From 3749d30ae4670ca4b3dfea1bd60b4eb850ec045f Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 9 Mar 2022 02:18:03 -0800 Subject: [PATCH 01/14] Add LEAP hub Ref https://github.com/2i2c-org/infrastructure/issues/1050 --- .github/workflows/deploy-hubs.yaml | 2 + config/clusters/leap/cluster.yaml | 29 ++++ config/clusters/leap/common.values.yaml | 125 ++++++++++++++++++ .../leap/enc-deployer-credentials.secret.json | 30 +++++ .../leap/enc-grafana-token.secret.yaml | 15 +++ .../clusters/leap/enc-prod.secret.values.yaml | 22 +++ .../leap/enc-staging.secret.values.yaml | 22 +++ config/clusters/leap/support.values.yaml | 14 ++ terraform/gcp/storage.tf | 10 +- 9 files changed, 264 insertions(+), 5 deletions(-) create mode 100644 config/clusters/leap/cluster.yaml create mode 100644 config/clusters/leap/common.values.yaml create mode 100644 config/clusters/leap/enc-deployer-credentials.secret.json create mode 100644 config/clusters/leap/enc-grafana-token.secret.yaml create mode 100644 config/clusters/leap/enc-prod.secret.values.yaml create mode 100644 config/clusters/leap/enc-staging.secret.values.yaml create mode 100644 config/clusters/leap/support.values.yaml diff --git a/.github/workflows/deploy-hubs.yaml b/.github/workflows/deploy-hubs.yaml index 5cc275fbb8..ef5a5a52fb 100644 --- a/.github/workflows/deploy-hubs.yaml +++ b/.github/workflows/deploy-hubs.yaml @@ -45,6 +45,8 @@ jobs: provider: gcp - cluster_name: pangeo-hubs provider: gcp + - cluster_name: leap + provider: gcp - cluster_name: utoronto provider: kubeconfig - cluster_name: azure.carbonplan diff --git a/config/clusters/leap/cluster.yaml b/config/clusters/leap/cluster.yaml new file mode 100644 index 0000000000..03402ac8fa --- /dev/null +++ b/config/clusters/leap/cluster.yaml 
@@ -0,0 +1,29 @@
+name: pangeo-hubs
+provider: gcp
+gcp:
+ key: enc-deployer-credentials.secret.json
+ project: leap-pangeo
+ cluster: leap-cluster
+ zone: us-central1-b
+support:
+ helm_chart_values_files:
+ - support.values.yaml
+hubs:
+ - name: staging
+ display_name: "LEAP Staging"
+ domain: staging.leap.2i2c.cloud
+ helm_chart: daskhub
+ auth0:
+ enabled: false
+ helm_chart_values_files:
+ - common.values.yaml
+ - enc-staging.secret.values.yaml
+ - name: prod
+ display_name: "LEAP Prod"
+ domain: leap.2i2c.cloud
+ helm_chart: daskhub
+ auth0:
+ enabled: false
+ helm_chart_values_files:
+ - common.values.yaml
+ - enc-prod.secret.values.yaml
diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml
new file mode 100644
index 0000000000..5d8d0243e5
--- /dev/null
+++ b/config/clusters/leap/common.values.yaml
@@ -0,0 +1,125 @@
+basehub:
+ nfs:
+ enabled: true
+ pv:
+ mountOptions:
+ - soft
+ - noatime
+ # Google FileStore IP
+ serverIP: 10.236.154.106
+ # Name of Google Filestore share
+ baseShareName: /homes/
+ jupyterhub:
+ proxy:
+ https:
+ enabled: false
+ custom:
+ 2i2c:
+ add_staff_user_ids_to_admin_users: true
+ add_staff_user_ids_of_type: "github"
+ cloudResources:
+ provider: gcp
+ gcp:
+ projectId: leap-pangeo
+ scratchBucket:
+ enabled: false
+ homepage:
+ templateVars:
+ org:
+ name: LEAP
+ url: https://leap-stc.github.io
+ logo_url: https://leap-stc.github.io/_static/LEAP_logo.png
+ designed_by:
+ name: 2i2c
+ url: https://2i2c.org
+ operated_by:
+ name: 2i2c
+ url: https://2i2c.org
+ funded_by:
+ name: LEAP
+ url: https://leap-stc.github.io
+ hub:
+ config:
+ Authenticator:
+ # This hub uses GitHub Teams auth and so we don't set
+ # allowed_users in order to not deny access to valid members of
+ # the listed teams. These people should have admin access though.
+ admin_users:
+ - rabernat
+ JupyterHub:
+ authenticator_class: github
+ GitHubOAuthenticator:
+ allowed_organizations:
+ - pangeo-data:us-central1-b-gcp
+ - 2i2c-org:tech-team
+ scope:
+ - read:org
+ singleuser:
+ image:
+ name: pangeo/pangeo-notebook
+ tag: bcfacc5
+ profileList:
+ # The mem-guarantees are here so k8s doesn't schedule other pods
+ # on these nodes. They need to be just under total allocatable
+ # RAM on a node, not total node capacity
+ - display_name: "Small (1 GB - 4 GB)"
+ default: true
+ kubespawner_override:
+ cpu_limit: 2
+ cpu_guarantee: 0.3
+ mem_limit: 4G
+ mem_guarantee: 1G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-4
+ - display_name: "Medium (4 GB - 8 GB)"
+ kubespawner_override:
+ cpu_limit: 2
+ cpu_guarantee: 1
+ mem_limit: 8G
+ mem_guarantee: 4G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-8
+ - display_name: "Large (12 GB - 16 GB)"
+ kubespawner_override:
+ cpu_limit: 4
+ cpu_guarantee: 1
+ mem_limit: 16G
+ mem_guarantee: 12G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-16
+ - display_name: "ML Image - Large (12 GB - 16 GB)"
+ description: "https://github.com/pangeo-data/pangeo-docker-images/tree/master/ml-notebook"
+ kubespawner_override:
+ image: "pangeo/ml-notebook:master"
+ cpu_limit: 2
+ cpu_guarantee: 1
+ mem_limit: 16G
+ mem_guarantee: 12G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-16
+ initContainers:
+ # Need to explicitly fix ownership here, since EFS doesn't do anonuid
+ - name: volume-mount-ownership-fix
+ image: busybox
+ command:
+ [
+ "sh",
+ "-c",
+ "id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan",
+ ]
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: home
+ mountPath: /home/jovyan
+ subPath: "{username}"
+dask-gateway:
+ gateway:
+ backend:
+ scheduler:
+ cores:
+ request: 0.8
+ limit: 1
+ memory:
+ request: 1G
+ limit: 2G
diff --git a/config/clusters/leap/enc-deployer-credentials.secret.json b/config/clusters/leap/enc-deployer-credentials.secret.json
new file mode 100644
index 0000000000..0ca3991feb
--- /dev/null
+++ b/config/clusters/leap/enc-deployer-credentials.secret.json
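Review bot: The `volume-mount-ownership-fix` init container near the end of the common.values.yaml hunk runs with `runAsUser: 0` from an untagged `image: busybox`, which resolves to the mutable `busybox:latest` and is executed as root against each user's home volume. Pinning it, e.g. `image: busybox:<PINNED_TAG>` or a digest reference, keeps that privileged step reproducible. The same concern applies to the `pangeo/ml-notebook:master` tag in the ML profile. The comment above the container names EFS, while the `nfs` block at the top of the hunk points at Google Filestore, so the comment should name the backend actually in use.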
@@ -0,0 +1,30 @@ +{ + "type": "ENC[AES256_GCM,data:bXgwRCCuUFr4lQ2E2SNY,iv:s2f8CNR1otvSWHZjBoPU0g0edG9Z1oxp4DR19P3nFcM=,tag:8uaIHlomCatJ3nO94vm+Xg==,type:str]", + "project_id": "ENC[AES256_GCM,data:XD/SgAyoYBTSryM=,iv:V8+bdV7rBHqQwOweAD7NpTuFlx59MXFfXyIKZfmy0C0=,tag:YuEn+Nx9FoyU5Mz/othl4g==,type:str]", + "private_key_id": "ENC[AES256_GCM,data:RyEVnVqgxNZ1oxHlKAea36r6dSlaqehJJQCNpg4k675vfD8s3oxAYA==,iv:UidkTYHW7UYhVIeLCemr6TfqQlFXstg677iSXkfO6vo=,tag:Yv2f+19B6sKkMZmNuMBm4A==,type:str]", + "private_key": "ENC[AES256_GCM,data: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,iv:EgD4FRnPUx3eF7lO7mrfjYmmx1QxfGYi5PYbbFh0E/A=,tag:aTr3QIHfxhtdovqFj2R23g==,type:str]", + "client_email": "ENC[AES256_GCM,data:1pYHCwTtM2blwTR0PYzRdZxEAcigHYc+dFI0o6H3NfV4Gdp2BI9tSxGsoPxFhg==,iv:XQ9uTRrFoN7DSa1X7lYv89k2uY2o+dOh9MYC6VRkCrc=,tag:nTi4NKlTJn1X8OW55m5rxA==,type:str]", + "client_id": "ENC[AES256_GCM,data:U6WS704VI9XtGpPqfm9lxWR3Q7Mi,iv:/xvGuEGfsJcWxqTW2Z9JJSamJ5vrKIJhpkonB+IRDrI=,tag:yBgTt0CgdCmcIvtgiSs5yg==,type:str]", + "auth_uri": "ENC[AES256_GCM,data:0qByuvHwcpGgzitfrLq1BF+fYbvPaw0GSLgV9ap6UeVW2Obi30SAyEg=,iv:Su94WLXfURaDcYS6kfq3pNScwcmvVOIHEQmr4nL0m+U=,tag:36JEZaLat0pIabEE9+7HUw==,type:str]", + "token_uri": "ENC[AES256_GCM,data:VopsA3EwGJMYx9e9aGln1JQpYbpNw13z1yT7e92VsjdLYfw=,iv:LmpzRcY2tZVspy7CYMMnORybq9zwcgNRCeCuFyKGV5E=,tag:d2VfyqSA+FpQgCF68lp3Hw==,type:str]", + "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:XctyK5UvsjLXpDf2nuvHrrPb6Xeof80vd4voZTT4lHj1PqScsFxCQx0h,iv:kwvSoStJdIUbMJasX6r0i0Ahh5vWdbKQdfgNNAfApso=,tag:+mWUAoiF/K8sS/bWRxQBpg==,type:str]", + "client_x509_cert_url": "ENC[AES256_GCM,data:8X40APDF+qU0QxB/fAl9d3QEK+xV+nadmiEGXWeDVUwWhfHDvKGfmxhQpuq9Jlezh78ZJqk582gji9zbk76jj96MKsDpCTLxVk0afc2kAHhfdWyZr3rWCsApZx1bsJx6Jzs=,iv:86Y1ykaCpyF+GASy9V+wxfmagZgIjFcUqO+f+IV7wuw=,tag:gSHMz9BeGIpMrufCeLoKvA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + 
"created_at": "2022-03-09T10:01:06Z", + "enc": "CiQA4OM7eL+21cxRUstcvIlnsMZrFbLDsiQpXe8XPMnIpbe033ISSADm5XgWSJUtlvvXtnkfqnnyCGz/4hSG6Sm1Mb2C713GGAJrg8oILKXAhrQn7Grp9Ayi48nhjXLltdNRBdEJWkLVv6WvLWcktA==" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-09T10:01:07Z", + "mac": "ENC[AES256_GCM,data:R82w7fgEsBoeU/EN4eHS/0IFijn0ts3SjE46/LGpQbb+NtvFf4ynmvp7GOpbV03J9GgWpY1vaoREkkrtbNg+CUNLpbHx4Bg2LFz1QFCYuG6NN/7DbunvEQwHZrd1QmA4MX0CsnQzWzrrXSvZw2W8AX1HNeo9bClvdHOBzGlZctQ=,iv:1Vjso4F+eO+gV1gsx+4OMzxh9WEsC5COZaI+LLmC4kU=,tag:b215foOX/93CciksTJCUDA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } +} \ No newline at end of file diff --git a/config/clusters/leap/enc-grafana-token.secret.yaml b/config/clusters/leap/enc-grafana-token.secret.yaml new file mode 100644 index 0000000000..9c659805f2 --- /dev/null +++ b/config/clusters/leap/enc-grafana-token.secret.yaml @@ -0,0 +1,15 @@ +grafana_token: ENC[AES256_GCM,data:PBK+VcnU3cq2cVa7nZwJyVdWWwkcsxslGKiH1nhxBpgFEKC8iylsxhEZb5c89Hy15tFxZ4qNfCOZ4ztwrIVsCQ==,iv:Y+KqfLhpJvgYBw/6IP9Rg3w+qbnS1amvBf2QgFvPx/U=,tag:owkBbmy0W6bUbqtIJepOqg==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2022-02-24T17:56:52Z" + enc: CiQA4OM7eA1jS3a2zwDnUXuczQfvJW5u9Zp3QHRgCZjXk1ha/P4SSQDm5XgWif8sOYLkjo9k+hTKISv4PddEGATlvRChHeNZREfg2nreeDYujK6tOdiXplp8Yzv+uWxnxxUvlYPbhvReCDgmuEKLGI0= + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-03-09T09:29:33Z" + mac: ENC[AES256_GCM,data:ymz/1FyIv7KwvB46+NBBEsDLncBSh1b5NNxRrAxgIq7leOWBjHWkrh7kwWBGc5i2dIHsZ39VhG/AHZLZtXlp0ef9+JZyHUcejCLl2aOSbNB+6CqPLLh1ps63bUQYiKB7D7hec//hRMAu+CyT9UHYJkhj4jHT+hMtRgou800LcWA=,iv:6qzJEV9ktMy7jLoHDeAKFjh2CkGgMq7Go6P7+/3NFOo=,tag:s/xCYa0ttNl4yOJDGTy53g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 
diff --git a/config/clusters/leap/enc-prod.secret.values.yaml b/config/clusters/leap/enc-prod.secret.values.yaml new file mode 100644 index 0000000000..6d097ee8ea --- /dev/null +++ b/config/clusters/leap/enc-prod.secret.values.yaml @@ -0,0 +1,22 @@ +basehub: + jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:auopWrLSGIBDtQ4PrZZMYe5XFWM=,iv:+tzBIkE6R3PfJm7oYyJOq84yyD6tB3GXeQ++sYPU7S8=,tag:vQrhczBhRRaFoqqwRWeGHg==,type:str] + client_secret: ENC[AES256_GCM,data:xLL5GJTKSnucssmIQjVhCUwwXyZaYl54/+QzXPFx0dJpX63kaeJufw==,iv:2cyHZvDaoNQtlKiPKf2ACoNuvlww6WE7vcGG6jVXISI=,tag:IRcogW5ZDZWA6Pv8DyVcPg==,type:str] + oauth_callback_url: ENC[AES256_GCM,data:d+/oCcmELV7Tvfe86P4YH8DCnLHI0yid0WoUWH0IKT022b9Ba/rnptYp,iv:SVHQK5yK26JOHV6uWycsLYUk42g6Kl8RahOf5oMbqxc=,tag:HjT+HYo30qqP5yCKcgVZCQ==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2022-02-24T18:31:21Z" + enc: CiQA4OM7eNU4/NC1GSyOypie5mku2r/szfsjQHdxf5CkEib8PWISSQDm5XgWPd3+MJEgP6vyMdkr+5xZCc0MbF1aoNtwLVU/Z9PKOZsw2UgcoYIAHxpoMCm9aC2mS+qZJyq7N5GnR0xxIc3cGMNybVo= + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-03-09T09:36:42Z" + mac: ENC[AES256_GCM,data:DfmVtvbHRczSN/9KawreI79Hw9rQExWcpu7UJlCgBSxdA05oiEg+sr3Ylv5Qzthn+v0uYMb3pFWWmJrfz2LoY8Rc7HGWRKNTFvgykE/DX7JHyN5MbM6BvQNHGQeCn2Jcu2QhZvQbm5XgY0KOMJu/3y+DZui8NR2BDpXdco+YCl8=,iv:XHeme2xxOHx+zwixzLugknI0lUuhB+nTtwbVjo6bAE0=,tag:5rPqQL/si+x0VREW0LnkoA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/config/clusters/leap/enc-staging.secret.values.yaml b/config/clusters/leap/enc-staging.secret.values.yaml new file mode 100644 index 0000000000..15ec79a6d3 --- /dev/null +++ b/config/clusters/leap/enc-staging.secret.values.yaml 
@@ -0,0 +1,22 @@ +basehub: + jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:+AMr1i/FBcFuMHVbLXf7dqfvsWc=,iv:6SyzEQjAgag1ReUANQpKpqzbkZQzXXgztqYY+keuC14=,tag:IfcPSe5+GaSDkFM7lqIemg==,type:str] + client_secret: ENC[AES256_GCM,data:wn3bphxQWosKZC596MSVHiNt0d1BuRmR19YX/FK9mcdmvO1IswQVpQ==,iv:cm2FGIjpXnjOHMUnuGeB1WYAjozErtuYSx99737vtVw=,tag:ZBNPrQCPqGiz+ttCNIE/Ag==,type:str] + oauth_callback_url: ENC[AES256_GCM,data:COFoMWuv8XAmHHHcKh0CohhU63qfTAlRzMVeA0fn9aP7U3KBRuYP6yw/Qh8REDnpgXo=,iv:SL9AE00Gr1VFht9jWIS4ipSX+nAnmii5iNX37l19aTA=,tag:mydwvSO+CjurZF2HkkHe8A==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2022-02-24T18:04:17Z" + enc: CiQA4OM7eP6diuWK5cq1WJfLBHrUaMLetApVQYdQJjlOFUKSsHASSQDm5XgW8L7w2ZN+LPLHBMIcfpO6YIBeajtpkKFnTdpRgbhgR7+fb9p4HHT8z3H1U7nwKuOaQPtsXj2e8ZPjWr/2tqy6ramzlhU= + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-03-09T09:32:24Z" + mac: ENC[AES256_GCM,data:f0GDINNXc/xX4Ir0ayXvfgMeZzdqIekpgNPkOtOX80a09wS2AWWG58g36uf6pQwi+WTgDFnIL8TUPxjt3SVCJhKuKtFWuYQW35h3qwoHcsTD6thKASfQtD3CyJaMAzuZkYQYIqHhCFAYIr9cCruxnbOzCK+1b3I3ScAYyj+dBWo=,iv:LX+hyL5S3djX7UWPo6OZ0/+vuk6Jbx2GDFpvt46K1/I=,tag:LE3GBK1vgRavlN8ol89ruQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.1 diff --git a/config/clusters/leap/support.values.yaml b/config/clusters/leap/support.values.yaml new file mode 100644 index 0000000000..ae10e7bab0 --- /dev/null +++ b/config/clusters/leap/support.values.yaml @@ -0,0 +1,14 @@ +grafana: + ingress: + hosts: + - grafana.leap.2i2c.cloud + tls: + - secretName: grafana-tls + hosts: + - grafana.leap.2i2c.cloud +prometheus: + server: + resources: + limits: + cpu: 2 + memory: 12Gi diff --git a/terraform/gcp/storage.tf b/terraform/gcp/storage.tf index 0d6b5b895a..7db0a79d83 100644 --- a/terraform/gcp/storage.tf +++ b/terraform/gcp/storage.tf 
@@ -1,8 +1,8 @@ resource "google_filestore_instance" "homedirs" { - name = "${var.prefix}-homedirs" - zone = var.zone - tier = var.filestore_tier + name = "${var.prefix}-homedirs" + zone = var.zone + tier = var.filestore_tier project = var.project_id count = var.enable_filestore ? 1 : 0 @@ -19,7 +19,7 @@ resource "google_filestore_instance" "homedirs" { } networks { - network = var.enable_private_cluster ? data.google_compute_network.default_network.name : null + network = google_container_cluster.cluster.network modes = ["MODE_IPV4"] } -} \ No newline at end of file +} From d126bcc8e48bac55d937cc63bed1036bd4b48036 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 9 Mar 2022 02:39:11 -0800 Subject: [PATCH 02/14] Fix title of cluster --- config/clusters/leap/cluster.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/leap/cluster.yaml b/config/clusters/leap/cluster.yaml index 03402ac8fa..7aaadab726 100644 --- a/config/clusters/leap/cluster.yaml +++ b/config/clusters/leap/cluster.yaml @@ -1,4 +1,4 @@ -name: pangeo-hubs +name: leap provider: gcp gcp: key: enc-deployer-credentials.secret.json From 7394192fb3247dfec79c025e413f50ca5f01c766 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 9 Mar 2022 09:35:02 -0800 Subject: [PATCH 03/14] Use leap-stc github org for restricting access --- config/clusters/leap/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 5d8d0243e5..1a4cb5d80c 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -50,7 +50,7 @@ basehub: authenticator_class: github GitHubOAuthenticator: allowed_organizations: - - pangeo-data:us-central1-b-gcp + - leap-stc:leap-pangeo-users - 2i2c-org:tech-team scope: - read:org From 4453724775c9efef76eca0d94e5106158a2b002a Mon Sep 17 00:00:00 2001 
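Review bot: In the second hunk of terraform/gcp/storage.tf, the Filestore instance is now attached to `google_container_cluster.cluster.network` for every project that uses this module, and the visible `networks` block does nothing to narrow which clients on that network may mount the share. Filestore NFS access is generally governed by network reachability and IP rules rather than per-user credentials, so it is worth confirming that nothing else on that VPC should be kept away from home directories. A comment such as `# Filestore must sit on the same VPC as the cluster nodes that mount it` would record why the `enable_private_cluster` conditional was dropped. It is also worth checking that the cluster attribute yields the network form Filestore expects (name rather than self link). The resource body extends beyond the hunk.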
From: YuviPanda Date: Wed, 9 Mar 2022 21:56:39 -0800 Subject: [PATCH 04/14] Use latest pangeo docker image --- config/clusters/leap/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 1a4cb5d80c..be894716d7 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -57,7 +57,7 @@ basehub: singleuser: image: name: pangeo/pangeo-notebook - tag: bcfacc5 + tag: 2022.02.04 profileList: # The mem-guarantees are here so k8s doesn't schedule other pods # on these nodes. They need to be just under total allocatable From 075113399289418751b84eefa020404dcdb5264a Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 9 Mar 2022 23:32:48 -0800 Subject: [PATCH 05/14] Rejig LEAP hub's profile sizes Assign one user per node, using https://learnk8s.io/kubernetes-instance-calculator to calculate how big to make guarantees so pods stick one to a node. This provides a reasonable tradeoff for research use cases I think, although it should still be discussed. --- config/clusters/leap/common.values.yaml | 47 +++++++++++-------------- 1 file changed, 21 insertions(+), 26 deletions(-) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index be894716d7..d232017b0b 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml 
@@ -61,40 +61,35 @@ basehub: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods # on these nodes. They need to be just under total allocatable - # RAM on a node, not total node capacity - - display_name: "Small (1 GB - 4 GB)" + # RAM on a node, not total node capacity. Values calculated using + # https://learnk8s.io/kubernetes-instance-calculator + - display_name: "Small" + description: 5GB RAM, 2 CPUs default: true kubespawner_override: - cpu_limit: 2 - cpu_guarantee: 0.3 - mem_limit: 4G - mem_guarantee: 1G + mem_limit: 7G + mem_guarantee: 4.5G node_selector: - node.kubernetes.io/instance-type: n1-standard-4 - - display_name: "Medium (4 GB - 8 GB)" + node.kubernetes.io/instance-type: n1-standard-2 + - display_name: Medium + description: 11GB RAM, 4 CPUs kubespawner_override: - cpu_limit: 2 - cpu_guarantee: 1 - mem_limit: 8G - mem_guarantee: 4G + mem_limit: 15G + mem_guarantee: 11G node_selector: - node.kubernetes.io/instance-type: n1-standard-8 - - display_name: "Large (12 GB - 16 GB)" + node.kubernetes.io/instance-type: n1-standard-4 + - display_name: Large + description: 24GB RAM, 8 CPUs kubespawner_override: - cpu_limit: 4 - cpu_guarantee: 1 - mem_limit: 16G - mem_guarantee: 12G + mem_limit: 30G + mem_guarantee: 24G node_selector: - node.kubernetes.io/instance-type: n1-standard-16 - - display_name: "ML Image - Large (12 GB - 16 GB)" - description: "https://github.com/pangeo-data/pangeo-docker-images/tree/master/ml-notebook" + node.kubernetes.io/instance-type: n1-standard-8 + - display_name: Huge + description: 52GB RAM, 16 CPUs kubespawner_override: - image: "pangeo/ml-notebook:master" - cpu_limit: 2 - cpu_guarantee: 1 - mem_limit: 16G - mem_guarantee: 12G + mem_limit: 60G + mem_guarantee: 52G node_selector: node.kubernetes.io/instance-type: n1-standard-16 initContainers: From 4f159cd268cb7d793a1805fff665027d727fe834 Mon Sep 17 00:00:00 2001 
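Review bot: The Small profile's `description: 5GB RAM, 2 CPUs` matches neither of its bounds (`mem_guarantee: 4.5G`, `mem_limit: 7G`), while the other three descriptions repeat their `mem_guarantee`. Either `description: 4.5GB RAM, 2 CPUs` or a guarantee of `5G` would make the four entries consistent. With `cpu_limit` and `cpu_guarantee` removed, one-pod-per-node placement rests entirely on these memory guarantees, so a comment noting that they must be re-derived whenever a pool's machine type changes would help. The enclosing `singleuser` block starts outside the hunk.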
From: YuviPanda Date: Wed, 9 Mar 2022 23:35:03 -0800 Subject: [PATCH 06/14] Allow named servers in leap hub Quite useful! --- config/clusters/leap/common.values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index d232017b0b..62a32555b8 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,6 +39,7 @@ basehub: name: LEAP url: https://leap-stc.github.io hub: + allowNamedServers: true config: Authenticator: # This hub uses GitHub Teams auth and so we don't set From 9f1aa2ed1cfc5e4ecb133c366b9f87a87199aa4e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 14 Mar 2022 20:44:24 -0700 Subject: [PATCH 07/14] Add leap hub terraform params --- terraform/gcp/projects/leap.tfvars | 75 ++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 terraform/gcp/projects/leap.tfvars diff --git a/terraform/gcp/projects/leap.tfvars b/terraform/gcp/projects/leap.tfvars new file mode 100644 index 0000000000..74e4a3db81 --- /dev/null +++ b/terraform/gcp/projects/leap.tfvars 
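Review bot: `allowNamedServers: true` is added under `hub:` without a per-user cap, and JupyterHub's default named-server limit is unlimited, so a single account can start an arbitrary number of servers. Because the previous commit sizes each profile to occupy a whole node, that translates directly into node-pool exhaustion and cost for other users. Consider adding `namedServerLimitPerUser: <N>` next to it, with N chosen by the hub owners. The `hub` block continues outside the hunk.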
@@ -0,0 +1,75 @@
+prefix = "leap"
+project_id = "leap-pangeo"
+core_node_machine_type = "n1-highmem-4"
+
+# No need for this to be a private cluster, public ones are cheaper
+enable_private_cluster = false
+
+# Multi-tenant cluster, network policy is required to enforce separation between hubs
+enable_network_policy = true
+
+# Some hubs want a storage bucket, so we need to have config connector enabled
+config_connector_enabled = false
+
+# Setup a filestore for in-cluster NFS
+enable_filestore = true
+filestore_capacity_gb = 1024
+
+user_buckets = [
+ "pangeo-scratch"
+]
+
+# Setup notebook node pools
+notebook_nodes = {
+ "small" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-2",
+ labels: {}
+ },
+ "medium" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-4",
+ labels: {}
+ },
+ "large" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-8",
+ labels: {}
+ },
+ "huge" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-16",
+ labels: {}
+ },
+}
+
+dask_nodes = {
+ "small" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-2",
+ labels: {}
+ },
+ "medium" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-4",
+ labels: {}
+ },
+ "large" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-8",
+ labels: {}
+ },
+ "huge" : {
+ min : 0,
+ max : 100,
+ machine_type : "n1-standard-16",
+ labels: {}
+ },
+}
From 81b6e6d852f74ebd3e776d76a5d05cc37c7897bd Mon Sep 17 00:00:00 2001
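Review bot: `enable_private_cluster = false` is justified in its comment by cost alone, which leaves the security trade-off unrecorded for a cluster that the next comment describes as multi-tenant. On a public cluster the nodes presumably receive external addresses, so the compensating controls deserve a mention. A comment such as `# Public cluster chosen for cost; node exposure is limited by <firewall rules / network policy>` (filled in with what actually applies) would tell the next reader what protects them. All eight pools also set `max : 100`, so a line saying whether that ceiling is a deliberate budget bound would be useful.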
From: YuviPanda Date: Mon, 14 Mar 2022 20:53:08 -0700 Subject: [PATCH 08/14] Put non-secret per-hub values into their own file --- config/clusters/leap/cluster.yaml | 2 ++ config/clusters/leap/enc-prod.secret.values.yaml | 5 ++--- config/clusters/leap/enc-staging.secret.values.yaml | 5 ++--- config/clusters/leap/prod.values.yaml | 5 +++++ config/clusters/leap/staging.values.yaml | 5 +++++ 5 files changed, 16 insertions(+), 6 deletions(-) create mode 100644 config/clusters/leap/prod.values.yaml create mode 100644 config/clusters/leap/staging.values.yaml diff --git a/config/clusters/leap/cluster.yaml b/config/clusters/leap/cluster.yaml index 7aaadab726..0acf2393ca 100644 --- a/config/clusters/leap/cluster.yaml +++ b/config/clusters/leap/cluster.yaml @@ -17,6 +17,7 @@ hubs: enabled: false helm_chart_values_files: - common.values.yaml + - staging.values.yaml - enc-staging.secret.values.yaml - name: prod display_name: "LEAP Prod" @@ -26,4 +27,5 @@ hubs: enabled: false helm_chart_values_files: - common.values.yaml + - prod.yaml - enc-prod.secret.values.yaml diff --git a/config/clusters/leap/enc-prod.secret.values.yaml b/config/clusters/leap/enc-prod.secret.values.yaml index 6d097ee8ea..acda46f9a4 100644 --- a/config/clusters/leap/enc-prod.secret.values.yaml +++ b/config/clusters/leap/enc-prod.secret.values.yaml @@ -5,7 +5,6 @@ basehub: GitHubOAuthenticator: client_id: ENC[AES256_GCM,data:auopWrLSGIBDtQ4PrZZMYe5XFWM=,iv:+tzBIkE6R3PfJm7oYyJOq84yyD6tB3GXeQ++sYPU7S8=,tag:vQrhczBhRRaFoqqwRWeGHg==,type:str] client_secret: ENC[AES256_GCM,data:xLL5GJTKSnucssmIQjVhCUwwXyZaYl54/+QzXPFx0dJpX63kaeJufw==,iv:2cyHZvDaoNQtlKiPKf2ACoNuvlww6WE7vcGG6jVXISI=,tag:IRcogW5ZDZWA6Pv8DyVcPg==,type:str] - oauth_callback_url: ENC[AES256_GCM,data:d+/oCcmELV7Tvfe86P4YH8DCnLHI0yid0WoUWH0IKT022b9Ba/rnptYp,iv:SVHQK5yK26JOHV6uWycsLYUk42g6Kl8RahOf5oMbqxc=,tag:HjT+HYo30qqP5yCKcgVZCQ==,type:str] sops: kms: [] gcp_kms: 
@@ -15,8 +14,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-09T09:36:42Z" - mac: ENC[AES256_GCM,data:DfmVtvbHRczSN/9KawreI79Hw9rQExWcpu7UJlCgBSxdA05oiEg+sr3Ylv5Qzthn+v0uYMb3pFWWmJrfz2LoY8Rc7HGWRKNTFvgykE/DX7JHyN5MbM6BvQNHGQeCn2Jcu2QhZvQbm5XgY0KOMJu/3y+DZui8NR2BDpXdco+YCl8=,iv:XHeme2xxOHx+zwixzLugknI0lUuhB+nTtwbVjo6bAE0=,tag:5rPqQL/si+x0VREW0LnkoA==,type:str] + lastmodified: "2022-03-15T03:52:07Z" + mac: ENC[AES256_GCM,data:b96WljyWsCUnPKIGqHI4He+umqvDXKksyRF6VEmDfkjBMdrNm0YqTSPJiHAaNGVr1mjnllhGtDsatEDZCB2v05/M9FCJeoS961DcBKHJ7HTNnvHhjzEgH0TZKop87CF2nCgTtu939YHhlXJMIOAfgnH7k0/Q/8YgWwhy723UVtc=,iv:wyRXPl8iZ7qKjnlK0zRM+WCact0Vl3U7vE6dW1qk74M=,tag:j7CTLd2TSnqcXmzbFKXNLg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 diff --git a/config/clusters/leap/enc-staging.secret.values.yaml b/config/clusters/leap/enc-staging.secret.values.yaml index 15ec79a6d3..afd4da8341 100644 --- a/config/clusters/leap/enc-staging.secret.values.yaml +++ b/config/clusters/leap/enc-staging.secret.values.yaml @@ -5,7 +5,6 @@ basehub: GitHubOAuthenticator: client_id: ENC[AES256_GCM,data:+AMr1i/FBcFuMHVbLXf7dqfvsWc=,iv:6SyzEQjAgag1ReUANQpKpqzbkZQzXXgztqYY+keuC14=,tag:IfcPSe5+GaSDkFM7lqIemg==,type:str] client_secret: ENC[AES256_GCM,data:wn3bphxQWosKZC596MSVHiNt0d1BuRmR19YX/FK9mcdmvO1IswQVpQ==,iv:cm2FGIjpXnjOHMUnuGeB1WYAjozErtuYSx99737vtVw=,tag:ZBNPrQCPqGiz+ttCNIE/Ag==,type:str] - oauth_callback_url: ENC[AES256_GCM,data:COFoMWuv8XAmHHHcKh0CohhU63qfTAlRzMVeA0fn9aP7U3KBRuYP6yw/Qh8REDnpgXo=,iv:SL9AE00Gr1VFht9jWIS4ipSX+nAnmii5iNX37l19aTA=,tag:mydwvSO+CjurZF2HkkHe8A==,type:str] sops: kms: [] gcp_kms: 
@@ -15,8 +14,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2022-03-09T09:32:24Z" - mac: ENC[AES256_GCM,data:f0GDINNXc/xX4Ir0ayXvfgMeZzdqIekpgNPkOtOX80a09wS2AWWG58g36uf6pQwi+WTgDFnIL8TUPxjt3SVCJhKuKtFWuYQW35h3qwoHcsTD6thKASfQtD3CyJaMAzuZkYQYIqHhCFAYIr9cCruxnbOzCK+1b3I3ScAYyj+dBWo=,iv:LX+hyL5S3djX7UWPo6OZ0/+vuk6Jbx2GDFpvt46K1/I=,tag:LE3GBK1vgRavlN8ol89ruQ==,type:str] + lastmodified: "2022-03-15T03:52:01Z" + mac: ENC[AES256_GCM,data:H2VetTwomSuEk84ut0G5XKLmXTh2Mp1R8Mvwj7X0mOiPTVhpw8FnqLCy+DfrcPGD5Yv3f2gyROWCaDv29L1mJkwBk+vxF63AjcljaR48/sOn+oo2c0xOIigrqluU/FFBvqJL7Lcrrt8X1TNbM1e4bu8ckJILfbqQO2c+WfNrSBM=,iv:wbIOKcrVddBAHDLY/snwG+Oc0pC3YQGgKRAMDzoQlY4=,tag:ZHNFCNamz1CZLGU4j0LXCw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1 diff --git a/config/clusters/leap/prod.values.yaml b/config/clusters/leap/prod.values.yaml new file mode 100644 index 0000000000..94e46d52c4 --- /dev/null +++ b/config/clusters/leap/prod.values.yaml @@ -0,0 +1,5 @@ +basehub: + jupyterhub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://leap.2i2c.cloud/hub/oauth_callback diff --git a/config/clusters/leap/staging.values.yaml b/config/clusters/leap/staging.values.yaml new file mode 100644 index 0000000000..280480cac3 --- /dev/null +++ b/config/clusters/leap/staging.values.yaml @@ -0,0 +1,5 @@ +basehub: + jupyterhub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://staging.leap.2i2c.cloud/hub/oauth_callback From 89159f5d89cf709e7ab0f4f79487d88140ad8f04 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 15 Mar 2022 05:46:19 -0700 Subject: [PATCH 09/14] Set SCRATCH_BUCKET explicitly for leap hub We aren't using config-connector anymore, so these need to be set explicitly. --- config/clusters/leap/common.values.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 62a32555b8..87bb978d53 100644 --- a/config/clusters/leap/common.values.yaml 
+++ b/config/clusters/leap/common.values.yaml @@ -59,6 +59,13 @@ basehub: image: name: pangeo/pangeo-notebook tag: 2022.02.04 + extraEnv: + SCRATCH_BUCKET_PROTOCOL: gcs + # Created via terraform + SCRATCH_BUCKET_NAME: leap-pangeo-scratch + # Use k8s syntax of $(ENV_VAR) to substitute env vars dynamically in other env vars + SCRATCH_BUCKET: "{bucket_protocol}://{bucket_name}/$(JUPYTERHUB_USER)" + PANGEO_SCRATCH: "{bucket_protocol}://{bucket_name}/$(JUPYTERHUB_USER)" profileList: # The mem-guarantees are here so k8s doesn't schedule other pods # on these nodes. They need to be just under total allocatable From c218541d80f84dc9584c790515329b5203af5cc2 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 15 Mar 2022 05:53:05 -0700 Subject: [PATCH 10/14] Nest some config deeper --- config/clusters/leap/cluster.yaml | 2 +- config/clusters/leap/prod.values.yaml | 7 ++++--- config/clusters/leap/staging.values.yaml | 7 ++++--- 3 files changed, 9 insertions(+), 7 deletions(-) diff --git a/config/clusters/leap/cluster.yaml b/config/clusters/leap/cluster.yaml index 0acf2393ca..15cab590a3 100644 --- a/config/clusters/leap/cluster.yaml +++ b/config/clusters/leap/cluster.yaml @@ -27,5 +27,5 @@ hubs: enabled: false helm_chart_values_files: - common.values.yaml - - prod.yaml + - prod.values.yaml - enc-prod.secret.values.yaml diff --git a/config/clusters/leap/prod.values.yaml b/config/clusters/leap/prod.values.yaml index 94e46d52c4..44dffa4a27 100644 --- a/config/clusters/leap/prod.values.yaml +++ b/config/clusters/leap/prod.values.yaml @@ -1,5 +1,6 @@ basehub: jupyterhub: - config: - GitHubOAuthenticator: - oauth_callback_url: https://leap.2i2c.cloud/hub/oauth_callback + hub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://leap.2i2c.cloud/hub/oauth_callback diff --git a/config/clusters/leap/staging.values.yaml b/config/clusters/leap/staging.values.yaml index 280480cac3..db4dd0acfd 100644 --- a/config/clusters/leap/staging.values.yaml 
+++ b/config/clusters/leap/staging.values.yaml @@ -1,5 +1,6 @@ basehub: jupyterhub: - config: - GitHubOAuthenticator: - oauth_callback_url: https://staging.leap.2i2c.cloud/hub/oauth_callback + hub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://staging.leap.2i2c.cloud/hub/oauth_callback From 5b11312fa19d3c0969208bcd4e957333c8110697 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 15 Mar 2022 06:04:54 -0700 Subject: [PATCH 11/14] Fix scratch bucket env vars properly - GCS storage protocol is gs, not gcs - Just hardcode the bucket name here, as env var substitution relies on ordering of env vars and that is just a bit messy. --- config/clusters/leap/common.values.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 87bb978d53..395cc00da3 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -60,12 +60,9 @@ basehub: name: pangeo/pangeo-notebook tag: 2022.02.04 extraEnv: - SCRATCH_BUCKET_PROTOCOL: gcs - # Created via terraform - SCRATCH_BUCKET_NAME: leap-pangeo-scratch - # Use k8s syntax of $(ENV_VAR) to substitute env vars dynamically in other env vars - SCRATCH_BUCKET: "{bucket_protocol}://{bucket_name}/$(JUPYTERHUB_USER)" - PANGEO_SCRATCH: "{bucket_protocol}://{bucket_name}/$(JUPYTERHUB_USER)" + # This bucket is created by terraform + SCRATCH_BUCKET: "gs://leap-pangeo-scratch/$(JUPYTERHUB_USER)" + PANGEO_SCRATCH: "gs://leap-pangeo-scratch/$(JUPYTERHUB_USER)" profileList: # The mem-guarantees are here so k8s doesn't schedule other pods # on these nodes. They need to be just under total allocatable From 0ee90ff6e5db3833b5683e486591d258ce69d645 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 24 Mar 2022 14:41:39 -0700 Subject: [PATCH 12/14] Fix comment about config_connector --- terraform/gcp/projects/leap.tfvars | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
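Review bot: In the common.values.yaml hunk of the scratch-bucket fix, `SCRATCH_BUCKET` and `PANGEO_SCRATCH` point every user at a prefix inside the single bucket `leap-pangeo-scratch`, and a path prefix is not by itself an access boundary. Unless bucket IAM is scoped per user, which nothing on this page shows, any user's pod can presumably read or overwrite other users' scratch data. Extending the comment, e.g. `# This bucket is created by terraform; the per-user prefix is a convention, not access control`, would set expectations about what may be stored there. If `JUPYTERHUB_USER` is not defined earlier in the container's env list, Kubernetes leaves `$(JUPYTERHUB_USER)` unexpanded and all users would share one literal path, so the expansion is worth verifying on a running pod.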
diff --git a/terraform/gcp/projects/leap.tfvars b/terraform/gcp/projects/leap.tfvars index 74e4a3db81..59043ffb2a 100644 --- a/terraform/gcp/projects/leap.tfvars +++ b/terraform/gcp/projects/leap.tfvars @@ -8,7 +8,8 @@ enable_private_cluster = false # Multi-tenant cluster, network policy is required to enforce separation between hubs enable_network_policy = true -# Some hubs want a storage bucket, so we need to have config connector enabled +# FIXME: config_connector doesn't actually work, so right now access to cloud +# buckets dosn't properly work. Should be fixed by https://github.com/2i2c-org/infrastructure/pull/1130 config_connector_enabled = false # Setup a filestore for in-cluster NFS From 62ed822da9fff754a9f3c9a9e8b94ccc3ee44682 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 24 Mar 2022 15:04:59 -0700 Subject: [PATCH 13/14] Remove tabs from encrypted JFON file --- .../leap/enc-deployer-credentials.secret.json | 56 +++++++++---------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/config/clusters/leap/enc-deployer-credentials.secret.json b/config/clusters/leap/enc-deployer-credentials.secret.json index 0ca3991feb..41d0ac714d 100644 --- a/config/clusters/leap/enc-deployer-credentials.secret.json +++ b/config/clusters/leap/enc-deployer-credentials.secret.json 
@@ -1,30 +1,30 @@ { - "type": "ENC[AES256_GCM,data:bXgwRCCuUFr4lQ2E2SNY,iv:s2f8CNR1otvSWHZjBoPU0g0edG9Z1oxp4DR19P3nFcM=,tag:8uaIHlomCatJ3nO94vm+Xg==,type:str]", - "project_id": "ENC[AES256_GCM,data:XD/SgAyoYBTSryM=,iv:V8+bdV7rBHqQwOweAD7NpTuFlx59MXFfXyIKZfmy0C0=,tag:YuEn+Nx9FoyU5Mz/othl4g==,type:str]", - "private_key_id": "ENC[AES256_GCM,data:RyEVnVqgxNZ1oxHlKAea36r6dSlaqehJJQCNpg4k675vfD8s3oxAYA==,iv:UidkTYHW7UYhVIeLCemr6TfqQlFXstg677iSXkfO6vo=,tag:Yv2f+19B6sKkMZmNuMBm4A==,type:str]", - "private_key": "ENC[AES256_GCM,data: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,iv:EgD4FRnPUx3eF7lO7mrfjYmmx1QxfGYi5PYbbFh0E/A=,tag:aTr3QIHfxhtdovqFj2R23g==,type:str]", - "client_email": "ENC[AES256_GCM,data:1pYHCwTtM2blwTR0PYzRdZxEAcigHYc+dFI0o6H3NfV4Gdp2BI9tSxGsoPxFhg==,iv:XQ9uTRrFoN7DSa1X7lYv89k2uY2o+dOh9MYC6VRkCrc=,tag:nTi4NKlTJn1X8OW55m5rxA==,type:str]", - "client_id": "ENC[AES256_GCM,data:U6WS704VI9XtGpPqfm9lxWR3Q7Mi,iv:/xvGuEGfsJcWxqTW2Z9JJSamJ5vrKIJhpkonB+IRDrI=,tag:yBgTt0CgdCmcIvtgiSs5yg==,type:str]", - "auth_uri": "ENC[AES256_GCM,data:0qByuvHwcpGgzitfrLq1BF+fYbvPaw0GSLgV9ap6UeVW2Obi30SAyEg=,iv:Su94WLXfURaDcYS6kfq3pNScwcmvVOIHEQmr4nL0m+U=,tag:36JEZaLat0pIabEE9+7HUw==,type:str]", - "token_uri": "ENC[AES256_GCM,data:VopsA3EwGJMYx9e9aGln1JQpYbpNw13z1yT7e92VsjdLYfw=,iv:LmpzRcY2tZVspy7CYMMnORybq9zwcgNRCeCuFyKGV5E=,tag:d2VfyqSA+FpQgCF68lp3Hw==,type:str]", - "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:XctyK5UvsjLXpDf2nuvHrrPb6Xeof80vd4voZTT4lHj1PqScsFxCQx0h,iv:kwvSoStJdIUbMJasX6r0i0Ahh5vWdbKQdfgNNAfApso=,tag:+mWUAoiF/K8sS/bWRxQBpg==,type:str]", - "client_x509_cert_url": "ENC[AES256_GCM,data:8X40APDF+qU0QxB/fAl9d3QEK+xV+nadmiEGXWeDVUwWhfHDvKGfmxhQpuq9Jlezh78ZJqk582gji9zbk76jj96MKsDpCTLxVk0afc2kAHhfdWyZr3rWCsApZx1bsJx6Jzs=,iv:86Y1ykaCpyF+GASy9V+wxfmagZgIjFcUqO+f+IV7wuw=,tag:gSHMz9BeGIpMrufCeLoKvA==,type:str]", - "sops": { - "kms": null, - "gcp_kms": [ - { - "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", - 
"created_at": "2022-03-09T10:01:06Z", - "enc": "CiQA4OM7eL+21cxRUstcvIlnsMZrFbLDsiQpXe8XPMnIpbe033ISSADm5XgWSJUtlvvXtnkfqnnyCGz/4hSG6Sm1Mb2C713GGAJrg8oILKXAhrQn7Grp9Ayi48nhjXLltdNRBdEJWkLVv6WvLWcktA==" - } - ], - "azure_kv": null, - "hc_vault": null, - "age": null, - "lastmodified": "2022-03-09T10:01:07Z", - "mac": "ENC[AES256_GCM,data:R82w7fgEsBoeU/EN4eHS/0IFijn0ts3SjE46/LGpQbb+NtvFf4ynmvp7GOpbV03J9GgWpY1vaoREkkrtbNg+CUNLpbHx4Bg2LFz1QFCYuG6NN/7DbunvEQwHZrd1QmA4MX0CsnQzWzrrXSvZw2W8AX1HNeo9bClvdHOBzGlZctQ=,iv:1Vjso4F+eO+gV1gsx+4OMzxh9WEsC5COZaI+LLmC4kU=,tag:b215foOX/93CciksTJCUDA==,type:str]", - "pgp": null, - "unencrypted_suffix": "_unencrypted", - "version": "3.7.1" - } + "type": "ENC[AES256_GCM,data:bXgwRCCuUFr4lQ2E2SNY,iv:s2f8CNR1otvSWHZjBoPU0g0edG9Z1oxp4DR19P3nFcM=,tag:8uaIHlomCatJ3nO94vm+Xg==,type:str]", + "project_id": "ENC[AES256_GCM,data:XD/SgAyoYBTSryM=,iv:V8+bdV7rBHqQwOweAD7NpTuFlx59MXFfXyIKZfmy0C0=,tag:YuEn+Nx9FoyU5Mz/othl4g==,type:str]", + "private_key_id": "ENC[AES256_GCM,data:RyEVnVqgxNZ1oxHlKAea36r6dSlaqehJJQCNpg4k675vfD8s3oxAYA==,iv:UidkTYHW7UYhVIeLCemr6TfqQlFXstg677iSXkfO6vo=,tag:Yv2f+19B6sKkMZmNuMBm4A==,type:str]", + "private_key": "ENC[AES256_GCM,data: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,iv:EgD4FRnPUx3eF7lO7mrfjYmmx1QxfGYi5PYbbFh0E/A=,tag:aTr3QIHfxhtdovqFj2R23g==,type:str]", + "client_email": "ENC[AES256_GCM,data:1pYHCwTtM2blwTR0PYzRdZxEAcigHYc+dFI0o6H3NfV4Gdp2BI9tSxGsoPxFhg==,iv:XQ9uTRrFoN7DSa1X7lYv89k2uY2o+dOh9MYC6VRkCrc=,tag:nTi4NKlTJn1X8OW55m5rxA==,type:str]", + "client_id": "ENC[AES256_GCM,data:U6WS704VI9XtGpPqfm9lxWR3Q7Mi,iv:/xvGuEGfsJcWxqTW2Z9JJSamJ5vrKIJhpkonB+IRDrI=,tag:yBgTt0CgdCmcIvtgiSs5yg==,type:str]", + "auth_uri": "ENC[AES256_GCM,data:0qByuvHwcpGgzitfrLq1BF+fYbvPaw0GSLgV9ap6UeVW2Obi30SAyEg=,iv:Su94WLXfURaDcYS6kfq3pNScwcmvVOIHEQmr4nL0m+U=,tag:36JEZaLat0pIabEE9+7HUw==,type:str]", + "token_uri": 
"ENC[AES256_GCM,data:VopsA3EwGJMYx9e9aGln1JQpYbpNw13z1yT7e92VsjdLYfw=,iv:LmpzRcY2tZVspy7CYMMnORybq9zwcgNRCeCuFyKGV5E=,tag:d2VfyqSA+FpQgCF68lp3Hw==,type:str]", + "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:XctyK5UvsjLXpDf2nuvHrrPb6Xeof80vd4voZTT4lHj1PqScsFxCQx0h,iv:kwvSoStJdIUbMJasX6r0i0Ahh5vWdbKQdfgNNAfApso=,tag:+mWUAoiF/K8sS/bWRxQBpg==,type:str]", + "client_x509_cert_url": "ENC[AES256_GCM,data:8X40APDF+qU0QxB/fAl9d3QEK+xV+nadmiEGXWeDVUwWhfHDvKGfmxhQpuq9Jlezh78ZJqk582gji9zbk76jj96MKsDpCTLxVk0afc2kAHhfdWyZr3rWCsApZx1bsJx6Jzs=,iv:86Y1ykaCpyF+GASy9V+wxfmagZgIjFcUqO+f+IV7wuw=,tag:gSHMz9BeGIpMrufCeLoKvA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + "created_at": "2022-03-09T10:01:06Z", + "enc": "CiQA4OM7eL+21cxRUstcvIlnsMZrFbLDsiQpXe8XPMnIpbe033ISSADm5XgWSJUtlvvXtnkfqnnyCGz/4hSG6Sm1Mb2C713GGAJrg8oILKXAhrQn7Grp9Ayi48nhjXLltdNRBdEJWkLVv6WvLWcktA==" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2022-03-09T10:01:07Z", + "mac": "ENC[AES256_GCM,data:R82w7fgEsBoeU/EN4eHS/0IFijn0ts3SjE46/LGpQbb+NtvFf4ynmvp7GOpbV03J9GgWpY1vaoREkkrtbNg+CUNLpbHx4Bg2LFz1QFCYuG6NN/7DbunvEQwHZrd1QmA4MX0CsnQzWzrrXSvZw2W8AX1HNeo9bClvdHOBzGlZctQ=,iv:1Vjso4F+eO+gV1gsx+4OMzxh9WEsC5COZaI+LLmC4kU=,tag:b215foOX/93CciksTJCUDA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.1" + } } \ No newline at end of file From 21e50e9a044a91efcd3375bc5be08ef13f0c2423 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 24 Mar 2022 15:13:30 -0700 Subject: [PATCH 14/14] Re-add config that sets filestore network conditionally null is not an accepted value, but 'default' is --- terraform/gcp/storage.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gcp/storage.tf b/terraform/gcp/storage.tf index 7db0a79d83..29ada0a8ea 100644 --- a/terraform/gcp/storage.tf +++ b/terraform/gcp/storage.tf 
@@ -19,7 +19,7 @@ resource "google_filestore_instance" "homedirs" { } networks { - network = google_container_cluster.cluster.network + network = var.enable_private_cluster ? data.google_compute_network.default_network.name : "default" modes = ["MODE_IPV4"] } }
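Review bot: The new `network` expression in the `networks` block no longer follows the cluster: it replaces `google_container_cluster.cluster.network` with the literal `"default"` whenever `var.enable_private_cluster` is false. Which VPC a Filestore instance is attached to determines who can mount it, so if the cluster is later moved to a dedicated network the home directories would stay on `default`, likely out of reach of the nodes and still reachable from other workloads on that VPC. A comment above the line would record the constraint, e.g. `# must be the VPC the GKE nodes are on; "default" is used because null is rejected`. If `data.google_compute_network.default_network` is declared with `count`, the reference would also need an index; its declaration is outside the hunk, as is the start of the `google_filestore_instance` resource.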