Setup NASA ESDIS cluster and hub

.github/workflows/deploy-grafana-dashboards.yaml

@@ -28,6 +28,7 @@ jobs:
           - cluster_name: m2lines
           - cluster_name: meom-ige
           - cluster_name: nasa-cryo
+          - cluster_name: nasa-esdis
           - cluster_name: nasa-veda
           - cluster_name: openscapes
           - cluster_name: pangeo-hubs

.github/workflows/deploy-hubs.yaml

@@ -206,6 +206,7 @@ jobs:
       failure_catalystproject-latam: "${{ env.failure_catalystproject-latam }}"
       failure_catalystproject-africa: "${{ env.failure_catalystproject-africa }}"
       failure_hhmi: "${{ env.failure_hhmi }}"
+      failure_nasa-esdis: "${{ env.failure_nasa-esdis }}"
 
     # Only run this job on pushes to the default branch and when the job output is not
     # an empty list

config/clusters/nasa-esdis/cluster.yaml

@@ -0,0 +1,28 @@
+name: nasa-esdis
+provider: aws
+aws:
+  key: enc-deployer-credentials.secret.json
+  clusterType: eks
+  clusterName: nasa-esdis
+  region: us-west-2
+support:
+  helm_chart_values_files:
+    - support.values.yaml
+    - enc-support.secret.values.yaml
+hubs:
+  - name: staging
+    display_name: "ESDIS (staging)"
+    domain: staging.esdis.2i2c.cloud
+    helm_chart: basehub
+    helm_chart_values_files:
+      - common.values.yaml
+      - staging.values.yaml
+      - enc-staging.secret.values.yaml
+  - name: prod
+    display_name: "ESDIS"
+    domain: esdis.2i2c.cloud
+    helm_chart: basehub
+    helm_chart_values_files:
+      - common.values.yaml
+      - prod.values.yaml
+      - enc-prod.secret.values.yaml

config/clusters/nasa-esdis/common.values.yaml

@@ -0,0 +1,143 @@
+nfs:
+  pv:
+    # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+    mountOptions:
+      - rsize=1048576
+      - wsize=1048576
+      - timeo=600
+      - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+      - retrans=2
+      - noresvport
+    serverIP: fs-0013506a2d5ee70fc.efs.us-west-2.amazonaws.com
+    baseShareName: /
+jupyterhub:
+  custom:
+    2i2c:
+      add_staff_user_ids_to_admin_users: true
+      add_staff_user_ids_of_type: "github"
+    homepage:
+      templateVars:
+        org:
+          name: ESDIS
+          logo_url: "https://github.com/2i2c-org/infrastructure/assets/61120/3380676a-1f2e-400d-8471-79496510c1e7"
+          url: https://www.earthdata.nasa.gov/esdis
+        designed_by:
+          name: 2i2c
+          url: https://2i2c.org
+        operated_by:
+          name: 2i2c
+          url: https://2i2c.org
+        funded_by:
+          name: NASA
+          url: "https://www.earthdata.nasa.gov/esds"
+  hub:
+    config:
+      JupyterHub:
+        authenticator_class: github
+      GitHubOAuthenticator:
+        allowed_organizations:
+          - nasa-esdis:cloud-users
+        scope:
+          - read:org
+      Authenticator:
+        admin_users:
+          - bilts # Patrick Quinn
+          - freitagb # Brian Freitag
+  singleuser:
+    profileList:
+      - display_name: Python
+        description: Python datascience environment
+        default: true
+        kubespawner_override:
+          image: openscapes/python:6ee57a9
+        profile_options: &profile_options
+          requests:
+            display_name: Resource Allocation
+            choices:
+              mem_1_9:
+                display_name: 1.9 GB RAM, upto 3.75 CPUs
+                kubespawner_override:
+                  mem_guarantee: 1992701952
+                  mem_limit: 1992701952
+                  cpu_guarantee: 0.234375
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+                default: true
+              mem_3_7:
+                display_name: 3.7 GB RAM, upto 3.75 CPUs
+                kubespawner_override:
+                  mem_guarantee: 3985403904
+                  mem_limit: 3985403904
+                  cpu_guarantee: 0.46875
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_7_4:
+                display_name: 7.4 GB RAM, upto 3.75 CPUs
+                kubespawner_override:
+                  mem_guarantee: 7970807808
+                  mem_limit: 7970807808
+                  cpu_guarantee: 0.9375
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_14_8:
+                display_name: 14.8 GB RAM, upto 3.75 CPUs
+                kubespawner_override:
+                  mem_guarantee: 15941615616
+                  mem_limit: 15941615616
+                  cpu_guarantee: 1.875
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_29_7:
+                display_name: 29.7 GB RAM, upto 3.75 CPUs
+                kubespawner_override:
+                  mem_guarantee: 31883231232
+                  mem_limit: 31883231232
+                  cpu_guarantee: 3.75
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_60_6:
+                display_name: 60.6 GB RAM, upto 15.72 CPUs
+                kubespawner_override:
+                  mem_guarantee: 65105797120
+                  mem_limit: 65105797120
+                  cpu_guarantee: 7.86
+                  cpu_limit: 15.72
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.4xlarge
+              mem_121_3:
+                display_name: 121.3 GB RAM, upto 15.72 CPUs
+                kubespawner_override:
+                  mem_guarantee: 130211594240
+                  mem_limit: 130211594240
+                  cpu_guarantee: 15.72
+                  cpu_limit: 15.72
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.4xlarge
+      - display_name: R
+        description: R (with RStudio) + Python environment
+        kubespawner_override:
+          image: openscapes/rocker:a7596b5
+        profile_options: *profile_options
+      - display_name: Matlab
+        description: Matlab environment
+        kubespawner_override:
+          image: openscapes/matlab:2023-06-29
+        profile_options: *profile_options
+      - display_name: QGIS
+        description: QGIS environment
+        kubespawner_override:
+          # Explicitly unset this - we set this to 'jupyterhub-singleuser'
+          # in basehub/values.yaml. We instead want to leave this unset,
+          # so the default command for the docker image is used instead.
+          # This is required for .desktop files to show up correctly.
+          cmd: null
+          # Launch people directly into the Linux desktop when they start
+          default_url: /desktop
+          # Built from https://github.com/jupyterhub/jupyter-remote-desktop-proxy/pull/51
+          image: "quay.io/jupyter-remote-desktop-proxy/qgis:2023-09-27"
+        profile_options: *profile_options

config/clusters/nasa-esdis/enc-deployer-credentials.secret.json

@@ -0,0 +1,25 @@
+{
+	"AccessKey": {
+		"AccessKeyId": "ENC[AES256_GCM,data:OIfYt6u0fS+1jOWGtvYGmCpfQ6E=,iv:7TwYcXCyPQee1jivFrpMu0vEGmIid4KpQjorLFiZFls=,tag:ST7Jsc2IMht0sDaCqIHrjw==,type:str]",
+		"SecretAccessKey": "ENC[AES256_GCM,data:sejOP1oMhqmLBMxBwXM39uStZ1lhD5xeP3HJeTOan5IINY9euVsMxw==,iv:1bgN0a/nOU3mcbJp7Md7y7GVcGqIx6bgv/GWhvUQ8E0=,tag:nCCNKq05QG3pmLrHmKIqfw==,type:str]",
+		"UserName": "ENC[AES256_GCM,data:pQlaKgIgS9p+QGYPQWiM0Ru4TsFj+1E=,iv:ed3hBvn3OjrIh+oVUwSkZ98l0zoMA49Mkp+6b+fKNKI=,tag:D/hJ39D1KJapB7OOMWupeQ==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2023-10-09T15:31:10Z",
+				"enc": "CiUA4OM7eH4xJQXevXCKXptecUhLJd3hFZgTnrmXafhtsRedVmN2EkkAq2nhVWOF8VhmjbyNdsvgtD/qaSYcI9uosszCwh4AI+yDDqMCvSVfjhyV6oize4db3UxG/oso64R+x54QmghyTo8lBwJw7M5K"
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2023-10-09T15:31:11Z",
+		"mac": "ENC[AES256_GCM,data:Vqza5EGpfrQBGJXYEgdfzA07BiYrpAUPm2bppyYPMZBbMw5d56vBmCd1bdMWp2/nXIkwf/7Z6Er+zm2PG16stDe3U7sTRmozuB7kNa09ZdbgUJPMK6OBRqoBRWtPRvIrYbj8+UfOUA1yH/GYFPl8WdDQhHDNlKrDkNdqm5vZcxI=,iv:eCUFG6QJPL4Lj/5T5xovw8w9nV575vrCHO02sufWgg8=,tag:H+HcDGwdP4tYcQbc7etvnQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

config/clusters/nasa-esdis/enc-grafana-token.secret.yaml

@@ -0,0 +1,15 @@
+grafana_token: ENC[AES256_GCM,data:uyKUZxP+puls6Ht40AygajtccsJyZyHY74q3Nbx5FfgiH49TMm1IyYrKLeAtdQ==,iv:c7XXzezDGJ5fCkvNYNajT2cE2Fd83xNNoc46bebE37w=,tag:8X6UoyR9sEql/Ddhw7TAVA==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-10-23T10:40:41Z"
+          enc: CiUA4OM7eMrbEisfh3RnojiraK+TDneCOOgmhpP0wZc2XpdwTpJuEkkAq2nhVZoCgFbgrh3xd8as3UWZvEGX/sg73sMNyH/4AqdRWkpclW6sWIzYIUS5DWbrbH80gJ5UL8Mo+PjRs+MfIo6+JYMkm5Kt
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-23T10:40:42Z"
+    mac: ENC[AES256_GCM,data:jpkY5AbJjqCNpOHKtM5QN+7DBCzvROaaNHgowohw04MsDkXnSacDFPLWSZ7eDJq/S72bFZgE2yCVMKIgkm6vDLw/jVSwrJkRU0bB2L+FI7O0spyIFa8KdOj1eQtz5tEr2ihEXO97U0yqhypaIqEfB/ekyimrN6U8BvK2DLbSK9U=,iv:aZr4nqjXCMg1frBIdPf5R1EThnGCfqhKSvsSXwpQIPQ=,tag:oxB4MfeykVfwZSpmzVWY0g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/nasa-esdis/enc-prod.secret.values.yaml

@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            GitHubOAuthenticator:
+                client_id: ENC[AES256_GCM,data:OiqOHcO1+3DGyXRiBht2l5vHH1o=,iv:dwBeTe+8xakdrIr09rZT9b9+wWvflIE6pDm36pU9YcI=,tag:k0hpKiafQ8aqEI2HwXOzlA==,type:str]
+                client_secret: ENC[AES256_GCM,data:YGoTpQ3fivk0Ax9IAkjEmx63r2M4GrCbBYsAwa7wbmV8sbG6ZQrDDA==,iv:jemvx79SGsYUPch8NkRpRErsx2Ze4osLFCaJN30732Q=,tag:CA0V/T2AhjQ+bpQLO/kGDQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-10-24T09:12:24Z"
+          enc: CiUA4OM7eIXRJ1ZnAaA+iseq8LageDtI0yFUj6vX51qxjMXvdCpXEkkAq2nhVeb7uSbMwycRzDo0pjN7SfYdvzXlJTnrzOa4pIgisTqBYfHDynb+BZ5BQV/AUQkrq4K5vLYJp8MKTD4MFM9ZDzqqO5zj
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-24T09:12:24Z"
+    mac: ENC[AES256_GCM,data:Zwk0TsPcB/R3j1cXSlscdJ29tF2qP7MGoazhC90/nOJSYnuqCJ9eyP7hZZCk4XPro+GmPswcV9auG25r+5DZ3SoMYqi8/xsQg5dcCkG/Ljmu5aqQx7mpLbsgnfDthknEQLkOh+HBn4CUZeZNjOKR/U9FR2MHA3G7Q22dTqFwWE4=,iv:Wzx/tJybpdO+9BDLqJqN+8l9PRIrmLE8wURyHaKfqcI=,tag:BiGy+pHRQRlpbKnhVmBq+A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/nasa-esdis/enc-staging.secret.values.yaml

@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            GitHubOAuthenticator:
+                client_id: ENC[AES256_GCM,data:lgPuF/Ccu9ntp3XUG1lkQfHAklI=,iv:QUawJ/pnyvUiPAviG/lEsHZdq5D/1B6ctYF0VLlBA5o=,tag:eT3uAWdQ63XjdPTzEsWKug==,type:str]
+                client_secret: ENC[AES256_GCM,data:gEGxqh4OATMqcAYFS99ps715VhtflFeCwD1y0gvCDpmYgej0xjK4pw==,iv:Xcq1gtf9TKKM2YejIyNMZP9esdpJwIRRVy6zZekSqoA=,tag:xx1SZpzKGbh3N+DYxnEJKQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-10-23T10:17:16Z"
+          enc: CiUA4OM7eD87wY66POe9D5m+Z9tdiqNzUWoaZbHqyCI7gYUiuu32EkkAq2nhVbEI/L0WVm+YW6Io8TlpkGVZECpphS8xNk9K5nWJWKJE+ehRQ2lxWjxMkNqk8WNU24zvwiCxIdtRCnYXd18Csws7vw85
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-23T10:17:17Z"
+    mac: ENC[AES256_GCM,data:J99yZKLdaWCfpcs2oKgHJCC2KvMZ4Oy9zhxS4hfNGEG72OuKTJXLWwNwcYPRdv9B39+8BoCtoMYubX4/l5DoUNc7JwgWNBIi2u0EZXaHwavaMhNaDBKWTS/Kl9wxwiqKTY6bAu5yGxxw/xRGiQwILIK4su0UXQ+DDq817Vw1PK4=,iv:sVHuo85geO5XVWJodOSU9V0r2uijxjAxDPCfoL+LbEM=,tag:41LNvuUva4JIAL7gwbyoWw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/nasa-esdis/enc-support.secret.values.yaml

@@ -0,0 +1,17 @@
+prometheusIngressAuthSecret:
+    username: ENC[AES256_GCM,data:Pz6bbBswj30Zt/Rv5ARw9raY5rvb8yqetIwCYCZnF7lx4gccvWldkP1m2ELShhocEDfi57g04e4voJKXv2WO7g==,iv:2SX84HKE91rAGVkf+p3OxNwB6vffWJnbba7QiUEpz5E=,tag:6aYPVmS3BYw2egPY6CdgBw==,type:str]
+    password: ENC[AES256_GCM,data:MLYiKI8V8YQ0NCgaDnyu2Bin2etxNe10CfuF0D8NERxD0CbNTUdG1it9uPjgThNa8q0oOX4TcKyKTkflJN0oLQ==,iv:BQ1ttOfsqy0k9J8TnRVefe37QHwIEuyU/ibMWXeY+iA=,tag:eW9vuGW9w6AR3b5u+98maw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-10-09T13:05:13Z"
+          enc: CiUA4OM7eIAIlHpZkcgBadhUBd8FPBL7U/SWqPvrYz3XiBc8KD7/EkkAq2nhVcEwgBvz6CpEnx44szACgO0ch0Q6J2TaR8Sv/NTSafO8lgbAKKIygR7jnlf8Kw95NAiJhwWcvElumpz3Vylet3MYHnDx
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-10-09T13:05:13Z"
+    mac: ENC[AES256_GCM,data:e4HwG/ieB4MUlFRfv40hIT0ZyVVUsqiygn/h8lmnj+JV7aZeHc2ptFy7g/1qWTHKbo5BxY7gNv2icpeXuw6XXVu3OpjExogy6bpmA1d+j6KRP/77R78jaMnbxYJ6cOxnPVT61mG6ZgT57ugUoBNteNvXZ8ULhrwZvy3KXe87Jvo=,iv:ni55q20UJOtcPBqrLgZ7Xq32ICTIjuNeDNHm0DlC67I=,tag:kD+miYFmI1gLUyI/ynofMA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/nasa-esdis/prod.values.yaml

@@ -0,0 +1,16 @@
+userServiceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::942325726017:role/nasa-esdis-prod
+jupyterhub:
+  ingress:
+    hosts: [esdis.2i2c.cloud]
+    tls:
+      - hosts: [esdis.2i2c.cloud]
+        secretName: https-auto-tls
+  singleuser:
+    extraEnv:
+      SCRATCH_BUCKET: s3://nasa-esdis-scratch/$(JUPYTERHUB_USER)
+  hub:
+    config:
+      GitHubOAuthenticator:
+        oauth_callback_url: "https://esdis.2i2c.cloud/hub/oauth_callback"

config/clusters/nasa-esdis/staging.values.yaml

@@ -0,0 +1,16 @@
+userServiceAccount:
+  annotations:
+    eks.amazonaws.com/role-arn: arn:aws:iam::942325726017:role/nasa-esdis-staging
+jupyterhub:
+  ingress:
+    hosts: [staging.esdis.2i2c.cloud]
+    tls:
+      - hosts: [staging.esdis.2i2c.cloud]
+        secretName: https-auto-tls
+  singleuser:
+    extraEnv:
+      SCRATCH_BUCKET: s3://nasa-esdis-scratch-staging/$(JUPYTERHUB_USER)
+  hub:
+    config:
+      GitHubOAuthenticator:
+        oauth_callback_url: "https://staging.esdis.2i2c.cloud/hub/oauth_callback"

config/clusters/nasa-esdis/support.values.yaml

@@ -0,0 +1,34 @@
+prometheusIngressAuthSecret:
+  enabled: true
+
+prometheus:
+  server:
+    ingress:
+      enabled: true
+      hosts:
+        - prometheus.esdis.2i2c.cloud
+      tls:
+        - secretName: prometheus-tls
+          hosts:
+            - prometheus.esdis.2i2c.cloud
+
+grafana:
+  grafana.ini:
+    server:
+      root_url: https://grafana.esdis.2i2c.cloud/
+  auth.github:
+    enabled: true
+    allowed_organizations: 2i2c-org
+  ingress:
+    hosts:
+      - grafana.esdis.2i2c.cloud
+    tls:
+      - secretName: grafana-tls
+        hosts:
+          - grafana.esdis.2i2c.cloud
+
+cluster-autoscaler:
+  enabled: true
+  autoDiscovery:
+    clusterName: nasa-esdis
+  awsRegion: us-west-2