Streamline GESIS deployment

[rgaiacs]

During JupyterCon 2023, @yuvipanda asked me if I could move the deployment of the GESIS node to https://github.com/jupyterhub/mybinder.org-deploy. I mentioned that we were running things a bit different and were uncertain of how to bring the GESIS deployment to https://github.com/jupyterhub/mybinder.org-deploy. Yesterday, @arnim and I were talking and we concluded that we should bring this conversation up again and let all the contributors to share the thoughts.

OVH deployment vs GESIS deployment

Topic	OVH deployment	GESIS deployment
Repository	https://github.com/jupyterhub/mybinder.org-deploy	https://github.com/gesiscss/orc2
Repository uses git-crypt	Yes	Yes
Server type	Public Cloud	Dedicated Server / bare-metal
Server SSH access requires VPN	No	Yes
Server SSH access limited to	mybinder.org core team	GESIS staff
Stack	100% on Kubernetes	Core on Kubernetes + external NGINX
Continuous Integration	GitHub Actions	On-premises GitLab CI
Base URL	/	/binder/
Landing page	Default	Customised
Additional pages	No	Yes

GESIS Helm Chart upgrade workflow

To keep GESIS binderhub version in sync with mybinder.org, we are doing the follow

1. GitHub Actions executes a web hook request to GESIS GitLab
2. GESIS GitLab triggers a GESIS GitLab CI job
3. GESIS GitLab CI job fetches public information from https://github.com/jupyterhub/mybinder.org-deploy and update the GESIS Notebooks (BinderHub) deployment Git repository
4. Update on the GESIS Notebooks (BinderHub) deployment Git repository triggers a new deployment

At the moment, this workflows implementation is not capable of update files in the secret folders.

Proposed new workflow

The previous steps are replaced with

1. GitHub Actions executes a web hook request to GESIS GitLab
2. GESIS GitLab triggers a GESIS GitLab CI job
3. GESIS GitLab CI job git fetches https://github.com/jupyterhub/mybinder.org-deploy, validates (verifies digital signature) changes to GESIS specific files, and git merges changes
4. git merge triggers a new deployment

This new workflow requires

• GESIS Helm configuration in https://github.com/jupyterhub/mybinder.org-deploy/tree/main/config
• GESIS specific templates in https://github.com/jupyterhub/mybinder.org-deploy/tree/main/mybinder/templates
• GESIS specific files in https://github.com/jupyterhub/mybinder.org-deploy/tree/main/mybinder/files
• GESIS specific .gitlab-ci.yml

This files could be kept in a separate branch.

@arnim @minrk @yuvipanda @manics what do you think?

[arnim]

Thank you @rgaiacs for this great overview :)
We, GESIS, should be flexible wrt the implementation. The unavoidable limitation is VPN and staff only access. All in all I'd love if we can keep this as simple (and maintainable) as possible. Everything that helps to that end is usually a 👍

[manics]

Seems fine to me! Would you mind holding off until I've finished with #2698 (and the inevitably many follow-ups) before making changes to the shared files?

[rgaiacs]

I will hold until #2698 is finished.

[rgaiacs]

Change GESIS deployment as discussed at the first post will contribute to avoid cryptnono/cryptnono#8 and similar issues where a new file is created and the my update script silence fails.

[manics]

Curvenote is now officially added! There'll probably be some more tweaks but hopefully nothing major, so if you haven't already feel free to make any changes you need for GESIS.