tofu.uiogeo — JupyterHub on NIRD Toolkit
OpenTofu deployment of JupyterHub in the uiogeo-apps-ns1000k namespace on the
NIRD Toolkit (Sigma2, Norway).
Stack
- JupyterHub 3.3.8 (Zero-to-JupyterHub)
- GitHub OAuth authentication
- NIRD datalake mounted at /nird/datalake/NS1000K
- State stored in Minio (tofu-state/nird-jupyterhub.tfstate)
- Argo Workflows — pending CRDs installation by Sigma2 (see below)
URLs
| Service | URL |
|---|---|
| JupyterHub | https://jupyterhub-tofu.uiogeo-apps.sigma2.no |
| Argo Workflows | https://argo-workflows.uiogeo-apps.sigma2.no |
| Minio console | https://minio.uiogeo-apps.sigma2.no |
Prerequisites
- OpenTofu >= 1.6
- kubectl configured with nird-toolkit-auth-helper (Feide/OIDC)
- Access to namespace uiogeo-apps-ns1000k
Authentication — NIRD Toolkit
Install nird-toolkit-auth-helper:
go install github.com/UNINETTSigma2/nird-toolkit-auth-helper@latest
Place the kubeconfig in ~/.kube/config (see
https://github.com/UNINETTSigma2/nird-toolkit-auth-helper for the minimal
kubeconfig template), then:
kubectl config use-context nird-lmd
kubectl get ns | grep ns1000k
The authentication browser window opens on port 49999 — forward it via your SSH tunnel manager (e.g. Asbru).
Step 1 — Configure secrets
Create backend.tfvars (not committed):
access_key = "<minio_user>"
secret_key = "<minio_password>"
Create secrets.tfvars (not committed):
github_client_secret = "<github_oauth_client_secret>"
minio_access_key = "<minio_user>"
minio_secret_key = "<minio_password>"
Minio credentials are stored as a Kubernetes secret in the namespace:
kubectl get secret minio-1739373161-minio -n uiogeo-apps-ns1000k \
-o jsonpath='{.data}' | jq 'to_entries[] | {key: .key, value: (.value | @base64d)}'
Step 2 — Initialize Tofu
tofu init -backend-config=backend.tfvars
Step 3 — Deploy
tofu apply -var-file=secrets.tfvars
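A pre-flight check for Steps 1 to 3, as an added example that is not part of the original repository: it confirms that backend.tfvars and secrets.tfvars exist, are not in the git index, are matched by an ignore rule, and are readable by the owner only. The function name check_tfvars and the 600/400 mode policy are assumptions; the file names come from the steps above.

```shell
#!/bin/sh
# Added example, not the project's own code.
# check_tfvars DIR: prints one finding per line and returns the number
# of findings (0 means both var-files are safe to use).
check_tfvars() {
    dir=${1:-.}
    findings=0
    for f in backend.tfvars secrets.tfvars; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "MISSING   $f"
            findings=$((findings + 1))
            continue
        fi
        # A tracked file stays in history even if an ignore rule is added later,
        # so test the index first and the ignore rules second.
        if git -C "$dir" ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
            echo "TRACKED   $f is in the git index"
            findings=$((findings + 1))
        elif ! git -C "$dir" check-ignore -q -- "$f"; then
            echo "UNIGNORED $f is not matched by any ignore rule"
            findings=$((findings + 1))
        fi
        # Credentials should be readable by the owner only (assumed policy).
        # GNU stat uses -c, BSD/macOS stat uses -f.
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
        case $mode in
            600|400) ;;
            *) echo "PERMS     $f has mode $mode, expected 600"
               findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}
```

Run it from the repository root as `check_tfvars . && tofu apply -var-file=secrets.tfvars`, so the apply only starts when there are no findings.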
Architecture
NIRD Toolkit — Sigma2
│
└── Namespace: uiogeo-apps-ns1000k
    ├── JupyterHub 3.3.8 — https://jupyterhub-tofu.uiogeo-apps.sigma2.no
    │   ├── Auth: GitHub OAuth
    │   ├── Image: quay.io/jeani/jupytergis-notebook:0.13.2
    │   └── Storage: NIRD datalake (PVC 5693621a) → /nird/datalake/NS1000K
    │       └── subPath: GRID4EARTH/notebooks
    ├── Argo Workflows 0.46.2 — https://argo-workflows.uiogeo-apps.sigma2.no
    │   └── ⚠️ Pending argoproj.io CRDs (see below)
    └── Minio — https://minio.uiogeo-apps.sigma2.no
        └── Bucket tofu-state → nird-jupyterhub.tfstate
Ingress & TLS
The NGINX ingress controller and wildcard TLS certificate (wildcard-tls) are
managed by Sigma2 at the cluster level. No cert-manager setup required.
Domain pattern: *.uiogeo-apps.sigma2.no
Argo Workflows — pending
Argo Workflows is configured in main.tf but not yet deployed because the
argoproj.io CRDs are not installed at the cluster level.
A request has been sent to Sigma2 to install the CRDs. Once confirmed, add back
to main.tf:
resource "helm_release" "argo_workflows" {
  name       = "argo-workflows"
  repository = "https://argoproj.github.io/argo-helm"
  chart      = "argo-workflows"
  namespace  = "uiogeo-apps-ns1000k"
  version    = "0.46.2"
  values = [<<YAML
# CRDs are installed at the cluster level by Sigma2, not by this release.
crds:
  install: false
createAggregateRoles: false
# Keep the controller and server scoped to this namespace.
singleNamespace: true
controller:
  clusterWorkflowTemplates:
    enabled: false
server:
  # "server" mode: every request runs with the Argo Server's own service
  # account; the server itself does not authenticate clients.
  authModes:
    - server
  clusterWorkflowTemplates:
    enabled: false
  serviceType: ClusterIP
  ingress:
    enabled: true
    annotations:
      kubernetes.io/ingress.class: nginx
    hosts:
      - argo-workflows.uiogeo-apps.sigma2.no
    tls:
      - hosts:
          - argo-workflows.uiogeo-apps.sigma2.no
        secretName: wildcard-tls
YAML
  ]
}
GPU support
GPU node availability and labels/taints to be confirmed by Sigma2.
Once confirmed, add GPU profile to JupyterHub singleuser.profileList in main.tf.