Application Hub⚓︎
The Application Hub provides a set of web-based tooling, including JupyterLab for interactive analysis, Code Server for application development, and the capability to add user-defined interactive dashboards.
Helm Chart⚓︎
The Application Hub is deployed via the application-hub
helm chart from the EOEPCA Helm Chart Repository.
The chart is configured via values, which are detailed in the default values file for the chart.
helm install --version 2.0.55 --values application-hub-values.yaml \
--repo https://eoepca.github.io/helm-charts \
application-hub application-hub
Values⚓︎
The Application Hub supports many values to configure the service - ref. the default values file for the chart.
Typically, values for the following attributes may be specified:
- The fully-qualified public URL for the service
- Specification of Ingress for reverse-proxy access to the service
- Storage class for persistence
- Node selector rule - required by JupyterHub to spawn container workloads
- Values for integration with the user workspace
- Integration of JupyterHub with the Login Service (identity provider) via OpenID Connect configuration
- OIDC client credentials from a secret
Example application-hub-values.yaml
…
ingress:
enabled: true
annotations: {}
hosts:
- host: applicationhub.192-168-49-2.nip.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: applicationhub-tls
hosts:
- applicationhub.192-168-49-2.nip.io
clusterIssuer: letsencrypt-production
jupyterhub:
fullnameOverride: "application-hub"
hub:
existingSecret: application-hub-secrets
extraEnv:
JUPYTERHUB_ENV: "dev"
JUPYTERHUB_SINGLE_USER_IMAGE: "eoepca/pde-container:1.0.3"
OAUTH_CALLBACK_URL: https://applicationhub.192-168-49-2.nip.io/hub/oauth_callback
OAUTH2_USERDATA_URL: https://keycloak.192-168-49-2.nip.io/oxauth/restv1/userinfo
OAUTH2_TOKEN_URL: https://keycloak.192-168-49-2.nip.io/oxauth/restv1/token
OAUTH2_AUTHORIZE_URL: https://keycloak.192-168-49-2.nip.io/oxauth/restv1/authorize
OAUTH_LOGOUT_REDIRECT_URL: "https://applicationhub.192-168-49-2.nip.io"
OAUTH2_USERNAME_KEY: "preferred_username"
STORAGE_CLASS: "standard"
RESOURCE_MANAGER_WORKSPACE_PREFIX: "ws"
JUPYTERHUB_CRYPT_KEY:
valueFrom:
secretKeyRef:
name: application-hub-secrets
key: JUPYTERHUB_CRYPT_KEY
OAUTH_CLIENT_ID:
valueFrom:
secretKeyRef:
name: application-hub-secrets
key: OAUTH_CLIENT_ID
OAUTH_CLIENT_SECRET:
valueFrom:
secretKeyRef:
name: application-hub-secrets
key: OAUTH_CLIENT_SECRET
image:
# name: eoepca/application-hub
# tag: "1.2.0"
pullPolicy: Always
# pullSecrets: []
db:
pvc:
storageClassName: standard
singleuser:
image:
name: jupyter/minimal-notebook
tag: "2343e33dec46"
profileList:
- display_name: "Minimal environment"
description: "To avoid too much bells and whistles: Python."
default: "True"
- display_name: "EOEPCA profile"
description: "Sample profile"
kubespawner_override:
cpu_limit": 4
mem_limit": "8G"
nodeSelector:
key: minikube.k8s.io/primary
value: \"true\"
Client and Credentials⚓︎
The Application Hub requires an OIDC client to be registered with the Identity Service (Keycloak) in order to enable user identity integration - ref. OAUTH_CLIENT_ID
and OAUTH_CLIENT_SECRET
.
This can be created with the create-client
helper script, as descirbed in section Client Registration.
For example…
../bin/create-client \
-a https://keycloak.192-168-49-2.nip.io \
-i https://identity-api.192-168-49-2.nip.io \
-r "master" \
-u "admin" \
-p "changeme" \
-c "admin-cli" \
--id=application-hub \
--name="Application Hub OIDC Client" \
--secret="changeme" \
--description="Client to be used by Application Hub for OIDC integration"
Corresponding to this client, a secret application-hub-secrets
must be created (ref. value jupyterhub.hub.existingSecret: application-hub-secrets
)…
kubectl -n proc create secret generic application-hub-secrets \
--from-literal=JUPYTERHUB_CRYPT_KEY="$(openssl rand -hex 32)" \
--from-literal=OAUTH_CLIENT_ID="application-hub" \
--from-literal=OAUTH_CLIENT_SECRET="changeme"
Post-deployment Manual Steps⚓︎
The deployment of the Application Hub has been designed, as far as possible, to automate the configuration. However, there remain some steps that must be performed manually after the scripted deployment has completed…
Groups and Users⚓︎
The default helm chart has some built-in application launchers whose assignments to example users (eric and bob) assume the existence of some JupyterHub groups - which must be replicated to exploit this configuration.
- In a browser, navigate to the Application Hub - https://applicationhub.192-168-49-2.nip.io/
- Login as the user eric (or bob) for admin access
- Select the
Admin
menu (top of page) - Add groups
group-1
,group-2
,group-3
to ApplicationHub, and add userseric
,bob
to these groups
This setup corresponds to the ‘sample’ configuration that is built=in to the help chart - see file config.yaml
.
Additional Information⚓︎
Additional information regarding the Application Hub can be found at: