Setup new R hub for UToronto

Adds a README too with some more info on how this specific
cluster of hubs is configured.

Ref 2i2c-org#1961

config/clusters/utoronto/README.md

@@ -0,0 +1,32 @@
+# University of Toronto README
+
+This file documents some of the choices made in the UToronto cluster,
+which serves multiple hubs.
+
+## Staging Hubs
+
+Each hub gets its own staging hub. They match all configuration, except:
+
+1. Home directory storage is different, for security isolation
+2. Different Login credentials
+3. (Possibly) different hub DB sizes, as we still store logs in the hub db dir
+   (a bad practice we should stop soon).
+
+## Usernames
+
+The default hub (at jupyter.utoronto.ca) and its staging hub use an opaque
+id (oid) in the form of a [uuid](https://en.wikipedia.org/wiki/Universally_unique_identifier)
+as usernames. This caused a bunch of confusion with respect to support, and
+hence other hubs use user emails as usernames instead.
+
+## Config Structure
+
+For each hub, we want the following files:
+
+1. `<hub-name>-common.values.yaml` - common values for prod & staging hubs
+2. `<hub-name>-staging.values.yaml` - staging config overrides
+3. `<hub-name>-prod.values.yaml` - prod config overrides
+4. `enc-<hub-name>-staging.secret.values.yaml` - `sops` encrypted config for staging
+5. `enc-<hub-name>-prod.secret.values.yaml` - `sops` encrypted config for prod
+
+There is also a `common.values.yaml` that is common to *all* the hubs.

config/clusters/utoronto/cluster.yaml

@@ -15,22 +15,40 @@ hubs:
     auth0:
       enabled: false
     helm_chart_values_files:
-      # The order in which you list files here is the order the will be passed
-      # to the helm upgrade command in, and that has meaning. Please check
-      # that you intend for these files to be applied in this order.
       - common.values.yaml
-      - staging.values.yaml
-      - enc-staging.secret.values.yaml
+      - default-common.values.yaml
+      - default-staging.values.yaml
+      - enc-default-staging.secret.values.yaml
   - name: prod
     display_name: "University of Toronto (prod)"
     domain: jupyter.utoronto.ca
     helm_chart: basehub
     auth0:
       enabled: false
     helm_chart_values_files:
-      # The order in which you list files here is the order the will be passed
-      # to the helm upgrade command in, and that has meaning. Please check
-      # that you intend for these files to be applied in this order.
       - common.values.yaml
-      - prod.values.yaml
-      - enc-prod.secret.values.yaml
+      - default-common.values.yaml
+      - default-prod.values.yaml
+      - enc-default-prod.secret.values.yaml
+  - name: r-staging
+    display_name: "University of Toronto (r-staging)"
+    domain: r-staging.utoronto.2i2c.cloud
+    helm_chart: basehub
+    auth0:
+      enabled: false
+    helm_chart_values_files:
+      - common.values.yaml
+      - r-common.values.yaml
+      - r-staging.values.yaml
+      - enc-r-staging.secret.values.yaml
+  - name: r-prod
+    display_name: "University of Toronto (R)"
+    domain: r.utoronto.2i2c.cloud
+    helm_chart: basehub
+    auth0:
+      enabled: false
+    helm_chart_values_files:
+      - common.values.yaml
+      - r-common.values.yaml
+      - r-prod.values.yaml
+      - enc-r-prod.secret.values.yaml

config/clusters/utoronto/common.values.yaml

@@ -64,9 +64,6 @@ jupyterhub:
           [credential "https://github.com"]
           helper = !git-credential-github-app --app-key-file /etc/github/github-app-private-key.pem --app-id 93515
           useHttpPath = true
-    image:
-      name: quay.io/2i2c/utoronto-image
-      tag: "445cbd1f113b"
   hub:
     db:
       pvc:
@@ -77,16 +74,12 @@ jupyterhub:
     config:
       Authenticator:
         enable_auth_state: false
-        admin_users:
-          - 7c76d04b-2a80-4db1-b985-a2d2fa2f708c
-          - 09056164-42f5-4113-9fd7-dd852e63ff1d
-          - adb7ebad-9fb8-481a-bc2c-6c0a8b6de670
       JupyterHub:
         authenticator_class: azuread
         concurrent_spawn_limit: 100
         # We wanna keep logs long term, primarily for analytics
         extra_log_file: /srv/jupyterhub/jupyterhub.log
       AzureAdOAuthenticator:
-        username_claim: oid
+        username_claim: email
         login_service: "University of Toronto ID"
         tenant_id: 78aac226-2f03-4b4d-9037-b46d56c55210

config/clusters/utoronto/default-common.values.yaml

@@ -0,0 +1,16 @@
+jupyterhub:
+  singleuser:
+    image:
+      name: quay.io/2i2c/utoronto-image
+      tag: "445cbd1f113b"
+  hub:
+    config:
+      Authenticator:
+        admin_users:
+          - 7c76d04b-2a80-4db1-b985-a2d2fa2f708c
+          - 09056164-42f5-4113-9fd7-dd852e63ff1d
+          - adb7ebad-9fb8-481a-bc2c-6c0a8b6de670
+
+      AzureAdOAuthenticator:
+        # Everyone else uses email
+        username_claim: oid

config/clusters/utoronto/enc-r-prod.secret.values.yaml

@@ -0,0 +1,24 @@
+jupyterhub:
+    singleuser:
+        extraFiles:
+            github-app-private-key.pem:
+                stringData: ENC[AES256_GCM,data:WBoI5eVPCqIgPJYUrEeNLd6QYE07KDgVtJv33WJ63M9g6jX6ZjBBwjcN2OQYR8XGGVK0XH/GMb/CkkPYajlhEB4H0m7kFzv/1rEAIZly03H7CIk1Q+umjtX+JoPciVAlTZNXlZ2Zvcj1u7s+6K7tSivp7WhO9JDQFIpyDlfR7nUXDBUKTNwKaoQqJ8Z8tIDXp2y01xtQkfpCJHDI75gGcdulvuKwLIIFEzIxSrXV18xBncylQYxrJM/wpD5PDWD4Ke8JQMcis8pWTXo1Gpce02p3/Mbjpq2O9QD5PdcsfdGocDcZOMAbJHgSY+BT/aUwY9RY1cYEfx4A6VObHnPk/KJj6FdSP3R0ftdTi9evpKPbP7QK2fFxqKZLqskNup4z6oggqZiaZgYiGz9cl3bMRahJXZK8g9WkSYff5ZYQIq0D1y/S+lkPDaDTavFWxdCwff9060cG3dsV5B7KYLyn+j5DOaM7kQkujNVLXgsAe5MQQ2YhszHhNOp6A1dx117ZwFdyuGZC/2HBTvakuo1XJeN48XatxnaUz0FfmpquoGOigws6znPiuX5T2JG7PRqWwQq1Sq9aDNkd/VICRxqG0ETCBJJ8t6d3kP0cj7Xi0NyC5Mf0vmg8N3tTfO32WjwNrzWDfySpFcK/aCNXMimr5XZ5sTZj2vRZ+2kkf5b/GRJh7PlSFXoKaYiSRNTc8PSx+9VL9nOkzDd1549HRoJBX27am88pQm/4GOqAGoR72VjsDViIS9w551kKa3/pqqPHq9t8U4GZi6MaWhbPmI4t12O5ezSuQbNi/X3Gu1zo7zevzwoadSt4SypBxYmcHdcrdM5r1Tt9uIh7ycfIgIsYCoNIxi7dop5S795/jZ4JFwQIidsf8o6LzJq8khYXWi/8UPE9W2EH8n+Ln1szcAdxcOrXubuAdwSNQ07nHreAY0c4mWKx/6alhuROH+HL2Tfb9ydZaIrD/J4+w/d4/PKljrijUxDXlgpiieCs9wTKWIuO3L2tShA3q5RWkKQeWq7P1aBLiO5YRY/1qd35paXAB71rIPZMYQEN9P0iTPIsWfxCaJtHfhP9Dt7iDixd2d/1/vEQ2Qs9uvSxjpsYeaI4/CmWoBHfOYSGh7lPa1RQzoFUPcV3cfoAl9+UURD/pcj8K0Ec1H7NT8DdIJCwqQSLeuctjphCiWL2dtaYKVK2HrIIoutHufHCUaTaBl2aJyTsTuTeyEiVlnz9UegXAhH0sCAPhP9Pcn4C57vLqjOPNjmOzA2IvbbsaCNblVb25EsFSMkitIkklYsPi2CMoif73DI0EHvB/51yvtYlogBUHdqkCmj0tHkuwF4tBPbmWG123Rs2yGtFrcJD57/KqCCLGjyhC+e2TiVvK7AWyuXE4DLqMOSbO+P4IqnxdL/UD7GJ2LSSfsLJzcj4GdYSIoKXjkgd1XCQ35zFyN9YPvs+3f1zg++rBkWuy0+EUb1u0soAYrvm9yhXJGVMJ1DJnBD3v9NPi9p8LJunLsE0+BBf0Zlk9HeGYPY/MoU1qWi52VvL/CMemYADSeoKrEfkXtSVtUeJzkglR9XMtt89fYXRFhlDLvLzBxx14x8VAkGTFV62b9UAnNxrF6LHPgv2B7OTPvqjrbKTY1Ss2ofgrrbgSR7MLFPGnbgVZ5CrjissqNd1/RABKhts/bQomoK3EpS6H41NrrQh4sWwFlV5mh23UmpUcMQZFPLugM69/ofryE3Cn7NxQ3g+FLxsG3+r4ZdL178a4lsAsdOwNouDlxoPT37i0FSBA5WYT7r397eWHVxP/fXDV9C7ds+slaPcCClSGoUCuHjSusKMr02gEQkvKDirPXsbsxOO74Kf6ddyOtbQUUD0uZ+aRy4/G4cxXQ6EERRsQxAbSb4wnmWJ/FtqNc91J4NHcJv6+ubq2jaG7Cwd7It3iwHyXXFFZgKqiOIP2hvEp/WSCYzR0ejFG7kLLRskl58QhByUruosIwnJxA93XAUTKXW72UIN31R+ZffEo22jLgjKlOOP5yjCVA/emZ1i1pEoWxSCDYjCnGyOBaZf8g92Aau1NSaBX05zGvlwJp2O2YYETWDcssriuf6CNfOAI3vBR+Oj6QQa46YfY8pH4dmL/4kIkZIPUEhmUxEA7rHYzYgwcwaoAIWfYaESa7YqV6Q8UIxvOeN/FhMLB2MYtbUAKirncnL/hKK3aO8OQpr7mpnXlIYzmklumwuoGBsJZ0zMk0DhHi5xjd5L5SY=,iv:sml8ZE7+tO+7MId9/5XQpYA6sMXD9MhQAznzGsQOHV8=,tag:ITulLSSMTWTStGeOrAPP6g==,type:str]
+    hub:
+        config:
+            AzureAdOAuthenticator:
+                client_id: ENC[AES256_GCM,data:NRIJj6slolCvidb+x0f4xI+mbsis8Bl4BACcca0OhyVrycmG,iv:CA8HR207ItxRul1UaEwNBEbbxvOSagpgkq4VseVlj9s=,tag:q0z0HcLBgcljE6OB0suKmw==,type:str]
+                client_secret: ENC[AES256_GCM,data:hkfjIVkw3f1t/1TRORLKf16BfCVZ3pr7w5HeIY73hOIj5HNwr5oYzw==,iv:DyC09nr+LnKNQKuA9gghU6MXZnIDjbSag/XGnUwAZm4=,tag:0E3E9K+vhHgg3j6jebZg4w==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2022-02-24T18:09:31Z"
+          enc: CiQA4OM7eOdvNAZ+zUSwT0PqdTYnrcEdl/SXGm7kpyMR1ZOtWnYSSQDm5XgWDUzIYL2PKXD9wHbao/Aqsv6kweTN3XDslnZDyOIFGtYEm1s+8cM9HCWfnSA0UOVQTZoly/a2oc59PnqTdnkLV0iu7dY=
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-08-31T20:17:48Z"
+    mac: ENC[AES256_GCM,data:ZHtBcFWZRkZeRv+UB7m7IGtVlo++NeKfu1B777Pfc7eXjnyZcLi99ojVxANB+kA1c7lICmgmNEMPWKxK922ejOBGJN8pAnJjpHxVswWZ1enAzSzkvnsFZoMEZdMkar9zNMK8AjMUeO7139cqnM/yVj72voiCfTS/C5JdJ1hg82w=,iv:2TV5yr9CkDBWJVoi2OPPqXirRs5up4XdpQ4O0qTRDHw=,tag:EDuhGi1hRT73lbs2nsqLDA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/utoronto/enc-r-staging.secret.values.yaml

@@ -0,0 +1,24 @@
+jupyterhub:
+    singleuser:
+        extraFiles:
+            github-app-private-key.pem:
+                stringData: ENC[AES256_GCM,data:EsWpZIVpvybE/J9sBhb05Tkxw2tAHaEX/UXZmKAS7POvTdGSb3fbrDdZXCgVfU99BXoHvb+s/bHN7bFL8dJjvWO/K/Ai6YWWwciFjh1YyqFcTsYCyITxiCIh08rvrzy3NkIvcne0ISI2P2kfRumKK8Ny6pdrN95Qv4MIKx7Ci+fgaC9zM1/ZsUDwPnHfWc7Y6tWFpyQ6Ay5ZamfWtkBj9AH1aNhMXinA/a/AMM26rs5FGXXSSisWLyrVIqMaCHw6Ezy3e4DRe8QCMjGPM8D7e7bc3O+JTvQTvBdFBKM7/nBvs60MUEE0K2gM00r2nJqivbG/vo1DG3tv0hc7oJ69bXHxdxgadeTuHeCiU6YLpkHWKYdX/gcLJz+K8zKTVQ8MOFISRcKKQEC4z4zdxCx/DuAfjIrGkT5u6V1ENKn17Sj7Wy1jYQHLfOYV7qtWJexP/ret1SGd90jiaORnjw1OmIQRznOuSNwNEJy2v2KJ3E1+rZLh0nrPcZHCBWApbeCYo58TGFVDtmqF8F+E0WCUuELu/sRk0sjbPJqYmvkM3SSLEKsoUoKPm217rgV+TRSeFXJJIU+oZDUKZR3M83yvKng8OJPgcKFUr9WzLuCWQ712/q0s2E7JvRSvkrV2IAh9lCSgLqtMHl2dVs6OD1/WfDDNnACPKlzyMVWk8WYnrhHMJwThEsWJt2AlS2Vn9XhCC336DVV7LDh3TI7X/LOtg2ZkDBOVVPM+znLiHPvT273/xszM0/VwUQFmSI/elnv4DwYli1HDjnqyl0j0Lw9LeMPXTnTuYeUA14jUbRhUa1PqsdB3Tb/ZQYF2Ikm2ct35YkKgyxoqFfUxuTQF3rq+t/XzDk9hCeyYpm97kzz4g50RlOpsYtP8uGoIMsRo041DqT/eBXXGKnN0UrY7bfhZyxiikqZru9CmpCArhBUERAyJqzKGpyFIWlQjrs4ldmD9Ji7atI6KGgY047hv1RunTpBRkMvvJuLA8fruq8DGyTJD8TZFAZbUWnJ/AkcO0ysqNnJnkP4gcXadveyQ8j3hka2pcUTWWL1H19R7IRZ/PHg9KzY0VOCqtaYEe1gY4xAwJqPqle3E8ka5NLI9GS56y6UA6i9k5t6RRG7LrHvTJyCqtl5hQTDwJGsXSv5o0dkWZPq+fKVLNYpqaDIkD2P/VoC8DCrbqI5Q291w22mhsx6dZc5/Rghg/bXJ1kr9KMgtbAqbrgOKhnuRNx24/cYpHFMiCVMn/o7oNSBjkyh7mg9X7ao8TPjtXJEU++XQ/9/vD8a2NPFZEQ5/lAFbk9eMf8Gu7s/j79noSpt/Onk/JhoCgzZRHA8Khxz4YwAHk6P6b8bRmjeDkGWesfF+YFdftZFOqgwDmvjRmfcPtT9Tnlq63T+hgXlo5jDE06cEeIPz5RvO/3CHDH8AjuC/aqHrfojTirUqnIa5d0GqFZPxe6SHJJUB0vY5+roCZz/GcXumM2bXLQdgCQdi4Ouu76KasueHGlc/KyCYlPdOudNy2Cyz50ZCl4AB5S5gpRXa8SGlgNVPzeQDthhIYMwYEjz6/kS82zOj9n7LwgGJ+NGOrEPmcl1ZZNvYGdt9OVg9M38LUoin8X2mRlE/LNgoUpnUQ6QvtFyEPZiI5QglcDsKgrlQfhZVk8jFRjyhyCY0EwVavD2+1KWhDFF1qYd2BsOixkMMAGXBcUJCxMXcccSSe5Gt1qTfF1i+s2Yy72zf9u7RlItKceyftJqOTY0tdMYSF82ghqpoELhobiVYfxGseAEQTpd/L0TWhZQtLAj8i2lCHcYDCPIMXw5PIqkgH+kIJ8qv9eh9tplcW/P/5QSqtqSDV5llGRdhMPUmL05wp4pUndd7NdMCm9r80TVjZCGsx+feWs8mbZFJltUo9Y1HCDitnw4ONFJasxVJTkZ8xDDa0D+iEIiyB5UrJGY83k5CywpfKjbVRKvP17+TbpFr/wNUNyCfNdAXkRQ2doBjXqhOKJVsyeJ6M8m8JIuIV5bA1IGDrOEgC+KQc8oeIxR8+bV84irubPd1CH7bFndm/41Ye6rNNdd/yuRWUKtj0GCFdJQIAWVrHE3/gw8ZFCe4SBl8iIuv4P3RT69olIbuJAuVNyMJpAgQcRLH4yD7gsfwSQquEftbJCetPXM9GDuILk7Re+9zgKVJLDNyYctrIlpFvyxD/A6a8jJyVJzqIHVp8TmXWy1XxyPcSiYq9ysUwHQZwOGvPgJftC8uwzLWEHI=,iv:0/wWZcMZwP9XXASWPCHk1PgmM2gTZEw8hkyZd9lEWCk=,tag:i44AuDtv0bWAzsiQlMg/LQ==,type:str]
+    hub:
+        config:
+            AzureAdOAuthenticator:
+                client_id: ENC[AES256_GCM,data:082nKaBVlegQiGmtVti7PPBz+T7GLTCyB6910E6EgXnedDJZ,iv:mqE0/hkXIp2leSohgkdgdEB7cy6rgy7nH+2NkJCcZ6o=,tag:Ii23/LAfbXi0F66GPmpmRQ==,type:str]
+                client_secret: ENC[AES256_GCM,data:DEYYnc/bxBcJtAJ/TBY/IggBbqdp8tVUM1GgdsayEUGelEtvhmbarQ==,iv:5hWqi8Cag0wRYnfA82I8FI58mQUi4Rm0TRaCr764sb0=,tag:uj91hvmqqc2FwJkYeo1Ebw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2022-02-24T18:08:21Z"
+          enc: CiQA4OM7eBanK+HbBPB2vHvIZKJONEYQrsehrIP5d0u8r0+7R/gSSADm5XgWfJP/jYs7/3IkZmdvNF+pWLMrS5rbDoUJjrqcKlUcDL6u5jrbSXFF/lE4nSuyFrKSxNkMm28dvYAMsqHrZIFwVBLXOg==
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-09-08T07:48:01Z"
+    mac: ENC[AES256_GCM,data:rr/BWRngZh08Su8zP+eJ4OqLuT7IbG7/voAh1iPuwHPPLIeeNTnIopelD/6OLjhCbkiZhtij2y6lASwa5xzwmLuvvxiAdQrX6f+ZqOgBZ1KxuJzELQxSY4X2L6cgCeGFnhHhQY1EoYqsGEwjSk6zrPPtR93sBL80ZmL+swHtz3E=,iv:jFbf45ItjJV/ALnyk0xNyy7dnvtcGuIj3+pQNTqWcaM=,tag:mYHTUwzMJSERSvya1OMNGQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/utoronto/r-common.values.yaml

@@ -0,0 +1,9 @@
+jupyterhub:
+  singleuser:
+    storage:
+      # From https://jupyterhub-image.guide/rocker.html#step-7-setup-zero-to-jupyterhub-configuration-for-home-directory
+      homeMountPath: /home/rstudio
+    defaultUrl: /rstudio
+    image:
+      name: quay.io/2i2c/utoronto-r-image
+      tag: "bd1a9c4eea2e"

config/clusters/utoronto/r-prod.values.yaml

@@ -0,0 +1,10 @@
+jupyterhub:
+  hub:
+    db:
+      pvc:
+        # prod stores logs, so let's make it big
+        storage: 60Gi
+    config:
+      AzureAdOAuthenticator:
+        oauth_callback_url: https://r.utoronto.2i2c.cloud/hub/oauth_callback
+        logout_redirect_url: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https://r.utoronto.2i2c.cloud

config/clusters/utoronto/r-staging.values.yaml

@@ -0,0 +1,6 @@
+jupyterhub:
+  hub:
+    config:
+      AzureAdOAuthenticator:
+        oauth_callback_url: https://r-staging.utoronto.2i2c.cloud/hub/oauth_callback
+        logout_redirect_url: https://login.microsoftonline.com/common/oauth2/logout?post_logout_redirect_uri=https://r-staging.utoronto.2i2c.cloud