jhub: configure rucio extension #68

vre-hub · Mar 22, 2023 · 37e59c3 · 37e59c3
1 parent 57c7ab6
commit 37e59c3
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/iac/cluster/tf/jhub/config.yaml b/iac/cluster/tf/jhub/config.yaml
@@ -58,8 +58,51 @@ proxy:
     #   contactEmail: eosc.future@cern.ch
 
 singleuser:
+  defaultUrl: "/lab"
+  cmd:
+    - /bin/bash
+    - /usr/local/bin/datalake-config/configure-datalake.sh
+    - configure.sh
+    - jupyterhub-singleuser
+  image:
+    name: gitlab-registry.cern.ch/escape-wp2/docker-images/datalake-singleuser
+    tag: "cc7a62a9"
+    pullPolicy: Always
+  extraTolerations:
+    - key: jupyter-role
+      operator: Equal
+      value: singleuser
+      effect: NoSchedule
+  extraEnv:
+    EOS_OAUTH_ID: "eos-eulake"
+    RUCIO_OAUTH_ID: "rucio"
+    RUCIO_MODE: "replica"
+    RUCIO_DESTINATION_RSE: "EULAKE-1"
+    RUCIO_RSE_MOUNT_PATH: "/eos/eulake_1"
+    RUCIO_PATH_BEGINS_AT: "5"
+    RUCIO_WILDCARD_ENABLED: "1"
+    RUCIO_REPLICATION_RULE_LIFETIME_DAYS: "7"
+    RUCIO_OIDC_AUTH: "env"
+    RUCIO_OIDC_FILE_NAME: "/tmp/rucio_oauth.token"
+    RUCIO_OIDC_ENV_NAME: "TOKEN"
+    RUCIO_DEFAULT_AUTH_TYPE: "oidc"
+    OAUTH2_TOKEN: "FILE:/tmp/eos_oauth.token"
+    TOKEN: "" # test workaround
   storage:
     type: none
+    extraVolumes:
+      - name: config-script
+        configMap:
+          name: jupyter-config-script
+      - name: eulake-scratch
+        hostPath:
+          path: /var/
+    extraVolumeMounts:
+      - name: config-script
+        mountPath: /usr/local/bin/datalake-config
+      - name: eulake-scratch
+        mountPath: /scratch/dogosein/
+        mountPropagation: HostToContainer
 
 # ingress:
 #   enabled: true # can be an alternative for LBaaS in combination with proxy.service.type: ClusterIP

diff --git a/iac/cluster/tf/jhub/jupyter-config-script.yaml b/iac/cluster/tf/jhub/jupyter-config-script.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: jupyter-config-script
+  namespace: jhub
+data:
+  configure-datalake.sh: |
+    #!/bin/bash
+    set -e
+
+    if [[ $ACCESS_TOKEN != "" ]]; then
+        EOS_OAUTH_ID="${EOS_OAUTH_ID:-eos-eulake}"
+        RUCIO_OAUTH_ID="${RUCIO_OAUTH_ID:-rucio}"
+        echo "c.SwanOauthRenew.files = [
+            ('/tmp/oauth.token', 'access_token', '{token}'),
+            ('/tmp/rucio_oauth.token', 'exchanged_tokens/$RUCIO_OAUTH_ID', '{token}'),
+            ('/tmp/eos_oauth.token', 'exchanged_tokens/$EOS_OAUTH_ID', 'oauth2:{token}:$OAUTH_INSPECTION_ENDPOINT')
+        ]" >> /etc/jupyter/jupyter_notebook_config.py
+        
+        touch /tmp/oauth.token && chmod 600 /tmp/oauth.token && chown -R $NB_UID /tmp/oauth.token
+        touch /tmp/rucio_oauth.token && chmod 600 /tmp/rucio_oauth.token && chown -R $NB_UID /tmp/rucio_oauth.token
+        printf "oauth2:$EOS_OAUTH_TOKEN:$OAUTH_INSPECTION_ENDPOINT" > /tmp/eos_oauth.token && chmod 600 /tmp/eos_oauth.token && chown -R $NB_UID /tmp/eos_oauth.token
+        
+        mkdir -p /opt/rucio/etc
+        
+        echo "[client]
+    rucio_host = $RUCIO_BASE_URL
+    auth_host = $RUCIO_AUTH_URL
+    ca_cert = $RUCIO_CA_CERT
+    account = $JUPYTERHUB_USER
+    vo = $RUCIO_VO
+    auth_type = oidc
+    auth_token_file_path = $RUCIO_OIDC_FILE_NAME
+    " > /opt/rucio/etc/rucio.cfg
+    fi
+
+    mkdir -p /scratch/$JUPYTERHUB_USER
+    touch /scratch/$JUPYTERHUB_USER || true
+
+    exec env SCRATCH=/scratch/$JUPYTERHUB_USER PATH=$PATH:/usr/local/bin/datalakectl-scripts "$@"