Merge branch 'main' into datasets

artifacts/jupyter/jupyterhub_k8s.yml

@@ -8,6 +8,37 @@
     jup_admin_user: "{{ admin_user | default('admin') }}"
     dns_name: "{{ kube_public_dns_name | default('') }}"
     jup_storage_size: "{{ storage_size | default('10Gi') }}"
+    default_profile_list:
+      - display_name: '1CPU 1GB environment'
+        description: '1CPU 1GB environment'
+        default: true
+      - display_name: '2CPU 2GB environment'
+        description: '2CPU 2GB environment'
+        kubespawner_override:
+          cpu_limit: 2
+          mem_limit: '2G'
+          cpu_guarantee: 2
+          mem_guarantee': '2G'
+      - display_name: '2CPU 2GB ItwinAI environment'
+        description: '2CPU 2GB ItwinAI environment'
+        kubespawner_override:
+          image: 'grycap/jupyterhub-k8s-itwinai'
+          cpu_limit: 2
+          mem_limit: '2G'
+          cpu_guarantee: 2
+          mem_guarantee': '2G'
+      - display_name: '2CPU 4GB 1GPU environment'
+        description: '2CPU 4GB 1GPU environment (only use it if some of the K8s WNs has GPU support)'
+        kubespawner_override:
+          image: 'grycap/k8s-singleuser-sample-gpu:latest'
+          cpu_limit: 2
+          mem_limit: '4G'
+          cpu_guarantee: 2
+          mem_guarantee': '4G'
+          extra_resource_limits:
+            nvidia.com/gpu: 1
+          extra_resource_guarantees:
+            nvidia.com/gpu: 1
   tasks:
     - name: Add jupyterhub helm repo
       command: helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
@@ -66,6 +97,10 @@
       environment:
         KUBECONFIG: "/etc/kubernetes/admin.conf"
 
+    - name: Set profile list
+      set_fact:
+        jup_profile_list: "{{ profile_list | default(default_profile_list) }}"
+
     - name: "Create values file"
       copy:
         dest: /tmp/config.yaml
@@ -106,37 +141,7 @@
                   - name: vol-data
                     mountPath: /home/jovyan/data
                     readOnly: True
-              profileList:
-                - display_name: '1CPU 1GB environment'
-                  description: '1CPU 1GB environment'
-                  default: true
-                - display_name: '2CPU 2GB environment'
-                  description: '2CPU 2GB environment'
-                  kubespawner_override:
-                    cpu_limit: 2
-                    mem_limit: '2G'
-                    cpu_guarantee: 2
-                    mem_guarantee': '2G'
-                - display_name: '2CPU 2GB ItwinAI environment'
-                  description: '2CPU 2GB ItwinAI environment'
-                  kubespawner_override:
-                    image: 'grycap/jupyterhub-k8s-itwinai'
-                    cpu_limit: 2
-                    mem_limit: '2G'
-                    cpu_guarantee: 2
-                    mem_guarantee': '2G'
-                - display_name: '2CPU 4GB 1GPU environment'
-                  description: '2CPU 4GB 1GPU environment (only use it if some of the K8s WNs has GPU support)'
-                  kubespawner_override:
-                    image: 'grycap/k8s-singleuser-sample-gpu:latest'
-                    cpu_limit: 2
-                    mem_limit: '4G'
-                    cpu_guarantee: 2
-                    mem_guarantee': '4G'
-                    extra_resource_limits:
-                      nvidia.com/gpu: 1
-                    extra_resource_guarantees:
-                      nvidia.com/gpu: 1
+              profileList: {{ jup_profile_list }}
 
     - name: Install (or upgrade) the chart
       command: helm upgrade --install jupyterhub jupyterhub/jupyterhub --namespace jupyter --create-namespace --values /tmp/config.yaml --timeout 10m

artifacts/lrms/htcondor_fe_install.yml

@@ -3,6 +3,14 @@
   connection: local
   vars:
     vnode_prefix: vnode-
+  pre_tasks:
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'front'

artifacts/lrms/htcondor_wn_install.yml

@@ -3,6 +3,14 @@
   connection: local
   vars:
     vnode_prefix: vnode-
+  pre_tasks:
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'wn'

artifacts/lrms/kube_fe_install.yml

@@ -27,6 +27,13 @@
       set_fact:
         kube_install_longhorn: true
       when: csi_driver == 'Longhorn'
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'front'

artifacts/lrms/kube_wn_install.yml

@@ -4,6 +4,14 @@
   vars:
     vnode_prefix: vnode-
     csi_driver: "{{ kube_csi_driver | default('NFS') }}"
+  pre_tasks:
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'wn'

artifacts/lrms/slurm_fe_install.yml

@@ -7,6 +7,13 @@
     - name: stop firewalld
       service: name=firewalld state=stopped
       ignore_errors: true
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'front'

artifacts/lrms/slurm_wn_install.yml

@@ -3,6 +3,14 @@
   connection: local
   vars:
     vnode_prefix: vnode-
+  pre_tasks:
+    # Avoid error in ntp installation in Debian
+    - name: Remove systemd-timesyncd in Debian systems
+      package:
+        name: systemd-timesyncd
+        state: absent
+      ignore_errors: true
+      when: ansible_os_family == "Debian"
   roles:
     - role: grycap.nfs
       nfs_mode: 'wn'

artifacts/mlflow_auth_compose.yml

@@ -0,0 +1,89 @@
+---
+- hosts: localhost
+  connection: local
+  vars:
+    # defalt pass is "operatorpass"
+    GOACCESS_PASSWORD: "{{ mlflow_operator_pass | default('$$2y$$05$$lPcMyqoHliTPF5QeAHoPWOGyLFZxGQg.pSfJlHssQJ9Ny7OFcSI3i') }}"
+    MLFLOW_USERNAME: "{{ mlflow_admin_user | default('admin') }}"
+    MLFLOW_PASSWORD: "{{ mlflow_admin_password | default('password') }}"
+    OIDC_AUTHORITY: "{{ mlflow_oidc_auth | default('https://aai-demo.egi.eu/auth/realms/egi') }}"
+    OIDC_CLIENT_ID: "{{ mlflow_oidc_client_id | default('oidc-client') }}"
+    OAUTH_USERINFO_ENDPOINT: "{{ mlflow_auth_userinfo_endpoint | default(OIDC_AUTHORITY + '/protocol/openid-connect/userinfo') }}"
+    SUPPORTED_VO: "{{ mlflow_oidc_vo | default('vo.ai4eosc.eu') }}"
+    REQUIRED_ENTITLEMENT: "{{ mlflow_required_entitlement | default('urn:mace:egi.eu:group:' + SUPPORTED_VO + ':role=member#aai.egi.eu') }}"
+  roles:
+    - role: 'grycap.docker'
+  tasks:
+    - name: Clone git repository
+      git:
+        repo: https://github.com/m-team-kit/mlflow-auth-gui
+        dest: /opt/mlflow-auth-gui/mlflow-auth-gui/
+        version: main
+      ignore_errors: true
+
+    - name: Set default DNS name (nip.io)
+      set_fact:
+        dns_name: "mlflow.{{ public_ip_address }}.nip.io"
+      when: mlflow_dns_name is not defined or mlflow_dns_name == ""
+    - name: Set custom DNS name
+      set_fact:
+        dns_name: "{{ mlflow_dns_name }}"
+      when: mlflow_dns_name is defined and mlflow_dns_name != ""
+
+    - name: Set admin username and password in ini file
+      ini_file:
+        path: /opt/mlflow-auth-gui/mlflow-auth-gui/backend/srv/auth_config.ini
+        section: "mlflow"
+        option: "{{ item.option }}"
+        value: "{{ item.value }}"
+        mode: '0644'
+      loop:
+        - { "option": "admin_username", "value": "{{ MLFLOW_USERNAME }}" }
+        - { "option": "admin_password", "value": "{{ MLFLOW_PASSWORD }}" }
+
+    - name: Create .env file
+      copy:
+        dest: /opt/mlflow-auth-gui/mlflow-auth-gui/.env
+        mode: '0644'
+        content: |
+          # Domain where MLFLOW is hosted
+          DOMAIN={{ dns_name }}
+          # POSTGRES CONFIG
+          DATABASE_NAME=mlflowdb
+          DATABASE_USER=postgres
+          DATABASE_PASSWORD=dummypassword
+          DATABASE_HOST=database
+          DATABASE_PORT=5432
+          # MLFLOW Authentication Database File
+          AUTH_DB_FILE=basic_auth.db
+          # Local (host) BASE PATH to store MLFLOW data, e.g. app-data, user-data, artifacts, backup_db.
+          # Pay attention about subdirectories ownership, may need to set uid:gid of "docker"
+          MLFLOW_BASE_PATH_LOCAL=/opt/mlflow-auth-gui/mlflow-auth-gui/
+          # MLflow user registration service
+          MLFLOW_USERNAME={{ MLFLOW_USERNAME }}
+          MLFLOW_PASSWORD={{ MLFLOW_PASSWORD }}
+          MLFLOW_HOSTNAME=http://backend:5000
+          OIDC_AUTHORITY={{ OIDC_AUTHORITY }}
+          OIDC_CLIENT_ID={{ OIDC_CLIENT_ID }}
+          OAUTH_USERINFO_ENDPOINT={{ OAUTH_USERINFO_ENDPOINT }}
+          REQUIRED_ENTITLEMENT={{ REQUIRED_ENTITLEMENT }}
+          PRIVACY_POLICY_URL=https://confluence.egi.eu/display/IMPAIP/Privacy+Policy
+          TERMS_OF_USE_URL=https://confluence.egi.eu/display/IMPAIP/Acceptable+Use+Policy
+          # can be left blank, but prefer putting one
+          LETSENCRYPT_EMAIL={{ mlflow_cert_email }}
+          CORS_ORIGINS=http://localhost,http://foo.bar
+          # Monitoring based on goaccess
+          GOACCESS_ETC_PATH_LOCAL=${MLFLOW_BASE_PATH_LOCAL}/goaccess-etc
+          GOACCESS_OUT_PATH_LOCAL=${MLFLOW_BASE_PATH_LOCAL}/goaccess-out
+          GOACCESS_WEB_ROUTE=goaccess
+          GOACCESS_USER=operator
+          GOACCESS_PASSWORD={{ GOACCESS_PASSWORD }}     # bcrypt encrypted password, use "htpasswd -B -n operator" to generate. use $$ instead of $ in GOACCESS_PASSWORD value
+          GOACCESS_ACCESSLOG_FORMAT=TRAEFIKCLF
+
+    - name: Exec docker-compose up
+      community.docker.docker_compose_v2:
+        project_src: /opt/mlflow-auth-gui/mlflow-auth-gui/
+        state: present
+        files:
+          - compose.yml
+          - compose.prod.yml

artifacts/openeo_k8s.yml

@@ -0,0 +1,93 @@
+---
+- hosts: localhost
+  connection: local
+  vars:
+    stac_url: "{{ openeo_stac_url | default('https://stac.eodc.eu/api/v1') }}"
+    oidc_url: "{{ openeo_oidc_url | default('https://aai.egi.eu/auth/realms/egi') }}"
+    oidc_organisation: "{{ openeo_oidc_organisation | default('egi') }}"
+    oidc_roles: "{{ openeo_oidc_roles | default(['developer']) }}"
+  tasks:
+    - name: Set default DNS name (nip.io)
+      set_fact:
+        dns_name: "openeo.{{ public_ip_address }}.nip.io"
+      when: openeo_dns_name is not defined or openeo_dns_name == ""
+    - name: Set custom DNS name
+      set_fact:
+        dns_name: "{{ openeo_dns_name }}"
+      when: openeo_dns_name is defined and openeo_dns_name != ""
+    - name: Create OpenEO Helm values file
+      copy:
+        dest: /tmp/openeo_config.yaml
+        mode: '644'
+        content: |
+          global:
+            env:
+              alembicDir: "/opt/openeo_argoworkflows_api/psql"
+              apiDns: 127.0.0.1:8000
+              apiTLS: false
+              apiTitle: "OpenEO ArgoWorkflows"
+              apiDescription: "A K8S deployment of the openeo api for argoworkflows."
+              oidcUrl: "{{ oidc_url }}"
+              odicOrganisation: "{{ oidc_organisation }}"
+              oidcRoles: {{ oidc_roles }}
+              stacCatalogueUrl: "{{ stac_url }}"
+              workspaceRoot: "/user_workspaces"
+              executorImage: "ghcr.io/eodcgmbh/openeo-argoworkflows:executor-2024.9.1"
+          image:
+            repository: ghcr.io/eodcgmbh/openeo-argoworkflows
+            # Overrides the image tag whose default is the chart appVersion.
+            tag: "api-2024.9.2"
+          persistence:
+            capacity: "8Gi"
+          ingress:
+            enabled: true
+            className: "nginx"
+            hosts:
+              - host: {{ dns_name }}
+                paths:
+                  - path: /
+                    pathType: ImplementationSpecific
+
+    - name: Install git
+      package:
+        name: git
+        state: present
+
+    - name: Download Helm chart
+      git:
+        repo: https://github.com/eodcgmbh/charts
+        dest: /opt/eodcgmbh-charts
+        version: main
+        force: false
+
+    - name: Install Helm repositories
+      command: helm repo add {{ item.name }} {{ item.url }}
+      environment:
+        KUBECONFIG: "/etc/kubernetes/admin.conf"
+      register: helm_repo
+      changed_when: "'already exists' not in helm_repo.stdout"
+      loop:
+        - { name: "bitnami", url: "https://charts.bitnami.com/bitnami" }
+        - { name: "argo", url: "https://argoproj.github.io/argo-helm" }
+        - { name: "dask", url: "https://helm.dask.org" }
+
+    - name: Install Helm dependencies
+      command: helm dependency build
+      args:
+        chdir: /opt/eodcgmbh-charts/eodc/openeo-argo
+        creates: /opt/eodcgmbh-charts/eodc/openeo-argo/charts
+      environment:
+        KUBECONFIG: "/etc/kubernetes/admin.conf"
+
+    - name: Create namespace
+      command: kubectl create namespace openeo
+      environment:
+        KUBECONFIG: "/etc/kubernetes/admin.conf"
+      failed_when: false
+      register: namespace
+      changed_when: "'AlreadyExists' not in namespace.stdout"
+
+    - name: Install OpenEO Helm chart
+      command: helm upgrade -n openeo --install openeo /opt/eodcgmbh-charts/eodc/openeo-argo --values /tmp/openeo_config.yaml
+      environment:
+        KUBECONFIG: "/etc/kubernetes/admin.conf"