JupyterHub is an open-source tool that spins up Jupyter notebook servers on demand. The notebooks can be used for data analysis or to create and execute machine learning models. Istio is a service mesh that offers a secure and observable communication mechanism between different services in a Kubernetes cluster. One of the benefits of running JupyterHub in an Istio-enabled cluster is support for mTLS (mutual TLS) between the different JupyterHub components. mTLS ensures that all communication between the hub and the user notebook servers is encrypted and safe from eavesdropping. This capability has been requested by many users in the JupyterHub community.
To follow along, it is important to know the basic component interactions in JupyterHub:
- The Hub configures the proxy by calling proxy-api
- The proxy forwards all requests to the Hub by default
- The Hub handles login, and spawns single-user notebook servers on demand
- The Hub configures the proxy to forward URL prefixes to single-user notebook servers
Setup
— Install istio
$ istioctl install --set profile=demo
— Install JupyterHub
Create the jupyterhub namespace to install JupyterHub. Set the istio-injection label to configure the automatic injection of the istio-proxy sidecar in the pods that start in the namespace. Set the mTLS mode for all services in the namespace.
$ kubectl create ns jupyterhub
$ kubectl label namespace jupyterhub istio-injection=enabled
$ kubectl apply -n jupyterhub -f - <<EOF
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata:
  name: "default"
spec:
  mtls:
    mode: STRICT
EOF
Next, set up the Helm chart repository.
$ helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
$ helm repo update
Set up the config for the Helm chart.
$ # printf expands \n in every POSIX shell and keeps the token out of the format string
$ printf "proxy:\n  secretToken: '%s'\n" "$(openssl rand -hex 32)" > config.yaml
Install JupyterHub in the jupyterhub namespace.
$ helm template jupyterhub/jupyterhub \
--version=0.9.0 \
--values config.yaml | kubectl -n jupyterhub apply -f -
$ # Not using `helm install` is a personal preference. I prefer qbec instead for day to day use. Using helm here as it is used to package JupyterHub for Kubernetes in the community.
Next, we’ll verify the deployment to see if the pods are running. Both the hub and the proxy pods are running as expected.
$ kubectl -n jupyterhub get po
hub-fd88f65b6-6zqb9 2/2 Running 1 5m31s
proxy-98fdbb5fd-bv7nt 2/2 Running 0 5m31s
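The pod listing only shows container counts. As an added example (not code from the original post), the Python below audits the three things this setup depends on: the istio-injection namespace label, a namespace-wide STRICT PeerAuthentication that no workload-level or port-level policy weakens, and an istio-proxy container in every pod. The sample data is constructed; the hub-legacy policy, its component label and the jupyter-alice pod are hypothetical.

```python
# Constructed sample input, shaped like `kubectl get ... -o json` output.
SAMPLE_NS = {"metadata": {"name": "jupyterhub",
                          "labels": {"istio-injection": "enabled"}}}
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "default"}, "spec": {"mtls": {"mode": "STRICT"}}},
    # Hypothetical workload-level policy that weakens the namespace default.
    {"metadata": {"name": "hub-legacy"},
     "spec": {"selector": {"matchLabels": {"component": "hub"}},
              "mtls": {"mode": "PERMISSIVE"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "hub-fd88f65b6-6zqb9"},
     "spec": {"containers": [{"name": "hub"}, {"name": "istio-proxy"}]}},
    # Hypothetical pod started before the namespace was labelled: no sidecar.
    {"metadata": {"name": "jupyter-alice"},
     "spec": {"containers": [{"name": "notebook"}]}},
]}
WEAK = ("PERMISSIVE", "DISABLE")  # modes that accept plaintext


def audit_mtls(ns, policies, pods):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if ns["metadata"].get("labels", {}).get("istio-injection") != "enabled":
        findings.append("namespace: istio-injection label is not 'enabled'")
    ns_wide_strict = False
    for policy in policies.get("items", []):
        name, spec = policy["metadata"]["name"], policy.get("spec", {})
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if "selector" not in spec:
            ns_wide_strict = ns_wide_strict or mode == "STRICT"
        elif mode in WEAK:
            # A workload-specific policy takes precedence over the namespace one.
            findings.append(f"policy {name}: workload override to {mode}")
        for port, cfg in spec.get("portLevelMtls", {}).items():
            if cfg.get("mode") in WEAK:
                findings.append(f"policy {name}: port {port} set to {cfg['mode']}")
    if not ns_wide_strict:
        findings.append("namespace: no namespace-wide STRICT PeerAuthentication")
    for pod in pods.get("items", []):
        spec = pod["spec"]
        # Newer Istio releases can run the sidecar as an init container.
        names = {c["name"] for c in spec["containers"] + spec.get("initContainers", [])}
        if "istio-proxy" not in names:
            findings.append(f"pod {pod['metadata']['name']}: no istio-proxy sidecar")
    return findings


if __name__ == "__main__":
    for finding in audit_mtls(SAMPLE_NS, SAMPLE_POLICIES, SAMPLE_PODS):
        print(finding)
```

To run it against a cluster, parse the output of `kubectl get ns jupyterhub -o json`, `kubectl -n jupyterhub get peerauthentication -o json` and `kubectl -n jupyterhub get po -o json` with `json.loads` and pass the three objects in.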
The 2/2 part shows that there are two containers in the pod - the main container and a s