cookiecutter'ed the deployment, sops'ed the secrets

deployments/ugr01/config/common.yaml

@@ -0,0 +1,94 @@
+nfsPVC:
+  enabled: true
+  nfs:
+    serverIP: 10.49.181.18
+
+jupyterhub:
+  scheduling:
+    userScheduler:
+      nodeSelector:
+        hub.jupyter.org/pool-name: core-pool-2024-05-08
+  proxy:
+    chp:
+      nodeSelector:
+        hub.jupyter.org/pool-name: core-pool-2024-05-08
+
+  hub:
+    nodeSelector:
+      hub.jupyter.org/pool-name: core-pool-2024-05-08
+    config:
+    loadRoles:
+      # datahub staff
+      datahub-staff:
+        description: Enable admin for datahub staff
+        # this role provides permissions to...
+        scopes:
+          - admin-ui
+          - admin:groups
+          - admin:users
+          - admin:servers
+          - read:roles
+          - read:hub
+          - access:servers
+        # this role will be assigned to...
+        groups:
+          - course::1524699::group::all-admins
+  singleuser:
+    extraFiles:
+      # DH-216
+      remove-exporters:
+        mountPath: /etc/jupyter/jupyter_notebook_config.py
+        stringData: |
+          c.QtPDFExporter.enabled = False
+          c.QtPNGExporter.enabled = False
+          c.WebPDFExporter.enabled = False
+    extraEnv:
+      # Unset NotebookApp from hub/values. Necessary for recent lab versions.
+      JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp"
+    nodeSelector:
+      hub.jupyter.org/pool-name: user-ugr01
+    storage:
+      type: static
+      static:
+        pvcName: home-nfs-v3
+        subPath: "{username}"
+    memory:
+      guarantee: 512M
+      limit: 1G
+
+  #custom:
+  #  group_profiles:
+  #
+  #    # Example: increase memory for everyone affiliated with a course.
+  #
+  #    # Name of Class 100, Fall '22; requested in #98765
+  #    course::123456:
+  #      mem_limit: 4096M
+  #      mem_guarantee: 2048M
+  #
+  #    # Example: grant admin rights to course staff.
+  #    # Enrollment types returned by the Canvas API are `teacher`,
+  #    # `student`, `ta`, `observer`, and `designer`.
+  #    # https://canvas.instructure.com/doc/api/enrollments.html
+  #
+  #    # Some other class 200, Spring '23; requested in #98776
+  #    course::234567::enrollment_type::teacher:
+  #      mem_limit: 2096M
+  #      mem_guarantee: 2048M
+  #    course::234567::enrollment_type::ta:
+  #      mem_limit: 2096M
+  #      mem_guarantee: 2048M
+  #
+  #
+  #    # Example: a fully specified CanvasOAuthenticator group name.
+  #    # This could be useful for temporary resource bumps where the
+  #    # instructor could add people to groups in the bCourses UI. This
+  #    # would benefit from the ability to read resource bumps from
+  #    # jupyterhub's properties. (attributes in the ORM)
+  #
+  #    # Name of Class 100, Fall '22; requested in #98770
+  #    course::123456::group::lab4-bigdata:
+  #      - mountPath: /home/rstudio/.ssh
+  #        name: home
+  #        subPath: _some_directory/_ssh
+  #        readOnly: true

deployments/ugr01/config/filestore/squash-flags.json

@@ -0,0 +1,16 @@
+{
+"--file-share":
+  {
+    "name": "shares",
+    "capacity": "desired-capacity",
+    "nfs-export-options": [
+      {
+        "access-mode": "READ_WRITE",
+        "ip-ranges": ["10.0.0.0/8"],
+        "squash-mode": "ROOT_SQUASH",
+        "anon_uid": 1000,
+        "anon_gid": 1000
+      }
+    ],
+  }
+}

deployments/ugr01/config/prod.yaml

@@ -0,0 +1,18 @@
+nfsPVC:
+  nfs:
+    shareName: shares/ugr01/prod
+
+jupyterhub:
+  ingress:
+    enabled: true
+    hosts:
+      - ugr01.datahub.berkeley.edu
+    tls:
+      - secretName: tls-cert
+        hosts:
+          - ugr01.datahub.berkeley.edu
+  hub:
+    db:
+      pvc:
+        # This also holds logs
+        storage: 4Gi

deployments/ugr01/config/staging.yaml

@@ -0,0 +1,19 @@
+nfsPVC:
+  nfs:
+    shareName: shares/ugr01/staging
+
+jupyterhub:
+  scheduling:
+    userScheduler:
+      replicas: 1
+  prePuller:
+    continuous:
+      enabled: false
+  ingress:
+    enabled: true
+    hosts:
+      - ugr01-staging.datahub.berkeley.edu
+    tls:
+      - secretName: tls-cert
+        hosts:
+          - ugr01-staging.datahub.berkeley.edu

deployments/ugr01/hubploy.yaml

@@ -0,0 +1,17 @@
+images:
+  images:
+    - name: us-central1-docker.pkg.dev/ucb-datahub-2018/user-images/primary-user-image
+      path: ../datahub/images/default
+  registry:
+    provider: gcloud
+    gcloud:
+      project: ucb-datahub-2018
+      service_key: gcr-key.json
+
+cluster:
+  provider: gcloud
+  gcloud:
+    project: ucb-datahub-2018
+    service_key: gke-key.json
+    cluster: ugresearch-cluster
+    zone: us-central1

deployments/ugr01/secrets/prod.yaml

@@ -0,0 +1,21 @@
+jupyterhub:
+    hub:
+        config:
+            CanvasOAuthenticator:
+                client_id: ENC[AES256_GCM,data:/VedfPLyL+Rj3gciMxQ5H84=,iv:WZsC/06SEfEEeH4/NY+txGypgP/lShrJLc8DVXS7tco=,tag:kdZCzktRscuCYz4nRlkxTA==,type:str]
+                client_secret: ENC[AES256_GCM,data:EqzXDvAIMyGeTnGjUDOg6X6XqSwDmogtz/HXhc2LNYMhoSgg8PSUqvEFNUNG6w59tkRXPerBR6PyOuG31ftYXQ==,iv:D/rf3aWams6O2NcmdjFYxEVV5dQoWv3ubZ1kTN5KMO8=,tag:/LLaEHP/RB17Td0UW1I2bQ==,type:str]
+                oauth_callback_url: ENC[AES256_GCM,data:RU1IE0Q0bHIXfuVwptLkVgRyj+7z9ps4V30cvQozIL1XcprM3PSp5cJ7Mdyk9MwWQKUHe3o=,iv:QfiqlA0VAJIigpKfhbmvsg74VA/f8l0/+E7n587DZSI=,tag:i5OLqjG4BdJm+cVE3nBgIQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops
+          created_at: "2021-05-05T10:57:58Z"
+          enc: CiQA67O9AK2027WGYGTzywa01Cz+Ez7sOTk/d9payovyK5pg8g4SSADmhpq89bbIWFjlGg79o/iupJ4anLU5Ab9VL+qNzhu6e83JtJ7wSv6sK+cDiEfVSaKQ1YIcadDXFt4WUKRt7MFvAa1sLqp2LA==
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-07-16T21:32:11Z"
+    mac: ENC[AES256_GCM,data:NC/cFuqBfuRWCKKuIWBIyejGcOme6lOD84trvY/QQWVWd9dJVHfCDKwDEVU2EOYn4bFjXR1z4Hi//hlWqoH47LIfS87KprPoVSGN+0DoG6tdN0SzP44hKi37rGwKotrvL6+qnwHnH45M6yk12efs2bU5iFbiOlFhuWMYOxqNEo8=,iv:GqPajLKVLr+R8kUQgWwFkjd+duKnpKFMmPPYBBrssq8=,tag:yYsWY3wuIsNXZRmN33rG9Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

deployments/ugr01/secrets/staging.yaml

@@ -0,0 +1,21 @@
+jupyterhub:
+    hub:
+        config:
+            CanvasOAuthenticator:
+                client_id: ENC[AES256_GCM,data:G0+pIvyOsh+Zj4ZxddKbON4=,iv:iX8jMrXcJvjBi0GKRtuN886bXWFwBfCsaUoH+HRMn6U=,tag:BsyGAveKrd8TvWMuUlw3kw==,type:str]
+                client_secret: ENC[AES256_GCM,data:6mR3zs4jvkVuVwjut56tuW3HIOHcYWRSIJJZiOeC+H82tqgZeuVEe7+/zMxq6J0ba5RMas9npep4svuL+TppcA==,iv:K6/MFusdxnLkrEA5LaXLO8mFm1Xa4U2OmxUBOLqdpJk=,tag:xweE4+/ZCIcXj9CtbFpUSw==,type:str]
+                oauth_callback_url: ENC[AES256_GCM,data:ycdZfwiP7ouq/0pGarj89xGze4aXoVAJiA+k0U+9GHtt1yqiqcw4cndcO67q+0LfrtNOB/ugHPaWu+gkig==,iv:Y9k4n0NyHKX2B8cO1Bo4cRIUZBtYD8si9GszXd4aGKc=,tag:h0Bff7yQPxc57GBk1e44wQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops
+          created_at: "2021-05-05T10:57:58Z"
+          enc: CiQA67O9ALEiz+lgnWQQgjT08Fx2+SUNdWEA2MqdIoEl0Ett3zASSQDmhpq85T+08Rtt/sqeMktjA6t8rCVH8soCR/sNJwDHgXabOipn/od+64D/L+aggCaXqJ433twByk0+YUJAe5z733oW/3J53eU=
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-07-16T21:32:30Z"
+    mac: ENC[AES256_GCM,data:V+KX6npLuuvAGl3+PgZ2EmdEk8glFRxNOjNvm0A5e20/gJIABFucy0yo7xnel/NfLfyGPnMwKHWJ/5CPLJYNRZ2x/gBYY15L+QvPN1ktwtLWa15rr9o1bQP5grv8WVt78iverz39l9HUgaLODjgPNKrsHFmvpAkUruH1uSD5T1M=,iv:elQE5tpiQ5spWOw/3GpdsUDnKxiavBruMA8bvAoSP0g=,tag:hSFukL/hx7SgkDne7ctH+w==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0