Merge pull request #1498 from sean-morris/csu

CSU hub: set user_name pattern to only edu
2i2c-org · Jul 5, 2022 · 46787f5 · 46787f5
2 parents 93dab71 + 4b7ca70
commit 46787f5
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/config/clusters/cloudbank/cluster.yaml b/config/clusters/cloudbank/cluster.yaml
@@ -269,11 +269,10 @@ hubs:
     auth0:
       # connection update? Also ensure the basehub Helm chart is provided a
       # matching value for jupyterhub.custom.2i2c.add_staff_user_ids_of_type!
-      connection: password
-      password:
-        database_name: database-csu
+      enabled: false
     helm_chart_values_files:
       # The order in which you list files here is the order the will be passed
       # to the helm upgrade command in, and that has meaning. Please check
       # that you intend for these files to be applied in this order.
       - csu.values.yaml
+      - enc-csu.secret.values.yaml
diff --git a/config/clusters/cloudbank/csu.values.yaml b/config/clusters/cloudbank/csu.values.yaml
@@ -29,12 +29,22 @@ jupyterhub:
           url: http://cloudbank.org/
   hub:
     config:
+      JupyterHub:
+        authenticator_class: cilogon
+      CILogonOAuthenticator:
+        oauth_callback_url: https://csu.cloudbank.2i2c.cloud/hub/oauth_callback
+        username_claim: email
       Authenticator:
-        # Everyone should be able to sign up, so we don't set allowed_users
-        # These folks should still have admin though
+        # These folks should still have admin tho
         admin_users:
-          - ericvd@gmail.com
+          - ericvd@berkeley.edu
           - sean.smorris@berkeley.edu
+          - rula.khayrallah@sjsu.edu
+        # We only want 2i2c users and users with .edu emails to sign up
+        # Protects against cryptominers - https://github.com/2i2c-org/infrastructure/issues/1216
+        # FIXME: This doesn't account for educational institutions that have emails that don't end in .edu,
+        # as is the case for some non-euroamerican universities.
+        username_pattern: '^(.+@2i2c\.org|.+\.edu|deployment-service-check)$'
   cull:
     # Cull after 30min of inactivity
     every: 300

diff --git a/config/clusters/cloudbank/enc-csu.secret.values.yaml b/config/clusters/cloudbank/enc-csu.secret.values.yaml
@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            CILogonOAuthenticator:
+                client_id: ENC[AES256_GCM,data:Iai1sdXhEZjIFEd8zT5XeVOSXx13IO/gcceCE6NkkntJOIvWIaFJCNXyNOfpYtPvfslV,iv:MnjBFpZ9CSPi91psemglSMIMdLZAmMEPvNZb0Gu0W7M=,tag:D6ZbLeevpDucfOS4lr+JGw==,type:str]
+                client_secret: ENC[AES256_GCM,data:BxMRL5WOGQRRHXlp/ZvwypWPkHK1kcUd83kB+SQKE5Ii5RjmBVzQjpo8nqHWpmiyRD0GmSGXYTnUSPosrwCxwYylMNh0Rhxmtqi8OXs2vxTcLGXNbQA=,iv:TNAbWucjfP9fp6Im8LOcSgZto45DNX6705oZ0C3mo+o=,tag:41M2uAvtboniKuF+gwrjrw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2022-07-05T16:22:39Z"
+          enc: CiQA4OM7ePEJqmu1Os9qjJEsjaGqgMbZuiMs3j3cYPIlapXGg4ESSQBq6cPrusSGtBAbSReDI3FKpQWdIHHgNPLypi69HcD6gADfCH6H17snBZqoZfcC6wy746FTZN+fysTEmJKTM5vJJUTsBaBTrCA=
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-07-05T16:22:39Z"
+    mac: ENC[AES256_GCM,data:OjeWqqevebxI6EQ41FAzvUYZd/hXj+G3yAUbpCDSQFqnhFTQLkAAoKW0xU0uAe1/pX0ahj1tQu3+R9pNDgONso5wH4hVNMTBuwxvXg2kMVQWoE6g69s7P7RDjJ/jTv0UBy4mgUAmjZcB9STDs7m6cqjWr/R21pYuxQ2JMT51Pv4=,iv:LozsQZ+FxLHYDgPcQymr5Hzt9DW/BQhN4H9no4XZOqc=,tag:vG1IP9VgKIWKbirnSI0g2Q==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1