diff --git a/.circleci/config.yml b/.circleci/config.yml index 541b8916e..6fa02f25d 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -289,6 +289,12 @@ jobs: # hubploy deploy --timeout 30m logodev hub ${CIRCLE_BRANCH} # no_output_timeout: 30m + - run: + name: Deploy nature + command: | + hubploy deploy --timeout 30m nature hub ${CIRCLE_BRANCH} + no_output_timeout: 30m + - run: name: Deploy prob140 command: | @@ -472,6 +478,15 @@ workflows: # ignore: # - staging # - prod + - hubploy/build-image: + deployment: nature + name: nature image build + # Filters can only be per-job? wtf + filters: + branches: + ignore: + - staging + - prod - hubploy/build-image: deployment: publichealth name: publichealth image build @@ -645,6 +660,15 @@ workflows: # branches: # only: # - staging + - hubploy/build-image: + deployment: nature + name: nature image build + push: true + # Filters can only be per-job? wtf + filters: + branches: + only: + - staging - hubploy/build-image: deployment: publichealth name: publichealth image build @@ -701,6 +725,7 @@ workflows: - ischool image build - julia hub image build # - logodev image build + - nature image build - publichealth image build - shiny image build - stat20 image build diff --git a/.github/labeler.yml b/.github/labeler.yml index c6a3ee5fb..a74875c95 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -115,6 +115,8 @@ node-placeholder-scaler: - 'deployments/julia/**' 'hub: logodev': - 'deployments/logodev/**' +'hub: nature': + - 'deployments/nature/**' 'hub: prob140': - 'deployments/prob140/**' 'hub: publichealth': diff --git a/deployments/nature/config/common.yaml b/deployments/nature/config/common.yaml new file mode 100644 index 000000000..4ffa072de --- /dev/null +++ b/deployments/nature/config/common.yaml 
@@ -0,0 +1,93 @@ +nfsPVC: + enabled: true + nfs: + serverIP: 10.75.147.186 + +jupyterhub: + scheduling: + userScheduler: + nodeSelector: + hub.jupyter.org/pool-name: core-pool-2024-05-08 + proxy: + chp: + nodeSelector: + hub.jupyter.org/pool-name: core-pool-2024-05-08 + + hub: + nodeSelector: + hub.jupyter.org/pool-name: core-pool-2024-05-08 + config: + loadRoles: + # datahub staff + datahub-staff: + description: Enable admin for datahub staff + # this role provides permissions to... + scopes: + - admin-ui + - admin:groups + - admin:users + - admin:servers + - read:roles + - read:hub + - access:servers + # this role will be assigned to... + groups: + - course::1524699::group::all-admins + singleuser: + extraFiles: + remove-exporters: + mountPath: /etc/jupyter/jupyter_notebook_config.py + stringData: | + c.QtPDFExporter.enabled = False + c.QtPNGExporter.enabled = False + c.WebPDFExporter.embed_images = True + extraEnv: + # Unset NotebookApp from hub/values. Necessary for recent lab versions. + JUPYTERHUB_SINGLEUSER_APP: "jupyter_server.serverapp.ServerApp" + nodeSelector: + hub.jupyter.org/pool-name: nature-pool + storage: + type: static + static: + pvcName: home-nfs-v3 + subPath: "{username}" + memory: + guarantee: 4G + limit: 4G + + #custom: + # group_profiles: + # + # # Example: increase memory for everyone affiliated with a course. + # + # # Name of Class 100, Fall '22; requested in #98765 + # course::123456: + # mem_limit: 4096M + # mem_guarantee: 2048M + # + # # Example: grant admin rights to course staff. + # # Enrollment types returned by the Canvas API are `teacher`, + # # `student`, `ta`, `observer`, and `designer`. 
+ # # https://canvas.instructure.com/doc/api/enrollments.html + # + # # Some other class 200, Spring '23; requested in #98776 + # course::234567::enrollment_type::teacher: + # mem_limit: 2096M + # mem_guarantee: 2048M + # course::234567::enrollment_type::ta: + # mem_limit: 2096M + # mem_guarantee: 2048M + # + # + # # Example: a fully specified CanvasOAuthenticator group name. + # # This could be useful for temporary resource bumps where the + # # instructor could add people to groups in the bCourses UI. This + # # would benefit from the ability to read resource bumps from + # # jupyterhub's properties. (attributes in the ORM) + # + # # Name of Class 100, Fall '22; requested in #98770 + # course::123456::group::lab4-bigdata: + # - mountPath: /home/rstudio/.ssh + # name: home + # subPath: _some_directory/_ssh + # readOnly: true diff --git a/deployments/nature/config/filestore/squash-flags.json b/deployments/nature/config/filestore/squash-flags.json new file mode 100644 index 000000000..832c32e7f --- /dev/null +++ b/deployments/nature/config/filestore/squash-flags.json @@ -0,0 +1,16 @@ +{ +"--file-share": + { + "name": "shares", + "capacity": "1TiB", + "nfs-export-options": [ + { + "access-mode": "READ_WRITE", + "ip-ranges": ["10.0.0.0/8"], + "squash-mode": "ROOT_SQUASH", + "anon_uid": 1000, + "anon_gid": 1000 + } + ], + } +} diff --git a/deployments/nature/config/prod.yaml b/deployments/nature/config/prod.yaml new file mode 100644 index 000000000..d0c7b77fa --- /dev/null +++ b/deployments/nature/config/prod.yaml @@ -0,0 +1,18 @@ +nfsPVC: + nfs: + shareName: shares/nature/prod + +jupyterhub: + ingress: + enabled: true + hosts: + - nature.datahub.berkeley.edu + tls: + - secretName: tls-cert + hosts: + - nature.datahub.berkeley.edu + hub: + db: + pvc: + # This also holds logs + storage: 4Gi diff --git a/deployments/nature/config/staging.yaml b/deployments/nature/config/staging.yaml new file mode 100644 index 000000000..572ad127a --- /dev/null 
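Review bot: The `datahub-staff` role under `hub.config.loadRoles` in `deployments/nature/config/common.yaml` grants `admin:users`, `admin:servers` and unfiltered `access:servers` to every member of the Canvas group `course::1524699::group::all-admins`, so admin on this hub is decided by whoever can edit that group's membership, not by anything reviewed in this repository. Nothing in the file says who owns the group or why this course id is right for a new hub. A comment above `groups:` would make that trust boundary visible, for example `# bCourses group managed by datahub staff; membership grants full hub admin, including access to every user's server`. The commented-out `custom.group_profiles` example at the end of the file also ends in volume-mount keys (`mountPath`, `subPath`, `readOnly`) with no parent key, which looks like template residue and should be trimmed before anyone uncomments it.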
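Review bot: The single entry in `nfs-export-options` in `squash-flags.json` gives `READ_WRITE` to `"ip-ranges": ["10.0.0.0/8"]`, so any host in the whole 10/8 private block that can route to the Filestore instance may mount the share holding user home directories. `ROOT_SQUASH` only remaps root to `anon_uid` 1000, which is presumably the same uid that owns those home directories, so it does not narrow who can read or write them. Restricting the range to the cluster's own node and pod networks, for example `"ip-ranges": ["<cluster-node-cidr>", "<cluster-pod-cidr>"]` with the real ranges filled in, would limit exposure to the workloads that need it. Separately, the `],` just before the closing brace of `--file-share` is a trailing comma that a strict JSON parser rejects; it is worth confirming the tool that consumes this file tolerates it, or dropping the comma.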
+++ b/deployments/nature/config/staging.yaml @@ -0,0 +1,19 @@ +nfsPVC: + nfs: + shareName: shares/nature/staging + +jupyterhub: + scheduling: + userScheduler: + replicas: 1 + prePuller: + continuous: + enabled: false + ingress: + enabled: true + hosts: + - nature-staging.datahub.berkeley.edu + tls: + - secretName: tls-cert + hosts: + - nature-staging.datahub.berkeley.edu diff --git a/deployments/nature/hubploy.yaml b/deployments/nature/hubploy.yaml new file mode 100644 index 000000000..1ae5a7106 --- /dev/null +++ b/deployments/nature/hubploy.yaml @@ -0,0 +1,19 @@ +images: + images: + - name: us-central1-docker.pkg.dev/ucb-datahub-2018/user-images/nature-user-image + path: image/ + repo2docker: + base_image: docker.io/library/buildpack-deps:jammy + registry: + provider: gcloud + gcloud: + project: ucb-datahub-2018 + service_key: gcr-key.json + +cluster: + provider: gcloud + gcloud: + project: ucb-datahub-2018 + service_key: gke-key.json + cluster: spring-2024 + zone: us-central1 diff --git a/deployments/nature/image/apt.txt b/deployments/nature/image/apt.txt new file mode 100644 index 000000000..a990f28e0 --- /dev/null +++ b/deployments/nature/image/apt.txt 
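Review bot: `repo2docker.base_image` in `deployments/nature/hubploy.yaml` is `docker.io/library/buildpack-deps:jammy`, a mutable tag, so each rebuild of the nature user image takes whatever Docker Hub currently serves under that name and two builds of the same commit can differ. Pinning by digest, `base_image: docker.io/library/buildpack-deps:jammy@sha256:<digest>`, makes the base reproducible and turns a base-image change into a reviewable diff. Whether hubploy passes a digest-qualified reference through to repo2docker unchanged is not visible here and should be confirmed before adopting the pin.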
@@ -0,0 +1,52 @@ +# Some linux packages for basic terminal work, particularly +# oriented at users new to Unix/cmd line environments. + +# installing less as more just isn't enough +less + +# Download tools +curl +wget +vim + +# for easily managing multiple repositories with one command (perl-doc +# is needed for its help pages to work) +mr +perl-doc + +# Regular build tools for compiling common stuff +build-essential + +# Dependencies for nbconvert +texlive-xetex +texlive-fonts-recommended +texlive-plain-generic +texlive-lang-chinese +lmodern + +# Other useful document-related tools +pandoc +latexdiff + +# Some useful git utilities use basic Ruby +ruby + +# Other niceties for command-line work and life +rsync + +# playwright deps https://jira-secure.berkeley.edu/browse/DH-325 +libnss3 +libnspr4 +libdbus-1-3 +libatk1.0-0 +libatk-bridge2.0-0 +libcups2 +libdrm2 +libxkbcommon0 +libatspi2.0-0 +libxcomposite1 +libxdamage1 +libxfixes3 +libxrandr2 +libgbm1 +libasound2 diff --git a/deployments/nature/image/environment.yml b/deployments/nature/image/environment.yml new file mode 100644 index 000000000..7947296da --- /dev/null +++ b/deployments/nature/image/environment.yml @@ -0,0 +1,31 @@ +name: nature + +channels: +- conda-forge + +dependencies: + +# Items required for basic level functionality +- python==3.11.* +- git==2.46.0 +- jupyter-resource-usage=1.1.0 +- jupyterhub==4.1.6 +- jupyterlab==4.2.5 +- jupyter_server==2.14.2 +- notebook==7.2.2 +- nbgitpuller==1.2.1 + +# vscode +- code-server==4.23.1 +- jupyter-vscode-proxy==0.6 + +# other packages +- seaborn==0.13.2 +- altair==5.4.1 +- ibis-framework[pandas,duckdb]==9.3.0 +- leafmap==0.36.10 +- jupyterlab-myst==2.4.2 + +- pip==24.2 +- pip: + - nbconvert[webpdf]==7.16.4 diff --git a/deployments/nature/image/postBuild b/deployments/nature/image/postBuild new file mode 100644 index 000000000..f8d71f964 --- /dev/null +++ b/deployments/nature/image/postBuild 
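Review bot: In `deployments/nature/image/environment.yml`, `jupyter-resource-usage=1.1.0` uses a single `=` while every other conda entry under `dependencies` uses `==`. In conda's match syntax the single form is a prefix match, so this is the one line that is not an exact pin; `- jupyter-resource-usage==1.1.0` brings it in line with the rest. The `pip:` entry `nbconvert[webpdf]==7.16.4` pins nbconvert but not the Playwright package its `webpdf` extra pulls in, so the Chromium build that `postBuild` downloads with `playwright install chromium` can change between image builds. Adding an explicit `playwright==<version>` line next to it would fix the browser revision as well.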
@@ -0,0 +1,6 @@ +#!/usr/bin/env bash +set -euo pipefail + +# installing chromium browser to enable webpdf conversion using nbconvert +export PLAYWRIGHT_BROWSERS_PATH=${CONDA_DIR} +playwright install chromium diff --git a/deployments/nature/image/start b/deployments/nature/image/start new file mode 100644 index 000000000..c3a978b7f --- /dev/null +++ b/deployments/nature/image/start @@ -0,0 +1,5 @@ +#!/bin/bash + +# See https://jira-secure.berkeley.edu/browse/DH-305 +export PLAYWRIGHT_BROWSERS_PATH=${CONDA_DIR} +exec "$@" diff --git a/deployments/nature/secrets/gcr-key.json b/deployments/nature/secrets/gcr-key.json new file mode 100644 index 000000000..909076d23 --- /dev/null +++ b/deployments/nature/secrets/gcr-key.json 
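Review bot: `deployments/nature/image/start` exports `PLAYWRIGHT_BROWSERS_PATH=${CONDA_DIR}` without the `set -euo pipefail` that `postBuild` uses, so an unset `CONDA_DIR` at container start yields an empty path. The failure would then presumably surface only later, as a webpdf export that cannot find Chromium. `export PLAYWRIGHT_BROWSERS_PATH="${CONDA_DIR:?CONDA_DIR is not set}"` fails at startup with a clear message and also quotes the expansion; the identical unquoted line in `postBuild` deserves the same quoting. The two scripts rely on the path matching at build time and run time, but only `start` cites a ticket (DH-305) and neither states that requirement. A one-line comment in each, such as `# must match the path used in the other script (postBuild/start) so the browser installed at build time is found at run time`, would stop them from drifting apart.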
@@ -0,0 +1,30 @@ +{ + "type": "ENC[AES256_GCM,data:0I7dYFUSBF5oONBtUxkc,iv:Ws7MGUhHoDOGESUyEi+HdPY1CbBDB98FufA8d+cOw18=,tag:bkfWgySRKcIXnIzB5/9AJQ==,type:str]", + "project_id": "ENC[AES256_GCM,data:TwqH+3sdXcs3zOOSoCgkaA==,iv:vDjOAoumM6tnMNcVkzlqPk7ujGEwOI/Db0kVaO5AAqk=,tag:OT7c60NkyS1aw0L1HvYd/g==,type:str]", + "private_key_id": "ENC[AES256_GCM,data:EpePb4USzZBigubVyyo+sjdNcGXAeyXgmJS33MZtDqXs8VfBCvL16w==,iv:NLyJFb62z/Yj+4X0IUTN8WxTgdpxtc5udlJ89WH6c6I=,tag:y9bHxvqYyaJsxMLaHhkvsA==,type:str]", + "private_key": "ENC[AES256_GCM,data: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,iv:9qLRN/v7Q2Twl/5SaOOCN3ACOs8ZyLnZx+Qkbg6X2Ig=,tag:cNLrRzp6ZWnU9WgWc0kdqQ==,type:str]", + "client_email": "ENC[AES256_GCM,data:r1/9+NDcLQ5oh4MAaF0h2gPfUJJLoMZ6SIJnBgnpa/nCCoAjOn3BlMlVb+odkhGnW1W4qIDnRFuepw==,iv:ALhr5g8VLEOV3PPw8E7rbV/INU2qte0VEJVbtVF8kWk=,tag:l8a4Al6+9k7HiO9fnclcGA==,type:str]", + "client_id": "ENC[AES256_GCM,data:lKB1S3DiB430noJTuWEFsxzhqeu6,iv:f9wPi87mJekuNaO4kBOsMEe7aK0qaVUTRRht7skZQd4=,tag:DgXci6MDlY7Y7v/p6pOAzA==,type:str]", + "auth_uri": "ENC[AES256_GCM,data:sw+45WN8mou/cSjmcbdweGel3odEV7tTw3pNSywaw0MSWSJ0H9qZIhM=,iv:tmCzryizCEmwQ/vnVhF2xecwXtjkj9j74qYX2OXfY8E=,tag:X2JuV9/6Ir4LyE8E7uUqLQ==,type:str]", + "token_uri": "ENC[AES256_GCM,data:u8bETqFMsmGIhG74OvFh1guEawWasf/TPi9W6q5mr5xdR0U=,iv:SvY5NGGU2pstrT3bgk7tLy72VIZWIcrtb6n4fQJmaJI=,tag:q/+ZftThljF/NQkx4yyWng==,type:str]", + "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:0Wyr5hZPP8EFxj09do28+hTNpRQ2W7kgCd8RKwgdgj+HjyngwFNMlX8t,iv:dtagZNXNeN4gAO0EQSCPe4aJ2jo64uVgy7KNpm0O554=,tag:BTKYg7hnSmxCVBcYUQOGkA==,type:str]", + "client_x509_cert_url": "ENC[AES256_GCM,data:nBL+9RFEq7Yak5F/rfMTLVmrTlwRqJcmU7XuTby+CTWYxLrvj45cJ4zGjrFJVprR4SX/atfJvd+oz3INJtj+R2xuFqeAEwOA83cQ8hc2QQTp/dZnIfx/mfhLYcee2pYSdw9UvUeVMwZnrMNU2Ds=,iv:4hrK/i4PMwffA0fPkhO1IhOMgEuXo1BGUVHuK0gFjMA=,tag:LxT+OWq5eV72w5YjoSvgJQ==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": 
"projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops", + "created_at": "2021-04-09T20:37:52Z", + "enc": "CiQA67O9AMN7YazFkiINr1H6EseNuc5e1Uaev/rqdGmyNJN0U4QSSADmhpq83a6J0ki/Id/e8MhBAAKdaADW6SFNX8J8wlVaXX2s7u3P8wMYloROZUpRG+mrpXAVsLAEWRFKV9ITu+TVluTg3Ig1HQ==" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2021-04-09T20:37:52Z", + "mac": "ENC[AES256_GCM,data:B+LJnO3hpZQKgKtQaDdxJMVVW80uDAdFBzmEBXOlE5IR5Qj20lgSbdwo7ELo1+pZnsa3m8Efik1qUkYm8cRz0FPDxt1GjUMNQ3EnkZYBQBY5I1IdS/+GkYIlGnzbwnc2+K5rx2n8dXoCKBLZmbLLgaLWJHgVN600UrBtVXwtohI=,iv:/nSQ0o+Z4hNQCjcHOB4PMvyhZI4Nv+POxOL4W3G6NVU=,tag:f+o3HM7bGecoDcS0CU1sSQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.0" + } +} \ No newline at end of file diff --git a/deployments/nature/secrets/gke-key.json b/deployments/nature/secrets/gke-key.json new file mode 100644 index 000000000..b93212fa3 --- /dev/null +++ b/deployments/nature/secrets/gke-key.json 
@@ -0,0 +1,30 @@ +{ + "type": "ENC[AES256_GCM,data:pviDYpoudn2mPXuSTCau,iv:5gsuBqez83Rd1A/wbbkKd5e3qbMzEmD7pL7jXW0cPqU=,tag:0mwsPS5wQptG/DaSQgm8HQ==,type:str]", + "project_id": "ENC[AES256_GCM,data:mR7xINYn/ly6dkpKJTZycg==,iv:Nxu2uscmC80IVfcAdDh9COmtAGDdtCHQ5uAORvjdGKM=,tag:ZejnMpC4ilLXA4D3tnxxwg==,type:str]", + "private_key_id": "ENC[AES256_GCM,data:6bJxLE0n0QM1HLX+ennIeHf9H6SYylodt5+zsgH07fjc30RSpBRUKA==,iv:YUFoEj2fQ4pNHt7TVVosBi9k9w6aXIKsQU6DSFG8brc=,tag:RK6k0YlB991yxtf+95E0Vw==,type:str]", + "private_key": "ENC[AES256_GCM,data:oF+xAYXTSufe3xtFNU9qlBZDX0iNhf9oUre7H7h5AygW0o/pu7PZNkuJYUGbcQuLS4zWWzJUFlhUxs3bjXGELhcqPa3VJVBHGUWjvbwMHUMW775KZOJaXj3fg66mF50Fnj24rqfMYh8ZXdkrlt5/EtE50CdCEVay60cODk4QMG0VIT/6PVrzrQlKz0EvkRnfOC9Xf2bBolWmKcnkw5V8BXZGh+kcRdxCwdNBNdTDHeJustlHaPdo86k2OzVu8Cbpll5iIAlJ034aFESEZrmyruYZ2Vcbh7fI9++gIVk7GiuSXk9bKn7HQAs3RcjcyiJ/x77IF2t7YQGpgpCggyJN17ufMqD11TyjLLRZzzpCmcv+OOQdORCTE+x+9AfePTNVd/G6fRLjWMGPd9LSstsNDkxgeYGWL00LlzzzRqTztMrRZOfa3miM92+G+tPRqHCjlP1tkzkKgpWpCshAGBQlZmwGSUBtVOjwBCVC6V72c7c8n28FktFjRylYZHJpAPB6U1XHD0Nojb7ZHkA1lsl05j79Ht2PUHZdqCEWct8WSSxahcIOWV95kwb9Vk2oCc6lsFhIVq1L2+ZR4O65D/JgljFLpyUPYNMKyfW7ZxNWC0Eb2GUqAKqyOIKyH5dZA/vpwJwoD6GHX/oZM9H3eg0NSr+mBUL3FRxDLa2TU8emHH5goxTw6wUaIhVndsYGPnhn/gPPsGaO+naTAq3uR1MLf6ednVn2GUNJdm1gdvXq9Q4woWO52CBGFVFuaSHsaWeN9t3kAq27ba071PJ/4uEpYRWZb7Iyt3BFgJbe8TZyO2+PfLaK5+ydDMAwJQLwmIpAk7Q86i0jkoEIPF0ZegH871UJALT6Jqf03dkYgPTlIgbb/EmyB0VSmkj7EGPxdBaCpz7dvdKlhmnPqA8rdarS/VFAjTJw0BOnNDPD4a3klQujqDEzv83RwkPj2ZCA1axfjGjvMacAF1e76Vesp9cOLmo6e4TU1BcC0vZ89tfVsxkZiAs/E2RWmTpgfklmv0dPzOkd2Eht+9oc1/mg0kUC1ipofKNYz4VacLmVYAe/gY8bC/wwcaM2mYjue10voUQPrleUHf4F5rlplHwfnJa88snh25EGAC8OqBoY+nmx6qq1ZCcugJaFW7ewh2oMfROlzYljScUk31C15vuLNTw/XcfbC1UwiuAZNsHCM6H99MycVDyYG5RffqK/LqQ2l/9ORE7YTZU9bwT836bTW8SkUfLdH+cDScuUamK9JYoyiTXlj/9GovywPgQ6AaE6z2CUKe+BZejwT5kNM/C+D/EK8WYOTVzWtE9mIdrgPfKNx80a6rOYIhtfb3YfvjLS4BD3sDPEPdl6U6koeyS0cDaVfAuAUrHiofXlxijyZ5XBxAAjzUFoZuCkg3AL209bcXiuW08ePn+XzVae0mDFoB3bJGKovDaE8dw0U3annk2kG/mHxjxPYbeYRB+
UgVsxG9j2Pc9i9SiExJLj/HHyt5gfBH2Q2lISEmKEEkGtoh5Z40hcYnzgl6RzMtJYenSXmeQ3UOB2TRUNwRgYZfc3+hTHoqINBE5wK7vD/19HIJGLRmYwn8hnGf6p/gXxSmWum7t1wxuoawqWp3To3eF/OjX2MH/REwHQJHCo9PDPIZjBRWz1D8TopWi+v00C04+T8hqpD1H8QuNpdNKAYEEh1BjjW00aqNCQ+9JPfglN8+PwY7YtgGP15hkDNXZxDfb6RhIo6gw6wgwgTXz7N1VuTk7OEtB9OGrPL6KKOFoM6wg44qbSUZXnTY6ZezynUaqtYnlGVgCQGH6WyDfFdBYcyy6XXiztRinBMIG+b87Z0ucI5sGVvniMhCqOeLybaOKY+lSHL/cfZGJNU0tQaN0kRx5R69NWDN7mNyJqND4Y88aJs2mY62XJiaaSYCtuKezCgnvfebr8e+kleniI0hemGI1D3cMOcLMezgEYtobKKLzxg9YzZUxwcgvB7riS8ljcYSTwY15gVOnVfGBxMpjYojnaY5THtC4hiT97A3P/tn6nGFcO0quWATQ28Ef1bgjD08rScIcWgnq40uN1bgtsvPZDaxr4sCGSrNQEO7JO85Ed+bEWiu1/1giaNhsMP56ezwF9VsL4E0zvwPXI3zidfPfKDdJc1QvZGZPTfDJx2XJWSRrtAtYtYPyLUVq//lqIgn+N4Gw7R1gl9BM9iHPt09Nni5Nn3BWHxc9ELp3K0oAVaLcfEVxLQdCI3OvXHIOHxh3U07XsJlp4TuT1tu9gYBsDy6gcrX7ybJAk,iv:rbE1gehD5XO8z8OZ2pzZgGKXb//IP9VkeqLWVYazENw=,tag:0g/VRRFexQDWSkKBoD+b9Q==,type:str]", + "client_email": "ENC[AES256_GCM,data:F7CrAz9fxWpAfIgxzUtHuw4eWMh08MpcKpoLVW6WygRQEbqO6WQIxBzyrU1goMhA,iv:9FXvjHt2hy6spkWfyOQr1m67cWd6vChV+8vg5Frd7XI=,tag:MjptTtfiWHKoiVhB3dC9dA==,type:str]", + "client_id": "ENC[AES256_GCM,data:NFrWfX2TNO9AKzPOYHyM1AIX50eo,iv:lLV/e9tj/ba0KvxOMAYLWv3RyYU9n97ku2GHCCkgED8=,tag:H7k/cQqLJBNOaXnPCv4JfA==,type:str]", + "auth_uri": "ENC[AES256_GCM,data:K85ELixk7QPpuqhjNTG4QIYUbz5yyKy3qXfarTxO650S77SJWXHsYR8=,iv:vt2GJ7cwKJyY/7XDiCZdX51ZBY3nb7g9miHmmfabriY=,tag:HB8xc5oeEc1JCnqIa1eZYg==,type:str]", + "token_uri": "ENC[AES256_GCM,data:kaKX9Zx/DU0rqFWeyoVEpghkCjqOmTjifSgg0NU4ESdI5Ss=,iv:Rp5NJKCRDdxbw8xmp0gcy+CnilVE6YeookI3criH/mE=,tag:729lX9HQpeyUdg4C1AQAPw==,type:str]", + "auth_provider_x509_cert_url": "ENC[AES256_GCM,data:2tTSvbO8RUjv1cUwIg3/JTZcHIVKt+Ki4tyPRxvMwj46YeRkeE+ZC0/p,iv:9ci+AYYmjPq7hfIFPuilgUtxks/9ypIgU4+PXvwfSzM=,tag:AsGU//l4WbQX85/NV1L5dA==,type:str]", + "client_x509_cert_url": 
"ENC[AES256_GCM,data:uAvNlbSLjImhE93+Z6NuIRdfVVGbmvwf9cFD5N7y9Ln79W7Oa6Mi3lUgyzbmuk5T3j9W+u2SONcKMRiyekyXXsBEOWlJP5OHYb3x0jfO0dIy4+eWXxkkkfFgz6CNX7Z6xZJ+kg==,iv:PUC1h4esq7Bf6594yhV/CMHxFlbXbh48Y2RIJOVwUaQ=,tag:YBJjzkvNe9I4xUGZEYCQ5w==,type:str]", + "sops": { + "kms": null, + "gcp_kms": [ + { + "resource_id": "projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops", + "created_at": "2021-04-09T20:37:56Z", + "enc": "CiQA67O9AJiRNfloqVj5a7vZOpd6u0guaOQw8jj6EQhNSo6WNY0SSQDmhpq8262T34fGwV/BFo5FV/8s5kyPq3+1UG4orX22ASsKhzXJiOUxc5BqF8oVkMXgkjsR5saTuBI1tqpVbwfin8vspFa2JDo=" + } + ], + "azure_kv": null, + "hc_vault": null, + "age": null, + "lastmodified": "2021-04-09T20:37:57Z", + "mac": "ENC[AES256_GCM,data:RCfor+HF2+DT4GWZ3dooDb9hhR7FWMmYJ9e6SRdXQcG25eIU9Jo5H+OdvRJVj4d5slljcjeIGadgODgvdfLD+rqq2RGTqp/cZJ1qlpdIec2y+6AHt0mqM7lHLw/qLs/5Cx/MMmSGk4BrIvGlK22ciixP660JV34mdSJuG/4As3Q=,iv:nl6FLf43mKK6MSQKEkHxeHoTuqwYEm0ZNwFNj0b+pCA=,tag:ZJQvL+MAuM11C1oTS2hLpw==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.0" + } +} \ No newline at end of file diff --git a/deployments/nature/secrets/prod.yaml b/deployments/nature/secrets/prod.yaml new file mode 100644 index 000000000..f88216a6b --- /dev/null +++ b/deployments/nature/secrets/prod.yaml 
@@ -0,0 +1,21 @@ +jupyterhub: + hub: + config: + CanvasOAuthenticator: + client_id: ENC[AES256_GCM,data:/VedfPLyL+Rj3gciMxQ5H84=,iv:WZsC/06SEfEEeH4/NY+txGypgP/lShrJLc8DVXS7tco=,tag:kdZCzktRscuCYz4nRlkxTA==,type:str] + client_secret: ENC[AES256_GCM,data:EqzXDvAIMyGeTnGjUDOg6X6XqSwDmogtz/HXhc2LNYMhoSgg8PSUqvEFNUNG6w59tkRXPerBR6PyOuG31ftYXQ==,iv:D/rf3aWams6O2NcmdjFYxEVV5dQoWv3ubZ1kTN5KMO8=,tag:/LLaEHP/RB17Td0UW1I2bQ==,type:str] + oauth_callback_url: ENC[AES256_GCM,data:53XmEOsjx6DttwhKUhSJYXwym9I8kuJd3p6GTIiV9b+f11dfADdqD75L6tmrvtnglopDVh/g,iv:8qtAR/o0WuOMvLa4UKhr0JOwJv+bFExzJT0ikPFgP4g=,tag:1BmSfQ/o7H66ATjdIWHFvw==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops + created_at: "2021-05-05T10:57:58Z" + enc: CiQA67O9AK2027WGYGTzywa01Cz+Ez7sOTk/d9payovyK5pg8g4SSADmhpq89bbIWFjlGg79o/iupJ4anLU5Ab9VL+qNzhu6e83JtJ7wSv6sK+cDiEfVSaKQ1YIcadDXFt4WUKRt7MFvAa1sLqp2LA== + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-08-30T18:15:24Z" + mac: ENC[AES256_GCM,data:hRMon9bg/+czXTjqV5bsZGYddmFjkZRIVkHq1xGg3mD04Vam1E13wqyZcWyj6lK35bkSiEJ7mhvwZzL4rzX+Nxej/Hg5IhlBD8xrIrWtqWg+7cA9OFC/xHUuYixIC7wQgiVxshUoZmVOk7pEbfJvQ3ogEAHhSovhv2Q82CDtqIQ=,iv:rnQXOoQH9x/oh6/qvxdKvFBrn9fPLWVkIotDzeuf+Fc=,tag:M0dRaAqO8r9/d3rxDHzS9w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/deployments/nature/secrets/staging.yaml b/deployments/nature/secrets/staging.yaml new file mode 100644 index 000000000..f50b0b804 --- /dev/null +++ b/deployments/nature/secrets/staging.yaml 
@@ -0,0 +1,21 @@ +jupyterhub: + hub: + config: + CanvasOAuthenticator: + client_id: ENC[AES256_GCM,data:G0+pIvyOsh+Zj4ZxddKbON4=,iv:iX8jMrXcJvjBi0GKRtuN886bXWFwBfCsaUoH+HRMn6U=,tag:BsyGAveKrd8TvWMuUlw3kw==,type:str] + client_secret: ENC[AES256_GCM,data:6mR3zs4jvkVuVwjut56tuW3HIOHcYWRSIJJZiOeC+H82tqgZeuVEe7+/zMxq6J0ba5RMas9npep4svuL+TppcA==,iv:K6/MFusdxnLkrEA5LaXLO8mFm1Xa4U2OmxUBOLqdpJk=,tag:xweE4+/ZCIcXj9CtbFpUSw==,type:str] + oauth_callback_url: ENC[AES256_GCM,data:WCMlCx1a3JLn7HvmOKSkQUoZwKvnJtvn31srm2/+uh3Bmj15aH9575l5ZjL7ZB9ncAiYQeZtFdjODMBAz9A=,iv:I04Gv5SLv4Z0lG2PfbXjNJ7m36wRMkDhgvoRiGmGewM=,tag:jLrSQif6oidL5nCKwGyNwA==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/ucb-datahub-2018/locations/global/keyRings/datahub/cryptoKeys/sops + created_at: "2021-05-05T10:57:58Z" + enc: CiQA67O9ALEiz+lgnWQQgjT08Fx2+SUNdWEA2MqdIoEl0Ett3zASSQDmhpq85T+08Rtt/sqeMktjA6t8rCVH8soCR/sNJwDHgXabOipn/od+64D/L+aggCaXqJ433twByk0+YUJAe5z733oW/3J53eU= + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-08-30T18:14:58Z" + mac: ENC[AES256_GCM,data:MzwYjNtvSq0Xpab4J4Jv1ZzrODG+gIFJqfE85lYuTG7Kb2sDqppz2XIDoVRvo0OB0wWbcujwvNEbtMwjccVPtAhKvE6D8GVsByQ/W+2KgML/ctZiggvmuMU3WSiZoZ5YB+LCEZWEjLJo9OkiSacL/es8XGFSVLBi0NF7HaldGMI=,iv:J6SxdxqzEsmPB36KCeKNXOIjcGVbaXeh5MDxKNHHDV8=,tag:+DhOfJofu6R23SZPVWXNqA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.0 diff --git a/docs/admins/howto/new-hub.qmd b/docs/admins/howto/new-hub.qmd index 3554547fd..727362a24 100644 --- a/docs/admins/howto/new-hub.qmd +++ b/docs/admins/howto/new-hub.qmd @@ -142,7 +142,7 @@ You can run the following command in gcloud terminal to log in to the NFS utility VM: ```bash -gcloud compute ssh nfsserver-01 --zone=us-central1-b +gcloud compute ssh nfsserver-01 --zone=us-central1-b --tunnel-through-iap ``` Alternatively, launch console.cloud.google.com > Select *ucb-datahub-2018* as 
@@ -232,7 +232,7 @@ secrets for these are provided by the cookiecutter template, however the new hubs need to be added to the authorized callback list maintained in bcourses. -1. Use `sops` to edit `secrets/dev.yaml` and `secrets/prod.yaml`, replacing the +1. Use `sops` to edit `secrets/staging.yaml` and `secrets/prod.yaml`, replacing the cookiecutter hub_name. `cookiecutter` can't do this for you since the values are encrypted. @@ -242,6 +242,8 @@ bcourses. 3. Add `.datahub.berkeley.edu/hub/oauth_callback` to the production hub client (id 10720000000000472) +4. Copy gcr-key.json and gke-key.json from any other hub's secrets to the hub's secrets/ + Please reach out to Jonathan Felder to set this up, or if he is not available. @@ -288,10 +290,15 @@ sections of the CircleCI configuration file: ``` Review hubploy.yaml file inside your project directory and update the -image name to the latest image. Something like this, +images section. Example from a11y hub: ``` yaml -image_name: us-central1-docker.pkg.dev/ucb-datahub-2018/user-images/a11y-user-image +images: + images: + - name: us-central1-docker.pkg.dev/ucb-datahub-2018/user-images/a11y-user-image + path: image/ + repo2docker: + base_image: docker.io/library/buildpack-deps:jammy ``` ### Add hub to the github labeler workflow diff --git a/node-placeholder/values.yaml b/node-placeholder/values.yaml index fb8d0ed88..7c1e77daf 100644 --- a/node-placeholder/values.yaml +++ b/node-placeholder/values.yaml @@ -168,6 +168,14 @@ nodePools: # Some value slightly lower than allocatable RAM on the nodepool memory: 60929654784 replicas: 1 + nature: + nodeSelector: + hub.jupyter.org/pool-name: nature-pool + resources: + requests: + # Some value slightly lower than allocatable RAM on the nodepool + memory: 60929654784 + replicas: 1 publichealth: nodeSelector: hub.jupyter.org/pool-name: publichealth-pool