From 750cd7fd320b0069c1ff595ace29cdcf0adc91db Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 22 Aug 2023 09:25:12 -0700 Subject: [PATCH 001/125] Decom hackanexoplanet Ref https://github.com/2i2c-org/infrastructure/issues/3013 --- config/clusters/2i2c/cluster.yaml | 11 --- .../enc-hackanexoplanet.secret.values.yaml | 17 ----- .../clusters/2i2c/hackanexoplanet.values.yaml | 67 ------------------- 3 files changed, 95 deletions(-) delete mode 100644 config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml delete mode 100644 config/clusters/2i2c/hackanexoplanet.values.yaml diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml index 8c88ccbf39..fdcc4a47b4 100644 --- a/config/clusters/2i2c/cluster.yaml +++ b/config/clusters/2i2c/cluster.yaml @@ -25,17 +25,6 @@ hubs: - basehub-common.values.yaml - staging.values.yaml - enc-staging.secret.values.yaml - - name: hackanexoplanet - display_name: "ESA Hack An Exoplanet" - domain: hackanexoplanet.2i2c.cloud - uptime_check: - # This is an ephemeral hub, fully password protected with HTTP Basic Auth - expected_status: 401 - helm_chart: basehub - helm_chart_values_files: - - basehub-common.values.yaml - - hackanexoplanet.values.yaml - - enc-hackanexoplanet.secret.values.yaml - name: dask-staging display_name: "2i2c dask staging" domain: dask-staging.2i2c.cloud diff --git a/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml b/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml deleted file mode 100644 index 4e8bcebc2f..0000000000 --- a/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -ingressBasicAuth: - username: ENC[AES256_GCM,data:+fdObg==,iv:To7zbg0l8BA5X3Zkzt+fGv7XjCLLJ/w1zutp+ymAjWc=,tag:+tnCMGXRCWwRKS/cg35HYg==,type:str] - password: ENC[AES256_GCM,data:7hJUGTnj9mGYRkx2l6nAJ+CE2ZYolh0bbQ==,iv:H+VhPe2clY0nf0jVWkn+Aex1ajw3PtN9F7rI7lXizvw=,tag:qlACDFz9NH/vNBNhXWmWiw==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-04-03T17:57:41Z" - enc: CiUA4OM7eKpDYQzdRUnNgglLnwjcnCH53FPCvXfEaaVtDR8AweM2EkkALQgViEBA5o+hR5n1jm3tdE/McgBDG7oHB8KwGFjR85ciwFPNQfnFxs2WoeNEXqtpYD9vSpatVpQWLAPgfVa3X228kEC23SBw - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-04-03T17:57:42Z" - mac: ENC[AES256_GCM,data:UUJo8cmYYzeMtGCT8QRoVsaIlsER6fIXKSJ4e/9TZiDhXCrl6zAO79p43Qh5ziPUIIKFyKmtlweGW73DlsHoq+MLpMS3AxN32TwXtZEt2PTTdupJlgoiDvva3p4TTp7gwImo1i7iaGXIQd+QYmg3o3jQ9R9CWR5ZMgcQ57fzl9o=,iv:Z3xF1sYjfA5wO2839JwdKPdC0q9My4ZlFDMhiEMWR8M=,tag:uaHNptRlD8P9q0TSShzfLQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/config/clusters/2i2c/hackanexoplanet.values.yaml b/config/clusters/2i2c/hackanexoplanet.values.yaml deleted file mode 100644 index fcf51d5280..0000000000 --- a/config/clusters/2i2c/hackanexoplanet.values.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -ingressBasicAuth: - enabled: true - # Password and username in enc-hackanexoplanet.secret.values.yaml - -jupyterhub: - prePuller: - # Startup performance is important for this event, and so we use - # pre-puller to make sure the images are already present on the - # nodes. This means image *must* be set in config, and not the configurator. - # tmpauthenticator doesn't support admin access anyway, so images - # must be set in config regardless. - hook: - enabled: true - continuous: - enabled: true - ingress: - annotations: - # We protect our entire hub from cryptobros by putting it all - # behind a single shared basicauth - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: ingress-basic-auth - nginx.ingress.kubernetes.io/auth-realm: "Authentication Required" - hosts: - - hackanexoplanet.2i2c.cloud - tls: - - secretName: https-auto-tls - hosts: - - hackanexoplanet.2i2c.cloud - custom: - homepage: - # tmpauthenticator does *not* show a home page by default, - # so these are not visible anywhere. But our schema requires we set - # them to strings, so we specify empty strings here. - templateVars: - org: - name: "" - url: "" - logo_url: "" - designed_by: - name: "" - url: "" - operated_by: - name: "" - url: "" - funded_by: - name: "" - url: "" - singleuser: - image: - # Image repository: https://github.com/2i2c-org/hackanexoplanet-env - name: quay.io/2i2c/hackanexoplanet-image - tag: "b6b891cb2b30" - initContainers: null - storage: - # No persistent storage should be kept to reduce any potential data - # retention & privacy issues. - type: none - extraVolumeMounts: null - hub: - config: - JupyterHub: - authenticator_class: tmpauthenticator.TmpAuthenticator - TmpAuthenticator: - # This allows users to go to the hub URL directly again to - # get a new server, instead of being plopped back into their - # older, existing user with a 'start server' button. - force_new_server: true 
From 433b9c98627f26945e70e101101aa40852d78f16 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 29 Aug 2023 11:44:53 -0700 Subject: [PATCH 002/125] Decom pfw hub Ref https://github.com/2i2c-org/infrastructure/issues/3051 --- config/clusters/2i2c/cluster.yaml | 8 ---- .../clusters/2i2c/enc-pfw.secret.values.yaml | 20 -------- config/clusters/2i2c/pfw.values.yaml | 48 ------------------- 3 files changed, 76 deletions(-) delete mode 100644 config/clusters/2i2c/enc-pfw.secret.values.yaml delete mode 100644 config/clusters/2i2c/pfw.values.yaml diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml index d883edbae5..70da4bdfc9 100644 --- a/config/clusters/2i2c/cluster.yaml +++ b/config/clusters/2i2c/cluster.yaml @@ -75,14 +75,6 @@ hubs: - daskhub-common.values.yaml - ohw.values.yaml - enc-ohw.secret.values.yaml - - name: pfw - display_name: "Purdue Fort Wayne" - domain: pfw.pilot.2i2c.cloud - helm_chart: basehub - helm_chart_values_files: - - basehub-common.values.yaml - - pfw.values.yaml - - enc-pfw.secret.values.yaml - name: aup display_name: "The American University of Paris" domain: aup.pilot.2i2c.cloud diff --git a/config/clusters/2i2c/enc-pfw.secret.values.yaml b/config/clusters/2i2c/enc-pfw.secret.values.yaml deleted file mode 100644 index 805f6e1159..0000000000 --- a/config/clusters/2i2c/enc-pfw.secret.values.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ -jupyterhub: - hub: - config: - CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:4FSmYZ6OiQP1B+43wHlzO9VHMfJPKxfKxH6W/GBuAleyp7BFn91151dS6+YN/cSivwgC,iv:1KGdpRM47DUsGdrV8ZkUQuRV82oFXxiAV0UZijYJKXA=,tag:oj/lYmWMHOt7NpLCP6PN1g==,type:str] - client_secret: ENC[AES256_GCM,data:E3JiAxfB/8L1GXzvZxEK1PoX2ft67eDShKPSyqNQdbrUmUrzebuHaCObFP0Dfr8tFXBWPlvN3X7RXXt9VMeFxCV0q3MECmdKGLwlML1hWSlZKemDLNE=,iv:h9kkTzPExnn88UJS0sKsGfYikY/YqkR7CyixBVJtcr4=,tag:cfspCQuGmlRIRdkRCQfdbA==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-03-09T11:21:27Z" - enc: CiUA4OM7eBjOaqEY18nDzOArcUN3ot6bWO6eRt6z/WMN+9dAcm45EkkALQgViD9hreey1Ktl+EPN5zr/WWA+P+BKx3LlQFT+kcqiIeAjFxYumbkgTtaQx659L22n0pMrtLRTptgK6pvasMM1lsVvduIt - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-03-09T11:21:27Z" - mac: ENC[AES256_GCM,data:BPV9gmeCF/YZ5nUOgFEQrlBIPdSTgZ5UZF5ivBvTVF+8QjTfgkCf+CK+UnuHn7yKvUcTXulfnnLbt3AVbV1tPPPuLxDYJCLc4qql8lmChZSz6YUZ26dxo84Psl3S3VuzKohdsLW+6oXHeHVe4W1E5JEgvPHmRaaCUkvxojrSMfM=,iv:+2Wc7J9HiJijwNVpzsritSyPU7VoxafPj+8H+vUyQLQ=,tag:FDj64UXxSMBtlaABw8FoLg==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/config/clusters/2i2c/pfw.values.yaml b/config/clusters/2i2c/pfw.values.yaml deleted file mode 100644 index 6418fa3ae3..0000000000 --- a/config/clusters/2i2c/pfw.values.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -jupyterhub: - ingress: - hosts: - - pfw.pilot.2i2c.cloud - tls: - - secretName: https-auto-tls - hosts: - - pfw.pilot.2i2c.cloud - custom: - 2i2c: - add_staff_user_ids_to_admin_users: true - add_staff_user_ids_of_type: "github" - homepage: - templateVars: - org: - name: Purdue Fort Wayne - logo_url: https://upload.wikimedia.org/wikipedia/en/thumb/1/14/Purdue_Fort_Wayne_Mastodons_logo.svg/400px-Purdue_Fort_Wayne_Mastodons_logo.svg.png - url: https://www.pfw.edu/ - designed_by: - name: 2i2c - url: https://2i2c.org - operated_by: - name: 2i2c - url: https://2i2c.org - funded_by: - name: JROST & IOI - url: https://investinopen.org/blog/jrost-rapid-response-fund-awardees - singleuser: - image: - name: quay.io/2i2c/2i2c-hubs-image - tag: "14107b8a85fb" - hub: - config: - JupyterHub: - authenticator_class: cilogon - CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" - oauth_callback_url: "https://pfw.pilot.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize - Authenticator: - allowed_users: &pfw_users - - alessandromariaselvitella - - fosterk86 - admin_users: *pfw_users From 2f0db62671d31b939877fb5a854238b81de2c666 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 29 Aug 2023 15:32:47 -0700 Subject: [PATCH 003/125] Deploy `unlisted_choice` to NASA VEDA hub Ref https://github.com/2i2c-org/infrastructure/issues/3053 --- config/clusters/nasa-veda/common.values.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index df645f0042..909d511dee 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -32,6 +32,9 @@ basehub: name: "NASA" url: https://www.earthdata.nasa.gov/esds hub: + image: + name: quay.io/2i2c/unlisted-choice-experiment + tag: "0.0.1-0.dev.git.6801.h3f4f0c4a" allowNamedServers: true config: Authenticator: @@ -79,6 +82,13 @@ basehub: profile_options: image: &image_options display_name: Image + unlisted_choice: + enabled: True + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be an image location, matching ^.+:.+$" + kubespawner_override: + image: "{value}" choices: pangeo: display_name: Modified Pangeo Notebook From d5dcdd26d422dc6803942e17180c3343f1baf7df Mon Sep 17 00:00:00 2001 From: Jonas Date: Wed, 30 Aug 2023 07:32:36 +0000 Subject: [PATCH 004/125] Correct projec title --- config/clusters/nasa-ghg/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml index a34f5b16c1..92c2e79c62 100644 --- a/config/clusters/nasa-ghg/common.values.yaml +++ b/config/clusters/nasa-ghg/common.values.yaml @@ -19,9 +19,9 @@ basehub: homepage: templateVars: org: - name: "NASA Green House Gases Center" + name: "U.S. Greenhouse Gas Center" logo_url: https://raw.githubusercontent.com/US-GHG-Center/ghgc-docs/87204d4a4e5f29c335a8f905c73de551aabd4845/Logo/ghg-logo.svg - url: https://www.nasa.gov/emd/ghg + url: https://www.earthdata.nasa.gov designed_by: name: "2i2c" url: https://2i2c.org From 12983485445c75334137ba007070d09434a35841 Mon Sep 17 00:00:00 2001 From: Jonas Date: Wed, 30 Aug 2023 07:33:00 +0000 Subject: [PATCH 005/125] Point to customized template --- config/clusters/nasa-ghg/staging.values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/clusters/nasa-ghg/staging.values.yaml b/config/clusters/nasa-ghg/staging.values.yaml index 88db107033..c3406116d6 100644 --- a/config/clusters/nasa-ghg/staging.values.yaml +++ b/config/clusters/nasa-ghg/staging.values.yaml 
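Review bot: The `hub.image` override added here runs the hub pod from `quay.io/2i2c/unlisted-choice-experiment`, referenced by tag only (`0.0.1-0.dev.git.6801.h3f4f0c4a`), and nothing in the file says why or for how long. The hub is the component that authenticates users and spawns their servers, so an experimental build in that position deserves a comment and, where the chart allows it, a digest-pinned reference so the tag cannot be re-pushed underneath the deployment. I would add above `image:` a comment such as `# Temporary: experimental hub image carrying unlisted_choice support; revert to the chart default once it ships (see issue 3053)`. The `hub:` mapping continues outside the hunk.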
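Review bot: `validation_regex: "^.+:.+$"` is the only check between the free-text field and `kubespawner_override.image`, and it accepts any string with a colon in it: any registry, any repository, and characters that are not legal in an image reference. Every user who can reach this profile list can therefore have the cluster pull and run an image of their choosing, with whatever mounts and network access the profile gives the single-user pod. If that is the intended trust level, say so in a comment above `unlisted_choice:`; if not, restrict the pattern to the registries the community is expected to use, for example `validation_regex: "^(quay\\.io|ghcr\\.io)/[a-z0-9._/-]+:[A-Za-z0-9._-]+$"` (constructed example, adjust the registry list). `enabled: True` would also be more portable written as `enabled: true`.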
@@ -8,6 +8,10 @@ basehub: tls: - hosts: [staging.ghg.2i2c.cloud] secretName: https-auto-tls + custom: + homepage: + gitRepoBranch: "main" + gitRepoUrl: "https://github.com/NASA-IMPACT/ghg-hub-homepage" hub: config: GitHubOAuthenticator: From 5a3fc637bf82347b40e9d432cf229deafa1926b4 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 30 Aug 2023 15:15:56 +0300 Subject: [PATCH 006/125] Put support templates into a cloud agnostic location --- .pre-commit-config.yaml | 2 +- .../templates/{gcp => common}/support.secret.values.yaml | 0 config/clusters/templates/{gcp => common}/support.values.yaml | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename config/clusters/templates/{gcp => common}/support.secret.values.yaml (100%) rename config/clusters/templates/{gcp => common}/support.values.yaml (100%) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3f27492331..824d8d8bd1 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -53,7 +53,7 @@ repos: hooks: - id: sops-encryption # Add files here if they contain the word 'secret' but should not be encrypted - exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml|helm-charts/basehub/templates/static/secret\.yaml|config/clusters/templates/gcp/support\.secret\.values\.yaml|helm-charts/basehub/templates/ingress-auth/secret\.yaml + exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml|helm-charts/basehub/templates/static/secret\.yaml|config/clusters/templates/common/support\.secret\.values\.yaml|helm-charts/basehub/templates/ingress-auth/secret\.yaml # pre-commit.ci config reference: https://pre-commit.ci/#configuration ci: 
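Review bot: `gitRepoBranch: "main"` makes the staging hub's homepage templates follow whatever is at the tip of a branch in `NASA-IMPACT/ghg-hub-homepage`, a repository outside the organisation that owns this config. Those templates are presumably rendered by the hub as its login and home pages, so anyone with push access there can change what users see at sign-in without a change in this repository. A comment above `gitRepoUrl` naming who owns that repository, and stating that its `main` branch is expected to be protected, would record the trust decision. Pinning to a tag or commit is stronger if the homepage mechanism accepts one, which is not visible in this hunk.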
diff --git a/config/clusters/templates/gcp/support.secret.values.yaml b/config/clusters/templates/common/support.secret.values.yaml similarity index 100% rename from config/clusters/templates/gcp/support.secret.values.yaml rename to config/clusters/templates/common/support.secret.values.yaml diff --git a/config/clusters/templates/gcp/support.values.yaml b/config/clusters/templates/common/support.values.yaml similarity index 100% rename from config/clusters/templates/gcp/support.values.yaml rename to config/clusters/templates/common/support.values.yaml From 1f21f27b1dc8c9b8ea537c35007556c4a0ae85ec Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 30 Aug 2023 15:17:03 +0300 Subject: [PATCH 007/125] Put the common generation config into its own module --- deployer/generate/common.py | 95 +++++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 deployer/generate/common.py diff --git a/deployer/generate/common.py b/deployer/generate/common.py new file mode 100644 index 0000000000..702b201ee6 --- /dev/null +++ b/deployer/generate/common.py 
@@ -0,0 +1,95 @@ +import os +import secrets +import string +import subprocess +from pathlib import Path + +import jinja2 + +from ..utils import print_colour + +REPO_ROOT = Path(__file__).parent.parent.parent + + +def generate_cluster_config_file(cluster_config_directory, vars): + """ + Generates the `config//cluster.yaml` config + """ + with open(REPO_ROOT / "config/clusters/templates/gcp/cluster.yaml") as f: + cluster_yaml_template = jinja2.Template(f.read()) + with open(cluster_config_directory / "cluster.yaml", "w") as f: + f.write(cluster_yaml_template.render(**vars)) + + +def generate_support_files(cluster_config_directory, vars): + """ + Generates files related to support components. + + They are required to deploy the support chart for the cluster + and to configure the Prometheus instance. + + Generates: + - `config//support.values.yaml` + - `config//enc-support.secret.values.yaml` + """ + # Generate the suppport values file `support.values.yaml` + print_colour("Generating the support values file...", "yellow") + with open(REPO_ROOT / "config/clusters/templates/common/support.values.yaml") as f: + support_values_yaml_template = jinja2.Template(f.read()) + + with open(cluster_config_directory / "support.values.yaml", "w") as f: + f.write(support_values_yaml_template.render(**vars)) + print_colour(f"{cluster_config_directory}/support.values.yaml created") + + # Generate and encrypt prometheus credentials into `enc-support.secret.values.yaml` + print_colour("Generating the prometheus credentials encrypted file...", "yellow") + alphabet = string.ascii_letters + string.digits + credentials = { + "username": "".join(secrets.choice(alphabet) for i in range(64)), + "password": "".join(secrets.choice(alphabet) for i in range(64)), + } + with open( + REPO_ROOT / "config/clusters/templates/common/support.secret.values.yaml" + ) as f: + support_secret_values_yaml_template = jinja2.Template(f.read()) + with open(cluster_config_directory / 
"enc-support.secret.values.yaml", "w") as f: + f.write(support_secret_values_yaml_template.render(**credentials)) + + # Encrypt the private key + subprocess.check_call( + [ + "sops", + "--in-place", + "--encrypt", + cluster_config_directory / "enc-support.secret.values.yaml", + ] + ) + print_colour( + f"{cluster_config_directory}/enc-support.values.yaml created and encrypted" + ) + + +def generate_config_directory(vars): + """ + Generates the required `config` directory for hubs on a GCP cluster + + Generates the following files: + - `config//cluster.yaml` + - `config//support.values.yaml` + - `config//enc-support.secret.values.yaml` + """ + cluster_config_directory = REPO_ROOT / "config/clusters" / vars["cluster_name"] + + print_colour( + f"Checking if cluster config directory {cluster_config_directory} exists...", + "yellow", + ) + if os.path.exists(cluster_config_directory): + print_colour(f"{cluster_config_directory} already exists.") + return cluster_config_directory + + # Create the cluster config directory and initial `cluster.yaml` file + os.makedirs(cluster_config_directory) + print_colour(f"{cluster_config_directory} created") + + return cluster_config_directory From 82d38eb33c389491fa3cf057010367ba086dca22 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 30 Aug 2023 15:17:33 +0300 Subject: [PATCH 008/125] Have the gcp generator use the common module --- deployer/generate/generate_gcp_cluster.py | 158 ++++++---------------- 1 file changed, 41 insertions(+), 117 deletions(-) diff --git a/deployer/generate/generate_gcp_cluster.py b/deployer/generate/generate_gcp_cluster.py index 208ce501b4..3714513482 100644 --- a/deployer/generate/generate_gcp_cluster.py +++ b/deployer/generate/generate_gcp_cluster.py 
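Review bot: In `generate_support_files` the rendered Prometheus username and password are written in plaintext to `enc-support.secret.values.yaml` and only then encrypted with `sops --in-place`; if `sops` is missing or exits non-zero, `check_call` raises and the plaintext credentials stay in the working tree under a name that says they are encrypted. Remove the file on failure so it cannot be committed by mistake, as in the excerpt below. The sops-encryption pre-commit hook configured in this repository would catch such a file only on machines where the hooks are installed. Two smaller things in the same function: the comment `# Encrypt the private key` does not describe what is encrypted here, and the final message prints `enc-support.values.yaml` rather than `enc-support.secret.values.yaml`.

```python
    # … unchanged: credential generation and template loading …
    secret_values_path = cluster_config_directory / "enc-support.secret.values.yaml"
    with open(secret_values_path, "w") as f:
        f.write(support_secret_values_yaml_template.render(**credentials))

    # Encrypt the generated Prometheus credentials in place. If sops is
    # missing or fails, delete the plaintext file instead of leaving it
    # behind under an `enc-` name.
    try:
        subprocess.check_call(
            ["sops", "--in-place", "--encrypt", secret_values_path]
        )
    except (OSError, subprocess.CalledProcessError):
        secret_values_path.unlink(missing_ok=True)
        raise
    # … unchanged: print_colour confirmation …
```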
@@ -1,111 +1,64 @@ -import os -import secrets -import string -import subprocess -from pathlib import Path +""" +Generates the ` terraform file required to create a GCP cluster +and the required `config` directory for hubs on a GCP cluster. +Generates the following files: +- terraform/gcp/projects/.tfvars` +- `config//cluster.yaml` +- `config//support.values.yaml` +- `config//enc-support.secret.values.yaml` + +""" import jinja2 import typer from ..cli_app import app from ..utils import print_colour - -REPO_ROOT = Path(__file__).parent.parent.parent +from .common import ( + REPO_ROOT, + generate_cluster_config_file, + generate_config_directory, + generate_support_files, +) -def generate_terraform_file(cluster_name, cluster_region, project_id, hub_type): +def generate_terraform_file(vars): """ Generates the `terraform/gcp/projects/.tfvars` terraform file required to create a GCP cluster """ - with open(REPO_ROOT / f"terraform/gcp/projects/{hub_type}-template.tfvars") as f: - tfvars_template = jinja2.Template(f.read()) - - vars = { - "cluster_name": cluster_name, - "cluster_region": cluster_region, - "project_id": project_id, - } - - print_colour("Generating the terraform infrastructure file...", "yellow") with open( - REPO_ROOT / "terraform/gcp/projects" / f"{cluster_name}.tfvars", "w" + REPO_ROOT / f'terraform/gcp/projects/{vars["hub_type"]}-template.tfvars' ) as f: - f.write(tfvars_template.render(**vars)) - print_colour(f"{REPO_ROOT}/terraform/gcp/projects/{cluster_name}.tfvars created") - - -def generate_cluster_config_file(cluster_config_directory, vars): - """ - Generates the `config//cluster.yaml` config - """ - with open(REPO_ROOT / "config/clusters/templates/gcp/cluster.yaml") as f: - cluster_yaml_template = jinja2.Template(f.read()) - with open(cluster_config_directory / "cluster.yaml", "w") as f: - f.write(cluster_yaml_template.render(**vars)) - - -def generate_support_files(cluster_config_directory, vars): - """ - Generates files related to support 
components. - - They are required to deploy the support chart for the cluster - and to configure the Prometheus instance. - - Generates: - - `config//support.values.yaml` - - `config//enc-support.secret.values.yaml` - """ - # Generate the suppport values file `support.values.yaml` - print_colour("Generating the support values file...", "yellow") - with open(REPO_ROOT / "config/clusters/templates/gcp/support.values.yaml") as f: - support_values_yaml_template = jinja2.Template(f.read()) - - with open(cluster_config_directory / "support.values.yaml", "w") as f: - f.write(support_values_yaml_template.render(**vars)) - print_colour(f"{cluster_config_directory}/support.values.yaml created") - - # Generate and encrypt prometheus credentials into `enc-support.secret.values.yaml` - print_colour("Generating the prometheus credentials encrypted file...", "yellow") - alphabet = string.ascii_letters + string.digits + string.punctuation - credentials = { - "username": "".join(secrets.choice(alphabet) for i in range(64)), - "password": "".join(secrets.choice(alphabet) for i in range(64)), - } - with open( - REPO_ROOT / "config/clusters/templates/gcp/support.secret.values.yaml" - ) as f: - support_secret_values_yaml_template = jinja2.Template(f.read()) - with open(cluster_config_directory / "enc-support.secret.values.yaml", "w") as f: - f.write(support_secret_values_yaml_template.render(**credentials)) + tfvars_template = jinja2.Template(f.read()) - # Encrypt the private key - subprocess.check_call( - [ - "sops", - "--in-place", - "--encrypt", - cluster_config_directory / "enc-support.secret.values.yaml", - ] - ) - print_colour( - f"{cluster_config_directory}/enc-support.values.yaml created and encrypted" + print_colour("Generating the terraform infrastructure file...", "yellow") + tfvars_file_path = ( + REPO_ROOT / "terraform/gcp/projects" / f'{vars["cluster_name"]}.tfvars' ) + with open(tfvars_file_path, "w") as f: + f.write(tfvars_template.render(**vars)) + 
print_colour(f"{tfvars_file_path} created") -def generate_config_directory( - cluster_name, cluster_region, project_id, hub_type, hub_name +@app.command() +def generate_gcp_cluster( + cluster_name: str = typer.Option(..., prompt="Name of the cluster"), + cluster_region: str = typer.Option(..., prompt="Cluster region"), + project_id: str = typer.Option(..., prompt="Project ID of the GCP project"), + hub_type: str = typer.Option( + ..., prompt="Type of hub. Choose from `basehub` or `daskhub`" + ), + hub_name: str = typer.Option(..., prompt="Name of the first hub"), ): """ - Generates the required `config` directory for hubs on a GCP cluster - - Generates the following files: - - `config//cluster.yaml` - - `config//support.values.yaml` - - `config//enc-support.secret.values.yaml` + Automatically generates the initial files, required to setup a new cluster on GCP """ - cluster_config_directory = REPO_ROOT / "config/clusters" / cluster_name + # Automatically generate the terraform config file + generate_terraform_file(cluster_name, cluster_region, project_id, hub_type) + # These are the variables needed by the templates used to generate the cluster config file + # and support files vars = { "cluster_name": cluster_name, "hub_type": hub_type, 
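Review bot: `generate_terraform_file` now takes a single `vars` dict, but the call added in `generate_gcp_cluster` still passes four positional arguments, `generate_terraform_file(cluster_name, cluster_region, project_id, hub_type)`, so at this commit the command fails with a `TypeError` before it writes anything. The call needs to move below the `vars = {...}` assignment and become `generate_terraform_file(vars)`. PATCH 011 later in this series does that, but this commit on its own leaves the command broken, which hurts bisecting. The module docstring also has unbalanced backticks around the .tfvars path, and the body of `generate_gcp_cluster` continues in the next hunk.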
@@ -114,40 +67,11 @@ def generate_config_directory( "hub_name": hub_name, } - print_colour( - "Checking if cluster config directory {cluster_config_directory} exists...", - "yellow", - ) - if os.path.exists(cluster_config_directory): - print_colour(f"{cluster_config_directory} already exists.") - return + # Automatically generate the config directory + cluster_config_directory = generate_config_directory(vars) # Create the cluster config directory and initial `cluster.yaml` file - os.makedirs(cluster_config_directory) - print_colour(f"{cluster_config_directory} created") generate_cluster_config_file(cluster_config_directory, vars) # Generate the support files generate_support_files(cluster_config_directory, vars) - - -@app.command() -def generate_gcp_cluster( - cluster_name: str = typer.Option(..., prompt="Name of the cluster"), - cluster_region: str = typer.Option(..., prompt="Cluster region"), - project_id: str = typer.Option(..., prompt="Project ID of the GCP project"), - hub_type: str = typer.Option( - ..., prompt="Type of hub. Choose from `basehub` or `daskhub`" - ), - hub_name: str = typer.Option(..., prompt="Name of the first hub"), -): - """ - Automatically generates the initial files, required to setup a new cluster on GCP - """ - # Automatically generate the terraform config file - generate_terraform_file(cluster_name, cluster_region, project_id, hub_type) - - # Automatically generate the config directory - generate_config_directory( - cluster_name, cluster_region, project_id, hub_type, hub_name - ) From b80997964cc80d2caaf47634fe9e8b8aa77f72cc Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 30 Aug 2023 15:18:57 +0300 Subject: [PATCH 009/125] Generate cluster config dir and support files for aws clusters too --- deployer/generate/generate_aws_cluster.py | 63 ++++++++++++++--------- 1 file changed, 38 insertions(+), 25 deletions(-) 
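Review bot: When the cluster directory already exists, the removed code returned before generating anything, whereas `generate_config_directory(vars)` now prints "already exists" and returns the path, and the two calls that follow run regardless. `generate_cluster_config_file` and `generate_support_files` open their targets with mode `"w"`, so re-running the command for an existing cluster overwrites `cluster.yaml` and `support.values.yaml` and replaces the encrypted Prometheus credentials with freshly generated ones that may no longer match what is deployed. The same sequence is added to `generate_aws_cluster` in PATCH 009. Either stop when the directory exists or create the files exclusively, e.g. `with open(cluster_config_directory / "cluster.yaml", "x") as f:` in the common module, so an existing file raises `FileExistsError` instead of being replaced.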
diff --git a/deployer/generate/generate_aws_cluster.py b/deployer/generate/generate_aws_cluster.py index 14e8f81652..65c428c483 100644 --- a/deployer/generate/generate_aws_cluster.py +++ b/deployer/generate/generate_aws_cluster.py @@ -1,24 +1,24 @@ +""" +Generate required files for an AWS cluster + +Generates: +- an eksctl jsonnet file +- a .tfvars file +- An ssh-key (the private part is encrypted) +""" import os import subprocess -from pathlib import Path import jinja2 import typer from ..cli_app import app +from ..utils import print_colour +from .common import REPO_ROOT, generate_config_directory, generate_support_files -REPO_ROOT = Path(__file__).parent.parent.parent - - -def aws(cluster_name, hub_type, cluster_region): - """ - Generate required files for an AWS cluster - Generates: - - an eksctl jsonnet file - - a .tfvars file - - An ssh-key (the private part is encrypted) - """ +def generate_infra_files(vars): + cluster_name = vars["cluster_name"] with open(REPO_ROOT / "eksctl/template.jsonnet") as f: # jsonnet files have `}}` in there, which causes jinja2 to # freak out. So we use different delimiters. 
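Review bot: `generate_infra_files(vars)` is left without a docstring: the description that `aws()` carried was moved to the module docstring, which lists only the eksctl, .tfvars and ssh-key outputs although `generate_aws_cluster` now also creates the config directory and support files (last hunk of this file). I would give the function its own docstring, e.g. `"""Generate the eksctl jsonnet file and the terraform .tfvars file for vars["cluster_name"], then the cluster ssh key."""`, and extend the module docstring with the `support.values.yaml` and `enc-support.secret.values.yaml` outputs. The function body continues past this hunk, so the ssh-key part is taken from the old docstring rather than from visible code.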
@@ -31,22 +31,20 @@ def aws(cluster_name, hub_type, cluster_region): variable_end_string=">>", ) + print_colour("Generating the eksctl jsonnet file...", "yellow") + jsonnet_file_path = REPO_ROOT / "eksctl" / f"{cluster_name}.jsonnet" + with open(jsonnet_file_path, "w") as f: + f.write(jsonnet_template.render(**vars)) + print_colour(f"{jsonnet_file_path} created") + + print_colour("Generating the terraform infrastructure file...", "yellow") with open(REPO_ROOT / "terraform/aws/projects/template.tfvars") as f: tfvars_template = jinja2.Template(f.read()) - vars = { - "cluster_name": cluster_name, - "hub_type": hub_type, - "cluster_region": cluster_region, - } - - with open(REPO_ROOT / "eksctl" / f"{cluster_name}.jsonnet", "w") as f: - f.write(jsonnet_template.render(**vars)) - - with open( - REPO_ROOT / "terraform/aws/projects" / f"{cluster_name}.tfvars", "w" - ) as f: + tfvars_file_path = REPO_ROOT / "terraform/aws/projects" / f"{cluster_name}.tfvars" + with open(tfvars_file_path, "w") as f: f.write(tfvars_template.render(**vars)) + print_colour(f"{tfvars_file_path} created") subprocess.check_call( [ @@ -89,4 +87,19 @@ def generate_aws_cluster( """ Automatically generate the files required to setup a new cluster on AWS """ - aws(cluster_name, hub_type, cluster_region) + + # These are the variables needed by the templates used to generate the cluster config file + # and support files + vars = { + "cluster_name": cluster_name, + "hub_type": hub_type, + "cluster_region": cluster_region, + } + + generate_infra_files(vars) + + # Automatically generate the config directory + cluster_config_directory = generate_config_directory(vars) + + # Generate the support files + generate_support_files(cluster_config_directory, vars) From 45cdccb1552b634ad2ffd674472e7c3de6121e09 Mon Sep 17 00:00:00 2001 
From: Georgiana Dolocan Date: Wed, 30 Aug 2023 15:29:29 +0300 Subject: [PATCH 010/125] Rm any prior refs to gcp from the common config --- deployer/generate/common.py | 12 ++++-------- deployer/generate/generate_gcp_cluster.py | 2 +- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/deployer/generate/common.py b/deployer/generate/common.py index 702b201ee6..53adf4323e 100644 --- a/deployer/generate/common.py +++ b/deployer/generate/common.py @@ -11,11 +11,11 @@ REPO_ROOT = Path(__file__).parent.parent.parent -def generate_cluster_config_file(cluster_config_directory, vars): +def generate_cluster_config_file(cluster_config_directory, provider, vars): """ Generates the `config//cluster.yaml` config """ - with open(REPO_ROOT / "config/clusters/templates/gcp/cluster.yaml") as f: + with open(REPO_ROOT / f"config/clusters/templates/{provider}/cluster.yaml") as f: cluster_yaml_template = jinja2.Template(f.read()) with open(cluster_config_directory / "cluster.yaml", "w") as f: f.write(cluster_yaml_template.render(**vars)) @@ -71,12 +71,8 @@ def generate_support_files(cluster_config_directory, vars): def generate_config_directory(vars): """ - Generates the required `config` directory for hubs on a GCP cluster - - Generates the following files: - - `config//cluster.yaml` - - `config//support.values.yaml` - - `config//enc-support.secret.values.yaml` + Generates the required `config` directory for hubs on a cluster if it doesn't exit + and returns its name. """ cluster_config_directory = REPO_ROOT / "config/clusters" / vars["cluster_name"] diff --git a/deployer/generate/generate_gcp_cluster.py b/deployer/generate/generate_gcp_cluster.py index 3714513482..ae5136302b 100644 --- a/deployer/generate/generate_gcp_cluster.py +++ b/deployer/generate/generate_gcp_cluster.py 
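Review bot: The new `provider` argument of `generate_cluster_config_file` is interpolated straight into the template path, `f"config/clusters/templates/{provider}/cluster.yaml"`, and the docstring says nothing about it. The only caller visible on this page passes the literal `"gcp"`, so this is a documentation and robustness point rather than an exposure: an unsupported value surfaces as a bare `FileNotFoundError` from `open`. I would document the parameter in the docstring, e.g. `provider: name of a directory under config/clusters/templates/ that holds a cluster.yaml template (currently "gcp")`.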
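Review bot: The rewritten docstring of `generate_config_directory` has a typo and describes the return value loosely: `doesn't exit` should be `doesn't exist`, and the function returns the directory path built from `REPO_ROOT`, not its name. It also returns that path when the directory already exists, which callers need to know because they go on to write files into it. Suggested text: `Creates the config directory for the cluster named in vars["cluster_name"] if it doesn't exist, and returns its path in either case.`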
@@ -71,7 +71,7 @@ def generate_gcp_cluster( cluster_config_directory = generate_config_directory(vars) # Create the cluster config directory and initial `cluster.yaml` file - generate_cluster_config_file(cluster_config_directory, vars) + generate_cluster_config_file(cluster_config_directory, "gcp", vars) # Generate the support files generate_support_files(cluster_config_directory, vars) From 658b8b1a48a5d36171ac8e7bbb08a12912c38efb Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 30 Aug 2023 16:11:08 +0300 Subject: [PATCH 011/125] Allow calling generate cluster with no options, and gather tham from the prompt --- deployer/generate/generate_gcp_cluster.py | 32 ++++++++++++++++------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/deployer/generate/generate_gcp_cluster.py b/deployer/generate/generate_gcp_cluster.py index ae5136302b..4f5820848a 100644 --- a/deployer/generate/generate_gcp_cluster.py +++ b/deployer/generate/generate_gcp_cluster.py @@ -11,6 +11,7 @@ """ import jinja2 import typer +from typing_extensions import Annotated from ..cli_app import app from ..utils import print_colour 
@@ -43,20 +44,28 @@ def generate_terraform_file(vars): @app.command() def generate_gcp_cluster( - cluster_name: str = typer.Option(..., prompt="Name of the cluster"), - cluster_region: str = typer.Option(..., prompt="Cluster region"), - project_id: str = typer.Option(..., prompt="Project ID of the GCP project"), - hub_type: str = typer.Option( - ..., prompt="Type of hub. Choose from `basehub` or `daskhub`" - ), - hub_name: str = typer.Option(..., prompt="Name of the first hub"), + cluster_name: Annotated[ + str, typer.Option(prompt="Please type the name of the new cluster") + ], + project_id: Annotated[ + str, typer.Option(prompt="Please insert the Project ID of the GCP project") + ], + hub_name: Annotated[ + str, + typer.Option( + prompt="Please insert the name of first hub to add to the cluster" + ), + ], + cluster_region: Annotated[ + str, typer.Option(prompt="Please insert the name of the cluster region") + ] = "us-central1", + hub_type: Annotated[ + str, typer.Option(prompt="Please insert the hub type of the first hub") + ] = "basehub", ): """ Automatically generates the initial files, required to setup a new cluster on GCP """ - # Automatically generate the terraform config file - generate_terraform_file(cluster_name, cluster_region, project_id, hub_type) - # These are the variables needed by the templates used to generate the cluster config file # and support files vars = { @@ -67,6 +76,9 @@ def generate_gcp_cluster( "hub_name": hub_name, } + # Automatically generate the terraform config file + generate_terraform_file(vars) + # Automatically generate the config directory cluster_config_directory = generate_config_directory(vars) From 8af0e98efd822efbf3d212066e739aad6b65f95f Mon Sep 17 00:00:00 2001 
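Review bot: `hub_type` is now a free-text prompt defaulting to `basehub`, and the hint the old prompt carried (choose from `basehub` or `daskhub`) is gone, so a mistyped value is accepted and presumably passed on to the templates. Declaring the parameter with an `Enum` type lets Typer reject anything else and list the choices in `--help`. `cluster_name` and `hub_name` would benefit from a `callback=` validator too, since they are rendered into generated config and `cluster_name` is also used as a directory name in `common.py`. The function body continues past this hunk.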
From: YuviPanda Date: Wed, 30 Aug 2023 13:55:56 -0700 Subject: [PATCH 012/125] Reword unlisted_choice validation message --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 +- config/clusters/leap/common.values.yaml | 2 +- config/clusters/nasa-veda/common.values.yaml | 2 +- docs/howto/features/allow-unlisted-profile-choice.md | 4 ++-- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 51b0adb2cf..a7b5c5b2b6 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -56,7 +56,7 @@ basehub: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be an image location, matching ^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 53f34fb730..7d70c7e78a 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -38,7 +38,7 @@ jupyterhub: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be a valid public docker image, including a tag" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 12cf4b8ddd..044da01111 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml 
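Review bot: The new `validation_message` promises a publicly available image in a particular form, but the unchanged `validation_regex: "^.+:.+$"` beside it accepts any string containing a colon, and the value goes unmodified into `kubespawner_override.image`. Nothing restricts the registry or requires a tag (a registry host with a port and no tag also matches), so the message describes a policy the config does not enforce. If only certain registries are meant to be usable, anchor the regex on them, for example `validation_regex: "^(quay\\.io|docker\\.io)/[^\\s:]+:[^\\s:]+$"` with the registry list adjusted per hub. As rendered on this page the message ends in `of form :`, which suggests angle-bracket placeholders were lost; worth confirming in the file. The same applies to the `imagebuilding-demo`, `leap` and `nasa-veda` hunks.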
@@ -196,7 +196,7 @@ basehub: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be a valid public docker image, including a tag" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 909d511dee..4474da002b 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -86,7 +86,7 @@ basehub: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be an image location, matching ^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: diff --git a/docs/howto/features/allow-unlisted-profile-choice.md b/docs/howto/features/allow-unlisted-profile-choice.md index 86a233b38a..85b48d60a9 100644 --- a/docs/howto/features/allow-unlisted-profile-choice.md +++ b/docs/howto/features/allow-unlisted-profile-choice.md @@ -20,7 +20,7 @@ jupyterhub: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be an image location, matching ^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: @@ -56,7 +56,7 @@ In the `profileList` for the hub in question, add a profile like this: enabled: True display_name: "Custom image" validation_regex: "^.+:.+$" - validation_message: "Must be an image location, matching ^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" choices: {} From 3ea814ecb914f9db1687d1b9f135c16c35f10907 Mon Sep 17 00:00:00 2001 
From: Georgiana Dolocan Date: Thu, 31 Aug 2023 10:22:54 +0300 Subject: [PATCH 013/125] Rm hackanexoplanet config files --- .../enc-hackanexoplanet.secret.values.yaml | 17 ----- .../clusters/2i2c/hackanexoplanet.values.yaml | 67 ------------------- 2 files changed, 84 deletions(-) delete mode 100644 config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml delete mode 100644 config/clusters/2i2c/hackanexoplanet.values.yaml diff --git a/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml b/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml deleted file mode 100644 index 4e8bcebc2f..0000000000 --- a/config/clusters/2i2c/enc-hackanexoplanet.secret.values.yaml +++ /dev/null @@ -1,17 +0,0 @@ -ingressBasicAuth: - username: ENC[AES256_GCM,data:+fdObg==,iv:To7zbg0l8BA5X3Zkzt+fGv7XjCLLJ/w1zutp+ymAjWc=,tag:+tnCMGXRCWwRKS/cg35HYg==,type:str] - password: ENC[AES256_GCM,data:7hJUGTnj9mGYRkx2l6nAJ+CE2ZYolh0bbQ==,iv:H+VhPe2clY0nf0jVWkn+Aex1ajw3PtN9F7rI7lXizvw=,tag:qlACDFz9NH/vNBNhXWmWiw==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-04-03T17:57:41Z" - enc: CiUA4OM7eKpDYQzdRUnNgglLnwjcnCH53FPCvXfEaaVtDR8AweM2EkkALQgViEBA5o+hR5n1jm3tdE/McgBDG7oHB8KwGFjR85ciwFPNQfnFxs2WoeNEXqtpYD9vSpatVpQWLAPgfVa3X228kEC23SBw - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-04-03T17:57:42Z" - mac: ENC[AES256_GCM,data:UUJo8cmYYzeMtGCT8QRoVsaIlsER6fIXKSJ4e/9TZiDhXCrl6zAO79p43Qh5ziPUIIKFyKmtlweGW73DlsHoq+MLpMS3AxN32TwXtZEt2PTTdupJlgoiDvva3p4TTp7gwImo1i7iaGXIQd+QYmg3o3jQ9R9CWR5ZMgcQ57fzl9o=,iv:Z3xF1sYjfA5wO2839JwdKPdC0q9My4ZlFDMhiEMWR8M=,tag:uaHNptRlD8P9q0TSShzfLQ==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 diff --git a/config/clusters/2i2c/hackanexoplanet.values.yaml b/config/clusters/2i2c/hackanexoplanet.values.yaml deleted file mode 100644 index fcf51d5280..0000000000 
--- a/config/clusters/2i2c/hackanexoplanet.values.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -ingressBasicAuth: - enabled: true - # Password and username in enc-hackanexoplanet.secret.values.yaml - -jupyterhub: - prePuller: - # Startup performance is important for this event, and so we use - # pre-puller to make sure the images are already present on the - # nodes. This means image *must* be set in config, and not the configurator. - # tmpauthenticator doesn't support admin access anyway, so images - # must be set in config regardless. - hook: - enabled: true - continuous: - enabled: true - ingress: - annotations: - # We protect our entire hub from cryptobros by putting it all - # behind a single shared basicauth - nginx.ingress.kubernetes.io/auth-type: basic - nginx.ingress.kubernetes.io/auth-secret: ingress-basic-auth - nginx.ingress.kubernetes.io/auth-realm: "Authentication Required" - hosts: - - hackanexoplanet.2i2c.cloud - tls: - - secretName: https-auto-tls - hosts: - - hackanexoplanet.2i2c.cloud - custom: - homepage: - # tmpauthenticator does *not* show a home page by default, - # so these are not visible anywhere. But our schema requires we set - # them to strings, so we specify empty strings here. - templateVars: - org: - name: "" - url: "" - logo_url: "" - designed_by: - name: "" - url: "" - operated_by: - name: "" - url: "" - funded_by: - name: "" - url: "" - singleuser: - image: - # Image repository: https://github.com/2i2c-org/hackanexoplanet-env - name: quay.io/2i2c/hackanexoplanet-image - tag: "b6b891cb2b30" - initContainers: null - storage: - # No persistent storage should be kept to reduce any potential data - # retention & privacy issues. - type: none - extraVolumeMounts: null - hub: - config: - JupyterHub: - authenticator_class: tmpauthenticator.TmpAuthenticator - TmpAuthenticator: - # This allows users to go to the hub URL directly again to - # get a new server, instead of being plopped back into their - # older, existing user with a 'start server' button. - force_new_server: true 
From 399ace04bc37654b62ba2fddd7bf44437cf2e2da Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Thu, 31 Aug 2023 10:23:24 +0300 Subject: [PATCH 014/125] Rm hub from cluster list --- config/clusters/2i2c/cluster.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml index d883edbae5..d568f0bd08 100644 --- a/config/clusters/2i2c/cluster.yaml +++ b/config/clusters/2i2c/cluster.yaml @@ -25,17 +25,6 @@ hubs: - basehub-common.values.yaml - staging.values.yaml - enc-staging.secret.values.yaml - - name: hackanexoplanet - display_name: "ESA Hack An Exoplanet" - domain: hackanexoplanet.2i2c.cloud - uptime_check: - # This is an ephemeral hub, fully password protected with HTTP Basic Auth - expected_status: 401 - helm_chart: basehub - helm_chart_values_files: - - basehub-common.values.yaml - - hackanexoplanet.values.yaml - - enc-hackanexoplanet.secret.values.yaml - name: dask-staging display_name: "2i2c dask staging" domain: dask-staging.2i2c.cloud From 98b96802a22f1ced6780188b84b4649dff792632 Mon Sep 17 00:00:00 2001 From: Jonas Date: Thu, 31 Aug 2023 11:40:49 +0200 Subject: [PATCH 015/125] Update hub homepage url --- config/clusters/nasa-ghg/staging.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-ghg/staging.values.yaml b/config/clusters/nasa-ghg/staging.values.yaml index c3406116d6..897ba742d7 100644 --- a/config/clusters/nasa-ghg/staging.values.yaml +++ b/config/clusters/nasa-ghg/staging.values.yaml @@ -10,8 +10,8 @@ basehub: secretName: https-auto-tls custom: homepage: - gitRepoBranch: "main" - gitRepoUrl: "https://github.com/NASA-IMPACT/ghg-hub-homepage" + gitRepoBranch: "master" + gitRepoUrl: "https://github.com/US-GHG-Center/ghgc-hub-homepage" hub: config: GitHubOAuthenticator: From 0f711f40c0e4c2174e72bbd7bc30ab630f96a65c Mon Sep 17 00:00:00 2001 
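Review bot: In the `nasa-ghg/staging.values.yaml` hunk, `gitRepoUrl` now points at a repository in a different GitHub organisation and `gitRepoBranch: "master"` tracks a moving ref, so whoever can push to that branch decides what the hub serves as its homepage templates. If the chart accepts one, a tag or commit SHA in place of the branch would make the content change only through a reviewed commit here, the way `logo_url` in `nasa-ghg/common.values.yaml` embeds a commit hash. If tracking the branch is intentional, a comment such as `# tracks upstream branch; content is controlled by the US-GHG-Center maintainers` records that trust decision.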
From: Julius Busecke Date: Thu, 31 Aug 2023 11:10:42 -0400 Subject: [PATCH 016/125] Remove dupe pangeo-notebook options + bump version --- config/clusters/leap/common.values.yaml | 36 ++++--------------------- 1 file changed, 5 insertions(+), 31 deletions(-) diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 044da01111..8105434ed7 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -200,38 +200,22 @@ basehub: kubespawner_override: image: "{value}" choices: - pangeo_new: - display_name: Base Pangeo Notebook ("2023.07.05") - default: true - slug: "pangeo_new" - kubespawner_override: - image: "pangeo/pangeo-notebook:2023.07.05" pangeo: display_name: Base Pangeo Notebook default: true slug: "pangeo" kubespawner_override: - image: "pangeo/pangeo-notebook:ebeb9dd" - tensorflow_new: - display_name: Pangeo Tensorflow ML Notebook ("2023.07.05") - slug: "tensorflow_new" - kubespawner_override: - image: "pangeo/ml-notebook:2023.07.05" + image: "pangeo/pangeo-notebook:2023.08.29" tensorflow: display_name: Pangeo Tensorflow ML Notebook slug: "tensorflow" kubespawner_override: - image: "pangeo/ml-notebook:ebeb9dd" - pytorch_new: - display_name: Pangeo PyTorch ML Notebook ("2023.07.05") - slug: "pytorch_new" - kubespawner_override: - image: "pangeo/pytorch-notebook:2023.07.05" + image: "pangeo/ml-notebook:2023.08.29" pytorch: display_name: Pangeo PyTorch ML Notebook slug: "pytorch" kubespawner_override: - image: "pangeo/pytorch-notebook:ebeb9dd" + image: "pangeo/pytorch-notebook:2023.08.29" leap-pangeo-edu: display_name: LEAP Education Notebook (Testing Prototype) slug: "leap_edu" 
@@ -280,26 +264,16 @@ basehub: display_name: Image unlisted_choice: *profile_list_unlisted_choice choices: - tensorflow_new: - display_name: Pangeo Tensorflow ML Notebook ("2023.07.05") - slug: "tensorflow_new" - kubespawner_override: - image: "pangeo/ml-notebook:2023.07.05" tensorflow: display_name: Pangeo Tensorflow ML Notebook slug: "tensorflow" kubespawner_override: - image: "pangeo/ml-notebook:ebeb9dd" - pytorch_new: - display_name: Pangeo PyTorch ML Notebook ("2023.07.05") - slug: "pytorch_new" - kubespawner_override: - image: "pangeo/pytorch-notebook:2023.07.05" + image: "pangeo/ml-notebook:2023.08.29" pytorch: display_name: Pangeo PyTorch ML Notebook slug: "pytorch" kubespawner_override: - image: "pangeo/pytorch-notebook:ebeb9dd" + image: "pangeo/pytorch-notebook:2023.08.29" kubespawner_override: environment: NVIDIA_DRIVER_CAPABILITIES: compute,utility From 3b194f497e37b436477cde6e99b7f93e7b67dcdd Mon Sep 17 00:00:00 2001 From: Jonas Date: Fri, 1 Sep 2023 00:01:03 +0200 Subject: [PATCH 017/125] Update logo --- config/clusters/nasa-ghg/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml index 92c2e79c62..73cc4038ec 100644 --- a/config/clusters/nasa-ghg/common.values.yaml +++ b/config/clusters/nasa-ghg/common.values.yaml @@ -20,7 +20,7 @@ basehub: templateVars: org: name: "U.S. Greenhouse Gas Center" - logo_url: https://raw.githubusercontent.com/US-GHG-Center/ghgc-docs/87204d4a4e5f29c335a8f905c73de551aabd4845/Logo/ghg-logo.svg + logo_url: https://raw.githubusercontent.com/US-GHG-Center/ghgc-docs/b818ba6fdd3c43ede04b110975bf39d248c40df6/Logo/ghg-logo.svg url: https://www.earthdata.nasa.gov designed_by: name: "2i2c" From 16b15bf50c649e352799507f24d1816756a2b708 Mon Sep 17 00:00:00 2001 
From: "2i2c-token-generator-bot[bot]" <106546794+2i2c-token-generator-bot[bot]@users.noreply.github.com> Date: Fri, 1 Sep 2023 00:09:59 +0000 Subject: [PATCH 018/125] Bump charts ['prometheus', 'grafana', 'cluster-autoscaler'] to versions ['24.1.0', '6.59.0', '9.29.3'], respectively --- helm-charts/support/Chart.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm-charts/support/Chart.yaml b/helm-charts/support/Chart.yaml index d0125c57a1..705ecef8ad 100644 --- a/helm-charts/support/Chart.yaml +++ b/helm-charts/support/Chart.yaml @@ -15,13 +15,13 @@ dependencies: - name: prometheus # NOTE: CHECK INSTRUCTIONS UNDER prometheus.server.command IN support/values.yaml # EACH TIME THIS VERSION IS BUMPED! - version: 23.1.0 + version: 24.1.0 repository: https://prometheus-community.github.io/helm-charts # Grafana for dashboarding of metrics. # https://github.com/grafana/helm-charts/tree/main/charts/grafana - name: grafana - version: 6.58.6 + version: 6.59.0 repository: https://grafana.github.io/helm-charts # ingress-nginx for a k8s Ingress resource controller that routes traffic from @@ -35,7 +35,7 @@ dependencies: # cluster-autoscaler for k8s clusters where it doesn't come out of the box (EKS) # https://github.com/kubernetes/autoscaler/tree/master/charts/cluster-autoscaler - name: cluster-autoscaler - version: 9.29.1 + version: 9.29.3 repository: https://kubernetes.github.io/autoscaler condition: cluster-autoscaler.enabled From 92ad8d446702dc8d4a840ecf01060dac1ab39142 Mon Sep 17 00:00:00 2001 From: Sarah Gibson Date: Fri, 1 Sep 2023 11:49:11 +0100 Subject: [PATCH 019/125] Use custom homepage for victor --- config/clusters/victor/common.values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index f57aa1a673..568094f27e 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml 
@@ -17,6 +17,7 @@ basehub: add_staff_user_ids_to_admin_users: true add_staff_user_ids_of_type: "github" homepage: + gitRepoBranch: "victor" templateVars: org: name: Victor From eb3cd0b8206f326330932f4ee4201c705c4957dd Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Mon, 4 Sep 2023 12:03:41 +0300 Subject: [PATCH 020/125] Update profile list for itcoocean --- config/clusters/2i2c-aws-us/itcoocean.values.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index a800c7ab78..43e16d3463 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -113,11 +113,15 @@ jupyterhub: geospatial-python-tensorflow: display_name: Geospatial Python with tensorflow kubespawner_override: - image: eeholmes/iopython:20230714 + image: eeholmes/iopython-tf:20230901 + geospatial-python-openscapes: + display_name: Openscapes Python + kubespawner_override: + image: openscapes/python:f577786 geospatial-python-normal: display_name: Geospatial Python kubespawner_override: - image: openscapes/python:f577786 + image: eeholmes/iopython:20230901 geospatial-r-normal: display_name: Geospatial R kubespawner_override: @@ -126,7 +130,7 @@ jupyterhub: default: true display_name: Geospatial R with SDM kubespawner_override: - image: eeholmes/iorocker:20230714 + image: eeholmes/iorocker:20230901 requests: # NOTE: Node share choices are in active development, see comment # next to profileList: above. From b6314c30ae340edf1818be46012850bbffd045a0 Mon Sep 17 00:00:00 2001 
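Review bot: The images in the `itcoocean` profile list are referenced by mutable tags (`eeholmes/iopython-tf:20230901`, `eeholmes/iorocker:20230901`), so the content behind a tag can change without any commit in this repository. Pinning by digest, in the form `image: eeholmes/iopython:20230901@sha256:<digest>` with the digest filled in from the registry, keeps user servers on the build that was reviewed. The hunk also changes which image `geospatial-python-normal` resolves to, with `openscapes/python:f577786` moving to the new `geospatial-python-openscapes` choice; a one-line comment would make clear that the swap is intended.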
From: Georgiana Dolocan Date: Mon, 4 Sep 2023 12:30:11 +0300 Subject: [PATCH 021/125] Separate prod and staging profile lists --- config/clusters/openscapes/common.values.yaml | 84 ------------------ config/clusters/openscapes/prod.values.yaml | 85 +++++++++++++++++++ .../clusters/openscapes/staging.values.yaml | 85 +++++++++++++++++++ 3 files changed, 170 insertions(+), 84 deletions(-) diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 9d12dd21bb..4a41e7e19f 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -40,90 +40,6 @@ basehub: mountPath: /home/jovyan/shared subPath: _shared readOnly: false - profileList: - - display_name: Python - description: Python datascience environment - default: true - kubespawner_override: - image: openscapes/python:f577786 - profile_options: &profile_options - requests: - display_name: Resource Allocation - choices: - mem_1_9: - display_name: 1.9 GB RAM, upto 3.75 CPUs - kubespawner_override: - mem_guarantee: 1992701952 - mem_limit: 1992701952 - cpu_guarantee: 0.234375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - default: true - mem_3_7: - display_name: 3.7 GB RAM, upto 3.75 CPUs - kubespawner_override: - mem_guarantee: 3985403904 - mem_limit: 3985403904 - cpu_guarantee: 0.46875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_7_4: - display_name: 7.4 GB RAM, upto 3.75 CPUs - kubespawner_override: - mem_guarantee: 7970807808 - mem_limit: 7970807808 - cpu_guarantee: 0.9375 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_14_8: - display_name: 14.8 GB RAM, upto 3.75 CPUs - kubespawner_override: - mem_guarantee: 15941615616 - mem_limit: 15941615616 - cpu_guarantee: 1.875 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_29_7: - display_name: 29.7 GB RAM, upto 3.75 CPUs - kubespawner_override: - mem_guarantee: 31883231232 - mem_limit: 31883231232 - cpu_guarantee: 3.75 - cpu_limit: 3.75 - node_selector: - node.kubernetes.io/instance-type: r5.xlarge - mem_60_6: - display_name: 60.6 GB RAM, upto 15.72 CPUs - kubespawner_override: - mem_guarantee: 65105797120 - mem_limit: 65105797120 - cpu_guarantee: 7.86 - cpu_limit: 15.72 - node_selector: - node.kubernetes.io/instance-type: r5.4xlarge - mem_121_3: - display_name: 121.3 GB RAM, upto 15.72 CPUs - kubespawner_override: - mem_guarantee: 130211594240 - mem_limit: 130211594240 - cpu_guarantee: 15.72 - cpu_limit: 15.72 - node_selector: - 
node.kubernetes.io/instance-type: r5.4xlarge - - display_name: R - description: R (with RStudio) + Python environment - kubespawner_override: - image: openscapes/rocker:a7596b5 - profile_options: *profile_options - - display_name: Matlab - description: Matlab environment - kubespawner_override: - image: openscapes/matlab:2023-06-29 - profile_options: *profile_options scheduling: userScheduler: enabled: true diff --git a/config/clusters/openscapes/prod.values.yaml b/config/clusters/openscapes/prod.values.yaml index 784e7bd9e7..ff6e42f256 100644 --- a/config/clusters/openscapes/prod.values.yaml +++ b/config/clusters/openscapes/prod.values.yaml 
@@ -5,6 +5,91 @@ basehub: tls: - hosts: [openscapes.2i2c.cloud] secretName: https-auto-tls + singleuser: + profileList: + - display_name: Python + description: Python datascience environment + default: true + kubespawner_override: + image: openscapes/python:f577786 + profile_options: &profile_options + requests: + display_name: Resource Allocation + choices: + mem_1_9: + display_name: 1.9 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 1992701952 + mem_limit: 1992701952 + cpu_guarantee: 0.234375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + default: true + mem_3_7: + display_name: 3.7 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 3985403904 + mem_limit: 3985403904 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_7_4: + display_name: 7.4 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 7970807808 + mem_limit: 7970807808 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 15941615616 + mem_limit: 15941615616 + cpu_guarantee: 1.875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 31883231232 + mem_limit: 31883231232 + cpu_guarantee: 3.75 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_60_6: + display_name: 60.6 GB RAM, upto 15.72 CPUs + kubespawner_override: + mem_guarantee: 65105797120 + mem_limit: 65105797120 + cpu_guarantee: 7.86 + cpu_limit: 15.72 + node_selector: + node.kubernetes.io/instance-type: r5.4xlarge + mem_121_3: + display_name: 121.3 GB RAM, upto 15.72 CPUs + kubespawner_override: + mem_guarantee: 130211594240 + mem_limit: 130211594240 + cpu_guarantee: 15.72 + cpu_limit: 15.72 + node_selector: + 
node.kubernetes.io/instance-type: r5.4xlarge + - display_name: R + description: R (with RStudio) + Python environment + kubespawner_override: + image: openscapes/rocker:a7596b5 + profile_options: *profile_options + - display_name: Matlab + description: Matlab environment + kubespawner_override: + image: openscapes/matlab:2023-06-29 + profile_options: *profile_options hub: config: JupyterHub: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 5857a41cb4..99425e328f 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml 
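Review bot: The `profileList` added to `prod.values.yaml` is the same 85 lines that go into `staging.values.yaml` in the next hunk, and from the visible lines only the Python image tag differs (`openscapes/python:f577786` here, `openscapes/python:06b0503` in staging). A comment at the top of each copy, e.g. `# Keep in sync with staging.values.yaml; only image tags are expected to differ`, would help reviewers spot unintended drift in memory limits or node selectors between the two environments.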
@@ -5,6 +5,91 @@ basehub: tls: - hosts: [staging.openscapes.2i2c.cloud] secretName: https-auto-tls + singleuser: + profileList: + - display_name: Python + description: Python datascience environment + default: true + kubespawner_override: + image: openscapes/python:06b0503 + profile_options: &profile_options + requests: + display_name: Resource Allocation + choices: + mem_1_9: + display_name: 1.9 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 1992701952 + mem_limit: 1992701952 + cpu_guarantee: 0.234375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + default: true + mem_3_7: + display_name: 3.7 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 3985403904 + mem_limit: 3985403904 + cpu_guarantee: 0.46875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_7_4: + display_name: 7.4 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 7970807808 + mem_limit: 7970807808 + cpu_guarantee: 0.9375 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_14_8: + display_name: 14.8 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 15941615616 + mem_limit: 15941615616 + cpu_guarantee: 1.875 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_29_7: + display_name: 29.7 GB RAM, upto 3.75 CPUs + kubespawner_override: + mem_guarantee: 31883231232 + mem_limit: 31883231232 + cpu_guarantee: 3.75 + cpu_limit: 3.75 + node_selector: + node.kubernetes.io/instance-type: r5.xlarge + mem_60_6: + display_name: 60.6 GB RAM, upto 15.72 CPUs + kubespawner_override: + mem_guarantee: 65105797120 + mem_limit: 65105797120 + cpu_guarantee: 7.86 + cpu_limit: 15.72 + node_selector: + node.kubernetes.io/instance-type: r5.4xlarge + mem_121_3: + display_name: 121.3 GB RAM, upto 15.72 CPUs + kubespawner_override: + mem_guarantee: 130211594240 + mem_limit: 130211594240 + cpu_guarantee: 15.72 + cpu_limit: 15.72 + 
node_selector: + node.kubernetes.io/instance-type: r5.4xlarge + - display_name: R + description: R (with RStudio) + Python environment + kubespawner_override: + image: openscapes/rocker:a7596b5 + profile_options: *profile_options + - display_name: Matlab + description: Matlab environment + kubespawner_override: + image: openscapes/matlab:2023-06-29 + profile_options: *profile_options hub: config: JupyterHub: From db7ba17fa87cf19b36ee06944447af70153c337d Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 4 Sep 2023 13:22:00 +0200 Subject: [PATCH 022/125] 2i2c-aws-us, itcoocean: setup conservative ram limits --- .../2i2c-aws-us/itcoocean.values.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index 43e16d3463..7a9c19ae54 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -102,6 +102,11 @@ jupyterhub: # 16 CPU node: 0.9375 # 64 CPU node: 0.984375 # + # - Memory limits are setup conservatively to protect users from + # acquiring a false belief that what memory request they have made + # has been sufficient. This helps users tune their resource + # requests before events. + # - display_name: "Small: up to 4 CPU / 32 GB RAM" description: &profile_list_description "Start a container with at least a chosen share of capacity on a node of this type" slug: small 
@@ -141,31 +146,37 @@ jupyterhub: display_name: ~1 GB, ~0.125 CPU kubespawner_override: mem_guarantee: 0.836G + mem_limit: 1G cpu_guarantee: 0.094 mem_2: display_name: ~2 GB, ~0.25 CPU kubespawner_override: mem_guarantee: 1.671G + mem_limit: 2G cpu_guarantee: 0.188 mem_4: display_name: ~4 GB, ~0.5 CPU kubespawner_override: mem_guarantee: 3.342G + mem_limit: 4G cpu_guarantee: 0.375 mem_8: display_name: ~8 GB, ~1.0 CPU kubespawner_override: mem_guarantee: 6.684G + mem_limit: 8G cpu_guarantee: 0.75 mem_16: display_name: ~16 GB, ~2.0 CPU kubespawner_override: mem_guarantee: 13.369G + mem_limit: 16G cpu_guarantee: 1.5 mem_32: display_name: ~32 GB, ~4.0 CPU kubespawner_override: mem_guarantee: 26.738G + mem_limit: 32G cpu_guarantee: 3.0 kubespawner_override: cpu_limit: null @@ -186,42 +197,50 @@ jupyterhub: display_name: ~1 GB, ~0.125 CPU kubespawner_override: mem_guarantee: 0.903G + mem_limit: 1G cpu_guarantee: 0.117 mem_2: display_name: ~2 GB, ~0.25 CPU kubespawner_override: mem_guarantee: 1.805G + mem_limit: 2G cpu_guarantee: 0.234 mem_4: default: true display_name: ~4 GB, ~0.5 CPU kubespawner_override: mem_guarantee: 3.611G + mem_limit: 4G cpu_guarantee: 0.469 mem_8: display_name: ~8 GB, ~1.0 CPU kubespawner_override: mem_guarantee: 7.222G + mem_limit: 8G cpu_guarantee: 0.938 mem_16: display_name: ~16 GB, ~2.0 CPU kubespawner_override: mem_guarantee: 14.444G + mem_limit: 16G cpu_guarantee: 1.875 mem_32: display_name: ~32 GB, ~4.0 CPU kubespawner_override: mem_guarantee: 28.887G + mem_limit: 32G cpu_guarantee: 3.75 mem_64: display_name: ~64 GB, ~8.0 CPU kubespawner_override: mem_guarantee: 57.775G + mem_limit: 64G cpu_guarantee: 7.5 mem_128: display_name: ~128 GB, ~16.0 CPU kubespawner_override: mem_guarantee: 115.549G + mem_limit: 128G cpu_guarantee: 15.0 kubespawner_override: cpu_limit: null From 406a3546d23c03cf9750a15d4ea23f803284b0b9 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Mon, 4 Sep 2023 20:48:12 +0200 Subject: [PATCH 023/125] unlisted_choice experiment: update kubespawner --- helm-charts/images/hub/unlisted-choice-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/images/hub/unlisted-choice-requirements.txt b/helm-charts/images/hub/unlisted-choice-requirements.txt index 27ee25150b..e02283cf4e 100644 --- a/helm-charts/images/hub/unlisted-choice-requirements.txt +++ b/helm-charts/images/hub/unlisted-choice-requirements.txt @@ -1,3 +1,3 @@ git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146 -git+https://github.com/jupyterhub/kubespawner@934ef321f72e58bd680d35ea5fd6780b2b8b52c7 +git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809 From 6935f57ab9defa9a9c3caa65d11a0f92c7ea747f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 4 Sep 2023 21:43:30 +0200 Subject: [PATCH 024/125] unlisted_choice expierment: bump image to have latest kubespawner --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- config/clusters/leap/common.values.yaml | 2 +- config/clusters/nasa-veda/common.values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index a7b5c5b2b6..2300745630 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -30,7 +30,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6801.h3f4f0c4a" + tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: authenticator_class: cilogon diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 8105434ed7..bd4d000c24 100644 
--- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,7 +39,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6801.h3f4f0c4a" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: Authenticator: diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 4474da002b..2580567ca9 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6801.h3f4f0c4a" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: Authenticator: From 3d04de43f9cd189d29ce22cf5edc59bc14c1fd00 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 4 Sep 2023 21:44:43 +0200 Subject: [PATCH 025/125] nasa-veda: add missing redirection rule for staging --- config/clusters/nasa-veda/support.values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/clusters/nasa-veda/support.values.yaml b/config/clusters/nasa-veda/support.values.yaml index 526e523d7e..e51536e776 100644 --- a/config/clusters/nasa-veda/support.values.yaml +++ b/config/clusters/nasa-veda/support.values.yaml @@ -32,3 +32,11 @@ prometheus: - secretName: prometheus-tls hosts: - prometheus.nasa-veda.2i2c.cloud + +redirects: + rules: + # nasa-veda was previously used in the domain name, but domains including + # nasa that doesn't end in .gov can get blocked so the name was reduced to + # just veda, see https://github.com/2i2c-org/infrastructure/issues/3029 + - from: staging.nasa-veda.2i2c.cloud + to: staging.veda.2i2c.cloud From 5d5f6a6ea4880d31cc20209576ab35e57bdd8c83 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Mon, 4 Sep 2023 22:12:25 +0200 Subject: [PATCH 026/125] basehub: update old coroutine logic to async/await --- helm-charts/basehub/values.yaml | 99 +++++++++++++++++---------------- 1 file changed, 52 insertions(+), 47 deletions(-) diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 4019a160e2..c58cea667f 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -698,22 +698,27 @@ jupyterhub: ) c.Spawner.pre_spawn_hook = ensure_db_pvc 05-gh-teams: | + # Re-assignes c.KubeSpawner.profile_list to a callable that filters the + # initial configuration of profile_list based on the user's github + # org/team membership as declared via "allowed_teams" read from + # profile_list profiles. + # + # This is only done if: + # - GitHubOAuthenticator is used + # - GitHubOAuthenticator.populate_teams_in_auth_state is True + # import copy from textwrap import dedent - from tornado import gen, web + from tornado import web from oauthenticator.github import GitHubOAuthenticator - # Make a copy of the original profile_list, as that is the data we will work with original_profile_list = c.KubeSpawner.profile_list - # This has to be a gen.coroutine, not async def! Kubespawner uses gen.maybe_future to - # run this, and that only seems to recognize tornado coroutines, not async functions! - # We can convert this to async def once that has been fixed upstream. - @gen.coroutine - def custom_profile_list(spawner): + async def profile_list_allowed_teams_filter(spawner): """ - Dynamically set allowed list of user profiles based on GitHub teams user is part of. + Returns the initially configured profile_list filtered based on if + the spawning user is part the profiles' specified GitHub org/teams. Adds a 'allowed_teams' key to profile_list, with a list of GitHub teams (of the form org-name:team-name) for which the profile is made available. 
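Review bot: The new header comment and docstring have two wording slips: `Re-assignes` should be `Re-assigns`, and `is part the profiles' specified GitHub org/teams` is missing `of`. The docstring also says the function returns the filtered list, while the following hunk shows paths that return `original_profile_list` unfiltered; one sentence naming those cases would keep it accurate. The function body continues past this hunk.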
@@ -728,17 +733,17 @@ jupyterhub: # If populate_teams_in_auth_state is not set, github teams are not fetched # So we just don't do any of this filtering, and let anyone into everything if spawner.authenticator.populate_teams_in_auth_state == False: - return original_profile_list + return original_profile_list - auth_state = yield spawner.user.get_auth_state() + auth_state = await spawner.user.get_auth_state() if not auth_state or "teams" not in auth_state: - if spawner.user.name == 'deployment-service-check': - # For our hub deployer health checker, ignore all this logic - print("Ignoring allowed_teams check for deployment-service-check") - return original_profile_list - print(f"User {spawner.user.name} does not have any auth_state set") - raise web.HTTPError(403) + if spawner.user.name == 'deployment-service-check': + # For our hub deployer health checker, ignore all this logic + print("Ignoring allowed_teams check for deployment-service-check") + return original_profile_list + print(f"User {spawner.user.name} does not have any auth_state set") + raise web.HTTPError(403) # Make a list of team names of form org-name:team-name # This is the same syntax used by allowed_organizations traitlet of GitHubOAuthenticator 
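Review bot: The `spawner.user.name == 'deployment-service-check'` branch returns the unfiltered `original_profile_list` on a username match alone, and the comment above it does not say why an ordinary login cannot reach it. The branch is only taken when `auth_state` is missing or has no `teams` key, which presumably never holds for a user who signed in through GitHub. That reasoning belongs next to the check, e.g. `# only reachable without auth_state, which a GitHub login always sets (confirm)`. As a style point, `populate_teams_in_auth_state == False` reads better as `if not spawner.authenticator.populate_teams_in_auth_state:`, though that form would also treat `None` as disabled. The enclosing function starts before and ends after this hunk.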
@@ -752,41 +757,41 @@ jupyterhub: # otherwise we might end up modifying it by mistake profile_list_copy = copy.deepcopy(original_profile_list) for profile in profile_list_copy: - # If there is no ':' in allowed_teams, it's an org and we should check that - # differently - allowed_orgs = set([o for o in profile.get('allowed_teams', []) if ':' not in o]) - allowed_teams = set([t for t in profile.get('allowed_teams', []) if ':' in t]) - - # Keep the profile is the user is part of *any* team listed in allowed_teams - # If allowed_teams is empty or not set, it'll not be accessible to *anyone* - if allowed_teams & teams: - allowed_profiles.append(profile) - print(f"Allowing profile {profile['display_name']} for user {spawner.user.name} based on team membership") - elif allowed_orgs: - for org in allowed_orgs: - user_in_org = yield spawner.authenticator._check_membership_allowed_organizations( - org, spawner.user.name, auth_state['access_token'] - ) - if user_in_org: + # If there is no ':' in allowed_teams, it's an org and we should check that + # differently + allowed_orgs = set([o for o in profile.get('allowed_teams', []) if ':' not in o]) + allowed_teams = set([t for t in profile.get('allowed_teams', []) if ':' in t]) + + # Keep the profile is the user is part of *any* team listed in allowed_teams + # If allowed_teams is empty or not set, it'll not be accessible to *anyone* + if allowed_teams & teams: allowed_profiles.append(profile) - print(f"Allowing profile {profile['display_name']} for user {spawner.user.name} based on org membership") - break - else: - print(f"Dropping profile {profile['display_name']} for user {spawner.user.name}") + print(f"Allowing profile {profile['display_name']} for user {spawner.user.name} based on team membership") + elif allowed_orgs: + for org in allowed_orgs: + user_in_org = await spawner.authenticator._check_membership_allowed_organizations( + org, spawner.user.name, auth_state['access_token'] + ) + if user_in_org: + 
allowed_profiles.append(profile) + print(f"Allowing profile {profile['display_name']} for user {spawner.user.name} based on org membership") + break + else: + print(f"Dropping profile {profile['display_name']} for user {spawner.user.name}") if len(allowed_profiles) == 0: - # If no profiles are allowed, user should not be able to spawn anything! - # If we don't explicitly stop this, user will be logged into the 'default' settings - # set in singleuser, without any profile overrides. Not desired behavior - # FIXME: User doesn't actually see this error message, just the generic 403. - error_msg = dedent(f""" - Your GitHub team membership is insufficient to launch any server profiles. + # If no profiles are allowed, user should not be able to spawn anything! + # If we don't explicitly stop this, user will be logged into the 'default' settings + # set in singleuser, without any profile overrides. Not desired behavior + # FIXME: User doesn't actually see this error message, just the generic 403. + error_msg = dedent(f""" + Your GitHub team membership is insufficient to launch any server profiles. - GitHub teams you are a member of that this JupyterHub knows about are {', '.join(teams)}. + GitHub teams you are a member of that this JupyterHub knows about are {', '.join(teams)}. - If you are part of additional teams, log out of this JupyterHub and log back in to refresh that information. - """) - raise web.HTTPError(403, error_msg) + If you are part of additional teams, log out of this JupyterHub and log back in to refresh that information. + """) + raise web.HTTPError(403, error_msg) return allowed_profiles 
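Review bot: The org branch takes its allow/deny decision from `spawner.authenticator._check_membership_allowed_organizations`, an underscore-private method of the authenticator, so its name, arguments or return value can change between oauthenticator releases without notice. Because the result feeds directly into `if user_in_org:`, a change in what it returns could alter who is granted a profile. I would mark the dependency where it is used, for example `# private oauthenticator API: re-check signature and return value on every oauthenticator upgrade`. The function starts before this hunk.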
@@ -796,7 +801,7 @@ jupyterhub: if c.KubeSpawner.profile_list: # Customize list of profiles dynamically, rather than override options form. # This is more secure, as users can't override the options available to them via the hub API - c.KubeSpawner.profile_list = custom_profile_list + c.KubeSpawner.profile_list = profile_list_allowed_teams_filter 06-salted-username: | # Allow anonymizing username to not store *any* PII From 03fe088080a35c06b204d893484f6268a5d28dbc Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 4 Sep 2023 22:48:28 +0200 Subject: [PATCH 027/125] 2i2c, terraform: increase from 4 TiB to 5 TiB --- terraform/gcp/projects/pilot-hubs.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gcp/projects/pilot-hubs.tfvars b/terraform/gcp/projects/pilot-hubs.tfvars index 2d6b328947..4f5028cc46 100644 --- a/terraform/gcp/projects/pilot-hubs.tfvars +++ b/terraform/gcp/projects/pilot-hubs.tfvars @@ -12,7 +12,7 @@ enable_network_policy = true regional_cluster = false enable_filestore = true -filestore_capacity_gb = 4096 +filestore_capacity_gb = 5120 notebook_nodes = { "user" : { From 33a5cfcb4932a14344e5bd9f1b1e14c2471dc465 Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Tue, 5 Sep 2023 00:34:21 +0000 Subject: [PATCH 028/125] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/pre-commit/mirrors-prettier: v3.0.0 → v3.0.3](https://github.com/pre-commit/mirrors-prettier/compare/v3.0.0...v3.0.3) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 824d8d8bd1..6af250d603 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -11,7 +11,7 @@ repos: # Autoformat: markdown, yaml - repo: https://github.com/pre-commit/mirrors-prettier - rev: v3.0.0 + rev: v3.0.3 hooks: - id: prettier From 5eb2fd9aac5775651d686abbdc12391528fd1fd1 Mon Sep 17 00:00:00 2001 From: Jonas Date: Tue, 5 Sep 2023 22:56:36 +0200 Subject: [PATCH 029/125] Set custom homepage for production and staging --- config/clusters/nasa-ghg/prod.values.yaml | 4 ++++ config/clusters/nasa-ghg/staging.values.yaml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config/clusters/nasa-ghg/prod.values.yaml b/config/clusters/nasa-ghg/prod.values.yaml index 3acc34eaad..f0444fcb98 100644 --- a/config/clusters/nasa-ghg/prod.values.yaml +++ b/config/clusters/nasa-ghg/prod.values.yaml @@ -8,6 +8,10 @@ basehub: tls: - hosts: [hub.ghg.center] secretName: https-auto-tls + custom: + homepage: + gitRepoBranch: "master" + gitRepoUrl: "https://github.com/US-GHG-Center/ghgc-hub-homepage" hub: config: GitHubOAuthenticator: diff --git a/config/clusters/nasa-ghg/staging.values.yaml b/config/clusters/nasa-ghg/staging.values.yaml index 897ba742d7..c0da76fc18 100644 --- a/config/clusters/nasa-ghg/staging.values.yaml +++ b/config/clusters/nasa-ghg/staging.values.yaml @@ -10,7 +10,7 @@ basehub: secretName: https-auto-tls custom: homepage: - gitRepoBranch: "master" + gitRepoBranch: "staging" gitRepoUrl: "https://github.com/US-GHG-Center/ghgc-hub-homepage" hub: config: From 799b7c163bd66e2d2a59833368ac01ad0515aa6b Mon Sep 17 00:00:00 2001 From: Jonas Date: Wed, 6 Sep 2023 00:15:22 +0200 Subject: [PATCH 030/125] Update attributions --- config/clusters/nasa-ghg/common.values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/clusters/nasa-ghg/common.values.yaml b/config/clusters/nasa-ghg/common.values.yaml index 73cc4038ec..5dd38f8907 100644 --- a/config/clusters/nasa-ghg/common.values.yaml +++ b/config/clusters/nasa-ghg/common.values.yaml 
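Review bot: `gitRepoBranch: "master"` in prod.values.yaml makes the production homepage follow the tip of a branch in `US-GHG-Center/ghgc-hub-homepage`, a repository outside this one. A push there presumably changes what users see on the hub's landing page with no change or review here. If the chart accepts a tag or commit in this field (not visible in this diff), pinning production to one would make homepage updates an explicit change in this repository. Otherwise a comment such as `# homepage content follows pushes to this branch; keep write access to it restricted` records the dependency. The same applies to the `staging` branch set in staging.values.yaml.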
@@ -21,7 +21,7 @@ basehub: org: name: "U.S. Greenhouse Gas Center" logo_url: https://raw.githubusercontent.com/US-GHG-Center/ghgc-docs/b818ba6fdd3c43ede04b110975bf39d248c40df6/Logo/ghg-logo.svg - url: https://www.earthdata.nasa.gov + url: https://ghg.center designed_by: name: "2i2c" url: https://2i2c.org @@ -29,8 +29,8 @@ basehub: name: "2i2c" url: https://2i2c.org funded_by: - name: "NASA" - url: https://www.earthdata.nasa.gov/esds + name: "U.S. Greenhouse Gas Center" + url: https://ghg.center hub: allowNamedServers: true config: From f2d7f9f2147c13e4abfb058c3c9a68fae199f617 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 5 Sep 2023 16:56:37 -0700 Subject: [PATCH 031/125] Enable using cosmicds jupyterhub as an authentication *provider* OAuth2 credentials for the CosmicDS portal, which uses this JupyterHub as authentication *provider*. So when users hit "Login" in the CosmicDS portal, they're actually redirected to this JupyterHub (via auth0). This ensures that the portal knows exactly the (anonymized) usernames of these users, and can do additional work on their part to track them as necessary. From perspective of 2i2c engineers, this is just another JupyterHub service - just one that we don't have to maintain or manage! Our responsibility is to *provide the credentials*, and no more. Documentation of this feature is coming in a separate PR, so as to not block this one from getting merged. Ref https://github.com/2i2c-org/infrastructure/issues/3019 --- .../clusters/2i2c-aws-us/cosmicds.values.yaml | 22 +++++++++++++++++++ .../enc-cosmicds.secret.values.yaml | 17 ++++++++------ 2 files changed, 32 insertions(+), 7 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index b1c65618e3..c1ecc32225 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml 
@@ -46,11 +46,33 @@ jupyterhub: type: none extraVolumeMounts: [] hub: + services: + # OAuth2 credentials for the CosmicDS portal, which uses + # this JupyterHub as authentication *provider*. So when users hit + # "Login" in the CosmicDS portal, they're actually redirected to this + # JupyterHub (via auth0). This ensures that the portal knows exactly + # the (anonymized) usernames of these users, and can do additional work + # on their part to track them as necessary. + cosmicds-portal: + # Don't display this service under 'services' in control panel + display: false + # Don't ask end user if they want to authorize this service explicitly + # This is a trusted service, and we are being used as *authentication* + # in this case. + oauth_no_confirm: true + name: cosmicds-portal + oauth_client_id: service-cosmicds-portal + # Callback URL for the auth0 tenant, provided to us by auth0 + oauth_redirect_uri: https://dev-tbr72rd5whnwlyrg.us.auth0.com/login/callback config: Authenticator: admin_users: - nmearl - patudom + # When using JupyterHub as an auth *provider*, we don't want the + # end user to see the JupyterHub home page at all - just redirect + # them to the upstream auth provider (CILogon) directly. + auto_login_oauth2_authorize: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: diff --git a/config/clusters/2i2c-aws-us/enc-cosmicds.secret.values.yaml b/config/clusters/2i2c-aws-us/enc-cosmicds.secret.values.yaml index c47151ece0..6e1a46cc0b 100644 --- a/config/clusters/2i2c-aws-us/enc-cosmicds.secret.values.yaml +++ b/config/clusters/2i2c-aws-us/enc-cosmicds.secret.values.yaml 
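Review bot: With `oauth_no_confirm: true` the hub issues tokens to `cosmicds-portal` without asking the user, so the only limit on what such a token can do is the scope attached to this client, and the service entry states none. I would record the intent in the entry, either as a comment (`# tokens issued to this client are only meant to identify the user`) or, if the deployed JupyterHub version supports it, by setting `oauth_client_allowed_scopes` on the service. The callback host `dev-tbr72rd5whnwlyrg.us.auth0.com` looks like a development tenant. Since `oauth_redirect_uri` is where authorization codes are delivered, it is worth confirming that this is the tenant meant to receive them.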
@@ -1,22 +1,25 @@ jupyterhub: hub: + services: + cosmicds-portal: + api_token: ENC[AES256_GCM,data:QY4XnFjLgb8KqvVcXignYeJg7Xi5S5IWZ9dAFYy326XFo/oeds7DSDdj2rKam6zRX00ZC1+Cvx+FHlhL0FsjYg==,iv:dgw2az+wRJMt4uwklBcuxaYK64ETnKYH8VX0vS6RzRs=,tag:GP2yWFm9u69iUCogRoCkoQ==,type:str] extraEnv: - USERNAME_DERIVATION_PEPPER: ENC[AES256_GCM,data:AXMgK5+Gzojb2j65OA87X0BEs4JxjZr1jkemLRNhMp5pxdvt40YyMEO2fyhx+nfNwrvMf9DV6z9Hl7l2XEsbTQ==,iv:B9EBaac4VFOkU+nzxcm7LUzqJRJ4N38o4BbsZqxW69Q=,tag:cERvKEh9TfxyoDyzzVrb1Q==,type:str] + USERNAME_DERIVATION_PEPPER: ENC[AES256_GCM,data:mH/CtGOgBMPqUfy74r1sOdxxS2UcUAs/JkSItBgNKguTkV6WmBkd1VvEiRbiFmh86/VZrgFMj9k3B+eUfBSvMw==,iv:ZBhhx3mMrydErwPTNRQ391yUcZo4UIaEooz3exBY3c8=,tag:4eTclvSgvqby9qthqjAEcA==,type:str] config: CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:bG3o+fgg9Un2YzPxgBisMSpZ7mu0NnF3u7fbHFf3TErMRSNZdbKYne9InZfntOSt9CFP,iv:K+L30QknUdByGTTgs/Xo7xdWAl3ceUjyRi09PFFq0Us=,tag:GRtn+QCLaBjToj4Wk42kEg==,type:str] - client_secret: ENC[AES256_GCM,data:G/KW5Lha8iIEbK5nslLGyoM5wT/dokcGZN7cHd15QVdAExghviq1AtvqOIBDGH8O9QPU2YjJOfN+qCE3AGOAtuNFXHWevp5cwhrhD9aOsNqR1Qo4RrQ=,iv:losa6BtAz9dT4m7E3ANejNAJQt3ttKUdu21A00iErHU=,tag:QzBd1z3Qdc0DRDFsWTSZ5g==,type:str] + client_id: ENC[AES256_GCM,data:DSAp6gmFnGII9wyLwckBvljwqeokoiaOJdxs8DZdMGtAE68AB4ev5R+e5efCA3CpaFxr,iv:qo012XUuHmAlGbtyG8ty8HupB2GlZ7PLtAeD+9lvRIs=,tag:OU0VSIjWEJj9oh5N+IHwTg==,type:str] + client_secret: ENC[AES256_GCM,data:3NsIJWF/nUcXamPgXT4PQPhP8cBMXWSOHMXBZ9YRP/XC5wk34XgkGl3vKnVAD4XSLAsBHFWcPokojYkNvTx87gOhkCqXKt9lsjO0RB9xvyoGW6Pr+nk=,iv:9tKOZTcxBElSJvlMCdBk0Q76XNoSMd8RLMuEs07nXrE=,tag:ghWW2hqEBtwF+ZqPJNVl6Q==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-07-12T23:25:29Z" - enc: CiUA4OM7eBXY4SwY7PqtCXIN7/imKKYLzyV95f+5/DHHbo5HCTWcEkkAyiwFHIvAzIjhSO3eQzb0EL6A6KW3ZEu2ZUp7s3PN8gOAy6HIcPbTLQrVnFlbMSAxDT8WShiikQDXHbyjFAKVzqo/KKMuEt9o + created_at: "2023-09-05T23:42:06Z" + enc: 
CiUA4OM7eEaWJ1qxGOi9/guRwEoX5kgrSadOZDGIBeCj6peMaRyOEkkAq2nhVZ+03d2/cJEMHW7xNpZPfjRhz/CKvKzJah09I7vJOSLmcnjbtagA605lm0SsKNsMZBPjRfAB7txSFOuAtn0Eh8B7JN/U azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-07-12T23:25:29Z" - mac: ENC[AES256_GCM,data:JOXoIfDhqmOeSCml+lTi56Sd5/8R36scNKTNP5Z3l1CqUJlm9Z3SBOitFWJ3uG78kNKnrYmtqc9ygbeKv3odBfx+IBRWwcp3kg+IGTxYcVzB1Ys+J0j2S0GzI7kPuEBYPuIuXxD1aAuJsolhyAjbS1S7ZqknFiyz+JCiqMMCLAY=,iv:C69JScxiP/XKWiUlu7AtMkf+s/EGnXKwmS8PrptDzZs=,tag:zxIWjO3Alas/uj5cJZqkbg==,type:str] + lastmodified: "2023-09-05T23:42:07Z" + mac: ENC[AES256_GCM,data:CAQeu301akd2ADKzfVg/l2cqJFpgq4DBLaxxnJP0meqVBEuOI8fOo/sBK0YcRWmF3skhQflsRLqDB+/a2jqoObGO0DJ8GgqH+0jY7KXoGllfYGpSEaa+gS3LBG0pERImY0w9+xc6RntmF9qz7JpN3zxQeLNkMY1FKaCD4jdZXwY=,iv:gEGI+YFnjH+GufdJI0U3kDzoNDW+6IAIHPLQFTcIAFE=,tag:UfXYOo61s9Qotn10fXhslQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From a5c8471ed539a5cdc2c330d9d42edc9460a89926 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Tue, 5 Sep 2023 19:46:27 -0700 Subject: [PATCH 032/125] Alert on GCP when home directory has < 512GB This weekend too we had an outage caused by a full disk. In the past we have gotten lucky and caught it before it happened. Here, we instead alert whenever the filestore has <512GB in it. This alert will be sent to a pagerduty channel I've configured to post on our slack. I've applied this already to the shared cluster, and when merged, I'll apply this to all our GCP clusters. I also checked the pricing - this shouldn't cost us anything, as it's an alert policy on a pre-existing metric. Fixes https://github.com/2i2c-org/infrastructure/issues/3084 --- terraform/gcp/main.tf | 6 +++ terraform/gcp/pagerduty.tf | 48 +++++++++++++++++++ .../enc-pagerduty-service-key.secret.yaml | 16 +++++++ 3 files changed, 70 insertions(+) create mode 100644 terraform/gcp/pagerduty.tf create mode 100644 terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml 
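Review bot: Every encrypted value in this file changes in the hunk, including `USERNAME_DERIVATION_PEPPER`, `client_id` and `client_secret`, although the commit message only describes adding credentials for `cosmicds-portal`. The `gcp_kms` `enc` and `created_at` fields changed as well, which suggests the file was re-encrypted under a new data key rather than edited in place. In that case the ciphertext diff cannot show whether the older values still decrypt to the same plaintext. It is worth decrypting both revisions and comparing them before merge, because the pepper's name implies usernames are derived from it and a changed value would presumably alter them for existing users.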
diff --git a/terraform/gcp/main.tf b/terraform/gcp/main.tf index 32d37409bf..5c25c9af1d 100644 --- a/terraform/gcp/main.tf +++ b/terraform/gcp/main.tf @@ -18,6 +18,12 @@ terraform { source = "hashicorp/kubernetes" version = "~> 2.18" } + # Used to decrypt sops encrypted secrets containing PagerDuty keys + sops = { + # ref: https://registry.terraform.io/providers/carlpett/sops/latest + source = "carlpett/sops" + version = "~> 0.7.2" + } } } diff --git a/terraform/gcp/pagerduty.tf b/terraform/gcp/pagerduty.tf new file mode 100644 index 0000000000..9d165aa599 --- /dev/null +++ b/terraform/gcp/pagerduty.tf 
@@ -0,0 +1,48 @@ +data "sops_file" "pagerduty_integration_key" { + # Read sops encrypted file containing integration key for pagerduty + source_file = "secret/enc-pagerduty-service-key.secret.yaml" +} + +resource "google_monitoring_notification_channel" "pagerduty_disk_space" { + project = var.project_id + display_name = "PagerDuty Disk Space Alerts" + type = "pagerduty" + sensitive_labels { + service_key = data.sops_file.pagerduty_integration_key.data["pagerduty.disk_space"] + } +} + +resource "google_monitoring_alert_policy" "disk_space_full_alert" { + + display_name = "Disk Space 80% full on ${var.project_id}" + combiner = "OR" + + conditions { + display_name = "Simple Health Check Endpoint" + condition_threshold { + # Alert based on free bytes left on the filesystem + filter = <<-EOT + resource.type = "filestore_instance" + AND metric.type = "file.googleapis.com/nfs/server/free_bytes" + EOT + duration = "300s" + + # Trigger if free space is < 512GB + threshold_value = 549755813888 + comparison = "COMPARISON_LT" + + aggregations { + # https://cloud.google.com/monitoring/alerts/concepts-indepth#duration has + # more info on alignment + alignment_period = "300s" + per_series_aligner = "ALIGN_MEAN" + cross_series_reducer = "REDUCE_NONE" + } + } + } + + project = var.project_id + + # Send a notification to our PagerDuty channel when this is triggered + notification_channels = [google_monitoring_notification_channel.pagerduty_disk_space.name] +} diff --git a/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml b/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml new file mode 100644 index 0000000000..bc275d5f4b --- /dev/null +++ b/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml 
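Review bot: `data.sops_file.pagerduty_integration_key.data["pagerduty.disk_space"]` is decrypted at plan time and passed to `sensitive_labels.service_key`, so the PagerDuty integration key will normally be stored in the Terraform state in clear text even though it is encrypted in the repository. A comment above the data source, such as `# decrypted value is written to state; the state backend must be access-restricted and encrypted`, would make that dependency visible. Separately, the labels do not match the condition. The policy is named `Disk Space 80% full on ${var.project_id}` and the condition `Simple Health Check Endpoint`, while the threshold `549755813888` is 512 GiB of free bytes. Something like `display_name = "Filestore free space below 512GiB"` on the condition would tell the responder what actually fired.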
@@ -0,0 +1,16 @@ +pagerduty: + disk_space: ENC[AES256_GCM,data:Gu7hX3j1aPEdFf0SUY8WH0JIc2T1tdRmdDfayGge84g=,iv:NbxmjQSoMCTSaRGXfGrZyGja0FYN6HxZ/BZcLVZBVYc=,tag:gRsi6qfuGWRK7jFT4NGcEw==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2023-09-06T02:15:53Z" + enc: CiUA4OM7eIlL37yLgesbuDn5QWcuHKv0YHrTneyIXhubGLQgWViwEkkAq2nhVXMwRKAJkVFTLR5MkfYX/tzrk7aQv7qyfXCzJwCi6WRYMobHRj5cmohccEF1vTVbmPViM66PduHbF2zil8dQGS+xu6OL + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-06T02:15:53Z" + mac: ENC[AES256_GCM,data:iTQPrv84uUr8W2Ovl1yMKUohj/wUaXxT84bq5cWOX8jiKN1P74Pi3ZJvso+q502XD32I7TPyOdVr8nTSl4oZeb6SHzR/97zx1f/arfSRXFuWC/dL46c84NH6gNYZb8mO9+qs62P+X/PtuHhUS3TIIhWXrV/3XQGvI7mmUj1SZSg=,iv:4MWWgsTAmYinhCqNcwCyAuf9X0/0cBg6BMhZdPjLP88=,tag:ou7M5Zeto+rvZUzTBdJmYw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 From 210bfe089342f598167e9b2388c0b8fcbcbe9890 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 6 Sep 2023 10:22:14 +0300 Subject: [PATCH 033/125] Enable unlisted_choice for openscapes staging to try out new image tags --- .../clusters/openscapes/staging.values.yaml | 52 +++++++++++++++---- 1 file changed, 42 insertions(+), 10 deletions(-) diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 99425e328f..0f1a7f4ebd 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml 
@@ -10,10 +10,23 @@ basehub: - display_name: Python description: Python datascience environment default: true - kubespawner_override: - image: openscapes/python:06b0503 - profile_options: &profile_options - requests: + profile_options: + image: + display_name: Image and Tag + unlisted_choice: &unlisted_choice + enabled: true + display_name: "Custom image" + validation_regex: "^.+:.+$" + validation_message: "Must be a publicly available docker image, of form :" + kubespawner_override: + image: "{value}" + choices: + default: + display_name: openscapes/python:b2e79b7 + default: true + kubespawner_override: + image: openscapes/python:b2e79b7 + requests: &requests_profile_options display_name: Resource Allocation choices: mem_1_9: @@ -82,15 +95,34 @@ basehub: node.kubernetes.io/instance-type: r5.4xlarge - display_name: R description: R (with RStudio) + Python environment - kubespawner_override: - image: openscapes/rocker:a7596b5 - profile_options: *profile_options + profile_options: + image: + display_name: Image and Tag + unlisted_choice: *unlisted_choice + choices: + default: + display_name: openscapes/rocker:a7596b5 + default: true + kubespawner_override: + image: openscapes/rocker:a7596b5 + requests: *requests_profile_options - display_name: Matlab description: Matlab environment - kubespawner_override: - image: openscapes/matlab:2023-06-29 - profile_options: *profile_options + profile_options: + image: + display_name: Image and Tag + unlisted_choice: *unlisted_choice + choices: + default: + display_name: openscapes/matlab:2023-06-29 + default: true + kubespawner_override: + image: openscapes/matlab:2023-06-29 + requests: *requests_profile_options hub: + image: + name: quay.io/2i2c/unlisted-choice-experiment + tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: authenticator_class: cilogon From 60136b533cb0eef4cd46611a44ad296876a2f168 Mon Sep 17 00:00:00 2001 
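Review bot: `validation_regex: "^.+:.+$"` accepts any string containing a colon, so together with `image: "{value}"` any user who can reach the profile page can start a pod from an arbitrary image on any registry. The pattern also admits whitespace and other characters that are not valid in an image reference. If free choice of image is intended on staging, say so in a comment next to `unlisted_choice`. Otherwise restrict the pattern to the expected namespace, for example (constructed) `validation_regex: "^openscapes/[a-z0-9._-]+:[A-Za-z0-9._-]+$"`. The `&unlisted_choice` anchor is reused by the R and Matlab profiles in the second hunk, so the same rule applies there.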
From: Georgiana Dolocan Date: Wed, 6 Sep 2023 10:25:57 +0300 Subject: [PATCH 034/125] Default to the original image tag as the latest results in backoff errors --- config/clusters/openscapes/staging.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 0f1a7f4ebd..b616daf78d 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -22,10 +22,10 @@ basehub: image: "{value}" choices: default: - display_name: openscapes/python:b2e79b7 + display_name: openscapes/python:06b0503 default: true kubespawner_override: - image: openscapes/python:b2e79b7 + image: openscapes/python:06b0503 requests: &requests_profile_options display_name: Resource Allocation choices: From 08aa33dc6ffbc39ba1127a925d25a3607cbeb58e Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 6 Sep 2023 12:19:44 +0200 Subject: [PATCH 035/125] Add comments and tweak naming --- terraform/gcp/pagerduty.tf | 18 +++++++++++++++--- ...erduty-service-integration-keys.secret.yaml | 16 ++++++++++++++++ .../enc-pagerduty-service-key.secret.yaml | 16 ---------------- 3 files changed, 31 insertions(+), 19 deletions(-) create mode 100644 terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml delete mode 100644 terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml diff --git a/terraform/gcp/pagerduty.tf b/terraform/gcp/pagerduty.tf index 9d165aa599..0a263cb631 100644 --- a/terraform/gcp/pagerduty.tf +++ b/terraform/gcp/pagerduty.tf 
@@ -1,6 +1,18 @@ -data "sops_file" "pagerduty_integration_key" { +/** +* This file defines alerts and notification channels for sending information to +* PagerDuty in order to trigger incidents. This relies on pre-registered +* PagerDuty services with "stackdriver" integrations in 2i2c's PagerDuty +* account. +* +* - PagerDuty services in 2i2c's PagerDuty account: +* https://2i2c-org.pagerduty.com/service-directory/?direction=asc&query=&team_ids=all +* - GCP docs about managing notification channels: +* https://cloud.google.com/monitoring/support/notification-options +* +*/ +data "sops_file" "pagerduty_service_integration_keys" { # Read sops encrypted file containing integration key for pagerduty - source_file = "secret/enc-pagerduty-service-key.secret.yaml" + source_file = "secret/enc-pagerduty-service-integration-keys.secret.yaml" } resource "google_monitoring_notification_channel" "pagerduty_disk_space" { @@ -8,7 +20,7 @@ resource "google_monitoring_notification_channel" "pagerduty_disk_space" { display_name = "PagerDuty Disk Space Alerts" type = "pagerduty" sensitive_labels { - service_key = data.sops_file.pagerduty_integration_key.data["pagerduty.disk_space"] + service_key = data.sops_file.pagerduty_service_integration_keys.data["pagerduty_service_integration_keys.disk_space"] } } diff --git a/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml b/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml new file mode 100644 index 0000000000..feac0b2222 --- /dev/null +++ b/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml 
@@ -0,0 +1,16 @@ +pagerduty_service_integration_keys: + disk_space: ENC[AES256_GCM,data:5ueHUnbbCpJYtwP4pPvuJTJbCVLnfTAlrnCpqRp7zo0=,iv:1lGoK1ppB7RYDP6LoeWMlGzRFUgHjJNIrVvyAXvbVa0=,tag:ZJ91lkMdFkh/qk2SLj+vYw==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2023-09-06T02:15:53Z" + enc: CiUA4OM7eIlL37yLgesbuDn5QWcuHKv0YHrTneyIXhubGLQgWViwEkkAq2nhVXMwRKAJkVFTLR5MkfYX/tzrk7aQv7qyfXCzJwCi6WRYMobHRj5cmohccEF1vTVbmPViM66PduHbF2zil8dQGS+xu6OL + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-09-06T10:17:13Z" + mac: ENC[AES256_GCM,data:bX5Zhk66QL62A/Bu/WuAGV+a+L/ch9e65Kc56OgBKaKN7bFhkvgcnI20DgOuEov6S1+6LI9pRQoKHAQgR1iHydEKmEtruN5mifT3PSKlLYBzdytOCmLC6mDE2Xy0sOkQgqQEiof0eQbQd/N/l64/0NSCu8rgaYveE7M+roZaBx8=,iv:dQQ3HOOiuz+RxwnZ7kRwGeWA/FspO9DGNaQ2iB5dsGk=,tag:FeMdZssLGCuuNUc7C1Mj7Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml b/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml deleted file mode 100644 index bc275d5f4b..0000000000 --- a/terraform/gcp/secret/enc-pagerduty-service-key.secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ -pagerduty: - disk_space: ENC[AES256_GCM,data:Gu7hX3j1aPEdFf0SUY8WH0JIc2T1tdRmdDfayGge84g=,iv:NbxmjQSoMCTSaRGXfGrZyGja0FYN6HxZ/BZcLVZBVYc=,tag:gRsi6qfuGWRK7jFT4NGcEw==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-09-06T02:15:53Z" - enc: CiUA4OM7eIlL37yLgesbuDn5QWcuHKv0YHrTneyIXhubGLQgWViwEkkAq2nhVXMwRKAJkVFTLR5MkfYX/tzrk7aQv7qyfXCzJwCi6WRYMobHRj5cmohccEF1vTVbmPViM66PduHbF2zil8dQGS+xu6OL - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-06T02:15:53Z" - mac: ENC[AES256_GCM,data:iTQPrv84uUr8W2Ovl1yMKUohj/wUaXxT84bq5cWOX8jiKN1P74Pi3ZJvso+q502XD32I7TPyOdVr8nTSl4oZeb6SHzR/97zx1f/arfSRXFuWC/dL46c84NH6gNYZb8mO9+qs62P+X/PtuHhUS3TIIhWXrV/3XQGvI7mmUj1SZSg=,iv:4MWWgsTAmYinhCqNcwCyAuf9X0/0cBg6BMhZdPjLP88=,tag:ou7M5Zeto+rvZUzTBdJmYw==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.3 From d2d2c06d20f0cbde27d457e9cc24f41e850a2637 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Sep 2023 14:56:45 -0700 Subject: [PATCH 036/125] Add more comments to the encrypted service integrations file --- terraform/gcp/pagerduty.tf | 2 +- ...pagerduty-service-integration-keys.secret.yaml | 15 +++++++++------ 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/terraform/gcp/pagerduty.tf b/terraform/gcp/pagerduty.tf index 0a263cb631..5b45290681 100644 --- a/terraform/gcp/pagerduty.tf +++ b/terraform/gcp/pagerduty.tf @@ -20,7 +20,7 @@ resource "google_monitoring_notification_channel" "pagerduty_disk_space" { display_name = "PagerDuty Disk Space Alerts" type = "pagerduty" sensitive_labels { - service_key = data.sops_file.pagerduty_service_integration_keys.data["pagerduty_service_integration_keys.disk_space"] + service_key = data.sops_file.pagerduty_service_integration_keys.data["disk_space"] } } 
diff --git a/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml b/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml index feac0b2222..2d00bdef4c 100644 --- a/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml +++ b/terraform/gcp/secret/enc-pagerduty-service-integration-keys.secret.yaml 
@@ -1,16 +1,19 @@ -pagerduty_service_integration_keys: - disk_space: ENC[AES256_GCM,data:5ueHUnbbCpJYtwP4pPvuJTJbCVLnfTAlrnCpqRp7zo0=,iv:1lGoK1ppB7RYDP6LoeWMlGzRFUgHjJNIrVvyAXvbVa0=,tag:ZJ91lkMdFkh/qk2SLj+vYw==,type:str] +#ENC[AES256_GCM,data:FxCCu/DMShf4HlOeIL07yuTb5n8Df2viI9NMXk/oxab9Rs4Kn51gVIU3PlIIXM4M3mYVYKVRvpF3j+SmtqXj4lLPpBPK0tn9j7cLw1Z/3J7a,iv:cIotHiLKrulCAs/Yq5DCJhvv69M1ahIz3RXmV1kmgwk=,tag:AZzq1JcRkpm4mbRYSHTONA==,type:comment] +#ENC[AES256_GCM,data:trbapbX57yDKIOw5W2ezVZasO9FVQqHzphqbaDhsyDLvOClBTGdkn4Yeitubv6hqmoNxMkauU/a6y98Gr3rn00gupNlX+t+o1afRmMIEwL5o,iv:9VunnZES/oPFkJDsoFBPup6Eeh8ClmwDXVZMeTahT88=,tag:KfarI7CY8FrQyH+sZ6+ivw==,type:comment] +#ENC[AES256_GCM,data:aEcAW7H5s6bbkKEIGsn3oPmterD1uRjY6s/i6n616A32prTfu7DHoCSSJlOl/SFBBaNdUFy69gRb0qnsEVLxe3Jbx5XWGGvRBNQLwd/GDjTG,iv:W40bcs3XwEEMZsPmO0w+xYqfydbq/1VGm+art6foqcU=,tag:tbrP4q3Iwb1B28zxbz9Z9A==,type:comment] +#ENC[AES256_GCM,data:dnFbCqSAHLriCyq3EAJia0GketuNdLhLWRX0qKxGmDsyTF00BJLv8nKGnUcML+nUecsoFb3dvWlsUUOvRZ3BznJgYrfF9SGq6dMCU7+q79DhBLdU6A==,iv:AbZIdZcl2kD3yWpzV23xfZ7dIWK1wqY0WiUYsB1e0Z4=,tag:wavRZFwVWX6yf+30IgtWLw==,type:comment] +disk_space: ENC[AES256_GCM,data:nwR0G3PGhlSnnne5pisymfvlAN+yPRkTWTG71/jaJb0=,iv:2WQdn69bFBB0XbBeIm7juuh/w1PckvFmYfEGEmq6Hps=,tag:ovZmaZ4a7Ady5x4moNClPA==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-09-06T02:15:53Z" - enc: CiUA4OM7eIlL37yLgesbuDn5QWcuHKv0YHrTneyIXhubGLQgWViwEkkAq2nhVXMwRKAJkVFTLR5MkfYX/tzrk7aQv7qyfXCzJwCi6WRYMobHRj5cmohccEF1vTVbmPViM66PduHbF2zil8dQGS+xu6OL + created_at: "2023-09-06T21:56:23Z" + enc: CiUA4OM7eO/6AvFQhsiSCXcba7zOnYZC45WPgkTzOsO+ivGKt1lIEkkAq2nhVWRy1UZ3GuuIlNwadpU5nz4UTLN4lKOWjQVa+qu0E7fzmPyTKXAM0nNXDxKr+ji1/AsvhsTi/DwCdb98NPU8uFOmH5AL azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-09-06T10:17:13Z" - mac: 
ENC[AES256_GCM,data:bX5Zhk66QL62A/Bu/WuAGV+a+L/ch9e65Kc56OgBKaKN7bFhkvgcnI20DgOuEov6S1+6LI9pRQoKHAQgR1iHydEKmEtruN5mifT3PSKlLYBzdytOCmLC6mDE2Xy0sOkQgqQEiof0eQbQd/N/l64/0NSCu8rgaYveE7M+roZaBx8=,iv:dQQ3HOOiuz+RxwnZ7kRwGeWA/FspO9DGNaQ2iB5dsGk=,tag:FeMdZssLGCuuNUc7C1Mj7Q==,type:str] + lastmodified: "2023-09-06T21:56:24Z" + mac: ENC[AES256_GCM,data:J1oep9rSOE20uHN1+YP/Mg04s/NG3svnY0AYiLZOY9dXHKWjcSGd+EcBIsD9UvkApGhftyWSBhdA38zjASMzq7pyUepf8/kGNL/OQiLsfQEST9/2OrCTRtRdUS8ryyxw6cUv1E0cCFpKFC8hZuf28J86zNCie2jwyCep1IVEghw=,iv:QWSDNl6vw6b0MoMdcTaXFqZL0jghodYy/z5ouLt2r3k=,tag:NEwRIpyvYJEFy9UQEr4uNQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From f551e75f978b16887b60afdb9a565d4105632830 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Sep 2023 15:11:06 -0700 Subject: [PATCH 037/125] Switch filestore alerts back to % based alerts Requiring 512GiB to be free on a 1TiB filestore is too much. So instead we require 10% to be free on all of them. --- terraform/gcp/pagerduty.tf | 8 ++++---- terraform/gcp/variables.tf | 9 +++++++++ 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/terraform/gcp/pagerduty.tf b/terraform/gcp/pagerduty.tf index 5b45290681..7b79f3c012 100644 --- a/terraform/gcp/pagerduty.tf +++ b/terraform/gcp/pagerduty.tf @@ -26,7 +26,7 @@ resource "google_monitoring_notification_channel" "pagerduty_disk_space" { resource "google_monitoring_alert_policy" "disk_space_full_alert" { - display_name = "Disk Space 80% full on ${var.project_id}" + display_name = "Available disk space < ${var.filestore_alert_available_percent}% on ${var.project_id}" combiner = "OR" conditions { 
@@ -35,12 +35,12 @@ resource "google_monitoring_alert_policy" "disk_space_full_alert" { # Alert based on free bytes left on the filesystem filter = <<-EOT resource.type = "filestore_instance" - AND metric.type = "file.googleapis.com/nfs/server/free_bytes" + AND metric.type = "file.googleapis.com/nfs/server/free_bytes_percent" EOT duration = "300s" - # Trigger if free space is < 512GB - threshold_value = 549755813888 + # Trigger if free space is < 10% + threshold_value = var.filestore_alert_available_percent comparison = "COMPARISON_LT" aggregations { diff --git a/terraform/gcp/variables.tf b/terraform/gcp/variables.tf index 45cb956fea..76613e1483 100644 --- a/terraform/gcp/variables.tf +++ b/terraform/gcp/variables.tf @@ -309,6 +309,15 @@ variable "filestore_tier" { EOT } +variable "filestore_alert_available_percent" { + type = number + default = 10 + description = <<-EOT + % of free space in filestore available under which to fire an alert to pagerduty. + EOT +} + + variable "enable_node_autoprovisioning" { type = bool default = false From 5f5b4aa0e211928939d86fc5d5e825f7c79dd68d Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Sep 2023 21:26:36 -0700 Subject: [PATCH 038/125] Set default prometheus disk size to 400Gi A lot of instances with 200Gi are in fact failing, as noticed in https://github.com/2i2c-org/infrastructure/actions/runs/6104903072, because their disks are full. The goal is to try to bring these back up first, and then we can work on figuring out why they may be down. Ref https://github.com/2i2c-org/infrastructure/issues/2930 --- helm-charts/support/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/support/values.yaml b/helm-charts/support/values.yaml index b4beb7da08..e8dbd0de6b 100644 --- a/helm-charts/support/values.yaml +++ b/helm-charts/support/values.yaml 
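Review bot: The new `filestore_alert_available_percent` variable in terraform/gcp/variables.tf accepts any number, and it is used directly as `threshold_value` with `COMPARISON_LT`. A value of 0 or below would leave the disk-space alert in place but unable to fire, and a value of 100 or above would page continuously. A `validation` block that keeps it strictly between 0 and 100 catches that at plan time. In the pagerduty.tf hunk, the comment `# Trigger if free space is < 10%` now hard-codes the default and should name the variable instead, for example `# Trigger if free space is below var.filestore_alert_available_percent percent`.

```hcl
variable "filestore_alert_available_percent" {
  # … unchanged: type, default, description …

  validation {
    condition     = var.filestore_alert_available_percent > 0 && var.filestore_alert_available_percent < 100
    error_message = "filestore_alert_available_percent must be greater than 0 and less than 100."
  }
}
```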
@@ -277,7 +277,7 @@ prometheus: # hub.jupyter.org/network-access-hub: "true" persistentVolume: - size: 200Gi + size: 400Gi service: type: ClusterIP From 3321e1fac3ee7d13d6690154e0c2047b4bd40ebb Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Sep 2023 21:37:13 -0700 Subject: [PATCH 039/125] Increase shared cluster prometheus disk size to 1Ti 512Gi was full. We need to still investigate why, but this brings the prometheus back up Ref https://github.com/2i2c-org/infrastructure/issues/2930 --- config/clusters/2i2c/support.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c/support.values.yaml b/config/clusters/2i2c/support.values.yaml index 6bd49d7968..698ba5e55d 100644 --- a/config/clusters/2i2c/support.values.yaml +++ b/config/clusters/2i2c/support.values.yaml @@ -5,7 +5,7 @@ prometheus: server: persistentVolume: # 100Gi filled up, and this is source of our billing data. - size: 512Gi + size: 1Ti ingress: enabled: true hosts: From b43a0e6958c770c4819c79100064e8e0ab418d2f Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Wed, 6 Sep 2023 22:05:16 -0700 Subject: [PATCH 040/125] Bump up awi-ciroh home directory by 512GiB It's almost full, as identified by the pagerduty page --- terraform/gcp/projects/awi-ciroh.tfvars | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/gcp/projects/awi-ciroh.tfvars b/terraform/gcp/projects/awi-ciroh.tfvars index 65920f8b50..00423fd574 100644 --- a/terraform/gcp/projects/awi-ciroh.tfvars +++ b/terraform/gcp/projects/awi-ciroh.tfvars @@ -5,7 +5,7 @@ region = "us-central1" core_node_machine_type = "n2-highmem-4" enable_network_policy = true enable_filestore = true -filestore_capacity_gb = 1024 +filestore_capacity_gb = 1536 k8s_versions = { min_master_version : "1.25.8-gke.500", From 4766c1f955b18d8879538820967d22508685f59f Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Thu, 7 Sep 2023 00:10:11 -0700 Subject: [PATCH 041/125] Change prometheus block duration time to 60m Based on suspicion in https://github.com/2i2c-org/infrastructure/issues/2934#issuecomment-1669619133 that this is contributing to the slowness of prometheus. Could also be related to why disk space usage is growing so much Ref https://github.com/2i2c-org/infrastructure/issues/2930 Ref https://github.com/2i2c-org/infrastructure/issues/2934 --- helm-charts/support/values.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/helm-charts/support/values.yaml b/helm-charts/support/values.yaml index e8dbd0de6b..6a46bfffb9 100644 --- a/helm-charts/support/values.yaml +++ b/helm-charts/support/values.yaml @@ -181,20 +181,20 @@ prometheus: --web.console.libraries=/etc/prometheus/console_libraries \ --web.console.templates=/etc/prometheus/consoles \ --web.enable-lifecycle \ - --storage.tsdb.min-block-duration=5m \ - --storage.tsdb.max-block-duration=5m" + --storage.tsdb.min-block-duration=60m \ + --storage.tsdb.max-block-duration=60m" # extraFlags MUST BE UPDATED in prometheus.server.defaultFlagsOverride as well extraFlags: - web.enable-lifecycle # We seem to loose data when restarting prometheus during upgrades, and we # also have had memory peaking issues during startup. These flags may help - # us reduce the data loss to at most 30m and has been observed to reduce + # us reduce the data loss to at most 60m and has been observed to reduce # the memory peaking before prometheus 2.45 at least. # # ref: https://github.com/prometheus/prometheus/issues/6934#issuecomment-1099293120 # - - storage.tsdb.min-block-duration=5m - - storage.tsdb.max-block-duration=5m + - storage.tsdb.min-block-duration=60m + - storage.tsdb.max-block-duration=60m # retention MUST BE UPDATED in prometheus.server.defaultFlagsOverride as well retention: 366d # Keep data for at least 1 year From 61ce09c2b348ffc33076bba2039fbd9eb7332f9f Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Thu, 7 Sep 2023 00:28:59 -0700 Subject: [PATCH 042/125] Just revert block timings back to default --- helm-charts/support/values.yaml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/helm-charts/support/values.yaml b/helm-charts/support/values.yaml index 6a46bfffb9..300187d9ef 100644 --- a/helm-charts/support/values.yaml +++ b/helm-charts/support/values.yaml @@ -180,21 +180,10 @@ prometheus: --storage.tsdb.path=/data \ --web.console.libraries=/etc/prometheus/console_libraries \ --web.console.templates=/etc/prometheus/consoles \ - --web.enable-lifecycle \ - --storage.tsdb.min-block-duration=60m \ - --storage.tsdb.max-block-duration=60m" + --web.enable-lifecycle" # extraFlags MUST BE UPDATED in prometheus.server.defaultFlagsOverride as well extraFlags: - web.enable-lifecycle - # We seem to loose data when restarting prometheus during upgrades, and we - # also have had memory peaking issues during startup. These flags may help - # us reduce the data loss to at most 60m and has been observed to reduce - # the memory peaking before prometheus 2.45 at least. - # - # ref: https://github.com/prometheus/prometheus/issues/6934#issuecomment-1099293120 - # - - storage.tsdb.min-block-duration=60m - - storage.tsdb.max-block-duration=60m # retention MUST BE UPDATED in prometheus.server.defaultFlagsOverride as well retention: 366d # Keep data for at least 1 year From d4b6e9d46ba2d9265760c94dde4615154b79cb21 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Thu, 7 Sep 2023 10:29:55 -0700 Subject: [PATCH 043/125] singleuser post-start lifecycle hook for /veda-docs --- config/clusters/nasa-veda/common.values.yaml | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 2580567ca9..67075c2979 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -61,6 +61,27 @@ basehub: # Based off pangeo/pangeo-notebook:2023.07.05 which uses JupyterLab <4, so jupyterlab-git and dask-dashboard work # If updating this tag, also update it in the profile_options section below tag: "b807c7efa97c8df9ca38779f7e59d09f889fde9299b0d19de80389cf6b064f90" + extraFiles: + k8s-lifecycle-hook-post-start.sh: + mountPath: "/etc/singleuser/k8s-lifecycle-hook-post-start.sh" + stringData: | + #/bin/bash + echo "pulling /veda-docs.." + /srv/conda/envs/notebook/bin/gitpuller https://github.com/NASA-IMPACT/veda-docs/ main /home/jovyan/veda-doc-examples || true + echo "successfully pulled /veda-docs.." + storage: + capacity: "10Mi" + extraVolumes: + - name: user-etc-singleuser + extraVolumeMounts: + - name: user-etc-singleuser + mountPath: /etc/singleuser + lifecycleHooks: + postStart: + exec: + command: + - "bash" + - "/etc/singleuser/k8s-lifecycle-hook-post-start.sh" profileList: # NOTE: About node sharing # From 29aeb8379eef6af7b0b53b75fb1071e9a1b0d630 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Thu, 7 Sep 2023 11:01:13 -0700 Subject: [PATCH 044/125] change images --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 67075c2979..762b99e704 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -60,7 +60,7 @@ basehub: name: public.ecr.aws/nasa-veda/nasa-veda-singleuser # Based off pangeo/pangeo-notebook:2023.07.05 which uses JupyterLab <4, so jupyterlab-git and dask-dashboard work # If updating this tag, also update it in the profile_options section below - tag: "b807c7efa97c8df9ca38779f7e59d09f889fde9299b0d19de80389cf6b064f90" + tag: "5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460" extraFiles: k8s-lifecycle-hook-post-start.sh: mountPath: "/etc/singleuser/k8s-lifecycle-hook-post-start.sh" 
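Review bot: The post-start script added under `extraFiles` in nasa-veda/common.values.yaml prints `successfully pulled /veda-docs..` even when gitpuller fails, because `|| true` discards the exit status and the final `echo` runs unconditionally. Its first line `#/bin/bash` is also missing the `!`, which only goes unnoticed because the hook runs the file through `bash`. Use `#!/bin/bash`, and replace `|| true` plus the last `echo` with `&& echo "successfully pulled /veda-docs.." || echo "pull of /veda-docs failed, continuing" >&2`, so the hook still never fails but the log reflects the result. The script also syncs the moving `main` branch of an external repository into every user's home directory at each start, so add a comment recording that this repository is trusted, or pin a reviewed ref.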
@@ -121,7 +121,7 @@ basehub: display_name: Rocker Geospatial with RStudio slug: rocker kubespawner_override: - image: rocker/binder:4.3 + image: rocker/geospatial:geospatial_unstable # Launch RStudio after the user logs in default_url: /rstudio # Ensures container working dir is homedir From df67ad26e7d7e77355f2c3d667b48e71110ccf32 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Thu, 7 Sep 2023 12:29:06 -0700 Subject: [PATCH 045/125] wrong tag --- config/clusters/nasa-veda/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 762b99e704..3cae99a8d4 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -121,7 +121,7 @@ basehub: display_name: Rocker Geospatial with RStudio slug: rocker kubespawner_override: - image: rocker/geospatial:geospatial_unstable + image: rocker/geospatial:unstable # Launch RStudio after the user logs in default_url: /rstudio # Ensures container working dir is homedir From 06e0c36533f1dd9ced39233cd7041216925fd277 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Thu, 7 Sep 2023 23:57:48 +0200 Subject: [PATCH 046/125] ubc-eoas: allow all UBC authenticated users, not just EOAS associated users --- config/clusters/ubc-eoas/common.values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 17a34761be..2f15acec19 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -47,8 +47,6 @@ jupyterhub: username_claim: email action: strip_idp_domain domain: eoas.ubc.ca - allowed_domains: - - eoas.ubc.ca http://google.com/accounts/o8/id: username_derivation: username_claim: email From 34e573b51c2451d13b8e96c0f3a2ca794cf99535 Mon Sep 17 00:00:00 2001 
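Review bot: `image: rocker/geospatial:geospatial_unstable` in the rocker profile of nasa-veda/common.values.yaml, and `rocker/geospatial:unstable` in the follow-up hunk on the same line, replace the versioned `rocker/binder:4.3` with a floating tag. The contents of user servers can then change upstream with no change in this repository, and nodes holding a cached copy may run different builds. Prefer a versioned tag, optionally pinned by digest, e.g. `image: rocker/geospatial:<VERSION>@sha256:<DIGEST>` (placeholders). Also confirm that the new image still provides what `default_url: /rstudio` relies on when started by JupyterHub; the rest of this profile lies outside the hunk.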
From: ranchodeluxe Date: Fri, 8 Sep 2023 09:04:43 -0700 Subject: [PATCH 047/125] use image baked python script --- config/clusters/nasa-veda/common.values.yaml | 25 ++++---------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 3cae99a8d4..c5e60cab93 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -59,29 +59,14 @@ basehub: image: name: public.ecr.aws/nasa-veda/nasa-veda-singleuser # Based off pangeo/pangeo-notebook:2023.07.05 which uses JupyterLab <4, so jupyterlab-git and dask-dashboard work - # If updating this tag, also update it in the profile_options section below + # If updating this tag, also update it in the `profile_options.image.options.pangeo.kubespawner_override.image`below tag: "5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460" - extraFiles: - k8s-lifecycle-hook-post-start.sh: - mountPath: "/etc/singleuser/k8s-lifecycle-hook-post-start.sh" - stringData: | - #/bin/bash - echo "pulling /veda-docs.." - /srv/conda/envs/notebook/bin/gitpuller https://github.com/NASA-IMPACT/veda-docs/ main /home/jovyan/veda-doc-examples || true - echo "successfully pulled /veda-docs.." - storage: - capacity: "10Mi" - extraVolumes: - - name: user-etc-singleuser - extraVolumeMounts: - - name: user-etc-singleuser - mountPath: /etc/singleuser lifecycleHooks: postStart: exec: command: - - "bash" - - "/etc/singleuser/k8s-lifecycle-hook-post-start.sh" + - "python3" + - "/opt/k8s-lifecycle-hook-post-start.py" profileList: # NOTE: About node sharing # 
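Review bot: The `postStart` hook now runs `python3 /opt/k8s-lifecycle-hook-post-start.py` with no fallback, and it sits beside the default `image` under the singleuser block (which starts outside this hunk), so it appears to apply to every profile. The rocker profile in the same file uses `rocker/binder:4.3`, which presumably does not contain that script, and Kubernetes kills a container whose postStart handler fails. Either override `lifecycle_hooks` in that profile's `kubespawner_override`, or make the hook tolerant of a missing file, e.g. `command: ["sh", "-c", "[ -f /opt/k8s-lifecycle-hook-post-start.py ] && python3 /opt/k8s-lifecycle-hook-post-start.py || true"]`. The previous shell version ended in `|| true`, so this commit also changes the failure behaviour for the pangeo image.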
@@ -116,12 +101,12 @@ basehub: default: true slug: pangeo kubespawner_override: - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:b807c7efa97c8df9ca38779f7e59d09f889fde9299b0d19de80389cf6b064f90 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 rocker: display_name: Rocker Geospatial with RStudio slug: rocker kubespawner_override: - image: rocker/geospatial:unstable + image: rocker/binder:4.3 # Launch RStudio after the user logs in default_url: /rstudio # Ensures container working dir is homedir From ee47cb4e3beb4739359851cab1407962688d485b Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Sep 2023 15:25:35 -0700 Subject: [PATCH 048/125] Add GPU support for smithsonian hub - Bump up the pangeo notebook version to match latest pytorch and ml images. This shall be communicated to the community champion too. - Remove redundant 'image' tag, as we use profileList - Add GPU to eksctl - Awaiting GPU quota increase being granted Fixes --- .../clusters/smithsonian/common.values.yaml | 46 +++++++++++++------ eksctl/smithsonian.jsonnet | 6 +++ 2 files changed, 38 insertions(+), 14 deletions(-) diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 18b1e3c669..641650670d 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml 
@@ -59,18 +59,6 @@ basehub: enabled: true singleuser: - image: - # Pending information about what image to use in - # https://github.com/2i2c-org/infrastructure/issues/2323, the - # pangeo/pangeo-notebook image was setup initially as it includes recent - # versions of dask/distributed which is relevant for a use with - # dask-gateway. - # - # image source: https://github.com/pangeo-data/pangeo-docker-images - # image published: https://quay.io/repository/pangeo/pangeo-notebook?tab=tags - # - name: quay.io/pangeo/pangeo-notebook - tag: "2023.02.27" profileList: # NOTE: About node sharing # @@ -113,12 +101,23 @@ basehub: display_name: Jupyter SciPy Notebook slug: scipy kubespawner_override: - image: jupyter/scipy-notebook:2023-06-26 + image: "jupyter/scipy-notebook:2023-09-04" pangeo: display_name: Pangeo Notebook slug: pangeo kubespawner_override: - image: quay.io/pangeo/pangeo-notebook:2023.02.27 + image: "quay.io/pangeo/pangeo-notebook:2023.08.29" + tensorflow: &image_tensorflow + display_name: Pangeo Tensorflow ML Notebook + slug: tensorflow + kubespawner_override: + image: "pangeo/ml-notebook:2023.08.29" + pytorch: &image_pytorch + display_name: Pangeo PyTorch ML Notebook + default: true + slug: pytorch + kubespawner_override: + image: "pangeo/pytorch-notebook:2023.08.29" requests: # NOTE: Node share choices are in active development, see comment # next to profileList: above. @@ -160,3 +159,22 @@ basehub: mem_limit: null node_selector: node.kubernetes.io/instance-type: r5.xlarge + + - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs + slug: gpu + description: "Start a container on a dedicated node with a GPU" + profile_options: + image: + display_name: Image + choices: + tensorflow: *image_tensorflow + pytorch: *image_pytorch + kubespawner_override: + mem_limit: null + environment: + NVIDIA_DRIVER_CAPABILITIES: compute,utility + mem_guarantee: 14G + node_selector: + node.kubernetes.io/instance-type: g4dn.xlarge + extra_resource_limits: + nvidia.com/gpu: "1" 
diff --git a/eksctl/smithsonian.jsonnet b/eksctl/smithsonian.jsonnet index 943ba20bbc..de44946890 100644 --- a/eksctl/smithsonian.jsonnet +++ b/eksctl/smithsonian.jsonnet @@ -28,6 +28,12 @@ local notebookNodes = [ { instanceType: "r5.xlarge" }, { instanceType: "r5.4xlarge" }, { instanceType: "r5.16xlarge" }, + { + instanceType: "g4dn.xlarge", + tags+: { + "k8s.io/cluster-autoscaler/node-template/resources/nvidia.com/gpu": "1" + }, + }, ]; local daskNodes = [ // Node definitions for dask worker nodes. Config here is merged From fa9b1dbbc7816ba073fd153a334b46ceaa5abfca Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Sep 2023 15:32:15 -0700 Subject: [PATCH 049/125] Restrict GPU profiles to a subset of users --- config/clusters/smithsonian/common.values.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 641650670d..eff3f85b9e 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -38,7 +38,8 @@ basehub: JupyterHub: authenticator_class: github GitHubOAuthenticator: - allowed_organizations: + populate_teams_in_auth_state: true + allowed_organizations: &allowed_github_orgs - 2i2c-org - smithsonian - sidatasciencelab @@ -77,6 +78,7 @@ basehub: description: &profile_list_description "Start a container with at least a chosen share of capacity on a node of this type" slug: small default: true + allowed_teams: *allowed_github_orgs profile_options: image: &profile_options_image display_name: Image @@ -163,6 +165,9 @@ basehub: - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs slug: gpu description: "Start a container on a dedicated node with a GPU" + allowed_teams: + - 2i2c-org:hub-access-for-2i2c-staff + - Smithsonian-SDCH:gpu-users profile_options: image: display_name: Image From f329954f7052fd7320f9c718f7171866350789aa Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Fri, 8 Sep 2023 15:56:23 -0700 Subject: [PATCH 050/125] Enable auth state for GitHub --- config/clusters/smithsonian/common.values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index eff3f85b9e..b0e28fe45c 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -47,6 +47,7 @@ basehub: scope: - read:org Authenticator: + enable_auth_state: true # This hub uses GitHub Orgs auth and so we don't set allowed_users in # order to not deny access to valid members of the listed orgs. These # people should have admin access though. From c0763150b05c51211b6cfa8b6436b7ba1ae5b989 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Sep 2023 16:25:50 -0700 Subject: [PATCH 051/125] Remove multiple defaults from profileList --- config/clusters/smithsonian/common.values.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index b0e28fe45c..499066f1ff 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -117,7 +117,6 @@ basehub: image: "pangeo/ml-notebook:2023.08.29" pytorch: &image_pytorch display_name: Pangeo PyTorch ML Notebook - default: true slug: pytorch kubespawner_override: image: "pangeo/pytorch-notebook:2023.08.29" From 57c65d886f0098c4633136ad4f6c1b7177c8b9bf Mon Sep 17 00:00:00 2001 
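Review bot: `enable_auth_state: true` in smithsonian/common.values.yaml is added without a comment, and it lands directly above an existing comment block that describes something else (`allowed_users` and admin access). With auth state enabled, the hub persists each user's GitHub OAuth token and team list, encrypted, in its database. Record why that is needed, e.g. `# Persist auth_state so GitHub team membership is available for profileList allowed_teams`. The `Authenticator` block continues outside the hunk.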
From: YuviPanda Date: Fri, 8 Sep 2023 19:57:32 -0700 Subject: [PATCH 052/125] Switch researchdelight hub to GitHub authentication - Allow access to members of this team: https://github.com/orgs/2i2c-org/teams/research-delight-team - GPUs shall be gated by membership in a different team, to be provided. Fixes https://github.com/2i2c-org/infrastructure/issues/3099 --- .../enc-researchdelight.secret.values.yaml | 15 ++++++----- .../2i2c-aws-us/researchdelight.values.yaml | 26 +++++++++++++------ 2 files changed, 27 insertions(+), 14 deletions(-) diff --git a/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml b/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml index 3d2d84bd48..f69df82a9f 100644 --- a/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml +++ b/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml 
@@ -2,20 +2,23 @@ basehub: jupyterhub: hub: config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:mBr82zqrB784x/9h2YpDiwPttzA=,iv:g9stn15R7RIl84NCVqzivpwrdX6MVFMulEJi3wHdCcw=,tag:V/BW6JCafJMbAAuaBWYkvg==,type:str] + client_secret: ENC[AES256_GCM,data:w5CT61Tu4UYraJcx64VJVweNYLjpS7PB8G0x1p8l3gKAnpBn6sX43g==,iv:P03azTpBmGrpt/ACXPtVs4fNarZfgcrjAxNFllrUsho=,tag:OF6BHKHd5GrHn5gQxVNi+A==,type:str] CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:do6oRsCHVlEaopw/SGKnudX6QMwTRo/Vco2sBCXkHNJ8aASBToFUlHqG8U8stmAe1eYJ,iv:FgtBzUzC8kap+BASyDY/sqnv1kvItTOX0a1j+mwYsy4=,tag:BhpZ5fAaYzSSIF9/RzLsXg==,type:str] - client_secret: ENC[AES256_GCM,data:1aIn9R5loffBYMuLuzn5+I+QkmX5qE7kYuqEKy0dvKJQZg/LK0yzVKoHiLOIYYJqTToVUMCc+aC+ZYTlNmCvGg3GwYPTkjVChRVYJRUZvl1ELP7YcV0=,iv:YORVpCcx9w4hgyKlomZKyAzEvnm+OFZbPu3tw3DvQAo=,tag:hUeV48uiv5PtjSp96o5n+w==,type:str] + client_id: ENC[AES256_GCM,data:kBmqvTcdnfTlPz2wNOp05Ck66COWMwvRCt7r6pfXLZnFr0v9ylxXwfDXT6v9YNiQ/do7,iv:c62ozJG3A53M37MFHbHINoYxtAwGMlh2y0oAsfuxh6c=,tag:vevTHn44TzlMpdOpSo5O3g==,type:str] + client_secret: ENC[AES256_GCM,data:G/tYPy+EV1HK5XdfTlBDAV/Ld383PQxI3zFwoFJLBKP6J4N211xvtb2AOcsuIfGqRb6o09wEk8QmJ43WoemOpffe3kqC5G5O/zAk9Fhm/5g4hN/PGeQ=,iv:G7uxbw7rqDkvulvPw0ZowgWS97RxHiTD7lbJ4yvgk/g=,tag:kZFlP7qWKC3VAdHokTxu3w==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-03-13T10:27:13Z" - enc: CiUA4OM7eCdS0zudoyhLRbKlG+r1jUBQwFNAczMpasSH5X06+IWHEkkALQgViIkNihiV+Z+ZUwjJcCpuOprNMklD4AJ6UBeHxurj/VMPpCUBgveo7MwK/8+YMYofFpleS4b5rsLJ717oWDJjjM8cA8+W + created_at: "2023-09-09T02:50:00Z" + enc: CiUA4OM7eMBVcbO2oTRqg6XqINmiJiUqwFASA8+gT+IWQCiyCNdHEkkAq2nhVTfMsecT193wXiQYZZO034C3i8BL0wehQJzwvMlvu5r+PjYyIazgauyqQJxZQMvMIkO60/OcCzBEt0clYSj1tRFke98L azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-13T10:27:13Z" - mac: 
ENC[AES256_GCM,data:Bw1VoDnPAN1CvIOruB4SBVJf0gKXFbtOBHAy8gGSbA7s9PdiVN8FNmRSlutC8xKNqSVQ7vmtYhonJ+AHS6+PXa1aAceKMmQAmeMtwqE0HHSwR9Ujcw3F0bkjwHUMHIGgCOm0FawbHtMFBvAYXb8rgtCnZjGirJGmJ4TJ153IpXg=,iv:SsFQArAjuip3KyOvM45TsqHrNO0SQ+sTReuzZ5Yq8GU=,tag:TbqHDResuHQkapqPd9nSBA==,type:str] + lastmodified: "2023-09-09T02:50:00Z" + mac: ENC[AES256_GCM,data:zAVP82LEsEJo1KHKpNHm54uoPNCpQSyB6z1rRyztQ6g/hasEbS9VnC168/CKcx8tMqm25m8/gDu5WOiqZSeBnEmTqrAwSU2pa62A+zmwbORywto4b8BWgNR2Weoc7fD9Azfk4YHdQF/mQszXF207mP41z0yfF7vI7K6mgjZKKM8=,iv:V2OrjCuzY6H8RDOZp4JCFj9xCTF3dpUTpCGfbyYlXZs=,tag:YE8riKjxViXR/QIDATz+gw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 2300745630..8d109a2bf4 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -33,15 +33,16 @@ basehub: tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: - authenticator_class: cilogon - CILogonOAuthenticator: + authenticator_class: github + Authenticator: + enable_auth_state: true + GitHubOAuthenticator: + populate_teams_in_auth_state: true + allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-team scope: - - "profile" - username_claim: "preferred_username" - oauth_callback_url: "https://researchdelight.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize + - read:org singleuser: image: name: quay.io/2i2c/researchdelight-image @@ -49,6 +50,9 @@ basehub: profileList: - display_name: "Shared Small: 1-4 CPU, 8-32 GB" description: "A shared machine, the recommended option until you experience a limitation." + allowed_teams: &allowed_teams + - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-team profile_options: &profile_options image: display_name: Image 
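Review bot: enc-researchdelight.secret.values.yaml still carries `CILogonOAuthenticator.client_id` and `client_secret` after this commit, while the researchdelight.values.yaml hunk switches `authenticator_class` to `github` and removes the `CILogonOAuthenticator` block. Those CILogon credentials now appear unused, yet they are still rendered into the hub's configuration. Drop the two keys from the secret file and deregister or rotate the CILogon client, so an unused but still valid OAuth client secret does not linger. If they are kept on purpose, for instance for a rollback, a comment in the values file should say so.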
@@ -107,6 +111,7 @@ basehub: - display_name: "Small: 4 CPU, 32 GB" description: "A dedicated machine for you." profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 28.937G cpu_guarantee: 0.4 @@ -117,6 +122,7 @@ basehub: - display_name: "Medium: 16 CPU, 128 GB" description: "A dedicated machine for you." profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 120.513G cpu_guarantee: 1.6 @@ -127,6 +133,7 @@ basehub: - display_name: "Large: 64 CPU, 512 GB" description: "A dedicated machine for you" profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 489.13G cpu_guarantee: 6.4 @@ -136,6 +143,9 @@ basehub: - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs slug: gpu + allowed_teams: + # Just 2i2c folks for now + - 2i2c-org:hub-access-for-2i2c-staff description: "Start a container on a dedicated node with a GPU" profile_options: image: From 93f61e047bc8ae3b147375ee4bf8c27d8a21319e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Sep 2023 20:39:47 -0700 Subject: [PATCH 053/125] Specify appropriate team for GPU access --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 8d109a2bf4..c7163a272c 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -144,8 +144,8 @@ basehub: - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs slug: gpu allowed_teams: - # Just 2i2c folks for now - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-gpu-team description: "Start a container on a dedicated node with a GPU" profile_options: image: From ded64f83e2bd65a6a1246671ed16d6b9a7ffcb45 Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Sat, 9 Sep 2023 01:38:41 -0700 Subject: [PATCH 054/125] Move 2i2c shared prometheus to pd-balanced disk - Set up our own StorageClass for GKE clusters specifically for use with prometheus data. - Sets retentionPolicy to 'Retain', so we don't accidentally kill the disk and lose all the data. - Sets the disk type to 'Balanced', which is backed by SSDs and *much* faster than spinning disks. No more grafana timeouts! - Move the existing data by manually attaching to a small VM I created, and then copying over to new PVC. - Reduction in size, as https://github.com/2i2c-org/infrastructure/pull/3093 drastically reduced the size of the data! We went from about 512GB to only about 150GB after that. The size explosion has been solved! 512GB here still gives us enough room to grow. Once this lands, I'll manually go through and do this for every single GCP cluster. Grafana timeouts BE GONE. Ref https://github.com/2i2c-org/infrastructure/issues/2934 Ref https://github.com/2i2c-org/infrastructure/issues/2717 Ref https://github.com/2i2c-org/infrastructure/issues/2847 Fixes https://github.com/2i2c-org/infrastructure/issues/3111 --- config/clusters/2i2c/support.values.yaml | 7 ++- helm-charts/support/templates/pd-ssd.yaml | 9 ---- .../support/templates/storageclass/gke.yaml | 15 +++++++ helm-charts/support/values.schema.yaml | 43 +++++++++++++++++++ helm-charts/support/values.yaml | 13 ++++++ 5 files changed, 77 insertions(+), 10 deletions(-) delete mode 100644 helm-charts/support/templates/pd-ssd.yaml create mode 100644 helm-charts/support/templates/storageclass/gke.yaml diff --git a/config/clusters/2i2c/support.values.yaml b/config/clusters/2i2c/support.values.yaml index 698ba5e55d..10cb266142 100644 --- a/config/clusters/2i2c/support.values.yaml +++ b/config/clusters/2i2c/support.values.yaml 
@@ -1,11 +1,16 @@ prometheusIngressAuthSecret: enabled: true +prometheusStorageClass: + gke: + enabled: true + prometheus: server: persistentVolume: # 100Gi filled up, and this is source of our billing data. - size: 1Ti + size: 512Gi + storageClass: balanced-rwo-retain ingress: enabled: true hosts: diff --git a/helm-charts/support/templates/pd-ssd.yaml b/helm-charts/support/templates/pd-ssd.yaml deleted file mode 100644 index d174b8b167..0000000000 --- a/helm-charts/support/templates/pd-ssd.yaml +++ /dev/null @@ -1,9 +0,0 @@ -# Create an SSD StorageClass for use by Prometheus -# See https://kubernetes.io/docs/concepts/storage/storage-classes/#gce for details -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: ssd -provisioner: kubernetes.io/gce-pd -parameters: - type: pd-ssd \ No newline at end of file diff --git a/helm-charts/support/templates/storageclass/gke.yaml b/helm-charts/support/templates/storageclass/gke.yaml new file mode 100644 index 0000000000..6422ca257f --- /dev/null +++ b/helm-charts/support/templates/storageclass/gke.yaml @@ -0,0 +1,15 @@ +# https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver#create_a_storageclass +# has more information about setting up StorageClass for GCP PD CSI Driver, +# for use in GKE environments. +{{- if .Values.prometheusStorageClass.gke.enabled }} +allowVolumeExpansion: true +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: {{ .Values.prometheusStorageClass.gke.name }} +parameters: {{ .Values.prometheusStorageClass.gke.parameters | toJson }} +provisioner: pd.csi.storage.gke.io +# Don't delete the backing disk when the PVC is deleted +reclaimPolicy: Retain +volumeBindingMode: WaitForFirstConsumer +{{- end }} diff --git a/helm-charts/support/values.schema.yaml b/helm-charts/support/values.schema.yaml index cd0836efcb..d63c7bced4 100644 --- a/helm-charts/support/values.schema.yaml +++ b/helm-charts/support/values.schema.yaml 
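Review bot: `reclaimPolicy: Retain` in the new templates/storageclass/gke.yaml means the PersistentVolume and its disk outlive the PVC. Metrics data therefore stays on an unattached disk after a chart uninstall or a cluster decommission until someone deletes it by hand. Expand the template comment to say that, e.g. `# Retain: the PV and its disk must be deleted manually when the cluster is decommissioned`, and give the decommission procedure a step to find and remove retained disks. The values.schema.yaml and values.yaml hunks of this commit call the setting `retentionPolicy` and `retainPolicy`; the Kubernetes field is `reclaimPolicy`, and using that name in both descriptions keeps them searchable.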
@@ -143,6 +143,49 @@ properties: type: string description: | Password for basic auth protecting prometheus + + prometheusStorageClass: + type: object + additionalProperties: false + description: | + Provision a separate storageClass specifically for storing prometheus + data. Lets us control retentionPolicy (so we do not lose the data + when the cluster is deleted) and type of disk used (for performance + tuning) + required: + - gke + properties: + gke: + type: object + additionalProperties: false + description: | + Provision storageClass in a GKE environment, with the appropriate + GCP PD CSI provisioner. + + https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver has + more information about this provisioner. + required: + - enabled + - parameters + - name + properties: + enabled: + type: boolean + description: | + Enable creating this StorageClass + parameters: + type: object + additionalProperties: true + description: | + Parameters defining properties of the volume provisioned by this + StorageClass. + + For the GCP CSI driver in use here, the parameters are documented at + https://cloud.google.com/kubernetes-engine/docs/how-to/persistent-volumes/gce-pd-csi-driver + name: + type: string + description: | + Name of the StorageClass to create global: type: object additionalProperties: true diff --git a/helm-charts/support/values.yaml b/helm-charts/support/values.yaml index 300187d9ef..686deaeec0 100644 --- a/helm-charts/support/values.yaml +++ b/helm-charts/support/values.yaml 
@@ -444,6 +444,19 @@ nvidiaDevicePlugin: enabled: false version: "stable" +# Setup a separate storageClass specifically for prometheus data +prometheusStorageClass: + gke: + # Defaults to false, until all GKE clusters have been manually + # migrated. Could default to true after that. + enabled: false + # pd-balanced is SSD backed, much faster than spinning standard disks and + # cheaper than pd-ssd. We add the -retain to indicate the retainPolicy + # of Retain, rather than the default of Delete + name: balanced-rwo-retain + parameters: + type: pd-balanced + # A placeholder as global values that can be referenced from the same location # of any chart should be possible to provide, but aren't necessarily provided or # used. From 5f35658b3cc7b59305807df569b1320915c6cc47 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 15:32:47 +0200 Subject: [PATCH 055/125] auth - 2i2c, dask-staging: disable public access --- config/clusters/2i2c/dask-staging.values.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index a8d141f398..0a0119ed56 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -48,16 +48,11 @@ basehub: - "email" - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://accounts.google.com/o/oauth2/auth - - http://github.com/login/oauth/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" allowed_domains: - "2i2c.org" - http://github.com/login/oauth/authorize: - username_derivation: - username_claim: "preferred_username" From 4e4045defeb1f66d78eaabf35e210718fd1bb09e Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sat, 9 Sep 2023 15:52:32 +0200 Subject: [PATCH 056/125] auth - 2i2c-uk, staging: disable public access --- config/clusters/2i2c-uk/staging.values.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml index ce675a453f..26778efe99 100644 --- a/config/clusters/2i2c-uk/staging.values.yaml +++ b/config/clusters/2i2c-uk/staging.values.yaml @@ -38,10 +38,12 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub shown_idps: - - http://github.com/login/oauth/authorize + - http://google.com/accounts/o8/id + allowed_idps: + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" + allowed_domains: + - "2i2c.org" From 9cf6ec6c2fe9f65743eaea649655e42b39946e0d Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 15:53:46 +0200 Subject: [PATCH 057/125] auth - 2i2c, staging: disable public access --- config/clusters/2i2c/staging.values.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index 633e51985b..bd95f724f0 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -56,7 +56,11 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" - username_claim: "email" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id + allowed_idps: + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" + allowed_domains: + - "2i2c.org" From af74dc51b0ffe69b715fdc6a98f9bd5a61a9f9ed Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sat, 9 Sep 2023 15:55:03 +0200 Subject: [PATCH 058/125] auth - 2i2c-aws-us, cosmicds: revert temporarily added access --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index c1ecc32225..77931e0b27 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -82,20 +82,9 @@ jupyterhub: oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback shown_idps: - http://github.com/login/oauth/authorize - # Temporarily enable google & microsoft auth, to be reverted - # after July 21 2023 - # Ref https://github.com/2i2c-org/infrastructure/issues/2128#issuecomment-1633128941 - - http://google.com/accounts/o8/id - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - http://google.com/accounts/o8/id: - username_derivation: - username_claim: "email" - http://login.microsoftonline.com/common/oauth2/v2.0/authorize: - username_derivation: - username_claim: "email" From 1887840d34f1ce14d1e1e7a43815c68c6685500e Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 15:56:10 +0200 Subject: [PATCH 059/125] auth - 2i2c, imagebuilding-demo: disable public access --- config/clusters/2i2c/imagebuilding-demo.values.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 7d70c7e78a..50f311916e 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml 
@@ -66,10 +66,15 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback" - username_claim: "email" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id + allowed_idps: + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" + allowed_domains: + - "2i2c.org" + extraConfig: enable-prototype-UI: | from kubespawner_dynamic_building_ui import TEMPLATE_PATHS, STATIC_HANDLER_TUPLE From 07ca6e491a6bad56b5c5756165af389a1349116c Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 22:29:30 +0200 Subject: [PATCH 060/125] Revert "auth - 2i2c-aws-us, cosmicds: revert temporarily added access" This reverts commit af74dc51b0ffe69b715fdc6a98f9bd5a61a9f9ed. --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 77931e0b27..c1ecc32225 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml 
@@ -82,9 +82,20 @@ jupyterhub: oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback shown_idps: - http://github.com/login/oauth/authorize + # Temporarily enable google & microsoft auth, to be reverted + # after July 21 2023 + # Ref https://github.com/2i2c-org/infrastructure/issues/2128#issuecomment-1633128941 + - http://google.com/accounts/o8/id + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" + http://login.microsoftonline.com/common/oauth2/v2.0/authorize: + username_derivation: + username_claim: "email" From 16a9462a9fc16cea42aa3ca80231fcadff92e2c5 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:00:02 +0200 Subject: [PATCH 061/125] deployer: add fixme note to relax validation after z3jh 3.0.0 upgrade --- deployer/config_validation.py | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/deployer/config_validation.py b/deployer/config_validation.py index 8684ede3c7..9165c03579 100644 --- a/deployer/config_validation.py +++ b/deployer/config_validation.py 
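Review bot: The re-added `allowed_idps` entries for Google and Microsoft carry only `username_claim: "email"` and no `allowed_domains`, so the identity-provider check accepts any account from either provider. Whether access is narrowed afterwards depends on `Authenticator` settings that are outside this hunk. The restored comment still says the access is "to be reverted after July 21 2023", a date already past when this revert was committed, so it no longer tells a reader when the wider access ends. I would replace it with the current condition, for example `# Temporarily enabled, remove after <DATE> (see <ISSUE-URL>)`, and add `allowed_domains` if the intended audience is known.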
@@ -162,7 +162,15 @@ def validate_authenticator_config(cluster_name, hub_name): For each hub of a specific cluster: - It asserts that when the JupyterHub GitHubOAuthenticator is used, then `Authenticator.allowed_users` is not set. - An error is raised otherwise. + + Before oauthenticator 16 / z2jh 3.0.0-beta.3+, allowed_users was an + additional requirement besides being part of an allowed github + organization or team, which made the config likely to not be what we + intended. + + FIXME: Remove this after we have upgraded to oauthenticator 16 / z2jh + 3.0.0-beta.3+, as that makes this config reasonable again, where a + user can be allowed independently from allowing an organization. """ _prepare_helm_charts_dependencies_and_schemas() From 2cf82c514bada65ef0e576cd39221bd8a249286f Mon Sep 17 00:00:00 2001 
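Review bot: The rewritten docstring of `validate_authenticator_config` drops the sentence `An error is raised otherwise.`, so it no longer states what the check does when `allowed_users` is set together with GitHubOAuthenticator. The function body lies outside the hunk, so this is inferred from the removed line, but keeping that sentence before the new paragraph preserves the contract for callers. The FIXME would also be easier to act on with a reference, for example `FIXME(<ISSUE-URL>): Remove this after ...`.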
From: Erik Sundell Date: Sat, 9 Sep 2023 17:01:24 +0200 Subject: [PATCH 062/125] auth - add comments for z2jh 3 upgrade, cleanup redundant config --- config/clusters/2i2c/aup.values.yaml | 5 ++++- config/clusters/2i2c/binder-staging.values.yaml | 1 - config/clusters/2i2c/neurohackademy.values.yaml | 4 ++++ config/clusters/callysto/common.values.yaml | 1 - config/clusters/carbonplan/common.values.yaml | 4 ++++ .../catalystproject-latam/unitefa-conicet.values.yaml | 2 -- config/clusters/cloudbank/ccsf.values.yaml | 1 - config/clusters/cloudbank/elcamino.values.yaml | 1 - config/clusters/cloudbank/howard.values.yaml | 5 ++++- config/clusters/cloudbank/lacc.values.yaml | 5 ++++- config/clusters/cloudbank/mills.values.yaml | 1 - config/clusters/cloudbank/miracosta.values.yaml | 1 - config/clusters/cloudbank/mission.values.yaml | 1 - config/clusters/cloudbank/palomar.values.yaml | 5 ++++- config/clusters/cloudbank/sbcc-dev.values.yaml | 5 ++++- config/clusters/cloudbank/sbcc.values.yaml | 5 ++++- config/clusters/cloudbank/sjsu.values.yaml | 1 - config/clusters/cloudbank/staging.values.yaml | 5 ++++- config/clusters/cloudbank/tuskegee.values.yaml | 5 ++++- config/clusters/gridsst/common.values.yaml | 4 ++++ config/clusters/jupyter-meets-the-earth/common.values.yaml | 5 ++++- config/clusters/meom-ige/common.values.yaml | 4 ++++ config/clusters/openscapes/common.values.yaml | 5 ++++- config/clusters/pangeo-hubs/coessing.values.yaml | 7 ++++--- config/clusters/ubc-eoas/common.values.yaml | 6 +++--- 25 files changed, 63 insertions(+), 26 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 33ef6ca896..4b0a38ae94 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
@@ -41,10 +41,13 @@ jupyterhub: - "profile" username_claim: "preferred_username" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub shown_idps: - http://github.com/login/oauth/authorize Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &aup_users - swalker - shaolintl diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index 14813bacca..ff4227152d 100644 --- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -83,7 +83,6 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id allowed_idps: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 9a492bca4a..f5fba70b7f 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -56,6 +56,10 @@ jupyterhub: JupyterHub: authenticator_class: cilogon Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &neurohackademy_users - arokem admin_users: *neurohackademy_users diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml index 5e155812f6..045570e4f8 100644 --- a/config/clusters/callysto/common.values.yaml +++ b/config/clusters/callysto/common.values.yaml 
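Review bot: The FIXME added above `allowed_users` writes `z3jh 3.0.0` where z2jh is meant, and it does not say which `allow_existing_users` value this hub should get once the setting becomes explicit. That value decides whether users already in the hub database keep access without being listed, so leaving it undecided invites a wrong default at upgrade time. I would word it as `# FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies` / `# allow_existing_users=True, while in z2jh 3.0.0 this needs to be` / `# configured explicitly; decide per hub whether existing users stay allowed.` The same comment is repeated in the later hunks of this commit (neurohackademy, carbonplan, the cloudbank hubs, gridsst, jupyter-meets-the-earth, meom-ige, openscapes, coessing), and the trailing bare `#` line after it can be dropped there too.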
@@ -136,7 +136,6 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) - # Only show the option to login with Google and Mirosoft shown_idps: - https://accounts.google.com/o/oauth2/auth - https://login.microsoftonline.com/common/oauth2/v2.0/authorize diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index a984db5746..08f6605d26 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -186,6 +186,10 @@ basehub: allowNamedServers: true config: Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. + # allowed_users: &users - maxrjones admin_users: *users diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index 5b45e8a68e..a2df37b761 100644 --- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -33,8 +33,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" - username_claim: "email" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id allowed_idps: diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml index f94e2ff8bd..33973fe355 100644 --- a/config/clusters/cloudbank/ccsf.values.yaml +++ b/config/clusters/cloudbank/ccsf.values.yaml 
@@ -35,7 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml index 585428d13e..c17106e95e 100644 --- a/config/clusters/cloudbank/elcamino.values.yaml +++ b/config/clusters/cloudbank/elcamino.values.yaml @@ -34,7 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 60403ebd39..47230603e2 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu @@ -41,6 +40,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index d7657fd83e..d0cfb85396 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml 
@@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu @@ -41,6 +40,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index 86ccc7ee90..3ab1ed7d43 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml index 4cb3cfeec4..571cf69625 100644 --- a/config/clusters/cloudbank/miracosta.values.yaml +++ b/config/clusters/cloudbank/miracosta.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback - # Only show and allow option to login with Google and Miracosta institutional provider shown_idps: - http://google.com/accounts/o8/id - https://miracosta.fedgw.com/gateway diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml index 5dd33723f5..16603ec4cf 100644 --- a/config/clusters/cloudbank/mission.values.yaml +++ b/config/clusters/cloudbank/mission.values.yaml 
@@ -35,7 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index c984cd9ce6..ed70944609 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu @@ -41,6 +40,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index a95946a67e..b9a5978e26 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show and allow the option to login with Google shown_idps: - http://google.com/accounts/o8/id - https://idp.sbcc.edu/idp/shibboleth 
@@ -45,6 +44,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 48a8b1d6e5..bc6de536b7 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show and allow the option to login with Google shown_idps: - http://google.com/accounts/o8/id - https://idp.sbcc.edu/idp/shibboleth @@ -45,6 +44,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml index b2a7913321..eba295012f 100644 --- a/config/clusters/cloudbank/sjsu.values.yaml +++ b/config/clusters/cloudbank/sjsu.values.yaml @@ -38,7 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback - username_claim: "email" shown_idps: - http://google.com/accounts/o8/id - https://idp01.sjsu.edu/idp/shibboleth diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index b4ab54223a..3d2667584c 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml 
@@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show and allow the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu @@ -41,6 +40,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &staging_users - sean.smorris@berkeley.edu admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 158149c164..6a2bd2b849 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml @@ -29,7 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" - # Only show and allow the option to login with Google shown_idps: - http://google.com/accounts/o8/id - urn:mace:incommon:berkeley.edu @@ -41,6 +40,10 @@ jupyterhub: username_derivation: username_claim: "email" Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index 9799545c71..718e911de3 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -37,6 +37,10 @@ basehub: hub: config: Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. + # allowed_users: &gridsst_users - alisonrgray - nikki-t diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 1a15b5c014..0960b1355e 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -225,10 +225,13 @@ basehub: scope: - "profile" username_claim: "preferred_username" - # Only show the option to login with GitHub shown_idps: - http://github.com/login/oauth/authorize Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 18f30f437f..3aa81e4342 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -84,6 +84,10 @@ basehub: hub: config: Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: &users - roxyboy - lesommer diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 4a41e7e19f..2d37014c4e 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -57,7 +57,10 @@ basehub: - jules32 - erinmr - betolink - # Without this, any GitHub user can authenticate + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: *users dask-gateway: gateway: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index f7814d1110..5bdcffc433 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -37,6 +37,10 @@ basehub: Authenticator: admin_users: &admin_users - paigemar@umich.edu + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # allowed_users: *admin_users # Delete any prior existing users in the db that don't pass username_pattern delete_invalid_users: true @@ -44,12 +48,9 @@ basehub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with Google shown_idps: - https://accounts.google.com/o/oauth2/auth allowed_idps: - # CILogon still uses the old google oidc enpoint instead of the new one listed in `shown_idps`. - # Ref https://github.com/ncsa/OA4MP/issues/45 http://google.com/accounts/o8/id: username_derivation: username_claim: "email" diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 2f15acec19..d90b00d44f 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -41,6 +41,9 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + shown_idps: + - https://authentication.ubc.ca + - http://google.com/accounts/o8/id allowed_idps: https://authentication.ubc.ca: username_derivation: 
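Review bot: In the openscapes hunk the comment `# Without this, any GitHub user can authenticate` is replaced by the upgrade FIXME, which removes the only statement of why `allowed_users: *users` must stay. At this commit the file shows no `allowed_idps` restriction, so the list appears to be the access control for the hub, and a later cleanup could delete it as redundant. I would keep the old line directly above `allowed_users`, after the FIXME.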
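Review bot: The second coessing hunk removes the comment explaining why `shown_idps` lists `https://accounts.google.com/o/oauth2/auth` while the `allowed_idps` key is `http://google.com/accounts/o8/id`, yet both values stay as they were. Without the explanation the two identifiers look like a mistake, and aligning them by hand could change which identity provider is actually allowed. I would keep a one-line form of it above the key, `# CILogon uses the old Google identifier here, see https://github.com/ncsa/OA4MP/issues/45`, or change both entries to the same identifier in this commit if the mismatch is no longer needed.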
@@ -52,9 +55,6 @@ jupyterhub: username_claim: email allowed_domains: - 2i2c.org - shown_idps: - - https://authentication.ubc.ca - - http://google.com/accounts/o8/id singleuser: defaultUrl: /lab From 197b1bd33fd987761d1c368b7d86fd488835fecd Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:44:23 +0200 Subject: [PATCH 063/125] auth - openscapes: configure allowed_idps alongside shown_idps --- config/clusters/openscapes/common.values.yaml | 11 +++++++++++ config/clusters/openscapes/prod.values.yaml | 8 -------- config/clusters/openscapes/staging.values.yaml | 8 -------- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 2d37014c4e..cb4feca425 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -51,6 +51,17 @@ basehub: readinessProbe: enabled: false config: + JupyterHub: + authenticator_class: cilogon + CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize + allowed_idps: + http://github.com/login/oauth/authorize: + username_derivation: + username_claim: "preferred_username" Authenticator: admin_users: &users - amfriesz diff --git a/config/clusters/openscapes/prod.values.yaml b/config/clusters/openscapes/prod.values.yaml index ff6e42f256..a937472f8a 100644 --- a/config/clusters/openscapes/prod.values.yaml +++ b/config/clusters/openscapes/prod.values.yaml @@ -92,13 +92,5 @@ basehub: profile_options: *profile_options hub: config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://openscapes.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize 
diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index b616daf78d..13fcfa7ec1 100644 --- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -124,13 +124,5 @@ basehub: name: quay.io/2i2c/unlisted-choice-experiment tag: "0.0.1-0.dev.git.6863.h406a3546" config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize From 812f230ade426732539f95f93b1ad5f91efe9b60 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:45:00 +0200 Subject: [PATCH 064/125] auth - meom-ige: configure allowed_idps alongside shown_idps --- config/clusters/meom-ige/common.values.yaml | 11 +++++++++++ config/clusters/meom-ige/prod.values.yaml | 8 -------- config/clusters/meom-ige/staging.values.yaml | 8 -------- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 3aa81e4342..9b24401572 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -83,6 +83,17 @@ basehub: enabled: false hub: config: + JupyterHub: + authenticator_class: cilogon + CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize + allowed_idps: + http://github.com/login/oauth/authorize: + username_derivation: + username_claim: "preferred_username" Authenticator: # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies # allow_existing_users=True, while in z3jh 3.0.0 this needs to be diff --git a/config/clusters/meom-ige/prod.values.yaml b/config/clusters/meom-ige/prod.values.yaml index 1997a4b214..16a1d3c997 100644 
--- a/config/clusters/meom-ige/prod.values.yaml +++ b/config/clusters/meom-ige/prod.values.yaml @@ -10,13 +10,5 @@ basehub: secretName: https-auto-tls hub: config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://meom-ige.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize diff --git a/config/clusters/meom-ige/staging.values.yaml b/config/clusters/meom-ige/staging.values.yaml index c2201a0589..2be03a1d34 100644 --- a/config/clusters/meom-ige/staging.values.yaml +++ b/config/clusters/meom-ige/staging.values.yaml @@ -10,13 +10,5 @@ basehub: secretName: https-auto-tls hub: config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://staging.meom-ige.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize From 9384c33ee966ba1abb038fdc2ebcb854540cb145 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:45:20 +0200 Subject: [PATCH 065/125] auth - 2i2c, aup: configure allowed_idps alongside shown_idps --- config/clusters/2i2c/aup.values.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 4b0a38ae94..5165598e51 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
@@ -39,10 +39,13 @@ jupyterhub: CILogonOAuthenticator: scope: - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" shown_idps: - http://github.com/login/oauth/authorize + allowed_idps: + http://github.com/login/oauth/authorize: + username_derivation: + username_claim: "preferred_username" Authenticator: # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies # allow_existing_users=True, while in z3jh 3.0.0 this needs to be From c4bd639ce1f9b8bfff0559b59221929640d00285 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:45:43 +0200 Subject: [PATCH 066/125] auth - carbonplan: configure allowed_idps alongside shown_idps --- config/clusters/carbonplan/common.values.yaml | 11 +++++++++++ config/clusters/carbonplan/prod.values.yaml | 8 -------- config/clusters/carbonplan/staging.values.yaml | 8 -------- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 08f6605d26..28a0dd8685 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -185,6 +185,17 @@ basehub: memory: 4Gi allowNamedServers: true config: + JupyterHub: + authenticator_class: cilogon + CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize + allowed_idps: + http://github.com/login/oauth/authorize: + username_derivation: + username_claim: "preferred_username" Authenticator: # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies # allow_existing_users=True, while in z3jh 3.0.0 this needs to diff --git a/config/clusters/carbonplan/prod.values.yaml b/config/clusters/carbonplan/prod.values.yaml index 5dc1865e45..a8f4b3e428 100644 --- a/config/clusters/carbonplan/prod.values.yaml +++ b/config/clusters/carbonplan/prod.values.yaml 
@@ -7,13 +7,5 @@ basehub: secretName: https-auto-tls hub: config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://carbonplan.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize diff --git a/config/clusters/carbonplan/staging.values.yaml b/config/clusters/carbonplan/staging.values.yaml index b44c3c6fbd..64c03a33c2 100644 --- a/config/clusters/carbonplan/staging.values.yaml +++ b/config/clusters/carbonplan/staging.values.yaml @@ -7,13 +7,5 @@ basehub: secretName: https-auto-tls hub: config: - JupyterHub: - authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" - username_claim: "preferred_username" oauth_callback_url: "https://staging.carbonplan.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize From 7cf4cab139827a39f1bde206fe4ec91c9a4541aa Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 17:46:29 +0200 Subject: [PATCH 067/125] auth - jmte: configure allowed_idps alongside shown_idps --- config/clusters/jupyter-meets-the-earth/common.values.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 0960b1355e..ff8a41e278 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -224,9 +224,12 @@ basehub: CILogonOAuthenticator: scope: - "profile" - username_claim: "preferred_username" shown_idps: - http://github.com/login/oauth/authorize + allowed_idps: + http://github.com/login/oauth/authorize: + username_derivation: + username_claim: "preferred_username" Authenticator: # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies # allow_existing_users=True, while in z3jh 3.0.0 this needs to be From abc667aeb8ac96954cb06224a60423493ca14232 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Sep 2023 16:15:06 -0700 Subject: [PATCH 068/125] Remove non-small profile list options from UBC hub Per request at https://2i2c.freshdesk.com/a/tickets/955 --- config/clusters/ubc-eoas/common.values.yaml | 25 --------------------- 1 file changed, 25 deletions(-) diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 2f15acec19..243d7a073c 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -83,31 +83,6 @@ jupyterhub: mem_guarantee: 6.5G node_selector: node.kubernetes.io/instance-type: m5.large - - display_name: "Medium: m5.xlarge" - description: "~4 CPU, ~15G RAM" - profile_options: *profile_options - kubespawner_override: - mem_limit: 15G - mem_guarantee: 12G - node_selector: - node.kubernetes.io/instance-type: m5.xlarge - - display_name: "Large: m5.2xlarge" - description: "~8 CPU, ~30G RAM" - profile_options: *profile_options - kubespawner_override: - mem_limit: 30G - mem_guarantee: 25G - node_selector: - node.kubernetes.io/instance-type: m5.2xlarge - - display_name: "Huge: m5.8xlarge" - description: "~16 CPU, ~60G RAM" - profile_options: *profile_options - kubespawner_override: - mem_limit: 60G - mem_guarantee: 50G - node_selector: - node.kubernetes.io/instance-type: m5.8xlarge - scheduling: userScheduler: enabled: true From 9d5b6ef1da86422c7cdd1ec63d3162a7570ab912 Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Sat, 9 Sep 2023 16:18:19 -0700 Subject: [PATCH 069/125] Add Henryk as technical representative for UBC Per https://2i2c.freshdesk.com/a/tickets/955 --- config/clusters/ubc-eoas/common.values.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 2f15acec19..2923a4adfd 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -36,8 +36,9 @@ jupyterhub: config: Authenticator: admin_users: - - ckrzysik # Primary technical representative, Charles Krzysik - - lheagy # Secondary technical representative, Lindsey Heagy + - ckrzysik # Technical representative, Charles Krzysik + - lheagy # Technical representative, Lindsey Heagy + - hmodzelewski # Technical representative, Henryk Modzelewski JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: From db6821ec05adfeea3fe444d70b4ee5b3b502c33e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Sep 2023 16:43:24 -0700 Subject: [PATCH 070/125] Cleanup UBC EOAS profile list There was only one profile with two options - let's just split that out into two profiles. Ref https://2i2c.freshdesk.com/a/tickets/955 --- config/clusters/ubc-eoas/common.values.yaml | 33 ++++++++++----------- 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 1e8c692ce1..115b7ebac9 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml 
@@ -60,30 +60,27 @@ jupyterhub: singleuser: defaultUrl: /lab profileList: - - display_name: "Small: m5.large" - description: "~2 CPU, ~8G RAM" + - display_name: EOSC211 + description: "For class EOSC211, provides ~2 CPU and ~8G RAM" default: true - profile_options: &profile_options - environment: - display_name: Environment - choices: - eosc211: - display_name: EOSC211 - kubespawner_override: - # Using 'latest' for now so updates do not require 2i2c - # involvement. - image: quay.io/henrykmodzelewski/2i2c-eosc211:latest - eosc350: - display_name: EOSC350 - kubespawner_override: - # Using 'latest' for now so updates do not require 2i2c - # involvement. - image: quay.io/henrykmodzelewski/2i2c-eosc350:latest kubespawner_override: mem_limit: 8G mem_guarantee: 6.5G node_selector: node.kubernetes.io/instance-type: m5.large + # Using 'latest' for now so updates do not require 2i2c + # involvement. + image: quay.io/henrykmodzelewski/2i2c-eosc211:latest + - display_name: EOSC350 + description: "For class EOSC350, provides ~2 CPU and ~8G RAM" + kubespawner_override: + mem_limit: 8G + mem_guarantee: 6.5G + node_selector: + node.kubernetes.io/instance-type: m5.large + # Using 'latest' for now so updates do not require 2i2c + # involvement. + image: quay.io/henrykmodzelewski/2i2c-eosc350:latest scheduling: userScheduler: enabled: true From 6687016d633c537923f00474e4c2c0ebd4f77bd0 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sat, 9 Sep 2023 16:47:39 -0700 Subject: [PATCH 071/125] Fix indentation --- config/clusters/ubc-eoas/common.values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index 115b7ebac9..e52b05117b 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml 
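Review bot: Both profiles set `image:` to a `:latest` tag in a `quay.io/henrykmodzelewski/` repository, so whatever is pushed there next is what user pods run, without any change passing through review here. The existing comment records that this is deliberate, but it does not name the trade-off or say who controls the repository. I would extend it to something like `# 'latest' is mutable: image contents can change without a change in this repo; the quay.io repo is maintained by the community, not by 2i2c`. Once the course images settle, pinning with `image: quay.io/henrykmodzelewski/2i2c-eosc211@sha256:<digest-placeholder>` (and likewise for eosc350) would make rollouts explicit and auditable.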
@@ -68,9 +68,9 @@ jupyterhub: mem_guarantee: 6.5G node_selector: node.kubernetes.io/instance-type: m5.large - # Using 'latest' for now so updates do not require 2i2c - # involvement. - image: quay.io/henrykmodzelewski/2i2c-eosc211:latest + # Using 'latest' for now so updates do not require 2i2c + # involvement. + image: quay.io/henrykmodzelewski/2i2c-eosc211:latest - display_name: EOSC350 description: "For class EOSC350, provides ~2 CPU and ~8G RAM" kubespawner_override: @@ -78,9 +78,9 @@ jupyterhub: mem_guarantee: 6.5G node_selector: node.kubernetes.io/instance-type: m5.large - # Using 'latest' for now so updates do not require 2i2c - # involvement. - image: quay.io/henrykmodzelewski/2i2c-eosc350:latest + # Using 'latest' for now so updates do not require 2i2c + # involvement. + image: quay.io/henrykmodzelewski/2i2c-eosc350:latest scheduling: userScheduler: enabled: true From 1cb2c84b262a528aa906df764e4f7212b108cf9b Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Sun, 10 Sep 2023 16:11:15 -0700 Subject: [PATCH 072/125] Re-enable dirsize reporter for shared cluster https://github.com/2i2c-org/infrastructure/issues/2930 was basically solved by https://github.com/2i2c-org/infrastructure/pull/3093, so let's re-enable this and see how that goes. Doing it only in the shared cluster - let's keep an eye on this. --- config/clusters/2i2c/basehub-common.values.yaml | 2 ++ config/clusters/2i2c/daskhub-common.values.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/config/clusters/2i2c/basehub-common.values.yaml b/config/clusters/2i2c/basehub-common.values.yaml index f6def81488..a3024d57c5 100644 --- a/config/clusters/2i2c/basehub-common.values.yaml +++ b/config/clusters/2i2c/basehub-common.values.yaml @@ -1,5 +1,7 @@ nfs: enabled: true + dirsizeReporter: + enabled: true pv: mountOptions: - soft diff --git a/config/clusters/2i2c/daskhub-common.values.yaml b/config/clusters/2i2c/daskhub-common.values.yaml index f4c07b56b4..8969c703fe 100644 
--- a/config/clusters/2i2c/daskhub-common.values.yaml +++ b/config/clusters/2i2c/daskhub-common.values.yaml @@ -1,6 +1,8 @@ basehub: nfs: enabled: true + dirsizeReporter: + enabled: true pv: mountOptions: - soft From b0df532828f95ea84afbb628789e682f2fafb75f Mon Sep 17 00:00:00 2001 From: sudobangbang Date: Mon, 11 Sep 2023 07:31:48 -0700 Subject: [PATCH 073/125] remove post-start hook remove post-start hook so we can just update the image --- config/clusters/nasa-veda/common.values.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index c5e60cab93..2eb76b999e 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -61,12 +61,6 @@ basehub: # Based off pangeo/pangeo-notebook:2023.07.05 which uses JupyterLab <4, so jupyterlab-git and dask-dashboard work # If updating this tag, also update it in the `profile_options.image.options.pangeo.kubespawner_override.image`below tag: "5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460" - lifecycleHooks: - postStart: - exec: - command: - - "python3" - - "/opt/k8s-lifecycle-hook-post-start.py" profileList: # NOTE: About node sharing # From bc3cfaa4d12b77ffdfc7c7c8d0cab1503d758c09 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Mon, 11 Sep 2023 10:17:14 -0700 Subject: [PATCH 074/125] Provide more resources to dirsize collector Ref https://github.com/2i2c-org/infrastructure/issues/3121#issuecomment-1714265067 --- helm-charts/basehub/templates/home-dirsize-reporter.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/helm-charts/basehub/templates/home-dirsize-reporter.yaml b/helm-charts/basehub/templates/home-dirsize-reporter.yaml index 494ac3c05e..d002634ddc 100644 --- a/helm-charts/basehub/templates/home-dirsize-reporter.yaml +++ b/helm-charts/basehub/templates/home-dirsize-reporter.yaml 
@@ -37,16 +37,16 @@ spec: # From https://github.com/yuvipanda/prometheus-dirsize-exporter image: quay.io/yuvipanda/prometheus-dirsize-exporter:v2.0 resources: - # Provide *very few* resources for this collector, as it can + # Provide limited resources for this collector, as it can # baloon up (especially in CPU) quite easily. We are quite ok with # the collection taking a while as long as we aren't costing too much # CPU or RAM requests: - memory: 16Mi + memory: 128Mi cpu: 0.01 limits: cpu: 0.05 - memory: 128Mi + memory: 256Mi command: - dirsize-exporter - /shared-volume From dcbd71ab17d143fa11c624c40164d676bd50c3dc Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sat, 9 Sep 2023 15:55:03 +0200 Subject: [PATCH 075/125] auth - 2i2c-aws-us, cosmicds: revert temporarily added access --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index c1ecc32225..77931e0b27 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml 
@@ -82,20 +82,9 @@ jupyterhub: oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback shown_idps: - http://github.com/login/oauth/authorize - # Temporarily enable google & microsoft auth, to be reverted - # after July 21 2023 - # Ref https://github.com/2i2c-org/infrastructure/issues/2128#issuecomment-1633128941 - - http://google.com/accounts/o8/id - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - http://google.com/accounts/o8/id: - username_derivation: - username_claim: "email" - http://login.microsoftonline.com/common/oauth2/v2.0/authorize: - username_derivation: - username_claim: "email" From d5ce1d19ad50c19cdd1bf2a1833401053b41a90c Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Mon, 11 Sep 2023 14:15:17 -0700 Subject: [PATCH 076/125] add veda docs through init containers --- config/clusters/nasa-veda/common.values.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 2eb76b999e..672f227482 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -96,6 +96,18 @@ basehub: slug: pangeo kubespawner_override: image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 + init_containers: + - name: nasa-veda-singleuser-init + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + command: + - "python3" + - "/opt/k8s-init-container-nb-docs.py" + - "/home/jovyan/shared" + volume_mounts: + # Mount the shared readonly directory + - name: home + mountPath: /home/jovyan/shared + subPath: _shared rocker: display_name: Rocker Geospatial with RStudio slug: rocker @@ -107,6 +119,13 @@ basehub: # https://github.com/2i2c-org/infrastructure/issues/2559 working_dir: /home/rstudio # Because this is a list, it will override our default volume mounts + init_containers: + - name: nasa-veda-singleuser-init + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + command: + - "python3" + - "/opt/k8s-init-container-nb-docs.py" + - "/home/rstudio/shared" volume_mounts: # Mount the user home directory - name: home From c1a352b090cf62d82eb44b7d9decfbbd21150181 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Mon, 11 Sep 2023 14:23:09 -0700 Subject: [PATCH 077/125] do not use shared --- config/clusters/nasa-veda/common.values.yaml | 29 +++++++++++--------- 1 file changed, 16 insertions(+), 13 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 672f227482..f595b1d6f3 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -102,12 +102,11 @@ basehub: command: - "python3" - "/opt/k8s-init-container-nb-docs.py" - - "/home/jovyan/shared" - volume_mounts: - # Mount the shared readonly directory - - name: home - mountPath: /home/jovyan/shared - subPath: _shared + - "/home/jovyan" + volume_mounts: + - name: home + mountPath: /home/jovyan + subPath: "{username}" rocker: display_name: Rocker Geospatial with RStudio slug: rocker @@ -119,13 +118,6 @@ basehub: # https://github.com/2i2c-org/infrastructure/issues/2559 working_dir: /home/rstudio # Because this is a list, it will override our default volume mounts - init_containers: - - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 - command: - - "python3" - - "/opt/k8s-init-container-nb-docs.py" - - "/home/rstudio/shared" volume_mounts: # Mount the user home directory - name: home @@ -136,6 +128,17 @@ basehub: mountPath: /home/rstudio/shared subPath: _shared readOnly: true + init_containers: + - name: nasa-veda-singleuser-init + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + command: + - "python3" + - "/opt/k8s-init-container-nb-docs.py" + - "/home/rstudio" + volume_mounts: + - name: home + mountPath: /home/rstudio + subPath: "{username}" requests: # NOTE: Node share choices are in active development, see comment # next to profileList: above. From eb46cfc038f07bde111a02b227acede13d6d26da Mon Sep 17 00:00:00 2001 From: sudobangbang Date: Mon, 11 Sep 2023 16:26:45 -0700 Subject: [PATCH 078/125] Update config/clusters/nasa-veda/common.values.yaml Co-authored-by: Yuvi Panda --- config/clusters/nasa-veda/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index f595b1d6f3..c7aad1529a 100644 --- a/config/clusters/nasa-veda/common.values.yaml 
+++ b/config/clusters/nasa-veda/common.values.yaml @@ -103,7 +103,7 @@ basehub: - "python3" - "/opt/k8s-init-container-nb-docs.py" - "/home/jovyan" - volume_mounts: + volumeMounts: - name: home mountPath: /home/jovyan subPath: "{username}" From abeaca10bc41d569a97d57d089efaf907951bec7 Mon Sep 17 00:00:00 2001 From: sudobangbang Date: Mon, 11 Sep 2023 16:26:51 -0700 Subject: [PATCH 079/125] Update config/clusters/nasa-veda/common.values.yaml Co-authored-by: Yuvi Panda --- config/clusters/nasa-veda/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index c7aad1529a..a67753f3bc 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -135,7 +135,7 @@ basehub: - "python3" - "/opt/k8s-init-container-nb-docs.py" - "/home/rstudio" - volume_mounts: + volumeMounts: - name: home mountPath: /home/rstudio subPath: "{username}" From 61e9ee9f8b58e6118852b5066b55c63a05276df2 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 12 Sep 2023 01:19:06 +0200 Subject: [PATCH 080/125] deployer: make use-cluster-credentials less intrusive for gcp clusters --- deployer/cluster.py | 45 +++++++++++++++++++-------------------------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/deployer/cluster.py b/deployer/cluster.py index 73804c1f01..6b5149fda5 100644 --- a/deployer/cluster.py +++ b/deployer/cluster.py 
@@ -222,26 +222,16 @@ def auth_gcp(self): # Else, it'll just have a `zone` key set. Let's respect either. location = config.get("zone", config.get("region")) cluster = config["cluster"] - with tempfile.NamedTemporaryFile() as kubeconfig: - # CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE is removed as the action of - # "gcloud auth activate-server-account" will be secondary to it - # otherwise, and this env var can be set by GitHub Actions we use - # before using this deployer script to deploy hubs to clusters. - orig_cloudsdk_auth_credential_file_override = os.environ.pop( - "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE", None - ) - orig_kubeconfig = os.environ.get("KUBECONFIG") - try: + + orig_file = os.environ.get("CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE") + orig_kubeconfig = os.environ.get("KUBECONFIG") + try: + with ( + tempfile.NamedTemporaryFile() as kubeconfig, + get_decrypted_file(key_path) as decrypted_file, + ): os.environ["KUBECONFIG"] = kubeconfig.name - with get_decrypted_file(key_path) as decrypted_key_path: - subprocess.check_call( - [ - "gcloud", - "auth", - "activate-service-account", - f"--key-file={os.path.abspath(decrypted_key_path)}", - ] - ) + os.environ["CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"] = decrypted_file subprocess.check_call( [ @@ -257,10 +247,13 @@ def auth_gcp(self): ) yield - finally: - if orig_kubeconfig is not None: - os.environ["KUBECONFIG"] = orig_kubeconfig - if orig_cloudsdk_auth_credential_file_override is not None: - os.environ[ - "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE" - ] = orig_cloudsdk_auth_credential_file_override + finally: + # restore modified environment variables to its previous state + if orig_kubeconfig is not None: + os.environ["KUBECONFIG"] = orig_kubeconfig + else: + os.environ.pop("KUBECONFIG") + if orig_file is not None: + os.environ["CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE"] = orig_file + else: + os.environ.pop("CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE") 
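Review bot: In the new `finally:` block, `os.environ.pop("KUBECONFIG")` and `os.environ.pop("CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE")` raise `KeyError` when the variable was never set. That happens if `tempfile.NamedTemporaryFile()` or `get_decrypted_file(key_path)` fails before the two assignments inside the `with`, and the `KeyError` then replaces the original exception, hiding why credential setup failed. Pass a default in both places: `os.environ.pop("KUBECONFIG", None)` and `os.environ.pop("CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE", None)`. The removed comment explaining why this variable matters has no replacement, so I would also add `# Point gcloud at the decrypted key only for the duration of this context` above the assignment. `auth_gcp` starts outside these hunks.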
From 42f51c3a487c55618cc367cf4d6aae43db42a67a Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Mon, 11 Sep 2023 16:36:08 -0700 Subject: [PATCH 081/125] add commments --- config/clusters/nasa-veda/common.values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index a67753f3bc..2c20492ac0 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -97,6 +97,8 @@ basehub: kubespawner_override: image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 init_containers: + # this container loads uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods + # source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 command: @@ -129,6 +131,8 @@ basehub: subPath: _shared readOnly: true init_containers: + # this container loads uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods + # source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 command: From 9807ed7130fb25c929f6de7ff3e7f50cee2095da Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Mon, 11 Sep 2023 19:21:40 -0700 Subject: [PATCH 082/125] add init_containers to unlist_choice --- config/clusters/nasa-veda/common.values.yaml | 21 ++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) 
diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 2c20492ac0..bc18ce187f 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -89,6 +89,19 @@ basehub: validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" + init_containers: + # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods + # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init + - name: nasa-veda-singleuser-init + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + command: + - "python3" + - "/opt/k8s-init-container-nb-docs.py" + - "/home/jovyan" + volumeMounts: + - name: home + mountPath: /home/jovyan + subPath: "{username}" choices: pangeo: display_name: Modified Pangeo Notebook @@ -97,8 +110,8 @@ basehub: kubespawner_override: image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 init_containers: - # this container loads uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods - # source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init + # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods + # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 command: 
@@ -131,8 +144,8 @@ basehub: subPath: _shared readOnly: true init_containers: - # this container loads uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods - # source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init + # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods + # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 command: From a507332dda1158f8094d3fd3fd9a2a8021757edd Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Tue, 12 Sep 2023 12:03:15 -0700 Subject: [PATCH 083/125] remove init contianer from 'unlisted_option' --- config/clusters/nasa-veda/common.values.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index bc18ce187f..b425d83bf6 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -89,19 +89,6 @@ basehub: validation_message: "Must be a publicly available docker image, of form :" kubespawner_override: image: "{value}" - init_containers: - # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods - # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 - command: - - "python3" - - "/opt/k8s-init-container-nb-docs.py" - - "/home/jovyan" - volumeMounts: - - name: home - mountPath: /home/jovyan - subPath: "{username}" choices: pangeo: display_name: Modified Pangeo Notebook From b3dbb5efd5ff88335f12dd8fd6b8de5713ab8afa Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Tue, 12 Sep 2023 19:03:20 -0700 Subject: [PATCH 084/125] new image and securityContext --- config/clusters/nasa-veda/common.values.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index b425d83bf6..6e642954bf 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -100,7 +100,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:a6db72110a0dfed84b8926a9b7e9d5ad0f1b4861490a2d6b36c87ac2d4f89064 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" 
@@ -109,6 +109,9 @@ basehub: - name: home mountPath: /home/jovyan subPath: "{username}" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 rocker: display_name: Rocker Geospatial with RStudio slug: rocker @@ -134,7 +137,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:1fd99797107550a50d58ce7e5dd4042e37a065ac2f88576bd32c8b7211e445e3 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:a6db72110a0dfed84b8926a9b7e9d5ad0f1b4861490a2d6b36c87ac2d4f89064 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" @@ -143,6 +146,9 @@ basehub: - name: home mountPath: /home/rstudio subPath: "{username}" + securityContext: + runAsUser: 1000 + runAsGroup: 1000 requests: # NOTE: Node share choices are in active development, see comment # next to profileList: above. From 18ddef93b3192537635f4536dc3f6e302fd43a3b Mon Sep 17 00:00:00 2001 
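Review bot: The `securityContext` added to both `nasa-veda-singleuser-init` entries sets only `runAsUser: 1000` and `runAsGroup: 1000`. Because the init container is written as a raw container spec with the user's home mounted read-write, it presumably does not inherit whatever hardening the chart applies to the notebook container. I would add `allowPrivilegeEscalation: false` and `runAsNonRoot: true` next to the uid/gid in both places. The new image reference uses a 64-character hex tag that reads like a digest but is still a tag, so a comment such as `# NOTE: this is a tag, not an @sha256 digest` would stop readers assuming it is immutable. The enclosing `kubespawner_override` mappings start outside these hunks.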
From: Erik Sundell Date: Sun, 10 Sep 2023 17:13:29 +0200 Subject: [PATCH 085/125] oauthenticator 16: remove shown_idps, allowed_idps now provides that effect --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 2 -- config/clusters/2i2c-uk/staging.values.yaml | 2 -- config/clusters/2i2c/aup.values.yaml | 2 -- config/clusters/2i2c/binder-staging.values.yaml | 2 -- config/clusters/2i2c/dask-staging.values.yaml | 2 -- config/clusters/2i2c/demo.values.yaml | 4 ---- config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 -- config/clusters/2i2c/mtu.values.yaml | 3 --- config/clusters/2i2c/neurohackademy.values.yaml | 2 -- config/clusters/2i2c/staging.values.yaml | 2 -- config/clusters/2i2c/temple.values.yaml | 3 --- config/clusters/2i2c/ucmerced.values.yaml | 3 --- config/clusters/callysto/common.values.yaml | 3 --- config/clusters/carbonplan/common.values.yaml | 2 -- .../catalystproject-latam/unitefa-conicet.values.yaml | 2 -- config/clusters/cloudbank/bcc.values.yaml | 2 -- config/clusters/cloudbank/ccsf.values.yaml | 3 --- config/clusters/cloudbank/csm.values.yaml | 3 --- config/clusters/cloudbank/csulb.values.yaml | 4 ---- config/clusters/cloudbank/demo.values.yaml | 3 --- config/clusters/cloudbank/dvc.values.yaml | 4 ---- config/clusters/cloudbank/elcamino.values.yaml | 3 --- config/clusters/cloudbank/evc.values.yaml | 4 ---- config/clusters/cloudbank/fresno.values.yaml | 4 ---- config/clusters/cloudbank/glendale.values.yaml | 3 --- config/clusters/cloudbank/howard.values.yaml | 3 --- config/clusters/cloudbank/humboldt.values.yaml | 4 ---- config/clusters/cloudbank/lacc.values.yaml | 3 --- config/clusters/cloudbank/laney.values.yaml | 4 ---- config/clusters/cloudbank/mills.values.yaml | 3 --- config/clusters/cloudbank/miracosta.values.yaml | 4 ---- config/clusters/cloudbank/mission.values.yaml | 3 --- config/clusters/cloudbank/norco.values.yaml | 4 ---- config/clusters/cloudbank/palomar.values.yaml | 3 --- config/clusters/cloudbank/pasadena.values.yaml | 3 --- 
config/clusters/cloudbank/sacramento.values.yaml | 3 --- config/clusters/cloudbank/saddleback.values.yaml | 3 --- config/clusters/cloudbank/santiago.values.yaml | 4 ---- config/clusters/cloudbank/sbcc-dev.values.yaml | 4 ---- config/clusters/cloudbank/sbcc.values.yaml | 4 ---- config/clusters/cloudbank/sjcc.values.yaml | 4 ---- config/clusters/cloudbank/sjsu.values.yaml | 4 ---- config/clusters/cloudbank/skyline.values.yaml | 3 --- config/clusters/cloudbank/srjc.values.yaml | 3 --- config/clusters/cloudbank/staging.values.yaml | 3 --- config/clusters/cloudbank/tuskegee.values.yaml | 3 --- config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 -- config/clusters/meom-ige/common.values.yaml | 2 -- config/clusters/openscapes/common.values.yaml | 2 -- config/clusters/pangeo-hubs/coessing.values.yaml | 2 -- config/clusters/ubc-eoas/common.values.yaml | 3 --- config/clusters/utoronto/common.values.yaml | 2 -- docs/hub-deployment-guide/configure-auth/cilogon.md | 6 ------ 53 files changed, 160 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 77931e0b27..5c060ab0af 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -80,8 +80,6 @@ jupyterhub: - "email" - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml index 26778efe99..6e6535a155 100644 --- a/config/clusters/2i2c-uk/staging.values.yaml +++ b/config/clusters/2i2c-uk/staging.values.yaml 
@@ -39,8 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 5165598e51..7fe2a8db21 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -40,8 +40,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index ff4227152d..8bc852e22b 100644 --- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -83,8 +83,6 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index 0a0119ed56..52f380bdf7 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -48,8 +48,6 @@ basehub: - "email" - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml index 134f3c351b..f43990eab6 100644 --- a/config/clusters/2i2c/demo.values.yaml +++ b/config/clusters/2i2c/demo.values.yaml 
@@ -31,10 +31,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback - shown_idps: - # Allow Google for 2i2c.org anr dmbl - - https://accounts.google.com/o/oauth2/auth - - https://enterprise.login.utexas.edu/idp/shibboleth allowed_idps: # UTexas hub https://enterprise.login.utexas.edu/idp/shibboleth: diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 50f311916e..94e36d083f 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -66,8 +66,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml index 040b7a27f2..987dec4528 100644 --- a/config/clusters/2i2c/mtu.values.yaml +++ b/config/clusters/2i2c/mtu.values.yaml @@ -39,9 +39,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.mtu.edu/idp/shibboleth allowed_idps: # Allow 2i2c staff to login with Google http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index f5fba70b7f..34d3cbdb8e 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -67,8 +67,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: 
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index bd95f724f0..c37f1e6f97 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -56,8 +56,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml index 4ee80ae16b..5285b79915 100644 --- a/config/clusters/2i2c/temple.values.yaml +++ b/config/clusters/2i2c/temple.values.yaml @@ -34,9 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://fim.temple.edu/idp/shibboleth - - https://accounts.google.com/o/oauth2/auth allowed_idps: https://fim.temple.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml index 2f6801e162..bfe3f70435 100644 --- a/config/clusters/2i2c/ucmerced.values.yaml +++ b/config/clusters/2i2c/ucmerced.values.yaml @@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback - shown_idps: - - urn:mace:incommon:ucmerced.edu - - https://accounts.google.com/o/oauth2/auth allowed_idps: urn:mace:incommon:ucmerced.edu: username_derivation: diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml index 045570e4f8..d458fe5809 100644 --- a/config/clusters/callysto/common.values.yaml +++ b/config/clusters/callysto/common.values.yaml 
@@ -136,9 +136,6 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) - shown_idps: - - https://accounts.google.com/o/oauth2/auth - - https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 28a0dd8685..0da15e048d 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -190,8 +190,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index a2df37b761..700d3b59d9 100644 --- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -33,8 +33,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml index 639ca29399..82efa8756e 100644 --- a/config/clusters/cloudbank/bcc.values.yaml +++ b/config/clusters/cloudbank/bcc.values.yaml @@ -33,8 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml index 33973fe355..133c1ecbbf 100644 --- a/config/clusters/cloudbank/ccsf.values.yaml +++ b/config/clusters/cloudbank/ccsf.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml index 240ea4039e..212bb96c36 100644 --- a/config/clusters/cloudbank/csm.values.yaml +++ b/config/clusters/cloudbank/csm.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml index 4ae0342c76..554bac1627 100644 --- a/config/clusters/cloudbank/csulb.values.yaml +++ b/config/clusters/cloudbank/csulb.values.yaml @@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://its-shib.its.csulb.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml index 6fdfc4d9b6..582082b218 100644 --- a/config/clusters/cloudbank/demo.values.yaml +++ b/config/clusters/cloudbank/demo.values.yaml 
@@ -38,9 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml index 2ad2b663a4..d3a1e06dcf 100644 --- a/config/clusters/cloudbank/dvc.values.yaml +++ b/config/clusters/cloudbank/dvc.values.yaml @@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml index c17106e95e..2251ab5601 100644 --- a/config/clusters/cloudbank/elcamino.values.yaml +++ b/config/clusters/cloudbank/elcamino.values.yaml @@ -34,9 +34,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml index 2ff4485923..d0b4a04c28 100644 --- a/config/clusters/cloudbank/evc.values.yaml +++ b/config/clusters/cloudbank/evc.values.yaml 
@@ -33,10 +33,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml index 82b4ae01c4..aa68e5cd00 100644 --- a/config/clusters/cloudbank/fresno.values.yaml +++ b/config/clusters/cloudbank/fresno.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - https://idp.scccd.edu/idp/shibboleth - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: https://idp.scccd.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml index 6e2907e48c..e061af47a1 100644 --- a/config/clusters/cloudbank/glendale.values.yaml +++ b/config/clusters/cloudbank/glendale.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 47230603e2..fe5d9c4cd3 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml index b8b5687663..a23fb82f0e 100644 --- a/config/clusters/cloudbank/humboldt.values.yaml +++ b/config/clusters/cloudbank/humboldt.values.yaml @@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://sso.humboldt.edu/idp/metadata - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index d0cfb85396..5c3e8e6442 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml index 635b814676..030a83fda3 100644 --- a/config/clusters/cloudbank/laney.values.yaml +++ b/config/clusters/cloudbank/laney.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index 3ab1ed7d43..aac9ca925a 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml index 571cf69625..498591ee0c 100644 --- a/config/clusters/cloudbank/miracosta.values.yaml +++ b/config/clusters/cloudbank/miracosta.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://miracosta.fedgw.com/gateway - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml index 16603ec4cf..8201315abe 100644 --- a/config/clusters/cloudbank/mission.values.yaml +++ b/config/clusters/cloudbank/mission.values.yaml 
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml index 5d42630565..cfdbaf302a 100644 --- a/config/clusters/cloudbank/norco.values.yaml +++ b/config/clusters/cloudbank/norco.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index ed70944609..81ae2bd4c3 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml index 34d3e1f0fb..a2d10d2a68 100644 --- a/config/clusters/cloudbank/pasadena.values.yaml +++ b/config/clusters/cloudbank/pasadena.values.yaml 
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml index 3ad1eea699..41d5bab610 100644 --- a/config/clusters/cloudbank/sacramento.values.yaml +++ b/config/clusters/cloudbank/sacramento.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml index b266acf112..04bb50c6e0 100644 --- a/config/clusters/cloudbank/saddleback.values.yaml +++ b/config/clusters/cloudbank/saddleback.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml index 8b7bb5f559..64584ef345 100644 --- a/config/clusters/cloudbank/santiago.values.yaml +++ b/config/clusters/cloudbank/santiago.values.yaml 
@@ -35,10 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index b9a5978e26..56f4cd6d44 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index bc6de536b7..638eb616ba 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - https://idp.sbcc.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml index c7e631b968..ea7c8b661c 100644 --- a/config/clusters/cloudbank/sjcc.values.yaml +++ b/config/clusters/cloudbank/sjcc.values.yaml 
@@ -29,10 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://login.microsoftonline.com/common/oauth2/v2.0/authorize - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml index eba295012f..8272328530 100644 --- a/config/clusters/cloudbank/sjsu.values.yaml +++ b/config/clusters/cloudbank/sjsu.values.yaml @@ -38,10 +38,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - https://idp01.sjsu.edu/idp/shibboleth - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml index 55ba9646aa..6473ee80de 100644 --- a/config/clusters/cloudbank/skyline.values.yaml +++ b/config/clusters/cloudbank/skyline.values.yaml @@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml index 55123f9bed..9f94a9a215 100644 --- a/config/clusters/cloudbank/srjc.values.yaml +++ b/config/clusters/cloudbank/srjc.values.yaml 
@@ -35,9 +35,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 3d2667584c..806d18a453 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 6a2bd2b849..12a0b32027 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml @@ -29,9 +29,6 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" - shown_idps: - - http://google.com/accounts/o8/id - - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index ff8a41e278..cc32d97778 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -224,8 +224,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: 
diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 9b24401572..f331c83a5b 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -88,8 +88,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index cb4feca425..5428b18501 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -56,8 +56,6 @@ basehub: CILogonOAuthenticator: scope: - "profile" - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 5bdcffc433..6a19477097 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -48,8 +48,6 @@ basehub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" - shown_idps: - - https://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index fbbbf9ec92..bdf33cc29f 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -42,9 +42,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - shown_idps: - - https://authentication.ubc.ca - - http://google.com/accounts/o8/id allowed_idps: https://authentication.ubc.ca: username_derivation: 
diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml index 984e89b54c..a47175f4f8 100644 --- a/config/clusters/utoronto/common.values.yaml +++ b/config/clusters/utoronto/common.values.yaml @@ -81,8 +81,6 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback - shown_idps: - - https://idpz.utorauth.utoronto.ca/shibboleth allowed_idps: https://idpz.utorauth.utoronto.ca/shibboleth: username_derivation: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index de91c07245..bb8c7e0790 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -69,10 +69,6 @@ jupyterhub: - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback - # Show only the option to login with Google and ANU's provider - shown_idps: - - http://google.com/accounts/o8/id - - https://idp2.anu.edu.au/idp/shibboleth # Allow to only login into the hub using Google or ANU's provider allowed_idps: http://google.com/accounts/o8/id: @@ -122,8 +118,6 @@ jupyterhub: scope: - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback - shown_idps: - - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: From 640660d53ccbfdb8dfb5113a70e68911aa00775b Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 17:16:10 +0200 Subject: [PATCH 086/125] oauthenticator 16: remove explicit scope, profile is included anyhow The default scope in oauthenticator 16 includes what we need. Let's rely on the default for simplicity. --- config/clusters/2i2c-aws-us/cosmicds.values.yaml | 3 --- config/clusters/2i2c/aup.values.yaml | 2 -- config/clusters/2i2c/dask-staging.values.yaml | 3 --- config/clusters/2i2c/neurohackademy.values.yaml | 2 -- config/clusters/carbonplan/common.values.yaml | 2 -- config/clusters/jupyter-meets-the-earth/common.values.yaml | 2 -- config/clusters/meom-ige/common.values.yaml | 2 -- config/clusters/openscapes/common.values.yaml | 2 -- docs/hub-deployment-guide/configure-auth/cilogon.md | 2 -- 9 files changed, 20 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 5c060ab0af..2322f13c54 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -76,9 +76,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback allowed_idps: # The username claim here is used to do *authorization*, for both diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 7fe2a8db21..1fdc4934de 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -37,8 +37,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index 52f380bdf7..bb4ffaafa7 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml 
+++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,9 +44,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "email" - - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" allowed_idps: http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 34d3cbdb8e..70906b73e5 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml @@ -64,8 +64,6 @@ jupyterhub: - arokem admin_users: *neurohackademy_users CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 0da15e048d..7cfff01e2e 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -188,8 +188,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index cc32d97778..80415fcdeb 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -222,8 +222,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index f331c83a5b..a873e4a96d 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -86,8 +86,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 5428b18501..adf491db57 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -54,8 +54,6 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index bb8c7e0790..04a5824843 100644 --- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -115,8 +115,6 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: - scope: - - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: From 435432d26792f1207ad4580112784eeca8bd61e5 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 17:52:09 +0200 Subject: [PATCH 087/125] oauthenticator 16: add allow_existing_users where allowed_users was configured --- config/clusters/2i2c/aup.values.yaml | 6 ++---- .../clusters/2i2c/neurohackademy.values.yaml | 14 ++++++-------- config/clusters/carbonplan/common.values.yaml | 6 ++---- config/clusters/cloudbank/howard.values.yaml | 6 ++---- config/clusters/cloudbank/lacc.values.yaml | 6 ++---- config/clusters/cloudbank/palomar.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc-dev.values.yaml | 6 ++---- config/clusters/cloudbank/sbcc.values.yaml | 6 ++---- config/clusters/cloudbank/staging.values.yaml | 6 ++---- config/clusters/cloudbank/tuskegee.values.yaml | 6 ++---- config/clusters/gridsst/common.values.yaml | 10 ++++------ .../jupyter-meets-the-earth/common.values.yaml | 6 ++---- config/clusters/meom-ige/common.values.yaml | 6 ++---- config/clusters/openscapes/common.values.yaml | 6 ++---- .../clusters/pangeo-hubs/coessing.values.yaml | 18 ++++++++---------- 15 files changed, 42 insertions(+), 72 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index 1fdc4934de..cfc4e743be 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -42,11 +42,9 @@ jupyterhub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &aup_users - swalker - shaolintl diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 70906b73e5..e0c136686f 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
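Review bot: `allow_existing_users: True` in aup.values.yaml replaces the FIXME with nothing, so the file no longer records why the setting is there or what it means for removing people from `allowed_users`. A short comment above the key would keep that visible, for example `# keeps users already in the hub database able to log in; removing a name from allowed_users does not revoke access`. The value is also written `True`, while coessing.values.yaml in this same commit has `delete_invalid_users: true`; `allow_existing_users: true` would match. Both points apply to every other hunk in this commit that adds the key (neurohackademy, carbonplan, the cloudbank hubs, gridsst, jupyter-meets-the-earth, meom-ige, openscapes, coessing).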
@@ -55,20 +55,18 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon - Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: &neurohackademy_users - - arokem - admin_users: *neurohackademy_users CILogonOAuthenticator: oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True + Authenticator: + allowed_users: &neurohackademy_users + - arokem + admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 7cfff01e2e..8506d67510 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml @@ -192,11 +192,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &users - maxrjones admin_users: *users diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index fe5d9c4cd3..32fd25f104 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index 5c3e8e6442..ca20b076a8 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 81ae2bd4c3..60ba874481 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 56f4cd6d44..3443173895 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 638eb616ba..3399eaa550 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml @@ -39,11 +39,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index 806d18a453..fe109f8f5b 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &staging_users - sean.smorris@berkeley.edu admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 12a0b32027..d6029d98bf 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -36,11 +36,9 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index 718e911de3..ec498b3cb5 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml @@ -36,18 +36,16 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: + JupyterHub: + authenticator_class: github + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to - # be configured explicitly. - # allowed_users: &gridsst_users - alisonrgray - nikki-t - dgumustel admin_users: *gridsst_users - JupyterHub: - authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 80415fcdeb..f51e95bf2f 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -226,11 +226,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index a873e4a96d..1e25b0ce32 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -90,11 +90,9 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: &users - roxyboy - lesommer diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index adf491db57..bedfa62419 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml @@ -58,16 +58,14 @@ basehub: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" + OAuthenticator: + allow_existing_users: True Authenticator: admin_users: &users - amfriesz - jules32 - erinmr - betolink - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # allowed_users: *users dask-gateway: gateway: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 6a19477097..51028b1c58 100644 
--- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml @@ -34,16 +34,6 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: - Authenticator: - admin_users: &admin_users - - paigemar@umich.edu - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: *admin_users - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: @@ -52,3 +42,11 @@ basehub: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" + OAuthenticator: + allow_existing_users: True + Authenticator: + admin_users: &admin_users + - paigemar@umich.edu + allowed_users: *admin_users + # Delete any prior existing users in the db that don't pass username_pattern + delete_invalid_users: true From 0da0b3eaed7e2af77e43ff232e778181c869f1e9 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 19:18:42 +0200 Subject: [PATCH 088/125] oauthenticator 16: remove outdated comment about allowed_users --- .../2i2c-aws-us/dask-staging.values.yaml | 14 ++++------ .../2i2c-aws-us/researchdelight.values.yaml | 4 +-- .../clusters/2i2c-aws-us/staging.values.yaml | 14 ++++------ config/clusters/2i2c-uk/lis.values.yaml | 13 ++++----- config/clusters/awi-ciroh/common.values.yaml | 13 ++++----- config/clusters/leap/common.values.yaml | 13 ++++----- .../clusters/linked-earth/common.values.yaml | 9 ++---- config/clusters/m2lines/common.values.yaml | 13 ++++----- config/clusters/nasa-cryo/common.values.yaml | 28 +++++++++---------- .../clusters/pangeo-hubs/common.values.yaml | 15 ++++------ config/clusters/qcl/common.values.yaml | 11 +++----- .../clusters/smithsonian/common.values.yaml | 3 -- config/clusters/victor/common.values.yaml | 11 +++----- 13 files changed, 62 insertions(+), 99 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 49def94b2c..6b2569467d 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -33,15 +33,6 @@ basehub: tag: "2022.06.02" hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -50,3 +41,8 @@ basehub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] 
diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index c7163a272c..818ca986dc 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -34,8 +34,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -43,6 +41,8 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org + Authenticator: + enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 13e68094d4..8992c8403c 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml @@ -28,15 +28,6 @@ jupyterhub: url: https://2i2c.org hub: config: - Authenticator: - # This hub uses GitHub Org auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. - # - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: @@ -45,3 +36,8 @@ jupyterhub: - 2i2c-org scope: - read:org + Authenticator: + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 87c0ea6207..8c6e3d943b 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml 
@@ -49,17 +49,14 @@ jupyterhub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - LaCrecerelle - - matthew-brett GitHubOAuthenticator: + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" + Authenticator: + admin_users: + - LaCrecerelle + - matthew-brett diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index 344f2982cd..e05c6c001d 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml @@ -33,14 +33,6 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - jameshalgren - - arpita0911patel - - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -48,6 +40,11 @@ basehub: - NOAA-OWP scope: - read:org + Authenticator: + admin_users: + - jameshalgren + - arpita0911patel + - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index bd4d000c24..cdf8aaf208 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml 
@@ -42,14 +42,6 @@ basehub: tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: - Authenticator: - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -76,6 +68,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + enable_auth_state: true + admin_users: + - rabernat + - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index f6c9068305..2f18da08f3 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -33,18 +33,15 @@ basehub: config: JupyterHub: authenticator_class: github - Authenticator: - # This hub uses GitHub Orgs auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed orgs. These people should have admin access though. - admin_users: - - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org + Authenticator: + admin_users: + - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index d624a11e24..08ab1f3824 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml 
@@ -39,14 +39,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - johannag126 - - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +47,11 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - johannag126 + - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 53ef4e3997..ed316b6a7d 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -37,21 +37,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to persist auth state - enable_auth_state: true - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - tsnow03 - - JessicaS11 - - jdmillstein - - dfelikson - - fperez - - scottyhq - - jomey JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -64,6 +49,19 @@ basehub: - CryoInTheCloud:cryocloudadvanced scope: - read:org + Authenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to persist auth state + enable_auth_state: true + admin_users: + - tsnow03 + - JessicaS11 + - jdmillstein + - dfelikson + - fperez + - scottyhq + - jomey + singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index 2c4bef29bf..e9d9dc23b8 100644 
--- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,15 +38,6 @@ basehub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -55,6 +46,12 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org + Authenticator: + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index 2587614226..d6d8863e8b 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,13 +36,6 @@ jupyterhub: hub: allowNamedServers: true config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - gizmo404 - - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -51,6 +44,10 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org + Authenticator: + admin_users: + - gizmo404 + - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 499066f1ff..3a8aba9abc 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml 
@@ -48,9 +48,6 @@ basehub: - read:org Authenticator: enable_auth_state: true - # This hub uses GitHub Orgs auth and so we don't set allowed_users in - # order to not deny access to valid members of the listed orgs. These - # people should have admin access though. admin_users: - MikeTrizna # Mike Trizna - rdikow # Rebecca Dikow diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 568094f27e..5f3827beb2 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml @@ -34,13 +34,6 @@ basehub: url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation hub: config: - Authenticator: - # This hub uses GitHub Teams auth and so we don't set - # allowed_users in order to not deny access to valid members of - # the listed teams. These people should have admin access though. - admin_users: - - einatlev-ldeo - - SamKrasnoff JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -49,6 +42,10 @@ basehub: - VICTOR-Community:victoraccess scope: - read:org + Authenticator: + admin_users: + - einatlev-ldeo + - SamKrasnoff singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods From 0c43b0c70306aa270e6d2f52d83e441182994036 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:20:18 +0200 Subject: [PATCH 089/125] auth config: remove outdated workaround setting empty admin_users This was fixed in https://github.com/2i2c-org/infrastructure/pull/2299 --- config/clusters/2i2c-aws-us/dask-staging.values.yaml | 5 ----- config/clusters/2i2c-aws-us/staging.values.yaml | 5 ----- 2 files changed, 10 deletions(-) diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index 6b2569467d..ef475a47b1 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml 
@@ -41,8 +41,3 @@ basehub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 8992c8403c..7d839d7b3d 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml @@ -36,8 +36,3 @@ jupyterhub: - 2i2c-org scope: - read:org - Authenticator: - # You must always set admin_users, even if it is an empty list, - # otherwise `add_staff_user_ids_to_admin_users: true` will fail - # silently and no staff members will have admin access. - admin_users: [] From 63eabbcbcef3c6b56a4ea6bcbc9c0dac1eaa3cb3 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Sun, 10 Sep 2023 19:33:19 +0200 Subject: [PATCH 090/125] oauthenticator 16: remove redundant spec of allowed_users, add warnings --- config/clusters/2i2c/aup.values.yaml | 27 +++++++++++++++++-- .../clusters/2i2c/neurohackademy.values.yaml | 27 +++++++++++++++++-- config/clusters/carbonplan/common.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/howard.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/lacc.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/palomar.values.yaml | 27 +++++++++++++++++-- .../clusters/cloudbank/sbcc-dev.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/sbcc.values.yaml | 27 +++++++++++++++++-- config/clusters/cloudbank/staging.values.yaml | 27 +++++++++++++++++-- .../clusters/cloudbank/tuskegee.values.yaml | 27 +++++++++++++++++-- config/clusters/gridsst/common.values.yaml | 27 +++++++++++++++++-- .../common.values.yaml | 27 +++++++++++++++++-- config/clusters/meom-ige/common.values.yaml | 27 +++++++++++++++++-- config/clusters/openscapes/common.values.yaml | 27 +++++++++++++++++-- .../clusters/pangeo-hubs/coessing.values.yaml | 27 +++++++++++++++++-- 15 files changed, 375 insertions(+), 30 deletions(-) diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index cfc4e743be..8dd38478ca 100644 --- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml 
@@ -43,9 +43,32 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &aup_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - swalker - shaolintl - admin_users: *aup_users diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index e0c136686f..1cc8148b85 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
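Review bot: The two WARNING blocks added in aup.values.yaml appear with identical text in the other hunks visible here, and the diffstat lists fifteen files, so any later correction to the revocation guidance has to be made in every copy. I would keep the full text in one place (the auth docs look like the natural home, though that is a guess) and leave a short pointer beside `allow_existing_users` and `admin_users`, since a stale copy would give an operator wrong steps for removing access. The wording also needs a pass: "a common expectations for an admin user" should read `a common expectation of hub admins`, and "allows any user in the JupyterHub database of users able to login" should read `lets any user already in JupyterHub's user database log in`. The `jupyterhub:` mapping starts outside the hunk.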
@@ -62,11 +62,34 @@ jupyterhub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &neurohackademy_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - arokem - admin_users: *neurohackademy_users extraFiles: configurator-schema-default: data: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index 8506d67510..a8b907ddcd 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -193,11 +193,34 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - maxrjones - admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 32fd25f104..9dbd30268a 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml 
@@ -37,11 +37,34 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &howard_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com - admin_users: *howard_users diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index ca20b076a8..a04dba1087 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml 
@@ -37,12 +37,35 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &lacc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu - admin_users: *lacc_users diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 60ba874481..a95b5a6430 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml 
@@ -37,11 +37,34 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &palomar_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu - admin_users: *palomar_users diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 3443173895..6aee2fa79e 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml 
@@ -40,10 +40,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 3399eaa550..e5557cf6ac 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -40,10 +40,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &sbcc_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu - admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index fe109f8f5b..31f42cccc3 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml 
@@ -37,8 +37,31 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &staging_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - sean.smorris@berkeley.edu - admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index d6029d98bf..9c0c746201 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -37,9 +37,33 @@ jupyterhub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &tuskegee_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu @@ -47,4 +71,3 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com - admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index ec498b3cb5..a858234963 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -39,13 +39,36 @@ basehub: JupyterHub: authenticator_class: github OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &gridsst_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - alisonrgray - nikki-t - dgumustel - admin_users: *gridsst_users singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index f51e95bf2f..5ac108e132 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml 
@@ -227,9 +227,33 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 @@ -249,7 +273,6 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 1e25b0ce32..1b2adedaab 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
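Review bot: The retained comment under `admin_users:` in the `@@ -227,9 +227,33 @@` hunk still describes the list as "a few of the users/admins" with many users added manually, but the key is now `admin_users` alone, so every name in it is an admin. As far as this hunk shows, the manually added users keep access only because `allow_existing_users: True` admits anyone already in the hub's database. I would reword the comment to say that, e.g. `# Admins only. Other users were added manually via the admin panel and are admitted through allow_existing_users, see:`. The list itself continues into the next hunk of the same file.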
@@ -91,13 +91,36 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - allowed_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - roxyboy - lesommer - auraoupa - admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index bedfa62419..2f9a057b7c 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -59,14 +59,37 @@ basehub: username_derivation: username_claim: "preferred_username" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - amfriesz - jules32 - erinmr - betolink - allowed_users: *users dask-gateway: gateway: extraConfig: diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 51028b1c58..3744e2c0c0 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -43,10 +43,33 @@ basehub: username_derivation: username_claim: "email" OAuthenticator: + # WARNING: Don't use allow_existing_users with config to allow an + # externally managed group of users, such as + # GitHubOAuthenticator.allowed_organizations, as it breaks a + # common expectations for an admin user. + # + # The broken expectation is that removing a user from the + # externally managed group implies that the user won't have + # access any more. In practice the user will still have + # access if it had logged in once before, as it then exists + # in JupyterHub's database of users. + # allow_existing_users: True Authenticator: - admin_users: &admin_users + # WARNING: Removing a user from admin_users or allowed_users doesn't + # revoke admin status or access. + # + # OAuthenticator.allow_existing_users allows any user in the + # JupyterHub database of users able to login. This includes + # any previously logged in user or user previously listed in + # allowed_users or admin_users, as such users are added to + # JupyterHub's database on startup. + # + # To properly revoke access, remove the user from the list, + # deploy the change, and finally delete the user via the + # /hub/admin panel. + # + admin_users: - paigemar@umich.edu - allowed_users: *admin_users # Delete any prior existing users in the db that don't pass username_pattern delete_invalid_users: true From 7201a88492232e503ee5f749371f11eca42e79c3 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 19:36:55 +0200 Subject: [PATCH 091/125] auth config: remove temporary config addition --- config/clusters/pangeo-hubs/coessing.values.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 3744e2c0c0..d53450e095 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -71,5 +71,3 @@ basehub: # admin_users: - paigemar@umich.edu - # Delete any prior existing users in the db that don't pass username_pattern - delete_invalid_users: true From a3bb00339eef4650ec4aa64050fa698aaeb87b66 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:12:07 +0200 Subject: [PATCH 092/125] basehub: tweak values to avoid formatting conflicts --- helm-charts/basehub/values.yaml | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index c58cea667f..1c3c2a8047 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -177,11 +177,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", - ] + - "sh" + - "-c" + - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan" securityContext: runAsUser: 0 volumeMounts: @@ -394,7 +392,7 @@ jupyterhub: interfaces: - value: "/tree" title: Classic Notebook - description: + description: >- The original single-document interface for creating Jupyter Notebooks. - value: "/lab" @@ -420,8 +418,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -488,8 +486,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: False - readOnlyRootFilesystem: True + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true volumeMounts: - name: custom-templates mountPath: /srv/repo 
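Review bot: The `volume-mount-ownership-fix` init container in the `@@ -177,11 +177,9 @@` hunk runs with `runAsUser: 0` from `image: busybox`, which has no tag or digest, so whatever the registry serves by default at pull time runs as root on the volumes mounted under /home/jovyan. Pinning it, e.g. `image: busybox:<pinned-tag>@sha256:<digest>` (placeholders, to be filled from a verified release), makes that root step reproducible and auditable. The same unpinned line appears in the per-cluster copies of this container in the hunks of the following commit. The container spec starts and ends outside the hunk.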
@@ -526,7 +524,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.6074.h895181eb" + tag: "0.0.1-0.dev.git.6863.h406a3546" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated From 28cd4f546d724086c4723e2f5e5f97894f99ae82 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:24:16 +0200 Subject: [PATCH 093/125] basehub: refactor, simplify chowning container's command --- config/clusters/2i2c-aws-us/itcoocean.values.yaml | 8 +++----- config/clusters/2i2c/climatematch.values.yaml | 8 +++----- .../clusters/jupyter-meets-the-earth/common.values.yaml | 8 +++----- config/clusters/nasa-cryo/common.values.yaml | 8 +++----- config/clusters/qcl/common.values.yaml | 8 +++----- docs/howto/features/per-user-db.md | 8 +++----- docs/topic/infrastructure/storage-layer.md | 8 +++----- helm-charts/basehub/values.yaml | 6 +++--- 8 files changed, 24 insertions(+), 38 deletions(-) diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index 7a9c19ae54..a2754241fa 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml +++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -57,11 +57,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index a982022793..5396702629 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml 
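Review bot: The shell command in the `@@ -57,11 +57,9 @@` hunk is now an unquoted plain scalar, which parses today but is fragile, because a later edit that introduces ` #` would silently truncate the command at the comment marker and `: ` would turn the entry into a mapping. Since this string runs as root in the init container, I would keep it quoted, e.g. `- 'id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan'`. The same applies to the other values-file hunks of this commit on the following lines. The `command` list belongs to a container spec that starts and ends outside the hunk.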
@@ -39,11 +39,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index 5ac108e132..0776b2801d 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,11 +49,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index ed316b6a7d..067d059051 100644 --- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -89,11 +89,9 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index d6d8863e8b..1d1eddc558 100644 --- a/config/clusters/qcl/common.values.yaml 
+++ b/config/clusters/qcl/common.values.yaml @@ -228,11 +228,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md index 52141691ac..871c843b3f 100644 --- a/docs/howto/features/per-user-db.md +++ b/docs/howto/features/per-user-db.md @@ -60,11 +60,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md index 951eb916ca..171b2b0943 100644 --- a/docs/topic/infrastructure/storage-layer.md +++ b/docs/topic/infrastructure/storage-layer.md @@ -118,11 +118,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", - ] + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 1c3c2a8047..0cf20bc475 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml 
@@ -177,9 +177,9 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - "sh" - - "-c" - - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan" + - sh + - -c + - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan securityContext: runAsUser: 0 volumeMounts: From 4545ef61bb9d75d692db22069f93962afe094aaa Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:25:36 +0200 Subject: [PATCH 094/125] basehub: upgrade z2jh from 3.0.0-beta.1 to 3.0.2 --- helm-charts/basehub/Chart.yaml | 2 +- helm-charts/chartpress.yaml | 22 ++++++++++++++++------ helm-charts/images/hub/Dockerfile | 6 +++++- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index ff28172b3e..d410964912 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -11,7 +11,7 @@ dependencies: # images/hub/Dockerfile, and will also involve manually building and pushing # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can # be found in the Dockerfile's comments. - version: 3.0.0-beta.1.git.6208.h7b44299a + version: 3.0.2 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service version: 0.1.0-0.dev.git.80.h358d32f diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml index 962a638476..6ecf191e45 100644 --- a/helm-charts/chartpress.yaml +++ b/helm-charts/chartpress.yaml @@ -1,3 +1,13 @@ +# This is the configuration for chartpress, a CLI for Helm chart management. +# +# chartpress can be used to: +# - Build images +# - Update Chart.yaml (version) and values.yaml (image tags) +# - Package and publish Helm charts to a GitHub based Helm chart repository +# +# For more information about chartpress, see the projects README.md file: +# https://github.com/jupyterhub/chartpress +# charts: - name: basehub imagePrefix: quay.io/2i2c/pilot- 
@@ -5,16 +15,16 @@ charts: hub: valuesPath: jupyterhub.hub.image buildArgs: - REQUIREMENTS_FILE: "requirements.txt" + REQUIREMENTS_FILE: requirements.txt unlisted-choice-experiment: imageName: quay.io/2i2c/unlisted-choice-experiment buildArgs: - REQUIREMENTS_FILE: "unlisted-choice-requirements.txt" - contextPath: "images/hub" + REQUIREMENTS_FILE: unlisted-choice-requirements.txt + contextPath: images/hub dockerfilePath: images/hub/Dockerfile dynamic-image-building-experiment: imageName: quay.io/2i2c/dynamic-image-building-experiment buildArgs: - REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt" - contextPath: "images/hub" - dockerfilePath: "images/hub/Dockerfile" + REQUIREMENTS_FILE: dynamic-image-building-requirements.txt + contextPath: images/hub + dockerfilePath: images/hub/Dockerfile diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile index 77caeb4434..6d5e7e05b5 100644 --- a/helm-charts/images/hub/Dockerfile +++ b/helm-charts/images/hub/Dockerfile @@ -12,7 +12,11 @@ # `chartpress --push --builder docker-buildx --platform linux/amd64` # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/ # -FROM jupyterhub/k8s-hub:3.0.0-beta.1 +FROM jupyterhub/k8s-hub:3.0.2 + +# chartpress.yaml defines multiple hub images differentiated only by a +# requirements.txt file with dependencies, this build argument allows us to +# re-use this Dockerfile for all images. ARG REQUIREMENTS_FILE COPY ${REQUIREMENTS_FILE} /tmp/ From 37d9911530e48b666f54a6cd83ff1fbd3b1c5f0f Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Sun, 10 Sep 2023 20:30:02 +0200 Subject: [PATCH 095/125] dynamic image building experiment: bump kubespawner's main branch further --- helm-charts/images/hub/dynamic-image-building-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt
index 225a86b394..fcfadf2363 100644
--- a/helm-charts/images/hub/dynamic-image-building-requirements.txt
+++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt
@@ -1,6 +1,6 @@
 # Image lives at quay.io/2i2c/second-hub-experimental
 git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db
 # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146
-git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83
+git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809
 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui
 git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c
From fa134ceaad1aaa2f83100239ee30a17f77a0ca8f Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Sun, 10 Sep 2023 20:40:04 +0200
Subject: [PATCH 096/125] basehub: update hub image's to a z2jh 3.0.2 derived image
---
 config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +-
 config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 +-
 config/clusters/leap/common.values.yaml | 2 +-
 config/clusters/nasa-veda/common.values.yaml | 2 +-
 config/clusters/openscapes/staging.values.yaml | 2 +-
 helm-charts/basehub/values.yaml | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml
index 818ca986dc..6326b3fc18 100644
--- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml
+++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml
@@ -30,7 +30,7 @@ basehub:
 hub:
 image:
 name: quay.io/2i2c/unlisted-choice-experiment
- tag: "0.0.1-0.dev.git.6863.h406a3546"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 config:
 JupyterHub:
 authenticator_class: github
diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml
index 94e36d083f..17e2a1c013 100644
--- a/config/clusters/2i2c/imagebuilding-demo.values.yaml
+++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml
@@ -60,7 +60,7 @@ jupyterhub:
 hub:
 image:
 name: quay.io/2i2c/dynamic-image-building-experiment
- tag: "0.0.1-0.dev.git.6765.h33942a27"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 config:
 JupyterHub:
 authenticator_class: cilogon
diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml
index cdf8aaf208..7c1684b87b 100644
--- a/config/clusters/leap/common.values.yaml
+++ b/config/clusters/leap/common.values.yaml
@@ -39,7 +39,7 @@ basehub:
 hub:
 image:
 name: quay.io/2i2c/unlisted-choice-experiment
- tag: "0.0.1-0.dev.git.6863.h406a3546"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 allowNamedServers: true
 config:
 JupyterHub:
diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml
index 2eb76b999e..8d3a55327d 100644
--- a/config/clusters/nasa-veda/common.values.yaml
+++ b/config/clusters/nasa-veda/common.values.yaml
@@ -34,7 +34,7 @@ basehub:
 hub:
 image:
 name: quay.io/2i2c/unlisted-choice-experiment
- tag: "0.0.1-0.dev.git.6863.h406a3546"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 allowNamedServers: true
 config:
 Authenticator:
diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml
index 13fcfa7ec1..466c1060d6 100644
--- a/config/clusters/openscapes/staging.values.yaml
+++ b/config/clusters/openscapes/staging.values.yaml
@@ -122,7 +122,7 @@ basehub:
 hub:
 image:
 name: quay.io/2i2c/unlisted-choice-experiment
- tag: "0.0.1-0.dev.git.6863.h406a3546"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 config:
 CILogonOAuthenticator:
 oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback"
diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
index 0cf20bc475..c35a07fc0d 100644
--- a/helm-charts/basehub/values.yaml
+++ b/helm-charts/basehub/values.yaml
@@ -524,7 +524,7 @@ jupyterhub:
 admin: true
 image:
 name: quay.io/2i2c/pilot-hub
- tag: "0.0.1-0.dev.git.6863.h406a3546"
+ tag: "0.0.1-0.dev.git.6935.h7141d766"
 networkPolicy:
 enabled: true
 # interNamespaceAccessLabels=accept makes the hub pod's associated
From 7406a47bb3840708a079e17cfabcb162d31cd479 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Wed, 13 Sep 2023 13:50:19 +0200
Subject: [PATCH 097/125] Refine warning comment about revoking admin status or access
---
 config/clusters/2i2c/aup.values.yaml | 6 ++++--
 config/clusters/2i2c/neurohackademy.values.yaml | 6 ++++--
 config/clusters/carbonplan/common.values.yaml | 6 ++++--
 config/clusters/cloudbank/howard.values.yaml | 6 ++++--
 config/clusters/cloudbank/lacc.values.yaml | 6 ++++--
 config/clusters/cloudbank/palomar.values.yaml | 6 ++++--
 config/clusters/cloudbank/sbcc-dev.values.yaml | 6 ++++--
 config/clusters/cloudbank/sbcc.values.yaml | 6 ++++--
 config/clusters/cloudbank/staging.values.yaml | 6 ++++--
 config/clusters/cloudbank/tuskegee.values.yaml | 6 ++++--
 config/clusters/gridsst/common.values.yaml | 6 ++++--
 config/clusters/jupyter-meets-the-earth/common.values.yaml | 6 ++++--
 config/clusters/meom-ige/common.values.yaml | 6 ++++--
 config/clusters/openscapes/common.values.yaml | 6 ++++--
 config/clusters/pangeo-hubs/coessing.values.yaml | 6 ++++--
 15 files changed, 60 insertions(+), 30 deletions(-)
diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml
index 8dd38478ca..beec96e623 100644
--- a/config/clusters/2i2c/aup.values.yaml
+++ b/config/clusters/2i2c/aup.values.yaml
@@ -65,8 +65,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml
index 1cc8148b85..97df782ea4 100644
--- a/config/clusters/2i2c/neurohackademy.values.yaml
+++ b/config/clusters/2i2c/neurohackademy.values.yaml
@@ -84,8 +84,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml
index a8b907ddcd..cb99bac399 100644
--- a/config/clusters/carbonplan/common.values.yaml
+++ b/config/clusters/carbonplan/common.values.yaml
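Review bot: The reworded comment gives the order of the steps but not the consequence of stopping early: as written, a user removed from `admin_users` or `allowed_users` appears to keep their admin status or access until the last step is done in /hub/admin, and that is the line an operator offboarding someone needs to see. I would append something like `# Until the /hub/admin step is done, the user keeps their access.` after confirming that against the JupyterHub version in use. The identical block is pasted into all fifteen values files touched by this commit, so keeping the full explanation in one docs page with a short pointer here would avoid drift. The comment begins above the hunk, so its opening lines are not visible.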
@@ -215,8 +215,10 @@ basehub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml
index 9dbd30268a..5e77e99332 100644
--- a/config/clusters/cloudbank/howard.values.yaml
+++ b/config/clusters/cloudbank/howard.values.yaml
@@ -59,8 +59,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml
index a04dba1087..8c6c41b29a 100644
--- a/config/clusters/cloudbank/lacc.values.yaml
+++ b/config/clusters/cloudbank/lacc.values.yaml
@@ -59,8 +59,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml
index a95b5a6430..91dcb3349c 100644
--- a/config/clusters/cloudbank/palomar.values.yaml
+++ b/config/clusters/cloudbank/palomar.values.yaml
@@ -59,8 +59,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml
index 6aee2fa79e..98e01568a0 100644
--- a/config/clusters/cloudbank/sbcc-dev.values.yaml
+++ b/config/clusters/cloudbank/sbcc-dev.values.yaml
@@ -62,8 +62,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml
index e5557cf6ac..2fc8495102 100644
--- a/config/clusters/cloudbank/sbcc.values.yaml
+++ b/config/clusters/cloudbank/sbcc.values.yaml
@@ -62,8 +62,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml
index 31f42cccc3..b45e22d8ae 100644
--- a/config/clusters/cloudbank/staging.values.yaml
+++ b/config/clusters/cloudbank/staging.values.yaml
@@ -59,8 +59,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml
index 9c0c746201..40d56e897c 100644
--- a/config/clusters/cloudbank/tuskegee.values.yaml
+++ b/config/clusters/cloudbank/tuskegee.values.yaml
@@ -59,8 +59,10 @@ jupyterhub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml
index a858234963..b2bffbfd94 100644
--- a/config/clusters/gridsst/common.values.yaml
+++ b/config/clusters/gridsst/common.values.yaml
@@ -61,8 +61,10 @@ basehub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml
index 0776b2801d..dd9f7364e5 100644
--- a/config/clusters/jupyter-meets-the-earth/common.values.yaml
+++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml
@@ -247,8 +247,10 @@ basehub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml
index 1b2adedaab..13145dfb45 100644
--- a/config/clusters/meom-ige/common.values.yaml
+++ b/config/clusters/meom-ige/common.values.yaml
@@ -113,8 +113,10 @@ basehub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml
index 2f9a057b7c..429becc556 100644
--- a/config/clusters/openscapes/common.values.yaml
+++ b/config/clusters/openscapes/common.values.yaml
@@ -81,8 +81,10 @@ basehub:
 # allowed_users or admin_users, as such users are added to
 # JupyterHub's database on startup.
 #
- # To properly revoke access, remove the user from the list,
- # deploy the change, and finally delete the user via the
+ # To revoke admin status or access for a user when
+ # allow_existing_users is enabled, first remove the user from
+ # admin_users or allowed_users, then deploy the change, and
+ # finally revoke the admin status or delete the user via the
 # /hub/admin panel.
 #
 admin_users:
diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml
index d53450e095..0235e3e56c 100644
--- a/config/clusters/pangeo-hubs/coessing.values.yaml
+++ b/config/clusters/pangeo-hubs/coessing.values.yaml
@@ -65,8 +65,10 @@ basehub: # allowed_users or admin_users, as such users are added to # JupyterHub's database on startup. # - # To properly revoke access, remove the user from the list, - # deploy the change, and finally delete the user via the + # To revoke admin status or access for a user when + # allow_existing_users is enabled, first remove the user from + # admin_users or allowed_users, then deploy the change, and + # finally revoke the admin status or delete the user via the # /hub/admin panel. # admin_users: From 4160dbb560d2e06c915d41131ddfb0dcd1d19591 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 14:35:35 +0200 Subject: [PATCH 098/125] meom-ige: specify one default profile list entry --- config/clusters/meom-ige/common.values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 9b24401572..954c78e975 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -41,6 +41,7 @@ basehub: # RAM on a node, not total node capacity - display_name: "Small" description: "~2 CPU, ~8G RAM" + default: true kubespawner_override: mem_limit: 8G mem_guarantee: 4G From 47377ff96c42fb1bbfe24e22410b34b9e5e1c4ad Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 13 Sep 2023 16:12:32 +0300 Subject: [PATCH 099/125] Add tfvars for new hhmi gcp cluster and update daskhub template --- .../gcp/projects/daskhub-template.tfvars | 16 ++---- terraform/gcp/projects/hhmi.tfvars | 53 +++++++++++++++++++ 2 files changed, 57 insertions(+), 12 deletions(-) create mode 100644 terraform/gcp/projects/hhmi.tfvars diff --git a/terraform/gcp/projects/daskhub-template.tfvars b/terraform/gcp/projects/daskhub-template.tfvars index 4c756e7e65..26b5c0b3c4 100644 --- a/terraform/gcp/projects/daskhub-template.tfvars +++ b/terraform/gcp/projects/daskhub-template.tfvars 
@@ -25,26 +25,18 @@ enable_filestore = true filestore_capacity_gb = 1024 user_buckets = { - "scratch-staging" : { - "delete_after" : 7 - }, - "scratch" : { + "scratch-{{ hub_name }}" : { "delete_after" : 7 }, # Tip: add more scratch buckets below, if this cluster will be multi-tenant } hub_cloud_permissions = { - "staging" : { + "{{ hub_name }}" : { requestor_pays : true, - bucket_admin_access : ["scratch-staging", "persistent-staging"], - hub_namespace : "staging" + bucket_admin_access : ["scratch-{{ hub_name }}"], + hub_namespace : "{{ hub_name }}" }, - "prod" : { - requestor_pays : true, - bucket_admin_access : ["scratch", "persistent"], - hub_namespace : "prod" - } # Tip: add more namespaces below, if this cluster will be multi-tenant } diff --git a/terraform/gcp/projects/hhmi.tfvars b/terraform/gcp/projects/hhmi.tfvars new file mode 100644 index 0000000000..3466c94128 --- /dev/null +++ b/terraform/gcp/projects/hhmi.tfvars 
@@ -0,0 +1,53 @@ +prefix = "hhmi" +project_id = "hhmi" + +zone = "us-west2" +region = "us-west2" + +# Default to a HA cluster for reliability +regional_cluster = true + +core_node_machine_type = "n2-highmem-4" + +# Network policy is required to enforce separation between hubs on multi-tenant clusters +# Tip: uncomment the line below if this cluster will be multi-tenant +# enable_network_policy = true + +# Setup a filestore for in-cluster NFS +enable_filestore = true +filestore_capacity_gb = 1024 + +user_buckets = {} +hub_cloud_permissions = {} + +# Setup notebook node pools +notebook_nodes = { + "small" : { + min : 0, + max : 100, + machine_type : "n2-highmem-4", + }, + "medium" : { + min : 0, + max : 100, + machine_type : "n2-highmem-16", + }, + "large" : { + min : 0, + max : 100, + machine_type : "n2-highmem-64", + }, +} + +# Setup a single node pool for dask workers. +# +# A not yet fully established policy is being developed about using a single +# node pool, see https://github.com/2i2c-org/infrastructure/issues/2687. +# +dask_nodes = { + "worker" : { + min : 0, + max : 200, + machine_type : "n2-highmem-16", + }, +} \ No newline at end of file From bd3634e56ea44d370a2bdb9ecdb53a47f3c971db Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Wed, 13 Sep 2023 09:05:55 -0700 Subject: [PATCH 100/125] add chown statement --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 6e642954bf..c03c808e57 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
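Review bot: `enable_network_policy` is left commented out in this new file, so the cluster takes whatever the module default is, and that default is not visible in this patch; the other project files in this series set the value explicitly. Since the comment above it says network policy is what enforces separation between hubs, I would state the choice outright: `enable_network_policy = false` with a one-line reason if the cluster is single-tenant, or `enable_network_policy = true` otherwise. Also worth a check: `zone = "us-west2"` carries a region name, whereas the other tfvars files with `regional_cluster = true` still give a zone such as `us-central1-c`; this may be intentional.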
@@ -100,7 +100,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:a6db72110a0dfed84b8926a9b7e9d5ad0f1b4861490a2d6b36c87ac2d4f89064 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:c91ebe0a1fc531ca00c1f8f17d91c82edc0c6b88235d94ab47e6fc33af7c0b7f command: - "python3" - "/opt/k8s-init-container-nb-docs.py" @@ -137,7 +137,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:a6db72110a0dfed84b8926a9b7e9d5ad0f1b4861490a2d6b36c87ac2d4f89064 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:c91ebe0a1fc531ca00c1f8f17d91c82edc0c6b88235d94ab47e6fc33af7c0b7f command: - "python3" - "/opt/k8s-init-container-nb-docs.py" From ff8c6b62fc30bbb6c667b6a8eaee042e86c7c879 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 21:04:12 +0200 Subject: [PATCH 101/125] victor: login page, update logo and linked website --- config/clusters/victor/common.values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 568094f27e..47136ec38c 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml 
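Review bot: The only change in this hunk is the init container's image reference, so the chown named in the commit subject lives inside the image and cannot be reviewed from this diff. The 64-hex-character tag looks like a content hash but is written after `:`, which makes it an ordinary tag that the registry may allow to be re-pushed; if it is the image digest, writing it as `...nasa-veda-singleuser-init@sha256:<digest>` (placeholder) makes the pin immutable. A link to the image-source commit that introduced the chown, next to the existing `# image source:` comment, would let the next reviewer trace what changed. The same applies to the second hunk in this file and to both hunks of the follow-up commit "doh, my bad".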
@@ -20,9 +20,9 @@ basehub: gitRepoBranch: "victor" templateVars: org: - name: Victor - logo_url: https://lh3.googleusercontent.com/drive-viewer/AFDK6gOSmgurudnSJrUNMaIdOIEeu8aXUzWS9qZ0Oi3XO3_fFYdfjksmrPQrjv542v_81TCkVPlRT_Acf5BAojMEeYlEzF8nmw=w2880-h1368 - url: https://people.climate.columbia.edu/projects/view/2387 + name: VICTOR + logo_url: https://i.imgur.com/D2vXQ5k.png + url: https://victor.ldeo.columbia.edu designed_by: name: 2i2c url: https://2i2c.org From d882c1026efb66ff52e6b6703521edcea7b2d829 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Wed, 13 Sep 2023 13:59:33 -0700 Subject: [PATCH 102/125] doh, my bad --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index c03c808e57..35e9d89e85 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -100,7 +100,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:c91ebe0a1fc531ca00c1f8f17d91c82edc0c6b88235d94ab47e6fc33af7c0b7f + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:df12447f4a0194e107c7f32cb2486cf4034f89198906aba08ce48967a644f153 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" 
@@ -137,7 +137,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:c91ebe0a1fc531ca00c1f8f17d91c82edc0c6b88235d94ab47e6fc33af7c0b7f + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:df12447f4a0194e107c7f32cb2486cf4034f89198906aba08ce48967a644f153 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" From 7c717b7e83896bcb0269e872756013b69a421d18 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 22:00:09 +0200 Subject: [PATCH 103/125] terraform, gcp: make core node pd-balanced This will force a recreation of core nodes, but not having this has turned out to break the pilot-hubs cluster and meom-ige, so we really need to do this if there is a project without it already. --- terraform/gcp/cluster.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/gcp/cluster.tf b/terraform/gcp/cluster.tf index 5fd1a8e689..8cc052c338 100644 --- a/terraform/gcp/cluster.tf +++ b/terraform/gcp/cluster.tf @@ -185,7 +185,6 @@ resource "google_container_node_pool" "core" { location = google_container_cluster.cluster.location version = var.k8s_versions.core_nodes_version - initial_node_count = 1 autoscaling { min_node_count = 1 @@ -213,6 +212,12 @@ resource "google_container_node_pool" "core" { node_config { + # Balanced disks are much faster than standard disks, and much cheaper + # than SSD disks. It contributes heavily to how fast new nodes spin up, + # as images being pulled takes up a lot of new node spin up time. + # Faster disks provide faster image pulls! + disk_type = "pd-balanced" + labels = { "hub.jupyter.org/node-purpose" = "core", "k8s.dask.org/node-purpose" = "core" From 27b739dbd11b44c1087b1277665996725e8863ba Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Wed, 13 Sep 2023 16:32:20 +0200 Subject: [PATCH 104/125] 2i2c, terraform: update core node from n1- to n2-highmem-4 --- terraform/gcp/projects/pilot-hubs.tfvars | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/terraform/gcp/projects/pilot-hubs.tfvars b/terraform/gcp/projects/pilot-hubs.tfvars index 4f5028cc46..865a53c247 100644 --- a/terraform/gcp/projects/pilot-hubs.tfvars +++ b/terraform/gcp/projects/pilot-hubs.tfvars @@ -1,15 +1,19 @@ prefix = "pilot-hubs" project_id = "two-eye-two-see" -zone = "us-central1-b" -region = "us-central1" - -core_node_machine_type = "n1-highmem-4" +zone = "us-central1-b" +region = "us-central1" +regional_cluster = false -# Multi-tenant cluster, network policy is required to enforce separation between hubs -enable_network_policy = true +k8s_versions = { + min_master_version : "1.26.5-gke.2100", + core_nodes_version : "1.26.5-gke.2100", + notebook_nodes_version : "1.26.4-gke.1400", + dask_nodes_version : "1.26.5-gke.1400", +} -regional_cluster = false +core_node_machine_type = "n2-highmem-4" +enable_network_policy = true enable_filestore = true filestore_capacity_gb = 5120 From 79e3a1e0247778f4ac450e24944ca3866054d2e4 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 22:01:50 +0200 Subject: [PATCH 105/125] meom-ige: upgrade k8s 1.26 -> 1.27, n2-highmem-4, pd-balanced --- config/clusters/meom-ige/cluster.yaml | 2 +- terraform/gcp/projects/meom-ige.tfvars | 18 ++++++++++-------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/config/clusters/meom-ige/cluster.yaml b/config/clusters/meom-ige/cluster.yaml index aa3de07390..0641eb08f6 100644 --- a/config/clusters/meom-ige/cluster.yaml +++ b/config/clusters/meom-ige/cluster.yaml 
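Review bot: This hunk drops the comment `# Multi-tenant cluster, network policy is required to enforce separation between hubs` while keeping `enable_network_policy = true`, which leaves a security control with no stated reason and makes it easier to switch off in a later cleanup. I would keep that one-line rationale directly above the setting. The meom-ige.tfvars hunk later in this series does the same with `# Single-tenant cluster, network policy not needed` above `enable_network_policy = false`. The mixed versions in the new `k8s_versions` block (`1.26.5-gke.2100`, `1.26.4-gke.1400`, `1.26.5-gke.1400`) presumably mirror the cluster's current state, and a short comment saying so would help.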
@@ -1,5 +1,5 @@ name: meom-ige -provider: gcp # https://console.cloud.google.com/kubernetes/clusters/details/us-central1-b/pangeo-hubs-cluster/nodes?project=columbia +provider: gcp # https://console.cloud.google.com/kubernetes/clusters/details/us-central1-b/meom-ige-cluster/details?authuser=3&project=meom-ige-cnrs gcp: key: enc-deployer-credentials.secret.json project: meom-ige-cnrs diff --git a/terraform/gcp/projects/meom-ige.tfvars b/terraform/gcp/projects/meom-ige.tfvars index 442e8c85c3..144d4e461f 100644 --- a/terraform/gcp/projects/meom-ige.tfvars +++ b/terraform/gcp/projects/meom-ige.tfvars @@ -1,15 +1,18 @@ prefix = "meom-ige" project_id = "meom-ige-cnrs" -zone = "us-central1-b" -region = "us-central1" +zone = "us-central1-b" +region = "us-central1" +regional_cluster = false -core_node_machine_type = "n1-highmem-2" +k8s_versions = { + min_master_version : "1.27.4-gke.900", + core_nodes_version : "1.27.4-gke.900", + notebook_nodes_version : "1.27.4-gke.900", +} -# Single-tenant cluster, network policy not needed -enable_network_policy = false - -regional_cluster = false +core_node_machine_type = "n2-highmem-4" +enable_network_policy = false notebook_nodes = { "small" : { @@ -37,7 +40,6 @@ notebook_nodes = { max : 20, machine_type : "n1-standard-64" }, - } # Setup a single node pool for dask workers. From 5ec0ec09429762ab81935606cadfcf12a8cddc80 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 13 Sep 2023 22:29:31 +0200 Subject: [PATCH 106/125] callysto: upgrade k8s from 1.25 to 1.27, and use pd-balanced disks --- terraform/gcp/projects/callysto.tfvars | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/terraform/gcp/projects/callysto.tfvars b/terraform/gcp/projects/callysto.tfvars index fb45e5c3fb..431d4a6450 100644 --- a/terraform/gcp/projects/callysto.tfvars +++ b/terraform/gcp/projects/callysto.tfvars 
@@ -1,13 +1,14 @@ prefix = "callysto" project_id = "callysto-202316" -zone = "northamerica-northeast1-b" -region = "northamerica-northeast1" +zone = "northamerica-northeast1-b" +region = "northamerica-northeast1" +regional_cluster = true k8s_versions = { - min_master_version : "1.25.6-gke.1000", - core_nodes_version : "1.25.6-gke.1000", - notebook_nodes_version : "1.25.6-gke.1000", + min_master_version : "1.27.4-gke.900", + core_nodes_version : "1.27.4-gke.900", + notebook_nodes_version : "1.27.4-gke.900", } core_node_machine_type = "n2-highmem-2" From 4a113fcca9ea0628210100291bab472a4d9703eb Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Thu, 14 Sep 2023 00:17:41 +0200 Subject: [PATCH 107/125] 2i2c-uk: upgrade k8s 1.24 -> 1.27, and use pd-balanced disks --- terraform/gcp/projects/2i2c-uk.tfvars | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/terraform/gcp/projects/2i2c-uk.tfvars b/terraform/gcp/projects/2i2c-uk.tfvars index df9336af68..39d3464599 100644 --- a/terraform/gcp/projects/2i2c-uk.tfvars +++ b/terraform/gcp/projects/2i2c-uk.tfvars @@ -1,10 +1,17 @@ prefix = "two-eye-two-see-uk" project_id = "two-eye-two-see-uk" -zone = "europe-west2-b" -region = "europe-west2" +zone = "europe-west2-b" +region = "europe-west2" +regional_cluster = true -core_node_machine_type = "n1-highmem-4" +k8s_versions = { + min_master_version : "1.27.4-gke.900", + core_nodes_version : "1.27.4-gke.900", + notebook_nodes_version : "1.27.4-gke.900", +} + +core_node_machine_type = "n2-highmem-4" enable_network_policy = true # Setup a filestore for in-cluster NFS @@ -15,7 +22,7 @@ notebook_nodes = { "user" : { min : 0, max : 20, - machine_type : "n1-highmem-4" + machine_type : "n2-highmem-4" }, } From 991d121817775cb006da71dbf8fbe89ee9488028 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Thu, 14 Sep 2023 00:19:10 +0200 Subject: [PATCH 108/125] m2lines: upgrade k8s 1.25 -> 1.27, and use pd-balanced disks --- terraform/gcp/projects/m2lines.tfvars | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/terraform/gcp/projects/m2lines.tfvars b/terraform/gcp/projects/m2lines.tfvars index 501db17700..902d5baeb6 100644 --- a/terraform/gcp/projects/m2lines.tfvars +++ b/terraform/gcp/projects/m2lines.tfvars @@ -1,14 +1,22 @@ -prefix = "m2lines" -project_id = "m2lines-hub" -core_node_machine_type = "n1-highmem-4" - -enable_network_policy = true +prefix = "m2lines" +project_id = "m2lines-hub" # GPUs not available in us-central1-b zone = "us-central1-c" region = "us-central1" regional_cluster = true +k8s_versions = { + min_master_version : "1.27.4-gke.900", + core_nodes_version : "1.27.4-gke.900", + notebook_nodes_version : "1.27.4-gke.900", + dask_nodes_version : "1.27.4-gke.900", +} + +core_node_machine_type = "n2-highmem-4" +enable_network_policy = true + + # Setup a filestore for in-cluster NFS enable_filestore = true filestore_capacity_gb = 2048 From 20ad3a8b86cf4f1a9a2f807347e6393bce166f36 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Wed, 13 Sep 2023 15:58:19 -0700 Subject: [PATCH 109/125] add both inits --- config/clusters/nasa-veda/common.values.yaml | 36 ++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 35e9d89e85..f894c327fa 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml 
@@ -97,10 +97,26 @@ basehub: kubespawner_override: image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 init_containers: + # Need to explicitly fix ownership here, as otherwise these directories will be owned + # by root on most NFS filesystems - neither EFS nor Google Filestore support anonuid + - name: volume-mount-ownership-fix + image: busybox + command: + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 && ls -lhd /home/jovyan ", + ] + securityContext: + runAsUser: 0 + volumeMounts: + - name: home + mountPath: /home/jovyan + subPath: "{username}" # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:df12447f4a0194e107c7f32cb2486cf4034f89198906aba08ce48967a644f153 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:d78dd50564f562fd6879256a589db5334963f0d6ecd28266a4cf0a8d2aaccca9 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" 
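Review bot: The second `chown 1000:1000` in the `volume-mount-ownership-fix` command has no path operand, so it exits non-zero and the `&&` chain stops before `ls`; presumably the init container then fails and the user pod never starts. Either give it the directory it was meant for or remove it, e.g. `"id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan"`. The hunk that follows repeats the same operand-less `chown` in the `/home/rstudio` variant. The `init_containers` list continues outside this hunk.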
@@ -134,10 +150,26 @@ basehub: subPath: _shared readOnly: true init_containers: + # Need to explicitly fix ownership here, as otherwise these directories will be owned + # by root on most NFS filesystems - neither EFS nor Google Filestore support anonuid + - name: volume-mount-ownership-fix + image: busybox + command: + [ + "sh", + "-c", + "id && chown 1000:1000 /home/rstudio && chown 1000:1000 && ls -lhd /home/rstudio ", + ] + securityContext: + runAsUser: 0 + volumeMounts: + - name: home + mountPath: /home/rstudio + subPath: "{username}" # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:df12447f4a0194e107c7f32cb2486cf4034f89198906aba08ce48967a644f153 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:d78dd50564f562fd6879256a589db5334963f0d6ecd28266a4cf0a8d2aaccca9 command: - "python3" - "/opt/k8s-init-container-nb-docs.py" From 5bc922a451bbfbc7ae05f9d864501c8ee72652e6 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Thu, 14 Sep 2023 01:16:42 +0200 Subject: [PATCH 110/125] cloudbank: use pd-balanaced disks --- terraform/gcp/projects/cloudbank.tfvars | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/terraform/gcp/projects/cloudbank.tfvars b/terraform/gcp/projects/cloudbank.tfvars index 883976e3eb..4acfafc83f 100644 --- a/terraform/gcp/projects/cloudbank.tfvars +++ b/terraform/gcp/projects/cloudbank.tfvars 
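Review bot: `image: busybox` in `volume-mount-ownership-fix` is an unpinned reference for a container that runs with `runAsUser: 0` and a writable mount of the user's home directory, while the nasa-veda images in the same list carry long hash-like tags. Whatever `busybox` resolves to at pull time runs as root against user data on every spawn. I would pin it, e.g. `image: busybox:<TAG>@sha256:<DIGEST>` (placeholders; fill in from the registry you trust). The init container added for `/home/jovyan` in the preceding hunk uses the same unpinned image.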
@@ -1,19 +1,26 @@ prefix = "cb" project_id = "cb-1003-1696" -zone = "us-central1-b" -region = "us-central1" +zone = "us-central1-b" +region = "us-central1" +regional_cluster = false + +k8s_versions = { + min_master_version : "1.26.5-gke.2100", + core_nodes_version : "1.26.5-gke.2100", + notebook_nodes_version : "1.26.4-gke.1400", +} +# FIXME: We have a temporary core node pool setup with n2-highmem-4 and +# pd-balanced. This node pool still has standard though, but has been +# cordoned. +# core_node_machine_type = "n1-highmem-4" +enable_network_policy = true enable_filestore = true filestore_capacity_gb = 1024 -# Multi-tenant cluster, network policy is required to enforce separation between hubs -enable_network_policy = true - -regional_cluster = false - notebook_nodes = { "user" : { min : 0, From 2c4a941b2cb494633cbd3c665339e23065a16d73 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Thu, 14 Sep 2023 01:19:59 +0200 Subject: [PATCH 111/125] qcl: update metadata to reflect current state --- terraform/gcp/projects/qcl.tfvars | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/terraform/gcp/projects/qcl.tfvars b/terraform/gcp/projects/qcl.tfvars index 5ce11208c4..4d5473fb75 100644 --- a/terraform/gcp/projects/qcl.tfvars +++ b/terraform/gcp/projects/qcl.tfvars @@ -1,13 +1,19 @@ prefix = "qcl" project_id = "qcl-hub" -zone = "europe-west1-d" -region = "europe-west1" +zone = "europe-west1-d" +region = "europe-west1" +regional_cluster = true + +k8s_versions = { + min_master_version : "1.25.10-gke.2700", + core_nodes_version : "1.24.9-gke.3200", + notebook_nodes_version : "1.24.9-gke.3200", +} core_node_machine_type = "n2-highmem-2" enable_network_policy = true -# Setup a filestore for in-cluster NFS enable_filestore = true filestore_capacity_gb = 2048 From a862afe150a5b00019af883ce09a949551dfd127 Mon Sep 17 00:00:00 2001 
From: Erik Sundell Date: Thu, 14 Sep 2023 01:25:24 +0200 Subject: [PATCH 112/125] linked-earth: upgrade k8s 1.26 -> 1.27, transition from e2- to n2- --- .../clusters/linked-earth/common.values.yaml | 4 +-- terraform/gcp/projects/linked-earth.tfvars | 25 +++++++++++++------ 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index f6c9068305..1354a071e2 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -109,7 +109,7 @@ basehub: cpu_limit: null mem_limit: null node_selector: - node.kubernetes.io/instance-type: e2-highmem-4 + node.kubernetes.io/instance-type: n2-highmem-4 - display_name: "Medium: up to 16 CPU / 128 GB RAM" description: *profile_list_description slug: medium @@ -165,7 +165,7 @@ basehub: cpu_limit: null mem_limit: null node_selector: - node.kubernetes.io/instance-type: e2-highmem-16 + node.kubernetes.io/instance-type: n2-highmem-16 dask-gateway: gateway: backend: diff --git a/terraform/gcp/projects/linked-earth.tfvars b/terraform/gcp/projects/linked-earth.tfvars index 170f7c00fd..ee3fb5ecca 100644 --- a/terraform/gcp/projects/linked-earth.tfvars +++ b/terraform/gcp/projects/linked-earth.tfvars @@ -1,11 +1,20 @@ -prefix = "linked-earth" -project_id = "linked-earth-hubs" -zone = "us-central1-c" -region = "us-central1" -core_node_machine_type = "e2-highmem-4" +prefix = "linked-earth" +project_id = "linked-earth-hubs" + +zone = "us-central1-c" +region = "us-central1" +regional_cluster = true + +k8s_versions = { + min_master_version : "1.27.4-gke.900", + core_nodes_version : "1.27.4-gke.900", + notebook_nodes_version : "1.27.4-gke.900", + dask_nodes_version : "1.27.4-gke.900", +} + +core_node_machine_type = "n2-highmem-4" enable_network_policy = true -# Setup a filestore for in-cluster NFS enable_filestore = true filestore_capacity_gb = 1024 
@@ -23,12 +32,12 @@ notebook_nodes = { "small" : { min : 0, max : 100, - machine_type : "e2-highmem-4" + machine_type : "n2-highmem-4" }, "medium" : { min : 0, max : 100, - machine_type : "e2-highmem-16" + machine_type : "n2-highmem-16" }, } From 2eef34046b3559b77176a2035a8f5a8e59fd8193 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Thu, 14 Sep 2023 05:47:12 -0700 Subject: [PATCH 113/125] final incantation --- config/clusters/nasa-veda/common.values.yaml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index f894c327fa..955c4d7236 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -105,7 +105,7 @@ basehub: [ "sh", "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 && ls -lhd /home/jovyan ", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", ] securityContext: runAsUser: 0 @@ -113,6 +113,11 @@ basehub: - name: home mountPath: /home/jovyan subPath: "{username}" + # mounted without readonly attribute here, + # so we can chown it appropriately + - name: home + mountPath: /home/jovyan/shared + subPath: _shared # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init @@ -158,7 +163,7 @@ basehub: [ "sh", "-c", - "id && chown 1000:1000 /home/rstudio && chown 1000:1000 && ls -lhd /home/rstudio ", + "id && chown 1000:1000 /home/rstudio && ls -lhd /home/rstudio ", ] securityContext: runAsUser: 0 From 28312242f42d79adfeadfb25a7f281f5fc1ffa05 Mon Sep 17 00:00:00 2001 
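Review bot: In the nasa-veda hunk that adds the second `home` mount (`mountPath: /home/jovyan/shared`, `subPath: _shared`), the shared directory becomes writable inside a root init container and is set to `1000:1000` on every spawn of this profile. Assuming notebooks run as uid 1000, the only thing that then keeps users from writing to `_shared` is the `readOnly: true` on the user container's own mount, which is visible for the rstudio profile in the earlier patch's context lines. The added comment explains why the mount is writable but not that dependency; I would extend it, e.g. `# _shared becomes owned by 1000:1000; user containers must keep mounting it readOnly`. The `/home/rstudio` hunk drops the operand-less `chown` without adding a matching `_shared` mount, so the two profiles now handle the shared directory differently. The `volumeMounts` list continues outside the hunk.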
From: Erik Sundell Date: Thu, 14 Sep 2023 16:08:56 +0200 Subject: [PATCH 114/125] Revert "Upgrade to z2jh 3.0.2 from 3.0.0-beta.1 - oauthenticator 15.1 bumped to 16.0" --- .../clusters/2i2c-aws-us/cosmicds.values.yaml | 5 +++ .../2i2c-aws-us/dask-staging.values.yaml | 9 ++++ .../2i2c-aws-us/itcoocean.values.yaml | 8 ++-- .../2i2c-aws-us/researchdelight.values.yaml | 6 +-- .../clusters/2i2c-aws-us/staging.values.yaml | 9 ++++ config/clusters/2i2c-uk/lis.values.yaml | 13 +++--- config/clusters/2i2c-uk/staging.values.yaml | 2 + config/clusters/2i2c/aup.values.yaml | 37 ++++----------- .../clusters/2i2c/binder-staging.values.yaml | 2 + config/clusters/2i2c/climatematch.values.yaml | 8 ++-- config/clusters/2i2c/dask-staging.values.yaml | 5 +++ config/clusters/2i2c/demo.values.yaml | 4 ++ .../2i2c/imagebuilding-demo.values.yaml | 4 +- config/clusters/2i2c/mtu.values.yaml | 3 ++ .../clusters/2i2c/neurohackademy.values.yaml | 43 +++++------------- config/clusters/2i2c/staging.values.yaml | 2 + config/clusters/2i2c/temple.values.yaml | 3 ++ config/clusters/2i2c/ucmerced.values.yaml | 3 ++ config/clusters/awi-ciroh/common.values.yaml | 13 +++--- config/clusters/callysto/common.values.yaml | 3 ++ config/clusters/carbonplan/common.values.yaml | 37 ++++----------- .../unitefa-conicet.values.yaml | 2 + config/clusters/cloudbank/bcc.values.yaml | 2 + config/clusters/cloudbank/ccsf.values.yaml | 3 ++ config/clusters/cloudbank/csm.values.yaml | 3 ++ config/clusters/cloudbank/csulb.values.yaml | 4 ++ config/clusters/cloudbank/demo.values.yaml | 3 ++ config/clusters/cloudbank/dvc.values.yaml | 4 ++ .../clusters/cloudbank/elcamino.values.yaml | 3 ++ config/clusters/cloudbank/evc.values.yaml | 4 ++ config/clusters/cloudbank/fresno.values.yaml | 4 ++ .../clusters/cloudbank/glendale.values.yaml | 3 ++ config/clusters/cloudbank/howard.values.yaml | 36 ++++----------- .../clusters/cloudbank/humboldt.values.yaml | 4 ++ config/clusters/cloudbank/lacc.values.yaml | 36 ++++----------- 
config/clusters/cloudbank/laney.values.yaml | 4 ++ config/clusters/cloudbank/mills.values.yaml | 3 ++ .../clusters/cloudbank/miracosta.values.yaml | 4 ++ config/clusters/cloudbank/mission.values.yaml | 3 ++ config/clusters/cloudbank/norco.values.yaml | 4 ++ config/clusters/cloudbank/palomar.values.yaml | 36 ++++----------- .../clusters/cloudbank/pasadena.values.yaml | 3 ++ .../clusters/cloudbank/sacramento.values.yaml | 3 ++ .../clusters/cloudbank/saddleback.values.yaml | 3 ++ .../clusters/cloudbank/santiago.values.yaml | 4 ++ .../clusters/cloudbank/sbcc-dev.values.yaml | 37 ++++----------- config/clusters/cloudbank/sbcc.values.yaml | 37 ++++----------- config/clusters/cloudbank/sjcc.values.yaml | 4 ++ config/clusters/cloudbank/sjsu.values.yaml | 4 ++ config/clusters/cloudbank/skyline.values.yaml | 3 ++ config/clusters/cloudbank/srjc.values.yaml | 3 ++ config/clusters/cloudbank/staging.values.yaml | 36 ++++----------- .../clusters/cloudbank/tuskegee.values.yaml | 36 ++++----------- config/clusters/gridsst/common.values.yaml | 37 +++------------ .../common.values.yaml | 45 ++++++------------- config/clusters/leap/common.values.yaml | 15 ++++--- .../clusters/linked-earth/common.values.yaml | 9 ++-- config/clusters/m2lines/common.values.yaml | 13 +++--- config/clusters/meom-ige/common.values.yaml | 37 ++++----------- config/clusters/nasa-cryo/common.values.yaml | 36 ++++++++------- config/clusters/nasa-veda/common.values.yaml | 2 +- config/clusters/openscapes/common.values.yaml | 39 +++++----------- .../clusters/openscapes/staging.values.yaml | 2 +- .../clusters/pangeo-hubs/coessing.values.yaml | 43 +++++------------- .../clusters/pangeo-hubs/common.values.yaml | 15 ++++--- config/clusters/qcl/common.values.yaml | 19 +++++--- .../clusters/smithsonian/common.values.yaml | 3 ++ config/clusters/ubc-eoas/common.values.yaml | 3 ++ config/clusters/utoronto/common.values.yaml | 2 + config/clusters/victor/common.values.yaml | 11 +++-- docs/howto/features/per-user-db.md | 8 
++-- .../configure-auth/cilogon.md | 8 ++++ docs/topic/infrastructure/storage-layer.md | 8 ++-- helm-charts/basehub/Chart.yaml | 2 +- helm-charts/basehub/values.yaml | 20 +++++---- helm-charts/chartpress.yaml | 22 +++------ helm-charts/images/hub/Dockerfile | 6 +-- .../dynamic-image-building-requirements.txt | 2 +- 78 files changed, 425 insertions(+), 539 deletions(-) diff --git a/config/clusters/2i2c-aws-us/cosmicds.values.yaml b/config/clusters/2i2c-aws-us/cosmicds.values.yaml index 2322f13c54..77931e0b27 100644 --- a/config/clusters/2i2c-aws-us/cosmicds.values.yaml +++ b/config/clusters/2i2c-aws-us/cosmicds.values.yaml @@ -76,7 +76,12 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "email" + - "profile" oauth_callback_url: https://cosmicds.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/2i2c-aws-us/dask-staging.values.yaml b/config/clusters/2i2c-aws-us/dask-staging.values.yaml index ef475a47b1..49def94b2c 100644 --- a/config/clusters/2i2c-aws-us/dask-staging.values.yaml +++ b/config/clusters/2i2c-aws-us/dask-staging.values.yaml @@ -33,6 +33,15 @@ basehub: tag: "2022.06.02" hub: config: + Authenticator: + # This hub uses GitHub Org auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. + # + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: diff --git a/config/clusters/2i2c-aws-us/itcoocean.values.yaml b/config/clusters/2i2c-aws-us/itcoocean.values.yaml index a2754241fa..7a9c19ae54 100644 --- a/config/clusters/2i2c-aws-us/itcoocean.values.yaml 
+++ b/config/clusters/2i2c-aws-us/itcoocean.values.yaml @@ -57,9 +57,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 6326b3fc18..c7163a272c 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -30,10 +30,12 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: authenticator_class: github + Authenticator: + enable_auth_state: true GitHubOAuthenticator: populate_teams_in_auth_state: true allowed_organizations: @@ -41,8 +43,6 @@ basehub: - 2i2c-org:research-delight-team scope: - read:org - Authenticator: - enable_auth_state: true singleuser: image: name: quay.io/2i2c/researchdelight-image diff --git a/config/clusters/2i2c-aws-us/staging.values.yaml b/config/clusters/2i2c-aws-us/staging.values.yaml index 7d839d7b3d..13e68094d4 100644 --- a/config/clusters/2i2c-aws-us/staging.values.yaml +++ b/config/clusters/2i2c-aws-us/staging.values.yaml 
@@ -28,6 +28,15 @@ jupyterhub: url: https://2i2c.org hub: config: + Authenticator: + # This hub uses GitHub Org auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. + # + # You must always set admin_users, even if it is an empty list, + # otherwise `add_staff_user_ids_to_admin_users: true` will fail + # silently and no staff members will have admin access. + admin_users: [] JupyterHub: authenticator_class: "github" GitHubOAuthenticator: diff --git a/config/clusters/2i2c-uk/lis.values.yaml b/config/clusters/2i2c-uk/lis.values.yaml index 8c6e3d943b..87c0ea6207 100644 --- a/config/clusters/2i2c-uk/lis.values.yaml +++ b/config/clusters/2i2c-uk/lis.values.yaml @@ -49,14 +49,17 @@ jupyterhub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - LaCrecerelle + - matthew-brett GitHubOAuthenticator: - oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" allowed_organizations: - 2i2c-org - lisacuk scope: - read:org - Authenticator: - admin_users: - - LaCrecerelle - - matthew-brett + oauth_callback_url: "https://ds.lis.2i2c.cloud/hub/oauth_callback" diff --git a/config/clusters/2i2c-uk/staging.values.yaml b/config/clusters/2i2c-uk/staging.values.yaml index 6e6535a155..26778efe99 100644 --- a/config/clusters/2i2c-uk/staging.values.yaml +++ b/config/clusters/2i2c-uk/staging.values.yaml @@ -39,6 +39,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.uk.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/aup.values.yaml b/config/clusters/2i2c/aup.values.yaml index beec96e623..5165598e51 100644 
--- a/config/clusters/2i2c/aup.values.yaml +++ b/config/clusters/2i2c/aup.values.yaml @@ -37,40 +37,21 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: "https://aup.pilot.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &aup_users - swalker - shaolintl + admin_users: *aup_users 
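Review bot: The reverted `Authenticator` block removes the WARNING that taking a user out of `admin_users` or `allowed_users` does not revoke their access, yet the new FIXME says that on z2jh 3.0.0-beta.1 a truthy `allowed_users` already implies `allow_existing_users=True`. If that is right, the revocation caveat still applies after the revert and the operator guidance is lost with the comment. I would keep a short form above `allowed_users`, e.g. `# NOTE: removing a user here does not revoke access; also delete the user in /hub/admin`. The FIXME also reads `z3jh 3.0.0`, presumably meaning `z2jh`. The neurohackademy and carbonplan hunks make the same replacement.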
diff --git a/config/clusters/2i2c/binder-staging.values.yaml b/config/clusters/2i2c/binder-staging.values.yaml index 8bc852e22b..ff4227152d 100644 --- a/config/clusters/2i2c/binder-staging.values.yaml +++ b/config/clusters/2i2c/binder-staging.values.yaml @@ -83,6 +83,8 @@ binderhub: - yuvipanda@2i2c.org CILogonOAuthenticator: oauth_callback_url: "https://binder-staging.hub.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/climatematch.values.yaml b/config/clusters/2i2c/climatematch.values.yaml index 5396702629..a982022793 100644 --- a/config/clusters/2i2c/climatematch.values.yaml +++ b/config/clusters/2i2c/climatematch.values.yaml @@ -39,9 +39,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/2i2c/dask-staging.values.yaml b/config/clusters/2i2c/dask-staging.values.yaml index bb4ffaafa7..0a0119ed56 100644 --- a/config/clusters/2i2c/dask-staging.values.yaml +++ b/config/clusters/2i2c/dask-staging.values.yaml @@ -44,7 +44,12 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "email" + - "profile" oauth_callback_url: "https://dask-staging.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/demo.values.yaml b/config/clusters/2i2c/demo.values.yaml index f43990eab6..134f3c351b 100644 --- a/config/clusters/2i2c/demo.values.yaml +++ b/config/clusters/2i2c/demo.values.yaml 
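Review bot: In the dask-staging hunk the re-added `shown_idps` entry `http://accounts.google.com/o/oauth2/auth` does not match the only visible `allowed_idps` key, `http://google.com/accounts/o8/id`. If CILogon does not treat the two identifiers as equivalent, the login page would offer a provider the authenticator then rejects, or hide the one that is allowed. I would use the same identifier in both places: `- http://google.com/accounts/o8/id`. The neurohackademy hunk has a similar mismatch (`https://github.com/login/oauth/authorize` shown, `http://github.com/login/oauth/authorize` allowed), and the callysto hunk shows `https://accounts.google.com/o/oauth2/auth` against an allowed `http://google.com/accounts/o8/id`. The `allowed_idps` mapping continues outside the hunk.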
@@ -31,6 +31,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.2i2c.cloud/hub/oauth_callback + shown_idps: + # Allow Google for 2i2c.org anr dmbl + - https://accounts.google.com/o/oauth2/auth + - https://enterprise.login.utexas.edu/idp/shibboleth allowed_idps: # UTexas hub https://enterprise.login.utexas.edu/idp/shibboleth: diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 17e2a1c013..50f311916e 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -60,12 +60,14 @@ jupyterhub: hub: image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6765.h33942a27" config: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/mtu.values.yaml b/config/clusters/2i2c/mtu.values.yaml index 987dec4528..040b7a27f2 100644 --- a/config/clusters/2i2c/mtu.values.yaml +++ b/config/clusters/2i2c/mtu.values.yaml @@ -39,6 +39,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://mtu.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://sso.mtu.edu/idp/shibboleth allowed_idps: # Allow 2i2c staff to login with Google http://google.com/accounts/o8/id: diff --git a/config/clusters/2i2c/neurohackademy.values.yaml b/config/clusters/2i2c/neurohackademy.values.yaml index 97df782ea4..f5fba70b7f 100644 --- a/config/clusters/2i2c/neurohackademy.values.yaml +++ b/config/clusters/2i2c/neurohackademy.values.yaml 
@@ -55,43 +55,24 @@ jupyterhub: config: JupyterHub: authenticator_class: cilogon + Authenticator: + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: &neurohackademy_users + - arokem + admin_users: *neurohackademy_users CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: https://neurohackademy.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True - Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: - - arokem extraFiles: configurator-schema-default: data: 
diff --git a/config/clusters/2i2c/staging.values.yaml b/config/clusters/2i2c/staging.values.yaml index c37f1e6f97..bd95f724f0 100644 --- a/config/clusters/2i2c/staging.values.yaml +++ b/config/clusters/2i2c/staging.values.yaml @@ -56,6 +56,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/2i2c/temple.values.yaml b/config/clusters/2i2c/temple.values.yaml index 5285b79915..4ee80ae16b 100644 --- a/config/clusters/2i2c/temple.values.yaml +++ b/config/clusters/2i2c/temple.values.yaml @@ -34,6 +34,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://temple.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://fim.temple.edu/idp/shibboleth + - https://accounts.google.com/o/oauth2/auth allowed_idps: https://fim.temple.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/2i2c/ucmerced.values.yaml b/config/clusters/2i2c/ucmerced.values.yaml index bfe3f70435..2f6801e162 100644 --- a/config/clusters/2i2c/ucmerced.values.yaml +++ b/config/clusters/2i2c/ucmerced.values.yaml @@ -38,6 +38,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://ucmerced.2i2c.cloud/hub/oauth_callback + shown_idps: + - urn:mace:incommon:ucmerced.edu + - https://accounts.google.com/o/oauth2/auth allowed_idps: urn:mace:incommon:ucmerced.edu: username_derivation: diff --git a/config/clusters/awi-ciroh/common.values.yaml b/config/clusters/awi-ciroh/common.values.yaml index e05c6c001d..344f2982cd 100644 --- a/config/clusters/awi-ciroh/common.values.yaml +++ b/config/clusters/awi-ciroh/common.values.yaml 
@@ -33,6 +33,14 @@ basehub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - jameshalgren + - arpita0911patel + - karnesh GitHubOAuthenticator: allowed_organizations: - 2i2c-org @@ -40,11 +48,6 @@ basehub: - NOAA-OWP scope: - read:org - Authenticator: - admin_users: - - jameshalgren - - arpita0911patel - - karnesh singleuser: image: # Image build repo: https://github.com/2i2c-org/awi-ciroh-image diff --git a/config/clusters/callysto/common.values.yaml b/config/clusters/callysto/common.values.yaml index d458fe5809..045570e4f8 100644 --- a/config/clusters/callysto/common.values.yaml +++ b/config/clusters/callysto/common.values.yaml @@ -136,6 +136,9 @@ jupyterhub: - "102749090965437723445" # Byron Chu (Cybera) - "115909958579864751636" # Michael Jones (Cybera) - "106951135662332329542" # Elmar Bouwer (Cybera) + shown_idps: + - https://accounts.google.com/o/oauth2/auth + - https://login.microsoftonline.com/common/oauth2/v2.0/authorize allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/carbonplan/common.values.yaml b/config/clusters/carbonplan/common.values.yaml index cb99bac399..28a0dd8685 100644 --- a/config/clusters/carbonplan/common.values.yaml +++ b/config/clusters/carbonplan/common.values.yaml 
@@ -188,41 +188,22 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. # - admin_users: + allowed_users: &users - maxrjones + admin_users: *users dask-gateway: traefik: diff --git a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml index 700d3b59d9..a2df37b761 100644 
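Review bot: `admin_users: *users` aliases the same list anchored at `allowed_users: &users`, so any name later appended under `allowed_users` silently becomes a hub admin as well. That is harmless while the list holds only admins, but nothing in the file says so; add a comment above the anchor such as `# Every entry here is also an admin (admin_users aliases this list); keep non-admin users in a separate list.` The same pattern is introduced in the cloudbank howard, lacc, palomar, sbcc-dev, sbcc, staging and tuskegee hunks and in gridsst common.values.yaml. The anchor name `&users` is also less specific than the `&howard_users`-style names used in those files.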
--- a/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml +++ b/config/clusters/catalystproject-latam/unitefa-conicet.values.yaml @@ -33,6 +33,8 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://unitefa-conicet.latam.catalystproject.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: # The username claim here is used to do *authorization*, for both # admin use and any allow listing we want to do. diff --git a/config/clusters/cloudbank/bcc.values.yaml b/config/clusters/cloudbank/bcc.values.yaml index 82efa8756e..639ca29399 100644 --- a/config/clusters/cloudbank/bcc.values.yaml +++ b/config/clusters/cloudbank/bcc.values.yaml @@ -33,6 +33,8 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://bcc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/ccsf.values.yaml b/config/clusters/cloudbank/ccsf.values.yaml index 133c1ecbbf..33973fe355 100644 --- a/config/clusters/cloudbank/ccsf.values.yaml +++ b/config/clusters/cloudbank/ccsf.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://ccsf.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csm.values.yaml b/config/clusters/cloudbank/csm.values.yaml index 212bb96c36..240ea4039e 100644 --- a/config/clusters/cloudbank/csm.values.yaml +++ b/config/clusters/cloudbank/csm.values.yaml 
@@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csm.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/csulb.values.yaml b/config/clusters/cloudbank/csulb.values.yaml index 554bac1627..4ae0342c76 100644 --- a/config/clusters/cloudbank/csulb.values.yaml +++ b/config/clusters/cloudbank/csulb.values.yaml @@ -35,6 +35,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://csulb.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://its-shib.its.csulb.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/demo.values.yaml b/config/clusters/cloudbank/demo.values.yaml index 582082b218..6fdfc4d9b6 100644 --- a/config/clusters/cloudbank/demo.values.yaml +++ b/config/clusters/cloudbank/demo.values.yaml @@ -38,6 +38,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://demo.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/dvc.values.yaml b/config/clusters/cloudbank/dvc.values.yaml index d3a1e06dcf..2ad2b663a4 100644 --- a/config/clusters/cloudbank/dvc.values.yaml +++ b/config/clusters/cloudbank/dvc.values.yaml 
@@ -33,6 +33,10 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://dvc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/elcamino.values.yaml b/config/clusters/cloudbank/elcamino.values.yaml index 2251ab5601..c17106e95e 100644 --- a/config/clusters/cloudbank/elcamino.values.yaml +++ b/config/clusters/cloudbank/elcamino.values.yaml @@ -34,6 +34,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://elcamino.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/evc.values.yaml b/config/clusters/cloudbank/evc.values.yaml index d0b4a04c28..2ff4485923 100644 --- a/config/clusters/cloudbank/evc.values.yaml +++ b/config/clusters/cloudbank/evc.values.yaml @@ -33,6 +33,10 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://evc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/fresno.values.yaml b/config/clusters/cloudbank/fresno.values.yaml index aa68e5cd00..82b4ae01c4 100644 --- a/config/clusters/cloudbank/fresno.values.yaml +++ b/config/clusters/cloudbank/fresno.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://fresno.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - https://idp.scccd.edu/idp/shibboleth + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: https://idp.scccd.edu/idp/shibboleth: username_derivation: diff --git a/config/clusters/cloudbank/glendale.values.yaml b/config/clusters/cloudbank/glendale.values.yaml index e061af47a1..6e2907e48c 100644 --- a/config/clusters/cloudbank/glendale.values.yaml +++ b/config/clusters/cloudbank/glendale.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://glendale.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/howard.values.yaml b/config/clusters/cloudbank/howard.values.yaml index 5e77e99332..47230603e2 100644 --- a/config/clusters/cloudbank/howard.values.yaml +++ b/config/clusters/cloudbank/howard.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://howard.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,37 +39,14 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &howard_users - ericvd@berkeley.edu - gwashington@scs.howard.edu - anthony.fgordon64@gmail.com - mikayladorange@gmail.com + admin_users: *howard_users diff --git a/config/clusters/cloudbank/humboldt.values.yaml b/config/clusters/cloudbank/humboldt.values.yaml index a23fb82f0e..b8b5687663 100644 --- a/config/clusters/cloudbank/humboldt.values.yaml +++ b/config/clusters/cloudbank/humboldt.values.yaml 
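Review bot: The deleted WARNING blocks were the only place that told operators that removing a name from `admin_users` or `allowed_users` does not revoke access. The new FIXME says `allow_existing_users=True` is still implied by a truthy `allowed_users` on this chart version, so that caveat appears to remain true after this change. Keep a short form next to the list, for example `# NOTE: removing a user here does not revoke access or admin status; after deploying, also remove them via /hub/admin.` The FIXME also reads `z3jh 3.0.0` where `z2jh 3.0.0` is presumably meant, and it should name the setting to restore on upgrade (`OAuthenticator.allow_existing_users`, the key removed here). This applies equally to the carbonplan, lacc, palomar, sbcc-dev, sbcc, staging, tuskegee and gridsst hunks.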
@@ -38,6 +38,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://humboldt.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://sso.humboldt.edu/idp/metadata + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/lacc.values.yaml b/config/clusters/cloudbank/lacc.values.yaml index 8c6c41b29a..d0cfb85396 100644 --- a/config/clusters/cloudbank/lacc.values.yaml +++ b/config/clusters/cloudbank/lacc.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://lacc.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,38 +39,15 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &lacc_users - PINEDAEM@laccd.edu - LAMKT@laccd.edu - ericvd@berkeley.edu - k_usovich@berkeley.edu - sean.smorris@berkeley.edu + admin_users: *lacc_users diff --git a/config/clusters/cloudbank/laney.values.yaml b/config/clusters/cloudbank/laney.values.yaml index 030a83fda3..635b814676 100644 --- a/config/clusters/cloudbank/laney.values.yaml +++ b/config/clusters/cloudbank/laney.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://laney.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/mills.values.yaml b/config/clusters/cloudbank/mills.values.yaml index aac9ca925a..3ab1ed7d43 100644 --- a/config/clusters/cloudbank/mills.values.yaml +++ b/config/clusters/cloudbank/mills.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://datahub.mills.edu/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/miracosta.values.yaml b/config/clusters/cloudbank/miracosta.values.yaml index 498591ee0c..571cf69625 100644 --- a/config/clusters/cloudbank/miracosta.values.yaml +++ b/config/clusters/cloudbank/miracosta.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://miracosta.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://miracosta.fedgw.com/gateway + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/mission.values.yaml b/config/clusters/cloudbank/mission.values.yaml index 8201315abe..16603ec4cf 100644 --- a/config/clusters/cloudbank/mission.values.yaml +++ b/config/clusters/cloudbank/mission.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://mission.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/norco.values.yaml b/config/clusters/cloudbank/norco.values.yaml index cfdbaf302a..5d42630565 100644 --- a/config/clusters/cloudbank/norco.values.yaml +++ b/config/clusters/cloudbank/norco.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://norco.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/palomar.values.yaml b/config/clusters/cloudbank/palomar.values.yaml index 91dcb3349c..ed70944609 100644 --- a/config/clusters/cloudbank/palomar.values.yaml +++ b/config/clusters/cloudbank/palomar.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://palomar.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,37 +39,14 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &palomar_users - aculich@berkeley.edu - sean.smorris@berkeley.edu - tcanon@palomar.edu - PChen@palomar.edu + admin_users: *palomar_users diff --git a/config/clusters/cloudbank/pasadena.values.yaml b/config/clusters/cloudbank/pasadena.values.yaml index a2d10d2a68..34d3e1f0fb 100644 --- a/config/clusters/cloudbank/pasadena.values.yaml +++ b/config/clusters/cloudbank/pasadena.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://pasadena.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/sacramento.values.yaml b/config/clusters/cloudbank/sacramento.values.yaml index 41d5bab610..3ad1eea699 100644 --- a/config/clusters/cloudbank/sacramento.values.yaml +++ b/config/clusters/cloudbank/sacramento.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sacramento.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/saddleback.values.yaml b/config/clusters/cloudbank/saddleback.values.yaml index 04bb50c6e0..b266acf112 100644 --- a/config/clusters/cloudbank/saddleback.values.yaml +++ b/config/clusters/cloudbank/saddleback.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://saddleback.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/santiago.values.yaml b/config/clusters/cloudbank/santiago.values.yaml index 64584ef345..8b7bb5f559 100644 --- a/config/clusters/cloudbank/santiago.values.yaml +++ b/config/clusters/cloudbank/santiago.values.yaml 
@@ -35,6 +35,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://santiago.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sbcc-dev.values.yaml b/config/clusters/cloudbank/sbcc-dev.values.yaml index 98e01568a0..b9a5978e26 100644 --- a/config/clusters/cloudbank/sbcc-dev.values.yaml +++ b/config/clusters/cloudbank/sbcc-dev.values.yaml @@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc-dev.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://idp.sbcc.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,36 +43,13 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu + admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sbcc.values.yaml b/config/clusters/cloudbank/sbcc.values.yaml index 2fc8495102..bc6de536b7 100644 --- a/config/clusters/cloudbank/sbcc.values.yaml +++ b/config/clusters/cloudbank/sbcc.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://sbcc.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - https://idp.sbcc.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -39,36 +43,13 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &sbcc_users - ericvd@gmail.com - sean.smorris@berkeley.edu - nfguebels@pipeline.sbcc.edu + admin_users: *sbcc_users diff --git a/config/clusters/cloudbank/sjcc.values.yaml b/config/clusters/cloudbank/sjcc.values.yaml index ea7c8b661c..c7e631b968 100644 --- a/config/clusters/cloudbank/sjcc.values.yaml +++ b/config/clusters/cloudbank/sjcc.values.yaml 
@@ -29,6 +29,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjcc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://login.microsoftonline.com/common/oauth2/v2.0/authorize + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://login.microsoftonline.com/common/oauth2/v2.0/authorize: username_derivation: diff --git a/config/clusters/cloudbank/sjsu.values.yaml b/config/clusters/cloudbank/sjsu.values.yaml index 8272328530..eba295012f 100644 --- a/config/clusters/cloudbank/sjsu.values.yaml +++ b/config/clusters/cloudbank/sjsu.values.yaml @@ -38,6 +38,10 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://sjsu.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - https://idp01.sjsu.edu/idp/shibboleth + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/skyline.values.yaml b/config/clusters/cloudbank/skyline.values.yaml index 6473ee80de..55ba9646aa 100644 --- a/config/clusters/cloudbank/skyline.values.yaml +++ b/config/clusters/cloudbank/skyline.values.yaml @@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://skyline.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/srjc.values.yaml b/config/clusters/cloudbank/srjc.values.yaml index 9f94a9a215..55123f9bed 100644 --- a/config/clusters/cloudbank/srjc.values.yaml +++ b/config/clusters/cloudbank/srjc.values.yaml 
@@ -35,6 +35,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: https://srjc.cloudbank.2i2c.cloud/hub/oauth_callback + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: diff --git a/config/clusters/cloudbank/staging.values.yaml b/config/clusters/cloudbank/staging.values.yaml index b45e22d8ae..3d2667584c 100644 --- a/config/clusters/cloudbank/staging.values.yaml +++ b/config/clusters/cloudbank/staging.values.yaml @@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://staging.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: 
@@ -36,34 +39,11 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &staging_users - sean.smorris@berkeley.edu + admin_users: *staging_users diff --git a/config/clusters/cloudbank/tuskegee.values.yaml b/config/clusters/cloudbank/tuskegee.values.yaml index 40d56e897c..6a2bd2b849 100644 --- a/config/clusters/cloudbank/tuskegee.values.yaml +++ b/config/clusters/cloudbank/tuskegee.values.yaml 
@@ -29,6 +29,9 @@ jupyterhub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://tuskegee.cloudbank.2i2c.cloud/hub/oauth_callback" + shown_idps: + - http://google.com/accounts/o8/id + - urn:mace:incommon:berkeley.edu allowed_idps: http://google.com/accounts/o8/id: username_derivation: @@ -36,36 +39,12 @@ jupyterhub: urn:mace:incommon:berkeley.edu: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &tuskegee_users - yasmeen.rawajfih@gmail.com - Wu.fan01@gmail.com - yanlisa@berkeley.edu 
@@ -73,3 +52,4 @@ jupyterhub: - ericvd@berkeley.edu - sean.smorris@berkeley.edu - sean.smorris@gmail.com + admin_users: *tuskegee_users diff --git a/config/clusters/gridsst/common.values.yaml b/config/clusters/gridsst/common.values.yaml index b2bffbfd94..718e911de3 100644 --- a/config/clusters/gridsst/common.values.yaml +++ b/config/clusters/gridsst/common.values.yaml 
@@ -36,41 +36,18 @@ basehub: url: https://science.nasa.gov/earth-science/focus-areas/climate-variability-and-change/ocean-physics hub: config: - JupyterHub: - authenticator_class: github - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to + # be configured explicitly. # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: + allowed_users: &gridsst_users - alisonrgray - nikki-t - dgumustel + admin_users: *gridsst_users + JupyterHub: + authenticator_class: github singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods 
diff --git a/config/clusters/jupyter-meets-the-earth/common.values.yaml b/config/clusters/jupyter-meets-the-earth/common.values.yaml index dd9f7364e5..ff8a41e278 100644 --- a/config/clusters/jupyter-meets-the-earth/common.values.yaml +++ b/config/clusters/jupyter-meets-the-earth/common.values.yaml @@ -49,9 +49,11 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan", + ] securityContext: runAsUser: 0 volumeMounts: 
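Review bot: The `volume-mount-ownership-fix` init container touched here runs with `runAsUser: 0` from `image: busybox`, which carries no tag or digest, so whatever the registry serves for the default tag at pull time runs as root over `/home/jovyan`. The hunk only restyles `command`, so the pin is still open: `image: busybox:<PINNED_TAG>@sha256:<DIGEST>` (placeholders; use the values your registry policy approves). The same container definition shows up in the nasa-cryo, qcl and basehub `values.yaml` hunks. The container definition starts and ends outside this hunk.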
@@ -220,40 +222,20 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &users # This is just listing a few of the users/admins, a lot of # users has been added manually, see: # https://github.com/pangeo-data/jupyter-earth/issues/53 
@@ -273,6 +255,7 @@ basehub: - whyjz # Whyjay Zheng - yuvipanda # Yuvi Panda - jonathan-taylor # Jonathan Taylor + admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/leap/common.values.yaml b/config/clusters/leap/common.values.yaml index 7c1684b87b..bd4d000c24 100644 --- a/config/clusters/leap/common.values.yaml +++ b/config/clusters/leap/common.values.yaml @@ -39,9 +39,17 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: + Authenticator: + enable_auth_state: true + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - jbusecke JupyterHub: authenticator_class: github # Announcement is a JupyterHub feature to present messages to users in @@ -68,11 +76,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - enable_auth_state: true - admin_users: - - rabernat - - jbusecke singleuser: image: name: pangeo/pangeo-notebook diff --git a/config/clusters/linked-earth/common.values.yaml b/config/clusters/linked-earth/common.values.yaml index 9daf307323..1354a071e2 100644 --- a/config/clusters/linked-earth/common.values.yaml +++ b/config/clusters/linked-earth/common.values.yaml @@ -33,15 +33,18 @@ basehub: config: JupyterHub: authenticator_class: github + Authenticator: + # This hub uses GitHub Orgs auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed orgs. These people should have admin access though. + admin_users: + - khider GitHubOAuthenticator: allowed_organizations: - 2i2c-org - LinkedEarth scope: - read:org - Authenticator: - admin_users: - - khider singleuser: image: # User image repo: https://quay.io/repository/linkedearth/pyleoclim 
diff --git a/config/clusters/m2lines/common.values.yaml b/config/clusters/m2lines/common.values.yaml index 08ab1f3824..d624a11e24 100644 --- a/config/clusters/m2lines/common.values.yaml +++ b/config/clusters/m2lines/common.values.yaml @@ -39,6 +39,14 @@ basehub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - johannag126 + - jbusecke JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -47,11 +55,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - admin_users: - - rabernat - - johannag126 - - jbusecke singleuser: extraFiles: jupyter_notebook_config.json: diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index dd8c89f62b..954c78e975 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
@@ -87,43 +87,24 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. # - admin_users: + allowed_users: &users - roxyboy - lesommer - auraoupa + admin_users: *users allowNamedServers: true dask-gateway: diff --git a/config/clusters/nasa-cryo/common.values.yaml b/config/clusters/nasa-cryo/common.values.yaml index 067d059051..53ef4e3997 100644 
--- a/config/clusters/nasa-cryo/common.values.yaml +++ b/config/clusters/nasa-cryo/common.values.yaml @@ -37,22 +37,13 @@ basehub: hub: allowNamedServers: true config: - JupyterHub: - authenticator_class: github - GitHubOAuthenticator: - # We are restricting profiles based on GitHub Team membership and - # so need to populate the teams in the auth state - populate_teams_in_auth_state: true - allowed_organizations: - - 2i2c-org:hub-access-for-2i2c-staff - - CryoInTheCloud:cryoclouduser - - CryoInTheCloud:cryocloudadvanced - scope: - - read:org Authenticator: # We are restricting profiles based on GitHub Team membership and # so need to persist auth state enable_auth_state: true + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. admin_users: - tsnow03 - JessicaS11 @@ -61,7 +52,18 @@ basehub: - fperez - scottyhq - jomey - + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + # We are restricting profiles based on GitHub Team membership and + # so need to populate the teams in the auth state + populate_teams_in_auth_state: true + allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff + - CryoInTheCloud:cryoclouduser + - CryoInTheCloud:cryocloudadvanced + scope: + - read:org singleuser: extraFiles: # jupyter_server_config.json is defined by basehub, this entry adds to it @@ -89,9 +91,11 @@ basehub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: 
diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 8d3a55327d..2eb76b999e 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -34,7 +34,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" allowNamedServers: true config: Authenticator: diff --git a/config/clusters/openscapes/common.values.yaml b/config/clusters/openscapes/common.values.yaml index 429becc556..cb4feca425 100644 --- a/config/clusters/openscapes/common.values.yaml +++ b/config/clusters/openscapes/common.values.yaml 
@@ -54,44 +54,25 @@ basehub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: username_claim: "preferred_username" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. - # - admin_users: + admin_users: &users - amfriesz - jules32 - erinmr - betolink + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: *users dask-gateway: gateway: extraConfig: diff --git a/config/clusters/openscapes/staging.values.yaml b/config/clusters/openscapes/staging.values.yaml index 466c1060d6..13fcfa7ec1 100644 
--- a/config/clusters/openscapes/staging.values.yaml +++ b/config/clusters/openscapes/staging.values.yaml @@ -122,7 +122,7 @@ basehub: hub: image: name: quay.io/2i2c/unlisted-choice-experiment - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6863.h406a3546" config: CILogonOAuthenticator: oauth_callback_url: "https://staging.openscapes.2i2c.cloud/hub/oauth_callback" diff --git a/config/clusters/pangeo-hubs/coessing.values.yaml b/config/clusters/pangeo-hubs/coessing.values.yaml index 0235e3e56c..5bdcffc433 100644 --- a/config/clusters/pangeo-hubs/coessing.values.yaml +++ b/config/clusters/pangeo-hubs/coessing.values.yaml 
@@ -34,42 +34,23 @@ basehub: node.kubernetes.io/instance-type: n1-standard-2 hub: config: + Authenticator: + admin_users: &admin_users + - paigemar@umich.edu + # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies + # allow_existing_users=True, while in z3jh 3.0.0 this needs to be + # configured explicitly. + # + allowed_users: *admin_users + # Delete any prior existing users in the db that don't pass username_pattern + delete_invalid_users: true JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: oauth_callback_url: "https://coessing.2i2c.cloud/hub/oauth_callback" + shown_idps: + - https://accounts.google.com/o/oauth2/auth allowed_idps: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" - OAuthenticator: - # WARNING: Don't use allow_existing_users with config to allow an - # externally managed group of users, such as - # GitHubOAuthenticator.allowed_organizations, as it breaks a - # common expectations for an admin user. - # - # The broken expectation is that removing a user from the - # externally managed group implies that the user won't have - # access any more. In practice the user will still have - # access if it had logged in once before, as it then exists - # in JupyterHub's database of users. - # - allow_existing_users: True - Authenticator: - # WARNING: Removing a user from admin_users or allowed_users doesn't - # revoke admin status or access. - # - # OAuthenticator.allow_existing_users allows any user in the - # JupyterHub database of users able to login. This includes - # any previously logged in user or user previously listed in - # allowed_users or admin_users, as such users are added to - # JupyterHub's database on startup. - # - # To revoke admin status or access for a user when - # allow_existing_users is enabled, first remove the user from - # admin_users or allowed_users, then deploy the change, and - # finally revoke the admin status or delete the user via the - # /hub/admin panel. 
- # - admin_users: - - paigemar@umich.edu diff --git a/config/clusters/pangeo-hubs/common.values.yaml b/config/clusters/pangeo-hubs/common.values.yaml index e9d9dc23b8..2c4bef29bf 100644 --- a/config/clusters/pangeo-hubs/common.values.yaml +++ b/config/clusters/pangeo-hubs/common.values.yaml @@ -38,6 +38,15 @@ basehub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - rabernat + - jhamman + - scottyhq + - TomAugspurger JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -46,12 +55,6 @@ basehub: - 2i2c-org:hub-access-for-2i2c-staff scope: - read:org - Authenticator: - admin_users: - - rabernat - - jhamman - - scottyhq - - TomAugspurger singleuser: extraEnv: GH_SCOPED_CREDS_CLIENT_ID: "Iv1.c90ee430400a347f" diff --git a/config/clusters/qcl/common.values.yaml b/config/clusters/qcl/common.values.yaml index 1d1eddc558..2587614226 100644 --- a/config/clusters/qcl/common.values.yaml +++ b/config/clusters/qcl/common.values.yaml @@ -36,6 +36,13 @@ jupyterhub: hub: allowNamedServers: true config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - gizmo404 + - jtkmckenna JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -44,10 +51,6 @@ jupyterhub: - QuantifiedCarbon:jupyterhub scope: - read:org - Authenticator: - admin_users: - - gizmo404 - - jtkmckenna singleuser: image: # pangeo/pangeo-notebook is maintained at: https://github.com/pangeo-data/pangeo-docker-images 
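Review bot: In the `coessing.values.yaml` hunk, `shown_idps` lists `https://accounts.google.com/o/oauth2/auth` while the only key under `allowed_idps` is `http://google.com/accounts/o8/id`, so the provider offered at login is not the identifier the allow list names. Unless the two are deliberately different, make them match, e.g. `- http://google.com/accounts/o8/id` under `shown_idps`, as the other CILogon hubs in this patch do. The comment on `delete_invalid_users: true` refers to `username_pattern`, which is not set anywhere in this hunk. Since that option deletes accounts from the hub database, the comment should say where the pattern is defined so a reader can tell which users will be removed.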
@@ -228,9 +231,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml index 3a8aba9abc..499066f1ff 100644 --- a/config/clusters/smithsonian/common.values.yaml +++ b/config/clusters/smithsonian/common.values.yaml @@ -48,6 +48,9 @@ basehub: - read:org Authenticator: enable_auth_state: true + # This hub uses GitHub Orgs auth and so we don't set allowed_users in + # order to not deny access to valid members of the listed orgs. These + # people should have admin access though. admin_users: - MikeTrizna # Mike Trizna - rdikow # Rebecca Dikow diff --git a/config/clusters/ubc-eoas/common.values.yaml b/config/clusters/ubc-eoas/common.values.yaml index bdf33cc29f..fbbbf9ec92 100644 --- a/config/clusters/ubc-eoas/common.values.yaml +++ b/config/clusters/ubc-eoas/common.values.yaml @@ -42,6 +42,9 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + shown_idps: + - https://authentication.ubc.ca + - http://google.com/accounts/o8/id allowed_idps: https://authentication.ubc.ca: username_derivation: diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml index a47175f4f8..984e89b54c 100644 --- a/config/clusters/utoronto/common.values.yaml +++ b/config/clusters/utoronto/common.values.yaml 
@@ -81,6 +81,8 @@ jupyterhub: config: CILogonOAuthenticator: oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback + shown_idps: + - https://idpz.utorauth.utoronto.ca/shibboleth allowed_idps: https://idpz.utorauth.utoronto.ca/shibboleth: username_derivation: diff --git a/config/clusters/victor/common.values.yaml b/config/clusters/victor/common.values.yaml index 4efda07888..47136ec38c 100644 --- a/config/clusters/victor/common.values.yaml +++ b/config/clusters/victor/common.values.yaml @@ -34,6 +34,13 @@ basehub: url: https://people.climate.columbia.edu/projects/sponsor/National%20Science%20Foundation hub: config: + Authenticator: + # This hub uses GitHub Teams auth and so we don't set + # allowed_users in order to not deny access to valid members of + # the listed teams. These people should have admin access though. + admin_users: + - einatlev-ldeo + - SamKrasnoff JupyterHub: authenticator_class: github GitHubOAuthenticator: @@ -42,10 +49,6 @@ basehub: - VICTOR-Community:victoraccess scope: - read:org - Authenticator: - admin_users: - - einatlev-ldeo - - SamKrasnoff singleuser: profileList: # The mem-guarantees are here so k8s doesn't schedule other pods diff --git a/docs/howto/features/per-user-db.md b/docs/howto/features/per-user-db.md index 871c843b3f..52141691ac 100644 --- a/docs/howto/features/per-user-db.md +++ b/docs/howto/features/per-user-db.md @@ -60,9 +60,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /var/lib/postgresql/data && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /var/lib/postgresql/data && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/docs/hub-deployment-guide/configure-auth/cilogon.md b/docs/hub-deployment-guide/configure-auth/cilogon.md index 04a5824843..de91c07245 100644 
--- a/docs/hub-deployment-guide/configure-auth/cilogon.md +++ b/docs/hub-deployment-guide/configure-auth/cilogon.md @@ -69,6 +69,10 @@ jupyterhub: - admin@anu.edu.au CILogonOAuthenticator: oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + # Show only the option to login with Google and ANU's provider + shown_idps: + - http://google.com/accounts/o8/id + - https://idp2.anu.edu.au/idp/shibboleth # Allow to only login into the hub using Google or ANU's provider allowed_idps: http://google.com/accounts/o8/id: @@ -115,7 +119,11 @@ jupyterhub: JupyterHub: authenticator_class: cilogon CILogonOAuthenticator: + scope: + - "profile" oauth_callback_url: https://{{ HUB_DOMAIN }}/hub/oauth_callback + shown_idps: + - http://github.com/login/oauth/authorize allowed_idps: http://github.com/login/oauth/authorize: username_derivation: diff --git a/docs/topic/infrastructure/storage-layer.md b/docs/topic/infrastructure/storage-layer.md index 171b2b0943..951eb916ca 100644 --- a/docs/topic/infrastructure/storage-layer.md +++ b/docs/topic/infrastructure/storage-layer.md @@ -118,9 +118,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared /home/jovyan/shared-public && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && chown 1000:1000 /home/jovyan/shared-public && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index d410964912..ff28172b3e 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml 
@@ -11,7 +11,7 @@ dependencies: # images/hub/Dockerfile, and will also involve manually building and pushing # the Dockerfile to https://quay.io/2i2c/pilot-hub. Details about this can # be found in the Dockerfile's comments. - version: 3.0.2 + version: 3.0.0-beta.1.git.6208.h7b44299a repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service version: 0.1.0-0.dev.git.80.h358d32f diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index c35a07fc0d..c58cea667f 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -177,9 +177,11 @@ jupyterhub: - name: volume-mount-ownership-fix image: busybox command: - - sh - - -c - - id && chown 1000:1000 /home/jovyan /home/jovyan/shared && ls -lhd /home/jovyan + [ + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", + ] securityContext: runAsUser: 0 volumeMounts: @@ -392,7 +394,7 @@ jupyterhub: interfaces: - value: "/tree" title: Classic Notebook - description: >- + description: The original single-document interface for creating Jupyter Notebooks. - value: "/lab" @@ -418,8 +420,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + allowPrivilegeEscalation: False + readOnlyRootFilesystem: True volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -486,8 +488,8 @@ jupyterhub: securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: false - readOnlyRootFilesystem: true + allowPrivilegeEscalation: False + readOnlyRootFilesystem: True volumeMounts: - name: custom-templates mountPath: /srv/repo @@ -524,7 +526,7 @@ jupyterhub: admin: true image: name: quay.io/2i2c/pilot-hub - tag: "0.0.1-0.dev.git.6935.h7141d766" + tag: "0.0.1-0.dev.git.6074.h895181eb" networkPolicy: enabled: true # interNamespaceAccessLabels=accept makes the hub pod's associated 
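Review bot: The two `securityContext` hunks in `helm-charts/basehub/values.yaml` (`@@ -418,8 +420,8 @@` and `@@ -486,8 +488,8 @@`) change `allowPrivilegeEscalation` and `readOnlyRootFilesystem` from canonical `false`/`true` to `False`/`True`. Most YAML loaders still read these as booleans, but the capitalised forms are what yamllint's `truthy` rule flags, and hardening fields are a poor place to depend on loader leniency. Keep `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. In the `@@ -392,7 +394,7 @@` hunk, `description:` without `>-` makes the text a multi-line plain scalar, which folds the same way today but breaks if the text ever gains a `: ` or ` #`.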
diff --git a/helm-charts/chartpress.yaml b/helm-charts/chartpress.yaml index 6ecf191e45..962a638476 100644 --- a/helm-charts/chartpress.yaml +++ b/helm-charts/chartpress.yaml @@ -1,13 +1,3 @@ -# This is the configuration for chartpress, a CLI for Helm chart management. -# -# chartpress can be used to: -# - Build images -# - Update Chart.yaml (version) and values.yaml (image tags) -# - Package and publish Helm charts to a GitHub based Helm chart repository -# -# For more information about chartpress, see the projects README.md file: -# https://github.com/jupyterhub/chartpress -# charts: - name: basehub imagePrefix: quay.io/2i2c/pilot- @@ -15,16 +5,16 @@ charts: hub: valuesPath: jupyterhub.hub.image buildArgs: - REQUIREMENTS_FILE: requirements.txt + REQUIREMENTS_FILE: "requirements.txt" unlisted-choice-experiment: imageName: quay.io/2i2c/unlisted-choice-experiment buildArgs: - REQUIREMENTS_FILE: unlisted-choice-requirements.txt - contextPath: images/hub + REQUIREMENTS_FILE: "unlisted-choice-requirements.txt" + contextPath: "images/hub" dockerfilePath: images/hub/Dockerfile dynamic-image-building-experiment: imageName: quay.io/2i2c/dynamic-image-building-experiment buildArgs: - REQUIREMENTS_FILE: dynamic-image-building-requirements.txt - contextPath: images/hub - dockerfilePath: images/hub/Dockerfile + REQUIREMENTS_FILE: "dynamic-image-building-requirements.txt" + contextPath: "images/hub" + dockerfilePath: "images/hub/Dockerfile" diff --git a/helm-charts/images/hub/Dockerfile b/helm-charts/images/hub/Dockerfile index 6d5e7e05b5..77caeb4434 100644 --- a/helm-charts/images/hub/Dockerfile +++ b/helm-charts/images/hub/Dockerfile 
@@ -12,11 +12,7 @@ # `chartpress --push --builder docker-buildx --platform linux/amd64` # Ref: https://cloudolife.com/2022/03/05/Infrastructure-as-Code-IaC/Container/Docker/Docker-buildx-support-multiple-architectures-images/ # -FROM jupyterhub/k8s-hub:3.0.2 - -# chartpress.yaml defines multiple hub images differentiated only by a -# requirements.txt file with dependencies, this build argument allows us to -# re-use this Dockerfile for all images. +FROM jupyterhub/k8s-hub:3.0.0-beta.1 ARG REQUIREMENTS_FILE COPY ${REQUIREMENTS_FILE} /tmp/ diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt index fcfadf2363..225a86b394 100644 --- a/helm-charts/images/hub/dynamic-image-building-requirements.txt +++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt @@ -1,6 +1,6 @@ # Image lives at quay.io/2i2c/second-hub-experimental git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903ef7d7fd9c2fbb548db # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146 -git+https://github.com/jupyterhub/kubespawner@8cc569c78bcdb342e694f7344219e43d522f4809 +git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c From 49c1afc89d5a058ec216caa2e47e0edd0a04bd4e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 14 Sep 2023 10:36:52 -0700 Subject: [PATCH 115/125] Run pre-commit --- config/clusters/nasa-veda/common.values.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 955c4d7236..74de2da64b 100644 --- a/config/clusters/nasa-veda/common.values.yaml 
+++ b/config/clusters/nasa-veda/common.values.yaml @@ -103,9 +103,9 @@ basehub: image: busybox command: [ - "sh", - "-c", - "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", + "sh", + "-c", + "id && chown 1000:1000 /home/jovyan && chown 1000:1000 /home/jovyan/shared && ls -lhd /home/jovyan ", ] securityContext: runAsUser: 0 @@ -161,9 +161,9 @@ basehub: image: busybox command: [ - "sh", - "-c", - "id && chown 1000:1000 /home/rstudio && ls -lhd /home/rstudio ", + "sh", + "-c", + "id && chown 1000:1000 /home/rstudio && ls -lhd /home/rstudio ", ] securityContext: runAsUser: 0 From 92290b4bd648925d35f9cbd9d971c44e9f770317 Mon Sep 17 00:00:00 2001 
From: YuviPanda Date: Thu, 14 Sep 2023 10:47:00 -0700 Subject: [PATCH 116/125] Use fully qualified DNS name for meom-ige Was failing with this otherwise: ``` Warning FailedMount 8m55s (x22 over 43m) kubelet MountVolume.SetUp failed for volume "prod-home-nfs" : mount failed: exit status 1 Mounting command: /home/kubernetes/containerized_mounter/mounter Mounting arguments: mount -t nfs -o noresvport,retrans=2,rsize=1048576,soft,timeo=600,wsize=1048576 nfs-server-01:/export/home-01/homes/prod /var/lib/kubelet/pods/d9d6a9ac-3194-4226-b5f0-135419bd6225/volumes/kubernetes.io~nfs/prod-home-nfs Output: Mount failed: mount failed: exit status 32 Mounting command: chroot Mounting arguments: [/home/kubernetes/containerized_mounter/rootfs mount -t nfs -o noresvport,retrans=2,rsize=1048576,soft,timeo=600,wsize=1048576 nfs-server-01:/export/home-01/homes/prod /var/lib/kubelet/pods/d9d6a9ac-3194-4226-b5f0-135419bd6225/volumes/kubernetes.io~nfs/prod-home-nfs] Output: mount.nfs: Failed to resolve server nfs-server-01: Name or service not known ``` Testing dns resolution on the node works fine, but kubelet can't seem to resolve it correctly. I suspect something about resolv.conf and ndots, but given we don't even want to support having a separate NFS server outside, this is a decent fix for now. --- config/clusters/meom-ige/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 954c78e975..801aed9ce5 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml @@ -9,7 +9,7 @@ basehub: - soft # We pick soft over hard, so NFS lockups don't lead to hung processes - retrans=2 - noresvport - serverIP: nfs-server-01 + serverIP: nfs-server-01.us-central1-b.c.meom-ige-cnrs.internal baseShareName: /export/home-01/homes/ jupyterhub: custom: From 9df149f51e8782d83cc80055233d9575a6883060 Mon Sep 17 00:00:00 2001 
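Review bot: The new `serverIP:` value has no comment, although the key name promises an IP address and the value is now a zonal DNS name (`nfs-server-01.us-central1-b.c.meom-ige-cnrs.internal`). The reason lives only in the commit message, so a comment above the line would keep it with the config, for example `# FQDN on purpose: the kubelet mounter could not resolve the short name nfs-server-01`. The name also embeds the zone `us-central1-b`, so presumably the mount breaks if the NFS VM is recreated in another zone; that is worth saying in the same comment.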
From: ranchodeluxe Date: Thu, 14 Sep 2023 12:55:30 -0700 Subject: [PATCH 117/125] new nasa-veda-singleuser-init commit hash 53e93ca --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 74de2da64b..8b4d0414fd 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -121,7 +121,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:d78dd50564f562fd6879256a589db5334963f0d6ecd28266a4cf0a8d2aaccca9 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:53e93ca4fa8b0f979f9bd42fc84ad642deb9851ee449f0b273775b1a367e2ecf command: - "python3" - "/opt/k8s-init-container-nb-docs.py" @@ -174,7 +174,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:d78dd50564f562fd6879256a589db5334963f0d6ecd28266a4cf0a8d2aaccca9 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:53e93ca4fa8b0f979f9bd42fc84ad642deb9851ee449f0b273775b1a367e2ecf command: - "python3" - "/opt/k8s-init-container-nb-docs.py" From 93d908c2e44abe89591f9a6f3e5d50ed07707aa4 Mon Sep 17 00:00:00 2001 
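Review bot: The new `image:` reference at `@@ -121,7 +121,7 @@`, and the identical line at `@@ -174,7 +174,7 @@`, puts a 64-hex-character value after `:`, which makes it a tag and not a digest. A tag can be re-pointed on the registry, so the value looks immutable without the container runtime enforcing it. If the string is the image's sha256 digest, reference it as `public.ecr.aws/nasa-veda/nasa-veda-singleuser-init@sha256:<digest>`; if it is a build or commit hash, a short comment saying so would avoid the confusion. The later "new init image hash" and "only change init" patches in this series repeat the pattern, including for the `nasa-veda-singleuser` image.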
From: YuviPanda Date: Thu, 14 Sep 2023 14:34:57 -0700 Subject: [PATCH 118/125] Bump UToronto R image Ref https://2i2c.freshdesk.com/a/tickets/973 Brings in https://github.com/2i2c-org/utoronto-r-image/pull/8 --- config/clusters/utoronto/r-common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/utoronto/r-common.values.yaml b/config/clusters/utoronto/r-common.values.yaml index bd9b0441f9..c9e534251b 100644 --- a/config/clusters/utoronto/r-common.values.yaml +++ b/config/clusters/utoronto/r-common.values.yaml @@ -17,4 +17,4 @@ jupyterhub: defaultUrl: /rstudio image: name: quay.io/2i2c/utoronto-r-image - tag: "c5ec9db8ccb2" + tag: "56882376ee4b" From 16ab6670270ad42f918dbbbaf4e65cd00089c9f2 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 14 Sep 2023 18:21:44 -0700 Subject: [PATCH 119/125] Make binderhub-service available externally via CHP --- config/clusters/2i2c/imagebuilding-demo.values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 50f311916e..5f46b082a8 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -58,6 +58,11 @@ jupyterhub: mem_limit: 2G cpu_limit: 2 hub: + services: + binder: + # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 + # for something more readable and requiring less copy-pasting + url: http://imagebuilding-demo-binderhub-service:8090 image: name: quay.io/2i2c/dynamic-image-building-experiment tag: "0.0.1-0.dev.git.6765.h33942a27" @@ -107,6 +112,7 @@ binderhub-service: effect: NoSchedule config: BinderHub: + base_url: /services/binder use_registry: true # Re-uses the registry created for the `binderhub-staging` hub # but pushes images under a different prefix From aa286ac88be0cd2504a5f24ca6b6e25ed22e02df Mon Sep 17 00:00:00 2001 
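Review bot: Registering `binder` under `hub.services` with a `url` at `@@ -58,6 +58,11 @@` makes the hub's proxy route `/services/binder/` to `http://imagebuilding-demo-binderhub-service:8090`, and JupyterHub leaves the authentication of such proxied services to the service itself. Nothing in this hunk, or in the `base_url: /services/binder` addition at `@@ -107,6 +112,7 @@`, shows that binderhub-service checks the caller's Hub identity. The build API may therefore be reachable without login, and since the same config sets `use_registry: true`, that presumably includes triggering builds and registry pushes. Before merging, confirm that the service enforces Hub OAuth or restrict the route, and record it next to the FIXME, for example `# NOTE: exposed through the hub proxy; binderhub-service must authenticate requests itself`.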
From: Erik Sundell Date: Fri, 15 Sep 2023 03:38:36 +0200 Subject: [PATCH 120/125] utoronto: r-staging, increase size of hub's disk (was full) --- config/clusters/utoronto/r-staging.values.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/clusters/utoronto/r-staging.values.yaml b/config/clusters/utoronto/r-staging.values.yaml index 52a155ad2e..97c3b40832 100644 --- a/config/clusters/utoronto/r-staging.values.yaml +++ b/config/clusters/utoronto/r-staging.values.yaml @@ -5,6 +5,10 @@ jupyterhub: - hosts: [r-staging.datatools.utoronto.ca] secretName: https-auto-tls hub: + db: + pvc: + # prod stores logs, so let's make it big + storage: 10Gi config: CILogonOAuthenticator: oauth_callback_url: https://r-staging.datatools.utoronto.ca/hub/oauth_callback From 333c48b591131eccc0719cbb3b91618d55b05061 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 15 Sep 2023 03:55:09 +0200 Subject: [PATCH 121/125] utoronto: fix logo link --- config/clusters/utoronto/common.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/utoronto/common.values.yaml b/config/clusters/utoronto/common.values.yaml index 984e89b54c..b9bb4b9d84 100644 --- a/config/clusters/utoronto/common.values.yaml +++ b/config/clusters/utoronto/common.values.yaml @@ -27,7 +27,7 @@ jupyterhub: interface_selector: true org: name: University of Toronto - logo_url: https://raw.githubusercontent.com/utoronto-2i2c/homepage/master/extra-assets/images/home-hero.png + logo_url: https://raw.githubusercontent.com/2i2c-org/default-hub-homepage/utoronto-prod/extra-assets/images/home-hero.png url: https://www.utoronto.ca/ designed_by: name: 2i2c From f02ed7a1038e4ac32bd882fbc7e256919021ae7e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 14 Sep 2023 22:04:41 -0700 Subject: [PATCH 122/125] Bump dynamic image UI to latest version --- helm-charts/images/hub/dynamic-image-building-requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
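Review bot: The added comment `# prod stores logs, so let's make it big` at `@@ -5,6 +5,10 @@` sits in `r-staging.values.yaml`, so it describes a different hub than the one this file configures. The commit subject gives the actual reason, that the staging hub's disk was full; a comment such as `# hub disk filled up on r-staging; sized to 10Gi` would match the file. Growing an existing PVC also depends on the storage class allowing volume expansion, which is not visible here, so it is worth confirming after deploy that the claim was actually resized.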
diff --git a/helm-charts/images/hub/dynamic-image-building-requirements.txt b/helm-charts/images/hub/dynamic-image-building-requirements.txt index 225a86b394..bad7b75cee 100644 --- a/helm-charts/images/hub/dynamic-image-building-requirements.txt +++ b/helm-charts/images/hub/dynamic-image-building-requirements.txt @@ -3,4 +3,4 @@ git+https://github.com/yuvipanda/jupyterhub-configurator@ed7e3a0df1e3d625d10903e # Brings on using `unlisted_choice` in profile options per https://github.com/2i2c-org/infrastructure/issues/2146 git+https://github.com/jupyterhub/kubespawner@5a90351adba7d65286bd5e00e82f156011bf7b83 # Brings in https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui -git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@b36ece00b5e7fcba5d4485e7ab70992705601c3c +git+https://github.com/yuvipanda/prototype-kubespawner-dynamic-building-ui.git@2f9b899cb6d7ea91f0e5f69c48562a1cd73fc3da From 27f23c1375e09f28d8884bfc3efa63f61a5273e1 Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Thu, 14 Sep 2023 22:08:02 -0700 Subject: [PATCH 123/125] Build and bump hub image --- config/clusters/2i2c/imagebuilding-demo.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c/imagebuilding-demo.values.yaml b/config/clusters/2i2c/imagebuilding-demo.values.yaml index 5f46b082a8..1a66adb59e 100644 --- a/config/clusters/2i2c/imagebuilding-demo.values.yaml +++ b/config/clusters/2i2c/imagebuilding-demo.values.yaml @@ -65,7 +65,7 @@ jupyterhub: url: http://imagebuilding-demo-binderhub-service:8090 image: name: quay.io/2i2c/dynamic-image-building-experiment - tag: "0.0.1-0.dev.git.6765.h33942a27" + tag: "0.0.1-0.dev.git.7001.hf02ed7a1" config: JupyterHub: authenticator_class: cilogon From fdd3ada12b854d8458326ea5eda83660d8d0636e Mon Sep 17 00:00:00 2001 
From: ranchodeluxe Date: Fri, 15 Sep 2023 07:14:24 -0700 Subject: [PATCH 124/125] new init image hash --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index 8b4d0414fd..b021304560 100644 --- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -95,7 +95,7 @@ basehub: default: true slug: pangeo kubespawner_override: - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:38e8998f9be64b0a59ac6c4d6d152d3403121dfc4be6d49bdf52ddc92827af8a init_containers: # Need to explicitly fix ownership here, as otherwise these directories will be owned # by root on most NFS filesystems - neither EFS nor Google Filestore support anonuid @@ -121,7 +121,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:53e93ca4fa8b0f979f9bd42fc84ad642deb9851ee449f0b273775b1a367e2ecf + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:38e8998f9be64b0a59ac6c4d6d152d3403121dfc4be6d49bdf52ddc92827af8a command: - "python3" - "/opt/k8s-init-container-nb-docs.py" From a5b02314f62fa11fae44535f4abd4cba4e936830 Mon Sep 17 00:00:00 2001 From: ranchodeluxe Date: Fri, 15 Sep 2023 07:33:44 -0700 Subject: [PATCH 125/125] only change init --- config/clusters/nasa-veda/common.values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/clusters/nasa-veda/common.values.yaml b/config/clusters/nasa-veda/common.values.yaml index b021304560..b3df072149 100644 
--- a/config/clusters/nasa-veda/common.values.yaml +++ b/config/clusters/nasa-veda/common.values.yaml @@ -95,7 +95,7 @@ basehub: default: true slug: pangeo kubespawner_override: - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:38e8998f9be64b0a59ac6c4d6d152d3403121dfc4be6d49bdf52ddc92827af8a + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser:5068290376e8c3151d97a36ae6485bb7ff79650b94aecc93ffb2ea1b42d76460 init_containers: # Need to explicitly fix ownership here, as otherwise these directories will be owned # by root on most NFS filesystems - neither EFS nor Google Filestore support anonuid @@ -174,7 +174,7 @@ basehub: # this container uses nbgitpuller to mount https://github.com/NASA-IMPACT/veda-docs/ for user pods # image source: https://github.com/NASA-IMPACT/veda-jh-environments/tree/main/docker-images/base/nasa-veda-singleuser-init - name: nasa-veda-singleuser-init - image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:53e93ca4fa8b0f979f9bd42fc84ad642deb9851ee449f0b273775b1a367e2ecf + image: public.ecr.aws/nasa-veda/nasa-veda-singleuser-init:38e8998f9be64b0a59ac6c4d6d152d3403121dfc4be6d49bdf52ddc92827af8a command: - "python3" - "/opt/k8s-init-container-nb-docs.py"