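---
# JupyterLab for the `ml` namespace: Service, Deployment, PVC, token Secret
# and a public nginx Ingress with a cert-manager certificate.
#
# Security note: a Jupyter server runs whatever code an authenticated user
# submits. With the ingress basic-auth annotations commented out, the login
# token is the only control between the public hostname and code execution
# inside this pod.
apiVersion: v1
kind: Service
metadata:
  name: notebook
  namespace: ml
spec:
  selector:
    app: jupyterlab
  ports:
    - port: 80
      targetPort: 8888
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jupyterlab
  namespace: ml
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jupyterlab
  template:
    metadata:
      labels:
        app: jupyterlab
    spec:
      # No serviceAccountName is set, so the pod uses the namespace default
      # account. Do not mount its API token into a pod that runs user code;
      # remove this line only if notebooks must call the Kubernetes API.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 1000
        fsGroup: 100
        # Refuse to start if the image or a later edit would run as UID 0.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      nodeSelector:
        node: hetzner-2
      containers:
        - name: jupyter
          # NOTE(review): `latest` is a mutable tag, so a restart can pull
          # different code than was reviewed. Pin a version tag or digest.
          image: jupyter/base-notebook:latest
          # Kubernetes expands $(PASSWORD) from the env var below, so the
          # token appears in the process command line.
          # NOTE(review): Jupyter also reads the token from the JUPYTER_TOKEN
          # environment variable, which keeps it out of argv. Confirm against
          # the image version before switching.
          args:
            - "start-notebook.sh"
            - "--NotebookApp.token=$(PASSWORD)"
          env:
            - name: PASSWORD
              valueFrom:
                secretKeyRef:
                  name: jupyter-auth
                  key: PASSWORD
          ports:
            - containerPort: 8888
          # The process already runs as a non-root UID; these settings stop
          # it from regaining privileges through setuid binaries or
          # capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # NOTE(review): no resources.requests/limits are set, so a runaway
          # kernel can consume the whole node. Add limits sized for the
          # workload.
          volumeMounts:
            - name: work
              mountPath: /home/jovyan/work
      volumes:
        - name: work
          persistentVolumeClaim:
            claimName: jupyter-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: jupyter-pvc
  namespace: ml
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-ssd-hetzner
  resources:
    requests:
      storage: 20Gi
---
# The committed manifest previously carried a short dictionary-word token
# here. That value is the only credential for an internet-facing notebook,
# and anyone with repository access can read it. Rotate it, generate a long
# random token, and supply it out of band (for example a Secret created
# directly in the cluster, or a sealed/external secret) rather than
# committing it.
apiVersion: v1
kind: Secret
metadata:
  name: jupyter-auth
  namespace: ml
type: Opaque
stringData:
  # Placeholder only; do not deploy with this value.
  PASSWORD: "REPLACE_WITH_GENERATED_TOKEN"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: notebook
  namespace: ml
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Basic auth at the ingress is disabled. Enabling these three annotations
    # adds a second authentication layer in front of the Jupyter token; the
    # referenced `basic-auth-notebook` Secret is not defined in this file and
    # must exist in the namespace first.
    # nginx.ingress.kubernetes.io/auth-type: basic
    # nginx.ingress.kubernetes.io/auth-secret: basic-auth-notebook
    # nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - notebook.betelgeusebytes.io
      secretName: notebook-tls
  rules:
    - host: notebook.betelgeusebytes.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: notebook
                port:
                  number: 80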