From 749ea29625091e40c9417f95d13bd8bfd995d320 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 21 Feb 2024 17:19:59 +0200 Subject: [PATCH 01/23] Update docs --- docs/topic/access-creds/cloud-auth.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/topic/access-creds/cloud-auth.md b/docs/topic/access-creds/cloud-auth.md index f05d3326d..50b41bbd2 100644 --- a/docs/topic/access-creds/cloud-auth.md +++ b/docs/topic/access-creds/cloud-auth.md @@ -102,11 +102,12 @@ To do so, follow these steps: after logging in for current set of IAM users. 2. Go to the [SSO users](https://console.aws.amazon.com/singlesignon/identity/home?region=us-east-1#!/users) page, and create an appropriate entry for the new user. - a. Their username should match their `2i2c.org` email address. - b. Use their `2i2c.org` address as email address. - c. Other than email and username, provide as little info as possible. This would be + + - Their username should match their `2i2c.org` email address. + - Use their `2i2c.org` address as email address. + - Other than email and username, provide as little info as possible. This would be just first name, last name and display name. - d. "Send an email to the user with password setup instructions". + - "Send an email to the user with password setup instructions". 3. Add them to the `2i2c-engineers` group. This gives them access to all the other AWS accounts we create. 4. Create the account! They'll receive an email with appropriate instructions. From ed7cd616e91ce3eca000f6f01ccd3e6b18028541 Mon Sep 17 00:00:00 2001 
From: Georgiana Dolocan
Date: Wed, 21 Feb 2024 17:21:15 +0200
Subject: [PATCH 02/23] Add the eksctl files for new cluster opensci
---
eksctl/opensci.jsonnet | 128 +++++++++++++++++++++++++++++
eksctl/ssh-keys/opensci.key.pub | 1 +
eksctl/ssh-keys/secret/opensci.key | 21 +++++
3 files changed, 150 insertions(+)
create mode 100644 eksctl/opensci.jsonnet
create mode 100644 eksctl/ssh-keys/opensci.key.pub
create mode 100644 eksctl/ssh-keys/secret/opensci.key
diff --git a/eksctl/opensci.jsonnet b/eksctl/opensci.jsonnet
new file mode 100644
index 000000000..f81a65c04
--- /dev/null
+++ b/eksctl/opensci.jsonnet
@@ -0,0 +1,128 @@ +/* + This file is a jsonnet template of a eksctl's cluster configuration file, + that is used with the eksctl CLI to both update and initialize an AWS EKS + based cluster. + + This file has in turn been generated from eksctl/template.jsonnet which is + relevant to compare with for changes over time. + + To use jsonnet to generate an eksctl configuration file from this, do: + + jsonnet opensci.jsonnet > opensci.eksctl.yaml + + References: + - https://eksctl.io/usage/schema/ +*/ +local ng = import "./libsonnet/nodegroup.jsonnet"; + +// place all cluster nodes here +local clusterRegion = "us-west-2"; +local masterAzs = ["us-west-2a", "us-west-2b", "us-west-2c"]; +local nodeAz = "us-west-2a"; + +// Node definitions for notebook nodes. Config here is merged +// with our notebook node definition. +// A `node.kubernetes.io/instance-type label is added, so pods +// can request a particular kind of node with a nodeSelector +local notebookNodes = [ + { instanceType: "r5.xlarge" }, + { instanceType: "r5.4xlarge" }, + { instanceType: "r5.16xlarge" }, +]; +local daskNodes = []; + + +{ + apiVersion: 'eksctl.io/v1alpha5', + kind: 'ClusterConfig', + metadata+: { + name: "opensci", + region: clusterRegion, + version: "1.28", + }, + availabilityZones: masterAzs, + iam: { + withOIDC: true, + }, + // If you add an addon to this config, run the create addon command. + // + // eksctl create addon --config-file=opensci.eksctl.yaml + // + addons: [ + { + // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that + // couple to AWS EBS based storage, without it expect to see pods + // mounting a PVC failing to schedule and PVC resources that are + // unbound. 
+ // + // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html + // + name: 'aws-ebs-csi-driver', + version: "latest", + wellKnownPolicies: { + ebsCSIController: true, + }, + }, + ], + nodeGroups: [ + ng + { + namePrefix: 'core', + nameSuffix: 'a', + nameIncludeInstanceType: false, + availabilityZones: [nodeAz], + ssh: { + publicKeyPath: 'ssh-keys/opensci.key.pub' + }, + instanceType: "r5.xlarge", + minSize: 1, + maxSize: 6, + labels+: { + "hub.jupyter.org/node-purpose": "core", + "k8s.dask.org/node-purpose": "core" + }, + }, + ] + [ + ng + { + namePrefix: 'nb', + availabilityZones: [nodeAz], + minSize: 0, + maxSize: 500, + instanceType: n.instanceType, + ssh: { + publicKeyPath: 'ssh-keys/opensci.key.pub' + }, + labels+: { + "hub.jupyter.org/node-purpose": "user", + "k8s.dask.org/node-purpose": "scheduler" + }, + taints+: { + "hub.jupyter.org_dedicated": "user:NoSchedule", + "hub.jupyter.org/dedicated": "user:NoSchedule" + }, + } + n for n in notebookNodes + ] + ( if daskNodes != null then + [ + ng + { + namePrefix: 'dask', + availabilityZones: [nodeAz], + minSize: 0, + maxSize: 500, + ssh: { + publicKeyPath: 'ssh-keys/opensci.key.pub' + }, + labels+: { + "k8s.dask.org/node-purpose": "worker" + }, + taints+: { + "k8s.dask.org_dedicated" : "worker:NoSchedule", + "k8s.dask.org/dedicated" : "worker:NoSchedule" + }, + instancesDistribution+: { + onDemandBaseCapacity: 0, + onDemandPercentageAboveBaseCapacity: 0, + spotAllocationStrategy: "capacity-optimized", + }, + } + n for n in daskNodes + ] else [] + ) +} \ No newline at end of file diff --git a/eksctl/ssh-keys/opensci.key.pub b/eksctl/ssh-keys/opensci.key.pub new file mode 100644 index 000000000..0a3046478 --- /dev/null +++ b/eksctl/ssh-keys/opensci.key.pub 
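Review bot: The `aws-ebs-csi-driver` addon is declared with `version: "latest"`, so each `eksctl create addon` or update run can resolve to a different driver build and the storage driver running in the cluster cannot be reproduced from this file; pinning the release that was actually tested, e.g. `version: "<TESTED_ADDON_VERSION>"` (placeholder), keeps upgrades deliberate and reviewable. Separately, the core, nb and dask node-group stanzas all set `ssh: { publicKeyPath: 'ssh-keys/opensci.key.pub' }`, which enables SSH on every node with one shared key. Whether port 22 is then limited to a private network or a source security group depends on `./libsonnet/nodegroup.jsonnet`, which is not visible in this patch, so that is worth confirming and stating in a comment next to the first `ssh:` block. `daskNodes` is `[]`, so the `if daskNodes != null` guard is always true and the dask group is simply empty; a one-line comment such as `// no dask node groups on this cluster yet` would make that intent explicit.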
@@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCronsz3J+j6Lbp8BJ/mpTn25/1dgmpZQpoLjEqflTtK0Ur/JBZ+P05aD6eLKy89ANyD9RC/x1oHgDwIAtN7zoCG6QJA+8dWUhqlESYzfQ4ieSW36oi1k4VxPLVUU4zVMPr71tdBaFPOsE3jTEWJxSeDZ8YjzHa0sr5X8HzuACO0V5HG8FnSxsXCPAAtwR1VdZF9xRjhQ8u4yLhDz/kTb1vXCjgz0CcHIs7b7ZSxY/tLxIeCTjfyw3SSvHPTZRgZgoqY5mXwgxq4mLQ96u19u6T9zW1qTjHqVQ2OhuAfIC7LzKtZq2S+RlPiv9xoP1+vK2OULZMtdH/u8VHXGGws4iiPVo+xuADtIKAVZCXgrkvHP//bN4pFObzxsxWa2w1m+mGcXKLmHWy3sqSYZHIJwYhcXQXSSiZF56fFKKtCoT/0Ddk6FdMr9WqNjc3Tq12AfXQgobn0JbDUhYRl5bLVfIo7urshDEfTN+fRvcMnDKCNEmnT/ihn5Ki9BPP+Q8NTOU= georgiana@georgiana.local diff --git a/eksctl/ssh-keys/secret/opensci.key b/eksctl/ssh-keys/secret/opensci.key new file mode 100644 index 000000000..98a5dff54 --- /dev/null +++ b/eksctl/ssh-keys/secret/opensci.key @@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:MGI6Z8r7iSq607tG9zNZro9vcm1QyQfonvPDALwcGos=,tag:M50exMUMyB/XP/g74gNCwQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + "created_at": "2024-02-21T14:04:12Z", + "enc": "CiUA4OM7eKhKM5t1tiyTheQFNUS/u/5AvlqlPcTYNvKLlsPgIhHAEkkAXoW3JqdiQg/3FWiPJ9Gww+hh66YZI5UEaRalxl93S47xW0YbFcL3NFirOHbZXflEHW6Wtp+Wco9XoyL7uBmeQBKcOzLTivvo" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-02-21T14:04:13Z", + "mac": "ENC[AES256_GCM,data:ZPkBK+cIm8zAW8Zji/bk5GzlAnz2H3maYzgiHw+dssSyAf2gVZPl8fy5+jHFfg0GfG2Cy2dwEgURNYg7Aa4UsVUq1Xkr/ppl0ZtjMqjCxs0DPK5K3jXjpA7vgvhgPCGBAaZOsA2camkAFPQrUtzWUkLq5D0LmdJGyg1bvCHKVPg=,iv:XvtMDUT3uHmw6moSNcrhhIpPHE8t8FLZl6dtkywAl6c=,tag:peyJkyp/sjAegeOnpyVllQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file From c29131296e085e2cd1b02e43342a6ffbace53ca5 Mon Sep 17 00:00:00 2001 
From: Georgiana Dolocan
Date: Wed, 21 Feb 2024 17:43:13 +0200
Subject: [PATCH 03/23] Add terraform and basic cluster config
---
.../enc-deployer-credentials.secret.json | 25 +++++++++++++++++
.../opensci/enc-support.secret.values.yaml | 17 +++++++++++
config/clusters/opensci/support.values.yaml | 28 +++++++++++++++++++
terraform/aws/projects/opensci.tfvars | 28 +++++++++++++++++++
4 files changed, 98 insertions(+)
create mode 100644 config/clusters/opensci/enc-deployer-credentials.secret.json
create mode 100644 config/clusters/opensci/enc-support.secret.values.yaml
create mode 100644 config/clusters/opensci/support.values.yaml
create mode 100644 terraform/aws/projects/opensci.tfvars
diff --git a/config/clusters/opensci/enc-deployer-credentials.secret.json b/config/clusters/opensci/enc-deployer-credentials.secret.json
new file mode 100644
index 000000000..8130dd5fc
--- /dev/null
+++ b/config/clusters/opensci/enc-deployer-credentials.secret.json
@@ -0,0 +1,25 @@ +{ + "AccessKey": { + "AccessKeyId": "ENC[AES256_GCM,data:MtyZwyAG9hUN2TZmVBY99AUkTzk=,iv:X1yxWvoAR4qlzPGDr9sh5fI5/nPqsKezibr/gJ6sGyI=,tag:JkExYO+KJxqrBep71B+tpw==,type:str]", + "SecretAccessKey": "ENC[AES256_GCM,data:k5ZOOtSBK6GQG60fkcuVju/zuIzyXSmou+lMpbqI9KXj/70nK2vMxw==,iv:rxPpG9bTHAFB6TbtZoJQ6CglXHnDk0d6+3OV3//TqUs=,tag:CksFoyD6jh7Bd3tIZHQvug==,type:str]", + "UserName": "ENC[AES256_GCM,data:POvIw42gLg8qNOAQeZsvyi+Zma/I5Jo=,iv:uMiKk7ONZxSMm5K/rSEgOL1ZusHy8VgFD9C2D2ezEcg=,tag:oDJTF8RmGwpCBpEjvqL+PA==,type:str]" + }, + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + "created_at": "2024-02-21T15:39:23Z", + "enc": "CiUA4OM7eF5o6mB9Vayi+puvS7aVXCANRtsaycfD68b7ISp9B6drEkkAXoW3JtPtnpYszaNYGfUeJiDVthqBYPcRJjtmCPqm6DEVL9Uyyordh2F636IlremL8X5LedANy3V6JQfofNHug3SiOYSzTqaj" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-02-21T15:39:24Z", + "mac": "ENC[AES256_GCM,data:mX6G6KmXOkBiUMT/robJTZ2L8KozL2S8av0UIBhO7lNWo4BJJYLNx9fQL6wzjgWkclE8NI6AiZg57qo6u8SCIV+Fg1veJjsTv9mxOtuV1NbSH8vLs8FOCq0Qp/qDUTFCTIATqqIGPaTB6oUeM7TkBAlwS3SedRn/GTVMAFFDjbY=,iv:zncrRM8g/aC+oh/Hoogil+kUSst/GXOrQbKOwtbw1G4=,tag:V4wlwuxyDLVdLn9t1No41Q==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/config/clusters/opensci/enc-support.secret.values.yaml b/config/clusters/opensci/enc-support.secret.values.yaml new file mode 100644 index 000000000..d19f4384f --- /dev/null +++ b/config/clusters/opensci/enc-support.secret.values.yaml 
@@ -0,0 +1,17 @@ +prometheusIngressAuthSecret: + username: ENC[AES256_GCM,data:NAA8fg7Oin4CLlFAR0/q9I0FpqHHsyXntce7by5Fg4B4PVGnmboc6hiHKbcvq4gkhFu3JkSPO/UZOnAi/vPXVA==,iv:t21nYjrvFgJ5vRM/8FDGwMrlGiLYsE9R4+BFxjDf91c=,tag:gnyjHQCSfouHljf6AzQKiw==,type:str] + password: ENC[AES256_GCM,data:Dcu0hyudGn0a51p8yutj2MbMv0ydSS/ewXqDF1xAVsWV75DUikNjnqxKZWbBDmjZisi+lMiRHZEUrxaszcGE9w==,iv:AM/9clOgMS80/JdZb1UC9fZNliQwhD8BJdZmSk7+Xow=,tag:kV4UPf5vPkTjESJGNusS9A==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-02-21T14:04:13Z" + enc: CiUA4OM7eH9GfolTeTic397lI94/FljLr1s7Hz77OOck8EsW/8pvEkkAXoW3JqTtm0UrLSlLBrebh+OQ+6ik5KFXmY8Xxl9ICv9kSnbz7CFBvAHlhrP7W7/NK8ZP5+6NnOivp0SZlghOW9M5Lv5ZpnQc + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-02-21T14:04:13Z" + mac: ENC[AES256_GCM,data:IlvuWpEYx2Qjp12hXHSnQdS9RYU1lwH2L8CgE1Js2cXRzhFr+cRalpJ68h/G8uzJOowb/WI5svSBB372HoX0FSf3kRmUPBdj0nI0Leb7kzZoOWJfVsCNh+Z7KVqs7iBnCWRtIr5v00eD6WUf1Q93qgxgcuZgAewd8rzaiixN0GE=,iv:I6/qm0v3/kBt+zFXm/jM29wo3ZW8p6xT9cfI+ruJGCQ=,tag:F2rZt0kHoHSsdECq0IY7eQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/config/clusters/opensci/support.values.yaml b/config/clusters/opensci/support.values.yaml new file mode 100644 index 000000000..690b30401 --- /dev/null +++ b/config/clusters/opensci/support.values.yaml @@ -0,0 +1,28 @@ +prometheusIngressAuthSecret: + enabled: true + +prometheus: + server: + ingress: + enabled: true + hosts: + - prometheus.opensci.2i2c.cloud + tls: + - secretName: prometheus-tls + hosts: + - prometheus.opensci.2i2c.cloud + +grafana: + grafana.ini: + server: + root_url: https://grafana.opensci.2i2c.cloud/ + auth.github: + enabled: true + allowed_organizations: 2i2c-org + ingress: + hosts: + - grafana.opensci.2i2c.cloud + tls: + - secretName: grafana-tls + hosts: + - grafana.opensci.2i2c.cloud 
diff --git a/terraform/aws/projects/opensci.tfvars b/terraform/aws/projects/opensci.tfvars new file mode 100644 index 000000000..7472d20bc --- /dev/null +++ b/terraform/aws/projects/opensci.tfvars @@ -0,0 +1,28 @@ +region = "us-west-2" + +cluster_name = "opensci" + +cluster_nodes_location = "us-west-2a" + +user_buckets = { + "scratch-staging" : { + "delete_after" : 7 + }, + "scratch" : { + "delete_after" : 7 + }, +} + + +hub_cloud_permissions = { + "staging" : { + requestor_pays : true, + bucket_admin_access : ["scratch-staging"], + extra_iam_policy : "" + }, + "prod" : { + requestor_pays : true, + bucket_admin_access : ["scratch"], + extra_iam_policy : "" + }, +} \ No newline at end of file From 58347a22d99c92029949e3db20c7da8fd61c4e22 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 21 Feb 2024 17:50:06 +0200 Subject: [PATCH 04/23] Add basic cluster config file --- config/clusters/opensci/cluster.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 config/clusters/opensci/cluster.yaml diff --git a/config/clusters/opensci/cluster.yaml b/config/clusters/opensci/cluster.yaml new file mode 100644 index 000000000..28c5060ac --- /dev/null +++ b/config/clusters/opensci/cluster.yaml @@ -0,0 +1,8 @@ +name: opensci +provider: aws +aws: + key: enc-deployer-credentials.secret.json + clusterType: eks + clusterName: opensci + region: us-west-2 +hubs: [] From b04118f0952a681860c489c2dbfa401859d34156 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Thu, 22 Feb 2024 14:18:22 +0200 Subject: [PATCH 05/23] Add the new cluster to the deployment workflow --- .github/workflows/deploy-hubs.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy-hubs.yaml b/.github/workflows/deploy-hubs.yaml index c2ae2ff39..b6f821b8b 100644 --- a/.github/workflows/deploy-hubs.yaml +++ b/.github/workflows/deploy-hubs.yaml 
@@ -206,6 +206,7 @@ jobs: failure_hhmi: "${{ env.failure_hhmi }}" failure_nasa-esdis: "${{ env.failure_nasa-esdis }}" failure_earthscope: "${{ env.failure_earthscope }}" + failure_opensci: "${{ env.failure_opensci }}" # Only run this job on pushes to the default branch and when the job output is not # an empty list From 361eaef5c26f5c90e4b858812aa0648bd8ff1f1d Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Thu, 22 Feb 2024 14:19:10 +0200 Subject: [PATCH 06/23] Add the support config and initial staging hub --- config/clusters/opensci/cluster.yaml | 17 +- config/clusters/opensci/common.values.yaml | 179 ++++++++++++++++++ .../opensci/enc-staging.secret.values.yaml | 20 ++ config/clusters/opensci/staging.values.yaml | 17 ++ config/clusters/opensci/support.values.yaml | 6 + 5 files changed, 238 insertions(+), 1 deletion(-) create mode 100644 config/clusters/opensci/common.values.yaml create mode 100644 config/clusters/opensci/enc-staging.secret.values.yaml create mode 100644 config/clusters/opensci/staging.values.yaml diff --git a/config/clusters/opensci/cluster.yaml b/config/clusters/opensci/cluster.yaml index 28c5060ac..598ccb156 100644 --- a/config/clusters/opensci/cluster.yaml +++ b/config/clusters/opensci/cluster.yaml @@ -5,4 +5,19 @@ aws: clusterType: eks clusterName: opensci region: us-west-2 -hubs: [] +support: + helm_chart_values_files: + - support.values.yaml + - enc-support.secret.values.yaml +hubs: + - name: staging + display_name: "Opensci (staging)" + domain: staging.opensci.2i2c.cloud + helm_chart: basehub + helm_chart_values_files: + # The order in which you list files here is the order the will be passed + # to the helm upgrade command in, and that has meaning. Please check + # that you intend for these files to be applied in this order. + - common.values.yaml + - staging.values.yaml + - enc-staging.secret.values.yaml 
diff --git a/config/clusters/opensci/common.values.yaml b/config/clusters/opensci/common.values.yaml
new file mode 100644
index 000000000..0d701951b
--- /dev/null
+++ b/config/clusters/opensci/common.values.yaml
@@ -0,0 +1,179 @@ +nfs: + pv: + # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html + mountOptions: + - rsize=1048576 + - wsize=1048576 + - timeo=600 + - soft # We pick soft over hard, so NFS lockups don't lead to hung processes + - retrans=2 + - noresvport + serverIP: fs-065fcb5bb0ad79b25.efs.us-west-2.amazonaws.com + baseShareName: / + +jupyterhub: + custom: + 2i2c: + add_staff_user_ids_to_admin_users: true + add_staff_user_ids_of_type: "github" + jupyterhubConfigurator: + enabled: false + homepage: + templateVars: + org: + name: Demo image building with binderhub-service + url: https://2i2c.org + logo_url: https://2i2c.org/media/logo.png + designed_by: + name: 2i2c + url: https://2i2c.org + operated_by: + name: 2i2c + url: https://2i2c.org + funded_by: + name: "" + url: "" + singleuser: + profileList: + - display_name: "Only Profile Available, this info is not shown in the UI" + slug: only-choice + profile_options: + image: + display_name: Image + unlisted_choice: &profile_list_unlisted_choice + enabled: True + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" + display_name_in_choices: "Specify an existing docker image" + description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)" + kubespawner_override: + image: "{value}" + choices: + pangeo: + display_name: Pangeo Notebook Image + description: "Python image with scientific, dask and geospatial tools" + kubespawner_override: + image: pangeo/pangeo-notebook:2023.09.11 + geospatial: + display_name: Rocker Geospatial + description: "R image with RStudio, the tidyverse & Geospatial tools" + default: true + slug: geospatial + kubespawner_override: + image: rocker/binder:4.3 + # Launch into RStudio after the user logs in + default_url: /rstudio + # Ensures container working dir is homedir + # https://github.com/2i2c-org/infrastructure/issues/2559 + 
working_dir: /home/rstudio + scipy: + display_name: Jupyter SciPy Notebook + slug: scipy + kubespawner_override: + image: jupyter/scipy-notebook:2023-06-26 + resources: + display_name: Resource Allocation + choices: + mem_3_4: + display_name: 3.4 GB RAM, upto 3.485 CPUs + kubespawner_override: + mem_guarantee: 3662286336 + mem_limit: 3662286336 + cpu_guarantee: 0.435625 + cpu_limit: 3.485 + node_selector: + node.kubernetes.io/instance-type: n2-highmem-4 + default: true + mem_6_8: + display_name: 6.8 GB RAM, upto 3.485 CPUs + kubespawner_override: + mem_guarantee: 7324572672 + mem_limit: 7324572672 + cpu_guarantee: 0.87125 + cpu_limit: 3.485 + node_selector: + node.kubernetes.io/instance-type: n2-highmem-4 + mem_13_6: + display_name: 13.6 GB RAM, upto 3.485 CPUs + kubespawner_override: + mem_guarantee: 14649145344 + mem_limit: 14649145344 + cpu_guarantee: 1.7425 + cpu_limit: 3.485 + node_selector: + node.kubernetes.io/instance-type: n2-highmem-4 + mem_27_3: + display_name: 27.3 GB RAM, upto 3.485 CPUs + kubespawner_override: + mem_guarantee: 29298290688 + mem_limit: 29298290688 + cpu_guarantee: 3.485 + cpu_limit: 3.485 + node_selector: + node.kubernetes.io/instance-type: n2-highmem-4 + hub: + # Allows for multiple concurrent demos + allowNamedServers: true + services: + binder: + # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 + # for something more readable and requiring less copy-pasting + url: http://imagebuilding-demo-binderhub-service:8090 + image: + name: quay.io/2i2c/dynamic-image-building-experiment + tag: "0.0.1-0.dev.git.7567.ha4162031" + config: + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + allowed_organizations: + - 2i2c-demo-hub-access + - ScienceCore + scope: + - read:org + + extraConfig: + enable-fancy-profiles: | + from jupyterhub_fancy_profiles import setup_ui + setup_ui(c) + +binderhub-service: + nodeSelector: + hub.jupyter.org/node-purpose: core + enabled: true + service: + port: 8090 + # The DaemonSet 
at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml + # will start a docker-api pod on a user node. + # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, + # that will be accessible via a unix socket, mounted by the build. + # The docker-api pod must run on the same node as the builder pods. + dockerApi: + nodeSelector: + hub.jupyter.org/node-purpose: user + tolerations: + # Tolerate tainted jupyterhub user nodes + - key: hub.jupyter.org_dedicated + value: user + effect: NoSchedule + - key: hub.jupyter.org/dedicated + value: user + effect: NoSchedule + config: + BinderHub: + base_url: /services/binder + use_registry: true + # Re-uses the registry created for the `binderhub-staging` hub + # but pushes images under a different prefix + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service- + KubernetesBuildExecutor: + # Get ourselves a newer repo2docker! + build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 + node_selector: + # Schedule builder pods to run on user nodes only + hub.jupyter.org/node-purpose: user + # The password to the registry is stored encrypted in the hub's encrypted config file + buildPodsRegistryCredentials: + server: "https://us-central1-docker.pkg.dev" + username: "_json_key" diff --git a/config/clusters/opensci/enc-staging.secret.values.yaml b/config/clusters/opensci/enc-staging.secret.values.yaml new file mode 100644 index 000000000..a04fd2334 --- /dev/null +++ b/config/clusters/opensci/enc-staging.secret.values.yaml 
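Review bot: `buildPodsRegistryCredentials` at the end of this file sets only `server` and `username`, and its comment says the password is kept in the hub's encrypted values file, but the `enc-staging.secret.values.yaml` added in this same patch shows only `jupyterhub.hub.config.GitHubOAuthenticator` keys (sops leaves key names readable). Unless a later patch in the series adds a `binderhub-service.buildPodsRegistryCredentials.password` entry there, image pushes will presumably fail. The `image_prefix` also points at the `binder-staging-registry` path with the generic `binderhub-service-` prefix, and the `binder` service URL still names `imagebuilding-demo`, so this block looks carried over from another hub. If so, this AWS cluster would hold a `_json_key` credential that can push into a registry shared with other hubs, and images built on either hub would land under the same names. Consider a prefix unique to this hub and a push credential scoped to it, and update the comment to say so, e.g. `# Shares the binder-staging registry; images are pushed under a prefix unique to opensci`.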
@@ -0,0 +1,20 @@ +jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:s6J6NCDKC+8DWL/G1HfeoS6LvVw=,iv:ppAQJ0Bcp4jR2RM7ZzpjKN8a+lKCAf93m8GxyoemFvY=,tag:xNT4AbtaYEilgTPtOAb+Lw==,type:str] + client_secret: ENC[AES256_GCM,data:690jNdjfNH8tEOmPs8vvsaU1R9Z0ooQIY/EabmqX4bU7CSF6Ho6rOQ==,iv:TXeDQdL4Bzx1Ky0fjg1tNCPhRG1lJra5KvzPkSHMYmE=,tag:m173HByyyMF0CEvt4aJBCw==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-02-22T12:06:32Z" + enc: CiUA4OM7eP01v1Kyb9Ju8g3mAA1U9yPxtdOKulHLakW+cmwRyDweEkkAXoW3JodsyugXQTcoglPT5W4ElfRnz3O0EMdsoNY5DHJiaKFSa6bZUOrbePG1/9R6vA7iPS4ZX1f1kd8iyYIb05255bumCIzo + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-02-22T12:06:33Z" + mac: ENC[AES256_GCM,data:3SL337k6foIN/veukv1DeYRP4xmSbnhLaEKgujqbjSG2AzBZPngukdhUQ31ExO6/MqcjFpSllicHZPhjtPYcgSbxJfKRM+7zxEofeZqVtJkA3Q1N0J3JigTm483MNTc9l89Rn+JnaKej1ouBaR3O3PD6jjCAowZXpKoSgcrgxPk=,iv:dBfT1g+ZR1kwbp2rNFdekwKlTcpnt4/72ExKybqTJwo=,tag:lzCkerc3rNarGHWy3CfcrQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/config/clusters/opensci/staging.values.yaml b/config/clusters/opensci/staging.values.yaml new file mode 100644 index 000000000..c2c939b6d --- /dev/null +++ b/config/clusters/opensci/staging.values.yaml @@ -0,0 +1,17 @@ +jupyterhub: + ingress: + hosts: + - staging.opensci.2i2c.cloud + tls: + - secretName: https-auto-tls + hosts: + - staging.opensci.2i2c.cloud + hub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://staging.opensci.2i2c.cloud/hub/oauth_callback + services: + binder: + # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 + # for something more readable and requiring less copy-pasting + url: https://staging.opensci-binderhub-service:8090 diff --git a/config/clusters/opensci/support.values.yaml b/config/clusters/opensci/support.values.yaml index 690b30401..d1d7ba1c9 100644 
--- a/config/clusters/opensci/support.values.yaml +++ b/config/clusters/opensci/support.values.yaml @@ -1,6 +1,12 @@ prometheusIngressAuthSecret: enabled: true +cluster-autoscaler: + enabled: true + autoDiscovery: + clusterName: opensci + awsRegion: us-west-2 + prometheus: server: ingress: From 73d805571771b4793ac709a6b0131798f3832d8e Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Thu, 22 Feb 2024 14:51:23 +0200 Subject: [PATCH 07/23] Update the resource allocation options to aws --- config/clusters/opensci/common.values.yaml | 56 +++++++++++----------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/config/clusters/opensci/common.values.yaml b/config/clusters/opensci/common.values.yaml index 0d701951b..8a91f0054 100644 --- a/config/clusters/opensci/common.values.yaml +++ b/config/clusters/opensci/common.values.yaml 
@@ -75,43 +75,43 @@ jupyterhub: resources: display_name: Resource Allocation choices: - mem_3_4: - display_name: 3.4 GB RAM, upto 3.485 CPUs + mem_3_7: + display_name: 3.7 GB RAM, upto 3.7 CPUs kubespawner_override: - mem_guarantee: 3662286336 - mem_limit: 3662286336 - cpu_guarantee: 0.435625 - cpu_limit: 3.485 + mem_guarantee: 3982682624 + mem_limit: 3982682624 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 node_selector: - node.kubernetes.io/instance-type: n2-highmem-4 + node.kubernetes.io/instance-type: r5.xlarge default: true - mem_6_8: - display_name: 6.8 GB RAM, upto 3.485 CPUs + mem_7_4: + display_name: 7.4 GB RAM, upto 3.7 CPUs kubespawner_override: - mem_guarantee: 7324572672 - mem_limit: 7324572672 - cpu_guarantee: 0.87125 - cpu_limit: 3.485 + mem_guarantee: 7965365248 + mem_limit: 7965365248 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 node_selector: - node.kubernetes.io/instance-type: n2-highmem-4 - mem_13_6: - display_name: 13.6 GB RAM, upto 3.485 CPUs + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.7 CPUs kubespawner_override: - mem_guarantee: 14649145344 - mem_limit: 14649145344 - cpu_guarantee: 1.7425 - cpu_limit: 3.485 + mem_guarantee: 15930730496 + mem_limit: 15930730496 + cpu_guarantee: 1.875 + cpu_limit: 3.75 node_selector: - node.kubernetes.io/instance-type: n2-highmem-4 - mem_27_3: - display_name: 27.3 GB RAM, upto 3.485 CPUs + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.7 CPUs kubespawner_override: - mem_guarantee: 29298290688 - mem_limit: 29298290688 - cpu_guarantee: 3.485 - cpu_limit: 3.485 + mem_guarantee: 31861460992 + mem_limit: 31861460992 + cpu_guarantee: 3.75 + cpu_limit: 3.75 node_selector: - node.kubernetes.io/instance-type: n2-highmem-4 + node.kubernetes.io/instance-type: r5.xlarge hub: # Allows for multiple concurrent demos allowNamedServers: true From aa0748b41c96ae27c2761d17e3d3068233554790 Mon Sep 17 00:00:00 2001 
From: Georgiana Dolocan Date: Fri, 23 Feb 2024 12:32:27 +0200 Subject: [PATCH 08/23] Move whole config into the staging yaml --- config/clusters/opensci/common.values.yaml | 167 -------------------- config/clusters/opensci/staging.values.yaml | 166 ++++++++++++++++++- 2 files changed, 162 insertions(+), 171 deletions(-) diff --git a/config/clusters/opensci/common.values.yaml b/config/clusters/opensci/common.values.yaml index 8a91f0054..9e58930e8 100644 --- a/config/clusters/opensci/common.values.yaml +++ b/config/clusters/opensci/common.values.yaml 
@@ -10,170 +10,3 @@ nfs: - noresvport serverIP: fs-065fcb5bb0ad79b25.efs.us-west-2.amazonaws.com baseShareName: / - -jupyterhub: - custom: - 2i2c: - add_staff_user_ids_to_admin_users: true - add_staff_user_ids_of_type: "github" - jupyterhubConfigurator: - enabled: false - homepage: - templateVars: - org: - name: Demo image building with binderhub-service - url: https://2i2c.org - logo_url: https://2i2c.org/media/logo.png - designed_by: - name: 2i2c - url: https://2i2c.org - operated_by: - name: 2i2c - url: https://2i2c.org - funded_by: - name: "" - url: "" - singleuser: - profileList: - - display_name: "Only Profile Available, this info is not shown in the UI" - slug: only-choice - profile_options: - image: - display_name: Image - unlisted_choice: &profile_list_unlisted_choice - enabled: True - display_name: "Custom image" - validation_regex: "^.+:.+$" - validation_message: "Must be a publicly available docker image, of form :" - display_name_in_choices: "Specify an existing docker image" - description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)" - kubespawner_override: - image: "{value}" - choices: - pangeo: - display_name: Pangeo Notebook Image - description: "Python image with scientific, dask and geospatial tools" - kubespawner_override: - image: pangeo/pangeo-notebook:2023.09.11 - geospatial: - display_name: Rocker Geospatial - description: "R image with RStudio, the tidyverse & Geospatial tools" - default: true - slug: geospatial - kubespawner_override: - image: rocker/binder:4.3 - # Launch into RStudio after the user logs in - default_url: /rstudio - # Ensures container working dir is homedir - # https://github.com/2i2c-org/infrastructure/issues/2559 - working_dir: /home/rstudio - scipy: - display_name: Jupyter SciPy Notebook - slug: scipy - kubespawner_override: - image: jupyter/scipy-notebook:2023-06-26 - resources: - display_name: Resource Allocation - choices: - mem_3_7: - display_name: 3.7 GB RAM, 
upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 3982682624 - mem_limit: 3982682624 - cpu_guarantee: 0.46875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - default: true - mem_7_4: - display_name: 7.4 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 7965365248 - mem_limit: 7965365248 - cpu_guarantee: 0.9375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_14_8: - display_name: 14.8 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 15930730496 - mem_limit: 15930730496 - cpu_guarantee: 1.875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_29_7: - display_name: 29.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 31861460992 - mem_limit: 31861460992 - cpu_guarantee: 3.75 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - hub: - # Allows for multiple concurrent demos - allowNamedServers: true - services: - binder: - # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 - # for something more readable and requiring less copy-pasting - url: http://imagebuilding-demo-binderhub-service:8090 - image: - name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.7567.ha4162031" - config: - JupyterHub: - authenticator_class: github - GitHubOAuthenticator: - allowed_organizations: - - 2i2c-demo-hub-access - - ScienceCore - scope: - - read:org - - extraConfig: - enable-fancy-profiles: | - from jupyterhub_fancy_profiles import setup_ui - setup_ui(c) - -binderhub-service: - nodeSelector: - hub.jupyter.org/node-purpose: core - enabled: true - service: - port: 8090 - # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml - # will start a docker-api pod on a user node. 
- # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, - # that will be accessible via a unix socket, mounted by the build. - # The docker-api pod must run on the same node as the builder pods. - dockerApi: - nodeSelector: - hub.jupyter.org/node-purpose: user - tolerations: - # Tolerate tainted jupyterhub user nodes - - key: hub.jupyter.org_dedicated - value: user - effect: NoSchedule - - key: hub.jupyter.org/dedicated - value: user - effect: NoSchedule - config: - BinderHub: - base_url: /services/binder - use_registry: true - # Re-uses the registry created for the `binderhub-staging` hub - # but pushes images under a different prefix - image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service- - KubernetesBuildExecutor: - # Get ourselves a newer repo2docker! - build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 - node_selector: - # Schedule builder pods to run on user nodes only - hub.jupyter.org/node-purpose: user - # The password to the registry is stored encrypted in the hub's encrypted config file - buildPodsRegistryCredentials: - server: "https://us-central1-docker.pkg.dev" - username: "_json_key" diff --git a/config/clusters/opensci/staging.values.yaml b/config/clusters/opensci/staging.values.yaml index c2c939b6d..bf75fa88e 100644 --- a/config/clusters/opensci/staging.values.yaml +++ b/config/clusters/opensci/staging.values.yaml 
@@ -6,12 +6,170 @@ jupyterhub: - secretName: https-auto-tls hosts: - staging.opensci.2i2c.cloud + custom: + 2i2c: + add_staff_user_ids_to_admin_users: true + add_staff_user_ids_of_type: "github" + jupyterhubConfigurator: + enabled: false + homepage: + templateVars: + org: + name: Opensci (Staging) + url: https://2i2c.org + logo_url: https://2i2c.org/media/logo.png + designed_by: + name: 2i2c + url: https://2i2c.org + operated_by: + name: 2i2c + url: https://2i2c.org + funded_by: + name: "" + url: "" + singleuser: + profileList: + - display_name: "Only Profile Available, this info is not shown in the UI" + slug: only-choice + profile_options: + image: + display_name: Image + unlisted_choice: &profile_list_unlisted_choice + enabled: True + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" + display_name_in_choices: "Specify an existing docker image" + description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)" + kubespawner_override: + image: "{value}" + choices: + pangeo: + display_name: Pangeo Notebook Image + description: "Python image with scientific, dask and geospatial tools" + kubespawner_override: + image: pangeo/pangeo-notebook:2023.09.11 + geospatial: + display_name: Rocker Geospatial + description: "R image with RStudio, the tidyverse & Geospatial tools" + default: true + slug: geospatial + kubespawner_override: + image: rocker/binder:4.3 + # Launch into RStudio after the user logs in + default_url: /rstudio + # Ensures container working dir is homedir + # https://github.com/2i2c-org/infrastructure/issues/2559 + working_dir: /home/rstudio + scipy: + display_name: Jupyter SciPy Notebook + slug: scipy + kubespawner_override: + image: jupyter/scipy-notebook:2023-06-26 + resources: + display_name: Resource Allocation + choices: + mem_3_7: + display_name: 3.7 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 
3982682624 + mem_limit: 3982682624 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + default: true + mem_7_4: + display_name: 7.4 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 7965365248 + mem_limit: 7965365248 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 15930730496 + mem_limit: 15930730496 + cpu_guarantee: 1.875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 31861460992 + mem_limit: 31861460992 + cpu_guarantee: 3.75 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + hub: - config: - GitHubOAuthenticator: - oauth_callback_url: https://staging.opensci.2i2c.cloud/hub/oauth_callback + # Allows for multiple concurrent demos + allowNamedServers: true services: binder: # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 # for something more readable and requiring less copy-pasting - url: https://staging.opensci-binderhub-service:8090 + url: http://staging-binderhub-service:8090 + image: + name: quay.io/2i2c/dynamic-image-building-experiment + tag: "0.0.1-0.dev.git.7567.ha4162031" + config: + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + oauth_callback_url: https://staging.opensci.2i2c.cloud/hub/oauth_callback + allowed_organizations: + - 2i2c-demo-hub-access + - ScienceCore + scope: + - read:org + + extraConfig: + enable-fancy-profiles: | + from jupyterhub_fancy_profiles import setup_ui + setup_ui(c) + +binderhub-service: + nodeSelector: + hub.jupyter.org/node-purpose: core + enabled: true + service: + port: 8090 + # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml + # 
will start a docker-api pod on a user node. + # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, + # that will be accessible via a unix socket, mounted by the build. + # The docker-api pod must run on the same node as the builder pods. + dockerApi: + nodeSelector: + hub.jupyter.org/node-purpose: user + tolerations: + # Tolerate tainted jupyterhub user nodes + - key: hub.jupyter.org_dedicated + value: user + effect: NoSchedule + - key: hub.jupyter.org/dedicated + value: user + effect: NoSchedule + config: + BinderHub: + base_url: /services/binder + use_registry: true + # Re-uses the registry created for the `binderhub-staging` hub + # but pushes images under a different prefix + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service- + KubernetesBuildExecutor: + # Get ourselves a newer repo2docker! + build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 + node_selector: + # Schedule builder pods to run on user nodes only + hub.jupyter.org/node-purpose: user + # The password to the registry is stored encrypted in the hub's encrypted config file + buildPodsRegistryCredentials: + server: "https://us-central1-docker.pkg.dev" + username: "_json_key" From 4752ae42075d79b44191a9855adee87dbfb17319 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 23 Feb 2024 13:03:49 +0200 Subject: [PATCH 09/23] Add registry creds --- config/clusters/opensci/enc-staging.secret.values.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/config/clusters/opensci/enc-staging.secret.values.yaml b/config/clusters/opensci/enc-staging.secret.values.yaml index a04fd2334..bced0be13 100644 --- a/config/clusters/opensci/enc-staging.secret.values.yaml +++ b/config/clusters/opensci/enc-staging.secret.values.yaml 
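Review bot: The `dockerApi` and `KubernetesBuildExecutor` blocks at the end of this hunk both select `hub.jupyter.org/node-purpose: user`, so image builds run on the same nodes as user servers and reach dockerd through a mounted unix socket. Whether that daemon runs privileged is not visible in this file; if it does, the node is the only boundary between a build and the other users' pods scheduled on it. I would record that next to the selector, for example `# NOTE: builds share nodes and the dockerd socket with user servers; revisit if builds get their own node group`. The same block is added again in `sciencecore.values.yaml` in PATCH 12/23.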
@@ -1,3 +1,6 @@ +binderhub-service: + buildPodsRegistryCredentials: + password: ENC[AES256_GCM,data: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,iv:QacAujnWzobIHty1/VpiWUNhY7WXnoJqJq8LjD44Ttg=,tag:9VM1+usAXUj+3rZwW7NFOQ==,type:str] jupyterhub: hub: config: @@ -13,8 +16,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-02-22T12:06:33Z" - mac: ENC[AES256_GCM,data:3SL337k6foIN/veukv1DeYRP4xmSbnhLaEKgujqbjSG2AzBZPngukdhUQ31ExO6/MqcjFpSllicHZPhjtPYcgSbxJfKRM+7zxEofeZqVtJkA3Q1N0J3JigTm483MNTc9l89Rn+JnaKej1ouBaR3O3PD6jjCAowZXpKoSgcrgxPk=,iv:dBfT1g+ZR1kwbp2rNFdekwKlTcpnt4/72ExKybqTJwo=,tag:lzCkerc3rNarGHWy3CfcrQ==,type:str] + lastmodified: "2024-02-23T10:41:27Z" + mac: ENC[AES256_GCM,data:Iy3P4qI6Fe53yLA5gF69qjjmlaP0cXufyqxp0nPHi1XVCnaGmSsSkFvVEUUyi+ZZ/nvTWf+K22g8QTWEFwuANor1wZms73ATrkU8LRp3Tp72v3OJHFqCOJOpvAk0XhjLBhZjxkSdvcC/XgBUnW/i0+fCDMtTAz8aLMDdgVp6dm8=,iv:GSxTy8DdXKz2iW9/ZO1GniSW0Ccp/0tTOz4lJ6Jsd5w=,tag:Po+2MsvZ/pokWYcRYvAxqw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From 631369ebf7f1907fcce42bc9f48417c5b4d4c28e Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 23 Feb 2024 13:04:03 +0200 Subject: [PATCH 10/23] Update the image prefix --- config/clusters/opensci/staging.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/opensci/staging.values.yaml b/config/clusters/opensci/staging.values.yaml index bf75fa88e..c26ccad8a 100644 --- a/config/clusters/opensci/staging.values.yaml +++ b/config/clusters/opensci/staging.values.yaml 
@@ -162,7 +162,7 @@ binderhub-service: use_registry: true # Re-uses the registry created for the `binderhub-staging` hub # but pushes images under a different prefix - image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service- + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/opensci- KubernetesBuildExecutor: # Get ourselves a newer repo2docker! build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 From 40e202464ddf82ec9f02f3a0296d93e8bfe82cb7 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 23 Feb 2024 14:04:56 +0200 Subject: [PATCH 11/23] Rm the staging hub --- config/clusters/opensci/cluster.yaml | 10 +- .../opensci/enc-staging.secret.values.yaml | 23 --- config/clusters/opensci/staging.values.yaml | 175 ------------------ 3 files changed, 5 insertions(+), 203 deletions(-) delete mode 100644 config/clusters/opensci/enc-staging.secret.values.yaml delete mode 100644 config/clusters/opensci/staging.values.yaml diff --git a/config/clusters/opensci/cluster.yaml b/config/clusters/opensci/cluster.yaml index 598ccb156..3ba0308dc 100644 --- a/config/clusters/opensci/cluster.yaml +++ b/config/clusters/opensci/cluster.yaml @@ -10,14 +10,14 @@ support: - support.values.yaml - enc-support.secret.values.yaml hubs: - - name: staging - display_name: "Opensci (staging)" - domain: staging.opensci.2i2c.cloud + - name: sciencecore + display_name: "Sciencecore " + domain: sciencecore.opensci.2i2c.cloud helm_chart: basehub helm_chart_values_files: # The order in which you list files here is the order the will be passed # to the helm upgrade command in, and that has meaning. Please check # that you intend for these files to be applied in this order. - common.values.yaml - - staging.values.yaml - - enc-staging.secret.values.yaml + - sciencecore.values.yaml + - enc-sciencecore.secret.values.yaml 
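Review bot: With `image_prefix` ending in `binder-staging-registry/opensci-`, the prefix is the only thing separating this hub's built images from those of the `binderhub-staging` hub, which the comment above the changed line says uses the same registry. Nothing in this file shows that the push credential under `buildPodsRegistryCredentials` further down is limited to that prefix, so a build on one hub could presumably overwrite an image the other hub later pulls. If the shared registry stays, the comment should say so, for example `# NOTE: the prefix is naming only; the push credential is shared with binderhub-staging`.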
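Review bot: The new `display_name: "Sciencecore "` in the `cluster.yaml` hunk has a trailing space inside the quotes, which looks left over from editing the old `"Opensci (staging)"` value. Anything that prints or compares this name will carry the space along, so I would change it to `display_name: "Sciencecore"`.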
diff --git a/config/clusters/opensci/enc-staging.secret.values.yaml b/config/clusters/opensci/enc-staging.secret.values.yaml deleted file mode 100644 index bced0be13..000000000 --- a/config/clusters/opensci/enc-staging.secret.values.yaml +++ /dev/null @@ -1,23 +0,0 @@ -binderhub-service: - buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data: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,iv:QacAujnWzobIHty1/VpiWUNhY7WXnoJqJq8LjD44Ttg=,tag:9VM1+usAXUj+3rZwW7NFOQ==,type:str] -jupyterhub: - hub: - config: - GitHubOAuthenticator: - client_id: ENC[AES256_GCM,data:s6J6NCDKC+8DWL/G1HfeoS6LvVw=,iv:ppAQJ0Bcp4jR2RM7ZzpjKN8a+lKCAf93m8GxyoemFvY=,tag:xNT4AbtaYEilgTPtOAb+Lw==,type:str] - client_secret: ENC[AES256_GCM,data:690jNdjfNH8tEOmPs8vvsaU1R9Z0ooQIY/EabmqX4bU7CSF6Ho6rOQ==,iv:TXeDQdL4Bzx1Ky0fjg1tNCPhRG1lJra5KvzPkSHMYmE=,tag:m173HByyyMF0CEvt4aJBCw==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2024-02-22T12:06:32Z" - enc: CiUA4OM7eP01v1Kyb9Ju8g3mAA1U9yPxtdOKulHLakW+cmwRyDweEkkAXoW3JodsyugXQTcoglPT5W4ElfRnz3O0EMdsoNY5DHJiaKFSa6bZUOrbePG1/9R6vA7iPS4ZX1f1kd8iyYIb05255bumCIzo - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-02-23T10:41:27Z" - mac: ENC[AES256_GCM,data:Iy3P4qI6Fe53yLA5gF69qjjmlaP0cXufyqxp0nPHi1XVCnaGmSsSkFvVEUUyi+ZZ/nvTWf+K22g8QTWEFwuANor1wZms73ATrkU8LRp3Tp72v3OJHFqCOJOpvAk0XhjLBhZjxkSdvcC/XgBUnW/i0+fCDMtTAz8aLMDdgVp6dm8=,iv:GSxTy8DdXKz2iW9/ZO1GniSW0Ccp/0tTOz4lJ6Jsd5w=,tag:Po+2MsvZ/pokWYcRYvAxqw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/config/clusters/opensci/staging.values.yaml b/config/clusters/opensci/staging.values.yaml deleted file mode 100644 index c26ccad8a..000000000 --- a/config/clusters/opensci/staging.values.yaml +++ /dev/null 
@@ -1,175 +0,0 @@ -jupyterhub: - ingress: - hosts: - - staging.opensci.2i2c.cloud - tls: - - secretName: https-auto-tls - hosts: - - staging.opensci.2i2c.cloud - custom: - 2i2c: - add_staff_user_ids_to_admin_users: true - add_staff_user_ids_of_type: "github" - jupyterhubConfigurator: - enabled: false - homepage: - templateVars: - org: - name: Opensci (Staging) - url: https://2i2c.org - logo_url: https://2i2c.org/media/logo.png - designed_by: - name: 2i2c - url: https://2i2c.org - operated_by: - name: 2i2c - url: https://2i2c.org - funded_by: - name: "" - url: "" - singleuser: - profileList: - - display_name: "Only Profile Available, this info is not shown in the UI" - slug: only-choice - profile_options: - image: - display_name: Image - unlisted_choice: &profile_list_unlisted_choice - enabled: True - display_name: "Custom image" - validation_regex: "^.+:.+$" - validation_message: "Must be a publicly available docker image, of form :" - display_name_in_choices: "Specify an existing docker image" - description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)" - kubespawner_override: - image: "{value}" - choices: - pangeo: - display_name: Pangeo Notebook Image - description: "Python image with scientific, dask and geospatial tools" - kubespawner_override: - image: pangeo/pangeo-notebook:2023.09.11 - geospatial: - display_name: Rocker Geospatial - description: "R image with RStudio, the tidyverse & Geospatial tools" - default: true - slug: geospatial - kubespawner_override: - image: rocker/binder:4.3 - # Launch into RStudio after the user logs in - default_url: /rstudio - # Ensures container working dir is homedir - # https://github.com/2i2c-org/infrastructure/issues/2559 - working_dir: /home/rstudio - scipy: - display_name: Jupyter SciPy Notebook - slug: scipy - kubespawner_override: - image: jupyter/scipy-notebook:2023-06-26 - resources: - display_name: Resource Allocation - choices: - mem_3_7: - display_name: 3.7 GB 
RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 3982682624 - mem_limit: 3982682624 - cpu_guarantee: 0.46875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - default: true - mem_7_4: - display_name: 7.4 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 7965365248 - mem_limit: 7965365248 - cpu_guarantee: 0.9375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_14_8: - display_name: 14.8 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 15930730496 - mem_limit: 15930730496 - cpu_guarantee: 1.875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_29_7: - display_name: 29.7 GB RAM, upto 3.7 CPUs - kubespawner_override: - mem_guarantee: 31861460992 - mem_limit: 31861460992 - cpu_guarantee: 3.75 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - - hub: - # Allows for multiple concurrent demos - allowNamedServers: true - services: - binder: - # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 - # for something more readable and requiring less copy-pasting - url: http://staging-binderhub-service:8090 - image: - name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.7567.ha4162031" - config: - JupyterHub: - authenticator_class: github - GitHubOAuthenticator: - oauth_callback_url: https://staging.opensci.2i2c.cloud/hub/oauth_callback - allowed_organizations: - - 2i2c-demo-hub-access - - ScienceCore - scope: - - read:org - - extraConfig: - enable-fancy-profiles: | - from jupyterhub_fancy_profiles import setup_ui - setup_ui(c) - -binderhub-service: - nodeSelector: - hub.jupyter.org/node-purpose: core - enabled: true - service: - port: 8090 - # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml - # will start a docker-api pod on a user node. 
- # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, - # that will be accessible via a unix socket, mounted by the build. - # The docker-api pod must run on the same node as the builder pods. - dockerApi: - nodeSelector: - hub.jupyter.org/node-purpose: user - tolerations: - # Tolerate tainted jupyterhub user nodes - - key: hub.jupyter.org_dedicated - value: user - effect: NoSchedule - - key: hub.jupyter.org/dedicated - value: user - effect: NoSchedule - config: - BinderHub: - base_url: /services/binder - use_registry: true - # Re-uses the registry created for the `binderhub-staging` hub - # but pushes images under a different prefix - image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/opensci- - KubernetesBuildExecutor: - # Get ourselves a newer repo2docker! - build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 - node_selector: - # Schedule builder pods to run on user nodes only - hub.jupyter.org/node-purpose: user - # The password to the registry is stored encrypted in the hub's encrypted config file - buildPodsRegistryCredentials: - server: "https://us-central1-docker.pkg.dev" - username: "_json_key" From fdba7447d883902c192c7cb1bd8fd4c857dfab09 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 23 Feb 2024 14:05:20 +0200 Subject: [PATCH 12/23] Add the science core hub instead --- .../enc-sciencecore.secret.values.yaml | 23 +++ .../clusters/opensci/sciencecore.values.yaml | 175 ++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 config/clusters/opensci/enc-sciencecore.secret.values.yaml create mode 100644 config/clusters/opensci/sciencecore.values.yaml diff --git a/config/clusters/opensci/enc-sciencecore.secret.values.yaml b/config/clusters/opensci/enc-sciencecore.secret.values.yaml new file mode 100644 index 000000000..7ab0a63c1 --- /dev/null +++ b/config/clusters/opensci/enc-sciencecore.secret.values.yaml 
@@ -0,0 +1,23 @@
+binderhub-service:
+ buildPodsRegistryCredentials:
+ password: ENC[AES256_GCM,data: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,iv:iWOUHcl6uE/5WtybLkDYM7duIpnFKQaSn2/bFvg3GKw=,tag:OL02P4I73VNxhNA1cD7KhA==,type:str]
+jupyterhub:
+ hub:
+ config:
+ GitHubOAuthenticator:
+ client_id: ENC[AES256_GCM,data:dhNb/AwKFr/2s1+RUIsndJ5EKC4=,iv:6Rzm5NBgBZcHrOyWFYi1qib1iraWoRpeoPCo42wUD10=,tag:JIKjxJQ8I8fM+Z+MFRfsEA==,type:str]
+ client_secret: ENC[AES256_GCM,data:LQedpZelm6SO8KAFBpV5fHFYmTOXyzz75HoKC+N9D3/lH7TXZFxl9w==,iv:isCaLvhi3aU/mOLEtsRegzSVxcMh4HRV2kCB3Klrsq0=,tag:c3zZ2190eyzsuK1Mv2t6CQ==,type:str]
+sops:
+ kms: []
+ gcp_kms:
+ - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+ created_at: "2023-09-18T19:00:41Z"
+ enc: CiUA4OM7eFioG9yDgVwKtc0cYrU65GNcqMSDuUgnuXuq3KW9dRI6EkkAq2nhVV2TFrZOq5jktjMd4TQF1lwH/08tAyGd3vMfBmdd3Xdy3bAUUHhrPXcK6QabMRYdXPzQzgB+oBGaqOsJO7D7jT9NpeCn
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-02-23T11:56:17Z"
+ mac: ENC[AES256_GCM,data:1NuBjid3SNq/Fv5Pxdfby5Wl7mb7mQG9MYa6pjPaEU2YFf9wRK8WNADCEa4H98xI4dPxcFyftJ0Ww7xUX2o6sa6N6ExM0RMbpSFZ7gttUhDTsLa/D1oYvyr5sFZXOsfeXKyqmSeQZ8+zmZ1GROKjSuNpumS+TGe5ir2EIE3Zuf0=,iv:bJqET8IxysTgdjvmlL2u4xU/fcnDV+j4AlShoMeQ28k=,tag:N+e3YkfTFqEaqqYPwpmuLQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3
diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml
new file mode 100644
index 000000000..b45508baa
--- /dev/null
+++ b/config/clusters/opensci/sciencecore.values.yaml
@@ -0,0 +1,175 @@ +jupyterhub: + ingress: + hosts: + - sciencecore.opensci.2i2c.cloud + tls: + - secretName: https-auto-tls + hosts: + - sciencecore.opensci.2i2c.cloud + custom: + 2i2c: + add_staff_user_ids_to_admin_users: true + add_staff_user_ids_of_type: "github" + jupyterhubConfigurator: + enabled: false + homepage: + templateVars: + org: + name: Sciencecore + url: https://2i2c.org + logo_url: https://2i2c.org/media/logo.png + designed_by: + name: 2i2c + url: https://2i2c.org + operated_by: + name: 2i2c + url: https://2i2c.org + funded_by: + name: "" + url: "" + singleuser: + profileList: + - display_name: "Only Profile Available, this info is not shown in the UI" + slug: only-choice + profile_options: + image: + display_name: Image + unlisted_choice: &profile_list_unlisted_choice + enabled: True + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" + display_name_in_choices: "Specify an existing docker image" + description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)" + kubespawner_override: + image: "{value}" + choices: + pangeo: + display_name: Pangeo Notebook Image + description: "Python image with scientific, dask and geospatial tools" + kubespawner_override: + image: pangeo/pangeo-notebook:2023.09.11 + geospatial: + display_name: Rocker Geospatial + description: "R image with RStudio, the tidyverse & Geospatial tools" + default: true + slug: geospatial + kubespawner_override: + image: rocker/binder:4.3 + # Launch into RStudio after the user logs in + default_url: /rstudio + # Ensures container working dir is homedir + # https://github.com/2i2c-org/infrastructure/issues/2559 + working_dir: /home/rstudio + scipy: + display_name: Jupyter SciPy Notebook + slug: scipy + kubespawner_override: + image: jupyter/scipy-notebook:2023-06-26 + resources: + display_name: Resource Allocation + choices: + mem_3_7: + display_name: 3.7 GB 
RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 3982682624 + mem_limit: 3982682624 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + default: true + mem_7_4: + display_name: 7.4 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 7965365248 + mem_limit: 7965365248 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 15930730496 + mem_limit: 15930730496 + cpu_guarantee: 1.875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.7 CPUs + kubespawner_override: + mem_guarantee: 31861460992 + mem_limit: 31861460992 + cpu_guarantee: 3.75 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + + hub: + # Allows for multiple concurrent demos + allowNamedServers: true + services: + binder: + # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 + # for something more readable and requiring less copy-pasting + url: http://sciencecore-binderhub-service:8090 + image: + name: quay.io/2i2c/dynamic-image-building-experiment + tag: "0.0.1-0.dev.git.7567.ha4162031" + config: + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + oauth_callback_url: https://sciencecore.opensci.2i2c.cloud/hub/oauth_callback + allowed_organizations: + - 2i2c-demo-hub-access + - ScienceCore + scope: + - read:org + + extraConfig: + enable-fancy-profiles: | + from jupyterhub_fancy_profiles import setup_ui + setup_ui(c) + +binderhub-service: + nodeSelector: + hub.jupyter.org/node-purpose: core + enabled: true + service: + port: 8090 + # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml + # will start a docker-api pod on a user node. 
+ # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, + # that will be accessible via a unix socket, mounted by the build. + # The docker-api pod must run on the same node as the builder pods. + dockerApi: + nodeSelector: + hub.jupyter.org/node-purpose: user + tolerations: + # Tolerate tainted jupyterhub user nodes + - key: hub.jupyter.org_dedicated + value: user + effect: NoSchedule + - key: hub.jupyter.org/dedicated + value: user + effect: NoSchedule + config: + BinderHub: + base_url: /services/binder + use_registry: true + # Re-uses the registry created for the `binderhub-staging` hub + # but pushes images under a different prefix + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/opensci- + KubernetesBuildExecutor: + # Get ourselves a newer repo2docker! + build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 + node_selector: + # Schedule builder pods to run on user nodes only + hub.jupyter.org/node-purpose: user + # The password to the registry is stored encrypted in the hub's encrypted config file + buildPodsRegistryCredentials: + server: "https://us-central1-docker.pkg.dev" + username: "_json_key" From 7ba5d437d58e78ee2772d3c4daf6c06b848e2ffc Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Sun, 25 Feb 2024 19:01:24 +0200 Subject: [PATCH 13/23] Switch to quay.io --- config/clusters/opensci/enc-sciencecore.secret.values.yaml | 6 +++--- config/clusters/opensci/sciencecore.values.yaml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/opensci/enc-sciencecore.secret.values.yaml b/config/clusters/opensci/enc-sciencecore.secret.values.yaml index 7ab0a63c1..90e60c5a2 100644 --- a/config/clusters/opensci/enc-sciencecore.secret.values.yaml +++ b/config/clusters/opensci/enc-sciencecore.secret.values.yaml 
@@ -1,6 +1,6 @@ binderhub-service: buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data:1OhtPmu5jb1D1yUMvIY2tcGpGYRFXnibqinkdalyDqsbDgCdtHLS9Hojidm8JchEXWDpI7wtwXEWXDvm4gXj3g1RpDI+ghUT1v5GeV0Gx9KLDSSdf+mUMC27HlqT5CdVeA9vJs3kjjZ3lBPjZGRi3Yec1tFNVUvbHiCTBTosBIA3YAUdG2rUMxjB2MTxiZzLl5sAICDEmYmbHRLNL7HjbXvpzFYvLxKZIqR4V8jeNBWyfMttCnTqYFNoFrB89WlmgJqdy7JvgmjOlSYBkPd/Czajk2bYeb2DNZmk0OOohDYygdSk1GQM7mNKHB6ToyvxKNnl2rpZxFIZNPvUIoiiS/D0+bvZtkZ3ENhggDVCf7pI4ZtStuQNTjOn7AbkKpHL+ZjdIwno6eixABGday5ulD9N+Tje8Vmp980vNXsmFljCljIx3D8h2qIFjSZ3THxeTP1IbfdwtbI2CR6WEwjlAgPUGLH3U6fOXX31I6bbsJ3HqJOj2qgqSr4g28Tzyt9k1l3dFAg2tXKyIMVqk45/Dm+k160Rxf7n4bHmicyXASVig/rLHwq3OhZh2uJSozqkT3Omw0tZJyZxSqEfL6Kt1q6sJfS/NxYevZp1+hMA9sf+9hl3o5ltdktqGGDxQoLkHiDdfNUnnyt5+zWUtWwGG1CZQ3P7aiQwkLAZ66LsJ/nsK02mBK9ae5D8/lbCEgs069ryDD6KY5in/2Oe+6CGw0bqG/swRNJFr65kQ2oZMRNBhT6pVR2RFkskZY8buBBt+rlXwZqbdVhfTkv0OVwZIxRVcMMDi9xYuGDpvdJ6xTyKZ7cX7TnPO7fV1DRjprt2YkqcYL8j+KkQ+UzJ9zbwYLrSrqIu0kpHlCJwsxix3u6lvmd028uhVkDd2GKaN7Q2c3vJx9Sm3KBVmKcL5+HFHfoy59Ouo4oIVcvEecHDvp8UDDkm8RzFHGaZZZeZ4UqGHETU/ZGB+0tKZpZjzwOKQbPYWrTEadd1rzRC+8UqYjOyQRiCPnDpnsXBmcvXYZ0F+WnB4E/EJaqdRmfoSlZFivjq8aEoc7xx6XsPDwyEEgBAV1MfV5VY3RiHGXUI2BRquObDTl+RBTb2saQzI9ONzAqa9HlJ3rmMQgeXVzgtXB8jKuXQDdmJMrTZnPRCy1IdQrqeUkNOhgP4JZXVws+so1K/DhnUNMtgFoTS3gFtQNHGojAEUK0RkaNj8EeU4ODiWsO7b9bGbwKK5aKMCzoZrjVsoKb/aCBGw6innDJnZQcV0EPsSsJ2eqB9f8iVeQSIkzFRQnmEiQG07MO9j0onJxjtpQ68Pa68Jhr2JegaRX/ixX5mHkquMCIsyERIJXk+yQ0cbeROeTu0HcnTf8i6oyEfOb1qpDXgMyFpKNH7VUZeKfNyec9oOuEVcG7UM6ewdnq5FUcV5raXxyaHXy5zfk3pZ2sA6Ov+5tPSihmlAHg8lfC0jsOxzxY8iAU5JTf6xRCYrPMdy8CqZRzYdtM9TPaz4LUOJyH3BCuGzPttzd9Q5N9l/kvNe+U4zJ3C9pCR0sgo5G1DTRcofpuCHQmpEuOfoMwSPdi4RT9nR4+d7WXl+geyKSqWKF3YxcJRpuyUQ7yC0+NMA6EyKvGx2RgH2rij2wUX8YvEPL0RF4/7iZGG+82z+8IjOCZCKGwwdcZhTuUw/oT22014lQ7EbLTh6EghYoVm/h7q8smqwqw2zBS1PvoadP327/RJcxIXocI7WXc/OlHBgggxQD4S0fpsGz2Glle/vcbx4GGZhU/U1Vh88jtnNgJGR12W2Z/C0u3oplO4jl0+LYK73qmvYQYDkN2EM3SpsY1KTPPFT4Y2qKwXPBZSLdXBA5uMgMrP2S8pKZDEO3l35Q52lzz+C+0wtoaaExp6QA9ruN5nd31pUMyToF/
S2S28a0OAkH/5yrrkSAd16BTeBS3e1miFiWCWhEQbNa+8uZCItuobaf5bS90JeR3t8l/miD/lgWwn51w2HTYmikSlfCcoxtUakhGNCXOHKcTRy61GM7uEdEi0HjsPc+vk6fjF3Rvdsrv8j7CF+HY00wBYudUDRA3dB/7F1ZOTfItgsKdejQmtWPeLiJSXnK/sBR0psd/rmr5wFJU+qIzSiZc7qWeeIophQWw557XBboBcxLOyHwwBUe1rDc4brgm8dHLEnXUfZJeLkL301YthhsSSfKoRnkTPQSpvxiNy62verETEaCJrZ0Q/SD1cPMIdNDHSKIbRDbJEo86G3UFOGE82C+MwVib2v6+Te6V+Ug8jAiW+d3spY4bAmngjzf6JWxHqt6wtxlEUTH4JU3OeqztSNc8dmenjs3frkk2y4tLP0BkMtuf4PMtB2n4OgWjlEPcjO1XcLT+bYOfSU03LBvGAT8N9SACpC+pC44MwnWpdwzTN0b3gFLSbPTh2uynRpniWHoAD3mq0E/A9WcFiWzbXqKplm7m1n9uhOhMEHROv7p9eHgMPMiieu5XEH06KQJ9mRlHBz8iUs086SCjwsM3O7Rtf/pgjrAW2X69cis31iS3JcspCcY+fn2U81TiW+pIS71pMXsl4FtJ+GCVvLPJpYyLmrJhK372mERGT5t9xiNZpmNcyL5vQaQl/F4aq3u2wlcJICFIsx6G58NcB7ICFFkHQ5IF6PCFiTXEr4P4tBPHQO+JewIFbdxFGKUtUHgC13tEvRjb8HD8bOGSnOzTi/wgxB1GujJOrk5sauJ9bARfcOng4v5DJf8xhy7Yy0umhLdwyatQ5UkkKHZO412tJwp9uyfyIlE+XONJdWfSdbxB7y7wZbX9zWOg3HmuMC7SbJAKPrBkQ9pIqilRio9Y5o5kgw/btzFyBo7QeWp0poD/k8YOeB3qDGxnN7nlsDEG778bZ46sR+2mEoV6tJUCJWL9968QW36VFWQzTSACrRISaXNxFS5XYNf4JvMVZI+9bpqZAWOSFfaicpupQnHAqai3eY1VouyG4DOLb5KMzbmcyJZ0Cqks/JOgz5KPIXvT3FkXNjubhGshqoZqfWUEFR/WjdIQJQLeKQIerwKiPX8KWZrjCOFjVJVthkBWI+bslNNtiUlj7Z9xK5+Mv0DnumDthu6d27HKKMbBMpMt5+2c0JXqVK9SvZGl9zy5JzYkj95SniAS4tUpIskX2vIgPXACCl5urfRo8HqxYK1scM8wyn6goIg4H4+ce/3pXBY+TYywoxBaEXtYvt/J/on1jLSp4zlWxrnf53d4QF7LX,iv:iWOUHcl6uE/5WtybLkDYM7duIpnFKQaSn2/bFvg3GKw=,tag:OL02P4I73VNxhNA1cD7KhA==,type:str] + password: ENC[AES256_GCM,data:+WZcWoVpAteJXujz9dAaEAv0tvLWgdgfEThAGDD4abuABmWoBVCBWzrmsaD1FX4OWrRRC5cPM+sBgqD/ICT4zw==,iv:OuvUqG1pf2RnAbrnVi/4fAna83t9nXM4WENMX22fluc=,tag:o6dTP6IM8h2GATDZvR45/A==,type:str] jupyterhub: hub: config: 
@@ -16,8 +16,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-02-23T11:56:17Z" - mac: ENC[AES256_GCM,data:1NuBjid3SNq/Fv5Pxdfby5Wl7mb7mQG9MYa6pjPaEU2YFf9wRK8WNADCEa4H98xI4dPxcFyftJ0Ww7xUX2o6sa6N6ExM0RMbpSFZ7gttUhDTsLa/D1oYvyr5sFZXOsfeXKyqmSeQZ8+zmZ1GROKjSuNpumS+TGe5ir2EIE3Zuf0=,iv:bJqET8IxysTgdjvmlL2u4xU/fcnDV+j4AlShoMeQ28k=,tag:N+e3YkfTFqEaqqYPwpmuLQ==,type:str] + lastmodified: "2024-02-25T17:01:03Z" + mac: ENC[AES256_GCM,data:grR3Oni0pj5ycFq2Y+gdfHSXYcmCb8TK80GTY1DuFopCq86u8sv3X+7YfH0davs/Un+SZtZjZU0nUTu/BZFq27vmQrmcfdFjF9iTqFbBIUvwZqwuWZKQtJuWvU0Nkaww70EjaGdB/yVenyRLoTSR70TGtuNUn73Kva70kZEIse8=,iv:bNmrHC4JFdyIXYsRoDejlD8P1oRasL8m0r3Yrum1Qt8=,tag:AE6/SNzcuox8gGlkCqdgSQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index b45508baa..25ea9056d 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml @@ -162,7 +162,7 @@ binderhub-service: use_registry: true # Re-uses the registry created for the `binderhub-staging` hub # but pushes images under a different prefix - image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/opensci- + image_prefix: quay.io/2i2c/opensci-sciencecore KubernetesBuildExecutor: # Get ourselves a newer repo2docker! build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 @@ -171,5 +171,5 @@ binderhub-service: hub.jupyter.org/node-purpose: user # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: - server: "https://us-central1-docker.pkg.dev" - username: "_json_key" + server: "https://quay.io" + username: "2i2c+opensci_sciencecore_binderhub_service" From 66fbc990c3fc6d5e70a0483e899053ad490575eb Mon Sep 17 00:00:00 2001 
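Review bot: The new `image_prefix: quay.io/2i2c/opensci-sciencecore` in the `@@ -162,7 +162,7 @@` hunk has no trailing separator, while both earlier values ended in `-`. BinderHub appends the generated image name directly to this prefix, so built images would get names of the form `opensci-sciencecore<name>` with nothing between the two parts. If that is not intended, `image_prefix: quay.io/2i2c/opensci-sciencecore-` keeps this hub's images easy to tell apart from other repositories in the `2i2c` organisation. The two comment lines above the changed line still describe the `binderhub-staging` registry and no longer match the quay.io value.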
From: Georgiana Dolocan Date: Mon, 26 Feb 2024 11:03:03 +0200 Subject: [PATCH 14/23] Add imagepullSecret to be able to pull private images from our quay registry --- .../clusters/opensci/enc-sciencecore.secret.values.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/config/clusters/opensci/enc-sciencecore.secret.values.yaml b/config/clusters/opensci/enc-sciencecore.secret.values.yaml index 90e60c5a2..94e3663e7 100644 --- a/config/clusters/opensci/enc-sciencecore.secret.values.yaml +++ b/config/clusters/opensci/enc-sciencecore.secret.values.yaml @@ -2,6 +2,11 @@ binderhub-service: buildPodsRegistryCredentials: password: ENC[AES256_GCM,data:+WZcWoVpAteJXujz9dAaEAv0tvLWgdgfEThAGDD4abuABmWoBVCBWzrmsaD1FX4OWrRRC5cPM+sBgqD/ICT4zw==,iv:OuvUqG1pf2RnAbrnVi/4fAna83t9nXM4WENMX22fluc=,tag:o6dTP6IM8h2GATDZvR45/A==,type:str] jupyterhub: + imagePullSecret: + create: ENC[AES256_GCM,data:aJ5t7w==,iv:mdiodKbsYFnfzFkwCBbgQ6B/myJcL/z1+f15vTgSQwQ=,tag:mmuYSMXreRi2O4nwAzaZsw==,type:bool] + registry: ENC[AES256_GCM,data:iGtOHQXDhw==,iv:YXdzdemCE+6B5sA437zaUFKDhb2xj2X7gMZNzu3tTqM=,tag:Bqn2k57b6RYQJYB5v1Li2A==,type:str] + username: ENC[AES256_GCM,data:Tpi9Jr933Pdr30dJciikd5986k2qgWM+NR/uywFO25qFKYkWUTpEGpbT,iv:UQKLBLwKAqzlvBgj5QQvEwTT+M8NQ20YP1HuJ1JpNzo=,tag:PcNrqzCGRQetSslXb6IdfA==,type:str] + password: ENC[AES256_GCM,data:ykY706UePlnQ6L5swTY5e5/N1yk3Hpql8s2wy7MpYLugwmM4cr0VhKHbP1ZuL7uGrSIKYHXPQB0y7hfwgWsm9g==,iv:suZsgkz1dzBKp53XX+8QfzQ+fvWGnMIHEjIP+tVFERs=,tag:bNVbdkVD19YS5PxGMyBWfA==,type:str] hub: config: GitHubOAuthenticator: 
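Review bot: The `imagePullSecret` added in this hunk gives the hub's pods a pull credential for private images, while `sciencecore.values.yaml` still offers the `unlisted_choice` image option, whose `validation_regex: "^.+:.+$"` accepts any image reference. Taken together, any logged-in user can presumably start a server from any private image this registry account can read, not only the ones built for this hub. The account's permissions are not visible in the encrypted values, so I would confirm it is read-only and limited to this hub's repositories. That is worth recording in `sciencecore.values.yaml` next to `unlisted_choice`, for example `# pull secret account must only read this hub's own repositories`.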
@@ -16,8 +21,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-02-25T17:01:03Z" - mac: ENC[AES256_GCM,data:grR3Oni0pj5ycFq2Y+gdfHSXYcmCb8TK80GTY1DuFopCq86u8sv3X+7YfH0davs/Un+SZtZjZU0nUTu/BZFq27vmQrmcfdFjF9iTqFbBIUvwZqwuWZKQtJuWvU0Nkaww70EjaGdB/yVenyRLoTSR70TGtuNUn73Kva70kZEIse8=,iv:bNmrHC4JFdyIXYsRoDejlD8P1oRasL8m0r3Yrum1Qt8=,tag:AE6/SNzcuox8gGlkCqdgSQ==,type:str] + lastmodified: "2024-02-26T08:54:20Z" + mac: ENC[AES256_GCM,data:dFxtb2e64nSVwq310U8IyNs+PCFe4AxBLHAdlMZWtSS3alZIm79Kn/wPC6WJFX41ib+mVSGU8rPFDoqsM/pBv4Ol8Fjkz2zlvSYbYpT/DwZO7hsCR+hoUrdiGTPFx0+qd4efN+J7WZKBb3dTkxzVECgS37WJGR8tv2afBBHlhQM=,iv:gIVEDiNshqJNDg5Ktb4k9sZHPw+5k9ALR5TR2Xhuzqs=,tag:oGufX/5w/PqG1OWPZ6H+rw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From c34cef4c8143f519ce9490d6ed090571ebda4c4f Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Tue, 27 Feb 2024 10:16:18 +0200 Subject: [PATCH 15/23] Return some defaults when key dicts don't exist instead of raising errors --- .../generate-hub-features-table.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/helper-programs/generate-hub-features-table.py b/docs/helper-programs/generate-hub-features-table.py index fc7a15e31..8e7e1e1e5 100644 --- a/docs/helper-programs/generate-hub-features-table.py +++ b/docs/helper-programs/generate-hub-features-table.py @@ -96,7 +96,7 @@ def retrieve_jupyterhub_config_dict(hub_config): return hub_config["binderhub"]["jupyterhub"] return hub_config["jupyterhub"] except KeyError: - return + return {} def parse_yaml_config_value_files_for_features(cluster_path, hub_values_files): 
@@ -168,20 +168,20 @@ def build_options_list_entry(hub, hub_count, values_files_features, terraform_fe return { "domain": domain, "dedicated cluster": False if hub_count else True, - "dedicated nodepool": values_files_features["dedicated_nodepool"], + "dedicated nodepool": values_files_features.get("dedicated_nodepool", False), "user buckets (scratch/persistent)": terraform_features.get( hub["name"], {} ).get("user_buckets", False), "requester pays for buckets storage": terraform_features.get( hub["name"], {} ).get("requestor_pays", False), - "authenticator": values_files_features["authenticator"], - "user anonymisation": values_files_features["anonymization"], - "admin access to allusers dirs": values_files_features["allusers"], + "authenticator": values_files_features.get("authenticator", None), + "user anonymisation": values_files_features.get("anonymization", False), + "admin access to allusers dirs": values_files_features.get("allusers", False), "community domain": False if "2i2c.cloud" in domain else True, - "custom login page": values_files_features["custom_homepage"], - "custom html pages": values_files_features["custom_html"], - "gh-scoped-creds": values_files_features["gh_scoped_creds"], + "custom login page": values_files_features.get("custom_homepage", False), + "custom html pages": values_files_features.get("custom_html", False), + "gh-scoped-creds": values_files_features.get("gh_scoped_creds", False), # "static web pages": # "GPUs": # "profile lists": From c9b5def993e1b06cdeb1225f364b9e6eb4849e89 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Tue, 27 Feb 2024 10:23:48 +0200 Subject: [PATCH 16/23] Deploy grafana dashboards and add new cluster to the central one --- .github/workflows/deploy-grafana-dashboards.yaml | 1 + .../opensci/enc-grafana-token.secret.yaml | 15 +++++++++++++++ 2 files changed, 16 insertions(+) create mode 100644 config/clusters/opensci/enc-grafana-token.secret.yaml 
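Review bot: With every `values_files_features` lookup in `build_options_list_entry` now falling back to `False`, a hub whose values files yielded no features is rendered the same as a hub with the feature switched off, so the generated table can under-report without any signal. If that is the intended trade-off, a comment above the dict would record it, for example `# Missing keys are reported as "not enabled" rather than raising`. As a style point, `values_files_features.get("authenticator", None)` can be `values_files_features.get("authenticator")`, since `None` is already the default. The function signature and the rest of the dict lie outside the hunk.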
diff --git a/.github/workflows/deploy-grafana-dashboards.yaml b/.github/workflows/deploy-grafana-dashboards.yaml index 208772c51..fd0b8688c 100644 --- a/.github/workflows/deploy-grafana-dashboards.yaml +++ b/.github/workflows/deploy-grafana-dashboards.yaml @@ -29,6 +29,7 @@ jobs: - cluster_name: nasa-esdis - cluster_name: nasa-veda - cluster_name: openscapes + - cluster_name: opensci - cluster_name: pangeo-hubs - cluster_name: qcl - cluster_name: smithsonian diff --git a/config/clusters/opensci/enc-grafana-token.secret.yaml b/config/clusters/opensci/enc-grafana-token.secret.yaml new file mode 100644 index 000000000..dbe09afae --- /dev/null +++ b/config/clusters/opensci/enc-grafana-token.secret.yaml @@ -0,0 +1,15 @@ +grafana_token: ENC[AES256_GCM,data:FUDyTxRjgJ3FrEzZ4FJeNCVOYtfAVGtz82Xjzlq0JSDrcDSdcOVc5VRZAixo6g==,iv:wP1WsvpXh4T6i0zKQatAmYS/+GRa5vwmRtOUz82VUWY=,tag:WY1AuW4YhYE54ij6pIjmZQ==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-02-27T08:21:10Z" + enc: CiUA4OM7eJwLqe0B1wFs4I0fTW9ca4t9EVaupRu6drh9jlu2BMxSEkkAXoW3JoVJBEtoW1U21/GHpWilS78im8nQUr/+YbIpFgHLJO1hsEbVqIjhJQ82ZfYryz9ozn/4/Fwxlzx6XymhncSnR/1KllE1 + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-02-27T08:21:11Z" + mac: ENC[AES256_GCM,data:dgsHlAhpVrM3246Mmk+Hiemmh4MVrkd75LYNx7ffyw0ojThJ8/wTLL8Bio25Py7vzQR10r3qVtj1+TNnDXE3cGHPTpXBuBS4RfdI63/+SAdoONL8T0J0zUM58opWfkhp3XaB5JAKJH4JTP+WGVDGmYWiyRC6kbxvn7fhLqq509U=,iv:SZ+s+LU+EJHNPbfGpHpkOzS4aTUWT0fHGyX5om0jH2w=,tag:F0vuPTXtXVUqlpCOKcLaAA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 From 17243bab2b685abdaa89b5572071afb41c2d85c8 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Thu, 29 Feb 2024 18:21:32 +0200 Subject: [PATCH 17/23] Rm copy-pasted comments --- config/clusters/opensci/sciencecore.values.yaml | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index 25ea9056d..93ababfe0 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml @@ -108,7 +108,6 @@ jupyterhub: node.kubernetes.io/instance-type: r5.xlarge hub: - # Allows for multiple concurrent demos allowNamedServers: true services: binder: @@ -160,8 +159,6 @@ binderhub-service: BinderHub: base_url: /services/binder use_registry: true - # Re-uses the registry created for the `binderhub-staging` hub - # but pushes images under a different prefix image_prefix: quay.io/2i2c/opensci-sciencecore KubernetesBuildExecutor: # Get ourselves a newer repo2docker! From fabe66edcce91a3d15a6df642ee748b47c72ed9d Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 1 Mar 2024 10:00:36 +0200 Subject: [PATCH 18/23] Move most of the binderhub-service config into the common basehub values.yaml --- .../2i2c/imagebuilding-demo.values.yaml | 30 ------------------- .../clusters/opensci/sciencecore.values.yaml | 28 ----------------- helm-charts/basehub/values.yaml | 30 +++++++++++++++++++ 3 files changed, 30 insertions(+), 58 deletions(-) diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 19c42a951..e6ac20b8e 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml 
@@ -137,40 +137,10 @@ jupyterhub: setup_ui(c) binderhub-service: - nodeSelector: - hub.jupyter.org/node-purpose: core enabled: true - service: - port: 8090 - # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml - # will start a docker-api pod on a user node. - # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, - # that will be accessible via a unix socket, mounted by the build. - # The docker-api pod must run on the same node as the builder pods. - dockerApi: - nodeSelector: - hub.jupyter.org/node-purpose: user - tolerations: - # Tolerate tainted jupyterhub user nodes - - key: hub.jupyter.org_dedicated - value: user - effect: NoSchedule - - key: hub.jupyter.org/dedicated - value: user - effect: NoSchedule config: BinderHub: - base_url: /services/binder - use_registry: true - # Re-uses the registry created for the `binderhub-staging` hub - # but pushes images under a different prefix image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service- - KubernetesBuildExecutor: - # Get ourselves a newer repo2docker! - build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 - node_selector: - # Schedule builder pods to run on user nodes only - hub.jupyter.org/node-purpose: user # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://us-central1-docker.pkg.dev" diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index 93ababfe0..7b7422bb8 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml 
@@ -134,38 +134,10 @@ jupyterhub: setup_ui(c) binderhub-service: - nodeSelector: - hub.jupyter.org/node-purpose: core enabled: true - service: - port: 8090 - # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml - # will start a docker-api pod on a user node. - # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, - # that will be accessible via a unix socket, mounted by the build. - # The docker-api pod must run on the same node as the builder pods. - dockerApi: - nodeSelector: - hub.jupyter.org/node-purpose: user - tolerations: - # Tolerate tainted jupyterhub user nodes - - key: hub.jupyter.org_dedicated - value: user - effect: NoSchedule - - key: hub.jupyter.org/dedicated - value: user - effect: NoSchedule config: BinderHub: - base_url: /services/binder - use_registry: true image_prefix: quay.io/2i2c/opensci-sciencecore - KubernetesBuildExecutor: - # Get ourselves a newer repo2docker! - build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 - node_selector: - # Schedule builder pods to run on user nodes only - hub.jupyter.org/node-purpose: user # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://quay.io" diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index dde5aa20b..91fdff77f 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml 
@@ -7,6 +7,36 @@ userServiceAccount: binderhub-service: enabled: false + nodeSelector: + hub.jupyter.org/node-purpose: core + service: + port: 8090 + # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml + # will start a docker-api pod on a user node. + # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon, + # that will be accessible via a unix socket, mounted by the build. + # The docker-api pod must run on the same node as the builder pods. + dockerApi: + nodeSelector: + hub.jupyter.org/node-purpose: user + tolerations: + # Tolerate tainted jupyterhub user nodes + - key: hub.jupyter.org_dedicated + value: user + effect: NoSchedule + - key: hub.jupyter.org/dedicated + value: user + effect: NoSchedule + config: + BinderHub: + base_url: /services/binder + use_registry: true + KubernetesBuildExecutor: + # Get ourselves a newer repo2docker! + build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99 + node_selector: + # Schedule builder pods to run on user nodes only + hub.jupyter.org/node-purpose: user ingressBasicAuth: enabled: false From fc78ba7428e4df93eefc08794a7a1cad3752d607 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 1 Mar 2024 11:21:14 +0200 Subject: [PATCH 19/23] Create a new quay org for the hub --- .../opensci/enc-sciencecore.secret.values.yaml | 10 +++++----- config/clusters/opensci/sciencecore.values.yaml | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/opensci/enc-sciencecore.secret.values.yaml b/config/clusters/opensci/enc-sciencecore.secret.values.yaml index 94e3663e7..de65d96a1 100644 --- a/config/clusters/opensci/enc-sciencecore.secret.values.yaml +++ b/config/clusters/opensci/enc-sciencecore.secret.values.yaml 
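Review bot: `build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99` is now the default for every hub that enables `binderhub-service`, and it is pinned by tag only. A tag can be re-pointed in the registry, so this file does not fix which builder image runs against the dockerd socket on user nodes. If the executor passes the value through as a pod image reference, appending the digest would make it immutable: `build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99@sha256:<digest-placeholder>`. The comment `# Get ourselves a newer repo2docker!` could also name the default it overrides, since it now reads as the chart-wide baseline.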
@@ -1,12 +1,12 @@ binderhub-service: buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data:+WZcWoVpAteJXujz9dAaEAv0tvLWgdgfEThAGDD4abuABmWoBVCBWzrmsaD1FX4OWrRRC5cPM+sBgqD/ICT4zw==,iv:OuvUqG1pf2RnAbrnVi/4fAna83t9nXM4WENMX22fluc=,tag:o6dTP6IM8h2GATDZvR45/A==,type:str] + password: ENC[AES256_GCM,data:8SoSbjJQoxjSvjiWMv2isnKD1tNWzQEijO7KGQG7L3VBFrqHTn00vE5k8kiiNfVDh1fcrnVMbTp4h414mTrtsg==,iv:s58wLbD13dRyYyg0RAKBjq4AuFNauU+MeTEP9fUYoZU=,tag:bHFEG8hRXmQ60XGe4G1n7A==,type:str] jupyterhub: imagePullSecret: create: ENC[AES256_GCM,data:aJ5t7w==,iv:mdiodKbsYFnfzFkwCBbgQ6B/myJcL/z1+f15vTgSQwQ=,tag:mmuYSMXreRi2O4nwAzaZsw==,type:bool] registry: ENC[AES256_GCM,data:iGtOHQXDhw==,iv:YXdzdemCE+6B5sA437zaUFKDhb2xj2X7gMZNzu3tTqM=,tag:Bqn2k57b6RYQJYB5v1Li2A==,type:str] - username: ENC[AES256_GCM,data:Tpi9Jr933Pdr30dJciikd5986k2qgWM+NR/uywFO25qFKYkWUTpEGpbT,iv:UQKLBLwKAqzlvBgj5QQvEwTT+M8NQ20YP1HuJ1JpNzo=,tag:PcNrqzCGRQetSslXb6IdfA==,type:str] - password: ENC[AES256_GCM,data:ykY706UePlnQ6L5swTY5e5/N1yk3Hpql8s2wy7MpYLugwmM4cr0VhKHbP1ZuL7uGrSIKYHXPQB0y7hfwgWsm9g==,iv:suZsgkz1dzBKp53XX+8QfzQ+fvWGnMIHEjIP+tVFERs=,tag:bNVbdkVD19YS5PxGMyBWfA==,type:str] + username: ENC[AES256_GCM,data:ii7f/N3KXNmkvv5Sh2wsPlqRRh0LHjjExQkm+kK+lRCVwe8FDNI=,iv:rqk6+iWqGYh/fgDPGqcRZ/fyRROM6a144PCrVWokm+o=,tag:9krQyW6n7QCiQ5vNM/wozQ==,type:str] + password: ENC[AES256_GCM,data:CjC/nUzk/7LH5oSA3cF4KRjmzLMa3QAIodKxAKTTB8ruEFHdQAUDCfm9m2zco4lLykwG6JX5JiWClI26C2O+wg==,iv:KzXdwlH0EeI79hgTEL0iRSsPxHeZTXusuRqQQe+YbG4=,tag:5xIfUhfUS2qUFLoiRYwTlw==,type:str] hub: config: GitHubOAuthenticator: 
@@ -21,8 +21,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-02-26T08:54:20Z" - mac: ENC[AES256_GCM,data:dFxtb2e64nSVwq310U8IyNs+PCFe4AxBLHAdlMZWtSS3alZIm79Kn/wPC6WJFX41ib+mVSGU8rPFDoqsM/pBv4Ol8Fjkz2zlvSYbYpT/DwZO7hsCR+hoUrdiGTPFx0+qd4efN+J7WZKBb3dTkxzVECgS37WJGR8tv2afBBHlhQM=,iv:gIVEDiNshqJNDg5Ktb4k9sZHPw+5k9ALR5TR2Xhuzqs=,tag:oGufX/5w/PqG1OWPZ6H+rw==,type:str] + lastmodified: "2024-03-01T09:20:50Z" + mac: ENC[AES256_GCM,data:/H85LAsXQBVCUly595+EGHmTN7jw8Mspsj1GFfyVBjUj/QYJResChPxuDfEf02PD+h0Va9UK0xQVBLVJFuO8nVKLY9WAGG5agAiTHYudhHGsPpzGSL5jkjDkQrqNhyAWunkh7euqbMIDKLU8Yn4LXVU1JaD6DrbNXQJcnJbAbAM=,iv:jDS6yvbuz57WixC/5qKrZztd0IXeLsAJXzYj8zsOBzI=,tag:O9JM6fBZuD8quswUFe7cJQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index 7b7422bb8..bf27e2986 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml @@ -141,4 +141,4 @@ binderhub-service: # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://quay.io" - username: "2i2c+opensci_sciencecore_binderhub_service" + username: "2i2c-opensci-sciencecore+image_manager" From 21c59f67f3160373401042035d0b7b4c51f0ba5d Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 1 Mar 2024 12:50:25 +0200 Subject: [PATCH 20/23] Update the image prefix name --- config/clusters/opensci/sciencecore.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index bf27e2986..af5f003cb 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml 
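Review bot: The comment above `buildPodsRegistryCredentials` says where the password lives but not what the `2i2c-opensci-sciencecore+image_manager` robot account is allowed to do. A line such as `# quay robot account the build pods push with; scoped to the 2i2c-opensci-sciencecore org only` would record the intended scope, which is inferred here from the account name and not shown in the diff. The replaced account `2i2c+opensci_sciencecore_binderhub_service` still has its encrypted password in the repository history, so it is worth removing that robot account in quay if nothing else uses it.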
@@ -137,7 +137,7 @@ binderhub-service: enabled: true config: BinderHub: - image_prefix: quay.io/2i2c/opensci-sciencecore + image_prefix: quay.io/2i2c-opensci-sciencecore # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://quay.io" From 3b4d8b865f3f2a01f43756afb9dffea6724e468e Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 1 Mar 2024 13:34:15 +0200 Subject: [PATCH 21/23] Update the prefix --- config/clusters/opensci/sciencecore.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/opensci/sciencecore.values.yaml b/config/clusters/opensci/sciencecore.values.yaml index af5f003cb..60688b069 100644 --- a/config/clusters/opensci/sciencecore.values.yaml +++ b/config/clusters/opensci/sciencecore.values.yaml @@ -137,7 +137,7 @@ binderhub-service: enabled: true config: BinderHub: - image_prefix: quay.io/2i2c-opensci-sciencecore + image_prefix: quay.io/2i2c-opensci-sciencecore/binderhub-service- # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://quay.io" From 69bd7c89e22fe0bf8712f325262d3c31af5fe037 Mon Sep 17 00:00:00 2001 From: Georgiana Date: Tue, 5 Mar 2024 12:19:36 +0200 Subject: [PATCH 22/23] Add comment about cluster being in the sso aws account Co-authored-by: Erik Sundell --- config/clusters/opensci/cluster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/opensci/cluster.yaml b/config/clusters/opensci/cluster.yaml index 3ba0308dc..e1b7de05b 100644 --- a/config/clusters/opensci/cluster.yaml +++ b/config/clusters/opensci/cluster.yaml @@ -1,5 +1,5 @@ name: opensci -provider: aws +provider: aws # https://2i2c.awsapps.com/start#/ aws: key: enc-deployer-credentials.secret.json clusterType: eks From dc29e643e1fb427c23fbcdec7a8ed805e7591772 Mon Sep 17 00:00:00 2001 
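Review bot: The comment added to `provider: aws` in `config/clusters/opensci/cluster.yaml` is a bare URL, so a reader has to open it to learn why it is there. Spelling out what the commit subject says would make the line self-explanatory: `provider: aws # cluster is in 2i2c's SSO-managed AWS account, sign in via https://2i2c.awsapps.com/start#/`.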
From: Georgiana Date: Tue, 5 Mar 2024 12:20:49 +0200 Subject: [PATCH 23/23] Be explicit about nfs pv defaults Co-authored-by: Erik Sundell --- config/clusters/opensci/common.values.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/clusters/opensci/common.values.yaml b/config/clusters/opensci/common.values.yaml index 9e58930e8..5a1824807 100644 --- a/config/clusters/opensci/common.values.yaml +++ b/config/clusters/opensci/common.values.yaml @@ -1,5 +1,7 @@ nfs: + enabled: true pv: + enabled: true # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html mountOptions: - rsize=1048576