From e36de567e4e33b027bb3ec5842456108f4cd689f Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Tue, 26 Mar 2024 21:39:22 +0100
Subject: [PATCH] linc: add cluster, and deploy support chart and staging hub
---
.../workflows/deploy-grafana-dashboards.yaml | 1 +
.github/workflows/deploy-hubs.yaml | 37 ++---
config/clusters/linc/cluster.yaml | 20 +++
config/clusters/linc/common.values.yaml | 53 +++++++
.../linc/enc-deployer-credentials.secret.json | 25 +++
.../linc/enc-grafana-token.secret.yaml | 15 ++
.../linc/enc-staging.secret.values.yaml | 21 +++
.../linc/enc-support.secret.values.yaml | 22 +++
config/clusters/linc/staging.values.yaml | 16 ++
config/clusters/linc/support.values.yaml | 34 ++++
.../templates/common/support.values.yaml | 2 +-
eksctl/linc.jsonnet | 149 ++++++++++++++++++
eksctl/ssh-keys/linc.key.pub | 1 +
eksctl/ssh-keys/secret/linc.key | 21 +++
terraform/aws/projects/linc.tfvars | 26 +++
15 files changed, 424 insertions(+), 19 deletions(-)
create mode 100644 config/clusters/linc/cluster.yaml
create mode 100644 config/clusters/linc/common.values.yaml
create mode 100644 config/clusters/linc/enc-deployer-credentials.secret.json
create mode 100644 config/clusters/linc/enc-grafana-token.secret.yaml
create mode 100644 config/clusters/linc/enc-staging.secret.values.yaml
create mode 100644 config/clusters/linc/enc-support.secret.values.yaml
create mode 100644 config/clusters/linc/staging.values.yaml
create mode 100644 config/clusters/linc/support.values.yaml
create mode 100644 eksctl/linc.jsonnet
create mode 100644 eksctl/ssh-keys/linc.key.pub
create mode 100644 eksctl/ssh-keys/secret/linc.key
create mode 100644 terraform/aws/projects/linc.tfvars
diff --git a/.github/workflows/deploy-grafana-dashboards.yaml b/.github/workflows/deploy-grafana-dashboards.yaml
index de85e9ce99..5caf0b3ade 100644
--- a/.github/workflows/deploy-grafana-dashboards.yaml
+++ b/.github/workflows/deploy-grafana-dashboards.yaml
@@ -23,6 +23,7 @@ jobs:
 - cluster_name: hhmi
 - cluster_name: jupyter-meets-the-earth
 - cluster_name: leap
+ - cluster_name: linc
 - cluster_name: linked-earth
 - cluster_name: meom-ige
 - cluster_name: nasa-cryo
diff --git a/.github/workflows/deploy-hubs.yaml b/.github/workflows/deploy-hubs.yaml
index 0e55c1ce00..9c356dcf98 100644
--- a/.github/workflows/deploy-hubs.yaml
+++ b/.github/workflows/deploy-hubs.yaml
@@ -180,32 +180,33 @@ jobs: # # If you are adding a new cluster, please remember to list it here! outputs: - failure_2i2c: "${{ env.failure_2i2c }}" + failure_2i2c-aws-us: "${{ env.failure_2i2c-aws-us }}" failure_2i2c-uk: "${{ env.failure_2i2c-uk }}" + failure_2i2c: "${{ env.failure_2i2c }}" + failure_awi-ciroh: "${{ env.failure_awi-ciroh }}" + failure_catalystproject-africa: "${{ env.failure_catalystproject-africa }}" + failure_catalystproject-latam: "${{ env.failure_catalystproject-latam }}" failure_cloudbank: "${{ env.failure_cloudbank }}" + failure_earthscope: "${{ env.failure_earthscope }}" + failure_gridsst: "${{ env.failure_gridsst }}" + failure_hhmi: "${{ env.failure_hhmi }}" + failure_jupyter-meets-the-earth: "${{ env.failure_jupyter-meets-the-earth }}" failure_leap: "${{ env.failure_leap }}" - failure_meom-ige: "${{ env.failure_meom-ige }}" - failure_openscapes: "${{ env.failure_openscapes }}" - failure_pangeo-hubs: "${{ env.failure_pangeo-hubs }}" - failure_utoronto: "${{ env.failure_utoronto }}" + failure_linc: "${{ env.failure_linc }}" failure_linked-earth: "${{ env.failure_linked-earth }}" - failure_awi-ciroh: "${{ env.failure_awi-ciroh }}" + failure_meom-ige: "${{ env.failure_meom-ige }}" failure_nasa-cryo: "${{ env.failure_nasa-cryo }}" - failure_gridsst: "${{ env.failure_gridsst }}" - failure_victor: "${{ env.failure_victor }}" - failure_2i2c-aws-us: "${{ env.failure_2i2c-aws-us }}" - failure_ubc-eoas: "${{ env.failure_ubc-eoas }}" - failure_nasa-veda: "${{ env.failure_nasa-veda }}" + failure_nasa-esdis: "${{ env.failure_nasa-esdis }}" failure_nasa-ghg: "${{ env.failure_nasa-ghg }}" + failure_nasa-veda: "${{ env.failure_nasa-veda }}" + failure_openscapes: "${{ env.failure_openscapes }}" + failure_opensci: "${{ env.failure_opensci }}" + failure_pangeo-hubs: "${{ env.failure_pangeo-hubs }}" failure_qcl: "${{ env.failure_qcl }}" - failure_jupyter-meets-the-earth: "${{ env.failure_jupyter-meets-the-earth }}" failure_smithsonian: "${{ 
env.failure_smithsonian }}" - failure_catalystproject-latam: "${{ env.failure_catalystproject-latam }}" - failure_catalystproject-africa: "${{ env.failure_catalystproject-africa }}" - failure_hhmi: "${{ env.failure_hhmi }}" - failure_nasa-esdis: "${{ env.failure_nasa-esdis }}" - failure_earthscope: "${{ env.failure_earthscope }}" - failure_opensci: "${{ env.failure_opensci }}" + failure_ubc-eoas: "${{ env.failure_ubc-eoas }}" + failure_utoronto: "${{ env.failure_utoronto }}" + failure_victor: "${{ env.failure_victor }}" # Only run this job on pushes to the default branch and when the job output is not # an empty list diff --git a/config/clusters/linc/cluster.yaml b/config/clusters/linc/cluster.yaml new file mode 100644 index 0000000000..539b9289be --- /dev/null +++ b/config/clusters/linc/cluster.yaml @@ -0,0 +1,20 @@ +name: linc +provider: aws # https://2i2c.awsapps.com/start#/ +aws: + key: enc-deployer-credentials.secret.json + clusterType: eks + clusterName: linc + region: us-east-1 +support: + helm_chart_values_files: + - support.values.yaml + - enc-support.secret.values.yaml +hubs: + - name: staging + display_name: MIT Linc Staging + domain: staging.linc.2i2c.cloud + helm_chart: daskhub + helm_chart_values_files: + - common.values.yaml + - staging.values.yaml + - enc-staging.secret.values.yaml diff --git a/config/clusters/linc/common.values.yaml b/config/clusters/linc/common.values.yaml new file mode 100644 index 0000000000..2b43ca6b8e --- /dev/null +++ b/config/clusters/linc/common.values.yaml 
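Review bot: In config/clusters/linc/cluster.yaml, `aws.key: enc-deployer-credentials.secret.json` points the deployer at what looks like a static IAM user key, since the referenced file added in this commit carries `AccessKeyId`, `SecretAccessKey` and `UserName` fields. Nothing next to the reference records who owns that key or when it is rotated. A long-lived key used from CI stays valid until someone revokes it, so I would document it where it is wired in, for example `# sops-encrypted long-lived IAM user key for the deployer; owner and rotation: <owner / rotation policy>` above the `key:` line.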
@@ -0,0 +1,53 @@
+basehub:
+ nfs:
+ enabled: true
+ pv:
+ enabled: true
+ # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+ mountOptions:
+ - rsize=1048576
+ - wsize=1048576
+ - timeo=600
+ - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+ - retrans=2
+ - noresvport
+ serverIP: fs-0276405f3cabae08b.efs.us-east-1.amazonaws.com
+ baseShareName: /
+ jupyterhub:
+ hub:
+ config:
+ JupyterHub:
+ authenticator_class: github
+ GitHubOAuthenticator:
+ populate_teams_in_auth_state: true
+ # allowed_organizations:
+ # - abc:def
+ scope:
+ - read:org
+ Authenticator:
+ enable_auth_state: true
+ # admin_users:
+ # - asdf
+ custom:
+ 2i2c:
+ add_staff_user_ids_to_admin_users: true
+ add_staff_user_ids_of_type: "github"
+ jupyterhubConfigurator:
+ enabled: false
+ homepage:
+ templateVars:
+ org:
+ logo_url: ""
+ url: ""
+ designed_by:
+ name: 2i2c
+ url: https://2i2c.org
+ operated_by:
+ name: 2i2c
+ url: https://2i2c.org
+ funded_by:
+ name: ""
+ url: ""
+ scheduling:
+ userScheduler:
+ enabled: true
diff --git a/config/clusters/linc/enc-deployer-credentials.secret.json b/config/clusters/linc/enc-deployer-credentials.secret.json
new file mode 100644
index 0000000000..8cfaf09ac6
--- /dev/null
+++ b/config/clusters/linc/enc-deployer-credentials.secret.json
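Review bot: The `GitHubOAuthenticator` block in config/clusters/linc/common.values.yaml ships with `allowed_organizations` and `admin_users` commented out and still holding template placeholders (`abc:def`, `asdf`), so who may log in to the staging hub is left to the authenticator's defaults. Depending on the OAuthenticator version the chart pulls in, which this page does not show, an empty allow-list means either only the staff admins injected by `add_staff_user_ids_to_admin_users`, or any GitHub account. I would either fill in the community's real org/team before the domain is reachable, or replace the placeholders with a statement of intent such as `# no allowed_organizations yet: only 2i2c staff admins may log in until the community's GitHub org/team is added`.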
@@ -0,0 +1,25 @@ +{ + "AccessKey": { + "AccessKeyId": "ENC[AES256_GCM,data:obOoEAg96TUdY+rBDp2nWpGiQ4E=,iv:dVtyMB/d2usnEiOgsQEDDVGuM2Di0qzez2RT2qnt01E=,tag:6ot0Os/64E89A7zPFILljA==,type:str]", + "SecretAccessKey": "ENC[AES256_GCM,data:XL8EYVl1ntBn2lF8+nPvxj0LUQMfXZWmRTABAXYQ0ez3IOiJn4Wcjw==,iv:uKnfzEmcpX0tIuH4JhMRDumWNFHMEphc8gsYapbWI1w=,tag:PLb9a0mGmPpqV9+ytohfSw==,type:str]", + "UserName": "ENC[AES256_GCM,data:DlTmkL/Osn+TFxu0ddV9CC0sAvjDj9g=,iv:mBMJNleUt6s3W1ZG96jeEgx1/8gbTL+EuwzAxRxK840=,tag:ZXZt9gAUQqhXfwdppKjPOQ==,type:str]" + }, + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + "created_at": "2024-03-26T15:19:58Z", + "enc": "CiUA4OM7eNHxko8FmJx7qgQUbKHY3ABCe8rJErxdTt6tKMOp4L0uEkkAXoW3Jh1L5kIsyg7ix0MdFQj/wNuAzinGsGTbMVmFcX7w/+Pwoqx3clgp2oG9D4jeSfDkqd49poH2LF7fN6uvd/zHcwyTBVXA" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-03-26T15:19:59Z", + "mac": "ENC[AES256_GCM,data:8XdKuQnDYS4a3eFh0gmYTZI5BLl5m3PSnO8iqLH0CFHA22cK74uJLV5hMmew31wsj49AiegfWYN0FvCZIgMpgI8K+KGDed1+2JekMxsw+0eNEGcAfe2J+tNMw4vRGtLflQQ69Ti3n5lvxnH4hu803KRLzpCkIZOQXj2Mni24IAQ=,iv:2dW0TocUokRTovj1MbCQKuQ6FiBWJGqclztqIOYG4NQ=,tag:2GDKtyRN+UTCOeT1TbLMTQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/config/clusters/linc/enc-grafana-token.secret.yaml b/config/clusters/linc/enc-grafana-token.secret.yaml new file mode 100644 index 0000000000..5eb014c609 --- /dev/null +++ b/config/clusters/linc/enc-grafana-token.secret.yaml 
@@ -0,0 +1,15 @@ +grafana_token: ENC[AES256_GCM,data:kIEiFXS/cN5tKDGew4Wl5tng9r5z0yPu453jtzcVCqF9dY4OuCEajsGMCMhJYQ==,iv:IrLuXFo1iWRwZli/wGaBqlN2fP6ZO/u9Co1+4OZUVQ8=,tag:6K6ZBmY/JuYfmIO2Jibxcg==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-03-26T19:06:56Z" + enc: CiUA4OM7eHCt0w2TUePPc5KRUvBsuLMUbxto1N1qOpqdK+Kdd+aQEkkAXoW3JkGGOlVo/b3ye3FSYzNh9AexBXjEHVEBKfG58kQvAGFBO8Lm+ZPzijCFCwWvKC8iLLFKuRjSZQ9vlYk0CnICNzj1fJdE + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-03-26T19:06:56Z" + mac: ENC[AES256_GCM,data:q6V5FUfmO2Tp8viPS7sWccyw3giZewA+y51pvQNIctQ2s/tXfbFWxrznF4/Tne77daMa/u7DGIZZDoNQKHKjfcsg7drP7D5GTJORcbLtYIXvhOW92Z8Wmo0kl6+is+lW3UfyVo7nUtZsgsNXay5kd2/ajc1KXGBO/7BFowBcar0=,iv:oCjf/KA5+zwrbuVPLno6QG1fZcxQy/B3s4XuGC0H7MM=,tag:vc1tuC+VJ/XaEPRDFJoGCQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/clusters/linc/enc-staging.secret.values.yaml b/config/clusters/linc/enc-staging.secret.values.yaml new file mode 100644 index 0000000000..4ec942d23b --- /dev/null +++ b/config/clusters/linc/enc-staging.secret.values.yaml 
@@ -0,0 +1,21 @@ +basehub: + jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:iqSeYxc7IMNhcpNGiRmeWOl094k=,iv:1FZm7sWuuXMQeO58nZbwa/JwDlzA8VlJNfe9ch6LcKI=,tag:5qLvu3c/cMTPtPFt0+KSTw==,type:str] + client_secret: ENC[AES256_GCM,data:xGqTAceOHIXAUV1T6L3l88XHcz+CxfmThoyBqCruFlzWoPmx7fGOGg==,iv:FLevQvMe+JuAi3uxhItGlgjj6jr9sU+0NJHuwlCwQi8=,tag:VNkTtaHvtX+/kj9D3fI1DA==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-03-26T20:12:17Z" + enc: CiUA4OM7eNNn06TvKdpGzzSeNZuhYETgaxlOvCcPguaIfbTpp6pvEkkAXoW3JkNqEFls9o/uPAImn37WfgEq77tvHn2/XPm1Es4zGVKRF0izBUlKS1tTDP5307XZFnapSoMiPr2ICOgBv7/KB7bVTDLz + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-03-26T20:12:17Z" + mac: ENC[AES256_GCM,data:6PnxDsjI2xpBBs5PtktXO2rCOj1Uml/C0xp7IMClXAK8scxGtcQ8XnntieeiCHtAon0yY5IQP+swDwY1ZpixnL34O/B0JLX86mANM7lhos4DFeC2RtAxeYZvdgz0yWOU5k4A2So/dhEWpPK19AlplZ9YXbTDdZR6N50fjhg0PUw=,iv:7/5Qw1Wj38FMvVxHEU+Jvoie/jeX2qmPuXwaPm4qlxU=,tag:ykDpQFuaI/sZC4O2HvXkJw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/clusters/linc/enc-support.secret.values.yaml b/config/clusters/linc/enc-support.secret.values.yaml new file mode 100644 index 0000000000..3d84b9881f --- /dev/null +++ b/config/clusters/linc/enc-support.secret.values.yaml 
@@ -0,0 +1,22 @@ +prometheusIngressAuthSecret: + username: ENC[AES256_GCM,data:KnFsl1f9JzCmlkO9lRsD7WlgVl7QaAKw6yRARWqXAr922ZdQBjFuP0U9RV3mOqywtN6BAghW7xWk1hJPJsGPpQ==,iv:wbPi9YqYibvUXvNpA0Zqgocw2APKv3+sSm+ulLAxqQw=,tag:nwAVKHo2b+vGB2d9LhAyyg==,type:str] + password: ENC[AES256_GCM,data:u/0+dh7WOm4XwRuMIeHog3csEj3D6+vExyboJZJ/kGb9OpAhNzECSjm6Jk0aJcQWCq7Bfur7hf7nAvMzOcTbQw==,iv:J7c7OVZIjQXC2FOHEtMhX4SNhmh9aolKOgsAccu3iAo=,tag:iKXUJEOa9/kNt6szLLZfnw==,type:str] +grafana: + grafana.ini: + auth.github: + client_id: ENC[AES256_GCM,data:eAfKvoZDnyAskxeDA89WrTa/E64=,iv:tXullNgwUB4dBoaYzzgg34HlkGX6VEFkZMwZ5v677Cw=,tag:7MULePUMAhxkJ+4jdWxMxA==,type:str] + client_secret: ENC[AES256_GCM,data:bm9lHXiXI69hWz03gMwJsCbkWMhHpHyJK/DMub8BnmbWXILIBJbCDA==,iv:42IjM17W/BPQMBX4w336NRXhtc/RnUegbpCeHJxU84Y=,tag:7DyZQym+d01tmErPqDjvdg==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2024-03-26T14:01:51Z" + enc: CiUA4OM7eFnE/G6kcDKgG8VNSZ8l+2EzjyWaKoGzi7oP7dudbOy4EkkAXoW3JgUyIqJjkz37SB2zkVaJsQMrfq8wR27oiAyuULvsc10K6xTQBfIabCXk/uILwPwkoo14Mw9oyfbZyZyfvgUwzEg/pCSB + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-03-26T19:51:46Z" + mac: ENC[AES256_GCM,data:xVT9dTtzgw72XnoSsA8oU3WrFcLLucVnUPiPrA3uySQygmfmBK1E6+oh4SUWccbiR+CgBbj/Qa2ppbwYikokjpUDOp+5JumQab105amCOoevMAZBgq1VoTlhqAuITQR1VirikMlIf5gSnl44DcF0AHHr0C5Z9Hgz7ig2a8X8Hss=,iv:AUrNWiT06Sk3LV/u6FJg5o59GgzSDDNkLr+4jUxpJIg=,tag:dm9MF1ulF0R3D1X8qz8RxA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/clusters/linc/staging.values.yaml b/config/clusters/linc/staging.values.yaml new file mode 100644 index 0000000000..d13cceec4c --- /dev/null +++ b/config/clusters/linc/staging.values.yaml 
@@ -0,0 +1,16 @@ +basehub: + jupyterhub: + ingress: + hosts: [staging.linc.2i2c.cloud] + tls: + - hosts: [staging.linc.2i2c.cloud] + secretName: https-auto-tls + hub: + config: + GitHubOAuthenticator: + oauth_callback_url: https://staging.linc.2i2c.cloud/hub/oauth_callback + custom: + homepage: + templateVars: + org: + name: MIT Linc (staging) diff --git a/config/clusters/linc/support.values.yaml b/config/clusters/linc/support.values.yaml new file mode 100644 index 0000000000..99b44f7678 --- /dev/null +++ b/config/clusters/linc/support.values.yaml @@ -0,0 +1,34 @@ +prometheusIngressAuthSecret: + enabled: true + +prometheus: + server: + ingress: + enabled: true + hosts: + - prometheus.linc.2i2c.cloud + tls: + - secretName: prometheus-tls + hosts: + - prometheus.linc.2i2c.cloud + +grafana: + grafana.ini: + server: + root_url: https://grafana.linc.2i2c.cloud/ + auth.github: + enabled: true + allowed_organizations: 2i2c-org + ingress: + hosts: + - grafana.linc.2i2c.cloud + tls: + - secretName: grafana-tls + hosts: + - grafana.linc.2i2c.cloud + +cluster-autoscaler: + enabled: true + autoDiscovery: + clusterName: linc + awsRegion: us-east-1 diff --git a/config/clusters/templates/common/support.values.yaml b/config/clusters/templates/common/support.values.yaml index b56f944aa1..21e6d1be9b 100644 --- a/config/clusters/templates/common/support.values.yaml +++ b/config/clusters/templates/common/support.values.yaml @@ -1,6 +1,6 @@ prometheusIngressAuthSecret: enabled: true - + prometheus: server: ingress: diff --git a/eksctl/linc.jsonnet b/eksctl/linc.jsonnet new file mode 100644 index 0000000000..a201d51606 --- /dev/null +++ b/eksctl/linc.jsonnet 
@@ -0,0 +1,149 @@ +/* + This file is a jsonnet template of a eksctl's cluster configuration file, + that is used with the eksctl CLI to both update and initialize an AWS EKS + based cluster. + + This file has in turn been generated from eksctl/template.jsonnet which is + relevant to compare with for changes over time. + + To use jsonnet to generate an eksctl configuration file from this, do: + + jsonnet linc.jsonnet > linc.eksctl.yaml + + References: + - https://eksctl.io/usage/schema/ +*/ +local ng = import "./libsonnet/nodegroup.jsonnet"; + +// place all cluster nodes here +local clusterRegion = "us-east-1"; +local masterAzs = ["us-east-1a", "us-east-1b", "us-east-1c"]; +local nodeAz = "us-east-1a"; + +// Node definitions for notebook nodes. Config here is merged +// with our notebook node definition. +// A `node.kubernetes.io/instance-type label is added, so pods +// can request a particular kind of node with a nodeSelector +local notebookNodes = [ + { instanceType: "r5.xlarge" }, + { instanceType: "r5.4xlarge" }, + { instanceType: "r5.16xlarge" }, + { + instanceType: "g4dn.xlarge", + tags+: { + "k8s.io/cluster-autoscaler/node-template/resources/nvidia.com/gpu": "1" + }, + // Allow provisioning GPUs across all AZs, to prevent situation where all + // GPUs in a single AZ are in use and no new nodes can be spawned + availabilityZones: masterAzs, + } +]; +local daskNodes = [ + // Node definitions for dask worker nodes. Config here is merged + // with our dask worker node definition, which uses spot instances. + // A `node.kubernetes.io/instance-type label is set to the name of the + // *first* item in instanceDistribution.instanceTypes, to match + // what we do with notebook nodes. Pods can request a particular + // kind of node with a nodeSelector + // + // A not yet fully established policy is being developed about using a single + // node pool, see https://github.com/2i2c-org/infrastructure/issues/2687. 
+ // + { instancesDistribution+: { instanceTypes: ["r5.4xlarge"] }}, +]; + + +{ + apiVersion: 'eksctl.io/v1alpha5', + kind: 'ClusterConfig', + metadata+: { + name: "linc", + region: clusterRegion, + version: "1.29", + }, + availabilityZones: masterAzs, + iam: { + withOIDC: true, + }, + // If you add an addon to this config, run the create addon command. + // + // eksctl create addon --config-file=linc.eksctl.yaml + // + addons: [ + { + // aws-ebs-csi-driver ensures that our PVCs are bound to PVs that + // couple to AWS EBS based storage, without it expect to see pods + // mounting a PVC failing to schedule and PVC resources that are + // unbound. + // + // Related docs: https://docs.aws.amazon.com/eks/latest/userguide/managing-ebs-csi.html + // + name: 'aws-ebs-csi-driver', + version: "latest", + wellKnownPolicies: { + ebsCSIController: true, + }, + }, + ], + nodeGroups: [ + ng + { + namePrefix: 'core', + nameSuffix: 'a', + nameIncludeInstanceType: false, + availabilityZones: [nodeAz], + ssh: { + publicKeyPath: 'ssh-keys/linc.key.pub' + }, + instanceType: "r5.xlarge", + minSize: 1, + maxSize: 6, + labels+: { + "hub.jupyter.org/node-purpose": "core", + "k8s.dask.org/node-purpose": "core" + }, + }, + ] + [ + ng + { + namePrefix: 'nb', + availabilityZones: [nodeAz], + minSize: 0, + maxSize: 500, + instanceType: n.instanceType, + ssh: { + publicKeyPath: 'ssh-keys/linc.key.pub' + }, + labels+: { + "hub.jupyter.org/node-purpose": "user", + "k8s.dask.org/node-purpose": "scheduler" + }, + taints+: { + "hub.jupyter.org_dedicated": "user:NoSchedule", + "hub.jupyter.org/dedicated": "user:NoSchedule" + }, + } + n for n in notebookNodes + ] + ( if daskNodes != null then + [ + ng + { + namePrefix: 'dask', + availabilityZones: [nodeAz], + minSize: 0, + maxSize: 500, + ssh: { + publicKeyPath: 'ssh-keys/linc.key.pub' + }, + labels+: { + "k8s.dask.org/node-purpose": "worker" + }, + taints+: { + "k8s.dask.org_dedicated" : "worker:NoSchedule", + "k8s.dask.org/dedicated" : 
"worker:NoSchedule" + }, + instancesDistribution+: { + onDemandBaseCapacity: 0, + onDemandPercentageAboveBaseCapacity: 0, + spotAllocationStrategy: "capacity-optimized", + }, + } + n for n in daskNodes + ] else [] + ) +} \ No newline at end of file diff --git a/eksctl/ssh-keys/linc.key.pub b/eksctl/ssh-keys/linc.key.pub new file mode 100644 index 0000000000..2c2cd01aeb --- /dev/null +++ b/eksctl/ssh-keys/linc.key.pub @@ -0,0 +1 @@ +ssh-rsa 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 erik@dl diff --git a/eksctl/ssh-keys/secret/linc.key b/eksctl/ssh-keys/secret/linc.key new file mode 100644 index 0000000000..ab5d181932 --- /dev/null +++ b/eksctl/ssh-keys/secret/linc.key @@ -0,0 +1,21 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:K7xxrM42UuxnvaOsmBSXotEF90shdhgNIc+Aoiubf5A=,tag:P9WZ/TzhK4QPy0DE22HJxQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs", + "created_at": "2024-03-26T14:01:50Z", + "enc": "CiUA4OM7eK68wqj5KpnNdxEW34sW7fdn7WOIixlp/gBta1o9rha5EkkAXoW3JihzEN7tCpE7139p8KYckgqGS9xpbTINuDWyrmm0ZRdp109xyr6Y671ddBGvD3k1IP1o3IDydxDvdZ2bMuFwu2k4LoA8" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2024-03-26T14:01:51Z", + "mac": "ENC[AES256_GCM,data:n5mz6KF+nByYfh8FYmw9IY6Nx0MCyHKres47e/8jV+BvN2R/10Q/USrdt/Koeczc0blxKeOGrYLtUOb1h0q9mieOv1tNxQgWO+c3jiivJBp+H89i1rC0+ve23A2+HFPKfH0WGDjBbGnXRq2blo6ff6WbyDfoHQfvBqX0tbKxZL0=,iv:TsqPnLHyJYX/jqX3ulSd1bDLu6KNXxB4NHfMOECfw8c=,tag:38QBYp1Kyqb1TzrN6WFoLg==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file diff --git a/terraform/aws/projects/linc.tfvars b/terraform/aws/projects/linc.tfvars new file mode 100644 index 0000000000..ef5821b54a --- /dev/null +++ b/terraform/aws/projects/linc.tfvars 
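Review bot: All three node group definitions in eksctl/linc.jsonnet (core, nb, dask) set `ssh: { publicKeyPath: 'ssh-keys/linc.key.pub' }`, which as far as I know makes eksctl enable SSH on every node, and nothing in this hunk restricts where port 22 can be reached from. Whether `./libsonnet/nodegroup.jsonnet` makes the nodes private is not visible here, so I would confirm it and document the intent next to the first `ssh` block, for example `// SSH is break-glass only; source is limited by <mechanism>`, or restrict it with eksctl's `sourceSecurityGroupIds`. Separately, the `aws-ebs-csi-driver` addon uses `version: "latest"`, so the addon version installed depends on when `eksctl create addon` is run. Pinning it, as in `version: "<pinned addon version>"`, keeps cluster rebuilds reproducible and makes upgrades a reviewed change.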
@@ -0,0 +1,26 @@
+region = "us-east-1"
+
+cluster_name = "linc"
+
+cluster_nodes_location = "us-east-1a"
+
+user_buckets = {
+ "scratch-staging" : {
+ "delete_after" : 7
+ },
+ "scratch" : {
+ "delete_after" : 7
+ },
+}
+
+
+hub_cloud_permissions = {
+ "staging" : {
+ bucket_admin_access : ["scratch-staging"],
+ extra_iam_policy : ""
+ },
+ "prod" : {
+ bucket_admin_access : ["scratch"],
+ extra_iam_policy : ""
+ },
+}
\ No newline at end of file
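Review bot: `hub_cloud_permissions` in terraform/aws/projects/linc.tfvars grants a `prod` hub `bucket_admin_access` to `scratch`, and `user_buckets` creates that bucket, but cluster.yaml in this commit defines only the `staging` hub. Presumably the Terraform module turns each entry into an IAM role bound to a service account in the namespace of that name; the module is outside this page, so that is an assumption to confirm. If so, the `prod` role and bucket would exist before anything legitimately uses them. I would add the `prod` entries together with the prod hub, or mark them as deliberate with a comment such as `# prod hub not deployed yet; role and bucket pre-provisioned, see <tracking issue>`.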