Merge pull request #885 from scottyhq/aws-fix

closes #884. fix AWS staging for jupyterhub 10.2
pangeo-data · Dec 1, 2020 · 6f28f26 · 6f28f26
2 parents 4bdb2ce + 7ac73ca
commit 6f28f26
Show file tree

Hide file tree

Showing 9 changed files with 73 additions and 6 deletions.
diff --git a/.github/workflows/deploy-aws-hub.yaml b/.github/workflows/deploy-aws-hub.yaml
@@ -38,14 +38,15 @@ jobs:
 
       - name: Setup Helm
         run: |
-          curl https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz | tar -xzf -
+          curl https://get.helm.sh/helm-v3.4.1-linux-amd64.tar.gz | tar -xzf -
           sudo mv linux-amd64/helm $HELM_EXECUTABLE
           helm3 version
           helm3 repo add jupyterhub https://jupyterhub.github.io/helm-chart/
           helm3 repo add dask https://helm.dask.org/
           helm3 repo add dask-gateway https://dask.org/dask-gateway-helm-repo/
-          helm3 repo add stable https://kubernetes-charts.storage.googleapis.com
-          helm3 repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm3 repo add stable https://charts.helm.sh/stable
+          #for prometheus & grafana
+          #helm3 repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
           helm3 repo update
 
       - name: Add Runner IP to EKS Kubernetes API Whitelist

diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml
@@ -0,0 +1,46 @@
+name: Helm
+on:
+  pull_request_target:
+    branches:
+      - staging
+      - prod
+
+env:
+  HELM_EXECUTABLE: /usr/local/bin/helm3
+
+# See https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/tools/templates/lint-and-validate.py
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Unlock git-crypt Secrets
+        uses: docker://yuvipanda/hubploy:20200826083951674280
+        env:
+          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}
+        with:
+          entrypoint: /bin/bash
+          args: -c "echo ${GIT_CRYPT_KEY} | base64 -d | git crypt unlock - && git crypt status"
+
+      - name: Setup Helm
+        run: |
+          curl https://get.helm.sh/helm-v3.4.1-linux-amd64.tar.gz | tar -xzf -
+          sudo mv linux-amd64/helm $HELM_EXECUTABLE
+          helm3 version
+          helm3 repo add jupyterhub https://jupyterhub.github.io/helm-chart/
+          helm3 repo add dask https://helm.dask.org/
+          helm3 repo add dask-gateway https://dask.org/dask-gateway-helm-repo/
+          helm3 repo add stable https://charts.helm.sh/stable
+          # needed for prometheus and grafana
+          #helm3 repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+          helm3 repo update
+
+      - name: Helm Lint AWS Config
+        run: |
+          helm lint --strict pangeo-deploy -f pangeo-deploy/values.yaml \
+                                  -f deployments/icesat2/config/common.yaml \
+                                  -f deployments/icesat2/config/staging.yaml \
+                                  -f deployments/icesat2/secrets/staging.yaml
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+.swp
 Chart.lock
 pangeo-deploy/charts/
 pangeo-deploy/requirements.lock

diff --git a/deployments/icesat2/config/common.yaml b/deployments/icesat2/config/common.yaml
@@ -1,5 +1,14 @@
 daskhub:
   jupyterhub:
+    proxy:
+      # Disable network security policy, perhaps causing upgrade issues.
+      # https://github.com/pangeo-data/pangeo-cloud-federation/issues/884
+      chp:
+        networkPolicy:
+          enabled: false
+      traefik:
+        networkPolicy:
+          enabled: false
     scheduling:
       userPods:
         nodeAffinity:
@@ -12,8 +21,13 @@ daskhub:
       continuous:
         enabled: false
     singleuser:
-      image:
-        pullPolicy: 'Always'
+      networkPolicy:
+        # Disable network security policy, perhaps causing upgrade issues.
+        # https://github.com/pangeo-data/pangeo-cloud-federation/issues/884
+        enabled: false
+      # only if using 'latest' or 'master' tags
+      #image:
+      #  pullPolicy: 'Always'
       startTimeout: 600
       initContainers:
         - name: change-volume-mount-permissions

diff --git a/deployments/icesat2/config/prod.yaml b/deployments/icesat2/config/prod.yaml
@@ -24,6 +24,7 @@ daskhub:
             image: uwhackweeks/icesat2:latest
     proxy:
       https:
+        enabled: true
         hosts:
           - aws-uswest2.pangeo.io
         letsencrypt:

diff --git a/deployments/icesat2/config/staging.yaml b/deployments/icesat2/config/staging.yaml
@@ -13,6 +13,9 @@ daskhub:
       extraEnv:
         OAUTH_CALLBACK_URL: "https://staging.aws-uswest2.pangeo.io/hub/oauth_callback"
     singleuser:
+      # only if using 'latest' or 'master' tags
+      image:
+        pullPolicy: 'Always'
       profileList:
         - display_name: "Default Image"
           default: "True"
@@ -44,6 +47,7 @@ daskhub:
             image: uwhackweeks/icesat2:latest
     proxy:
       https:
+        enabled: true
         hosts:
           - staging.aws-uswest2.pangeo.io
         letsencrypt:

diff --git a/deployments/icesat2/secrets/prod.yaml b/deployments/icesat2/secrets/prod.yaml
diff --git a/deployments/icesat2/secrets/staging.yaml b/deployments/icesat2/secrets/staging.yaml
diff --git a/pangeo-deploy/templates/pangeo-rbac.yaml b/pangeo-deploy/templates/pangeo-rbac.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.enabled -}}
+{{- if .Values.daskhub.rbac.enabled -}}
 kind: ServiceAccount
 apiVersion: v1
 metadata: