetable ; hors démo, les mettre dans un `Secret` Kubernetes ou un gestionnaire de secrets 91 | - Bonne pratique : `helm uninstall jupyter` 92 | 93 | ## Exposition des services vers l'extérieur 94 | 95 | ### `Théorie` 96 | 97 | ![](img/reverse-proxy.png) 98 | 99 | ### `Pratique` 100 | 101 | - `cd manifests/ingress-nginx`, `helm dependencies build` pour télécharger les dépendances (`helm dependencies update` pour les mettre à jour). Les `.gitignore` de ce dépôt excluent `Chart.lock` ; pour une installation reproductible, committer ce fichier (il fige les versions résolues et leur digest) 102 | - `kubectl create namespace ingress-nginx` 103 | - `helm template ingress-nginx . -f values.yaml -n ingress-nginx` pour prévisualisation 104 | - `helm install ingress-nginx . -f values.yaml -n ingress-nginx` pour l'installation 105 | - `kubectl get pods -n ingress-nginx` pour suivre l'avancée des pods, `kubectl get service -n ingress-nginx` pour suivre l'affectation de l'IP loadbalancer 106 | - Récupérer l'IP externe (après affectation par le cloud provider) 107 | 108 | ### `Théorie` 109 | 110 | Une adresse IP c'est bien, un nom de domaine c'est mieux 111 | 112 | ### `Pratique` 113 | 114 | - Configuration d'un champ DNS `A` `*.devoxx.insee.io` => `ipexterne` 115 | - Modifier le jupyter pour utiliser le reverse proxy (`helm upgrade jupyter helm-charts-interactive-services/jupyter-python --set ingress.enabled=true --set ingress.hostname=devoxx.insee.io`) — attention : un enregistrement wildcard `*.devoxx.insee.io` ne couvre pas l'apex `devoxx.insee.io` ; sauf enregistrement dédié, préférer un sous-domaine comme `jupyter.devoxx.insee.io`, valeur utilisée dans `manifests/jupyter-helm/values.yaml` 116 | 117 | ### `Théorie` 118 | 119 | - `HTTP` brut en 2023 :vomiting_face: 120 | - 2 approches : `cert-manager` et `wildcard` 121 | 122 | ### `Pratique` 123 | 124 | - Wildcard (via [let's encrypt](https://letsencrypt.org/)) : `certbot certonly --manual --preferred-challenges dns` 125 | - `kubectl create secret tls wildcard --key privkey.pem --cert fullchain.pem -n ingress-nginx` — c'est le Secret référencé par `default-ssl-certificate: ingress-nginx/wildcard` dans `manifests/ingress-nginx-avec-certif/values.yaml`. `privkey.pem` est la clé privée de tout `*.devoxx.insee.io` : ne pas la committer, limiter par RBAC qui peut lire les `secrets` du namespace `ingress-nginx`, et prévoir le renouvellement (un certificat Let's Encrypt expire au bout de 90 jours et `certbot --manual` ne le renouvelle pas seul sans hook DNS) 126 | - Ou cert-manager : https://cert-manager.io/docs/installation/helm/ (gère le renouvellement automatiquement) 127 | 128 | ## Bilan d'étape 129 | 130 | On a un cluster, accessible aux admins avec possibilité de déployer des services de façon technique.
131 | **Nécessité d'industrialisation et de proposer une UX** 132 | 133 | ## Onyxia, notre sauveur 🙏🏻 134 | 135 | 136 | image 137 | 138 | 139 | 140 | [onyxia.sh](https://www.onyxia.sh/) 141 | 142 | 143 |
144 | 145 | 146 | 147 | Vidéo + présentation de l'appli + démo sspcloud (J) 148 | 149 | ## Installation d'Onyxia 150 | 151 | ### `Théorie` 152 | 153 | - https://www.onyxia.sh/ 154 | - Pattern "namespace as a service" : l'API Onyxia crée un namespace par utilisateur, et pour cela les `values.yaml` de `manifests/onyxia-oidc` et suivants lui donnent `serviceAccount.clusterAdmin: true` (a priori le rôle `cluster-admin` sur tout le cluster) — à restreindre au strict nécessaire hors démo 155 | 156 | ### `Pratique` 157 | 158 | - `cd manifests/onyxia-brut`, `helm dependencies build`, `helm install onyxia . -f values.yaml -n onyxia --create-namespace` 159 | - ... 160 | - `https://datalab.devoxx.insee.io` 161 | 162 | ## Multi utilisateurs : authentification 163 | 164 | ### `Théorie` 165 | 166 | ![](img/oidc.jpeg) 167 | 168 | ### `Pratique` 169 | 170 | Installation d'un [Keycloak](https://github.com/keycloak/keycloak) 171 | 172 | - `cd manifests/keycloak`, `helm dependencies build`, `helm install keycloak . -f values.yaml -n keycloak --create-namespace` — ce `values.yaml` met `KEYCLOAK_ADMIN_PASSWORD` en clair dans Git et lance Keycloak avec `--hostname-strict=false --hostname-strict-https=false` : hors démo, passer le mot de passe par un `Secret` et fixer explicitement le `hostname` 173 | 174 | * Interface d'admin : https://auth.devoxx.insee.io/auth 175 | * Création d'un realm `datalab`, onglet `login` activation de `User registration` — ceci ouvre l'inscription libre : toute personne atteignant `auth.devoxx.insee.io` peut se créer un compte, donc obtenir un namespace Kubernetes (et plus loin un bucket S3). À désactiver dès la fin de la démo, ou à restreindre (vérification d'e-mail, domaine d'e-mail, fédération d'identité) 176 | * Création d'un client `onyxia` avec `Root URL` : `https://datalab.devoxx.insee.io`, `Valid redirect URIs` : `https://datalab.devoxx.insee.io/*` et `Web origins` : `+` (`+` = les origines des `Valid redirect URIs` ; garder ces URIs aussi précises que possible, un wildcard trop large permet de détourner le code d'autorisation) 177 | 178 | Configuration d'onyxia : 179 | 180 | - `cd manifests/onyxia-oidc`, `helm dependencies build`, `helm upgrade onyxia . -f values.yaml -n onyxia` 181 | 182 | ## Stockage S3 183 | 184 | ### `Théorie` 185 | 186 | Intérêt du stockage S3 (F) 187 | 188 | ### `Pratique` 189 | 190 | Installation d'un [minIO](https://github.com/minio/minio) 191 | 192 | - `cd manifests/minio`, `helm dependencies build`, `helm install minio .
-f values.yaml -n minio --create-namespace` (même remarque : `rootPassword` est en clair dans `manifests/minio/values.yaml`) 193 | - Utilisation de [mc](https://min.io/download#/linux) 194 | - `mc alias set devoxx https://minio.devoxx.insee.io admin changeme` — attention, `changeme` n'est pas la valeur de `rootPassword` dans `manifests/minio/values.yaml` ; utiliser le mot de passe réel, et de préférence lancer `mc alias set devoxx https://minio.devoxx.insee.io` sans identifiants pour les saisir à l'invite plutôt que de les laisser dans l'historique du shell 195 | - `mc admin info devoxx` 196 | - `mc ls devoxx` 197 | 198 | Authentification OpenIDConnect : 199 | 200 | - Création d'un client `minio`, `Root URL` : `https://minio.devoxx.insee.io`, `Valid redirect URIs` : `https://minio.devoxx.insee.io/*` et `https://minio-console.devoxx.insee.io/*`, `Web origins` : `+` (client public : `manifests/minio/values.yaml` laisse `clientSecret` vide) 201 | - Ajout d'un mapper pour ce client : `clients` => `minio` => `client scopes` => `minio-dedicated` => `configure a new mapper` => `hardcoded claim` : 202 | - Name: `stsonly` 203 | - Token claim name: `policy`, Claim value : `stsonly` — c'est ce claim (`claimName: policy` dans `manifests/minio/values.yaml`) qui rattache chaque utilisateur à la policy MinIO `stsonly`, limitée à `s3:*` sur son seul bucket `oidc-<preferred_username>` 204 | Console disponible sur [https://minio-console.devoxx.insee.io](https://minio-console.devoxx.insee.io) 205 | 206 | Intégration avec Onyxia : 207 | 208 | - Création d'un client `onyxia-minio`, `Root URL` : `https://datalab.devoxx.insee.io`, `Valid redirect URIs` : `https://datalab.devoxx.insee.io/*`, `Web origins` : `+` 209 | - Ajout d'un mapper pour ce client : `clients` => `onyxia-minio` => `client scopes` => `onyxia-minio-dedicated` => `configure a new mapper` => `hardcoded claim` : 210 | - Name: `stsonly` 211 | - Token claim name: `policy` 212 | - Claim value : `stsonly` 213 | - Ajout d'une audience spécifique pour ce client : `clients` => `onyxia-minio` => `client scopes` => `onyxia-minio-dedicated` => `add mapper by configuration` => `audience` : 214 | - Name: `audience-minio` 215 | - Included Custom Audience : `minio` 216 | - Add to ID token: `true` 217 | - `cd manifests/onyxia-s3-minio`, `helm dependencies build`, `helm upgrade onyxia .
-f values.yaml -n onyxia` 218 | 219 | Minio intégré dans Onyxia :) 220 | 221 | ## Catalogue de services 222 | 223 | ### `Théorie` 224 | 225 | Fonctionnement du catalogue (J) 226 | 227 | ## Gestion des secrets 228 | 229 | ### `Théorie` 230 | 231 | La gestion des secrets avec Vault (F) 232 | 233 | ### `Pratique` 234 | 235 | https://github.com/InseeFrLab/onyxia/tree/main/step-by-step#configuring-keycloak-for-vault — les fichiers de ce dépôt utilisés pour cette étape sont `manifests/vault` et `extra/vault`, avec trois réserves : `manifests/vault/values.yaml` déploie Vault en mode `dev` (stockage en mémoire, non scellé, root token fixé à `root`) derrière une ingress publique `vault.devoxx.insee.io`, ce qui ne convient qu'à une démo jetable ; `extra/vault/enable-cors.sh` utilise ce root token et `extra/vault/cors.json` met `allowed_origins` à `*`, à restreindre à l'origine qui appelle réellement Vault depuis un navigateur (a priori `https://datalab.devoxx.insee.io`) ; `extra/vault/policy.hcl` cloisonne chaque utilisateur sur `onyxia-kv/<son alias>/…` via l'accesseur `auth_jwt_e230c5d4`, propre à l'installation d'origine, à remplacer par la valeur donnée par `vault auth list` (colonne `Accessor`) 236 | 237 | ## Customisation 238 | 239 | ### `Théorie` 240 | 241 | Design, cohérence de l'expérience utilisateur ... (J) 242 | 243 | ### `Pratique` 244 | 245 | https://www.keycloakify.dev/ 246 | 247 | ## Bonus 248 | 249 | - [Catalogue de formations](https://www.sspcloud.fr/formation) 250 | - [Gitops avec argocd](https://argo-cd.readthedocs.io/en/stable/) 251 | - [Monitoring / billing](https://github.com/opencost/opencost) 252 | -------------------------------------------------------------------------------- /extra/vault/cors.json: -------------------------------------------------------------------------------- 1 | { 2 | "allowed_origins": "*", 3 | "allowed_headers": "X-Custom-Header" 4 | } 5 | -------------------------------------------------------------------------------- /extra/vault/enable-cors.sh: -------------------------------------------------------------------------------- 1 | curl --header "X-Vault-Token: root" --request POST --data @cors.json https://vault.devoxx.insee.io/v1/sys/config/cors 2 | -------------------------------------------------------------------------------- /extra/vault/policy.hcl: -------------------------------------------------------------------------------- 1 | path "onyxia-kv/{{identity.entity.aliases.auth_jwt_e230c5d4.name}}/*" { 2 | capabilities = ["create","update","read","delete","list"] 3 | } 4 | 5 | path "onyxia-kv/data/{{identity.entity.aliases.auth_jwt_e230c5d4.name}}/*" { 6 | capabilities = ["create","update","read"] 7 | } 8 | 9 | path "onyxia-kv/metadata/{{identity.entity.aliases.auth_jwt_e230c5d4.name}}/*" { 10 |
capabilities = ["delete", "list", "read"] 11 | } 12 | -------------------------------------------------------------------------------- /img/kube.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InseeFrLab/devoxx-2023/9dfc67a554ed3599e12154ae9ff8811411c50b23/img/kube.png -------------------------------------------------------------------------------- /img/oidc.jpeg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InseeFrLab/devoxx-2023/9dfc67a554ed3599e12154ae9ff8811411c50b23/img/oidc.jpeg -------------------------------------------------------------------------------- /img/reverse-proxy.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/InseeFrLab/devoxx-2023/9dfc67a554ed3599e12154ae9ff8811411c50b23/img/reverse-proxy.png -------------------------------------------------------------------------------- /manifests/ingress-nginx-avec-certif/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/ingress-nginx-avec-certif/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: demo-ingress-nginx 3 | version: 1.0.0 4 | dependencies: 5 | - name: ingress-nginx 6 | version: 4.6.0 7 | repository: https://kubernetes.github.io/ingress-nginx -------------------------------------------------------------------------------- /manifests/ingress-nginx-avec-certif/values.yaml: -------------------------------------------------------------------------------- 1 | ingress-nginx: 2 | controller: 3 | watchIngressWithoutClass: true 4 | extraArgs: 5 | default-ssl-certificate: ingress-nginx/wildcard 6 | config: 7 | proxy-buffer-size: "128k" # see 
https://stackoverflow.com/a/68811151 8 | rbac: 9 | create: true 10 | -------------------------------------------------------------------------------- /manifests/ingress-nginx/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/ingress-nginx/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: demo-ingress-nginx 3 | version: 1.0.0 4 | dependencies: 5 | - name: ingress-nginx 6 | version: 4.6.0 7 | repository: https://kubernetes.github.io/ingress-nginx -------------------------------------------------------------------------------- /manifests/ingress-nginx/values.yaml: -------------------------------------------------------------------------------- 1 | ingress-nginx: 2 | controller: 3 | watchIngressWithoutClass: true 4 | rbac: 5 | create: true -------------------------------------------------------------------------------- /manifests/jupyter-basique/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: jupyter 5 | spec: 6 | selector: 7 | matchLabels: 8 | app: jupyter 9 | template: 10 | metadata: 11 | labels: 12 | app: jupyter 13 | spec: 14 | containers: 15 | - name: jupyter 16 | image: jupyter/datascience-notebook 17 | -------------------------------------------------------------------------------- /manifests/jupyter-helm/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/jupyter-helm/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: jupyter 3 | version: 1.0.0 4 | dependencies: 5 | - name: jupyter-python 6 
| version: 1.10.1 7 | repository: https://inseefrlab.github.io/helm-charts-interactive-services -------------------------------------------------------------------------------- /manifests/jupyter-helm/values.yaml: -------------------------------------------------------------------------------- 1 | jupyter: 2 | ingress: 3 | enabled: true 4 | hostname: jupyter.devoxx.insee.io 5 | -------------------------------------------------------------------------------- /manifests/keycloak/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/keycloak/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: keycloak 3 | version: 1.0.0 4 | dependencies: 5 | - name: keycloakx 6 | version: 2.1.1 7 | repository: https://codecentric.github.io/helm-charts -------------------------------------------------------------------------------- /manifests/keycloak/values.yaml: -------------------------------------------------------------------------------- 1 | keycloakx: 2 | ingress: 3 | enabled: true 4 | rules: 5 | - host: auth.devoxx.insee.io 6 | paths: 7 | - path: / 8 | pathType: Prefix 9 | tls: 10 | - hosts: 11 | - auth.devoxx.insee.io 12 | command: 13 | - "/opt/keycloak/bin/kc.sh" 14 | - "start" 15 | - "--http-enabled=true" 16 | - "--http-port=8080" 17 | - "--hostname-strict=false" 18 | - "--hostname-strict-https=false" 19 | extraEnv: | 20 | - name: KEYCLOAK_ADMIN 21 | value: admin 22 | - name: KEYCLOAK_ADMIN_PASSWORD 23 | value: Fu38b32YnjTM1t5wJa3h 24 | - name: JAVA_OPTS_APPEND 25 | value: >- 26 | -Djgroups.dns.query={{ include "keycloak.fullname" . 
}}-headless -Dkeycloak.profile=preview 27 | rbac: 28 | create: true 29 | rules: 30 | # RBAC rules for KUBE_PING 31 | - apiGroups: 32 | - "" 33 | resources: 34 | - pods 35 | verbs: 36 | - get 37 | - list 38 | -------------------------------------------------------------------------------- /manifests/minio/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/minio/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: minio 3 | version: 1.0.0 4 | dependencies: 5 | - name: minio 6 | version: 5.0.7 7 | repository: https://charts.min.io/ -------------------------------------------------------------------------------- /manifests/minio/values.yaml: -------------------------------------------------------------------------------- 1 | minio: 2 | rootUser: admin 3 | rootPassword: G3PJwYC467pdsuzng154bEsDom 4 | mode: standalone 5 | persistence: 6 | size: 1Gi 7 | resources: 8 | requests: 9 | memory: 512Mi 10 | ingress: 11 | enabled: true 12 | hosts: 13 | - minio.devoxx.insee.io 14 | tls: 15 | - hosts: 16 | - minio.devoxx.insee.io 17 | consoleIngress: 18 | enabled: true 19 | hosts: 20 | - minio-console.devoxx.insee.io 21 | tls: 22 | - hosts: 23 | - minio-console.devoxx.insee.io 24 | oidc: 25 | enabled: true 26 | configUrl: "https://auth.devoxx.insee.io/auth/realms/datalab/.well-known/openid-configuration" 27 | clientId: "minio" 28 | clientSecret: "" 29 | claimName: "policy" 30 | scopes: "openid,profile,email" 31 | redirectUri: "https://minio-console.devoxx.insee.io/oauth_callback" 32 | policies: 33 | - name: stsonly 34 | statements: 35 | - resources: 36 | - "arn:aws:s3:::oidc-${jwt:preferred_username}" 37 | - "arn:aws:s3:::oidc-${jwt:preferred_username}/*" 38 | actions: 39 | - "s3:*" 40 | 
-------------------------------------------------------------------------------- /manifests/onyxia-brut/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/onyxia-brut/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: onyxia-brut 3 | version: 1.0.0 4 | dependencies: 5 | - name: onyxia 6 | version: 3.8.3 7 | repository: https://inseefrlab.github.io/helm-charts -------------------------------------------------------------------------------- /manifests/onyxia-brut/values.yaml: -------------------------------------------------------------------------------- 1 | onyxia: 2 | ingress: 3 | enabled: true 4 | hosts: 5 | - host: datalab.devoxx.insee.io 6 | tls: 7 | - hosts: 8 | - datalab.devoxx.insee.io 9 | -------------------------------------------------------------------------------- /manifests/onyxia-oidc/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/onyxia-oidc/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: onyxia-brut 3 | version: 1.0.0 4 | dependencies: 5 | - name: onyxia 6 | version: 3.8.3 7 | repository: https://inseefrlab.github.io/helm-charts -------------------------------------------------------------------------------- /manifests/onyxia-oidc/values.yaml: -------------------------------------------------------------------------------- 1 | onyxia: 2 | ingress: 3 | enabled: true 4 | hosts: 5 | - host: datalab.devoxx.insee.io 6 | tls: 7 | - hosts: 8 | - datalab.devoxx.insee.io 9 | serviceAccount: 10 | clusterAdmin: true 11 | ui: 12 | env: 13 | KEYCLOAK_REALM: datalab 14 | KEYCLOAK_URL: 
https://auth.devoxx.insee.io/auth 15 | api: 16 | env: 17 | authentication.mode: openidconnect 18 | keycloak.realm: datalab 19 | keycloak.auth-server-url: https://auth.devoxx.insee.io/auth 20 | regions: 21 | [ 22 | { 23 | "id": "demo", 24 | "name": "Demo", 25 | "description": "This is a demo region, feel free to try Onyxia !", 26 | "services": 27 | { 28 | "type": "KUBERNETES", 29 | "singleNamespace": false, 30 | "namespacePrefix": "user-", 31 | "usernamePrefix": "oidc-", 32 | "groupNamespacePrefix": "projet-", 33 | "groupPrefix": "oidc-", 34 | "authenticationMode": "admin", 35 | "expose": { "domain": "devoxx.insee.io" }, 36 | "monitoring": { "URLPattern": "todo" }, 37 | "cloudshell": 38 | { 39 | "catalogId": "inseefrlab-helm-charts-datascience", 40 | "packageName": "cloudshell", 41 | }, 42 | "initScript": "https://inseefrlab.github.io/onyxia/onyxia-init.sh", 43 | }, 44 | "data": 45 | { "S3": { "URL": "todo", "monitoring": { "URLPattern": "todo" } } }, 46 | "auth": { "type": "openidconnect" }, 47 | "location": 48 | { "lat": 48.8164, "long": 2.3174, "name": "Montrouge (France)" }, 49 | }, 50 | ] 51 | -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio-vault/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio-vault/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: onyxia-brut 3 | version: 1.0.0 4 | dependencies: 5 | - name: onyxia 6 | version: 3.8.3 7 | repository: https://inseefrlab.github.io/helm-charts -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio-vault/values.yaml: -------------------------------------------------------------------------------- 1 | onyxia: 2 | ingress: 3 | enabled: true 4 | hosts: 5 | - 
host: datalab.devoxx.insee.io 6 | tls: 7 | - hosts: 8 | - datalab.devoxx.insee.io 9 | serviceAccount: 10 | clusterAdmin: true 11 | ui: 12 | env: 13 | KEYCLOAK_REALM: datalab 14 | KEYCLOAK_URL: https://auth.devoxx.insee.io/auth 15 | api: 16 | env: 17 | authentication.mode: openidconnect 18 | keycloak.realm: datalab 19 | keycloak.auth-server-url: https://auth.devoxx.insee.io/auth 20 | regions: 21 | [ 22 | { 23 | "id": "demo", 24 | "name": "Demo", 25 | "description": "This is a demo region, feel free to try Onyxia !", 26 | "services": 27 | { 28 | "type": "KUBERNETES", 29 | "singleNamespace": false, 30 | "namespacePrefix": "user-", 31 | "usernamePrefix": "oidc-", 32 | "groupNamespacePrefix": "projet-", 33 | "groupPrefix": "oidc-", 34 | "authenticationMode": "admin", 35 | "expose": { "domain": "devoxx.insee.io" }, 36 | "monitoring": { "URLPattern": "todo" }, 37 | "cloudshell": 38 | { 39 | "catalogId": "inseefrlab-helm-charts-datascience", 40 | "packageName": "cloudshell", 41 | }, 42 | "initScript": "https://inseefrlab.github.io/onyxia/onyxia-init.sh", 43 | }, 44 | "data": 45 | { 46 | "S3": 47 | { 48 | "type": "minio", 49 | "URL": "https://minio.devoxx.insee.io", 50 | "region": "us-east-1", 51 | "bucketPrefix": "oidc-", 52 | "groupBucketPrefix": "projet-", 53 | "bucketClaim": "preferred_username", 54 | "defaultDurationSeconds": 86400, 55 | "keycloakParams": 56 | { 57 | "URL": "https://auth.devoxx.insee.io/auth", 58 | "realm": "datalab", 59 | "clientId": "onyxia-minio", 60 | }, 61 | "acceptBucketCreation": true, 62 | "monitoring": { "URLPattern": "todo" }, 63 | }, 64 | }, 65 | "vault": 66 | { 67 | "URL": "https://vault.devoxx.insee.io", 68 | "kvEngine": "onyxia-kv", 69 | "role": "onyxia-user", 70 | }, 71 | "auth": { "type": "openidconnect" }, 72 | "location": 73 | { "lat": 48.8164, "long": 2.3174, "name": "Montrouge (France)" }, 74 | }, 75 | ] 76 | -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio/.gitignore: 
-------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: onyxia-brut 3 | version: 1.0.0 4 | dependencies: 5 | - name: onyxia 6 | version: 3.8.3 7 | repository: https://inseefrlab.github.io/helm-charts -------------------------------------------------------------------------------- /manifests/onyxia-s3-minio/values.yaml: -------------------------------------------------------------------------------- 1 | onyxia: 2 | ingress: 3 | enabled: true 4 | hosts: 5 | - host: datalab.devoxx.insee.io 6 | tls: 7 | - hosts: 8 | - datalab.devoxx.insee.io 9 | serviceAccount: 10 | clusterAdmin: true 11 | ui: 12 | env: 13 | KEYCLOAK_REALM: datalab 14 | KEYCLOAK_URL: https://auth.devoxx.insee.io/auth 15 | api: 16 | env: 17 | authentication.mode: openidconnect 18 | keycloak.realm: datalab 19 | keycloak.auth-server-url: https://auth.devoxx.insee.io/auth 20 | regions: 21 | [ 22 | { 23 | "id": "demo", 24 | "name": "Demo", 25 | "description": "This is a demo region, feel free to try Onyxia !", 26 | "services": 27 | { 28 | "type": "KUBERNETES", 29 | "singleNamespace": false, 30 | "namespacePrefix": "user-", 31 | "usernamePrefix": "oidc-", 32 | "groupNamespacePrefix": "projet-", 33 | "groupPrefix": "oidc-", 34 | "authenticationMode": "admin", 35 | "expose": { "domain": "devoxx.insee.io" }, 36 | "monitoring": { "URLPattern": "todo" }, 37 | "cloudshell": 38 | { 39 | "catalogId": "inseefrlab-helm-charts-datascience", 40 | "packageName": "cloudshell", 41 | }, 42 | "initScript": "https://inseefrlab.github.io/onyxia/onyxia-init.sh", 43 | }, 44 | "data": 45 | { 46 | "S3": 47 | { 48 | "type": "minio", 49 | "URL": "https://minio.devoxx.insee.io", 50 | "region": "us-east-1", 51 | "bucketPrefix": "oidc-", 52 | 
"groupBucketPrefix": "projet-", 53 | "bucketClaim": "preferred_username", 54 | "defaultDurationSeconds": 86400, 55 | "keycloakParams": 56 | { 57 | "URL": "https://auth.devoxx.insee.io/auth", 58 | "realm": "datalab", 59 | "clientId": "onyxia-minio", 60 | }, 61 | "acceptBucketCreation": true, 62 | "monitoring": { "URLPattern": "todo" }, 63 | }, 64 | }, 65 | "auth": { "type": "openidconnect" }, 66 | "location": 67 | { "lat": 48.8164, "long": 2.3174, "name": "Montrouge (France)" }, 68 | }, 69 | ] 70 | -------------------------------------------------------------------------------- /manifests/vault/.gitignore: -------------------------------------------------------------------------------- 1 | charts 2 | Chart.lock -------------------------------------------------------------------------------- /manifests/vault/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: vault 3 | version: 1.0.0 4 | dependencies: 5 | - name: vault 6 | version: 0.24.0 7 | repository: https://helm.releases.hashicorp.com -------------------------------------------------------------------------------- /manifests/vault/values.yaml: -------------------------------------------------------------------------------- 1 | vault: 2 | server: 3 | dev: 4 | enabled: true 5 | # Set VAULT_DEV_ROOT_TOKEN_ID value 6 | devRootToken: "root" 7 | ingress: 8 | enabled: true 9 | hosts: 10 | - host: vault.devoxx.insee.io 11 | tls: 12 | - hosts: 13 | - vault.devoxx.insee.io 14 | --------------------------------------------------------------------------------