From ff2a59b1da234204699fc7b9438c9773a0600df4 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 15:12:44 -0800 Subject: [PATCH 01/25] Add a 2i2c federation member on Hetzner https://2i2c.mybinder.org/ is up now! https://github.com/2i2c-org/2i2c-org.github.io/pull/356/files#diff-7244b57e647732dd6a8f006bdf63943e1dcb813fa1a085073522ccf40e2cdfc6 has more context - that's also an announcement blog post. It came together quickly. This is a single node k3s cluster running on Hetzner. It's not as large as we'd like it to be - which is CCX63 on https://www.hetzner.com/cloud. That's 48 vCPUs and 192GB of RAM. And with k3s, we can override the number of pods on a node. Given the current guarantee of 450M, we can put approximately 400 pods on this one node! That runs out to less than $1 / month per user capacity which is pretty good. Still need to figure out: 1. Access for everyone else on the team 2. Resize the server to be big, and set up k3s again there from scratch + document (I simply followed the quickstart with traefik disabled) 3. Test prometheus and grafana 4. Add 2i2c to list of supporters Am excited to try this out and see how it goes. Thanks to @choldgraf, @colliand, @jmunroe and others at 2i2c for supporting me through this. --- config/hetzner-2i2c.yaml | 118 +++++++++++++++++++++++++++++++ deploy.py | 22 +++--- secrets/config/hetzner-2i2c.yaml | Bin 0 -> 3320 bytes secrets/hetzner-2i2c.yml | Bin 0 -> 9687 bytes 4 files changed, 130 insertions(+), 10 deletions(-) create mode 100644 config/hetzner-2i2c.yaml create mode 100644 secrets/config/hetzner-2i2c.yaml create mode 100644 secrets/hetzner-2i2c.yml diff --git a/config/hetzner-2i2c.yaml b/config/hetzner-2i2c.yaml new file mode 100644 index 000000000..9da691eb0 --- /dev/null +++ b/config/hetzner-2i2c.yaml @@ -0,0 +1,118 @@ +projectName: hetzner-2i2c + +cryptnono: + detectors: + monero: + enabled: false + +binderhub: + config: + BinderHub: + hub_url: https://hub.2i2c.mybinder.org + badge_base_url: https://mybinder.org + sticky_builds: true + image_prefix: quay.io/mybinder-hetzner-2i2c/image- + # build_docker_host: /var/run/dind/docker.sock + # TODO: we should have CPU requests, too + # use this to limit the number of builds per node + # complicated: dind memory request + KubernetesBuildExecutor.memory_request * builds_per_node ~= node memory + KubernetesBuildExecutor: + memory_request: "2G" + docker_host: /var/run/dind/docker.sock + + LaunchQuota: + total_quota: 300 + + # DockerRegistry: + # token_url: "https://2lmrrh8f.gra7.container-registry.ovh.net/service/token?service=harbor-registry" + + replicas: 1 + + extraVolumes: + - name: secrets + secret: + secretName: events-archiver-secrets + extraVolumeMounts: + - name: secrets + mountPath: /secrets + readOnly: true + extraEnv: + GOOGLE_APPLICATION_CREDENTIALS: /secrets/service-account.json + + dind: {} + + ingress: + hosts: + - 2i2c.mybinder.org + + jupyterhub: + # proxy: + # chp: + # resources: + # requests: + # cpu: "1" + # limits: + # cpu: "1" + ingress: + hosts: + - hub.2i2c.mybinder.org + tls: + - secretName: kubelego-tls-hub + hosts: + - hub.2i2c.mybinder.org + + imageCleaner: + # Use 40GB as upper limit, size is given in bytes + imageGCThresholdHigh: 40e9 + imageGCThresholdLow: 30e9 + imageGCThresholdType: "absolute" + +grafana: + ingress: + hosts: + - grafana.2i2c.mybinder.org + tls: + - hosts: + - grafana.2i2c.mybinder.org + secretName: kubelego-tls-grafana + datasources: + datasources.yaml: + apiVersion: 1 + datasources: + - name: prometheus + orgId: 1 + type: prometheus + url: https://prometheus.2i2c.mybinder.org + access: direct + isDefault: true + editable: false + # persistence: + # storageClassName: csi-cinder-high-speed + +prometheus: + server: + persistentVolume: + size: 50Gi + retention: 30d + ingress: + hosts: + - prometheus.2i2c.mybinder.org + tls: + - hosts: + - prometheus.2i2c.mybinder.org + secretName: kubelego-tls-prometheus + +ingress-nginx: + controller: + replicas: 1 + scope: + enabled: true + service: + loadBalancerIP: 138.199.149.127 + +static: + ingress: + hosts: + - static.2i2c.mybinder.org + tls: + secretName: kubelego-tls-static diff --git a/deploy.py b/deploy.py index 889e68877..8f8a10f80 100755 --- a/deploy.py +++ b/deploy.py @@ -30,6 +30,9 @@ "prod": "us-central1", } +# Projects using raw KUBECONFIG files +KUBECONFIG_CLUSTERS = {"ovh2", "hetzner-2i2c"} + # Mapping of config name to cluster name for AWS EKS deployments AWS_DEPLOYMENTS = {"curvenote": "binderhub"} @@ -100,17 +103,15 @@ def setup_auth_azure(cluster, dry_run=False): print(stdout) -def setup_auth_ovh(release, cluster, dry_run=False): +def setup_auth_kubeconfig(release, cluster, dry_run=False): """ - Set up authentication with 'ovh' K8S from the ovh-kubeconfig.yml + Setup authentication with a pure kubeconfig file """ - print(f"Setup the OVH authentication for namespace {release}") + print(f"Setup authentication for namespace {release} with kubeconfig") - ovh_kubeconfig = os.path.join(ABSOLUTE_HERE, "secrets", f"{release}-kubeconfig.yml") - os.environ["KUBECONFIG"] = ovh_kubeconfig - print(f"Current KUBECONFIG='{ovh_kubeconfig}'") - stdout = check_output(["kubectl", "config", "use-context", cluster], dry_run) - print(stdout) + kubeconfig = os.path.join(ABSOLUTE_HERE, "secrets", f"{release}-kubeconfig.yml") + os.environ["KUBECONFIG"] = kubeconfig + print(f"Current KUBECONFIG='{kubeconfig}'") def setup_auth_gcloud(release, cluster=None, dry_run=False): @@ -442,6 +443,7 @@ def main(): "ovh", "ovh2", "curvenote", + "hetzner-2i2c" ], ) argparser.add_argument( @@ -511,8 +513,8 @@ def main(): # script is running on CI, proceed with auth and helm setup if args.stage in ("all", "auth"): - if cluster.startswith("ovh"): - setup_auth_ovh(args.release, cluster, args.dry_run) + if cluster in KUBECONFIG_CLUSTERS: + setup_auth_kubeconfig(args.release, cluster, args.dry_run) patch_coredns(args.dry_run, args.diff) elif cluster in AZURE_RGs: setup_auth_azure(cluster, args.dry_run) diff --git a/secrets/config/hetzner-2i2c.yaml b/secrets/config/hetzner-2i2c.yaml new file mode 100644 index 0000000000000000000000000000000000000000..25c5a39cfd585691bcf30f3a782af4889e4b2469 GIT binary patch literal 3320 zcmV)m=#+yGMo z_UTX1pqU#ANE>o5c_(Tv$=|wGU2)(PnM?IFX{KoF?!%6E5+ar)ft+R>Psh9GhFzN4 zUH9k~VS8DRi1YfBtx^Yeq+*hoSe~OY9q1P+)+~U(OZy6<=cQN~gRr8WKGcHBMVL;* zJvK{UVz3>fUPU`7Q}<0Zy*xMa5l7KV7~0htNfBmQm$0uqwJ`aWsF+Itv!p>bM6+$P zlM`Ys9_B^O30NqY<@u{P?7Y;M&Ep*Pz5Fa(gib;d&&cBW7hd0FHwapKnCgAAZ?Ugq zCyNw*r<}!zR3s+=L7A7KcQA08V_W=q3)?CUTtQm~W@V8PCyn9leaFDW2^;?1O4%itDymbL}BX2kuCT#hH>*3STCSx z`Z&~^`$?|<+XF>f*^>N0>HOWW^c!-fmar5<%W-LKtDo}(ID(ekZZW^gM+~gXeTnr? zMVo(+iefw!t*kX@CoqhZ#iJDjo^39qj`jd62xW$7#wa|F1p+bnBG zl`20ae`2914x&S27T(WXRM(@anRS!82c;+OX;#pKx+hdriWSc;J=*{oh@1-lF1Mss z(r)?5t^Pmxf|(-gm*(s7xD-%ddkqS+ZInJ59!!?#FC&}F0v2v-oFtSUd6+ClRets; zKq@4`?uJY06YuJ)9^~UqKQ0or&g0u)J(Eae_1vX#fZ9NJ*8^fl3?tj z%=_+NC^nGjV4k^yL*c~PuCVJfY#HyfRHTo#lJd|U_xnhSPaPJkf*s+s=Mwd=k3OMO zDTA={)gva}TxmIVE+h{WDd}a^M<@{T}~z5Mb--06hUJFM$S-JruhAk;;GnD8ResBhIp9Ph6$zgksF z9`sYFihFuZ9Vl+K`$hnQq@q^;L|Rq}r{IDxC~_u#=JbdKmY&%Y;KO3j6)ZnW=pvXG zp$7%nyWaq;R=8$fO4I=4|iMJ=IXWGE9maw1(wEda zm-?B$3KT5umK_n2L`{AkK^Z*#vZL7qD9|AvAB;99ua%yksz2J_2%sKBPIuS`G3JiL<-ih?n-6t!<(qvm zjb(-;=yuWL!FH*26W`vrOjHxSt(`MiLE-ymFYqh0(D1-*#nolV4r!>%Myk`!=>v4h z46K`?(X@zb2-Y@13z+utN=xstKqwLBx`1T1rsp&Pkrb955sgX_U>k zQC=&%8HU#gnQ4{)0x`&Vftkf{A5CiHFBZR`%zE$V2}C@)Fd&^w0o$>i)|YQH8&K*9 zt;JpO?29cDJ$`W#BaO{Zny(T@t7J~W+D${pw+!XKfh=chXvRi;s&pazE%kDZ9r|AH z2sb3SOw`WujfJ<5n~0txUp;Qf-5Mv)m;yIfeXZKI<(PFlpBYjs^n=5zuG)8lxwShKV!2 zagcO~p~oM89BN7qZ9`lTv^=g+z7lFSxsLf>1xY?%Xcxc~DjEU}*B%&Ke*|Z}__;GH z)lwQRng`N(<~p=iJ?BR#3R#VI7IBUIu7=z|XWFg%Rg+WAA}U21tkCS(&?ADXUX zm6`*%c%fw}ZLG*eDrMVbR>KF=tv^TZsc7?mGgp9G@}CUVKghe!lgdeDj&k*)A_|Tn zx9v5{>~Zyl-fBF6DTA=$0hM}t%hUDo2jujH27aY_*avLgJfyHmh%YSmxTp(w-<0r* z#{r1-gt%cjd`;l($84TlyEUQsPNThA{Kjw4qP}X{q^7lO`O{GKn!g@>!e%CPCtMOI z{HfqDUUyIKJx`pwyRIpelIZ{L&d2N zUu&%arpOFNJKfjnF$|3}fN4{P-)!s@{OmIe*BEdsawRt@ay5Hul?#9_gBjzIqv{l_TW+%*k`JobId=W68mLcdqfjT@D2bbVy7kYn-O zvUw!SO~~Sa<^!;u%+PYPq@udsv(+262a-#dm%ptH{w&>NP}ft@-Z_`5Opizb(i?xM zWpIAPoFC$X#UeaqHoZH1H#?fObz%RdTCn@V1mWU#y)fdomA;fmSeC?LN(oWZQ?PT> z4m$35s#V&en4$avXdp^+?<3_Kl=>t61myEI{4l=U;Wa{~sXG>i)3NO90Y81;lX8m3 z*i)X>rT2?o9EMO!HL)KR&E@hs{5{~ZL)z^(arvY*FjP$-^hD|UaX9y39SfRDyZ}_B z9-SifkClMyWdK31eBExHzkSiUFpHl%4?M3RgGtwUkEceex% z9e=~|>gQ{1q4O2Po&zoR5>tvaC^IVlvoyJETn@J)DoJcVGxRaI&W8Eid6o|JXvDoo zSI)XfIo30?^JWFNyL)I8^eo9*%OPqW+8%^i+NHorLAlY$WiFhj0GV9c;w7gR*7`2C zJO#6FvGaT3a1X$wLWNc&tJ<99Ucc77O#PB)bcX^6eV<23 zR%C=0z;REjepxO9R*?Ke;%L^cKAp~CohG|#ZE}B2CXb(;%rCBUZcOd(&U!i~< zD&nu~4o3hg2_PT3&c1jHg$Z@%`(KJ}yk0G){rI39N=YitAh4QiqnzZ`4lra1M Cg>wi1 literal 0 HcmV?d00001 diff --git a/secrets/hetzner-2i2c.yml b/secrets/hetzner-2i2c.yml new file mode 100644 index 0000000000000000000000000000000000000000..432e38bd9ac18cccdca9f98e05cdbcf1d69684d5 GIT binary patch literal 9687 zcmV;|B`DeeM@dveQdv+`0BCP;YlWFX5_a#3A9-*i3BHP`lpU?ZiS{~m6y!=AGApWV zKc(-Z6%&hXjN^++*>X^oD}9u`X*DPa;`@nS`>?APT^~9& zbWiz#kU2y=9&ol2%njXW$brXj8WI)iIR<)3orjL3I8Ns{lg(Qexn?OXmpwPQo?Fr` z$vOZx-Ze_iSk79J3bLDWh?q6#-*2bqr`z%b*P=s2)t`5usI4&Hxf%mOYD)HA zrAS+N{|MT#SDkLzsEbYhIToVL3RmLT$@xW7RV_GSxKw|Izz1Lc=o{)m3$qB-H?HRv zPBpHA5p}q>15N3!4+{wR@cO)~?Ls++*~EgN>jk=QW7DV9F1kApL(VG>=!+AWMVVG{ zhaL~X8~K$)yK%2A;19~awG;fq*k(R{u(Y>W}rTQnP+NEoL?23=2k z>h-9o?(DAm|MY-G7M!b@YCVv zj$JC5>vEA6z>QiM5RXosO1;ohao{A8W3OB!`~K&X>g9{%~3@(XO9ogvS*tiEz(%A1m8R*E-yO5j=#YI9er zSqqBf*j^@vHaRHCbd{{i@&=)C;Xi?iJ17H6`2#3h8LiZE~aYe|-d=5f2OI#50YqED8X> z&xLAn9j^cx4oI&N*gmiCb6gQn{#mNDI{3WR(GheQwfT9&<|ax2gynlH>?2UdOcMsn zGyxWW;oMmuc|CpQGEI%Q`T!$U*x?(I=}r`O5yk&JsK2qRhF2 z-6p0(fyG55Chgu3AltTQth%v$JBU!BqkJpyPJtCD_+*e%#yKcQN}P2#IsHOwO#|d% z<KMl*80(onAuInJb*u ztyhE+sm!CcO>nqeKbOk2Jnt14`wetQ!xo&-e&IdJoA4Z zy5bjT2k8(m?!Hc2-iso?dF8_sJP>ftpC$&NGP&5*e8s)K%(2LsNkg)Vck?vbPDjWX z=f}7MMIcYR7p0_T`T|d~PyI-W!ZOx4fAwJ08xRfCB$9_#3e!K3$+WSq_c8RjzTJ80 z?^^Cq-4GZx>K6F1%oXDOEd*2sLPD{rdz#~77c-Wtxxyv2gG^IP?=V@U{alrY%8^H+ znyUj(8gX(W!7oqW*II#BKw9lztn~Ij_9sa`>Ky1LwRx1JDX@4VJU9B*U7>V(#5i7; zD}Wc^=L&W<;oY&9yke)avdFOveBJ?KpT6mTW@V<-tiKK)o1(n@eX{*g)4R)KidWN4 z6=qYkF;YeJgPK2R`4EhMHz8yCsui8X%MNXZv~R~tZoGv6W0;uO+C9~T377G8R(k_^|L@vjeZ>9u| z$h4$}`ilrp0$-RpSq`!*KQd$e32;H0#a-|LlvTd(-fjWBG(FrTXzJVkOeS;L z-`_KYv!9(U;1v|}M}mp^D9M~14fQiH#ZE*VtjBP2=`)F~&^=gUkj9rSPO=#`1BsL< z>Rxsmp}rvt*}Ew|D;*U|6uU7?I$LuK=m3A`)fpbqZ4)?Na`sau3O7j^3>;^Cb%u;= zxNfN`z@J?ar895304WNR#fY)!^6r2YdD%A=i9$mxE?c$0tx|!>5QE_LuLy({p!XsO zbw2Z6n*Q?u77u?2fB$ctV$|SX8)VLjo?m!O6oAkA?FCzXcmZCemc(+ zAEavZ(#2eVR8n0|7@<2yfv|FCF}3?kO3dX_F$ZLI$8moBfj%d7$PKDdSZ`T{ zzjv|uoDv4CAbT~H?zTnUPrwzsTxN`XWP8exmpXkBRXs0$h7f6%YDCUa)aE4%VkM$I z!0pRZ{e_DfJ>zTV;DKc21G#O1wQECVKBhWaJ7=7!(@;iSfb2Kx490q<`(~HpVe=Y>{d8oUvGdC>m)R z)25+kUMo~5C!^h;w&v5w0Lm{n$k$^P^(5l7Rr>U9I*7;Fg~A@b7O<~Lb>-*x7}S0S?$}wU11;d{#)!3!+0E_V%>4Wt-l9Y zYgSf-l-sWNaLVk2hnH|Ga(z@2s8sf-axniC<7EU{l=RfHDhj}npq_r)5N@lmr4xyV zxobiwQ**L9RS}mbT63W)rSe)=m+3^F1it4nSGT3hr1%W1KPs6@(#%XS$^SB+nh3%> zJ|lynn=KDFkif-N4QkqTH=Tex>U+gor0wE{gD|}k8N?RopGeX!!Z}}fcR|nFm(tSI z33@8|jbOLRl(#8~+}V$p*STdRP(Wob&kYS{+A%#rx*i7qgY7gbV4Q5V3NKIHRD4PM z7p89YBJj#j>|4Kc*)6Ars3HSTjhdF@IDC!e%RNTzcYj(l66c1EQa=LPtZAeEJs2_V zlxQtK+5RmVN+_(smz_j}9ND6n#vvaLd)KQ&f#a5G-!|tRxQuRiw*5vK7Cv!d zdCE`O=xzuV25#0s^9fg4^uM(dd=3D2b31aoqGkxm8&fdM(G4`#g@+(^r$T?(863Rp zjR&8zjYO?hZZb3MWSOf1jWTv!ifWdNObBq*`nn&G*%{M}oj&uSSX8~=2gt|>qmWN0 zyl{nF{RAaS+e+{+@9*^Kz4S7JG%V|NjIf-KNgPvzl8!GWRT|Ing;s!6A;&)NfmxY@ zyObHb{EL9F>fQU2SjB5}5jl>_wWQo(T)mZmHJq#Ty@nIF!h)NoCP^ zarqZjxCJq@xxwD3Q#X(L!=&K-hLm-zubo26G$h1>@#$({hjb>D12%N7isuVdYyrS< zAFOe4tdsfyI4qJeJR^4JX@Fpa<|14PzM=EWcU@$MyrY`Phh5_#J@5!TH+Y-iLx zM(+%Ahxc_}+dA_$ZgGBx>^c&BJTyaZ{M}354-y@Ce zDGk1;ktE|k2n5OF@5DR`U<_7ADg>)f{3=*1J+0n4e9}i}n{b3wT8`I6nY(d=d8l>0 z{Iho}D#(ZhwE3hMjUlfb-Wf;B`5fQpN%fP{{Ja6uMu@53ae26pKtR@puGsFbw>-Hm)09UfnyJGnH&~lqzYrksb>FxO#Lid8tKfx6T6}NFDegRRE z-a;awRgNtDx&NDbWRW5k%&Alb02E6O3IyMKT=frk(}1TiQkR=1pDo&Od4+N`p3#Qx z-R8&~fGHcI6UwAyIo1MOs!OK+F5x?PE#Pf!7tg9LcMaS4$!f}jmkEQAH2-k(X~F&o z3aM*KNHbHzQN#k``Mt$ZCz|R)B%>@eczr{_#ewzxE^CL#b8%0Z+>CGSd#|FJlKWrv zo2FBT8?Kh>UIl{n`9GO_3`Dz$mPg7I8h$|f*C$iS(wEqc{w8eAuJaWU*{6Ed%S%3f z$|R?JBQ!l!Y`t#Jk$E~;%JQ`X=m4<#ToVRS6{L1pHLFCsd~aB`)VN{OX#D$qcVBtE z8DB#&m6Me|d4MYf`L^XvoHYsew^)T+XiF%g1|kPtKA8j|fn}&2A(+XV=4$oGM0cyr2$jFhG)k%xEDL2Y@BNfx6saNtijNYL$ zbN0NaTvakLVgX{R7*u2yd|!P)k{MBQ!&-jhUM^MF2)0kG0(>p*wV5hEcfq83wZ(8A z(;mX6HbWNid4fRN>#D55b8C-)s~J3wD!eO86^Q`!*9OG?l>}ioEIu9M-4W2#{d(>R z5B!!cCSo9O-M-2rTR99NCKWO(7vR#dZwE<}f7Asw_F&F5HdU;JT)IPc<3V>^3Pb!+ zi{1wD9-^{tL&PF5%Hce*om5{$rk~ubffKf=FuQZ8BlT@86(qy4<0d~4gkCn z*s3&k8{Z^>dWX_doghx~N2Q#jwB}Kus|?=aBQ9Ovx{*Q8Bsw2S3ucSvZ^XkQzczTY z`i~w(Bt@~AnwDFkG`>?CMK%VruynhWm65PV*_g1ZyK_;J*;VBjy_O9DdZm%Ue63S< zR$4fhHd~(bw@;-LDGQ(KpuPcO%}t)yiH;jg8g33!wstl31ZH{rCcG&eeKL z6qEeBV@;lFHC6vDo+WabPleF)wcYtp%O3UcwP@6v!_?Ii#?r<_*a{|&{Ux8X9cNgY zWdg(?`dd5>p|2M7ueL`vjk8L#k2>?)1ifGl&Bh=Qtk(@x@Rd@DC6W&0HK&&MEB56W{4Q-vUjtV|Ov+JMG z*ntE;xdBvfAf+rK1Vlt+c7%M$>OTTWPc=l90EGK#Ro6kNK9flyp)hFd2SM0V| zuOVIOn(6#4p4rXiWgun|L+EqKrB~A{-$lxi%v7Tp1q(VKt=d`Xd|BtMqUBCx5FveU z+&e`QVMPhz9LvE3=X<%F*76hPnZaM%7Bbmykbt?R0rRHG)bwfwKHnsdBP3#oIQu|7 zJ^?w+x|`B&3Xt;|S?^GYEJ4o>-A*pGDh@wjvL~9)t(O1EKx*%4pHdK+()Rk8kh!Uj zwB;^uednpE<2ri~1ms;-*ryj_m-uow>!kmnTVbP-^GPZK@bja9Y@)L*_1-rdjmE&0 z%&_!_NgC_l=X4`7KLp+6#NjC8L&N-gsQgNowtg7>GC6hAC^8N#NI#;W9VfN$HGRBEsqcxJUj*cGPpt;a#rx`{Vq->e+j2d#~PE!033LBvV`MyFi?(b%tLLtX zQrn2EckiC*@SFJ3X zt3;VQU!b`Y4Pa60mAs`35FE*3?-+KS#2i2rbnM^E5QKLHRSmIPRrhdGO6Hbue5~>r zAeF(4SEvfGN?jE_F;bL>E|{|Ezd9O-{KU7YWtM0gabi6GlAQrSATx=e=~&>Zh5A;# zJS0(#CC4U#Cx^hotqYj=W!-zd&cmZF`~C37y%RGP9A_uNalgWDdb5DJez0y5Dyxb) zU?4kWFn~3lvTq#pPW{x&!>Ee`xZg z#A^h3(24eSaQS2Jw@^fb`sd1kKK4chK)y6yHllBERWzG+`me1_X0yPpol>%QH$x7y zJW^1S@-Wh z!(QmPclX@1*)yK0O*$;*TZn&3^gjAus`-*N<%QL!SqCd9&XN7NsNT1zbDxt+16r>P z{`-KHGWmT_WVP3(uvbfVTeT1CVg5bj^x4lIJz+@tJo27GkaDNnNa+xofF5{TtUcv* zL22(1q6Z2qHS;E??`2d|ingE?$v3;hh9ns)A3f-%ejuFX4;M$F)2GnP4)#v{TDa|j zt<4UWJ+XSn5+&}e`&rPVOGXVjI!G(U1erx%0{iFd5gDTaoOKUGJFSBm9 zHjwfee?4Qk!YYXN?|7qlMprRtH6C3B1?pE|cV{E3*81jxM_)LqW!n8wU7dq{k+d-S zOaKTQ>BS2ypZ?*?6%8NRFgegmix7OhhCu~buR>dDiaXqMPHRvhg8t-@1%C}8w<*7( zM=AxwTLiUirVq%N*VbllJKk#SALCRDFS@` z+(DG3(G^>-zkb=mvlMqQ_yrC^^nr(pq_F3b9=Jcvs(atz z9K>tf95wAJl*+x}1R3Rii? zcg%)ABZ6@1O(&jKBVG)GbPKt1mFl!VFT>*N=ijn75d5n6606)>mkjjNU!fo>TRVIb z-@iW$=t__dr5xHuarHFmz4iJ|TBb^RSO5~W07UTv9#3^D*jn~!hq=CLh3jKRMt+c zJ%0@An2us32_Mu>S-u#A&mz@n(nflPnodTj5t9Ka&N1TZI(B=D+F4XzHdOp&W#04&F{a^RT9(wt*UE|e0@v@u^KjmE)v5D zTlIPuw#pgzEN2ezGBwH>Y>s$U7j_)Oyria3i>b`yF_zVUQ23FL5bQ>frnQxUy#ul^ zWF0`WU>_lOGas`&nl?PlJ+mmRUz(d-+cize*hD`^*D^v%j1Y}-!cbYD2#dYgxPO)E zFbBVsA(gX?T5V|J@_-|SP&N{QOc=E5$EDeReIAXUxEXmV-{8)z!PGBqhf^$UUI$8) zn55*u&F%D7Le+2M77;uSBaK@hOEA%nts}UJK(>ViTn9XA#z&OzEh9e7S{))B;%bC&4Y*PYPOyH4zaRIH7jZKgnT(FdTW{7_Yge)B|7Gc;>jU^XcuEE&^v1m@`e zcUliPgJ%*4;Zhjd)6@$c2Q_v8BL=}3%pW)6R?dfqi;wt!kiqEEALHxk6rRKM&8o@& zhAGL-du6hcVnjof2x^Sq#u@>+5<|_PR2MA~0R+2M=&kH6I;!L`W+B)b;(s9zq*fi% zrB!m|DZ|qzcvu-3S&yn2FyW&S%0D{j6O|ZlC?abF{cPyC#6tdv-e`F6&+7$=$nKsl zk&o<54eO69Jw;WnrP90pyFoShJ`$*JZtRfH&y$5w2>oaHN1I9nVJkhQJE+ScIp~9B zh;?z?wa85lVWH;Skyk{j{xZfmk^h7a1R}qb&lWrp19-zs*q{mPOvG%NZadZy9)6I+ z#4Y2rfO!|&@5gaKn|DTu<0{9^?4K-KL!HVe{}MViEW+N)5s1Om&-5l;3#hEm@SgFV zMeM%nmDS+wGf;qRW`xnL%^IZ~ZOv5(8A}8qmMEb(4y7zlAW}`TXHse zglR`MKC0VkmkHcq}vse8xAIxO2;t*xqnVaK&LvYd9c>1X_)=cmgDR)L5K{ z*~YuU6#LEBvdu4-LVZS2sq|}oNWT+Dt!t5S(9yq**$tdk=HBWqTI!_qYI(EXHDim` zr_*q7szOo9;O$wgCM0qy~El+>@ZU{P6Fx0H1ZQZvO@GJWQ>Q6-)Q(hQS^-&e=o&8*BN^9 z$b5CkPA^iQxmH!uPu_i&@tl(5FHwouxsVhkU;+-xstKSD1Rt5y@9GOr0-2ydmYYS) zpZ=ciy%|nSp0rmC9mk#{Rp4)q-E^GegNGeUtn zDfXg4C)oyG_^cczncMm-!+E(o_$5+JPC*_9{H{DNoyS~kOdrFJKmAe1ZVI2EPQJOC zOCM@{lT}}BUhu*&m3Tib#+dJN(uL*uYMTdlObHRig|xwmFa=C^DeS9$c{npwTpdao zQkzO56fnfJZ+UV0_XiDkfL;z3)odfx7BYba+^Wp^FL{>0VA{-uT8<^H-52*V01lsr zj~;JDwf~PAW?$UaLxa2<7R(oQ`iSNII`SCb;>15861)3DEm~4YQ{>y^-ozMG`1?-C zM=}M=^HaXGQhp0l?ciGB`z-35w04oq%mdXuS8YZz7e2-ytX)P{afg$w857^coVR{p z_AmV-Z0vXdpu>D@bc$Z_>1Y7x^wTgMJ_k=F;AqoVzYM8zg@eOC>2FD}O_=$k&v{m5 zRkV163xLW+5Z%V@p(O4xf%0!uLsJ7<-Qmlw`so2zo(+#mqTcR6Y=G|vdfr*X&^aIh z+<7BO%zsN?x+EC|7=Ca+)RgS?(T*H(>kLq%ZCy&3xxvW1i0gnYxqHdYS)Xmzi{i08t0S=rP-5t(XdYWZXzV5| zwb<^H4(fS#D@#t0&BTjB5B16@PeX3qTuSdY)|k$-lHMJhSX#7hlwe!H46FGPN$$7f zli4O5w!B^d{k>4sO_d<_TuEcHyIBVW(axQKIq>CDBKj65;yO&CAC+J6Z_F}jqiM)EB!lZ z3AMG+Zz#o_z>3oqLZqqDZbd+^4W6Hp!HUf4n!@FmFYbBhzuE#`0D6B-^dgTg_Uj){ zSNUy20U=%_nPD}oouM~+YbsQ+@06a z>ZPfzE%-Lxmx4=|7gvK(fE3^O-NC| zdoKg%k4(3%{w;llO#oRcE9J3(GTNCmnm8zrg3%?{&BPwT2M_TE$wiArW`aoD%r7$^ z4SCzUeDa}xwO`#Dw<|6)JP4>DW7 z-|kW97?EPB7F*4CcX$K2ADQZfbCS51|FY~!5jR>kV5A#Fd3P9?>4xeS8Qvtjw525Y zFR`!^()yvHZ{Y${NF#FpTQQ<+inWb4{xoQm?h0$)9<7-O)vK>VZ^k9NieAOz(0^sz ZaIsfTH)5|R2hkL)V(@N0G&awbp91}5t?U2* literal 0 HcmV?d00001 From 2a6581befb5dd426dba63b56e9c0bf55d29c3ee2 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Fri, 17 Jan 2025 23:18:23 +0000 Subject: [PATCH 02/25] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- config/hetzner-2i2c.yaml | 4 ++-- deploy.py | 9 +-------- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/config/hetzner-2i2c.yaml b/config/hetzner-2i2c.yaml index 9da691eb0..2c0b499b9 100644 --- a/config/hetzner-2i2c.yaml +++ b/config/hetzner-2i2c.yaml @@ -24,7 +24,7 @@ binderhub: total_quota: 300 # DockerRegistry: - # token_url: "https://2lmrrh8f.gra7.container-registry.ovh.net/service/token?service=harbor-registry" + # token_url: "https://2lmrrh8f.gra7.container-registry.ovh.net/service/token?service=harbor-registry" replicas: 1 @@ -87,7 +87,7 @@ grafana: isDefault: true editable: false # persistence: - # storageClassName: csi-cinder-high-speed + # storageClassName: csi-cinder-high-speed prometheus: server: diff --git a/deploy.py b/deploy.py index 8f8a10f80..5bbf46bf4 100755 --- a/deploy.py +++ b/deploy.py @@ -437,14 +437,7 @@ def main(): argparser.add_argument( "release", help="Release to deploy", - choices=[ - "staging", - "prod", - "ovh", - "ovh2", - "curvenote", - "hetzner-2i2c" - ], + choices=["staging", "prod", "ovh", "ovh2", "curvenote", "hetzner-2i2c"], ) argparser.add_argument( "--name", From bc9ef714db868c5693a4fae92bb93b5225f6168d Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 15:26:34 -0800 Subject: [PATCH 03/25] Credit 2i2c --- mybinder/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index b5e14e1d7..ebd86dc56 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -152,7 +152,7 @@ binderhub: 🤍 Donate to mybinder.org!
- Thanks to OVH, GESIS Notebooks and Curvenote for supporting us! 🎉 + Thanks to OVH, GESIS Notebooks and 2i2c for supporting us! 🎉
mybinder.org has updated the base image to Ubuntu 22.04! See the upgrade guide for details. From d6ee272e71f5a03eec726e2567b58ecb4c9a9309 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 15:39:13 -0800 Subject: [PATCH 04/25] Add 2i2c to redirector --- config/prod.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/config/prod.yaml b/config/prod.yaml index 807d25744..bdd219054 100644 --- a/config/prod.yaml +++ b/config/prod.yaml @@ -228,10 +228,16 @@ federationRedirect: weight: 0 health: https://gke.mybinder.org/health versions: https://gke.mybinder.org/versions - gesis: + hetzner-2i2c: prime: true - url: https://notebooks.gesis.org/binder + url: https://2i2c.mybinder.org weight: 60 + health: https://2i2c.mybinder.org/health + versions: https://2i2c.mybinder.org/versions + gesis: + prime: false + url: https://notebooks.gesis.org/binder + weight: 40 health: https://notebooks.gesis.org/binder/health versions: https://notebooks.gesis.org/binder/versions ovh2: From 4438b89934ef98c9456f6858630e1789431f339b Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 21:21:26 -0800 Subject: [PATCH 05/25] Setup a local docker registry for faster pushes / pulls --- config/hetzner-2i2c.yaml | 12 ++++- mybinder/templates/registry/configmap.yaml | 13 +++++ mybinder/templates/registry/deployment.yaml | 56 +++++++++++++++++++++ mybinder/templates/registry/ingress.yaml | 35 +++++++++++++ mybinder/templates/registry/pvc.yaml | 17 +++++++ mybinder/templates/registry/secret.yaml | 13 +++++ mybinder/templates/registry/service.yaml | 20 ++++++++ 7 files changed, 165 insertions(+), 1 deletion(-) create mode 100644 mybinder/templates/registry/configmap.yaml create mode 100644 mybinder/templates/registry/deployment.yaml create mode 100644 mybinder/templates/registry/ingress.yaml create mode 100644 mybinder/templates/registry/pvc.yaml create mode 100644 mybinder/templates/registry/secret.yaml create mode 100644 mybinder/templates/registry/service.yaml diff --git a/config/hetzner-2i2c.yaml b/config/hetzner-2i2c.yaml index 2c0b499b9..c393c4c4e 100644 --- a/config/hetzner-2i2c.yaml +++ b/config/hetzner-2i2c.yaml @@ -1,5 +1,14 @@ projectName: hetzner-2i2c +registry: + enabled: true + storage: + filesystem: + storageClassName: "local-path" + ingress: + hosts: + - registry.2i2c.mybinder.org + cryptnono: detectors: monero: @@ -11,7 +20,8 @@ binderhub: hub_url: https://hub.2i2c.mybinder.org badge_base_url: https://mybinder.org sticky_builds: true - image_prefix: quay.io/mybinder-hetzner-2i2c/image- + image_prefix: registry.2i2c.mybinder.org/i- + # image_prefix: quay.io/mybinder-hetzner-2i2c/image- # build_docker_host: /var/run/dind/docker.sock # TODO: we should have CPU requests, too # use this to limit the number of builds per node diff --git a/mybinder/templates/registry/configmap.yaml b/mybinder/templates/registry/configmap.yaml new file mode 100644 index 000000000..e3fae2457 --- /dev/null +++ b/mybinder/templates/registry/configmap.yaml @@ -0,0 +1,13 @@ +{{- if .Values.registry.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: registry-config + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +data: + config.yml: | + {{ .Values.registry.config | toJson }} +{{- end }} diff --git a/mybinder/templates/registry/deployment.yaml b/mybinder/templates/registry/deployment.yaml new file mode 100644 index 000000000..7edd66a30 --- /dev/null +++ b/mybinder/templates/registry/deployment.yaml @@ -0,0 +1,56 @@ +{{- if .Values.registry.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: registry +spec: + replicas: {{ .Values.registry.replicas }} + selector: + matchLabels: + app: registry + release: {{ .Release.Name }} + component: registry + template: + metadata: + annotations: + checksum/registry-config: {{ include (print $.Template.BasePath "/registry/configmap.yaml") . | sha256sum }} + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + component: registry + spec: + automountServiceAccountToken: false + nodeSelector: {{ toJson .Values.registry.nodeSelector }} + volumes: + - name: registry-config + configMap: + name: registry-config + - name: registry-secret + secret: + secretName: registry-secret + - name: registry-storage + persistentVolumeClaim: + claimName: registry + containers: + - name: registry + image: registry:2.8.3 + volumeMounts: + - name: registry-config + mountPath: /etc/distribution/config.yml + subPath: config.yml + - name: registry-storage + mountPath: /var/lib/registry + - name: registry-secret + mountPath: /etc/distribution/auth.htpasswd + subPath: auth.htpasswd + {{- with .Values.registry.resources }} + resources: + {{- . | toYaml | nindent 10 }} + {{- end }} +{{- end }} diff --git a/mybinder/templates/registry/ingress.yaml b/mybinder/templates/registry/ingress.yaml new file mode 100644 index 000000000..0a8746886 --- /dev/null +++ b/mybinder/templates/registry/ingress.yaml @@ -0,0 +1,35 @@ +{{- if .Values.registry.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: registry + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + kubernetes.io/tls-acme: "true" + # things be big yo + nginx.ingress.kubernetes.io/proxy-body-size: 4096m +spec: + ingressClassName: nginx + rules: + {{- range $host := .Values.registry.ingress.hosts }} + - host: {{ $host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: registry + port: + number: 5000 + {{- end }} + tls: + - secretName: tls-registry + hosts: + {{- range $host := .Values.registry.ingress.hosts }} + - {{ $host }} + {{- end }} +{{- end }} diff --git a/mybinder/templates/registry/pvc.yaml b/mybinder/templates/registry/pvc.yaml new file mode 100644 index 000000000..4c82f3f6b --- /dev/null +++ b/mybinder/templates/registry/pvc.yaml @@ -0,0 +1,17 @@ +{{- if .Values.registry.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: registry + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + storageClassName: {{ .Values.registry.storage.filesystem.storageClassName }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.registry.storage.filesystem.size }} +{{- end }} diff --git a/mybinder/templates/registry/secret.yaml b/mybinder/templates/registry/secret.yaml new file mode 100644 index 000000000..b05b8c7c1 --- /dev/null +++ b/mybinder/templates/registry/secret.yaml @@ -0,0 +1,13 @@ +{{- if .Values.registry.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: registry-secret + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +type: Opaque +data: + auth.htpasswd: {{ htpasswd .Values.registry.auth.username .Values.registry.auth.password | b64enc }} +{{- end }} diff --git a/mybinder/templates/registry/service.yaml b/mybinder/templates/registry/service.yaml new file mode 100644 index 000000000..1819bf8f8 --- /dev/null +++ b/mybinder/templates/registry/service.yaml @@ -0,0 +1,20 @@ +{{- if .Values.registry.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: registry + labels: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} +spec: + type: {{ .Values.registry.service.type }} + selector: + app: registry + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + ports: + - name: registry + protocol: TCP + port: 5000 +{{- end }} From 595601e548499074b349e5455942bb9712a5b556 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 21:28:37 -0800 Subject: [PATCH 06/25] Fix network policy labels --- mybinder/templates/netpol.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mybinder/templates/netpol.yaml b/mybinder/templates/netpol.yaml index b2ab2ab92..918350ea3 100644 --- a/mybinder/templates/netpol.yaml +++ b/mybinder/templates/netpol.yaml @@ -73,7 +73,7 @@ spec: to: - podSelector: matchLabels: - app: nginx-ingress - component: controller + app.kubernetes.io/component: controller + app.kubernetes.io/name: ingress-nginx {{- end }} From c30441aa9e65936721f1ff97766865f978cedd53 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 17 Jan 2025 21:28:55 -0800 Subject: [PATCH 07/25] Add missing registry config --- mybinder/values.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index ebd86dc56..804c3bbdb 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -10,6 +10,20 @@ cryptnono: containerdHostPath: /run/containerd/containerd.sock dockerHostPath: /run/dind/docker.sock +registry: + enabled: false + config: + version: 0.1 + auth: + htpasswd: + path: /etc/distribution/auth.htpasswd + service: + type: ClusterIP + storage: + filesystem: + storageClassName: "" + size: 10Gi + imagePullSecrets: tags: {} From 64e478ff16f4918efd6d06a52a29e5dc45ff2c05 Mon Sep 17 00:00:00 2001 From: Yuvi Panda Date: Sat, 18 Jan 2025 09:48:10 -0800 Subject: [PATCH 08/25] Add note about local path provisioner Co-authored-by: Simon Li --- mybinder/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index 804c3bbdb..709356da4 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -22,6 +22,7 @@ registry: storage: filesystem: storageClassName: "" + # Size is currently ignored- using local path provisioner size: 10Gi imagePullSecrets: From 8fb4f33101d351d44f55a5bfd5d6aba09c5b0408 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 09:47:44 -0800 Subject: [PATCH 09/25] Add note about docker registry config --- mybinder/values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index 709356da4..6efefc5c3 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -12,6 +12,8 @@ cryptnono: registry: enabled: false + # Passed through to docker distribution / registry config + # https://distribution.github.io/distribution/about/configuration/ config: version: 0.1 auth: From b97f2543d27504695cab9eae1f8cb919d7b758aa Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 09:56:13 -0800 Subject: [PATCH 10/25] Add registry secrets --- secrets/config/hetzner-2i2c.yaml | Bin 3320 -> 3416 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/config/hetzner-2i2c.yaml b/secrets/config/hetzner-2i2c.yaml index 25c5a39cfd585691bcf30f3a782af4889e4b2469..0962b8386b087145a6c38111e97281ed4a5708e1 100644 GIT binary patch literal 3416 zcmV-e4X5$|M@dveQdv+`0GxwFT82N6P2p*=RoJwGteS0TevP#}NhB~0A$?^7u^7Te zKby8piru!c_fHD z)C0pYYIf?f!vqkTzGkl$tx~i#{xk5 zcU*?9MwpLSn{mLS1b>)Zf13wr7_^D3P7Qj~i{Jed(&DzDyq%Bm6VSTR)Od)^(5K+t zNyx>%r~EsQ6|D4Oo%l!qpES2{$psLsHwKCVScpOue4&HW zb3qV&g%LV9&slV{w^F7Ml&PZQ62~-UBd2f^V&}oRyKezoRhZROP!GkR7$WL%r=b6nkEy9+f|_J?{~H$*_gvRF*4-F_a+_JB#Q~V zw(1ND?#DD@G0J(WrzO_z>INy*8FaJjA(-P6R?ff0-CG;)H;sm;o#_9f7bB6SjZ5)# zaQ%_8x`g5aameO_P)FOtlYzg>H`mqaKFUZ7 zC?ap!P0s|qwvcXgs#f@5mrqmiC|n1!^<$B8!s3z@Nk>J%Hcm}JVA9@{nl7Ai|Kw=@ zU1}JJEt^C_&J75Ffi^&dXw0*Obk+pPkw~Ezfly!A%&Bp!A)BHE{c+_iHAbnPY{&er zS2llJ%;!HQ9&{1a95;`)&t>AgEKdl$M}?i0=S|kpqAbtjoU`pK#$ZZ)%JW z<^sHlvg{<>o{gaRV#X4)qe~DB6&h|0LL>jggw8HWvVkdHM2xnqZK~4S#Es$gVKKLM zxSdg8)a8UMZmncIS{7^^p6Zu_9&vaIpT0zb;a2@@FW;K!Q=De)_ypO72=9Nepoc={ zfM34HbXD{q4?>QDQd#yV7uxOGe)XGWkUD#++r-7X%v{K*0nH&wB3GcOYGbb!3pV%c z?ExJP2{R6y+65F=PJR~!M0FQ4Hz15PM*1PWess}1tY ze^XR&r)1EyM^R?2uR;Legf%Ch@lE8`O*-A>uvpfZi$T(rsN;ND`M9{Kpu=#mftwG? z%H&2wi(5B-A>5`XUBtLa@6(;t>!ms=J!nXV1P3&|SJIIeB^qp?2BdmD(q*q`76v+M zFwe^D-6_rlyQ;+;Yl^$t7i(*g`3o<2l1)4RC&T=19N*3iyxS-(AjBcCs(?3VXe+v! zg{LfCv#;;HV#_^SzFKIF#uGBtLj+E`+*Aq`rZ!wYYwlEVN7v-oD0pf@i~$}#AdX!; z-EfG3jtqcZIGJ=K%f4<0Xt_@>ybe1XuT%|xISch&$#EujqJZ%{W)QB+hEj#wF~~!5 zmfvycrMO-Ct5EkRX8StPdGRNy@r047DEi8N7&IDOE|NQ$_~C-ltO18|Mc76^z^dxr2lm5pUr(e?H^(sNx&Z zL?GN_dQyT&*+%_Vp2uDG>=9Yd6@}_L*UcTnt9Q~;^x(3v#e71cC<@lpDQ@(f5Uy>& z3j4dIfK0=2_R@>e^Nfj zV;vjip$*6H3xG#zanj`NYwOt`9u6@7N{882%?V*xJfLfxop9Ew#A1PF5KCSXQBx6G za5V)l+>NxtmDk@YSI|Uk;nuljzp#`A3<}IDRVAxO4L6^+DctzvyeyiYV-Qor`&_EW z0HY?rp_eb@|7p*HLI&eV%<|s+v;xLZGAlw@`q#$g{TP`hh?JJ05`@>1(>x}tN`nNZ#U$(IMB@=Fs*$bpw5J5NE~lrLYfe^b_Opc<0f&S z7t-Yjf7{I@#s5{uS@Iy!k-q>7X@b-w@EM9s#&~$mcE97QxWXLbe(+|^Qi|m34g|e%iN%*)6y8;q5oxtAy)%^Ng;1_sM9@0OJc@^m08n-|g z*$GoVu<5+Y-dpUN?gLE)MtUWCNTVaUuWJb(%$OYq%ed9mu0s=D5<-rOqSdicYj5-D zMJJX=ADGv_P#$T#UFgRbLE<72InGu$SFjFUZtBaigb-{kn3+SAglfl4{ApbKRp}x^ zs-jfv(#3pv(i-#xtv;dVERYNVMh=eY-@mQNHiL@0xXL~9a0842uJxrY4IrolKlLA4aYwH@;_*QwB&u-O#v^+Mg#MfZ z;vztuu?1)CPsHPNat`x$3nm%K(#T=e-VG`XlfFf%U`R(2m05$(6D+D(P5`gkiTke5 z0;oFwAFQh3BhoIX`wWck2|O8N$WQ{4D@73Y(Y9n*03;f*e}b8iVXp0R7L%5vEx4+J z1~?rfWCO8x<^LAl|FddHY_ZLLlOHMkRGb$)@X4$sP%F>+k2I4M*BLfVybg}n2)R`jD5arB%isT2 z;Hu+jk4;#fFqsHuf<9;|HV75DTuTFDVjq%!1$_f u4xdg$2co@*xqARAOplGh`b-}l=K+hNI;p3C`CS1T*Wj!4=jb3CF~2XD$Et4t literal 3320 zcmV)m=#+yGMo z_UTX1pqU#ANE>o5c_(Tv$=|wGU2)(PnM?IFX{KoF?!%6E5+ar)ft+R>Psh9GhFzN4 zUH9k~VS8DRi1YfBtx^Yeq+*hoSe~OY9q1P+)+~U(OZy6<=cQN~gRr8WKGcHBMVL;* zJvK{UVz3>fUPU`7Q}<0Zy*xMa5l7KV7~0htNfBmQm$0uqwJ`aWsF+Itv!p>bM6+$P zlM`Ys9_B^O30NqY<@u{P?7Y;M&Ep*Pz5Fa(gib;d&&cBW7hd0FHwapKnCgAAZ?Ugq zCyNw*r<}!zR3s+=L7A7KcQA08V_W=q3)?CUTtQm~W@V8PCyn9leaFDW2^;?1O4%itDymbL}BX2kuCT#hH>*3STCSx z`Z&~^`$?|<+XF>f*^>N0>HOWW^c!-fmar5<%W-LKtDo}(ID(ekZZW^gM+~gXeTnr? zMVo(+iefw!t*kX@CoqhZ#iJDjo^39qj`jd62xW$7#wa|F1p+bnBG zl`20ae`2914x&S27T(WXRM(@anRS!82c;+OX;#pKx+hdriWSc;J=*{oh@1-lF1Mss z(r)?5t^Pmxf|(-gm*(s7xD-%ddkqS+ZInJ59!!?#FC&}F0v2v-oFtSUd6+ClRets; zKq@4`?uJY06YuJ)9^~UqKQ0or&g0u)J(Eae_1vX#fZ9NJ*8^fl3?tj z%=_+NC^nGjV4k^yL*c~PuCVJfY#HyfRHTo#lJd|U_xnhSPaPJkf*s+s=Mwd=k3OMO zDTA={)gva}TxmIVE+h{WDd}a^M<@{T}~z5Mb--06hUJFM$S-JruhAk;;GnD8ResBhIp9Ph6$zgksF z9`sYFihFuZ9Vl+K`$hnQq@q^;L|Rq}r{IDxC~_u#=JbdKmY&%Y;KO3j6)ZnW=pvXG zp$7%nyWaq;R=8$fO4I=4|iMJ=IXWGE9maw1(wEda zm-?B$3KT5umK_n2L`{AkK^Z*#vZL7qD9|AvAB;99ua%yksz2J_2%sKBPIuS`G3JiL<-ih?n-6t!<(qvm zjb(-;=yuWL!FH*26W`vrOjHxSt(`MiLE-ymFYqh0(D1-*#nolV4r!>%Myk`!=>v4h z46K`?(X@zb2-Y@13z+utN=xstKqwLBx`1T1rsp&Pkrb955sgX_U>k zQC=&%8HU#gnQ4{)0x`&Vftkf{A5CiHFBZR`%zE$V2}C@)Fd&^w0o$>i)|YQH8&K*9 zt;JpO?29cDJ$`W#BaO{Zny(T@t7J~W+D${pw+!XKfh=chXvRi;s&pazE%kDZ9r|AH z2sb3SOw`WujfJ<5n~0txUp;Qf-5Mv)m;yIfeXZKI<(PFlpBYjs^n=5zuG)8lxwShKV!2 zagcO~p~oM89BN7qZ9`lTv^=g+z7lFSxsLf>1xY?%Xcxc~DjEU}*B%&Ke*|Z}__;GH z)lwQRng`N(<~p=iJ?BR#3R#VI7IBUIu7=z|XWFg%Rg+WAA}U21tkCS(&?ADXUX zm6`*%c%fw}ZLG*eDrMVbR>KF=tv^TZsc7?mGgp9G@}CUVKghe!lgdeDj&k*)A_|Tn zx9v5{>~Zyl-fBF6DTA=$0hM}t%hUDo2jujH27aY_*avLgJfyHmh%YSmxTp(w-<0r* z#{r1-gt%cjd`;l($84TlyEUQsPNThA{Kjw4qP}X{q^7lO`O{GKn!g@>!e%CPCtMOI z{HfqDUUyIKJx`pwyRIpelIZ{L&d2N zUu&%arpOFNJKfjnF$|3}fN4{P-)!s@{OmIe*BEdsawRt@ay5Hul?#9_gBjzIqv{l_TW+%*k`JobId=W68mLcdqfjT@D2bbVy7kYn-O zvUw!SO~~Sa<^!;u%+PYPq@udsv(+262a-#dm%ptH{w&>NP}ft@-Z_`5Opizb(i?xM zWpIAPoFC$X#UeaqHoZH1H#?fObz%RdTCn@V1mWU#y)fdomA;fmSeC?LN(oWZQ?PT> z4m$35s#V&en4$avXdp^+?<3_Kl=>t61myEI{4l=U;Wa{~sXG>i)3NO90Y81;lX8m3 z*i)X>rT2?o9EMO!HL)KR&E@hs{5{~ZL)z^(arvY*FjP$-^hD|UaX9y39SfRDyZ}_B z9-SifkClMyWdK31eBExHzkSiUFpHl%4?M3RgGtwUkEceex% z9e=~|>gQ{1q4O2Po&zoR5>tvaC^IVlvoyJETn@J)DoJcVGxRaI&W8Eid6o|JXvDoo zSI)XfIo30?^JWFNyL)I8^eo9*%OPqW+8%^i+NHorLAlY$WiFhj0GV9c;w7gR*7`2C zJO#6FvGaT3a1X$wLWNc&tJ<99Ucc77O#PB)bcX^6eV<23 zR%C=0z;REjepxO9R*?Ke;%L^cKAp~CohG|#ZE}B2CXb(;%rCBUZcOd(&U!i~< zD&nu~4o3hg2_PT3&c1jHg$Z@%`(KJ}yk0G){rI39N=YitAh4QiqnzZ`4lra1M Cg>wi1 From 05ec4a4b29b11b091e428c35a6bdb616a6d1d1a7 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 12:52:23 -0800 Subject: [PATCH 11/25] Add encrypted ssh key for machine access --- secrets/hetzner-2i2c.key | Bin 0 -> 466 bytes secrets/hetzner-2i2c.key.pub | Bin 0 -> 146 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 secrets/hetzner-2i2c.key create mode 100644 secrets/hetzner-2i2c.key.pub diff --git a/secrets/hetzner-2i2c.key b/secrets/hetzner-2i2c.key new file mode 100644 index 0000000000000000000000000000000000000000..0bc5fac0977ecbcab35d68afc090b07a731757ee GIT binary patch literal 466 zcmV;@0WJOjM@dveQdv+`0PdHTeAK_QR%Q@mor8eTH{*$s2J`Yuig{!J+}quz}N+?%UG zX$9@1!WqN&i;)b9VQoyemG|{&H8|twxQT2+f<*#f;W{1yBf$o_8z{dMF}6ltP^pNE z`KVD|iW0?98Bas|rU@yQinFu`lZ4Whvxp?d>eFYtTU{uzRhWxnc0(rh70&qo0%-;j z6!t<1ss)#P(zp%CU|Jd`DCqe+%P>e!QPNJ4=Zr9_Hj6aVT?#l`wVg9T=(*N{0k#>)bz-C ztt}`Uj*1SPe%_4MPp4(p0X?xsrn0pfrX-L&EvHVFJh1-PItqb*QSVxXVX1am4pp0h zOezg_>|w28+-@yuu0Bp?b{HjXRY$!Iv~6UYa2k6w-N2Kqs~IXf{9IQCD={4&H{#n1 z^lEpE3^K@RBP}~K$NP``1+x% IFl@-?P|{o6?f?J) literal 0 HcmV?d00001 diff --git a/secrets/hetzner-2i2c.key.pub b/secrets/hetzner-2i2c.key.pub new file mode 100644 index 0000000000000000000000000000000000000000..a2195fbc021ac30ae4ac2cea21a982967ee2d282 GIT binary patch literal 146 zcmV;D0B!#OM@dveQdv+`0B^NwM;Uos_)@r_H}j~KVcs?$?gmEgy^Z)6q>krf48EC? z^eEHem2-y!yXFZM0ygDEFCh>9Gz3IV16j9BydP`9wVLtfPH^q4I;rgN*&xX5Rp$W}T*Eiz0*JHe198MSSqdDpSI&=eD2xP*VcLHHFqAD(Tn4>mQ0NDj0MT}8H A#{d8T literal 0 HcmV?d00001 From ce94809d716209c05f6cf32156b2452eb163322a Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 20:03:39 -0800 Subject: [PATCH 12/25] Use hetzner object storage as backend for registry Also actually make the registry read the config file - it was not doing that before. --- mybinder/templates/registry/deployment.yaml | 8 +++++++- mybinder/values.yaml | 13 +++++++++++++ secrets/config/hetzner-2i2c.yaml | Bin 3416 -> 3728 bytes 3 files changed, 20 insertions(+), 1 deletion(-) diff --git a/mybinder/templates/registry/deployment.yaml b/mybinder/templates/registry/deployment.yaml index 7edd66a30..ed1270149 100644 --- a/mybinder/templates/registry/deployment.yaml +++ b/mybinder/templates/registry/deployment.yaml @@ -39,11 +39,17 @@ spec: claimName: registry containers: - name: registry - image: registry:2.8.3 + image: registry:3.0.0-rc.2 volumeMounts: - name: registry-config + # This path is what registry documentation *says* we should put + # our config files in mountPath: /etc/distribution/config.yml subPath: config.yml + - name: registry-config + # This path is what registry *actually* seems to read lol + mountPath: /etc/docker/registry/config.yml + subPath: config.yml - name: registry-storage mountPath: /var/lib/registry - name: registry-secret diff --git a/mybinder/values.yaml b/mybinder/values.yaml index 6efefc5c3..dbd4e2b95 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -18,7 +18,20 @@ registry: version: 0.1 auth: htpasswd: + realm: basic-realm path: /etc/distribution/auth.htpasswd + + http: + addr: :5000 + log: + level: debug + accesslog: + disabled: false + storage: + s3: + regionendpoint: https://fsn1.your-objectstorage.com + bucket: mybinder-2i2c-registry-hetzner + region: does-not-matter service: type: ClusterIP storage: diff --git a/secrets/config/hetzner-2i2c.yaml b/secrets/config/hetzner-2i2c.yaml index 0962b8386b087145a6c38111e97281ed4a5708e1..b94c351df4e7f26c3b75cb183b7d255d77285dfe 100644 GIT binary patch literal 3728 zcmV;B4sY=QM@dveQdv+`04+pK3l`Zk6DB_1-q05rR~cajluQq74>v@VwhXzl zdN4vZQ_w1t(D!1OgDyr=(na^t#OyCTsfr}Lk90#?Ozk}8U%}I%SxIZgUHvxRhLb&m z!S~?*2G$j=obU+jrjur!W*Y)h)Wt6Nzo_Z7t4;l%x%}!2d8)C*qCnuF#6-+ zbU_Y4h=s5eH^g8!ZQfNcY%wwNzGWhO$@owUpbl}@A?+1wTODXGuyq^cHErQB*(*%P zk&}0!LN$ObC!3lbCl2E zCNAE9+a(<{A)h?=osFv(2MdPgUTf!DJPlLnGG?CuqXU*RxutzqNbewrJ5;+`!N3;x znD-VoiWmGYFQZFU;>*JQ8LXqYGc4G8VZYN}yKcEJZI%!G`m0(3TCMCd>8B%qFq+W8 zK6im~-M`ogMipmc*kJ@vSZ4z9V0kwXZ-Fg+KT9@1k3Xe-50+s zW~oal`h%Xpt!M5vKV*Tuyb!@I72}T^9`TTE0M*s`)e`d+JROz8@RLBpy%c`aVGQEd z?V^CIp+}+`sX+5qpmzP-*BQo4kpe)^Q}Ym4+={;*;C*+aq;G*AH=0k7Fv8U)$Jc%1 zb&iy7gEIx@kqm7d)i$h;*SmC}yB;$2M7a+&`fUL4u$o<9V;~g}U*Wnj5PD3KT8j1@ zvbAB_BAhuxU54VgApq|7jTRq%0T`icRbFZd4{klM(X|vhFgo0~&}vzSo7)-qgMacB zt*fQQ>lUs~OG6)e_$n=nvzD(C(-Itu$HQZWncItU*0LRRI#G$>%7-~7%^Lx6b_~~N zyw^d%OrkT(7py?j?u&19ti48@TOmgtvB-?xnFrRj_iWXOR#mUnb~{op#b+PF^~hM# zd0rv&Hj%XyZsxy;($`t5E>wLs^~6{!OWhNpL4?2M z{j@1gPqqZgbcB$AoXuJ^&Ii2(~j>)>dTHjX>1wg8oL;E>58hO~puYBK;@Uc+`xMxu1b=3(TCJXARQ<+yh4i+c+In?OjUo%)bY*o zy;dKkSJyf5Cj&###h7J2OS1*Dmex1g0OnAru&p*%_MAYb0ZjV>1gG4Q_DP;5#7?QK zc@Z>OtqIjdO%3!2F;k3x?~D-LjrbqCcL={U3*d7ggFk~?+{+=AyuaF}(o&`lxGQ#< z3rjlG1md!mVqUshSjGoKpEk>^n?dGRgNY)!S1 z;+Z{%%sm4Ql)3Y5CacNh2KMp;JCuF7y?LYbQ-AYKo+{XL{c^;M$yu zW=(fNeq!O|>o?d7f^0Bb3I@SK*qCVP|CsXfK4$v5*WvSRv8}Xgts6j7cX1avrLn^& zV9h?FNT@Td2zf7YPLPi{XFdW0ZG-XZtT_7{Yo40ds$RqIC;};G4R1>Ia$p2HO6;p0 zJjenFLz0AS>(nqh8%7v!xdhbxt?>%6@q~ylB*UmH$WMpIU!AfgR&VZ{vrVM&m38ar zg`5R>-I=3qOj>}o4*P@$85mH5oO+2Bgo)zjOsf&|(GrF&gi%nvq^J8>t*Lq8X= ze`c%l4IkjPOtly#65<-uRW5**&22Ts)2C~OYrx6hWwb|{0`wPjN=|uIlH6a)dnoVi z4FU(QK@M5KU>#A$Rp3TJ=H;zz!Lu>C78N65F`ikj+SrpTC^$I$IcfAUS8?N7eH4OU z$2GE4P9|Aoj}VNVwZn#lGug(8_Nucg{}S|6t6cHUG@4GKqX z-DPcNPB|>5CX}e}Ip#iW=;$kOX_*E%_ZhrGyNTRQw{tKQq$-{|M#vadV-@(~VS5rd z5H7!VG;S|Mow30ktjd2arZXT3->BJ{+hDotl`6ktYYJa;4f!Cmh@9Y{cB&IXq4Hz` z!C!o0I@7qr!s58=wqz1LwTNvrw`@Z0k)ZrEw4n^4no4s>uVy4S$kkCk8AUkMNdStW zD$SUn>dQi(X3I(It{Pu^^q+TZ*Awd8lj(*xh_)!()lkX(|K;=w3OGr3K6^_*CAjEB z)Qk3p4b~}V>)Bu$reqm-|JB(8RCU0W%Ktd%8?9m!)ay8O39dgcr8WBZ)Y8neeUriQ zL)rhb4rfC;_nV7l5~YMu>*2#jH-hDnZFBb2-Vxd$U(UY$#qs6_ zYfkB5QZ__~bPjepP{kjs*gLTAlnPF8arJ~?zLBJZ7&5- zyL5t6BjTfPVd6xE3z8F~s@~hvJ~-8mp`TTM3d>ZVcwMC@0uOhxs9_9Sh!yPR(SjW1 zid0X!v;?I6&U(a~D4qs)1^SNgr>gxXS+==^XrI*^fFy%VCt*QZ3g;VY`~H1}-Psa9 zH6Z796qql2#@-gGI%p@bEjJ@UVHp&aF4R`- zjUrH>qGg$?Tv(!UMN&MG;U?(mOU}Q@BaNr38}ClYZ8xx1SRTcsTu}+#v{LgeVS2ot zVryGWgIg9r$fIa$M^LAMIlj%)4|Fa`&0bg0B@kDH9R2G(xl=oxvL#w>4zMZVi@rb$rhp&nl!Q@IHMTNh5lsEXoH6 zRh#eN9klfilv&L> z@WrK_SaMY#Ts`T6-~LndDe}fQC5Y&u>`V`4ZHpA9#jjsCmO&NE04a1G-4iibQT+6Z zZ#`N|GRKqS(p?$aLmaPxtJ>>YI_AnF&y|Ing>6lLq%Kq%aRA2iziP^$2i5%xD82k_ z^LY3C7Uk``{>^2g7cYUd4fjHyRjeHC37Z+t$>JdLwU1V_b`7cTG7xWwv&!Rp+3X2% zrGHCP0xZw8) zg3Dm7q$Q0$sB*iZz}VI;z>^N=sN1z?^#U_pyIlmHXd+-Y?ozdOzxP+ZmZFrFXEdeg zQYlZjj{ih5Gl&orJR0b+OnTp={B3!}mN)RZzasT2yKYsJ0K)j0y7=wMyiwbBUV;1j zFwOZdtk(i1O?X~ zWGXGZjCeQH*1)<%DAl?AffA`bF+fRdg(Hl^z=dK6v#* z7W`7F53Uc99-wvrmjqYWr31ssld7a)F1ykwIiN+R7H%IK2!SIACDha>&FWu zV{)V4a4?X|vx|fM`xS6T1XyN!DIyJ)>?X!bIna^|`UI5fCzW04Saf%y_iu;1J(o*p9v* z=4{G&ALmLi=Vu4?F~e+bTeuxi2|or2#F;M@7;}C13<~YytU&*&hpmWcyZG};vL93_ uMt(E*Oq$G4g0}tc(S@;iO-~>hyCv7YXt=9O1Q&8a#$J|ozyRr$TFNO;B|~KZ literal 3416 zcmV-e4X5$|M@dveQdv+`0GxwFT82N6P2p*=RoJwGteS0TevP#}NhB~0A$?^7u^7Te zKby8piru!c_fHD z)C0pYYIf?f!vqkTzGkl$tx~i#{xk5 zcU*?9MwpLSn{mLS1b>)Zf13wr7_^D3P7Qj~i{Jed(&DzDyq%Bm6VSTR)Od)^(5K+t zNyx>%r~EsQ6|D4Oo%l!qpES2{$psLsHwKCVScpOue4&HW zb3qV&g%LV9&slV{w^F7Ml&PZQ62~-UBd2f^V&}oRyKezoRhZROP!GkR7$WL%r=b6nkEy9+f|_J?{~H$*_gvRF*4-F_a+_JB#Q~V zw(1ND?#DD@G0J(WrzO_z>INy*8FaJjA(-P6R?ff0-CG;)H;sm;o#_9f7bB6SjZ5)# zaQ%_8x`g5aameO_P)FOtlYzg>H`mqaKFUZ7 zC?ap!P0s|qwvcXgs#f@5mrqmiC|n1!^<$B8!s3z@Nk>J%Hcm}JVA9@{nl7Ai|Kw=@ zU1}JJEt^C_&J75Ffi^&dXw0*Obk+pPkw~Ezfly!A%&Bp!A)BHE{c+_iHAbnPY{&er zS2llJ%;!HQ9&{1a95;`)&t>AgEKdl$M}?i0=S|kpqAbtjoU`pK#$ZZ)%JW z<^sHlvg{<>o{gaRV#X4)qe~DB6&h|0LL>jggw8HWvVkdHM2xnqZK~4S#Es$gVKKLM zxSdg8)a8UMZmncIS{7^^p6Zu_9&vaIpT0zb;a2@@FW;K!Q=De)_ypO72=9Nepoc={ zfM34HbXD{q4?>QDQd#yV7uxOGe)XGWkUD#++r-7X%v{K*0nH&wB3GcOYGbb!3pV%c z?ExJP2{R6y+65F=PJR~!M0FQ4Hz15PM*1PWess}1tY ze^XR&r)1EyM^R?2uR;Legf%Ch@lE8`O*-A>uvpfZi$T(rsN;ND`M9{Kpu=#mftwG? z%H&2wi(5B-A>5`XUBtLa@6(;t>!ms=J!nXV1P3&|SJIIeB^qp?2BdmD(q*q`76v+M zFwe^D-6_rlyQ;+;Yl^$t7i(*g`3o<2l1)4RC&T=19N*3iyxS-(AjBcCs(?3VXe+v! zg{LfCv#;;HV#_^SzFKIF#uGBtLj+E`+*Aq`rZ!wYYwlEVN7v-oD0pf@i~$}#AdX!; z-EfG3jtqcZIGJ=K%f4<0Xt_@>ybe1XuT%|xISch&$#EujqJZ%{W)QB+hEj#wF~~!5 zmfvycrMO-Ct5EkRX8StPdGRNy@r047DEi8N7&IDOE|NQ$_~C-ltO18|Mc76^z^dxr2lm5pUr(e?H^(sNx&Z zL?GN_dQyT&*+%_Vp2uDG>=9Yd6@}_L*UcTnt9Q~;^x(3v#e71cC<@lpDQ@(f5Uy>& z3j4dIfK0=2_R@>e^Nfj zV;vjip$*6H3xG#zanj`NYwOt`9u6@7N{882%?V*xJfLfxop9Ew#A1PF5KCSXQBx6G za5V)l+>NxtmDk@YSI|Uk;nuljzp#`A3<}IDRVAxO4L6^+DctzvyeyiYV-Qor`&_EW z0HY?rp_eb@|7p*HLI&eV%<|s+v;xLZGAlw@`q#$g{TP`hh?JJ05`@>1(>x}tN`nNZ#U$(IMB@=Fs*$bpw5J5NE~lrLYfe^b_Opc<0f&S z7t-Yjf7{I@#s5{uS@Iy!k-q>7X@b-w@EM9s#&~$mcE97QxWXLbe(+|^Qi|m34g|e%iN%*)6y8;q5oxtAy)%^Ng;1_sM9@0OJc@^m08n-|g z*$GoVu<5+Y-dpUN?gLE)MtUWCNTVaUuWJb(%$OYq%ed9mu0s=D5<-rOqSdicYj5-D zMJJX=ADGv_P#$T#UFgRbLE<72InGu$SFjFUZtBaigb-{kn3+SAglfl4{ApbKRp}x^ zs-jfv(#3pv(i-#xtv;dVERYNVMh=eY-@mQNHiL@0xXL~9a0842uJxrY4IrolKlLA4aYwH@;_*QwB&u-O#v^+Mg#MfZ z;vztuu?1)CPsHPNat`x$3nm%K(#T=e-VG`XlfFf%U`R(2m05$(6D+D(P5`gkiTke5 z0;oFwAFQh3BhoIX`wWck2|O8N$WQ{4D@73Y(Y9n*03;f*e}b8iVXp0R7L%5vEx4+J z1~?rfWCO8x<^LAl|FddHY_ZLLlOHMkRGb$)@X4$sP%F>+k2I4M*BLfVybg}n2)R`jD5arB%isT2 z;Hu+jk4;#fFqsHuf<9;|HV75DTuTFDVjq%!1$_f u4xdg$2co@*xqARAOplGh`b-}l=K+hNI;p3C`CS1T*Wj!4=jb3CF~2XD$Et4t From 5deee2e435bc91b7bb3d93b743dd3c53300b781f Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 20:16:23 -0800 Subject: [PATCH 13/25] Run two replicas of the registry --- mybinder/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index dbd4e2b95..fe87e7fb7 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -12,6 +12,7 @@ cryptnono: registry: enabled: false + replicas: 2 # Passed through to docker distribution / registry config # https://distribution.github.io/distribution/about/configuration/ config: From 29b881a6c857f6cc0bc60a5328f31647eae76746 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 20:18:48 -0800 Subject: [PATCH 14/25] Move storage config to right place --- config/hetzner-2i2c.yaml | 9 +++++++++ mybinder/values.yaml | 5 ----- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/config/hetzner-2i2c.yaml b/config/hetzner-2i2c.yaml index c393c4c4e..cc8e8a2c0 100644 --- a/config/hetzner-2i2c.yaml +++ b/config/hetzner-2i2c.yaml @@ -2,6 +2,15 @@ projectName: hetzner-2i2c registry: enabled: true + config: + storage: + # Uncomment this and comment out the s3 config to use filesystem + # filesystem: + # rootdirectory: /var/lib/registry + s3: + regionendpoint: https://fsn1.your-objectstorage.com + bucket: mybinder-2i2c-registry-hetzner + region: does-not-matter storage: filesystem: storageClassName: "local-path" diff --git a/mybinder/values.yaml b/mybinder/values.yaml index fe87e7fb7..8420fe029 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -28,11 +28,6 @@ registry: level: debug accesslog: disabled: false - storage: - s3: - regionendpoint: https://fsn1.your-objectstorage.com - bucket: mybinder-2i2c-registry-hetzner - region: does-not-matter service: type: ClusterIP storage: From 7832301a49f32a7f6877f07cf6e6e74f9c367372 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 20:31:35 -0800 Subject: [PATCH 15/25] Add to wisdom --- WISDOM.md | 1 + 1 file changed, 1 insertion(+) diff --git a/WISDOM.md b/WISDOM.md index e354ef17b..01395eedf 100644 --- a/WISDOM.md +++ b/WISDOM.md @@ -2,3 +2,4 @@ - When you are in an outage, focus only on fixing the outage - do not try to do anything else. - Prefer minor annoyances happening infrequently but at regular intervals, rather than major annoyances happening rarely but at unpredictable intervals. +- Sometimes, surviving is winning. \ No newline at end of file From 27a057ae8e554b31c4a178d348014956c247b8d1 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Sun, 19 Jan 2025 04:31:53 +0000 Subject: [PATCH 16/25] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- WISDOM.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/WISDOM.md b/WISDOM.md index 01395eedf..ab3853cfa 100644 --- a/WISDOM.md +++ b/WISDOM.md @@ -2,4 +2,4 @@ - When you are in an outage, focus only on fixing the outage - do not try to do anything else. - Prefer minor annoyances happening infrequently but at regular intervals, rather than major annoyances happening rarely but at unpredictable intervals. -- Sometimes, surviving is winning. \ No newline at end of file +- Sometimes, surviving is winning. From 8490ecdd4576f16a59c394f76fa88136b029866a Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 18 Jan 2025 20:41:54 -0800 Subject: [PATCH 17/25] Add simple docs on k3s --- docs/source/deployment/index.rst | 1 + docs/source/deployment/k3s.md | 52 ++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+) create mode 100644 docs/source/deployment/k3s.md diff --git a/docs/source/deployment/index.rst b/docs/source/deployment/index.rst index 5ab6e4f25..a30909a1c 100644 --- a/docs/source/deployment/index.rst +++ b/docs/source/deployment/index.rst @@ -8,3 +8,4 @@ Deployment and Operation prereqs how what + k3s diff --git a/docs/source/deployment/k3s.md b/docs/source/deployment/k3s.md new file mode 100644 index 000000000..1a798d25d --- /dev/null +++ b/docs/source/deployment/k3s.md @@ -0,0 +1,52 @@ +# Deploy a new mybinder.org federation member on a bare VM with `k3s` + +[k3s](https://k3s.io/) is a popular kubernetes distribution that we can use +to build *single node* kubernetes installations that satisfy the needs of the +mybinder project. By focusing on the simplest possible kubernetes installation, +we can get all the benefits of kubernetes (simplified deployment, cloud agnosticity, +unified tooling, etc) **except** autoscaling, and deploy **anywhere we can get a VM +with root access**. This is vastly simpler than managing an autoscaling kubernetes +cluster, and allows expansion of the mybinder federation in ways that would otherwise +be more difficult. + +## VM requirements + +The k3s project publishes [their requirements](https://docs.k3s.io/installation/requirements?), +but we have a slightly more opinionated list. + +1. We must have full `root` access. +2. Runs latest Ubuntu LTS (currently 24.04). Debian is acceptable. +3. Direct internet access, inbound (public IP) and outbound. +4. "As big as possible", as we will be using all the capacity of this one VM +5. Ability to grant same access to the VM to all the operators of the mybinder federation. + +## Installing `k3s` + +We can use the [quickstart](https://docs.k3s.io/quick-start) on the `k3s` website, with the added +config of *disabling traefik* that comes built in. We deploy nginx as part of our deployment, so we +do not need traefik. + +```bash +curl -sfL https://get.k3s.io | sh -s - --disable-traefik +``` + +This runs for a minute, but should set up latest `k3s` on that node! You can verify that by running +`kubectl get node` and `kubectl version`. + +## Extracting authentication information via a `KUBECONFIG` file + +Follow https://docs.k3s.io/cluster-access#accessing-the-cluster-from-outside-with-kubectl + +## Make a config copy for this new member + +TODO + +## Make a secret config for this new member + +TODO + +## Deploy binder! + +## Test and validate + +## Add to the redirector \ No newline at end of file From dab0eb632b7108fa69f507750a9c3e792b66fb49 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sun, 19 Jan 2025 10:24:35 -0800 Subject: [PATCH 18/25] Add shared secret for registry load balancing --- secrets/config/hetzner-2i2c.yaml | Bin 3728 -> 3817 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/config/hetzner-2i2c.yaml b/secrets/config/hetzner-2i2c.yaml index b94c351df4e7f26c3b75cb183b7d255d77285dfe..bef7d624a0a53058b0e558011808212a8e861871 100644 GIT binary patch literal 3817 zcmVWQ^a6;&Nq&k<`cb-$yt#!sx1y zgXHzu*MYMfty!v_H~Ey$ed{G1^Kd!nJGePXODJ=SXl2Paff$9QB=yHh029MOmzpq( z4aM3AcBH_26{((74cdOGCY&oLJ~=CXU+X?~p20?*z*2=Ek06N#G)H+o+ z894K_BVVv|B;@!QZEOc31di>t3F7TJ?*oOe-qBR6spd5hkl^}`AhB9j-PU8siO44n-qdJ8xhA7yH5JZ0CiSV zs5eGNritBjfb*kNsgc`*^`z`Ph9{My~}8q zpoVzGF~okZJ016reh%Y}o&($znffArn#Q$SD#2Szq1@M{G~oM28QN*p^&-n+eQjH^uSjCnR^he7~!h9V1|FCE#vde~Ae zVHqKi0k1bH4UCs4$R-bF^^_RLZ`(C)IjNP!S-hXL{x@CarvM-XlCcL3d)l8W zi(>G_&ERZfB;b_c(M}Hpyikc`48Tb?m!Z{{Fhtfo@Pe{4mV;z~Q>6j>6$co~>YOo* zslB4=P8$<2&wk{$gDjJ0Q8|g0SDb=p_Hlhv0Dj{OH1ZVL`7n+CtK4xkkG+r&tjeq) zImWajV%(Bdl-#~RB@$n-x~rfZ$>^4ZM>N8vRxI`aSQFjmDr`#bo?w`BYcD=^dLu_X z{1Dji7a6%jRoUiN1{mEf0zW5$3$uW-*lgrSUAibEEui$RO>S+2>?(YkX5mY&dM zN>@na^Cma20{(IIm*>9j);e4YcG*A&AuFhBugnl+AE?Ib*3;etz&c12UN+;&J{}JA z5>k(DQ>o9QW)=!`;l$9&7e4>FXNBSXTJ20AsAi0g{}fb4{Jt1$%-{g4reXWzK3Zti zADmu=(sWS$vg;EUv6I?U}gx zlGi|%3g-(LHLZU34;pfWpo}u1*%pOQf3rTt#W^U00O3`=r+zonLW-Hh6>M#mzcE$t zqf7w_=oJnIZ`V^@OEN+qQyb1dy+h9lPn|4sqmuqQX5izHfWIO-UZab0FqK#MMNOr3 z0ElGOg(Fw#JJ5!&UJ37X_OwNRXz->;VB-?Bq3;97`?JJkCjC$=a2I7h7eTdvq6pv? zP}_V~5%ag@)SW?bf!fe}`=j5qeqK$943J|{Cf`wp9%LO+oLgJ((xCZFNUshBB`~I& zAP<=&JM>!Zc;dkPoB&5f<7|W|-bokcGIS}^mnh&-XVK29V>=eSti=v|d4Ai_&^nrI zTXI$dvXp;#18=joRvu-s{a8T#3&;S3K&JZm&l53m3kgq_hfXdHE2qLWdEBsP1Kj&x z$LC3&i9J7S2q)8Bb!13VGmfcR!}Zk z;L#Ul`w9%%Q93^tMz?eY4#~Iby&z!$2&Tyj_3*R1`97b%8GYU`_oA};)$=PI7kojb z4WKiyT@>`{6wR!CTasjX*JOL}H;yz2{3`7R`;XVyZh#zj#lY_mm zIBgo*gVt#L%#ePmR;WgNp(S$qOyeHzZL-3afMAN|UpD=-WtsKj2C94R_N(rJdoKb( zhWOnte;Wd7Xs@j&;%Enf0555zCl7cFb&x-%vU!pg+UFsah2(!HQxwEz|E@LD0RsO# zx|if9IKOJae4$}$-XerTX54rf*v+0ldQh@Pefz&I)|hiEb9xM{sxmS_|Ox_p@7 zKv6iw;+b1uYA#MNJSfy7i(}CblKTczyBtP{+aDzQCZrT-(a-{ox-*vDibss~KfRYp z&%=d)V4Mp6frzD$X3sR-6Vf$fwEz5)tn@oDz-yiCpZ1SQE&^7R-+0p4vYWfm*? zC?x1w^0Oeh4U^TUx$4! z8=$iq={yV75nKRXNHLohQIiJ+WbuHpa)ToMn*AU*SgqAh>2RRAynj|~Z!J7o8QMrHLl68w~H5<@op zx5fh^*dXa}a|zGc*BPygBu3)zPs`w{p_Ut2L_{>f8>nfB3HUQ-h$r1=`lq-T!x5V# zZMeo>U>(3(e(B2QI&vXPxIZ+a*DL=9ra3=~`Xiy&0b<`FrVFN~~}}xmiVep&=|7 znBn>PQ_DcdOR7cyP2G12&Xz@2TN4+68ZYv2<7PYmhRA_f%8a1@8|2CG7MT1*DCY_E zi%K-#Y{GT`2fHu(s^<`xBjm2Djt6kpYYSWeJUlr~t52*yaTS8sH(T zSY}fX;*c3`_Wm)SP|rMByT!MP?wWouuM6#@_BM5$t;uVVHT6`?B}AKbzI}QijWTf< z`X>e_GmxoO{Q|_x(M&v{QRc`PX31Kp_kmL9eu=(Agt9c=#)a4ov#T{SJk5(3RC}9g z{4~?xDYOp`SO*cJ{4kc~S^_#8cG z@OkhZB}e(k>x8~po6rGZycWA!0u5?^)gCcu8_bIl2Y%q)JQA~XNFJuDUG0PAC>X>z z7Ej_#fgv;ZT=9};~Jf|Wky0F$b(%J-juZ0d1Pfso&a2Oneqj; zrLVeb*Z2N}6-d#JqJG5Ewn$OZzYNriw$TNWC&t#L< z(i}YjT_rYc5=U?685u!ViBj`~kW~iPZ8j@k?1j_LCw-P{-g?35(~`@ozbf4Rb6(D~ zDH&eb(+p=|_y?}OWMATO7oRbo`+>ioL_rnTaiHmTB_f!V@s$D{PRWMFE`i6fqOaYV zGcprD7z1DALBD(z6OH@*ef1xi@&G8xz^YZRw#(T%38b&t9~ayT=(^dKJbbS*h3?~ECP^=7{^stLQSLCv=ib>3mMU(4ZEH-pT|%mQjuMJXnl!H)^z=J f(W3!GEz}l1`0KG%$c)BURsTD!L&>8{UJ9|5rR~cajluQq74>v@VwhXzl zdN4vZQ_w1t(D!1OgDyr=(na^t#OyCTsfr}Lk90#?Ozk}8U%}I%SxIZgUHvxRhLb&m z!S~?*2G$j=obU+jrjur!W*Y)h)Wt6Nzo_Z7t4;l%x%}!2d8)C*qCnuF#6-+ zbU_Y4h=s5eH^g8!ZQfNcY%wwNzGWhO$@owUpbl}@A?+1wTODXGuyq^cHErQB*(*%P zk&}0!LN$ObC!3lbCl2E zCNAE9+a(<{A)h?=osFv(2MdPgUTf!DJPlLnGG?CuqXU*RxutzqNbewrJ5;+`!N3;x znD-VoiWmGYFQZFU;>*JQ8LXqYGc4G8VZYN}yKcEJZI%!G`m0(3TCMCd>8B%qFq+W8 zK6im~-M`ogMipmc*kJ@vSZ4z9V0kwXZ-Fg+KT9@1k3Xe-50+s zW~oal`h%Xpt!M5vKV*Tuyb!@I72}T^9`TTE0M*s`)e`d+JROz8@RLBpy%c`aVGQEd z?V^CIp+}+`sX+5qpmzP-*BQo4kpe)^Q}Ym4+={;*;C*+aq;G*AH=0k7Fv8U)$Jc%1 zb&iy7gEIx@kqm7d)i$h;*SmC}yB;$2M7a+&`fUL4u$o<9V;~g}U*Wnj5PD3KT8j1@ zvbAB_BAhuxU54VgApq|7jTRq%0T`icRbFZd4{klM(X|vhFgo0~&}vzSo7)-qgMacB zt*fQQ>lUs~OG6)e_$n=nvzD(C(-Itu$HQZWncItU*0LRRI#G$>%7-~7%^Lx6b_~~N zyw^d%OrkT(7py?j?u&19ti48@TOmgtvB-?xnFrRj_iWXOR#mUnb~{op#b+PF^~hM# zd0rv&Hj%XyZsxy;($`t5E>wLs^~6{!OWhNpL4?2M z{j@1gPqqZgbcB$AoXuJ^&Ii2(~j>)>dTHjX>1wg8oL;E>58hO~puYBK;@Uc+`xMxu1b=3(TCJXARQ<+yh4i+c+In?OjUo%)bY*o zy;dKkSJyf5Cj&###h7J2OS1*Dmex1g0OnAru&p*%_MAYb0ZjV>1gG4Q_DP;5#7?QK zc@Z>OtqIjdO%3!2F;k3x?~D-LjrbqCcL={U3*d7ggFk~?+{+=AyuaF}(o&`lxGQ#< z3rjlG1md!mVqUshSjGoKpEk>^n?dGRgNY)!S1 z;+Z{%%sm4Ql)3Y5CacNh2KMp;JCuF7y?LYbQ-AYKo+{XL{c^;M$yu zW=(fNeq!O|>o?d7f^0Bb3I@SK*qCVP|CsXfK4$v5*WvSRv8}Xgts6j7cX1avrLn^& zV9h?FNT@Td2zf7YPLPi{XFdW0ZG-XZtT_7{Yo40ds$RqIC;};G4R1>Ia$p2HO6;p0 zJjenFLz0AS>(nqh8%7v!xdhbxt?>%6@q~ylB*UmH$WMpIU!AfgR&VZ{vrVM&m38ar zg`5R>-I=3qOj>}o4*P@$85mH5oO+2Bgo)zjOsf&|(GrF&gi%nvq^J8>t*Lq8X= ze`c%l4IkjPOtly#65<-uRW5**&22Ts)2C~OYrx6hWwb|{0`wPjN=|uIlH6a)dnoVi z4FU(QK@M5KU>#A$Rp3TJ=H;zz!Lu>C78N65F`ikj+SrpTC^$I$IcfAUS8?N7eH4OU z$2GE4P9|Aoj}VNVwZn#lGug(8_Nucg{}S|6t6cHUG@4GKqX z-DPcNPB|>5CX}e}Ip#iW=;$kOX_*E%_ZhrGyNTRQw{tKQq$-{|M#vadV-@(~VS5rd z5H7!VG;S|Mow30ktjd2arZXT3->BJ{+hDotl`6ktYYJa;4f!Cmh@9Y{cB&IXq4Hz` z!C!o0I@7qr!s58=wqz1LwTNvrw`@Z0k)ZrEw4n^4no4s>uVy4S$kkCk8AUkMNdStW zD$SUn>dQi(X3I(It{Pu^^q+TZ*Awd8lj(*xh_)!()lkX(|K;=w3OGr3K6^_*CAjEB z)Qk3p4b~}V>)Bu$reqm-|JB(8RCU0W%Ktd%8?9m!)ay8O39dgcr8WBZ)Y8neeUriQ zL)rhb4rfC;_nV7l5~YMu>*2#jH-hDnZFBb2-Vxd$U(UY$#qs6_ zYfkB5QZ__~bPjepP{kjs*gLTAlnPF8arJ~?zLBJZ7&5- zyL5t6BjTfPVd6xE3z8F~s@~hvJ~-8mp`TTM3d>ZVcwMC@0uOhxs9_9Sh!yPR(SjW1 zid0X!v;?I6&U(a~D4qs)1^SNgr>gxXS+==^XrI*^fFy%VCt*QZ3g;VY`~H1}-Psa9 zH6Z796qql2#@-gGI%p@bEjJ@UVHp&aF4R`- zjUrH>qGg$?Tv(!UMN&MG;U?(mOU}Q@BaNr38}ClYZ8xx1SRTcsTu}+#v{LgeVS2ot zVryGWgIg9r$fIa$M^LAMIlj%)4|Fa`&0bg0B@kDH9R2G(xl=oxvL#w>4zMZVi@rb$rhp&nl!Q@IHMTNh5lsEXoH6 zRh#eN9klfilv&L> z@WrK_SaMY#Ts`T6-~LndDe}fQC5Y&u>`V`4ZHpA9#jjsCmO&NE04a1G-4iibQT+6Z zZ#`N|GRKqS(p?$aLmaPxtJ>>YI_AnF&y|Ing>6lLq%Kq%aRA2iziP^$2i5%xD82k_ z^LY3C7Uk``{>^2g7cYUd4fjHyRjeHC37Z+t$>JdLwU1V_b`7cTG7xWwv&!Rp+3X2% zrGHCP0xZw8) zg3Dm7q$Q0$sB*iZz}VI;z>^N=sN1z?^#U_pyIlmHXd+-Y?ozdOzxP+ZmZFrFXEdeg zQYlZjj{ih5Gl&orJR0b+OnTp={B3!}mN)RZzasT2yKYsJ0K)j0y7=wMyiwbBUV;1j zFwOZdtk(i1O?X~ zWGXGZjCeQH*1)<%DAl?AffA`bF+fRdg(Hl^z=dK6v#* z7W`7F53Uc99-wvrmjqYWr31ssld7a)F1ykwIiN+R7H%IK2!SIACDha>&FWu zV{)V4a4?X|vx|fM`xS6T1XyN!DIyJ)>?X!bIna^|`UI5fCzW04Saf%y_iu;1J(o*p9v* z=4{G&ALmLi=Vu4?F~e+bTeuxi2|or2#F;M@7;}C13<~YytU&*&hpmWcyZG};vL93_ uMt(E*Oq$G4g0}tc(S@;iO-~>hyCv7YXt=9O1Q&8a#$J|ozyRr$TFNO;B|~KZ From 0f979e41268a2abb0d7c175dfdcac6b879286901 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sun, 19 Jan 2025 10:24:59 -0800 Subject: [PATCH 19/25] Actually add the 2i2c hetzner kubeconfig file --- secrets/hetzner-2i2c.yml | Bin 9687 -> 2985 bytes 1 file changed, 0 insertions(+), 0 deletions(-) diff --git a/secrets/hetzner-2i2c.yml b/secrets/hetzner-2i2c.yml index 432e38bd9ac18cccdca9f98e05cdbcf1d69684d5..45fcc734910376a9c6dd65a882bd445b22c054a8 100644 GIT binary patch literal 2985 zcmV;a3s&?1M@dveQdv+`0OtE|^8kak5)d+%%oC%%aMLCEU_;?y8!E~4WcCrQ;aA*8 zHlp~R+gZ($JI_nGk}$N@*>(Jc&LgMq6VF^9CzWYwK>GbbAYp5V%3j6}qFE=cjT>tB zaxWAH;w_%9yw^0V{&~=FLyPUCtg5{Xrz?y^V~J#C(pUD@4qZryO`T%1#S`+%+@x!x zzDLHFhZ-qkRKd(2A6w;s0T^YcNs70ubvID!Cf@mlT8=zd_o;VJ|8;qdNH-|0_l($}K0Zj(wd0gp{Y9 zTu7uBj>hO!+n~`ZWX#w=o2gnJCS{^MX4HN55LiQxUK@{Fi$GSAwF@6OG zr4TT1mJjpKN|ZMtkBBYGmO*E=pr#@B<(U~aZ1Tdi>nlP8ca{zgw;Cik%4zfZ9s^l+ z2s}jMtDyI41{~LvGqFmIVNk6Fv*x-$n{Ur=_OXA=lk1puDK-$WKDJMEgXGGxmw%DM z@weBM#;7`t>n^SRRklpRMs6Evl$L}k&AU(+bnD`!QXFLOrw(`F1su_PlbPo>4$5S< zwb~c-I zUjyey4q;ZIxyb|J;C2AhYVLyt*9NT;Q;*6$$v4N|5p3jf+*jt$Ko7!7xe0#v)@?R( z*wo)se6q;=nZ9a#WYsA)74nOdkdRf+*z}SsWs9SkzvXE>0U=Q7DBPDNNp?N~8z_2a zX82%>bESC1QTqWc2uLXIH;^W7VW#kwO9v8312=XG1X6|IDSP`M1c1OJe{yv>It|cU z$`!8ZhtO;rmFJdapGS%3eyRciCJPl2wY^M^W^V{evK)esQ)V+1iYDxtNjE0r+BRkv z{2l8>enuMWL7yR|Gn!&l$ zE!2i)nAu)V&3$<|pRer?C$CjOf_BuR*mA4&sa%WN3cy*n)dGS_miJJ)_Q)FW4ClvH z=So#|S`9YaC0P3Q<5SeQFu}@L#|DOD>Iwc6fLfLK;@PQWl5+v>7wC<|wwmaLh@+@2 z6M2>_*j^*gj_j|Di42>v&%S?T6Jzt3Nl-~6`}a zXOLzo!p4}h`Aw%FTc7ct^k{=`RfkiN=d$HU#km| zqsDt3Lk@{;a3cLUWDfwna<7;*fEi-H0bi)?RV#Qbu=sx|{Ub8o)yGRJmjI>midTOF z!?i_;Mxre&yZv`-n^4-lR`%lWggzMwQdpk;O#A8=)B`4{0IQbsoR%PnFFgTV=>sz! z!7v*j$oBnPX~ZwMVQV<_!@q{xVJb zcW~6k$+8(^mwZ}IWKYVMyu5U>kQFyQe^ip=6`>}*sanAwtx~ExEYLR6vN1&2X+XiY z1jVX?iC1>A_BOY5C?E{}3avB>vI*$3Z=B+>dJj+WrMYX2U`0&{YJ$B2g3TefrZR;x zEz-Hneo4x>r&nhIi1qro1kfiN4eSWTDHZam#sa~eLA{Hl(8HfAN~7Nap@dqoE!tl9f{=PCv0 zZ(}0qJpDhFAg>Jg+(pl!b1J+;caIw#`5EhxkQ}asGa!fEw{jz_;Hv9waP1^jT};^7 z>NOoCC?VFpT+nDew$J{UJ%HpBV=vt?R}4oab=1Aw*}kT!TVJ89jLrda3a@FE-|wo5 zl~Wp!C1g&FL*bEP;2Yz?9aoA-CFk&wafnejt2o@zq)|3J9ej|nb@Zw=C0O14a>KSD zK)OZ==7T9uHr3?PTCh+*zoV^oj5}C%^oq3qCh0=Y+_>wJY0d?*|Fnj9lxFemv$Nt$ zzyiw2JWi$Hz@a>~G9N&RDHqDxX{v2L_u0u^fXeA>(Zp}4f(2Q5wJV08$Y!l2vA~|6 zb|T8`;djUapw_;J1O;~+p~q*Z=UFpAFwZs1WID~MS1F4}&* zQ%4)dzd;ga{1O{sqv78x5^p2`vz>ZqQe?xVk!2PrdhQnPiPU>;Q7W8G6Wz9+ZH^N~ zHsSVEx`c5_s=lND{;xQ;6w`UGOq=5>YZ^?#sBIedMHzm>HN1_OBPq_epNF93(Y@gg z;0>V=$tR$5;d}P-^$5%Nvmt1jYTIoY@u)(8XGGs+S%u8eevXQiEe-~8yzGC7$g*H* z7_$J3e<_ohH92S9O@B(dg>Ma#{1@hirWwebK8`I0TrD5R?0+J&$35%3va+{&hcpXS zmiVj#EODu%*(_e&@t{E8Avb&4q~KKy))Rm%3L-(iRd(3QqmmDlvMOb#%cf;zV3Z*5 z_pEkK)G!6yl%8k?)E1`ML>Radqv)K47 zV;Z4CRPmh2Gg~?Kg%3zTGW$vRy4p(h_N=RxE|Uf(WE=cHFK{}AJS?tWTGsB6P3jStE&tvhNisF?L=K?uGJ_HaDL*&EyF`tQ#a~`rV&c;l2;Y% zd9DwQVR10?5gA!Rs6^Eip(08O3U@C-GR>_3`LwJ!Kh(^B?$AL)&`aXvNG{&NTrLm8 z|J=(K-4D0u*Y-aI62-OM^eHW*_X+}6W0UR&&~-b&r?YH-sZ%$*S@~=1)n7ZJ1L5Ex zxj@KnZ3J^K+I0)XDIX*IQNIyw@Hpe_xsBh26;kv9j7V$|Dt61d3i%|ZZk1I{S1a9g zJRfJ0@^&Hl8J9CKi+GKRo-vBoxs1j$3T;4w&0W3Ed#O4$?%UiTp;HR8@=E6#paYOF zZ61z$S+S=GWDjO#ERsI(#Fg%k+TkV{bB(;+4RNUMIozrO=p-Q zmuiSQ`0lE!!f}=G1!^u8ju=02I#Q)#@%%!|F$ko^HFYxelicB<4l=U$rbSLEq}E`D z*UUQuUjQ+IlJD*9irw7Q?Fh+3ge&W%%){byP>xHUusW{CxhkcGeK@z`39)xC0p%P{`t+@^8S25b#?rU_shOy_X+-XWDR<~0<@1C6gOy*TK&6K flEau5TCt#miE2%+2txnyg3V>v-8wod^E!s+k`T|Z literal 9687 zcmV;|B`DeeM@dveQdv+`0BCP;YlWFX5_a#3A9-*i3BHP`lpU?ZiS{~m6y!=AGApWV zKc(-Z6%&hXjN^++*>X^oD}9u`X*DPa;`@nS`>?APT^~9& zbWiz#kU2y=9&ol2%njXW$brXj8WI)iIR<)3orjL3I8Ns{lg(Qexn?OXmpwPQo?Fr` z$vOZx-Ze_iSk79J3bLDWh?q6#-*2bqr`z%b*P=s2)t`5usI4&Hxf%mOYD)HA zrAS+N{|MT#SDkLzsEbYhIToVL3RmLT$@xW7RV_GSxKw|Izz1Lc=o{)m3$qB-H?HRv zPBpHA5p}q>15N3!4+{wR@cO)~?Ls++*~EgN>jk=QW7DV9F1kApL(VG>=!+AWMVVG{ zhaL~X8~K$)yK%2A;19~awG;fq*k(R{u(Y>W}rTQnP+NEoL?23=2k z>h-9o?(DAm|MY-G7M!b@YCVv zj$JC5>vEA6z>QiM5RXosO1;ohao{A8W3OB!`~K&X>g9{%~3@(XO9ogvS*tiEz(%A1m8R*E-yO5j=#YI9er zSqqBf*j^@vHaRHCbd{{i@&=)C;Xi?iJ17H6`2#3h8LiZE~aYe|-d=5f2OI#50YqED8X> z&xLAn9j^cx4oI&N*gmiCb6gQn{#mNDI{3WR(GheQwfT9&<|ax2gynlH>?2UdOcMsn zGyxWW;oMmuc|CpQGEI%Q`T!$U*x?(I=}r`O5yk&JsK2qRhF2 z-6p0(fyG55Chgu3AltTQth%v$JBU!BqkJpyPJtCD_+*e%#yKcQN}P2#IsHOwO#|d% z<KMl*80(onAuInJb*u ztyhE+sm!CcO>nqeKbOk2Jnt14`wetQ!xo&-e&IdJoA4Z zy5bjT2k8(m?!Hc2-iso?dF8_sJP>ftpC$&NGP&5*e8s)K%(2LsNkg)Vck?vbPDjWX z=f}7MMIcYR7p0_T`T|d~PyI-W!ZOx4fAwJ08xRfCB$9_#3e!K3$+WSq_c8RjzTJ80 z?^^Cq-4GZx>K6F1%oXDOEd*2sLPD{rdz#~77c-Wtxxyv2gG^IP?=V@U{alrY%8^H+ znyUj(8gX(W!7oqW*II#BKw9lztn~Ij_9sa`>Ky1LwRx1JDX@4VJU9B*U7>V(#5i7; zD}Wc^=L&W<;oY&9yke)avdFOveBJ?KpT6mTW@V<-tiKK)o1(n@eX{*g)4R)KidWN4 z6=qYkF;YeJgPK2R`4EhMHz8yCsui8X%MNXZv~R~tZoGv6W0;uO+C9~T377G8R(k_^|L@vjeZ>9u| z$h4$}`ilrp0$-RpSq`!*KQd$e32;H0#a-|LlvTd(-fjWBG(FrTXzJVkOeS;L z-`_KYv!9(U;1v|}M}mp^D9M~14fQiH#ZE*VtjBP2=`)F~&^=gUkj9rSPO=#`1BsL< z>Rxsmp}rvt*}Ew|D;*U|6uU7?I$LuK=m3A`)fpbqZ4)?Na`sau3O7j^3>;^Cb%u;= zxNfN`z@J?ar895304WNR#fY)!^6r2YdD%A=i9$mxE?c$0tx|!>5QE_LuLy({p!XsO zbw2Z6n*Q?u77u?2fB$ctV$|SX8)VLjo?m!O6oAkA?FCzXcmZCemc(+ zAEavZ(#2eVR8n0|7@<2yfv|FCF}3?kO3dX_F$ZLI$8moBfj%d7$PKDdSZ`T{ zzjv|uoDv4CAbT~H?zTnUPrwzsTxN`XWP8exmpXkBRXs0$h7f6%YDCUa)aE4%VkM$I z!0pRZ{e_DfJ>zTV;DKc21G#O1wQECVKBhWaJ7=7!(@;iSfb2Kx490q<`(~HpVe=Y>{d8oUvGdC>m)R z)25+kUMo~5C!^h;w&v5w0Lm{n$k$^P^(5l7Rr>U9I*7;Fg~A@b7O<~Lb>-*x7}S0S?$}wU11;d{#)!3!+0E_V%>4Wt-l9Y zYgSf-l-sWNaLVk2hnH|Ga(z@2s8sf-axniC<7EU{l=RfHDhj}npq_r)5N@lmr4xyV zxobiwQ**L9RS}mbT63W)rSe)=m+3^F1it4nSGT3hr1%W1KPs6@(#%XS$^SB+nh3%> zJ|lynn=KDFkif-N4QkqTH=Tex>U+gor0wE{gD|}k8N?RopGeX!!Z}}fcR|nFm(tSI z33@8|jbOLRl(#8~+}V$p*STdRP(Wob&kYS{+A%#rx*i7qgY7gbV4Q5V3NKIHRD4PM z7p89YBJj#j>|4Kc*)6Ars3HSTjhdF@IDC!e%RNTzcYj(l66c1EQa=LPtZAeEJs2_V zlxQtK+5RmVN+_(smz_j}9ND6n#vvaLd)KQ&f#a5G-!|tRxQuRiw*5vK7Cv!d zdCE`O=xzuV25#0s^9fg4^uM(dd=3D2b31aoqGkxm8&fdM(G4`#g@+(^r$T?(863Rp zjR&8zjYO?hZZb3MWSOf1jWTv!ifWdNObBq*`nn&G*%{M}oj&uSSX8~=2gt|>qmWN0 zyl{nF{RAaS+e+{+@9*^Kz4S7JG%V|NjIf-KNgPvzl8!GWRT|Ing;s!6A;&)NfmxY@ zyObHb{EL9F>fQU2SjB5}5jl>_wWQo(T)mZmHJq#Ty@nIF!h)NoCP^ zarqZjxCJq@xxwD3Q#X(L!=&K-hLm-zubo26G$h1>@#$({hjb>D12%N7isuVdYyrS< zAFOe4tdsfyI4qJeJR^4JX@Fpa<|14PzM=EWcU@$MyrY`Phh5_#J@5!TH+Y-iLx zM(+%Ahxc_}+dA_$ZgGBx>^c&BJTyaZ{M}354-y@Ce zDGk1;ktE|k2n5OF@5DR`U<_7ADg>)f{3=*1J+0n4e9}i}n{b3wT8`I6nY(d=d8l>0 z{Iho}D#(ZhwE3hMjUlfb-Wf;B`5fQpN%fP{{Ja6uMu@53ae26pKtR@puGsFbw>-Hm)09UfnyJGnH&~lqzYrksb>FxO#Lid8tKfx6T6}NFDegRRE z-a;awRgNtDx&NDbWRW5k%&Alb02E6O3IyMKT=frk(}1TiQkR=1pDo&Od4+N`p3#Qx z-R8&~fGHcI6UwAyIo1MOs!OK+F5x?PE#Pf!7tg9LcMaS4$!f}jmkEQAH2-k(X~F&o z3aM*KNHbHzQN#k``Mt$ZCz|R)B%>@eczr{_#ewzxE^CL#b8%0Z+>CGSd#|FJlKWrv zo2FBT8?Kh>UIl{n`9GO_3`Dz$mPg7I8h$|f*C$iS(wEqc{w8eAuJaWU*{6Ed%S%3f z$|R?JBQ!l!Y`t#Jk$E~;%JQ`X=m4<#ToVRS6{L1pHLFCsd~aB`)VN{OX#D$qcVBtE z8DB#&m6Me|d4MYf`L^XvoHYsew^)T+XiF%g1|kPtKA8j|fn}&2A(+XV=4$oGM0cyr2$jFhG)k%xEDL2Y@BNfx6saNtijNYL$ zbN0NaTvakLVgX{R7*u2yd|!P)k{MBQ!&-jhUM^MF2)0kG0(>p*wV5hEcfq83wZ(8A z(;mX6HbWNid4fRN>#D55b8C-)s~J3wD!eO86^Q`!*9OG?l>}ioEIu9M-4W2#{d(>R z5B!!cCSo9O-M-2rTR99NCKWO(7vR#dZwE<}f7Asw_F&F5HdU;JT)IPc<3V>^3Pb!+ zi{1wD9-^{tL&PF5%Hce*om5{$rk~ubffKf=FuQZ8BlT@86(qy4<0d~4gkCn z*s3&k8{Z^>dWX_doghx~N2Q#jwB}Kus|?=aBQ9Ovx{*Q8Bsw2S3ucSvZ^XkQzczTY z`i~w(Bt@~AnwDFkG`>?CMK%VruynhWm65PV*_g1ZyK_;J*;VBjy_O9DdZm%Ue63S< zR$4fhHd~(bw@;-LDGQ(KpuPcO%}t)yiH;jg8g33!wstl31ZH{rCcG&eeKL z6qEeBV@;lFHC6vDo+WabPleF)wcYtp%O3UcwP@6v!_?Ii#?r<_*a{|&{Ux8X9cNgY zWdg(?`dd5>p|2M7ueL`vjk8L#k2>?)1ifGl&Bh=Qtk(@x@Rd@DC6W&0HK&&MEB56W{4Q-vUjtV|Ov+JMG z*ntE;xdBvfAf+rK1Vlt+c7%M$>OTTWPc=l90EGK#Ro6kNK9flyp)hFd2SM0V| zuOVIOn(6#4p4rXiWgun|L+EqKrB~A{-$lxi%v7Tp1q(VKt=d`Xd|BtMqUBCx5FveU z+&e`QVMPhz9LvE3=X<%F*76hPnZaM%7Bbmykbt?R0rRHG)bwfwKHnsdBP3#oIQu|7 zJ^?w+x|`B&3Xt;|S?^GYEJ4o>-A*pGDh@wjvL~9)t(O1EKx*%4pHdK+()Rk8kh!Uj zwB;^uednpE<2ri~1ms;-*ryj_m-uow>!kmnTVbP-^GPZK@bja9Y@)L*_1-rdjmE&0 z%&_!_NgC_l=X4`7KLp+6#NjC8L&N-gsQgNowtg7>GC6hAC^8N#NI#;W9VfN$HGRBEsqcxJUj*cGPpt;a#rx`{Vq->e+j2d#~PE!033LBvV`MyFi?(b%tLLtX zQrn2EckiC*@SFJ3X zt3;VQU!b`Y4Pa60mAs`35FE*3?-+KS#2i2rbnM^E5QKLHRSmIPRrhdGO6Hbue5~>r zAeF(4SEvfGN?jE_F;bL>E|{|Ezd9O-{KU7YWtM0gabi6GlAQrSATx=e=~&>Zh5A;# zJS0(#CC4U#Cx^hotqYj=W!-zd&cmZF`~C37y%RGP9A_uNalgWDdb5DJez0y5Dyxb) zU?4kWFn~3lvTq#pPW{x&!>Ee`xZg z#A^h3(24eSaQS2Jw@^fb`sd1kKK4chK)y6yHllBERWzG+`me1_X0yPpol>%QH$x7y zJW^1S@-Wh z!(QmPclX@1*)yK0O*$;*TZn&3^gjAus`-*N<%QL!SqCd9&XN7NsNT1zbDxt+16r>P z{`-KHGWmT_WVP3(uvbfVTeT1CVg5bj^x4lIJz+@tJo27GkaDNnNa+xofF5{TtUcv* zL22(1q6Z2qHS;E??`2d|ingE?$v3;hh9ns)A3f-%ejuFX4;M$F)2GnP4)#v{TDa|j zt<4UWJ+XSn5+&}e`&rPVOGXVjI!G(U1erx%0{iFd5gDTaoOKUGJFSBm9 zHjwfee?4Qk!YYXN?|7qlMprRtH6C3B1?pE|cV{E3*81jxM_)LqW!n8wU7dq{k+d-S zOaKTQ>BS2ypZ?*?6%8NRFgegmix7OhhCu~buR>dDiaXqMPHRvhg8t-@1%C}8w<*7( zM=AxwTLiUirVq%N*VbllJKk#SALCRDFS@` z+(DG3(G^>-zkb=mvlMqQ_yrC^^nr(pq_F3b9=Jcvs(atz z9K>tf95wAJl*+x}1R3Rii? zcg%)ABZ6@1O(&jKBVG)GbPKt1mFl!VFT>*N=ijn75d5n6606)>mkjjNU!fo>TRVIb z-@iW$=t__dr5xHuarHFmz4iJ|TBb^RSO5~W07UTv9#3^D*jn~!hq=CLh3jKRMt+c zJ%0@An2us32_Mu>S-u#A&mz@n(nflPnodTj5t9Ka&N1TZI(B=D+F4XzHdOp&W#04&F{a^RT9(wt*UE|e0@v@u^KjmE)v5D zTlIPuw#pgzEN2ezGBwH>Y>s$U7j_)Oyria3i>b`yF_zVUQ23FL5bQ>frnQxUy#ul^ zWF0`WU>_lOGas`&nl?PlJ+mmRUz(d-+cize*hD`^*D^v%j1Y}-!cbYD2#dYgxPO)E zFbBVsA(gX?T5V|J@_-|SP&N{QOc=E5$EDeReIAXUxEXmV-{8)z!PGBqhf^$UUI$8) zn55*u&F%D7Le+2M77;uSBaK@hOEA%nts}UJK(>ViTn9XA#z&OzEh9e7S{))B;%bC&4Y*PYPOyH4zaRIH7jZKgnT(FdTW{7_Yge)B|7Gc;>jU^XcuEE&^v1m@`e zcUliPgJ%*4;Zhjd)6@$c2Q_v8BL=}3%pW)6R?dfqi;wt!kiqEEALHxk6rRKM&8o@& zhAGL-du6hcVnjof2x^Sq#u@>+5<|_PR2MA~0R+2M=&kH6I;!L`W+B)b;(s9zq*fi% zrB!m|DZ|qzcvu-3S&yn2FyW&S%0D{j6O|ZlC?abF{cPyC#6tdv-e`F6&+7$=$nKsl zk&o<54eO69Jw;WnrP90pyFoShJ`$*JZtRfH&y$5w2>oaHN1I9nVJkhQJE+ScIp~9B zh;?z?wa85lVWH;Skyk{j{xZfmk^h7a1R}qb&lWrp19-zs*q{mPOvG%NZadZy9)6I+ z#4Y2rfO!|&@5gaKn|DTu<0{9^?4K-KL!HVe{}MViEW+N)5s1Om&-5l;3#hEm@SgFV zMeM%nmDS+wGf;qRW`xnL%^IZ~ZOv5(8A}8qmMEb(4y7zlAW}`TXHse zglR`MKC0VkmkHcq}vse8xAIxO2;t*xqnVaK&LvYd9c>1X_)=cmgDR)L5K{ z*~YuU6#LEBvdu4-LVZS2sq|}oNWT+Dt!t5S(9yq**$tdk=HBWqTI!_qYI(EXHDim` zr_*q7szOo9;O$wgCM0qy~El+>@ZU{P6Fx0H1ZQZvO@GJWQ>Q6-)Q(hQS^-&e=o&8*BN^9 z$b5CkPA^iQxmH!uPu_i&@tl(5FHwouxsVhkU;+-xstKSD1Rt5y@9GOr0-2ydmYYS) zpZ=ciy%|nSp0rmC9mk#{Rp4)q-E^GegNGeUtn zDfXg4C)oyG_^cczncMm-!+E(o_$5+JPC*_9{H{DNoyS~kOdrFJKmAe1ZVI2EPQJOC zOCM@{lT}}BUhu*&m3Tib#+dJN(uL*uYMTdlObHRig|xwmFa=C^DeS9$c{npwTpdao zQkzO56fnfJZ+UV0_XiDkfL;z3)odfx7BYba+^Wp^FL{>0VA{-uT8<^H-52*V01lsr zj~;JDwf~PAW?$UaLxa2<7R(oQ`iSNII`SCb;>15861)3DEm~4YQ{>y^-ozMG`1?-C zM=}M=^HaXGQhp0l?ciGB`z-35w04oq%mdXuS8YZz7e2-ytX)P{afg$w857^coVR{p z_AmV-Z0vXdpu>D@bc$Z_>1Y7x^wTgMJ_k=F;AqoVzYM8zg@eOC>2FD}O_=$k&v{m5 zRkV163xLW+5Z%V@p(O4xf%0!uLsJ7<-Qmlw`so2zo(+#mqTcR6Y=G|vdfr*X&^aIh z+<7BO%zsN?x+EC|7=Ca+)RgS?(T*H(>kLq%ZCy&3xxvW1i0gnYxqHdYS)Xmzi{i08t0S=rP-5t(XdYWZXzV5| zwb<^H4(fS#D@#t0&BTjB5B16@PeX3qTuSdY)|k$-lHMJhSX#7hlwe!H46FGPN$$7f zli4O5w!B^d{k>4sO_d<_TuEcHyIBVW(axQKIq>CDBKj65;yO&CAC+J6Z_F}jqiM)EB!lZ z3AMG+Zz#o_z>3oqLZqqDZbd+^4W6Hp!HUf4n!@FmFYbBhzuE#`0D6B-^dgTg_Uj){ zSNUy20U=%_nPD}oouM~+YbsQ+@06a z>ZPfzE%-Lxmx4=|7gvK(fE3^O-NC| zdoKg%k4(3%{w;llO#oRcE9J3(GTNCmnm8zrg3%?{&BPwT2M_TE$wiArW`aoD%r7$^ z4SCzUeDa}xwO`#Dw<|6)JP4>DW7 z-|kW97?EPB7F*4CcX$K2ADQZfbCS51|FY~!5jR>kV5A#Fd3P9?>4xeS8Qvtjw525Y zFR`!^()yvHZ{Y${NF#FpTQQ<+inWb4{xoQm?h0$)9<7-O)vK>VZ^k9NieAOz(0^sz ZaIsfTH)5|R2hkL)V(@N0G&awbp91}5t?U2* From 42a4edba59172230785c087ef11fa384f229b126 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Sun, 19 Jan 2025 18:25:44 +0000 Subject: [PATCH 20/25] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/deployment/k3s.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/deployment/k3s.md b/docs/source/deployment/k3s.md index 1a798d25d..5239c0031 100644 --- a/docs/source/deployment/k3s.md +++ b/docs/source/deployment/k3s.md @@ -1,7 +1,7 @@ # Deploy a new mybinder.org federation member on a bare VM with `k3s` [k3s](https://k3s.io/) is a popular kubernetes distribution that we can use -to build *single node* kubernetes installations that satisfy the needs of the +to build _single node_ kubernetes installations that satisfy the needs of the mybinder project. By focusing on the simplest possible kubernetes installation, we can get all the benefits of kubernetes (simplified deployment, cloud agnosticity, unified tooling, etc) **except** autoscaling, and deploy **anywhere we can get a VM @@ -23,7 +23,7 @@ but we have a slightly more opinionated list. ## Installing `k3s` We can use the [quickstart](https://docs.k3s.io/quick-start) on the `k3s` website, with the added -config of *disabling traefik* that comes built in. We deploy nginx as part of our deployment, so we +config of _disabling traefik_ that comes built in. We deploy nginx as part of our deployment, so we do not need traefik. ```bash @@ -49,4 +49,4 @@ TODO ## Test and validate -## Add to the redirector \ No newline at end of file +## Add to the redirector From 51a756b8c49a5993f2e3678f2abf08cf5d16f7e8 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sun, 19 Jan 2025 10:31:12 -0800 Subject: [PATCH 21/25] Add note about DNS --- docs/source/deployment/k3s.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/source/deployment/k3s.md b/docs/source/deployment/k3s.md index 5239c0031..01e507dcc 100644 --- a/docs/source/deployment/k3s.md +++ b/docs/source/deployment/k3s.md @@ -37,6 +37,19 @@ This runs for a minute, but should set up latest `k3s` on that node! You can ver Follow https://docs.k3s.io/cluster-access#accessing-the-cluster-from-outside-with-kubectl +## Setup DNS entries + +There's only one IP to set DNS entries for - the public IP of the VM. No loadbalancers or similar here. + +mybinder.org's DNS is managed via Cloudflare. You should have access, or ask someone in the mybinder team who does! + +Add the following entries: + +- An `A` record for `X.mybinder.org` pointing to wards the public IP. `X` should be an organizational identifier that identifies and thanks whoever is donating this. +- Another `A` record for `*.X.mybinder.org` to the same public IP + +Give this a few minutes because it may take a while to propagate. + ## Make a config copy for this new member TODO From 71225152ce204a6076224895ed4968decb2d4229 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 20 Jan 2025 21:18:10 -0800 Subject: [PATCH 22/25] Switch to newer bigger Hetzner machine --- config/hetzner-2i2c.yaml | 2 +- docs/source/deployment/k3s.md | 30 +++++++++++++++++++++++----- secrets/hetzner-2i2c-kubeconfig.yml | Bin 0 -> 2988 bytes secrets/hetzner-2i2c.yml | Bin 2985 -> 0 bytes 4 files changed, 26 insertions(+), 6 deletions(-) create mode 100644 secrets/hetzner-2i2c-kubeconfig.yml delete mode 100644 secrets/hetzner-2i2c.yml diff --git a/config/hetzner-2i2c.yaml b/config/hetzner-2i2c.yaml index cc8e8a2c0..379e9081a 100644 --- a/config/hetzner-2i2c.yaml +++ b/config/hetzner-2i2c.yaml @@ -127,7 +127,7 @@ ingress-nginx: scope: enabled: true service: - loadBalancerIP: 138.199.149.127 + loadBalancerIP: 116.203.245.43 static: ingress: diff --git a/docs/source/deployment/k3s.md b/docs/source/deployment/k3s.md index 01e507dcc..53a307d2c 100644 --- a/docs/source/deployment/k3s.md +++ b/docs/source/deployment/k3s.md @@ -26,12 +26,32 @@ We can use the [quickstart](https://docs.k3s.io/quick-start) on the `k3s` websit config of _disabling traefik_ that comes built in. We deploy nginx as part of our deployment, so we do not need traefik. -```bash -curl -sfL https://get.k3s.io | sh -s - --disable-traefik -``` +1. Create a Kubelet Config file in `/etc/kubelet.yaml` so we can + tweak various kubelet options, including maximum number of pods on a single + node: -This runs for a minute, but should set up latest `k3s` on that node! You can verify that by running -`kubectl get node` and `kubectl version`. + ```yaml + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + maxPods: 300 + ``` + + We will need to develop better intuition for how many pods per node, but given we offer about + 450M of RAM per user, and RAM is the limiting factor (not CPU), let's roughly start with the + following formula to determine this: + + maxPods = 1.75 * amount of ram in GB + + This adds a good amount of margin. We can tweak this later + +2. Install `k3s`! + + ```bash + curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="server --kubelet-arg=config=/etc/kubelet.yaml" sh -s - --disable=traefik + ``` + + This runs for a minute, but should set up latest `k3s` on that node! You can verify that by running + `kubectl get node` and `kubectl version`. ## Extracting authentication information via a `KUBECONFIG` file diff --git a/secrets/hetzner-2i2c-kubeconfig.yml b/secrets/hetzner-2i2c-kubeconfig.yml new file mode 100644 index 0000000000000000000000000000000000000000..57cbdd47c757838fce4a73f2dc2f0254e38bb33f GIT binary patch literal 2988 zcmV;d3sdv}M@dveQdv+`0Jaiz58zK@Na zzcfA0`?{>x*(Dsu+_RMf0Lhcz<^*umG{s6%hLM9k#1MvtjGi^x<(M51XB95xk}kpK zrni(xBaG#rcr7P7+2|^7I6BlYa^w1E>5Dw5;LAC?z%1{t$#W+wR29s}C>0xDX!by+ z1wYCuVMm*Qy}zoNrlZmH_mC zC$N+T*k$k{@w)wv`EJ)oU$M`k4*uGcf-4hBOd<&Lu(IG?KZ6^=7KGsRlAB}VDvre}`Yd$J5lLUR6t8OFT`_nB8q!0~TgEcrWC zyK|U;8=KprpRT1N^M0p6)v74bGP2sWy z(uB7x2Mm+4%##vl?!s9GO&oY^2F%Zbv21iCwRf#iz8c~gNhZAvItYrR{xNvhu+S-+ zcSng6)`lq>rvr++XQDwP)s? zb0=9p{X4Tf5RJWJ={;MV##cJVKZQ_E{RqMV`WkjPUHC`%;n|+dO(Z2|N3SQQ)$#vj zUDsY`$rnc8(N(7$?}Ho#Xf)`<7*+YaMuKXwFeH1~LrrP&#DseCt(Im6$nzbe&EI7# zaCo*pOXpH>+X0ws3RBU}vr#_>#%kJHB*_RCQ!1u8*uEe*mMibg-DIuH^1;DW7W%j+ zY#SQYmw<)14qE2}Ew#NlplC#iYn3>yE6N12*XL}i$z|>mZKOL%I7ReF`yzr;eE&(s7Jf58AbaGI-3DM!l9IgVoAG*Kg zH_H4m4BE0^gV4RCV;(ceDE*OeQ`aLH z*D!np>H)eO;WMLibmtD}-%l>h%C4gly<@xTP@ul@bz#;{wF=9KSWtQ=tn_U=jyE!@z0Z&Vr%ELWripdPpEC4 z+)Q=fu{OVrh1kvyWGd(ML7LjlNtD?h^%F6LZ#Q}&iYn|G=>$q;n#kPu%QYnhv}htC z&wzqQX@ON9V|+kisLwPRV3;KrpQ6=gf01c@Pa3(mn0dltPtLn#2sF(9+aqHS%#dSR z#>QTzJdF?9$so{;fIs>-C0U+QX#vli3Jtvjv^s{e*#Na>tS)3P zpfdod-hNgXOK2oQQtMb&3tE1OIe3ue1*?{6vO00yujPj1=I~=2<&9O0YxIMVH1k>z z1&0!eVaixG&rsOM@7K$j}Ykhy&G1HW$mi9SYy!JT!;-glh=Yz zd649MHK|b+^i_9{Jy=M4KmcWI8yiVMg@w>`89S^?vZi#!eh>?S+~f|usV4% zxdIbQ8@MAUrQf^0e1bUG$R1xH)l;`k(R}L=TR2RWDkygSG9CipI+=2miAXt=@uuF= z{bYIXk81{y)?lWwd%M7~TB4B28Ujz%1?C*z1NM!nHT=-Sa{2)CEUd99X~pLaU?xV3Apno&t{Nab%K zn>le&dy0J8ywB@1_%dImT?hvD#(2DZrWvh!YNbqeUTRu`#y+8szp%9T+nEsa+Sjx# z|A#%}>1i;S&7^&7P|JrsQ}w1qD=3u`fksdbzsfg0+;{{+B{J%cHy|O!Ffg4}p979b zI%$8k7cn_nm^X5R2~f-OcP)1~zJBjN=m*yG&4IRux8HGmhpYwAK>Le(&$x~ z>0`$nTPc|Z+y4C=cr!AhEroSiuEkT-vX;^@C9?-U=vi@=Bzmmc#5bsO&sR6pZNnm-jrT_WQtX?72q zYf^txwBF}C1b7d8si;xn3o7ZAj`12GSNu-%L%hdNsT zW=aw6|MbD{N1|8rBY#u5lf&G)v|89ZpEVRw@3UTRn)an$7{T0tet-Y@LT<+&wdfv=mT3WjVgE)626~r^z;?Er%7d|{*OC1ONjovWnD)Q zBvo#T1wb7%E_0|2A2SZ_Q^Lk$f4aO7Pimy-jX|CuX&ZCy!2^+fixsstKb{`rE%dC(*7AQpfKv6lAl~`u7xS#IeyK`Z9vRlN|<`_(+Y9OTs i@ilQtBbDt~5ft8hNb2O>n1LB0mn7AO3o7!Z@Jt0et-Q|w literal 0 HcmV?d00001 diff --git a/secrets/hetzner-2i2c.yml b/secrets/hetzner-2i2c.yml deleted file mode 100644 index 45fcc734910376a9c6dd65a882bd445b22c054a8..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2985 zcmV;a3s&?1M@dveQdv+`0OtE|^8kak5)d+%%oC%%aMLCEU_;?y8!E~4WcCrQ;aA*8 zHlp~R+gZ($JI_nGk}$N@*>(Jc&LgMq6VF^9CzWYwK>GbbAYp5V%3j6}qFE=cjT>tB zaxWAH;w_%9yw^0V{&~=FLyPUCtg5{Xrz?y^V~J#C(pUD@4qZryO`T%1#S`+%+@x!x zzDLHFhZ-qkRKd(2A6w;s0T^YcNs70ubvID!Cf@mlT8=zd_o;VJ|8;qdNH-|0_l($}K0Zj(wd0gp{Y9 zTu7uBj>hO!+n~`ZWX#w=o2gnJCS{^MX4HN55LiQxUK@{Fi$GSAwF@6OG zr4TT1mJjpKN|ZMtkBBYGmO*E=pr#@B<(U~aZ1Tdi>nlP8ca{zgw;Cik%4zfZ9s^l+ z2s}jMtDyI41{~LvGqFmIVNk6Fv*x-$n{Ur=_OXA=lk1puDK-$WKDJMEgXGGxmw%DM z@weBM#;7`t>n^SRRklpRMs6Evl$L}k&AU(+bnD`!QXFLOrw(`F1su_PlbPo>4$5S< zwb~c-I zUjyey4q;ZIxyb|J;C2AhYVLyt*9NT;Q;*6$$v4N|5p3jf+*jt$Ko7!7xe0#v)@?R( z*wo)se6q;=nZ9a#WYsA)74nOdkdRf+*z}SsWs9SkzvXE>0U=Q7DBPDNNp?N~8z_2a zX82%>bESC1QTqWc2uLXIH;^W7VW#kwO9v8312=XG1X6|IDSP`M1c1OJe{yv>It|cU z$`!8ZhtO;rmFJdapGS%3eyRciCJPl2wY^M^W^V{evK)esQ)V+1iYDxtNjE0r+BRkv z{2l8>enuMWL7yR|Gn!&l$ zE!2i)nAu)V&3$<|pRer?C$CjOf_BuR*mA4&sa%WN3cy*n)dGS_miJJ)_Q)FW4ClvH z=So#|S`9YaC0P3Q<5SeQFu}@L#|DOD>Iwc6fLfLK;@PQWl5+v>7wC<|wwmaLh@+@2 z6M2>_*j^*gj_j|Di42>v&%S?T6Jzt3Nl-~6`}a zXOLzo!p4}h`Aw%FTc7ct^k{=`RfkiN=d$HU#km| zqsDt3Lk@{;a3cLUWDfwna<7;*fEi-H0bi)?RV#Qbu=sx|{Ub8o)yGRJmjI>midTOF z!?i_;Mxre&yZv`-n^4-lR`%lWggzMwQdpk;O#A8=)B`4{0IQbsoR%PnFFgTV=>sz! z!7v*j$oBnPX~ZwMVQV<_!@q{xVJb zcW~6k$+8(^mwZ}IWKYVMyu5U>kQFyQe^ip=6`>}*sanAwtx~ExEYLR6vN1&2X+XiY z1jVX?iC1>A_BOY5C?E{}3avB>vI*$3Z=B+>dJj+WrMYX2U`0&{YJ$B2g3TefrZR;x zEz-Hneo4x>r&nhIi1qro1kfiN4eSWTDHZam#sa~eLA{Hl(8HfAN~7Nap@dqoE!tl9f{=PCv0 zZ(}0qJpDhFAg>Jg+(pl!b1J+;caIw#`5EhxkQ}asGa!fEw{jz_;Hv9waP1^jT};^7 z>NOoCC?VFpT+nDew$J{UJ%HpBV=vt?R}4oab=1Aw*}kT!TVJ89jLrda3a@FE-|wo5 zl~Wp!C1g&FL*bEP;2Yz?9aoA-CFk&wafnejt2o@zq)|3J9ej|nb@Zw=C0O14a>KSD zK)OZ==7T9uHr3?PTCh+*zoV^oj5}C%^oq3qCh0=Y+_>wJY0d?*|Fnj9lxFemv$Nt$ zzyiw2JWi$Hz@a>~G9N&RDHqDxX{v2L_u0u^fXeA>(Zp}4f(2Q5wJV08$Y!l2vA~|6 zb|T8`;djUapw_;J1O;~+p~q*Z=UFpAFwZs1WID~MS1F4}&* zQ%4)dzd;ga{1O{sqv78x5^p2`vz>ZqQe?xVk!2PrdhQnPiPU>;Q7W8G6Wz9+ZH^N~ zHsSVEx`c5_s=lND{;xQ;6w`UGOq=5>YZ^?#sBIedMHzm>HN1_OBPq_epNF93(Y@gg z;0>V=$tR$5;d}P-^$5%Nvmt1jYTIoY@u)(8XGGs+S%u8eevXQiEe-~8yzGC7$g*H* z7_$J3e<_ohH92S9O@B(dg>Ma#{1@hirWwebK8`I0TrD5R?0+J&$35%3va+{&hcpXS zmiVj#EODu%*(_e&@t{E8Avb&4q~KKy))Rm%3L-(iRd(3QqmmDlvMOb#%cf;zV3Z*5 z_pEkK)G!6yl%8k?)E1`ML>Radqv)K47 zV;Z4CRPmh2Gg~?Kg%3zTGW$vRy4p(h_N=RxE|Uf(WE=cHFK{}AJS?tWTGsB6P3jStE&tvhNisF?L=K?uGJ_HaDL*&EyF`tQ#a~`rV&c;l2;Y% zd9DwQVR10?5gA!Rs6^Eip(08O3U@C-GR>_3`LwJ!Kh(^B?$AL)&`aXvNG{&NTrLm8 z|J=(K-4D0u*Y-aI62-OM^eHW*_X+}6W0UR&&~-b&r?YH-sZ%$*S@~=1)n7ZJ1L5Ex zxj@KnZ3J^K+I0)XDIX*IQNIyw@Hpe_xsBh26;kv9j7V$|Dt61d3i%|ZZk1I{S1a9g zJRfJ0@^&Hl8J9CKi+GKRo-vBoxs1j$3T;4w&0W3Ed#O4$?%UiTp;HR8@=E6#paYOF zZ61z$S+S=GWDjO#ERsI(#Fg%k+TkV{bB(;+4RNUMIozrO=p-Q zmuiSQ`0lE!!f}=G1!^u8ju=02I#Q)#@%%!|F$ko^HFYxelicB<4l=U$rbSLEq}E`D z*UUQuUjQ+IlJD*9irw7Q?Fh+3ge&W%%){byP>xHUusW{CxhkcGeK@z`39)xC0p%P{`t+@^8S25b#?rU_shOy_X+-XWDR<~0<@1C6gOy*TK&6K flEau5TCt#miE2%+2txnyg3V>v-8wod^E!s+k`T|Z From 42764eae778609a53f94461adbfbd84a6b8951a2 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 20 Jan 2025 21:19:09 -0800 Subject: [PATCH 23/25] Bump up nginx memory limit Was crashlooping on hetzner --- mybinder/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mybinder/values.yaml b/mybinder/values.yaml index 8420fe029..1a8147183 100644 --- a/mybinder/values.yaml +++ b/mybinder/values.yaml @@ -497,7 +497,7 @@ ingress-nginx: memory: 150Mi limits: cpu: 800m - memory: 500Mi + memory: 1Gi tolerations: - key: "node.kubernetes.io/unschedulable" operator: "Exists" From 0212202857d77f877428c39aa781edfe0919102c Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 21 Jan 2025 05:21:04 +0000 Subject: [PATCH 24/25] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/deployment/k3s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/deployment/k3s.md b/docs/source/deployment/k3s.md index 53a307d2c..b0a5f3015 100644 --- a/docs/source/deployment/k3s.md +++ b/docs/source/deployment/k3s.md @@ -40,7 +40,7 @@ do not need traefik. 450M of RAM per user, and RAM is the limiting factor (not CPU), let's roughly start with the following formula to determine this: - maxPods = 1.75 * amount of ram in GB + maxPods = 1.75 \* amount of ram in GB This adds a good amount of margin. We can tweak this later From c4402bc023ce2d070b3116cb670053095a8e8cc1 Mon Sep 17 00:00:00 2001 From: Min RK Date: Tue, 21 Jan 2025 10:19:36 +0100 Subject: [PATCH 25/25] add hetzner-2i2c to deployment workflow --- .github/workflows/cd.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 81476c323..9fa3b793e 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -222,6 +222,11 @@ jobs: helm_version: "" experimental: false + - federation_member: hetzner-2i2c + chartpress_args: "" + helm_version: "" + experimental: false + # OVH deployment paused # - federation_member: ovh2 # helm_version: ""