[New] Opensci cluster and hub

.github/workflows/deploy-grafana-dashboards.yaml

@@ -29,6 +29,7 @@ jobs:
           - cluster_name: nasa-esdis
           - cluster_name: nasa-veda
           - cluster_name: openscapes
+          - cluster_name: opensci
           - cluster_name: pangeo-hubs
           - cluster_name: qcl
           - cluster_name: smithsonian

.github/workflows/deploy-hubs.yaml

@@ -206,6 +206,7 @@ jobs:
       failure_hhmi: "${{ env.failure_hhmi }}"
       failure_nasa-esdis: "${{ env.failure_nasa-esdis }}"
       failure_earthscope: "${{ env.failure_earthscope }}"
+      failure_opensci: "${{ env.failure_opensci }}"
 
     # Only run this job on pushes to the default branch and when the job output is not
     # an empty list

config/clusters/2i2c/imagebuilding-demo.values.yaml

@@ -137,40 +137,10 @@ jupyterhub:
         setup_ui(c)
 
 binderhub-service:
-  nodeSelector:
-    hub.jupyter.org/node-purpose: core
   enabled: true
-  service:
-    port: 8090
-  # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml
-  # will start a docker-api pod on a user node.
-  # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon,
-  # that will be accessible via a unix socket, mounted by the build.
-  # The docker-api pod must run on the same node as the builder pods.
-  dockerApi:
-    nodeSelector:
-      hub.jupyter.org/node-purpose: user
-    tolerations:
-      # Tolerate tainted jupyterhub user nodes
-      - key: hub.jupyter.org_dedicated
-        value: user
-        effect: NoSchedule
-      - key: hub.jupyter.org/dedicated
-        value: user
-        effect: NoSchedule
   config:
     BinderHub:
-      base_url: /services/binder
-      use_registry: true
-      # Re-uses the registry created for the `binderhub-staging` hub
-      # but pushes images under a different prefix
       image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service-
-    KubernetesBuildExecutor:
-      # Get ourselves a newer repo2docker!
-      build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99
-      node_selector:
-        # Schedule builder pods to run on user nodes only
-        hub.jupyter.org/node-purpose: user
   # The password to the registry is stored encrypted in the hub's encrypted config file
   buildPodsRegistryCredentials:
     server: "https://us-central1-docker.pkg.dev"

config/clusters/opensci/cluster.yaml

@@ -0,0 +1,23 @@
+name: opensci
+provider: aws # https://2i2c.awsapps.com/start#/
+aws:
+  key: enc-deployer-credentials.secret.json
+  clusterType: eks
+  clusterName: opensci
+  region: us-west-2
+support:
+  helm_chart_values_files:
+    - support.values.yaml
+    - enc-support.secret.values.yaml
+hubs:
+  - name: sciencecore
+    display_name: "Sciencecore "
+    domain: sciencecore.opensci.2i2c.cloud
+    helm_chart: basehub
+    helm_chart_values_files:
+      # The order in which you list files here is the order the will be passed
+      # to the helm upgrade command in, and that has meaning. Please check
+      # that you intend for these files to be applied in this order.
+      - common.values.yaml
+      - sciencecore.values.yaml
+      - enc-sciencecore.secret.values.yaml

config/clusters/opensci/common.values.yaml

@@ -0,0 +1,14 @@
+nfs:
+  enabled: true
+  pv:
+    enabled: true
+    # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+    mountOptions:
+      - rsize=1048576
+      - wsize=1048576
+      - timeo=600
+      - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+      - retrans=2
+      - noresvport
+    serverIP: fs-065fcb5bb0ad79b25.efs.us-west-2.amazonaws.com
+    baseShareName: /

config/clusters/opensci/enc-deployer-credentials.secret.json

@@ -0,0 +1,25 @@
+{
+	"AccessKey": {
+		"AccessKeyId": "ENC[AES256_GCM,data:MtyZwyAG9hUN2TZmVBY99AUkTzk=,iv:X1yxWvoAR4qlzPGDr9sh5fI5/nPqsKezibr/gJ6sGyI=,tag:JkExYO+KJxqrBep71B+tpw==,type:str]",
+		"SecretAccessKey": "ENC[AES256_GCM,data:k5ZOOtSBK6GQG60fkcuVju/zuIzyXSmou+lMpbqI9KXj/70nK2vMxw==,iv:rxPpG9bTHAFB6TbtZoJQ6CglXHnDk0d6+3OV3//TqUs=,tag:CksFoyD6jh7Bd3tIZHQvug==,type:str]",
+		"UserName": "ENC[AES256_GCM,data:POvIw42gLg8qNOAQeZsvyi+Zma/I5Jo=,iv:uMiKk7ONZxSMm5K/rSEgOL1ZusHy8VgFD9C2D2ezEcg=,tag:oDJTF8RmGwpCBpEjvqL+PA==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2024-02-21T15:39:23Z",
+				"enc": "CiUA4OM7eF5o6mB9Vayi+puvS7aVXCANRtsaycfD68b7ISp9B6drEkkAXoW3JtPtnpYszaNYGfUeJiDVthqBYPcRJjtmCPqm6DEVL9Uyyordh2F636IlremL8X5LedANy3V6JQfofNHug3SiOYSzTqaj"
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-02-21T15:39:24Z",
+		"mac": "ENC[AES256_GCM,data:mX6G6KmXOkBiUMT/robJTZ2L8KozL2S8av0UIBhO7lNWo4BJJYLNx9fQL6wzjgWkclE8NI6AiZg57qo6u8SCIV+Fg1veJjsTv9mxOtuV1NbSH8vLs8FOCq0Qp/qDUTFCTIATqqIGPaTB6oUeM7TkBAlwS3SedRn/GTVMAFFDjbY=,iv:zncrRM8g/aC+oh/Hoogil+kUSst/GXOrQbKOwtbw1G4=,tag:V4wlwuxyDLVdLn9t1No41Q==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

config/clusters/opensci/enc-grafana-token.secret.yaml

@@ -0,0 +1,15 @@
+grafana_token: ENC[AES256_GCM,data:FUDyTxRjgJ3FrEzZ4FJeNCVOYtfAVGtz82Xjzlq0JSDrcDSdcOVc5VRZAixo6g==,iv:wP1WsvpXh4T6i0zKQatAmYS/+GRa5vwmRtOUz82VUWY=,tag:WY1AuW4YhYE54ij6pIjmZQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2024-02-27T08:21:10Z"
+          enc: CiUA4OM7eJwLqe0B1wFs4I0fTW9ca4t9EVaupRu6drh9jlu2BMxSEkkAXoW3JoVJBEtoW1U21/GHpWilS78im8nQUr/+YbIpFgHLJO1hsEbVqIjhJQ82ZfYryz9ozn/4/Fwxlzx6XymhncSnR/1KllE1
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-02-27T08:21:11Z"
+    mac: ENC[AES256_GCM,data:dgsHlAhpVrM3246Mmk+Hiemmh4MVrkd75LYNx7ffyw0ojThJ8/wTLL8Bio25Py7vzQR10r3qVtj1+TNnDXE3cGHPTpXBuBS4RfdI63/+SAdoONL8T0J0zUM58opWfkhp3XaB5JAKJH4JTP+WGVDGmYWiyRC6kbxvn7fhLqq509U=,iv:SZ+s+LU+EJHNPbfGpHpkOzS4aTUWT0fHGyX5om0jH2w=,tag:F0vuPTXtXVUqlpCOKcLaAA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/opensci/enc-sciencecore.secret.values.yaml

@@ -0,0 +1,28 @@
+binderhub-service:
+    buildPodsRegistryCredentials:
+        password: ENC[AES256_GCM,data:8SoSbjJQoxjSvjiWMv2isnKD1tNWzQEijO7KGQG7L3VBFrqHTn00vE5k8kiiNfVDh1fcrnVMbTp4h414mTrtsg==,iv:s58wLbD13dRyYyg0RAKBjq4AuFNauU+MeTEP9fUYoZU=,tag:bHFEG8hRXmQ60XGe4G1n7A==,type:str]
+jupyterhub:
+    imagePullSecret:
+        create: ENC[AES256_GCM,data:aJ5t7w==,iv:mdiodKbsYFnfzFkwCBbgQ6B/myJcL/z1+f15vTgSQwQ=,tag:mmuYSMXreRi2O4nwAzaZsw==,type:bool]
+        registry: ENC[AES256_GCM,data:iGtOHQXDhw==,iv:YXdzdemCE+6B5sA437zaUFKDhb2xj2X7gMZNzu3tTqM=,tag:Bqn2k57b6RYQJYB5v1Li2A==,type:str]
+        username: ENC[AES256_GCM,data:ii7f/N3KXNmkvv5Sh2wsPlqRRh0LHjjExQkm+kK+lRCVwe8FDNI=,iv:rqk6+iWqGYh/fgDPGqcRZ/fyRROM6a144PCrVWokm+o=,tag:9krQyW6n7QCiQ5vNM/wozQ==,type:str]
+        password: ENC[AES256_GCM,data:CjC/nUzk/7LH5oSA3cF4KRjmzLMa3QAIodKxAKTTB8ruEFHdQAUDCfm9m2zco4lLykwG6JX5JiWClI26C2O+wg==,iv:KzXdwlH0EeI79hgTEL0iRSsPxHeZTXusuRqQQe+YbG4=,tag:5xIfUhfUS2qUFLoiRYwTlw==,type:str]
+    hub:
+        config:
+            GitHubOAuthenticator:
+                client_id: ENC[AES256_GCM,data:dhNb/AwKFr/2s1+RUIsndJ5EKC4=,iv:6Rzm5NBgBZcHrOyWFYi1qib1iraWoRpeoPCo42wUD10=,tag:JIKjxJQ8I8fM+Z+MFRfsEA==,type:str]
+                client_secret: ENC[AES256_GCM,data:LQedpZelm6SO8KAFBpV5fHFYmTOXyzz75HoKC+N9D3/lH7TXZFxl9w==,iv:isCaLvhi3aU/mOLEtsRegzSVxcMh4HRV2kCB3Klrsq0=,tag:c3zZ2190eyzsuK1Mv2t6CQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-09-18T19:00:41Z"
+          enc: CiUA4OM7eFioG9yDgVwKtc0cYrU65GNcqMSDuUgnuXuq3KW9dRI6EkkAq2nhVV2TFrZOq5jktjMd4TQF1lwH/08tAyGd3vMfBmdd3Xdy3bAUUHhrPXcK6QabMRYdXPzQzgB+oBGaqOsJO7D7jT9NpeCn
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-03-01T09:20:50Z"
+    mac: ENC[AES256_GCM,data:/H85LAsXQBVCUly595+EGHmTN7jw8Mspsj1GFfyVBjUj/QYJResChPxuDfEf02PD+h0Va9UK0xQVBLVJFuO8nVKLY9WAGG5agAiTHYudhHGsPpzGSL5jkjDkQrqNhyAWunkh7euqbMIDKLU8Yn4LXVU1JaD6DrbNXQJcnJbAbAM=,iv:jDS6yvbuz57WixC/5qKrZztd0IXeLsAJXzYj8zsOBzI=,tag:O9JM6fBZuD8quswUFe7cJQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/opensci/enc-support.secret.values.yaml

@@ -0,0 +1,17 @@
+prometheusIngressAuthSecret:
+    username: ENC[AES256_GCM,data:NAA8fg7Oin4CLlFAR0/q9I0FpqHHsyXntce7by5Fg4B4PVGnmboc6hiHKbcvq4gkhFu3JkSPO/UZOnAi/vPXVA==,iv:t21nYjrvFgJ5vRM/8FDGwMrlGiLYsE9R4+BFxjDf91c=,tag:gnyjHQCSfouHljf6AzQKiw==,type:str]
+    password: ENC[AES256_GCM,data:Dcu0hyudGn0a51p8yutj2MbMv0ydSS/ewXqDF1xAVsWV75DUikNjnqxKZWbBDmjZisi+lMiRHZEUrxaszcGE9w==,iv:AM/9clOgMS80/JdZb1UC9fZNliQwhD8BJdZmSk7+Xow=,tag:kV4UPf5vPkTjESJGNusS9A==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2024-02-21T14:04:13Z"
+          enc: CiUA4OM7eH9GfolTeTic397lI94/FljLr1s7Hz77OOck8EsW/8pvEkkAXoW3JqTtm0UrLSlLBrebh+OQ+6ik5KFXmY8Xxl9ICv9kSnbz7CFBvAHlhrP7W7/NK8ZP5+6NnOivp0SZlghOW9M5Lv5ZpnQc
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-02-21T14:04:13Z"
+    mac: ENC[AES256_GCM,data:IlvuWpEYx2Qjp12hXHSnQdS9RYU1lwH2L8CgE1Js2cXRzhFr+cRalpJ68h/G8uzJOowb/WI5svSBB372HoX0FSf3kRmUPBdj0nI0Leb7kzZoOWJfVsCNh+Z7KVqs7iBnCWRtIr5v00eD6WUf1Q93qgxgcuZgAewd8rzaiixN0GE=,iv:I6/qm0v3/kBt+zFXm/jM29wo3ZW8p6xT9cfI+ruJGCQ=,tag:F2rZt0kHoHSsdECq0IY7eQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/opensci/sciencecore.values.yaml

@@ -0,0 +1,144 @@
+jupyterhub:
+  ingress:
+    hosts:
+      - sciencecore.opensci.2i2c.cloud
+    tls:
+      - secretName: https-auto-tls
+        hosts:
+          - sciencecore.opensci.2i2c.cloud
+  custom:
+    2i2c:
+      add_staff_user_ids_to_admin_users: true
+      add_staff_user_ids_of_type: "github"
+    jupyterhubConfigurator:
+      enabled: false
+    homepage:
+      templateVars:
+        org:
+          name: Sciencecore
+          url: https://2i2c.org
+          logo_url: https://2i2c.org/media/logo.png
+        designed_by:
+          name: 2i2c
+          url: https://2i2c.org
+        operated_by:
+          name: 2i2c
+          url: https://2i2c.org
+        funded_by:
+          name: ""
+          url: ""
+  singleuser:
+    profileList:
+      - display_name: "Only Profile Available, this info is not shown in the UI"
+        slug: only-choice
+        profile_options:
+          image:
+            display_name: Image
+            unlisted_choice: &profile_list_unlisted_choice
+              enabled: True
+              display_name: "Custom image"
+              validation_regex: "^.+:.+$"
+              validation_message: "Must be a publicly available docker image, of form <image-name>:<tag>"
+              display_name_in_choices: "Specify an existing docker image"
+              description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)"
+              kubespawner_override:
+                image: "{value}"
+            choices:
+              pangeo:
+                display_name: Pangeo Notebook Image
+                description: "Python image with scientific, dask and geospatial tools"
+                kubespawner_override:
+                  image: pangeo/pangeo-notebook:2023.09.11
+              geospatial:
+                display_name: Rocker Geospatial
+                description: "R image with RStudio, the tidyverse & Geospatial tools"
+                default: true
+                slug: geospatial
+                kubespawner_override:
+                  image: rocker/binder:4.3
+                  # Launch into RStudio after the user logs in
+                  default_url: /rstudio
+                  # Ensures container working dir is homedir
+                  # https://github.com/2i2c-org/infrastructure/issues/2559
+                  working_dir: /home/rstudio
+              scipy:
+                display_name: Jupyter SciPy Notebook
+                slug: scipy
+                kubespawner_override:
+                  image: jupyter/scipy-notebook:2023-06-26
+          resources:
+            display_name: Resource Allocation
+            choices:
+              mem_3_7:
+                display_name: 3.7 GB RAM, upto 3.7 CPUs
+                kubespawner_override:
+                  mem_guarantee: 3982682624
+                  mem_limit: 3982682624
+                  cpu_guarantee: 0.46875
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+                default: true
+              mem_7_4:
+                display_name: 7.4 GB RAM, upto 3.7 CPUs
+                kubespawner_override:
+                  mem_guarantee: 7965365248
+                  mem_limit: 7965365248
+                  cpu_guarantee: 0.9375
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_14_8:
+                display_name: 14.8 GB RAM, upto 3.7 CPUs
+                kubespawner_override:
+                  mem_guarantee: 15930730496
+                  mem_limit: 15930730496
+                  cpu_guarantee: 1.875
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+              mem_29_7:
+                display_name: 29.7 GB RAM, upto 3.7 CPUs
+                kubespawner_override:
+                  mem_guarantee: 31861460992
+                  mem_limit: 31861460992
+                  cpu_guarantee: 3.75
+                  cpu_limit: 3.75
+                  node_selector:
+                    node.kubernetes.io/instance-type: r5.xlarge
+
+  hub:
+    allowNamedServers: true
+    services:
+      binder:
+        # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57
+        # for something more readable and requiring less copy-pasting
+        url: http://sciencecore-binderhub-service:8090
+    image:
+      name: quay.io/2i2c/dynamic-image-building-experiment
+      tag: "0.0.1-0.dev.git.7567.ha4162031"
+    config:
+      JupyterHub:
+        authenticator_class: github
+      GitHubOAuthenticator:
+        oauth_callback_url: https://sciencecore.opensci.2i2c.cloud/hub/oauth_callback
+        allowed_organizations:
+          - 2i2c-demo-hub-access
+          - ScienceCore
+        scope:
+          - read:org
+
+    extraConfig:
+      enable-fancy-profiles: |
+        from jupyterhub_fancy_profiles import setup_ui
+        setup_ui(c)
+
+binderhub-service:
+  enabled: true
+  config:
+    BinderHub:
+      image_prefix: quay.io/2i2c-opensci-sciencecore/binderhub-service-
+  # The password to the registry is stored encrypted in the hub's encrypted config file
+  buildPodsRegistryCredentials:
+    server: "https://quay.io"
+    username: "2i2c-opensci-sciencecore+image_manager"

config/clusters/opensci/support.values.yaml

@@ -0,0 +1,34 @@
+prometheusIngressAuthSecret:
+  enabled: true
+
+cluster-autoscaler:
+  enabled: true
+  autoDiscovery:
+    clusterName: opensci
+  awsRegion: us-west-2
+
+prometheus:
+  server:
+    ingress:
+      enabled: true
+      hosts:
+        - prometheus.opensci.2i2c.cloud
+      tls:
+        - secretName: prometheus-tls
+          hosts:
+            - prometheus.opensci.2i2c.cloud
+
+grafana:
+  grafana.ini:
+    server:
+      root_url: https://grafana.opensci.2i2c.cloud/
+  auth.github:
+    enabled: true
+    allowed_organizations: 2i2c-org
+  ingress:
+    hosts:
+      - grafana.opensci.2i2c.cloud
+    tls:
+      - secretName: grafana-tls
+        hosts:
+          - grafana.opensci.2i2c.cloud