Enabling GitHub Teams Authentication for the Pangeo Staging Hub

config/hubs/pangeo-hubs.cluster.yaml

@@ -24,14 +24,12 @@ support:
       controller:
         admissionWebhooks:
           enabled: false
-    nfs-server-provisioner:
-      enabled: false
 hubs:
   - name: staging
     domain: staging.pangeo.2i2c.cloud
     template: daskhub
     auth0:
-      connection: github
+      enabled: false
     config: &stagingConfig
       basehub:
         nfs:
@@ -67,13 +65,21 @@ hubs:
           hub:
             config:
               Authenticator:
-                allowed_users: &staging_users
+                admin_users:
                   - sgibson91
                   - yuvipanda
                   - damianavila
                   - choldgraf
                   - rabernat
-                admin_users: *staging_users
+              JupyterHub:
+                authenticator_class: github
+              GitHubOAuthenticator:
+                oauth_callback_url: https://staging.pangeo.2i2c.cloud/hub/oauth_callback
+                allowed_organizations:
+                  - pangeo-data:us-central1-b-gcp
+                  - 2i2c-org:tech-team
+                scope:
+                  - read:org
           singleuser:
             image:
               name: pangeo/pangeo-notebook
@@ -143,4 +149,109 @@ hubs:
     template: daskhub
     auth0:
       connection: github
-    config: *stagingConfig
+    config:
+      basehub:
+        nfs:
+          enabled: true
+          pv:
+            mountOptions:
+            - soft
+            - noatime
+            # Google FileStore IP
+            serverIP: 10.229.44.234
+            # Name of Google Filestore share
+            baseShareName: /homes/
+        jupyterhub:
+          proxy:
+            https:
+              enabled: false
+          custom:
+            homepage:
+              templateVars:
+                org:
+                  name: Pangeo
+                  url: https://pangeo.io
+                  logo_url: "https://raw.githubusercontent.com/pangeo-data/pangeo/master/docs/_static/pangeo_simple_logo.svg"
+                designed_by:
+                  name: 2i2c
+                  url: https://2i2c.org
+                operated_by:
+                  name: 2i2c
+                  url: https://2i2c.org
+                funded_by:
+                  name: The Gordon and Betty Moore Foundation
+                  url: https://www.moore.org/
+          hub:
+            config:
+              Authenticator:
+                allowed_users: &prod_users
+                  - sgibson91
+                  - yuvipanda
+                  - damianavila
+                  - choldgraf
+                  - rabernat
+                admin_users: *prod_users
+          singleuser:
+            image:
+              name: pangeo/pangeo-notebook
+              tag: bcfacc5
+            profileList:
+              # The mem-guarantees are here so k8s doesn't schedule other pods
+              # on these nodes. They need to be just under total allocatable
+              # RAM on a node, not total node capacity
+              - display_name: "Small (1 GB - 4 GB)"
+                default: true
+                kubespawner_override:
+                  cpu_limit: 2
+                  cpu_guarantee: 0.3
+                  mem_limit: 4G
+                  mem_guarantee: 1G
+                  node_selector:
+                    node.kubernetes.io/instance-type: n1-standard-4
+              - display_name: "Medium (4 GB - 8 GB)"
+                kubespawner_override:
+                  cpu_limit: 2
+                  cpu_guarantee: 1
+                  mem_limit: 8G
+                  mem_guarantee: 4G
+                  node_selector:
+                    node.kubernetes.io/instance-type: n1-standard-8
+              - display_name: "Large (12 GB - 16 GB)"
+                kubespawner_override:
+                  cpu_limit: 4
+                  cpu_guarantee: 1
+                  mem_limit: 16G
+                  mem_guarantee: 12G
+                  node_selector:
+                    node.kubernetes.io/instance-type: n1-standard-16
+              - display_name: "ML Image - Large (12 GB - 16 GB)"
+                description: "https://github.com/pangeo-data/pangeo-docker-images/tree/master/ml-notebook"
+                kubespawner_override:
+                  image: "pangeo/ml-notebook:master"
+                  cpu_limit: 2
+                  cpu_guarantee: 1
+                  mem_limit: 16G
+                  mem_guarantee: 12G
+                  node_selector:
+                    node.kubernetes.io/instance-type: n1-standard-16
+            initContainers:
+              # Need to explicitly fix ownership here, since EFS doesn't do anonuid
+            - name: volume-mount-ownership-fix
+              image: busybox
+              command: ["sh", "-c", "id && chown 1000:1000 /home/jovyan && ls -lhd /home/jovyan"]
+              securityContext:
+                runAsUser: 0
+              volumeMounts:
+              - name: home
+                mountPath: /home/jovyan
+                subPath: "{username}"
+      dask-gateway:
+        gateway:
+          backend:
+            scheduler:
+              cores:
+                request: 0.8
+                limit: 1
+              memory:
+                request: 1G
+                limit: 2G

secrets/config/hubs/pangeo-hubs.cluster.yaml

@@ -0,0 +1,24 @@
+hubs:
+    - name: ENC[AES256_GCM,data:Fn161Lzsng==,iv:PNitibdRvHzMaMU9IPqM0iMs+emXA9E6zelfTQB1BYM=,tag:rCY7acQFechcFSGy94RMzQ==,type:str]
+      config:
+        basehub:
+            jupyterhub:
+                hub:
+                    config:
+                        GitHubOAuthenticator:
+                            client_id: ENC[AES256_GCM,data:HGNeAuzHqKgpPgxlqc/VDgGQX2o=,iv:D7Ms4JSrKUW5KfuNdAC/VOayYsFWaK3oJSUURjEeCTQ=,tag:eLf2IvkTmq0lyg+lEHWOSw==,type:str]
+                            client_secret: ENC[AES256_GCM,data:/iilnqtJaEVNVLp8V4LOpQz8Q19ADr9Qdk1ul/EVlynzJbRQcJXZUA==,iv:gEGMykdY1LoLGSXxHvwREwZVVAfmKdAzU2ddqWKSeg4=,tag:YQWTlrvMJF3NGWIB++wJDg==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2021-09-23T11:39:22Z"
+          enc: CiQA4OM7eNF5IudCQucrsGQG3wsRyoqPuaVA5SgIYHGJLcp5EucSSQC9ZQbLJ42M2kH6oTiAdH+xQrqwfVn2shiKrOzGOM35kfWXKpk0bHLxE0xkQrPdpxraFM24UjUxaEZd49h8lh41gt44Rw8j0oM=
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2021-09-23T11:39:23Z"
+    mac: ENC[AES256_GCM,data:dyS/xZtXbiox31+3uO70lFkoHy/9IYBu1JhIXEZG1XNQqsWGUchRh2O85dS6bTSPtYVf+cTc/uwjsr8YfyzCDewWNxbXdqL51aAx2TFPGJcAtj+xC0ntuktJeLm3oY6rcs/GJ7XFFdx2crhKV9WOLony2havSJ1EuaMH+RUbUpQ=,iv:P4m/+cV6BSzlExyxcn0+56BLik09A60Hp4kvgA6xLAs=,tag:YjZinx3R4TRQx6xZTvw7Wg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.1