Setup shared cluster on AWS and deploy 'researchdelight' hub

.github/ISSUE_TEMPLATE/2_new-hub-provide-info.yml

@@ -61,6 +61,26 @@ body:
     validations:
       required: true
 
+  - type: dropdown
+    attributes:
+      label: "[GitHub Auth only] How would you like to manage your users?"
+      description: |
+        Please describe how you would prefer to manage your users accessing the hub via GitHub Auth.
+      options:
+        - Manually, by adding specific GitHub handles in the JupyterHub Admin panel
+        - Allowing members of a specific GitHub organization
+        - Allowing members of specific GitHub team(s)
+
+  - type: textarea
+    attributes:
+      label: "[GitHub Teams Auth only] Profile restriction based on team membership"
+      description: |
+        If you wish to offer a range of machine sizes/image types but to only a subset of your users, we can facilitate this through GitHub Teams.
+        Please provide a list of GitHub Teams in your org and what resources you'd like each to access.
+      placeholder: |
+        @MyCoolOrg/all-users: Small and Medium sized machines
+        @MyCoolOrg/advanced-users: Small, Medium, Large and GPU machines
+
   - type: markdown
     attributes:
       value: |
@@ -189,7 +209,8 @@ body:
       options:
         - label: 1. Deploy information filled in above
         - label: 2. Engineer who will deploy the hub is assigned
-        - label: 3. Initial Hub deployment PR <link to PR>
-        - label: 4. Administrators able to log on -> Hub now in steady-state
+        - label: 3. If using GitHub Orgs/Teams Auth, Engineer is given Owner rights to the org to set this up.
+        - label: 4. Initial Hub deployment PR <link to PR>
+        - label: 5. Administrators able to log on -> Hub now in steady-state
     validations:
       required: false

.github/ISSUE_TEMPLATE/6_event-hub.md

@@ -17,8 +17,11 @@ assignees: ''
 
 - **Community Representative:** <!-- The GitHub ID of the current representative for the Hub and Community, e.g. @octocat -->
 - **Event begin:** <!-- The date that the event will start. -->
+  - **In your timezone:** <!-- Add an https://arewemeetingyet.com/ link or similar so team members can translate to their timezone -->
 - **Event end:** <!-- The date that the event will end. -->
+  - **In your timezone:** <!-- Add an https://arewemeetingyet.com/ link or similar so team members can translate to their timezone -->
 - **Active times:** <!-- What hours of the day will participants be active? (e.g., 5am - 5pm US/Pacific) -->
+  - **In your timezone:** <!-- Add an https://arewemeetingyet.com/ link or similar so team members can translate to their timezone -->
 - **Number of attendees:** <!-- How many attendees should we expect simultaneously each day. -->
 - [**Hub Events Calendar**](https://calendar.google.com/calendar/u/2?cid=Y19rdDg0c2g3YW5tMHNsb2NqczJzdTNqdnNvY0Bncm91cC5jYWxlbmRhci5nb29nbGUuY29t)
 

.github/actions/setup-deploy/action.yaml

@@ -69,7 +69,7 @@ runs:
       shell: bash
 
     # This action use the github official cache mechanism internally
-    - uses: azure/setup-helm@v3.4
+    - uses: azure/setup-helm@v3.5
       with:
         # version is pinned for helm to avoid an automatic update of its version
         # which would cause something unexpected without an action on our
@@ -78,7 +78,7 @@ runs:
 
     # Pin kubectl version to 1.23 otherwise interactions with k8s clusters versioned <=1.21 won't work.
     # See https://github.com/2i2c-org/infrastructure/issues/1271.
-    - uses: azure/setup-kubectl@v3.0
+    - uses: azure/setup-kubectl@v3.1
       with:
         version: "v1.23.5"
 

.github/workflows/deploy-grafana-dashboards.yaml

@@ -27,6 +27,7 @@ jobs:
           - cluster_name: nasa-cryo
           - cluster_name: gridsst
           - cluster_name: victor
+          - cluster-name: 2i2c-aws-us
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3

.github/workflows/deploy-hubs.yaml

@@ -162,6 +162,7 @@ jobs:
       failure_nasa-cryo: "${{ env.failure_nasa-cryo }}"
       failure_gridsst: "${{ env.failure_gridsst }}"
       failure_victor: "${{ env.failure_victor }}"
+      failure_2i2c-aws-us: "${{ env.failure_2i2c-aws-us }}"
 
     # Only run this job on pushes to the default branch and when the job output is not
     # an empty list

.github/workflows/validate-clusters.yaml

@@ -13,20 +13,26 @@ on:
     branches:
       - master
     paths:
-      - config/clusters/**
-      - helm-charts/**
-      - deployer/**
-      - requirements.txt
-      - .github/workflows/validate-clusters.yaml
+      - "config/clusters/**"
+      # Exclude changes to the templates directory from
+      # triggering this workflow
+      - "!config/clusters/templates"
+      - "helm-charts/**"
+      - "deployer/**"
+      - "requirements.txt"
+      - ".github/workflows/validate-clusters.yaml"
   push:
     branches:
       - master
     paths:
-      - config/clusters/**
-      - helm-charts/**
-      - deployer/**
-      - requirements.txt
-      - .github/workflows/validate-clusters.yaml
+      - "config/clusters/**"
+      # Exclude changes the templates directory from
+      # triggering this workflow
+      - "!config/clusters/templates"
+      - "helm-charts/**"
+      - "deployer/**"
+      - "requirements.txt"
+      - ".github/workflows/validate-clusters.yaml"
     tags:
       - "**"
   workflow_dispatch:
@@ -103,19 +109,28 @@ jobs:
         shell: python
         run: |
           import os
+          import json
 
           # List all cluster folders
           cluster_folders = os.listdir("config/clusters")
 
           # Construct a matrix of all clusters
           matrix = []
           for cluster in cluster_folders:
-              matrix.append({"cluster_name": cluster})
+              # The `templates` directory contains template yaml configs
+              # and doesn't represent a "real" cluster.
+              # This is why we need to exclude it from the list of clusters
+              # and hence all workflows, otherwise it will cause them to fail.
+              if cluster != "templates":
+                matrix.append({"cluster_name": cluster})
 
           # Write matrix to the GITHUB_ENV file in GitHub Actions
           env_file = os.getenv("GITHUB_ENV")
           with open(env_file, "a") as f:
-              f.write(f"MATRIX={matrix}")
+              # Explicitly dump these as JSON, as that is what they are read as
+              # General python object syntax sometimes works but sometimes does
+              # not - for example, single quotes are not valid in JSON.
+              f.write(f"MATRIX={json.dumps(matrix)}")
 
       # Only run this step if there are *NO* changes under the common filter,
       # but *ARE* changes under the cluster_specific filter, *AND* we have not
@@ -128,6 +143,7 @@ jobs:
         shell: python
         run: |
           import os
+          import json
           from pathlib import Path
 
           # Consume list of changed cluster files and convert to list by splitting
@@ -153,7 +169,10 @@ jobs:
           # Write the matrix to the GITHUB_ENV file in GitHub Actions
           env_file = os.getenv("GITHUB_ENV")
           with open(env_file, "a") as f:
-              f.write(f"matrix={matrix}")
+              # Explicitly dump these as JSON, as that is what they are read as
+              # General python object syntax sometimes works but sometimes does
+              # not - for example, single quotes are not valid in JSON.
+              f.write(f"MATRIX={json.dumps(matrix)}")
 
   # This job runs the 'deployer validate' subcommand across a matrix of
   # cluster names.

.pre-commit-config.yaml

@@ -20,21 +20,21 @@ repos:
 
   # Autoformat: Python code, syntax patterns are modernized
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.2.2
+    rev: v3.3.1
     hooks:
       - id: pyupgrade
         args:
           - --py36-plus
 
   # Autoformat: Python code
   - repo: https://github.com/pycqa/isort
-    rev: "5.10.1"
+    rev: "5.11.4"
     hooks:
       - id: isort
 
   # Autoformat: Python code
   - repo: https://github.com/psf/black
-    rev: "22.10.0"
+    rev: "22.12.0"
     hooks:
       - id: black
 
@@ -46,8 +46,8 @@ repos:
 
   # Prevent unencrypted files from being committed
   - repo: https://github.com/yuvipanda/pre-commit-hook-ensure-sops
-    rev: v1.0
+    rev: v1.1
     hooks:
       - id: sops-encryption
         # Add files here if they contain the word 'secret' but should not be encrypted
-        exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml|helm-charts/basehub/templates/static/secret\.yaml
+        exclude: secrets\.md|helm-charts/support/templates/prometheus-ingres-auth/secret\.yaml|helm-charts/basehub/templates/dex/secret\.yaml|helm-charts/basehub/templates/static/secret\.yaml|config/clusters/templates/gcp/support\.secret\.values\.yaml

config/clusters/2i2c-aws-us/cluster.yaml

@@ -0,0 +1,38 @@
+name: 2i2c-aws-us
+provider: aws
+aws:
+  key: enc-deployer-credentials.secret.json
+  clusterType: eks
+  clusterName: 2i2c-aws-us
+  region: us-west-2
+support:
+  helm_chart_values_files:
+    - support.values.yaml
+    - enc-support.secret.values.yaml
+hubs:
+  - name: staging
+    display_name: "2i2c AWS staging"
+    domain: staging.aws.2i2c.cloud
+    helm_chart: basehub
+    auth0:
+      enabled: false
+    helm_chart_values_files:
+      - staging.values.yaml
+      - enc-staging.secret.values.yaml
+  - name: dask-staging
+    display_name: "2i2c AWS dask-staging"
+    domain: dask-staging.aws.2i2c.cloud
+    helm_chart: daskhub
+    auth0:
+      enabled: false
+    helm_chart_values_files:
+      - dask-staging.values.yaml
+      - enc-dask-staging.secret.values.yaml
+  - name: researchdelight
+    display_name: "2i2c Research Delight"
+    domain: researchdelight.2i2c.cloud
+    helm_chart: daskhub
+    auth0:
+      connection: github
+    helm_chart_values_files:
+      - researchdelight.values.yaml

config/clusters/2i2c-aws-us/dask-staging.values.yaml

@@ -0,0 +1,59 @@
+basehub:
+  userServiceAccount:
+    annotations:
+      eks.amazonaws.com/role-arn: arn:aws:iam::790657130469:role/2i2c-aws-us-dask-staging
+  nfs:
+    pv:
+      # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+      mountOptions:
+        - rsize=1048576
+        - wsize=1048576
+        - timeo=600
+        - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+        - retrans=2
+        - noresvport
+      serverIP: fs-0b70db2b65209a77d.efs.us-west-2.amazonaws.com
+      baseShareName: /
+  jupyterhub:
+    custom:
+      2i2c:
+        add_staff_user_ids_to_admin_users: true
+        add_staff_user_ids_of_type: "github"
+      homepage:
+        templateVars:
+          org:
+            name: 2i2c Dask Staging
+            url: https://2i2c.org
+            logo_url: https://2i2c.org/media/logo.png
+          designed_by:
+            name: 2i2c
+            url: https://2i2c.org
+          operated_by:
+            name: 2i2c
+            url: https://2i2c.org
+          funded_by:
+            name: 2i2c
+            url: https://2i2c.org
+    singleuser:
+      image:
+        name: pangeo/pangeo-notebook
+        tag: "2022.06.02"
+    hub:
+      config:
+        Authenticator:
+          # This hub uses GitHub Org auth and so we don't set
+          # allowed_users in order to not deny access to valid members of
+          # the listed orgs.
+          #
+          # You must always set admin_users, even if it is an empty list,
+          # otherwise `add_staff_user_ids_to_admin_users: true` will fail
+          # silently and no staff members will have admin access.
+          admin_users: []
+        JupyterHub:
+          authenticator_class: github
+        GitHubOAuthenticator:
+          oauth_callback_url: "https://dask-staging.aws.2i2c.cloud/hub/oauth_callback"
+          allowed_organizations:
+            - 2i2c-org
+          scope:
+            - read:org

config/clusters/2i2c-aws-us/enc-dask-staging.secret.values.yaml

@@ -0,0 +1,21 @@
+basehub:
+    jupyterhub:
+        hub:
+            config:
+                GitHubOAuthenticator:
+                    client_id: ENC[AES256_GCM,data:ZiUCM3p/hY+y/zpQFS+R13pd7wY=,iv:M3N7NmEtE5qngrCwlr2vLxTUaFvbQM+q6uOGsw3Vmbg=,tag:TtN0bMLKmSiSSiPipWCEAw==,type:str]
+                    client_secret: ENC[AES256_GCM,data:46JoY+yo01tG12QsaIlpuZ9hX00YfHHmL+MXKkyl4ncHQjVbj+4hNQ==,iv:T1YQnD2mr2JKhAtSHaPXTTlD8CreiHOxAxG1wfueNME=,tag:s0xmzKuhqUKaWy6pmJzQUw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-01-05T15:25:09Z"
+          enc: CiUA4OM7eN6ULedt07hrYSuCYNviz84p6Myz4gLx0SHi2soZ8b5JEkkA+0T9hZ0nLyBqO0b1X7/wXW+AXp9K52uffuEDJvyCG97WP75nEi2k0QqjCsLQGaIr7QuYzkVkvMWf6bfJeLE8DravcpVoVqUH
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-05T15:25:09Z"
+    mac: ENC[AES256_GCM,data:4rpy/3DM8UDSnyeB+B2JLWE/xaucbCvwucTv3cU5rItFZaUIlmynLcXpqhOBCoEEfPbAFG+eTo3Kdm8qEETFl4Ssd8yNU9kedgOn8V64LT/hTWaPzmGkzTx3bdjXIjHJwuvLpMItSonItapwSbN4ZOSdRUETylzpxr+zYhJySvw=,iv:PP+vA0UrQmlCXMwVzzWrIT+fF9TvZxad4VXLA16EsUw=,tag:D3qv+InhBs6Najw0E7gIXA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/2i2c-aws-us/enc-deployer-credentials.secret.json

@@ -0,0 +1,25 @@
+{
+	"AccessKey": {
+		"AccessKeyId": "ENC[AES256_GCM,data:6PvELWFuIRU3X/xw0KFAUB9tALw=,iv:qAUuL9XpmqVfmIPAg1jVLw6BOgOLdI6Nh9ciGoYR1ko=,tag:YkB81KaQkneoErdvbA+gcQ==,type:str]",
+		"SecretAccessKey": "ENC[AES256_GCM,data:yL9fFhLZwIwYGIcH0rMlom1AMf8SP8rHuqIaFcCMHgxJrvBwrIjEtA==,iv:QUL+KmQVs+fqwei8qATePtz7DYRGISeqK76C3C6ZYHQ=,tag:1JKsN+6MwzrwncgcnJOY0Q==,type:str]",
+		"UserName": "ENC[AES256_GCM,data:uINElYnC8kT9jENDB0HZobYeJRtg0pQ=,iv:6WcmGN4Uo/0ESepK+6GnNJzqhOiKN7XUlyCmDBV9wbs=,tag:rtoBQVLgs4iwHF9xxWY5LA==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2022-12-02T16:26:52Z",
+				"enc": "CiUA4OM7eOLLa/imL4GpHRd9gcsB84MVB/Ad4qDdcZR1yN5dCQEEEkkA+0T9hZ4MsWpzgSLLO687tPm2nrUQ+Ah6/7KRQH66x5sYPrKozkBm5ch5T2Y8YTXSb2stXzIlTqQA9Eq8sBc7rTyEG0G+Ryad"
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2022-12-02T16:26:52Z",
+		"mac": "ENC[AES256_GCM,data:csHlSvetk7n+RSN1OK5ZbFND3bRd/liGLiStaY0XsXTXjzq2okXjazEKeS6tNIRt6MKsLNQ3LOv84q7nmHnbLx2/jlBhmKu9oRwd5CBdponB/14CRnPhpI/cVm9i6D/FTUi/Wy5MVojJZdj/4DIMyN5cjpWeQSYAATuFzbsYPKU=,iv:JZAhUHxxurCQRStaMCoL6qu5JihtVOrnFpXFWQDx8Xk=,tag:azOozPUyO9iz0SnVfbt+Sw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

config/clusters/2i2c-aws-us/enc-grafana-token.secret.yaml

@@ -0,0 +1,15 @@
+grafana_token: ENC[AES256_GCM,data:t2qk7Ze8CPLm04pnwFDpqhoXv430t1wBH+o4H3KxGLLPZXeeBfMgHNTjOFeX0xABJ8eZw8yRi/TRXHfil9QQ+OKoTIMJ9olTr++YdBEVBRqQijlFJTc5IVRQQXNR9LhG,iv:9vVNYHRyCOexYjx49JMHqxD8RbYSs4OaU2RsDFjW1N4=,tag:Wgnr/0UIGJiCuQPULCfgbA==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2022-12-02T17:06:57Z"
+          enc: CiUA4OM7eE9zAnsvqqZ1DkU29yZuDSdm7AoElAMABbgu9/p8tLGkEkkA+0T9hXy+VFXSo6A4H8d8HFNwQBsm67tqAGBBUQ7SlIoWIz28wMPTIez5sNPBziRv9VrsXuIFJozC+Z2oqwexcy6Wy6663t9I
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-12-02T17:06:58Z"
+    mac: ENC[AES256_GCM,data:NHmFKLI8yUkZW+lhh9+rZl0LhTjBFbVgAua1M4E2+5DcDY+tA1tO87T1QcPcX+PPAPIXTO41eofFB01MbfG1FbsXjPYQE3235pmA2WNEIaeY2fTAdKylrUfbiICV/2doex/eXLdQwIrXJeyyrIYXA0Sjj1hDBkuV6DCU8HbKQ+s=,iv:1XrSnJHntEpQ9qx0MbOEfHpzpeFiIIoK0eCsEQCVI40=,tag:4+9qqk4LXBriUpPMSbTlew==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/2i2c-aws-us/enc-staging.secret.values.yaml

@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            GitHubOAuthenticator:
+                client_id: ENC[AES256_GCM,data:cCcFsREidFJE+8mNguzsiglaDNU=,iv:8/ONoisn8fresVPcztUejV5j1njBJe1TiyTPbzsl9ag=,tag:1zUsouNBoTdAAoVwZCrXNw==,type:str]
+                client_secret: ENC[AES256_GCM,data:QVmzgFYEGKPgTrj6bCrumcQp5mZreLFrw6G+zITLOSJtydDY62zD/Q==,iv:nAdsoPGHyPhFzFPU4uxRAbQOm4fuZSD4IKtZYAHx3vU=,tag:jV9OsG1sy/OyOTUp7M9pvA==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-01-05T15:13:06Z"
+          enc: CiUA4OM7ePFTK8jhF1PvaNsOlsH2PwopRPJE7K+2pVikF/Brl4zPEkkA+0T9hUjgsZa2zAOVqZHOAjeg91553kP+YnHnIW2QPPnSha1dlGfrTcesxV5hsrbeqc3fxs7OnKow5KK3fr48Djf31CYGOgLY
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-01-05T15:13:06Z"
+    mac: ENC[AES256_GCM,data:tSbbwxnJEQflFUma0Ou0Faci4nypPH7UDFkPe6jyfnNEckteG9qviBk9pUbpuR404NOZp8QtVqB0Vqv3fwo1EBGrmeT0E0zhgz0RR2/k85nDnPD9mLYWq4xtestHQOdibmMAFe4D2QbVSgI4t8NiYAWLPqKaH8UGKFgiFAV9pnU=,iv:yPX35eIVYw1rh9BTmPpc3P+DzEu499Wk/GJkwN4AcUs=,tag:mWr1ieAR7bZ605gA2tHHdA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3