From 0c00edcef4589b4ecab7c45c2053605849b39a1f Mon Sep 17 00:00:00 2001 From: Scott Henderson Date: Mon, 20 Apr 2020 09:21:08 -0700 Subject: [PATCH 1/6] add auth to aws --- deploy-aws/staging.yaml | 74 ++++++++++++++++++++++++++++++++- k8s-aws/cluster-autoscaler.yml | 2 +- k8s-aws/eksctl-config.yml | 72 +++++++++++++------------------- k8s-aws/readme.md | 23 ++++++++++ secrets-aws/staging.yaml | Bin 1271 -> 1478 bytes 5 files changed, 127 insertions(+), 44 deletions(-) diff --git a/deploy-aws/staging.yaml b/deploy-aws/staging.yaml index 7b8d5ae..3b8f777 100644 --- a/deploy-aws/staging.yaml +++ b/deploy-aws/staging.yaml @@ -9,6 +9,7 @@ binderhub: badge_base_url: https://staging.aws-uswest2-binder.pangeo.io image_prefix: pangeoaccess/binder-staging- use_registry: true + auth_enabled: true nodeSelector: hub.jupyter.org/node-purpose: core resources: @@ -38,6 +39,8 @@ binderhub: hostSocketDir: /var/run/dind/stage jupyterhub: + custom: + binderauth_enabled: true proxy: nodeSelector: hub.jupyter.org/node-purpose: core 
@@ -71,17 +74,86 @@ binderhub: singleuser: serviceAccountName: pangeo + # to make notebook servers aware of hub + cmd: jupyterhub-singleuser + defaultUrl: "/lab" extraEnv: DASK_GATEWAY__ADDRESS: "https://hub.staging.aws-uswest2-binder.pangeo.io/services/dask-gateway/" DASK_GATEWAY__PROXY_ADDRESS: "gateway://traefik-staging-dask-gateway.staging:80" hub: + redirectToServer: false resources: requests: cpu: 50m memory: 100Mi - + extraEnv: + OAUTH2_AUTHORIZE_URL: "https://pangeo-aws.auth0.com/authorize" + OAUTH2_TOKEN_URL: "https://pangeo-aws.auth0.com/oauth/token" + #OAUTH_CALLBACK_URL: "https://staging.aws-uswest2-binder.pangeo.io/hub/oauth_callback" services: + binder: + #url: http://194.95.75.9:30083 # base worker + oauth_no_confirm: true + oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback" + oauth_client_id: "auth0" dask-gateway: # This makes the gateway available at ${HUB_URL}/services/dask-gateway url: http://traefik-staging-dask-gateway.staging + # clone custom JupyterHub templates into a volume + initContainers: + - name: git-clone-templates + image: alpine/git + args: + - clone + - --single-branch + - --branch=master + - --depth=1 + - -- + - https://github.com/pangeo-data/pangeo-custom-jupyterhub-templates.git + - /mnt/template-repo + securityContext: + runAsUser: 0 + volumeMounts: + - name: custom-templates + mountPath: /mnt/template-repo + extraVolumes: + - name: custom-templates + emptyDir: {} + extraVolumeMounts: + # Note: subPath is relative to repo root dir + - name: custom-templates + mountPath: /usr/local/share/jupyterhub/custom-templates + subPath: templates + - name: custom-templates + mountPath: /usr/local/share/jupyterhub/static/extra-assets + subPath: extra-assets + extraConfig: + 00-template-config: | + c.JupyterHub.template_paths = ['/usr/local/share/jupyterhub/custom-templates/'] + c.JupyterHub.template_vars = { + 'pangeo_hub_title': 'Pangeo BinderHub', + 'pangeo_hub_subtitle': 'AWS us-west-2', + 'pangeo_welcome': 
"""Welcome to Pangeo BinderHub, a platform for distributed computing to support Earth Science research. This is a prototype and should be treated accordingly. We make no promises that the service will remain active. Do not store passwords or sensitive data. To provide feedback and report any technical problems, please use the github issue tracker. Maintained by the Pangeo project and supported by NASA Grant #17-ACCESS17-0003 and cloud credits from Amazon.

Access is currently open to any GitHub user. Register by clicking on the sign in button below:

""", + 'announcement_login': 'This BinderHub now uses Dask Gateway 0.7.1 Read more' + } + auth: + # Auth0 Login + type: custom + custom: + className: oauthenticator.generic.GenericOAuthenticator + config: + login_service: "Pangeo Login" + token_url: https://pangeo-aws.auth0.com/oauth/token + userdata_url: https://pangeo-aws.auth0.com/oauth/userinfo + userdata_method: GET + username_key: nickname + scope: + - openid + - profile + - email + admin: + access: true + users: + - scottyhq + - salvis2 diff --git a/k8s-aws/cluster-autoscaler.yml b/k8s-aws/cluster-autoscaler.yml index cb0c0f3..b757752 100644 --- a/k8s-aws/cluster-autoscaler.yml +++ b/k8s-aws/cluster-autoscaler.yml @@ -129,7 +129,7 @@ spec: spec: serviceAccountName: cluster-autoscaler containers: - - image: k8s.gcr.io/cluster-autoscaler:v1.14.7 + - image: k8s.gcr.io/autoscaling/cluster-autoscaler:v1.16.7 name: cluster-autoscaler resources: limits: diff --git a/k8s-aws/eksctl-config.yml b/k8s-aws/eksctl-config.yml index 1da0e0e..780962d 100644 --- a/k8s-aws/eksctl-config.yml +++ b/k8s-aws/eksctl-config.yml @@ -37,7 +37,7 @@ iam: - "arn:aws:iam::783380859522:policy/pangeo-data-s3" nodeGroups: - - name: core-spot-xl + - name: core-spot # use single AZ to optimise data transfer between instances, also reconnect to existing hub pvc availabilityZones: ["us-west-2c"] minSize: 1 @@ -45,9 +45,9 @@ nodeGroups: desiredCapacity: 1 privateNetworking: true volumeSize: 100 - volumeType: gp2 + volumeType: gp3 labels: - node-role.kubernetes.io/core: core + role: core hub.jupyter.org/node-purpose: core instancesDistribution: instanceTypes: @@ -63,6 +63,7 @@ nodeGroups: onDemandPercentageAboveBaseCapacity: 0 # all spot ami: auto amiFamily: AmazonLinux2 + - name: user-spot minSize: 0 maxSize: 10 
@@ -77,25 +78,21 @@ nodeGroups: onDemandBaseCapacity: 0 onDemandPercentageAboveBaseCapacity: 0 # all spot volumeSize: 100 - volumeType: gp2 + volumeType: gp3 labels: - node-role.kubernetes.io/user: user + role: user hub.jupyter.org/node-purpose: user taints: - hub.jupyter.org/dedicated: 'user:NoSchedule' + hub.jupyter.org/dedicated: user:NoSchedule tags: - k8s.io/cluster-autoscaler/node-template/label/hub.jupyter.org/node-purpose: user - k8s.io/cluster-autoscaler/node-template/taint/hub.jupyter.org/dedicated: 'user:NoSchedule' + k8s.io/cluster-autoscaler/pangeo-binder: "owned" + k8s.io/cluster-autoscaler/enabled: "true" + k8s.io/cluster-autoscaler/node-template/label/hub.jupyter.org/node-purpose: "user" + k8s.io/cluster-autoscaler/node-template/taint/hub.jupyter.org/dedicated: "user:NoSchedule" ami: auto amiFamily: AmazonLinux2 - iam: - withAddonPolicies: - autoScaler: true - preBootstrapCommands: # see https://github.com/weaveworks/eksctl/issues/1310 - - yum install -y iptables-services - - iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP - - iptables-save | tee /etc/sysconfig/iptables - - systemctl enable --now iptables + disablePodIMDS: true + - name: worker-spot minSize: 0 maxSize: 10 
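Review bot: Dropping `iam.withAddonPolicies.autoScaler: true` together with `disablePodIMDS: true` means pods on `user-spot` can no longer obtain the node role's credentials at all, so the cluster-autoscaler (and anything else that reached AWS through the node role) must be authorized through IRSA; the `serviceAccountName: cluster-autoscaler` context in the cluster-autoscaler.yml hunk suggests that is the intent, but the role annotation on that service account is not in this patch, so confirm it exists before the old nodegroups are deleted. The same change is made in the `@@ -110,28 +107,24 @@` and `@@ -142,22 +135,17 @@` hunks. The new `k8s.io/cluster-autoscaler/pangeo-binder: "owned"` and `k8s.io/cluster-autoscaler/enabled: "true"` tags only take effect if the autoscaler is started with auto-discovery for that cluster name, which the cluster-autoscaler.yml hunk does not show; a comment above `tags:` such as `# auto-discovery tags: must match --node-group-auto-discovery in k8s-aws/cluster-autoscaler.yml` would record that dependency.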
@@ -110,28 +107,24 @@ nodeGroups: onDemandBaseCapacity: 0 onDemandPercentageAboveBaseCapacity: 0 volumeSize: 100 - volumeType: gp2 + volumeType: gp3 labels: - node-role.kubernetes.io/worker: worker + role: worker k8s.dask.org/node-purpose: worker taints: - k8s.dask.org/dedicated: 'worker:NoSchedule' + k8s.dask.org/dedicated: worker:NoSchedule tags: - k8s.io/cluster-autoscaler/node-template/label/k8s.dask.org/node-purpose: worker - k8s.io/cluster-autoscaler/node-template/taint/k8s.dask.org/dedicated: "worker:NoSchedule" + k8s.io/cluster-autoscaler/pangeo-binder: "owned" + k8s.io/cluster-autoscaler/enabled: "true" + k8s.io/cluster-autoscaler/node-template/label/k8s.dask.org/node-purpose: "worker" + k8s.io/cluster-autoscaler/node-template/taint/k8s.dask.org/dedicated: "worker:NoSchedule" ami: auto amiFamily: AmazonLinux2 - iam: - withAddonPolicies: - autoScaler: true - preBootstrapCommands: # see https://github.com/weaveworks/eksctl/issues/1310 - - yum install -y iptables-services - - iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP - - iptables-save | tee /etc/sysconfig/iptables - - systemctl enable --now iptables + disablePodIMDS: true + - name: scheduler-spot minSize: 0 - maxSize: 20 + maxSize: 10 desiredCapacity: 0 privateNetworking: true instancesDistribution: 
@@ -142,22 +135,17 @@ nodeGroups: onDemandBaseCapacity: 0 onDemandPercentageAboveBaseCapacity: 0 volumeSize: 100 - volumeType: gp2 + volumeType: gp3 labels: - node-role.kubernetes.io/scheduler: scheduler + role: scheduler k8s.dask.org/node-purpose: scheduler taints: - k8s.dask.org/dedicated: 'scheduler:NoSchedule' + k8s.dask.org/dedicated: scheduler:NoSchedule tags: - k8s.io/cluster-autoscaler/node-template/label/k8s.dask.org/node-purpose: scheduler + k8s.io/cluster-autoscaler/pangeo-binder: "owned" + k8s.io/cluster-autoscaler/enabled: "true" + k8s.io/cluster-autoscaler/node-template/label/k8s.dask.org/node-purpose: "scheduler" k8s.io/cluster-autoscaler/node-template/taint/k8s.dask.org/dedicated: "scheduler:NoSchedule" ami: auto amiFamily: AmazonLinux2 - iam: - withAddonPolicies: - autoScaler: true - preBootstrapCommands: # see https://github.com/weaveworks/eksctl/issues/1310 - - yum install -y iptables-services - - iptables --insert FORWARD 1 --in-interface eni+ --destination 169.254.169.254/32 --jump DROP - - iptables-save | tee /etc/sysconfig/iptables - - systemctl enable --now iptables + disablePodIMDS: true diff --git a/k8s-aws/readme.md b/k8s-aws/readme.md index 9f228bc..63656ff 100644 --- a/k8s-aws/readme.md +++ b/k8s-aws/readme.md 
@@ -107,3 +107,26 @@ Other cheatsheet commands: ``` eksctl delete iamserviceaccount --cluster pangeo-binder --name pangeo --namespace staging ``` + + +## Update Cluster (K8s version and nodegroups) +https://eksctl.io/usage/cluster-upgrade/ + +last did this 2/3/2021 with eksctl 0.37.0 +``` +eksctl upgrade cluster --name=pangeo-binder --approve +eksctl utils update-kube-proxy --profile circleci --name pangeo-binder --region us-west-2 --approve +eksctl utils update-aws-node --profile circleci --name pangeo-binder --region us-west-2 --approve +eksctl utils update-coredns --profile circleci --name pangeo-binder --region us-west-2 --approve +``` + +create new nodegroups +``` +eksctl create nodegroup --profile circleci --config-file=eksctl-config.yml +``` + +bump autoscaler version (1.16.7) +https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases +``` +kubectl apply -f cluster-autoscaler.yml +``` 
diff --git a/secrets-aws/staging.yaml b/secrets-aws/staging.yaml index 1f0c83fad44a2960e2a2f67e44d843cd10c34176..7b78547864c519041792c016a52c639b4e980caf 100644 GIT binary patch literal 1478 zcmV;%1v&ZvM@dveQdv+`09p&_}@SdbXFN!pN!F-_m>dB~WT3NhEl|@pjj)^xCM} z>``DOW+56IRvC-<7M1HVMF#h#UlKSIB)+%QPh&OUj{8zOf-=z~6hfGnU*#xsvq=?= zyEXH%JmY!&*@bEEV)oUkq;K*%!=+(&PeDajY%Tm`>N2-hFoJwSk9aAdi!m0b$mI8| zNs7B4rh<>qM`B>N0a#izy~4~nyc_;h6C1_5`n?iJMvCqPAb-Rb}Ag;i4JweuRHMjvF;14&C z{}<=?_`)f{!8p0K9{drk%jSVxTyU*EeW|YOYOOaBv!Py1RFW8)!2nNMTJk|&~uY`9~q4}h~GeUJ_Umr_N z2<0wdn?-iarAGDPizv)CYOUG1L)bPEef zoH5=7rT(UeE<~`#Us2Y1#X=RN1@4k{vPoTxcET+-{w{qZfP5(j4$$oo%M!0M7aj;& zLfW%#eppHJkXPv7ow!-P{KUXtmHSw8gW}+uH9AOsYoOJ99q$;Jot&6P)sVHGW3Lka zL8t60jNI6~=%Te!Ba`f;%uv24izbP~#n>%V2Bq8KN4lIRWoA!MG~V*RaV~&4-L~>p ze4}01xz{|H9OF2#CSuvv{WYU2WV(YN0>X}cO`5Cj~ z4t}_Q%6krRxOx`uo^?4otqKQ>U<4N>5}4G?>$A$+f+W*1@asAo7}=A7)b#+P*AA-7 z?;%x@;w7St41p$B(g_SArL9ky`5k9s%j%6MvWPLb0Sv=5^)t7vuLv_Ph+ z+POv^3>+jX)CM}W)*Bge1z=;rtY)6bw#%C==3i~FFeK=Db$74I=62aV5L8?B*&6`2 ziUeE!yLq(yOWDndAUIg3d;BKQqKryq%)5j&t~l{=^3DfbU@(FDof;$9Vi`)O zDXN_`ep^2$9YKw2KL(;FYfcg87|jh2AG@ZSX(p+|TWRy%eyxKbQ$Nd^7X0kL?tkH1 z5V9*CO8poCv6>LYM5W7AqT-H{t&2uYW`xgF-L)Akb>``h@erZGL!LP)EH^-VAa`6=IZw^D_pNELbmSRj}eCa0I zJ%IFJ1-6_Y6fA1EYd;em^92XBlWp5?Z)2JqO2Ac0!pxx|G=PH^i=)%-1(g%lF4&cX zUba0zwWB4lJ&U~2y!^BrI0rlE&c&W`QwR$aUiD8M@dveQdv+`0Q4Hv(FJpYpenKf@~;BG-MJrPegNc`FOG!BvmBGXMk0$r z%&3BmQ<{RuP3igt!%ozgh@_ zHq`LjI9S0Q9`|*Y;RNnfYho(`{FbW$!;E+1Uv$kM9^IUQLIAgBrf4Y6u4h(X2WJFc z#U|$0A6-0b#fESyumi-YOI*_|6W*kkjeO3!e#=g=ps_(|)y1r0&D6bsK6H@-n94nf zNC!3ymUyPTct}9n5>AQR-#*&95<+F%%!X$NPsIf!%m2kv81AxbE)$B$EW`4{N>46$ z$?aOD{7p-wS0ley_;Xme5+#9&_Yo~xH^(yeo=0aSG@hn4)<6L17)eJ;e>A7ZGimGL z+W%8Fu$4+Q$KkmS*b)>2D!6F_iX)~ywOii)XrQW5{(-fZOBmKGQFDGUMLU+u* zKs3oKl(DstV1y*}NVbrQLWl;;-H6Z2-UaGZ^kz9bY0P0U)~kl zc>-imjrSEaZ*~|Ei)pVX4|JL0PQ`tv#c*Dj(lK5#KVyXb^*LiC;-xZnG8`V%h5{xC zTdY=vvO;UNM{e~b8oiA>lJhW>C#Qf^HWX|^SBZ8Rpt}6ge6m>|5>JWw%Y1WzF-SpB 
z7EN#xZB=nLhGnu=d5Xq48o&r!ujlY&vcI!=piLX-Q1geAqLfG+5{WMG@XdX$b15^- z$OOdKEwc4HTc&SeX9eC*$eRA@RE>BdyL(fv3V%2@m{t6~OwIZ(-e*y2X2O-u3fmtHk`RAO9&HZzaYMvjH0X( zs~4obaN9ge>7Zo-GArL}FRd98hpMWfN)!%>EYxbbpz63$JJ3`yyE3rEdU~3iYW8ou z-5+xU)o`itSjgcsPjkR&p@eoACuJ^Z6r-YbO8z From e2d661c54ebe86a6e4ab44e17120fd0fa7d55ab0 Mon Sep 17 00:00:00 2001 From: Scott Henderson Date: Wed, 3 Feb 2021 19:03:39 -0800 Subject: [PATCH 2/6] functional non-auth staging --- .circleci/config.yml | 8 +-- deploy-aws/staging.yaml | 51 +++++++++-------- k8s-aws/binderhub-issuer-prod.yaml | 2 +- k8s-aws/binderhub-issuer-staging.yaml | 2 +- k8s-aws/readme.md | 12 ++++ pangeo-binder/requirements.yaml | 12 ++-- .../templates/dask-kubernetes-rbac.yaml | 52 ------------------ pangeo-binder/templates/pangeo-rbac.yaml | 2 +- secrets-aws/aws-config.txt | Bin 138 -> 138 bytes secrets-aws/staging.yaml | Bin 1478 -> 1482 bytes 10 files changed, 49 insertions(+), 92 deletions(-) delete mode 100644 pangeo-binder/templates/dask-kubernetes-rbac.yaml diff --git a/.circleci/config.yml b/.circleci/config.yml index 14e7d7e..8c110d7 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -33,7 +33,7 @@ jobs: name: Install helm when: always command: | - curl https://get.helm.sh/helm-v3.1.2-linux-amd64.tar.gz | \ + curl https://get.helm.sh/helm-v3.4.1-linux-amd64.tar.gz | \ tar -xzf - sudo mv linux-amd64/helm /usr/local/bin helm version @@ -42,7 +42,7 @@ jobs: helm repo add dask-gateway https://dask.org/dask-gateway-helm-repo/ helm repo add prometheus-community https://prometheus-community.github.io/helm-charts helm repo add grafana https://grafana.github.io/helm-charts - helm repo add stable https://kubernetes-charts.storage.googleapis.com/ + helm repo add stable https://charts.helm.sh/stable helm repo update cd ~/repo/pangeo-binder 
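Review bot: The Helm install still pipes an unverified download straight into `tar` (`curl https://get.helm.sh/helm-v3.4.1-linux-amd64.tar.gz | tar -xzf -`), so the job trusts whatever the CDN returns and a failed or partial fetch only surfaces as a tar error; the version bump is a good moment to add `-fsSL` and compare the archive against the SHA-256 Helm publishes for the release before extracting it. Since this binary goes on to run `helm upgrade` against the cluster with the job's AWS credentials, pinning the checksum is the cheapest supply-chain control available in this step. The enclosing job definition starts outside the hunk.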
@@ -94,14 +94,12 @@ jobs: when: always command: | RUNNERIP=`curl --silent https://checkip.amazonaws.com` - aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${RUNNERIP}/32 > /dev/null + aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${AWS_IP_WHITELIST},${RUNNERIP}/32 > /dev/null sleep 90 - run: name: Deploy AWS binderhub when: always command: | - kubectl apply -f https://raw.githubusercontent.com/dask/dask-gateway/0.8.0/resources/helm/dask-gateway/crds/daskclusters.yaml - kubectl apply -f https://raw.githubusercontent.com/dask/dask-gateway/0.8.0/resources/helm/dask-gateway/crds/traefik.yaml helm upgrade --wait --install \ ${CIRCLE_BRANCH} pangeo-binder \ --namespace=${CIRCLE_BRANCH} --version=v0.2.0 \ diff --git a/deploy-aws/staging.yaml b/deploy-aws/staging.yaml index 3b8f777..0211507 100644 --- a/deploy-aws/staging.yaml +++ b/deploy-aws/staging.yaml @@ -9,7 +9,7 @@ binderhub: badge_base_url: https://staging.aws-uswest2-binder.pangeo.io image_prefix: pangeoaccess/binder-staging- use_registry: true - auth_enabled: true + #auth_enabled: true nodeSelector: hub.jupyter.org/node-purpose: core resources: @@ -39,8 +39,8 @@ binderhub: hostSocketDir: /var/run/dind/stage jupyterhub: - custom: - binderauth_enabled: true + #custom: + # binderauth_enabled: true proxy: nodeSelector: hub.jupyter.org/node-purpose: core 
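Review bot: The new `publicAccessCidrs=${AWS_IP_WHITELIST},${RUNNERIP}/32` expands to a leading comma when `AWS_IP_WHITELIST` is unset in the CircleCI context, and because stdout is discarded the only signal is the CLI's exit status; a guard such as `: "${AWS_IP_WHITELIST:?must be set}"` before the call makes the failure explicit. As before this change, the runner's /32 remains in the cluster's public-access allowlist after the job finishes (each run only replaces it with the next runner's address); a final step run with `when: always` that resets `publicAccessCidrs` to `${AWS_IP_WHITELIST}` alone would keep the API endpoint closed to the last runner IP. The `sleep 90` is a fixed guess at propagation time; `aws eks wait cluster-active --name pangeo-binder` waits for the actual state change.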
@@ -82,21 +82,21 @@ binderhub: DASK_GATEWAY__PROXY_ADDRESS: "gateway://traefik-staging-dask-gateway.staging:80" hub: - redirectToServer: false + #redirectToServer: false resources: requests: cpu: 50m memory: 100Mi - extraEnv: - OAUTH2_AUTHORIZE_URL: "https://pangeo-aws.auth0.com/authorize" - OAUTH2_TOKEN_URL: "https://pangeo-aws.auth0.com/oauth/token" - #OAUTH_CALLBACK_URL: "https://staging.aws-uswest2-binder.pangeo.io/hub/oauth_callback" + #extraEnv: + # OAUTH2_AUTHORIZE_URL: "https://pangeo.auth0.com/authorize" + # OAUTH2_TOKEN_URL: "https://pangeo.auth0.com/oauth/token" + # OAUTH_CALLBACK_URL: "https://staging.aws-uswest2-binder.pangeo.io/hub/oauth_callback" services: binder: #url: http://194.95.75.9:30083 # base worker - oauth_no_confirm: true - oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback" - oauth_client_id: "auth0" + #oauth_no_confirm: true + #oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback" + #oauth_client_id: "auth0" dask-gateway: # This makes the gateway available at ${HUB_URL}/services/dask-gateway url: http://traefik-staging-dask-gateway.staging @@ -135,25 +135,24 @@ binderhub: 'pangeo_hub_title': 'Pangeo BinderHub', 'pangeo_hub_subtitle': 'AWS us-west-2', 'pangeo_welcome': """Welcome to Pangeo BinderHub, a platform for distributed computing to support Earth Science research. This is a prototype and should be treated accordingly. We make no promises that the service will remain active. Do not store passwords or sensitive data. To provide feedback and report any technical problems, please use the github issue tracker. Maintained by the Pangeo project and supported by NASA Grant #17-ACCESS17-0003 and cloud credits from Amazon.

Access is currently open to any GitHub user. Register by clicking on the sign in button below:

""", - 'announcement_login': 'This BinderHub now uses Dask Gateway 0.7.1 Read more' + 'announcement_login': 'This BinderHub now uses Dask Gateway 0.9 Read more' } auth: # Auth0 Login - type: custom - custom: - className: oauthenticator.generic.GenericOAuthenticator - config: - login_service: "Pangeo Login" - token_url: https://pangeo-aws.auth0.com/oauth/token - userdata_url: https://pangeo-aws.auth0.com/oauth/userinfo - userdata_method: GET - username_key: nickname - scope: - - openid - - profile - - email + # type: custom + # custom: + # className: oauthenticator.generic.GenericOAuthenticator + # config: + # login_service: "Pangeo Login" + # token_url: https://pangeo.auth0.com/oauth/token + # userdata_url: https://pangeo.auth0.com/oauth/userinfo + # userdata_method: GET + # username_key: nickname + # scope: + # - openid + # - profile + # - email admin: access: true users: - scottyhq - - salvis2 diff --git a/k8s-aws/binderhub-issuer-prod.yaml b/k8s-aws/binderhub-issuer-prod.yaml index 6ea04a6..dade87c 100644 --- a/k8s-aws/binderhub-issuer-prod.yaml +++ b/k8s-aws/binderhub-issuer-prod.yaml @@ -1,4 +1,4 @@ -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: letsencrypt-production diff --git a/k8s-aws/binderhub-issuer-staging.yaml b/k8s-aws/binderhub-issuer-staging.yaml index 67e3322..03694c7 100644 --- a/k8s-aws/binderhub-issuer-staging.yaml +++ b/k8s-aws/binderhub-issuer-staging.yaml @@ -1,4 +1,4 @@ -apiVersion: cert-manager.io/v1alpha2 +apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: letsencrypt-production diff --git a/k8s-aws/readme.md b/k8s-aws/readme.md index 63656ff..1b32a24 100644 --- a/k8s-aws/readme.md +++ b/k8s-aws/readme.md 
@@ -130,3 +130,15 @@ https://github.com/kubernetes/autoscaler/tree/master/cluster-autoscaler#releases ``` kubectl apply -f cluster-autoscaler.yml ``` + +Need to upgrade certmanager https://cert-manager.io/docs/installation/kubernetes/ +https://cert-manager.io/docs/installation/uninstall/kubernetes/ +``` +kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.1.0/cert-manager.yaml +``` +and update binderhub-issuer-staging.yaml to use `apiVersion: cert-manager.io/v1` +(https://cert-manager.io/docs/configuration/acme/#creating-a-basic-acme-issuer) +``` +# Wait about 2 minutes for 'webhook' to start running before running this command: +kubectl apply -f binderhub-issuer-staging.yaml +``` diff --git a/pangeo-binder/requirements.yaml b/pangeo-binder/requirements.yaml index b93e025..f191567 100644 --- a/pangeo-binder/requirements.yaml +++ b/pangeo-binder/requirements.yaml @@ -2,13 +2,13 @@ dependencies: - name: binderhub version: 0.2.0-n219.hbc17443 - repository: https://jupyterhub.github.io/helm-chart/ + repository: https://jupyterhub.github.io/helm-chart import-values: - child: rbac parent: rbac -- name: nginx-ingress - version: 1.34.2 - repository: https://kubernetes-charts.storage.googleapis.com +- name: ingress-nginx + version: 2.13.0 + repository: https://kubernetes.github.io/ingress-nginx - name: dask-gateway - version: "0.9.0" - repository: 'https://dask.org/dask-gateway-helm-repo/' + version: 0.9.0 + repository: https://dask.org/dask-gateway-helm-repo diff --git a/pangeo-binder/templates/dask-kubernetes-rbac.yaml b/pangeo-binder/templates/dask-kubernetes-rbac.yaml deleted file mode 100644 index a048261..0000000 --- a/pangeo-binder/templates/dask-kubernetes-rbac.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ -{{- if .Values.rbac.enabled -}} -kind: ServiceAccount -apiVersion: v1 -metadata: - name: daskkubernetes - namespace: {{ .Release.Namespace }} - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - component: daskkubernetes - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - ---- - -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: daskkubernetes - namespace: {{ .Release.Namespace }} - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - component: daskkubernetes - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -rules: -- apiGroups: [""] # "" indicates the core API group - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] -- apiGroups: [""] # "" indicates the core API group - resources: ["pods/log"] - verbs: ["get", "list"] - ---- - -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: daskkubernetes - namespace: {{ .Release.Namespace }} - labels: - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - component: daskkubernetes - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} -subjects: -- kind: ServiceAccount - name: daskkubernetes -roleRef: - kind: Role - name: daskkubernetes - apiGroup: rbac.authorization.k8s.io -{{- end -}} diff --git a/pangeo-binder/templates/pangeo-rbac.yaml b/pangeo-binder/templates/pangeo-rbac.yaml index d27f21a..6a6bc67 100644 --- a/pangeo-binder/templates/pangeo-rbac.yaml +++ b/pangeo-binder/templates/pangeo-rbac.yaml @@ -1,4 +1,4 @@ -{{- if .Values.rbac.enabled -}} +{{- if .Values.binderhub.rbac.enabled -}} kind: ServiceAccount apiVersion: v1 metadata: 
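Review bot: Switching the guard to `.Values.binderhub.rbac.enabled` makes the ServiceAccount depend on a value supplied under the `binderhub` subchart key; if the deploy values do not set `binderhub.rbac.enabled` explicitly, the condition is false and the template silently renders nothing, whereas the `import-values: child: rbac, parent: rbac` entry in requirements.yaml (still present in this patch) was populating `.Values.rbac` from the subchart. Either keep that import and reference `.Values.rbac.enabled`, or remove the now-unused import so the two files agree on where the flag lives; whether the subchart's default is actually exported to the parent depends on binderhub's own values file, which is not in the patch. The rest of the template is outside the hunk.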
diff --git a/secrets-aws/aws-config.txt b/secrets-aws/aws-config.txt index 86ef1a187020aa8fb20fd36b1fca6dea90329ec6..bd68c61c9a8380888d638a893819458cf916aa87 100644 GIT binary patch literal 138 zcmV;50CoQWM@dveQdv+`0QOcqjs=_-E@Hv&64PQO=0?9qrAbdewkj8NCD-O;&Q#Q2 zU>|PtscCRLX9T066=x1bA`l#H8&|pw4JGkEu=*U)10Az1uZl(LcKH!7?>m-^lkTB& s?uhje6wpdA_o4q_H8E(up>Qe1ce{i-2=O;q*=I=5SQ9s9^0lXgD~{_t*8l(j literal 138 zcmV;50CoQWM@dveQdv+`0CPg?`cmxuff+tIHmeBHA*RV<3yWlW*Q2m@Dq>phrt)oZ zI?Kmy?*MzC;KDQKpyCW#+8ytPHIWN7%(R4T5E#oAdTw;Y9I4Ss)9R4AMvb8}DrlS) s3bn4IiD>(J!S^;`O(YpA%*qA(HUXkBWir~KjLUf}>DRHywp&ekxS~Eo7ytkO 
diff --git a/secrets-aws/staging.yaml b/secrets-aws/staging.yaml index 7b78547864c519041792c016a52c639b4e980caf..6e55d413e0986ef3f61cdc314c02abbe575b70d5 100644 GIT binary patch literal 1482 zcmV;*1vUBrM@dveQdv+`01_5SwP<77KM^pT*+n+a(0;~jgLwmBhEvKPgd~sQYxfjP zha(H|YMqI2$|dWQ|A7_nIf5Nv3Ya`ZKuL1(Y?j9C%PXS zS4we%LiJNki&UaP$*=_N|7`slenK`=Smr8E;E|=3I2$#1WpqNXLX5l5ZQPl{!o#j@ z@xP+cb9fQJ>yXo&G{CPRs99BgCjo;VZ`Vle^{eaTlO5{{iCV)agY%K&&(l7-IeFKZ z{Xp&pDpb)(aZdw_)rl^pqXv(*u+js?YU|wGmJIg-ko?W-|3F`5=mnEPr`fJw$11eA znTG7f223J9%S2xO^HX;0anMsO295(uH>@zo-%UO*EnNRF%(<<_hirrQ8)NwM$;(SI1Epgc?jop(yOe5H#}d~M3d1aRYpYortmlU8fdVeB=D|Nw z;|)XlXm%F^@p#{Rp%sIG+GVu*79TGvF7BiKSwLp|9BP>YZFBT6oyu5uE5QJC!wX7` z_*Qu38j)w?F0Yija`<41*$3>eStL>LK04sO%W_uZ`Z+~^gKRXKw!E({nkuFxnv{5; zbNXYdu!d+%$q=ZupJ?MOds7n0*v5QCn{)!MMZtLY>=%2qI*=ZHp`<=}wF_}h1cRjw zvoQeYT>novISY?XIDYJO<6)snzZQ5^>pVA4#HNS*{{|K?_n?Y7SW8S9GtB6rB~|BB zV&Qzl6B4#{t&s1igdWF+Ewcri@Ty5X7(-f7?UZfrY#Qnzfbm9+iwuutV`l5xYJ4~G z*f>r#;cKf}Y=~6{2IhMqwplJ(Ez=K0aH@mzcat{PYgSbD2xw9aV%%nJsU4J#E!`${ z6OzQGa(q9Es6c$R+bdWO6fHz!gU)#)Aq=Uh-n?SMLE-9-ZjYY?7Bz*}gwnE3@=#`w zDd3Q~uutkM9Wm3LcFjr0y*m*PlaD-_ej+R&pfg!12p5^rb4QzXEr^SZxxt*|5qTNW z&_W4Fb~Ta$=S>_&&t6|Xm+#``@4A}y^y@JQ{af$(+mRf={WFR~hs ztTit9#+AYM6EEhlPisdST1%eyBFOj>7g)QgS)_?F8yt-d>cy90e9h({KZH0IhVn~8 zTOQJj6Y)ENTf68w<1fa!2>dBCs<%aH1=3JTS15D$%AhhBUwpM|^h+kvKdCSPuo2RO zKc)K{Fn0QYCWua?sQ=DDS(aH2M-|L-6bOCbddXd#pvox6WHc1O9Mi7>`m-hvWid7i za+Q#G(w$LMX?j|}?eIoy=FZ;W!?=)rB}u|2e0dnR)INVuUZ!t`>qhmJ24GRUjR+ai z!g}$Q&mkA-60X!+_Zb7+sZ7Y8U}Iee=0+jh;QRgeJ1! 
zHm`qLqW;kp&_}@SdbXFN!pN!F-_m>dB~WT3NhEl|@pjj)^xCM} z>``DOW+56IRvC-<7M1HVMF#h#UlKSIB)+%QPh&OUj{8zOf-=z~6hfGnU*#xsvq=?= zyEXH%JmY!&*@bEEV)oUkq;K*%!=+(&PeDajY%Tm`>N2-hFoJwSk9aAdi!m0b$mI8| zNs7B4rh<>qM`B>N0a#izy~4~nyc_;h6C1_5`n?iJMvCqPAb-Rb}Ag;i4JweuRHMjvF;14&C z{}<=?_`)f{!8p0K9{drk%jSVxTyU*EeW|YOYOOaBv!Py1RFW8)!2nNMTJk|&~uY`9~q4}h~GeUJ_Umr_N z2<0wdn?-iarAGDPizv)CYOUG1L)bPEef zoH5=7rT(UeE<~`#Us2Y1#X=RN1@4k{vPoTxcET+-{w{qZfP5(j4$$oo%M!0M7aj;& zLfW%#eppHJkXPv7ow!-P{KUXtmHSw8gW}+uH9AOsYoOJ99q$;Jot&6P)sVHGW3Lka zL8t60jNI6~=%Te!Ba`f;%uv24izbP~#n>%V2Bq8KN4lIRWoA!MG~V*RaV~&4-L~>p ze4}01xz{|H9OF2#CSuvv{WYU2WV(YN0>X}cO`5Cj~ z4t}_Q%6krRxOx`uo^?4otqKQ>U<4N>5}4G?>$A$+f+W*1@asAo7}=A7)b#+P*AA-7 z?;%x@;w7St41p$B(g_SArL9ky`5k9s%j%6MvWPLb0Sv=5^)t7vuLv_Ph+ z+POv^3>+jX)CM}W)*Bge1z=;rtY)6bw#%C==3i~FFeK=Db$74I=62aV5L8?B*&6`2 ziUeE!yLq(yOWDndAUIg3d;BKQqKryq%)5j&t~l{=^3DfbU@(FDof;$9Vi`)O zDXN_`ep^2$9YKw2KL(;FYfcg87|jh2AG@ZSX(p+|TWRy%eyxKbQ$Nd^7X0kL?tkH1 z5V9*CO8poCv6>LYM5W7AqT-H{t&2uYW`xgF-L)Akb>``h@erZGL!LP)EH^-VAa`6=IZw^D_pNELbmSRj}eCa0I zJ%IFJ1-6_Y6fA1EYd;em^92XBlWp5?Z)2JqO2Ac0!pxx|G=PH^i=)%-1(g%lF4&cX zUba0zwWB4lJ&U~2y!^BrI0rlE&c&W`QwR$aUiD Date: Thu, 4 Feb 2021 11:21:50 -0800 Subject: [PATCH 3/6] comment all auth --- deploy-aws/staging.yaml | 44 ++++++++++++++++---------------- pangeo-binder/requirements.yaml | 1 + secrets-aws/staging.yaml | Bin 1482 -> 1487 bytes 3 files changed, 23 insertions(+), 22 deletions(-) diff --git a/deploy-aws/staging.yaml b/deploy-aws/staging.yaml index 0211507..2681001 100644 --- a/deploy-aws/staging.yaml +++ b/deploy-aws/staging.yaml @@ -75,8 +75,8 @@ binderhub: singleuser: serviceAccountName: pangeo # to make notebook servers aware of hub - cmd: jupyterhub-singleuser - defaultUrl: "/lab" + #cmd: jupyterhub-singleuser + #defaultUrl: "/lab" extraEnv: DASK_GATEWAY__ADDRESS: "https://hub.staging.aws-uswest2-binder.pangeo.io/services/dask-gateway/" DASK_GATEWAY__PROXY_ADDRESS: "gateway://traefik-staging-dask-gateway.staging:80" 
@@ -92,8 +92,7 @@ binderhub: # OAUTH2_TOKEN_URL: "https://pangeo.auth0.com/oauth/token" # OAUTH_CALLBACK_URL: "https://staging.aws-uswest2-binder.pangeo.io/hub/oauth_callback" services: - binder: - #url: http://194.95.75.9:30083 # base worker + #binder: #oauth_no_confirm: true #oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback" #oauth_client_id: "auth0" @@ -129,6 +128,7 @@ binderhub: mountPath: /usr/local/share/jupyterhub/static/extra-assets subPath: extra-assets extraConfig: + # NOTE: this doesn't show up on initial binder landing page 00-template-config: | c.JupyterHub.template_paths = ['/usr/local/share/jupyterhub/custom-templates/'] c.JupyterHub.template_vars = { @@ -137,22 +137,22 @@ binderhub: 'pangeo_welcome': """Welcome to Pangeo BinderHub, a platform for distributed computing to support Earth Science research. This is a prototype and should be treated accordingly. We make no promises that the service will remain active. Do not store passwords or sensitive data. To provide feedback and report any technical problems, please use the github issue tracker. Maintained by the Pangeo project and supported by NASA Grant #17-ACCESS17-0003 and cloud credits from Amazon.

Access is currently open to any GitHub user. Register by clicking on the sign in button below:

""", 'announcement_login': 'This BinderHub now uses Dask Gateway 0.9 Read more' } - auth: + #auth: # Auth0 Login - # type: custom - # custom: - # className: oauthenticator.generic.GenericOAuthenticator - # config: - # login_service: "Pangeo Login" - # token_url: https://pangeo.auth0.com/oauth/token - # userdata_url: https://pangeo.auth0.com/oauth/userinfo - # userdata_method: GET - # username_key: nickname - # scope: - # - openid - # - profile - # - email - admin: - access: true - users: - - scottyhq + #type: custom + #custom: + # className: oauthenticator.generic.GenericOAuthenticator + # config: + # login_service: "Pangeo Login" + # token_url: https://pangeo.auth0.com/oauth/token + # userdata_url: https://pangeo.auth0.com/oauth/userinfo + # userdata_method: GET + # username_key: nickname + # scope: + # - openid + # - profile + # - email + # admin: + # access: true + # users: + # - scottyhq diff --git a/pangeo-binder/requirements.yaml b/pangeo-binder/requirements.yaml index f191567..548b0ed 100644 --- a/pangeo-binder/requirements.yaml +++ b/pangeo-binder/requirements.yaml @@ -1,4 +1,5 @@ # requirements.yaml +# https://github.com/jupyterhub/mybinder.org-deploy/blob/a15bac97e26b8a085255e06b3c765b9fb2e982fd/mybinder/Chart.yaml dependencies: - name: binderhub version: 0.2.0-n219.hbc17443 
diff --git a/secrets-aws/staging.yaml b/secrets-aws/staging.yaml index 6e55d413e0986ef3f61cdc314c02abbe575b70d5..bc544eef5309f228a128c98ebc1ff8a84fbff2fa 100644 GIT binary patch literal 1487 zcmV;=1u*&mM@dveQdv+`03UHK6Xb;q`=avL+ zm%?F-)yA=GB6nT+)z!S;IRHyjy4lR}hNX-ifouO+<{k;_~4=ERr-1>T4+NJ&lC;2JL*+;r~8E zH=ps8Dd4Vj^AZHope!;rTjoKH4IKo3AM~*&y$sT1V5U=HW8r6=1CHv4{*fyE*WJo1 z-5y-mBvGuF74GYc`8{2cvF{P!*kncF--K?l-=adIS8+h$7}=4E!}>|g7g*;ApR!`}<7@3tL6euiu_XbT(O8V#;Z10GnmISvGjD z9eJHEhhSib10Jz+n`If-CeWOiE$cM%Fo6LcBN!hg(gWvGm;a@0=g2Y4Z^OxxD^kDAl zb`8?lVymC3*ig4NM17WvVOI{B{AXfjX+k>;pdA4d#+e*2$8Tf=W^ zJ(mc4#Xc@&%cYX&kL1a*#|>xi`16~s1})Mw2J6xfgBw&op2St;2dl&D20@cU0Ud(9 zWoU+SB~aimB=r}>T7|@yeZK&MO*3Oz-_}knsM58MV0CS_g4@0OY_Q}P-b99o@jW@m z0>oQ}Ygq(Ql?AS?ERZ~xm8nW;8H*4#;MkPQ>V(02k+G4Jx0=%GR*a{Yg6Q``d}u+k z<1THl9q+V3Zm*`^K^#?VgZxE^ir>jO)F?qvT`6hmM%@7=% z2X~Qm;SFg8KVf}%%J%yBY#q!~VakCJyFK&!k(4--7uq5UdG zpf0WpAtj#MKKaHGyC0CKvrAie-@e{Nh~)!V?w z6ys|O%ooi2!HkDt(!o!*@wPd{$yRQ0@U2`(SX`j5>MdnGlZ49@c~+>r_EKxeS1dJJ#54-83KbHa@>n;EQ literal 1482 zcmV;*1vUBrM@dveQdv+`01_5SwP<77KM^pT*+n+a(0;~jgLwmBhEvKPgd~sQYxfjP zha(H|YMqI2$|dWQ|A7_nIf5Nv3Ya`ZKuL1(Y?j9C%PXS zS4we%LiJNki&UaP$*=_N|7`slenK`=Smr8E;E|=3I2$#1WpqNXLX5l5ZQPl{!o#j@ z@xP+cb9fQJ>yXo&G{CPRs99BgCjo;VZ`Vle^{eaTlO5{{iCV)agY%K&&(l7-IeFKZ z{Xp&pDpb)(aZdw_)rl^pqXv(*u+js?YU|wGmJIg-ko?W-|3F`5=mnEPr`fJw$11eA znTG7f223J9%S2xO^HX;0anMsO295(uH>@zo-%UO*EnNRF%(<<_hirrQ8)NwM$;(SI1Epgc?jop(yOe5H#}d~M3d1aRYpYortmlU8fdVeB=D|Nw z;|)XlXm%F^@p#{Rp%sIG+GVu*79TGvF7BiKSwLp|9BP>YZFBT6oyu5uE5QJC!wX7` z_*Qu38j)w?F0Yija`<41*$3>eStL>LK04sO%W_uZ`Z+~^gKRXKw!E({nkuFxnv{5; zbNXYdu!d+%$q=ZupJ?MOds7n0*v5QCn{)!MMZtLY>=%2qI*=ZHp`<=}wF_}h1cRjw zvoQeYT>novISY?XIDYJO<6)snzZQ5^>pVA4#HNS*{{|K?_n?Y7SW8S9GtB6rB~|BB zV&Qzl6B4#{t&s1igdWF+Ewcri@Ty5X7(-f7?UZfrY#Qnzfbm9+iwuutV`l5xYJ4~G z*f>r#;cKf}Y=~6{2IhMqwplJ(Ez=K0aH@mzcat{PYgSbD2xw9aV%%nJsU4J#E!`${ z6OzQGa(q9Es6c$R+bdWO6fHz!gU)#)Aq=Uh-n?SMLE-9-ZjYY?7Bz*}gwnE3@=#`w zDd3Q~uutkM9Wm3LcFjr0y*m*PlaD-_ej+R&pfg!12p5^rb4QzXEr^SZxxt*|5qTNW 
z&_W4Fb~Ta$=S>_&&t6|Xm+#``@4A}y^y@JQ{af$(+mRf={WFR~hs ztTit9#+AYM6EEhlPisdST1%eyBFOj>7g)QgS)_?F8yt-d>cy90e9h({KZH0IhVn~8 zTOQJj6Y)ENTf68w<1fa!2>dBCs<%aH1=3JTS15D$%AhhBUwpM|^h+kvKdCSPuo2RO zKc)K{Fn0QYCWua?sQ=DDS(aH2M-|L-6bOCbddXd#pvox6WHc1O9Mi7>`m-hvWid7i za+Q#G(w$LMX?j|}?eIoy=FZ;W!?=)rB}u|2e0dnR)INVuUZ!t`>qhmJ24GRUjR+ai z!g}$Q&mkA-60X!+_Zb7+sZ7Y8U}Iee=0+jh;QRgeJ1! zHm`qLqW;k Date: Thu, 4 Feb 2021 11:39:47 -0800 Subject: [PATCH 4/6] fully functional staging binder with auth --- deploy-aws/staging.yaml | 60 +++++++++++++++++++-------------------- secrets-aws/staging.yaml | Bin 1487 -> 1482 bytes 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/deploy-aws/staging.yaml b/deploy-aws/staging.yaml index 2681001..d5ae085 100644 --- a/deploy-aws/staging.yaml +++ b/deploy-aws/staging.yaml @@ -9,7 +9,7 @@ binderhub: badge_base_url: https://staging.aws-uswest2-binder.pangeo.io image_prefix: pangeoaccess/binder-staging- use_registry: true - #auth_enabled: true + auth_enabled: true nodeSelector: hub.jupyter.org/node-purpose: core resources: @@ -39,8 +39,8 @@ binderhub: hostSocketDir: /var/run/dind/stage jupyterhub: - #custom: - # binderauth_enabled: true + custom: + binderauth_enabled: true proxy: nodeSelector: hub.jupyter.org/node-purpose: core @@ -75,8 +75,8 @@ binderhub: singleuser: serviceAccountName: pangeo # to make notebook servers aware of hub - #cmd: jupyterhub-singleuser - #defaultUrl: "/lab" + cmd: jupyterhub-singleuser + defaultUrl: "/lab" extraEnv: DASK_GATEWAY__ADDRESS: "https://hub.staging.aws-uswest2-binder.pangeo.io/services/dask-gateway/" DASK_GATEWAY__PROXY_ADDRESS: "gateway://traefik-staging-dask-gateway.staging:80" 
@@ -87,15 +87,15 @@ binderhub:
 requests:
 cpu: 50m
 memory: 100Mi
- #extraEnv:
- # OAUTH2_AUTHORIZE_URL: "https://pangeo.auth0.com/authorize"
- # OAUTH2_TOKEN_URL: "https://pangeo.auth0.com/oauth/token"
+ extraEnv:
+ OAUTH2_AUTHORIZE_URL: "https://pangeo.auth0.com/authorize"
+ OAUTH2_TOKEN_URL: "https://pangeo.auth0.com/oauth/token"
 # OAUTH_CALLBACK_URL: "https://staging.aws-uswest2-binder.pangeo.io/hub/oauth_callback"
 services:
- #binder:
- #oauth_no_confirm: true
- #oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback"
- #oauth_client_id: "auth0"
+ binder:
+ oauth_no_confirm: true
+ oauth_redirect_uri: "https://staging.aws-uswest2-binder.pangeo.io/oauth_callback"
+ oauth_client_id: "auth0"
 dask-gateway:
 # This makes the gateway available at ${HUB_URL}/services/dask-gateway
 url: http://traefik-staging-dask-gateway.staging
@@ -137,22 +137,22 @@ binderhub:
 'pangeo_welcome': """Welcome to Pangeo BinderHub, a platform for distributed computing to support Earth Science research. This is a prototype and should be treated accordingly. We make no promises that the service will remain active. Do not store passwords or sensitive data. To provide feedback and report any technical problems, please use the github issue tracker. Maintained by the Pangeo project and supported by NASA Grant #17-ACCESS17-0003 and cloud credits from Amazon.
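Review bot: The Auth0 endpoints are now split between `hub.extraEnv` (`OAUTH2_AUTHORIZE_URL`, `OAUTH2_TOKEN_URL`) in this hunk and `auth.custom.config.token_url` in the next one, so the token URL is declared twice and the authorize URL lives apart from the rest of the authenticator config; moving both into `auth.custom.config` (`authorize_url: https://pangeo.auth0.com/authorize`, `token_url: https://pangeo.auth0.com/oauth/token`) and dropping the env vars keeps a future tenant change from leaving the two halves disagreeing. `oauth_client_id: "auth0"` on the `binder` service is, as far as I can tell, the JupyterHub-internal OAuth client that BinderHub uses to talk to the hub rather than the Auth0 application; a comment such as `# JupyterHub-internal OAuth client for BinderHub (not the Auth0 app); its secret presumably lives in secrets-aws/staging.yaml` would stop the two being confused. `oauth_no_confirm: true` skips the hub's consent page, which is reasonable for a first-party service but deserves a one-line comment saying that is deliberate. The enclosing `hub:` mapping starts before this hunk.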

Access is currently open to any GitHub user. Register by clicking on the sign in button below:

""", 'announcement_login': 'This BinderHub now uses Dask Gateway 0.9 Read more' } - #auth: + auth: # Auth0 Login - #type: custom - #custom: - # className: oauthenticator.generic.GenericOAuthenticator - # config: - # login_service: "Pangeo Login" - # token_url: https://pangeo.auth0.com/oauth/token - # userdata_url: https://pangeo.auth0.com/oauth/userinfo - # userdata_method: GET - # username_key: nickname - # scope: - # - openid - # - profile - # - email - # admin: - # access: true - # users: - # - scottyhq + type: custom + custom: + className: oauthenticator.generic.GenericOAuthenticator + config: + login_service: "Pangeo Login" + token_url: https://pangeo.auth0.com/oauth/token + userdata_url: https://pangeo.auth0.com/oauth/userinfo + userdata_method: GET + username_key: nickname + scope: + - openid + - profile + - email + admin: + access: true + users: + - scottyhq 
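Review bot: `admin.users: [scottyhq]` together with `username_key: nickname` ties admin rights to the Auth0 `nickname` claim, and `admin.access: true` additionally lets that admin open other users' running servers. `nickname` is only as trustworthy as the Auth0 connections behind it: for the GitHub connection it should be the GitHub login, but for database or other social connections it is user-settable and not guaranteed unique, so a second identity whose nickname is `scottyhq` would inherit admin on first login — please confirm the tenant has only the GitHub connection enabled, or key usernames on a stable claim such as `sub`. Unless admins genuinely need to enter other users' notebooks, `access: false` is the least-privilege setting. There is no allow-list here, which matches the "open to any GitHub user" welcome text above but means Auth0 is authenticating rather than authorizing; a comment like `# no allowed_users: any authenticated GitHub identity may log in (intentional)` would make that explicit for the next reader. This hunk sits inside `binderhub.jupyterhub`, which starts before it.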
diff --git a/secrets-aws/staging.yaml b/secrets-aws/staging.yaml index bc544eef5309f228a128c98ebc1ff8a84fbff2fa..34a5d5569c2772533ae4edd069fc3b19e77b953d 100644 GIT binary patch literal 1482 zcmV;*1vUBrM@dveQdv+`0Fv&jx_BE(5(Oj2O+sHMJlc)E)IfAtwjkjK^6!H2#|b_M z!PnFvhU7~P{__b%i;{>|SXI}Gl~Ck|W9H7L1@6%(?{C@0ce6#KlEo^4LY^dkvR=ex z!#We{h*{t@PL-N*k-r~F>3*paG=;+#8rUN$vsV2@=|h7WTDH1mx{ZSloBKu>c))mQ~J)ZX=-B8R+QnEo)>k4AtDENoG16icbsnrHbgvU1$u}B{6?} z>%hPvxZ~1S7RHp*4_BtC;FOYbT8-@aJ@F6*{@W`t@RqPvksb?nfM*(=xZxWe+vG;= zz#;yu>PdZ-a6nQcIQq?VQG+kQ^TphWSAXj|A9GI}v+*`iqxT0IWq4@ZkL_7@5hBrm zScax^?Sz_@@3a!P5XbG-_u*rdu^x%!t2P_(-jjJr+e!!=;73~_R80=Y_t3O4rbNZG zQ5rjG+9qnvSX}7l#PB^cW^zPnW)BJ>;@7dK))>!^#df>wOJK`kuUiHHN|RP@`^L*` z3otQMEqZ<3O1DrY@5OGwN=NYTIq>JJ*|6Yuk<8k}6^fFejL_zXKNf*dXI`n4}uHo0Y{2 zfYgZG99`@DGzbRQ68O;lf=~OH1Gl;X<9jDsiF^k<- z8d=N8uBnj}rK>R3$-JjEFpekV8ZGv|NT{+)c|j0$5dcG5xWgm-4MQtnutEBR3{W}+E|eQ4i>7%!z{N&dxf3@4U6^k zS3PoG;#=CVGwNBsG&@~BB63o$LvzG;u}ZlmM+pzbg+hq$ja^s$++xzXkWygW0B?K_ zbao@N-avoOj33vsKJ65fzSBUYH7d0@RfCL$CYil-m^XJ!8H@KFffFyT(fbq7fSJ9H zsZcXG{A2eFt^A$FN++1H)CX-gP$4xCXs2xet!))<5!gWE#NGbPv(QacEdM{XL%fdS z$D=@J3+fblv#(I(?}$udY}wy_9ydhcNLJ@{1J@+4kzg!|X3z|jMjys<|lwlgvy7;}U0`Q+wpfCSWeD4Vabgi(TmRMJ5za3)dT#1xsrI z$aoRuu+qX6d%nfRW`C3Iw`hg+&P`cTYrTIdT_|YFrIU6UNG{ zBSB=9ZYw@^xDk04Lh49C%W(-l?8J&Y75cyw5DO)V)gMrTLl&S!6h~eDYUV>u=tpk0 zenGZB>1r%{QRKw-pdCe=XaQZ5FS&Z>%(UomM7Kd_g@lnZy9UZKle#sTAWs2>Ss?WY z5;2z(bE)&RX3y{kX0Bj<_B%Uyn<7QL#z+f=8nkdNVPt|dV}_X58MWU7v?7(>qi+a3 z1VyBYTYv1TzdV`SuY+j|?Q2*TznSc6bi@lsGOI%{e?maRpGgdHDPnNx>n`h303gV! 
kTy{JviKq`=avL+ zm%?F-)yA=GB6nT+)z!S;IRHyjy4lR}hNX-ifouO+<{k;_~4=ERr-1>T4+NJ&lC;2JL*+;r~8E zH=ps8Dd4Vj^AZHope!;rTjoKH4IKo3AM~*&y$sT1V5U=HW8r6=1CHv4{*fyE*WJo1 z-5y-mBvGuF74GYc`8{2cvF{P!*kncF--K?l-=adIS8+h$7}=4E!}>|g7g*;ApR!`}<7@3tL6euiu_XbT(O8V#;Z10GnmISvGjD z9eJHEhhSib10Jz+n`If-CeWOiE$cM%Fo6LcBN!hg(gWvGm;a@0=g2Y4Z^OxxD^kDAl zb`8?lVymC3*ig4NM17WvVOI{B{AXfjX+k>;pdA4d#+e*2$8Tf=W^ zJ(mc4#Xc@&%cYX&kL1a*#|>xi`16~s1})Mw2J6xfgBw&op2St;2dl&D20@cU0Ud(9 zWoU+SB~aimB=r}>T7|@yeZK&MO*3Oz-_}knsM58MV0CS_g4@0OY_Q}P-b99o@jW@m z0>oQ}Ygq(Ql?AS?ERZ~xm8nW;8H*4#;MkPQ>V(02k+G4Jx0=%GR*a{Yg6Q``d}u+k z<1THl9q+V3Zm*`^K^#?VgZxE^ir>jO)F?qvT`6hmM%@7=% z2X~Qm;SFg8KVf}%%J%yBY#q!~VakCJyFK&!k(4--7uq5UdG zpf0WpAtj#MKKaHGyC0CKvrAie-@e{Nh~)!V?w z6ys|O%ooi2!HkDt(!o!*@wPd{$yRQ0@U2`(SX`j5>MdnGlZ49@c~+>r_EKxeS1dJJ#54-83KbHa@>n;EQ From 64e9acb63f6525f22268be566f8a3cba7bbcd2c4 Mon Sep 17 00:00:00 2001 From: Scott Henderson Date: Thu, 4 Feb 2021 12:03:16 -0800 Subject: [PATCH 5/6] confirmed functional prod with auth --- deploy-aws/prod.yaml | 71 ++++++++++++++++++++++++++++++++++++++++++ secrets-aws/prod.yaml | Bin 1247 -> 1442 bytes 2 files changed, 71 insertions(+) diff --git a/deploy-aws/prod.yaml b/deploy-aws/prod.yaml index 1f88656..0d7a85f 100644 --- a/deploy-aws/prod.yaml +++ b/deploy-aws/prod.yaml @@ -9,6 +9,7 @@ binderhub: badge_base_url: https://aws-uswest2-binder.pangeo.io image_prefix: pangeoaccess/binder- use_registry: true + auth_enabled: true nodeSelector: hub.jupyter.org/node-purpose: core resources: @@ -38,6 +39,8 @@ binderhub: hostSocketDir: /var/run/dind/prod jupyterhub: + custom: + binderauth_enabled: true proxy: nodeSelector: hub.jupyter.org/node-purpose: core 
@@ -60,11 +63,15 @@ binderhub:
 singleuser:
 serviceAccountName: pangeo
+ # to make notebook servers aware of hub
+ cmd: jupyterhub-singleuser
+ defaultUrl: "/lab"
 extraEnv:
 DASK_GATEWAY__ADDRESS: "https://hub.aws-uswest2-binder.pangeo.io/services/dask-gateway/"
 DASK_GATEWAY__PROXY_ADDRESS: "gateway://traefik-prod-dask-gateway.prod:80"
 hub:
+ #redirectToServer: false
 resources:
 requests:
 cpu: 200m
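Review bot: `#redirectToServer: false` is added under `hub:` as a commented-out line with no indication of whether prod is meant to keep the chart default; if the staging values set it explicitly (I believe they do, but cannot see them from here), prod should either match for parity or replace the dead line with a comment stating why it differs, e.g. `# redirectToServer left at default on purpose: <reason>`. As I read the z2jh option, leaving it at the default sends a freshly logged-in user to their own server rather than back to the BinderHub landing page, so the login flow would differ between environments — worth verifying before this is called confirmed-functional. Both the `singleuser:` and `hub:` mappings continue outside this hunk.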
@@ -72,7 +79,71 @@ binderhub:
 limits:
 cpu: 1250m
 memory: 3Gi
+ extraEnv:
+ OAUTH2_AUTHORIZE_URL: "https://pangeo.auth0.com/authorize"
+ OAUTH2_TOKEN_URL: "https://pangeo.auth0.com/oauth/token"
 services:
+ binder:
+ oauth_no_confirm: true
+ oauth_redirect_uri: "https://aws-uswest2-binder.pangeo.io/oauth_callback"
+ oauth_client_id: "auth0"
 dask-gateway:
 # This makes the gateway available at ${HUB_URL}/services/dask-gateway
 url: http://traefik-prod-dask-gateway.prod
+ # clone custom JupyterHub templates into a volume
+ initContainers:
+ - name: git-clone-templates
+ image: alpine/git
+ args:
+ - clone
+ - --single-branch
+ - --branch=master
+ - --depth=1
+ - --
+ - https://github.com/pangeo-data/pangeo-custom-jupyterhub-templates.git
+ - /mnt/template-repo
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: custom-templates
+ mountPath: /mnt/template-repo
+ extraVolumes:
+ - name: custom-templates
+ emptyDir: {}
+ extraVolumeMounts:
+ # Note: subPath is relative to repo root dir
+ - name: custom-templates
+ mountPath: /usr/local/share/jupyterhub/custom-templates
+ subPath: templates
+ - name: custom-templates
+ mountPath: /usr/local/share/jupyterhub/static/extra-assets
+ subPath: extra-assets
+ extraConfig:
+ # NOTE: this doesn't show up on initial binder landing page
+ 00-template-config: |
+ c.JupyterHub.template_paths = ['/usr/local/share/jupyterhub/custom-templates/']
+ c.JupyterHub.template_vars = {
+ 'pangeo_hub_title': 'Pangeo BinderHub',
+ 'pangeo_hub_subtitle': 'AWS us-west-2',
+ 'pangeo_welcome': """Welcome to Pangeo BinderHub, a platform for distributed computing to support Earth Science research. This is a prototype and should be treated accordingly. We make no promises that the service will remain active. Do not store passwords or sensitive data. To provide feedback and report any technical problems, please use the github issue tracker. Maintained by the Pangeo project and supported by NASA Grant #17-ACCESS17-0003 and cloud credits from Amazon.

Access is currently open to any GitHub user. Register by clicking on the sign in button below:

""", + 'announcement_login': 'This BinderHub now uses Dask Gateway 0.9 Read more' + } + auth: + # Auth0 Login + type: custom + custom: + className: oauthenticator.generic.GenericOAuthenticator + config: + login_service: "Pangeo Login" + token_url: https://pangeo.auth0.com/oauth/token + userdata_url: https://pangeo.auth0.com/oauth/userinfo + userdata_method: GET + username_key: nickname + scope: + - openid + - profile + - email + admin: + access: true + users: + - scottyhq 
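Review bot: The `git-clone-templates` init container pulls `--branch=master` of `pangeo-custom-jupyterhub-templates` through an untagged `alpine/git` image on every hub start, and the result is mounted as the hub's page templates and `static/extra-assets`, i.e. the HTML and JavaScript served on the production login page to every user. Anyone with push access to that branch (or a compromised `alpine/git:latest`) can therefore change what the prod hub serves without any change to this repository; pin the clone to a release tag or commit (`- --branch=<tag>` accepts tags, or add a `git checkout <sha>` step) and pin `image: alpine/git:<version>`, then bump them deliberately. `runAsUser: 0` on the init container appears to exist only so the clone can write into the root-owned `emptyDir`; a pod-level `fsGroup` would let the clone run unprivileged — verify against the chart's `hub.podSecurityContext` options. The same concerns as in staging apply to `admin.users` keyed on `username_key: nickname` and to `admin.access: true` granting entry into other users' servers. The `hub:` mapping starts before this hunk.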
diff --git a/secrets-aws/prod.yaml b/secrets-aws/prod.yaml index 23e55be1ae99284f30d0a46b8e9164ecc5ef1038..d5929421d3865d3096d9b2466b96b1c48b0aa98a 100644 GIT binary patch literal 1442 zcmV;T1zq|8M@dveQdv+`0DB|Wyn_BlwBBx1OQO`0b~4-|g@ytCg%Og|s~{FB${*%5 zJqb(2eLw+xUQ(X#mj>{zuTkn}F;kj(M6+$ZFfFUIf(hH4Me=e_@K->c|0_1USbLriyH1g=UD#9JF_Z(P_g*2L z>)M*Hknb7p@TZ?eb|X%XE5>5njO!PJUQkt7HC@`)aca^6Ipz@Kyhcl^zJ>0;V^;yujQ8lHpWoD$!u>@d)+3Vij**OYchjm=a2=~{4i6ao_J z;RJ>GlL_3BSgCe3O~yBvej0&PB`*srN3s3{7Bw{g*{*<|$(f5(SK7k*juiOKA|KDy z|CX|%kg?WBnO}KHa}J65qGS126Ww9hP*L&Og8Xk4v6x&+O3s=U+_7tLD+(Wr*0UMX zbx!}E1si%7^q18VmC);f*1OB?`NALGvpfsvmGVbE0m|BLu~q!>FL~?6!ngO ziM7%bz{PiQvJC?MH@cJ|Q4x-=oL^1s=v_~>^%*X-5-u(G%G1>)J!p7UPNyQ3?UfT$ zWuk+uBoZO~8s&q3@w6c}sGLuo9o0N&O8C>Yva)jLpU=p1;3X=8hqAlH_S2G>hq2>^ zD0Y$nh?MJUeCLRYLP$Z9%|y@I6G_FI0*bwM_Yks8HkaJ0AGkJ zi+Du@xDl?wkx)f`pGD1kC_k*C9BBE6lt`rY3Fc&wCG@($Nv(k@CGAUVuy9ar8B_fb zNAPahI4lF8aTH-~1R%)|a_3P_shJ|^E{1nX1jo)C)D1;pla*7 z)MMy{7j943V*4`&T%uKm*+_9i_qQ)e)&`wQ-}kDCX@Z`=le-bXI!om3YPd1YS^t&TFYHM*GeQnbaY2}mOBe0cr`@4Gbm6xP- zCgcFiuAI2i{g#u(k{OvO28hu0lzcr^yZGjJhnSc!n3}(P6Vs}f{${wrlu>&5TONnt z4lM?@=Hr1IUn%llg}|Ji@w+V%AUvGk%V$aJWSH zJggd4O>%I|wJovaG)ZL&xxYk}#aijM#WW}_F7V*0d2n=Y$Or2S##$=cJh3CWw0OrU z6zZt-8^%Y%m5!^RA9uBpYIYN>m^A+?YEPLgT`o*}Vl?`U-=BU33%X4=-QQ3>0o76Z zG9&bE;a<$z1&E#Vchk&tOLiM@Sui0E;#h6NlsK3_?9cK8`N-{+-8G$wl`pQ~=QdG> zQFQ580kHIhi*FRDWxz?DY<>th71f{mqr;LBMO2)6Q*gXuqx=NI-ok;R@byD9g9ggc6G%14?Mz&Z{bm3YbmyA=(=6jp_o zM%9IG<+LCp2$Sd9;JTK8yQ<8+-h{Gi+UJKm#98~I_;SYZ%71VB!j&2j=e!f74+8+g zEX_29>2m(X!|tW_WKT8A^`@bamdE z4NEb(Kh}htGD_8HQQT_AUIYh)?orH)aU=Zy2}B*SX`cv4QQxmQ%oNm|3 zh)WJw>On{wm34t)ZZRp8NL{}0w_v zX0{hlpDc?jymy0?|6kHSp%Q?_Dk{QtE!cr$M>FJmCu>jLi{VUeSA*Qzd^lnF6&kF= zfNBKbMvXIYSy%L2hpBFcCld)Bbm+F=R;4Dg$%zXkzfIH!S8xC(8EDT9ISxHs{W` z>*Px~rZO|#>R~DK>qK*MRpv1Ar+k9tX2G-8glvm>x)h&*3wqH2opvogo@$MlDv#wB zRvJ!CofMl5x&{DMR}Ut%j99u5?`ovWM(|mW=G&Rq zWD2_U(dw{JVa|J*X%W*EgrcB(2NTuS#T51mWKw}~u-7Ls_2Dmptlk?%U5E50HMbuQ 
zVA^7~5`wei4Jlx0uK@M~L?VGv1`+hcR~u0&HGn=H+ej&DD*iP5b7#4G~i)gOj!VynWDA*HIN zfYh;0N8rOb^(V>!NT+C5)Y>osE_R##_4&GbMK)^d<&^-rg+ms-5gRH0+px%w?p(PS zOf!KP4J4OX=*Gj6_rmmp0>F$#f=IBSHx_;U>3&2!(u8%a__eCy0B(c$`5Y<{oo#2Z zL-62XJPV%Iue%hg*iQii!Ev@Fyr6quJgmVBXOox&%QE@wjyLE`LAdqLiO`~BohGN> Jl;C+x^Jfp}YgqsQ From b7da8318348abcbc8779ff318a3755bd79de2cc5 Mon Sep 17 00:00:00 2001 From: Scott Henderson Date: Thu, 4 Feb 2021 12:07:36 -0800 Subject: [PATCH 6/6] disable deploys via circleCI for now --- .circleci/config.yml | 106 +++++++++++++++++++++---------------------- 1 file changed, 53 insertions(+), 53 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 8c110d7..a8abf87 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml 
@@ -58,59 +58,59 @@ jobs: sudo mv ./kubectl /usr/local/bin/kubectl kubectl version --client - - run: - name: Authenticate to Google k8s cluster - when: always - command: | - gcloud auth activate-service-account --key-file ~/repo/secrets/gcloud-service-key.json - gcloud container clusters --zone=us-central1-b --project=pangeo-181919 get-credentials binder - - - run: - name: Deploy Google binderhub - when: always - command: | - helm upgrade --wait --install \ - ${CIRCLE_BRANCH} pangeo-binder \ - --namespace=${CIRCLE_BRANCH} --version=v0.2.0 \ - -f ./deploy/${CIRCLE_BRANCH}.yaml \ - -f ./secrets/${CIRCLE_BRANCH}.yaml \ - -f ./secrets/common.yaml - - # AWS deployment - # -------------- - - run: - name: Authenticate to AWS k8s cluster - when: always - command: | - #unable to get this env var to work for some reason - #AWS_SHARED_CREDENTIALS_FILE=/home/circleci/repo/secrets-aws/aws-config.txt - aws --version - mkdir ~/.aws - mv /home/circleci/repo/secrets-aws/aws-config.txt ~/.aws/credentials - aws configure set default.region us-west-2 - aws eks update-kubeconfig --name pangeo-binder > /dev/null - - run: - name: Add Runner IP to EKS Kubernetes API Whitelist - when: always - command: | - RUNNERIP=`curl --silent https://checkip.amazonaws.com` - aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${AWS_IP_WHITELIST},${RUNNERIP}/32 > /dev/null - sleep 90 - - run: - name: Deploy AWS binderhub - when: always - command: | - helm upgrade --wait --install \ - ${CIRCLE_BRANCH} pangeo-binder \ - --namespace=${CIRCLE_BRANCH} --version=v0.2.0 \ - -f ./deploy-aws/${CIRCLE_BRANCH}.yaml \ - -f ./secrets-aws/${CIRCLE_BRANCH}.yaml - #helm history ${CIRCLE_BRANCH} -n ${CIRCLE_BRANCH} - - run: - name: Revert to Original EKS IP Whitelist - when: always - command: | - aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${AWS_IP_WHITELIST} > /dev/null + # - run: + # name: Authenticate to Google k8s cluster + # 
when: always + # command: | + # gcloud auth activate-service-account --key-file ~/repo/secrets/gcloud-service-key.json + # gcloud container clusters --zone=us-central1-b --project=pangeo-181919 get-credentials binder + # + # - run: + # name: Deploy Google binderhub + # when: always + # command: | + # helm upgrade --wait --install \ + # ${CIRCLE_BRANCH} pangeo-binder \ + # --namespace=${CIRCLE_BRANCH} --version=v0.2.0 \ + # -f ./deploy/${CIRCLE_BRANCH}.yaml \ + # -f ./secrets/${CIRCLE_BRANCH}.yaml \ + # -f ./secrets/common.yaml + # + # # AWS deployment + # # -------------- + # - run: + # name: Authenticate to AWS k8s cluster + # when: always + # command: | + # #unable to get this env var to work for some reason + # #AWS_SHARED_CREDENTIALS_FILE=/home/circleci/repo/secrets-aws/aws-config.txt + # aws --version + # mkdir ~/.aws + # mv /home/circleci/repo/secrets-aws/aws-config.txt ~/.aws/credentials + # aws configure set default.region us-west-2 + # aws eks update-kubeconfig --name pangeo-binder > /dev/null + # - run: + # name: Add Runner IP to EKS Kubernetes API Whitelist + # when: always + # command: | + # RUNNERIP=`curl --silent https://checkip.amazonaws.com` + # aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${AWS_IP_WHITELIST},${RUNNERIP}/32 > /dev/null + # sleep 90 + # - run: + # name: Deploy AWS binderhub + # when: always + # command: | + # helm upgrade --wait --install \ + # ${CIRCLE_BRANCH} pangeo-binder \ + # --namespace=${CIRCLE_BRANCH} --version=v0.2.0 \ + # -f ./deploy-aws/${CIRCLE_BRANCH}.yaml \ + # -f ./secrets-aws/${CIRCLE_BRANCH}.yaml + # #helm history ${CIRCLE_BRANCH} -n ${CIRCLE_BRANCH} + # - run: + # name: Revert to Original EKS IP Whitelist + # when: always + # command: | + # aws eks update-cluster-config --name pangeo-binder --resources-vpc-config publicAccessCidrs=${AWS_IP_WHITELIST} > /dev/null workflows: version: 2