From f8a48f9ffbdea86c632e5076a9dee6fc99db7908 Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Thu, 23 Sep 2021 13:05:06 +0100
Subject: [PATCH 1/5] Add encrypted client ID and secret for GitHub OAuth App
---
 secrets/config/hubs/pangeo-hubs.cluster.yaml | 24 ++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 secrets/config/hubs/pangeo-hubs.cluster.yaml
diff --git a/secrets/config/hubs/pangeo-hubs.cluster.yaml b/secrets/config/hubs/pangeo-hubs.cluster.yaml
new file mode 100644
index 0000000000..03af51aed2
--- /dev/null
+++ b/secrets/config/hubs/pangeo-hubs.cluster.yaml
@@ -0,0 +1,24 @@
+hubs:
+ - name: ENC[AES256_GCM,data:Fn161Lzsng==,iv:PNitibdRvHzMaMU9IPqM0iMs+emXA9E6zelfTQB1BYM=,tag:rCY7acQFechcFSGy94RMzQ==,type:str]
+ config:
+ basehub:
+ jupyterhub:
+ hub:
+ config:
+ GitHubOAuthenticator:
+ client_id: ENC[AES256_GCM,data:HGNeAuzHqKgpPgxlqc/VDgGQX2o=,iv:D7Ms4JSrKUW5KfuNdAC/VOayYsFWaK3oJSUURjEeCTQ=,tag:eLf2IvkTmq0lyg+lEHWOSw==,type:str]
+ client_secret: ENC[AES256_GCM,data:/iilnqtJaEVNVLp8V4LOpQz8Q19ADr9Qdk1ul/EVlynzJbRQcJXZUA==,iv:gEGMykdY1LoLGSXxHvwREwZVVAfmKdAzU2ddqWKSeg4=,tag:YQWTlrvMJF3NGWIB++wJDg==,type:str]
+sops:
+ kms: []
+ gcp_kms:
+ - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+ created_at: "2021-09-23T11:39:22Z"
+ enc: CiQA4OM7eNF5IudCQucrsGQG3wsRyoqPuaVA5SgIYHGJLcp5EucSSQC9ZQbLJ42M2kH6oTiAdH+xQrqwfVn2shiKrOzGOM35kfWXKpk0bHLxE0xkQrPdpxraFM24UjUxaEZd49h8lh41gt44Rw8j0oM=
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-09-23T11:39:23Z"
+ mac: ENC[AES256_GCM,data:dyS/xZtXbiox31+3uO70lFkoHy/9IYBu1JhIXEZG1XNQqsWGUchRh2O85dS6bTSPtYVf+cTc/uwjsr8YfyzCDewWNxbXdqL51aAx2TFPGJcAtj+xC0ntuktJeLm3oY6rcs/GJ7XFFdx2crhKV9WOLony2havSJ1EuaMH+RUbUpQ=,iv:P4m/+cV6BSzlExyxcn0+56BLik09A60Hp4kvgA6xLAs=,tag:YjZinx3R4TRQx6xZTvw7Wg==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
From e33a4877d2ab4321b6c7272458948b8c27f41163 Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Thu, 23 Sep 2021 13:05:27 +0100
Subject: [PATCH 2/5] Add config to enable auth via GitHub teams
---
 config/hubs/pangeo-hubs.cluster.yaml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/config/hubs/pangeo-hubs.cluster.yaml b/config/hubs/pangeo-hubs.cluster.yaml
index 090a1d5ae3..23d800a900 100644
--- a/config/hubs/pangeo-hubs.cluster.yaml
+++ b/config/hubs/pangeo-hubs.cluster.yaml
@@ -24,13 +24,12 @@ support:
 controller:
 admissionWebhooks:
 enabled: false
- nfs-server-provisioner:
- enabled: false
 hubs:
 - name: staging
 domain: staging.pangeo.2i2c.cloud
 template: daskhub
 auth0:
+ enabled: false
 connection: github
 config: &stagingConfig
 basehub:
@@ -74,6 +73,17 @@ hubs:
 - choldgraf
 - rabernat
 admin_users: *staging_users
+ JupyterHub:
+ authenticator_class: github
+ GitHubOAuthenticator:
+ oauth_callback_url: https://staging.pangeo.2i2c.cloud/hub/oauth_callback
+ allowed_organizations:
+ - pangeo-data:us-central1-b-gcp
+ - 2i2c-org:tech-team
+ scope:
+ - read:org
+ extraConfig:
+ 06-custom-authenticator: ""
 singleuser:
 image:
 name: pangeo/pangeo-notebook
From 8f5cfe84715713bffa780fbe9a3e30ceff9b23f8 Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Thu, 23 Sep 2021 13:09:54 +0100
Subject: [PATCH 3/5] Explicitly set config for prod hub
This ensures prod will continue to work as expected until we are ready to migrate the staging config onto prod
---
 config/hubs/pangeo-hubs.cluster.yaml | 107 ++++++++++++++++++++++++++-
 1 file changed, 106 insertions(+), 1 deletion(-)
diff --git a/config/hubs/pangeo-hubs.cluster.yaml b/config/hubs/pangeo-hubs.cluster.yaml
index 23d800a900..1b317ffae0 100644
--- a/config/hubs/pangeo-hubs.cluster.yaml
+++ b/config/hubs/pangeo-hubs.cluster.yaml
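Review bot: The `allowed_organizations` entries added in the second hunk use the `org:team` form, which only works together with the `read:org` entry under `scope` a few lines below, and nothing in the file records that coupling. A comment above `allowed_organizations`, such as `# org:team entries need the read:org scope listed under scope below; change both together`, would keep the two settings from drifting apart. If either organization restricts third-party OAuth application access, team-membership lookups for that org will fail regardless of the scope, so the same comment could note that the OAuth App must be approved for both orgs. The enclosing `config: &stagingConfig` mapping starts outside this hunk.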
@@ -153,4 +153,109 @@ hubs:
 template: daskhub
 auth0:
 connection: github
- config: *stagingConfig
+ config:
+ basehub:
+ nfs:
+ enabled: true
+ pv:
+ mountOptions:
+ - soft
+ - noatime
+ # Google FileStore IP
+ serverIP: 10.229.44.234
+ # Name of Google Filestore share
+ baseShareName: /homes/
+ jupyterhub:
+ proxy:
+ https:
+ enabled: false
+ custom:
+ homepage:
+ templateVars:
+ org:
+ name: Pangeo
+ url: https://pangeo.io
+ logo_url: "https://raw.githubusercontent.com/pangeo-data/pangeo/master/docs/_static/pangeo_simple_logo.svg"
+ designed_by:
+ name: 2i2c
+ url: https://2i2c.org
+ operated_by:
+ name: 2i2c
+ url: https://2i2c.org
+ funded_by:
+ name: The Gordon and Betty Moore Foundation
+ url: https://www.moore.org/
+ hub:
+ config:
+ Authenticator:
+ allowed_users: &prod_users
+ - sgibson91
+ - yuvipanda
+ - damianavila
+ - choldgraf
+ - rabernat
+ admin_users: *prod_users
+ singleuser:
+ image:
+ name: pangeo/pangeo-notebook
+ tag: bcfacc5
+ profileList:
+ # The mem-guarantees are here so k8s doesn't schedule other pods
+ # on these nodes. They need to be just under total allocatable
+ # RAM on a node, not total node capacity
+ - display_name: "Small (1 GB - 4 GB)"
+ default: true
+ kubespawner_override:
+ cpu_limit: 2
+ cpu_guarantee: 0.3
+ mem_limit: 4G
+ mem_guarantee: 1G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-4
+ - display_name: "Medium (4 GB - 8 GB)"
+ kubespawner_override:
+ cpu_limit: 2
+ cpu_guarantee: 1
+ mem_limit: 8G
+ mem_guarantee: 4G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-8
+ - display_name: "Large (12 GB - 16 GB)"
+ kubespawner_override:
+ cpu_limit: 4
+ cpu_guarantee: 1
+ mem_limit: 16G
+ mem_guarantee: 12G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-16
+ - display_name: "ML Image - Large (12 GB - 16 GB)"
+ description: "https://github.com/pangeo-data/pangeo-docker-images/tree/master/ml-notebook"
+ kubespawner_override:
+ image: "pangeo/ml-notebook:master"
+ cpu_limit: 2
+ cpu_guarantee: 1
+ mem_limit: 16G
+ mem_guarantee: 12G
+ node_selector:
+ node.kubernetes.io/instance-type: n1-standard-16
+ initContainers:
+ # Need to explicitly fix ownership here, since EFS doesn't do anonuid
+ - name: volume-mount-ownership-fix
+ image: busybox
+ command: ["sh", "-c", "id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan"]
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: home
+ mountPath: /home/jovyan
+ subPath: "{username}"
+ dask-gateway:
+ gateway:
+ backend:
+ scheduler:
+ cores:
+ request: 0.8
+ limit: 1
+ memory:
+ request: 1G
+ limit: 2G
From 1b5594adb883b4a0442863a58af3659508f406ca Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Mon, 27 Sep 2021 13:05:05 +0100
Subject: [PATCH 4/5] Remove some hard-coded config
---
 config/hubs/pangeo-hubs.cluster.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/config/hubs/pangeo-hubs.cluster.yaml b/config/hubs/pangeo-hubs.cluster.yaml
index 1b317ffae0..0abdcd8787 100644
--- a/config/hubs/pangeo-hubs.cluster.yaml
+++ b/config/hubs/pangeo-hubs.cluster.yaml
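Review bot: The init container added near the end of the hunk runs as root (`runAsUser: 0`) from an unpinned `image: busybox`, while the notebook image on the same hub is pinned to `tag: bcfacc5`; a floating tag on the one container that runs privileged over every user's home directory is the weakest point in this config. Pin it to a fixed tag or digest, `image: busybox:<PINNED_TAG_OR_DIGEST>` (placeholder), and consider the same for `image: "pangeo/ml-notebook:master"` in the ML profile, which also floats. The comment `# Need to explicitly fix ownership here, since EFS doesn't do anonuid` names EFS although the NFS server two comments earlier is described as Google Filestore; reword it to name the backend actually in use, or record why the ownership fix is still needed with Filestore. The prod `hubs` entry this `config:` belongs to starts before the hunk.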
@@ -30,7 +30,6 @@ hubs:
 template: daskhub
 auth0:
 enabled: false
- connection: github
 config: &stagingConfig
 basehub:
 nfs:
@@ -82,8 +81,6 @@ hubs:
 - 2i2c-org:tech-team
 scope:
 - read:org
- extraConfig:
- 06-custom-authenticator: ""
 singleuser:
 image:
 name: pangeo/pangeo-notebook
From ee39b165fa5a91c61517ff2ad9d441e0d446ddef Mon Sep 17 00:00:00 2001
From: Sarah Gibson
Date: Mon, 4 Oct 2021 17:03:52 +0100
Subject: [PATCH 5/5] Remove allowed_users block
This prevents folk from logging in even if they're accepted by the org/team condition
---
 config/hubs/pangeo-hubs.cluster.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/config/hubs/pangeo-hubs.cluster.yaml b/config/hubs/pangeo-hubs.cluster.yaml
index 0abdcd8787..16d17185d9 100644
--- a/config/hubs/pangeo-hubs.cluster.yaml
+++ b/config/hubs/pangeo-hubs.cluster.yaml
@@ -65,13 +65,12 @@ hubs:
 hub:
 config:
 Authenticator:
- allowed_users: &staging_users
+ admin_users:
 - sgibson91
 - yuvipanda
 - damianavila
 - choldgraf
 - rabernat
- admin_users: *staging_users
 JupyterHub:
 authenticator_class: github
 GitHubOAuthenticator:
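Review bot: With `allowed_users` gone from `Authenticator` in the last hunk, the only admission gate left for staging is the `allowed_organizations` list under `GitHubOAuthenticator`, which lies outside this hunk, and the remaining `admin_users` list now reads like an allow list even though it only grants privileges. A comment above the new line, `# Login is gated by GitHubOAuthenticator.allowed_organizations; this list only grants admin rights`, would make that explicit. Whether a listed admin who is not a member of an allowed org/team can still log in depends on how the deployed JupyterHub version combines the two settings, so it is worth verifying once against the hub rather than assuming. The prod hub keeps its own `allowed_users: &prod_users` from the earlier patch, so dropping the `&staging_users` anchor leaves no dangling alias.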