diff --git a/config/clusters/maap/staging.values.yaml b/config/clusters/maap/staging.values.yaml index 3b391c1a0b..25e2b3c0e3 100644 --- a/config/clusters/maap/staging.values.yaml +++ b/config/clusters/maap/staging.values.yaml @@ -22,10 +22,8 @@ jupyterhub: - -c - > id && - chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public /home/jovyan/shared-group && - if [ -d "/home/jovyan/shared-group" ] && [ "$(ls -A /home/jovyan/shared-group)" ]; then - chown 1000:1000 /home/jovyan/shared-group/* || true; - fi && + chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && + chown 1000:1000 /home/jovyan/shared-group/* && ls -lhd /home/jovyan securityContext: runAsUser: 0 @@ -33,8 +31,8 @@ jupyterhub: - name: home mountPath: /home/jovyan subPath: '{escaped_username}' - # Mounted without readonly attribute here, - # so we can chown it appropriately + # Mounted without readonly attribute here, + # so we can chown it appropriately - name: home mountPath: /home/jovyan/shared subPath: _shared @@ -42,8 +40,13 @@ jupyterhub: mountPath: /home/jovyan/shared-public subPath: _shared-public - name: home - mountPath: /home/jovyan/shared-group - subPath: _shared-group + mountPath: /home/jovyan/shared-group/CPU_L + subPath: _shared-group/CPU_L + - name: home + mountPath: /home/jovyan/shared-group/GPU_T4 + subPath: _shared-group/GPU_T4 + storage: + type: none profileList: - display_name: Choose your environment and resources 
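Review bot: The new `chown 1000:1000 /home/jovyan/shared-group/* &&` line drops both the emptiness guard and the `|| true`, so an unmatched glob now hands a literal `*` to chown, fails the `&&` chain and stops this root (`runAsUser: 0`) container, which would presumably keep the user's server from starting. It works today only because the hunk at -42 mounts `CPU_L` and `GPU_T4` under that path, apparently in the same container. Naming the directories removes the hidden dependency and limits the root chown to known paths: `chown 1000:1000 /home/jovyan/shared-group/CPU_L /home/jovyan/shared-group/GPU_T4 &&`. The command list and the container definition begin above this hunk, so the shell and image in use are not visible here.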
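Review bot: `storage: type: none` at the end of this hunk has no comment, and the `name: home` mounts above it now appear to depend on a volume declared only in the `KubeSpawner.volumes` entry `00-home-nfs` added at -229. A one-line comment would make that link explicit, for example `# home volume is declared under hub.config.KubeSpawner.volumes (00-home-nfs)`. The two group mounts added here also repeat the list in `group_overrides`, so a group added there without a matching mount here would never have its directory chowned; `# keep in sync with KubeSpawner.group_overrides` next to these entries would flag that. Indentation is lost on this page, so the parent key of `storage` is an assumption.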
@@ -229,6 +232,92 @@ jupyterhub: config: JupyterHub: authenticator_class: generic-oauth + KubeSpawner: + volumes: + 00-home-nfs: + name: home + persistentVolumeClaim: + claimName: home-nfs + 01-dev-shm: + name: dev-shm + emptyDir: + medium: Memory + 02-extra-files: + name: files + secret: + secretName: singleuser + items: + - key: ghsa-w3vc-fx9p-wp4v-check-patch-run + mode: 493 + path: ghsa-w3vc-fx9p-wp4v-check-patch-run + - key: ipython_kernel_config.json + path: ipython_kernel_config.json + - key: jupyter_notebook_config.json + path: jupyter_notebook_config.json + - key: jupyter_server_config.json + path: jupyter_server_config.json + 03-shared-group: + name: shared-group-placeholder + emptyDir: + medium: Memory + sizeLimit: 1Mi + volume_mounts: + 00-home-nfs: + name: home + mountPath: /home/jovyan + subPath: '{escaped_username}' + 01-home-shared: + name: home + mountPath: /home/jovyan/shared + subPath: _shared + readOnly: true + 02-home-shared-group: + # overrides the root of the shared-group folder with an empty dir + # so that the user can't see the contents of other groups' folders + # that the user is not a member of + name: shared-group-placeholder + mountPath: /home/jovyan/shared-group + 03-home-shared-public: + name: home + mountPath: /home/jovyan/shared-public + subPath: _shared-public + 04-dev-shm: + name: dev-shm + mountPath: /dev/shm + 05-mount-ghsa-patch: + name: files + mountPath: /mnt/ghsa-w3vc-fx9p-wp4v/check-patch-run + subPath: ghsa-w3vc-fx9p-wp4v-check-patch-run + 06-mount-ipython-config: + name: files + mountPath: /usr/local/etc/ipython/ipython_kernel_config.json + subPath: ipython_kernel_config.json + 07-mount-jupyter-notebook-config: + name: files + mountPath: /usr/local/etc/jupyter/jupyter_notebook_config.json + subPath: jupyter_notebook_config.json + 08-mount-jupyter-server-config: + name: files + mountPath: /usr/local/etc/jupyter/jupyter_server_config.json + subPath: jupyter_server_config.json + group_overrides: + # Explicitly mount the 
shared group folders based on group membership + 00-group-CPU-L-extra-volume-mounts: + groups: [CPU:L] + spawner_override: + volume_mounts: + 00-group-CPU-L-extra-volume-mounts: + name: home + mountPath: /home/jovyan/shared-group/CPU_L + subPath: _shared-group/CPU_L + 01-group-GPU-T4-extra-volume-mounts: + groups: [GPU:T4] + spawner_override: + volume_mounts: + 01-group-GPU-T4-extra-volume-mounts: + name: home + mountPath: /home/jovyan/shared-group/GPU_T4 + subPath: _shared-group/GPU_T4 Authenticator: admin_users: [] GitHubOAuthenticator: 
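Review bot: The comment above `group_overrides` should state that these mounts are the only separation between groups' data: the init container at -22 chowns every directory to 1000:1000, so file ownership adds no second barrier and a wrong `groups:` entry exposes a folder outright. I would extend it to something like `# access control: only members of the listed group get this mount; all files are owned by 1000:1000`, and add that membership is presumably evaluated when a server starts, so removing a user from a group only takes effect at their next spawn. Two smaller points: `mode: 493` deserves a trailing `# 0755`, and the inner mount keys reuse the override key (`00-group-CPU-L-extra-volume-mounts`) where the removed Python used the clearer `00-group-CPU-L-shared-dir`.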
@@ -261,53 +350,6 @@ jupyterhub: - CPU:XXL - CPU:XXXL - GPU:T4 - extraConfig: - 00-volumes-and-volume-mounts-as-dict: | - # The base jupyterhub config in zero-to-jupyterhub defines - # volumes and volume_mounts as lists. - # But we can't add new volumes or volume_mounts to the list - # as that replaces the entire list. - # So we convert them to dictionaries, which allows us to - # add new volumes and volume_mounts as needed. - if isinstance(c.KubeSpawner.volumes, list): - existing_volumes = c.KubeSpawner.volumes - c.KubeSpawner.volumes = {} - for volume in existing_volumes: - c.KubeSpawner.volumes[volume["name"]] = volume - if isinstance(c.KubeSpawner.volume_mounts, list): - existing_volume_mounts = c.KubeSpawner.volume_mounts - c.KubeSpawner.volume_mounts = {} - for idx, volume_mount in enumerate(existing_volume_mounts): - c.KubeSpawner.volume_mounts[f"{idx}-{volume_mount['name']}"] = volume_mount - 01-group-shared-directories: | - c.KubeSpawner.group_overrides = { - "00-group-CPU-L-extra-volume-mounts": { - "groups": ["CPU:L"], - "spawner_override": { - "volume_mounts": { - "00-group-CPU-L-shared-dir": { - "name": "home", - "mountPath": "/home/jovyan/shared-group/CPU_L", - "subPath": "_shared-group/CPU_L", - "readOnly": False - }, - } - }, - }, - "01-group-GPU-T4-extra-volume-mounts": { - "groups": ["GPU:T4"], - "spawner_override": { - "volume_mounts": { - "00-group-GPU-T4-shared-dir": { - "name": "home", - "mountPath": "/home/jovyan/shared-group/GPU_T4", - "subPath": "_shared-group/GPU_T4", - "readOnly": False - }, - } - }, - } - } ingress: hosts: [staging.hub.maap.2i2c.cloud] tls: