New AWS cluster setup for smithsonian

2i2c-org · Apr 12, 2023 · d68b2f9 · d68b2f9
1 parent d3f18c2
commit d68b2f9
Show file tree

Hide file tree

Showing 15 changed files with 511 additions and 0 deletions.
diff --git a/.github/workflows/deploy-hubs.yaml b/.github/workflows/deploy-hubs.yaml
@@ -169,6 +169,7 @@ jobs:
       failure_nasa-veda: "${{ env.failure_nasa-veda }}"
       failure_qcl: "${{ env.failure_qcl }}"
       failure_jupyter-meets-the-earth: "${{ env.failure_jupyter-meets-the-earth }}"
+      failure_smithsonian: "${{ env.failure_smithsonian }}"
 
     # Only run this job on pushes to the default branch and when the job output is not
     # an empty list

diff --git a/config/clusters/smithsonian/cluster.yaml b/config/clusters/smithsonian/cluster.yaml
@@ -0,0 +1,28 @@
+name: smithsonian
+provider: aws # https://2i2c.awsapps.com/start#/
+aws:
+  key: enc-deployer-credentials.secret.json
+  clusterType: eks
+  clusterName: smithsonian
+  region: us-east-2
+support:
+  helm_chart_values_files:
+    - support.values.yaml
+    - enc-support.secret.values.yaml
+hubs:
+  - name: staging
+    display_name: Smithsonian (staging)
+    domain: staging.smithsonian.2i2c.cloud
+    helm_chart: daskhub
+    helm_chart_values_files:
+      - common.values.yaml
+      - staging.values.yaml
+      - enc-staging.secret.values.yaml
+  - name: prod
+    display_name: Smithsonian
+    domain: smithsonian.2i2c.cloud
+    helm_chart: daskhub
+    helm_chart_values_files:
+      - common.values.yaml
+      - prod.values.yaml
+      - enc-prod.secret.values.yaml
diff --git a/config/clusters/smithsonian/common.values.yaml b/config/clusters/smithsonian/common.values.yaml
@@ -0,0 +1,121 @@
+basehub:
+  nfs:
+    pv:
+      # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+      mountOptions:
+        - rsize=1048576
+        - wsize=1048576
+        - timeo=600
+        - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+        - retrans=2
+        - noresvport
+      serverIP: fs-0ba20c6122f4a7236.efs.us-east-2.amazonaws.com
+      baseShareName: /
+
+  jupyterhub:
+    custom:
+      2i2c:
+        add_staff_user_ids_to_admin_users: true
+        add_staff_user_ids_of_type: "github"
+      homepage:
+        templateVars:
+          org:
+            name: Smithsonian
+            logo_url: https://logo.si.edu/wp-content/uploads/2018/07/logo_primary.svg
+            url: https://www.si.edu/
+          designed_by:
+            name: 2i2c
+            url: https://2i2c.org
+          operated_by:
+            name: 2i2c
+            url: https://2i2c.org
+          funded_by:
+            name: Smithsonian
+            url: https://www.si.edu/
+
+    hub:
+      config:
+        Authenticator:
+          allowed_users: &users
+            - MikeTrizna # Mike Trizna
+            - rdikow # Rebecca Dikow
+            - aewhite100 # Alex White
+          admin_users: *users
+
+    scheduling:
+      userScheduler:
+        enabled: true
+
+    singleuser:
+      image:
+        # Pending information about what image to use in
+        # https://github.com/2i2c-org/infrastructure/issues/2323, the
+        # pangeo/pangeo-notebook image was setup initially as it includes recent
+        # versions of dask/distributed which is relevant for a use with
+        # dask-gateway.
+        #
+        # image source:    https://github.com/pangeo-data/pangeo-docker-images
+        # image published: https://quay.io/repository/pangeo/pangeo-notebook?tab=tags
+        #
+        name: quay.io/pangeo/pangeo-notebook
+        tag: "2023.02.27"
+      profileList:
+        # NOTE: About node sharing
+        #
+        #       CPU/Memory requests/limits are actively considered still. This
+        #       profile list is setup to involve node sharing as considered in
+        #       https://github.com/2i2c-org/infrastructure/issues/2121.
+        #
+        #       - Memory requests are different from the description, based on:
+        #         whats found to remain allocate in k8s, subtracting 1GiB
+        #         overhead for misc system pods, and transitioning from GB in
+        #         description to GiB in mem_guarantee.
+        #       - CPU requests are lower than the description, with a factor of
+        #         10%.
+        #
+        - display_name: "Small: up to 4 CPU / 32 GB RAM"
+          description: &profile_list_description "Start a container with at least a chosen share of capacity on a node of this type"
+          slug: small
+          default: true
+          profile_options:
+            requests:
+              # NOTE: Node share choices are in active development, see comment
+              #       next to profileList: above.
+              display_name: Node share
+              choices:
+                mem_1:
+                  default: true
+                  display_name: ~1 GB, ~0.125 CPU
+                  kubespawner_override:
+                    mem_guarantee: 0.904G
+                    cpu_guarantee: 0.013
+                mem_2:
+                  display_name: ~2 GB, ~0.25 CPU
+                  kubespawner_override:
+                    mem_guarantee: 1.809G
+                    cpu_guarantee: 0.025
+                mem_4:
+                  display_name: ~4 GB, ~0.5 CPU
+                  kubespawner_override:
+                    mem_guarantee: 3.617G
+                    cpu_guarantee: 0.05
+                mem_8:
+                  display_name: ~8 GB, ~1.0 CPU
+                  kubespawner_override:
+                    mem_guarantee: 7.234G
+                    cpu_guarantee: 0.1
+                mem_16:
+                  display_name: ~16 GB, ~2.0 CPU
+                  kubespawner_override:
+                    mem_guarantee: 14.469G
+                    cpu_guarantee: 0.2
+                mem_32:
+                  display_name: ~32 GB, ~4.0 CPU
+                  kubespawner_override:
+                    mem_guarantee: 28.937G
+                    cpu_guarantee: 0.4
+          kubespawner_override:
+            cpu_limit: null
+            mem_limit: null
+            node_selector:
+              node.kubernetes.io/instance-type: r5.xlarge
diff --git a/config/clusters/smithsonian/enc-deployer-credentials.secret.json b/config/clusters/smithsonian/enc-deployer-credentials.secret.json
@@ -0,0 +1,25 @@
+{
+	"AccessKey": {
+		"AccessKeyId": "ENC[AES256_GCM,data:18YDUfZww08/szYBqCgkvmGb1HI=,iv:KTelZifpurHQWFtvT/sup8614BFx1m4Wq4RRmCtpTYw=,tag:POqjEanU96LC9Y8BVoqhhg==,type:str]",
+		"SecretAccessKey": "ENC[AES256_GCM,data:yOdd/Fy0npMt7xiJ4nRojMnOC2vX1AwQRoKkW/23ZINrKhZX+kZQvg==,iv:fD7PszhbzOUT9rOoPhG+VCDPkoXePf8rIoHcJ7hAj48=,tag:y8jIJQSjWtvd58ldSJzOqg==,type:str]",
+		"UserName": "ENC[AES256_GCM,data:vyGTGuoIDbL/n8ACYCcT2/lWkbXINqk=,iv:971bYN1eQKQ+u7mBrugRaPdBJWPsGeyh9GoIiJpxz08=,tag:498ssUF/MdlV3/BAmcTEzg==,type:str]"
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2023-04-12T14:15:15Z",
+				"enc": "CiUA4OM7ePr1xkbdaR8QQIbNJepW3RVZ1xeHEXAD0nkNA5j2p9lzEkkALQgViN2gy//oKCkVBkmn+SS8YJLnP6/si7ZpN3/iLVkWQnuvCLiY8z5z6Ax90aE377vqg2rq5yH4HGw5p3HsXKuCOQ90WMY9"
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2023-04-12T14:15:15Z",
+		"mac": "ENC[AES256_GCM,data:Rfpgf4YqfC+ysDjkg3+4TIur0SwDYa53m5yJrmkq5H4FkxmyShO3g2y1lDHjsvA3iVSsqiSr+gdzphl8BKBc57awe6lKfLSzj4+GiND/6whKg/O6Hu+X/ItUecY0LTmY7Valvw/eTnjgLKdFYgYTWOiF82qxu3huJWfuDMbmqJc=,iv:YtMB6lLYuxG4cz8K6VkcnMNi1SR+MkMXESS5aJnPKpw=,tag:2asDpNML/WterWMgadAhIg==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.2"
+	}
+}
diff --git a/config/clusters/smithsonian/enc-grafana-token.secret.yaml b/config/clusters/smithsonian/enc-grafana-token.secret.yaml
@@ -0,0 +1,15 @@
+grafana_token: ENC[AES256_GCM,data:P8TRLJP0yPIiCNHQ5Ucg0mfOf0QQngZLWI01RN7sGU72T6j3XOMncfeMxEM9hA==,iv:bypdfN2NCFXPwFxXuzxsFi5uVgluJk99v3QXdEIB8FE=,tag:s9nL7rlLtgncTU9+M6Mm5w==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-04-12T15:07:49Z"
+          enc: CiUA4OM7eNbotNIlYlAvr98lut5KmeOpiXr7hYPE0sEdHEwAzBMoEkkALQgViPbgV3x3apboiOkHki4gKKCEMhuwxiCvfpDg4cHWsCOey8sF+F0W3gVem1aZuW19yjPMNy3NrvSb2NNrXgatO/7eVFgr
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-12T15:07:49Z"
+    mac: ENC[AES256_GCM,data:J4VwOq/MkIebyLxe9ZpNYBn/PDFW1zV45sWpvIU8AevPrdT9U7WQO5XrVoc4zfy1b8VZ7BhI6jcyhlSb0wWhGbvnyCXDrx4Tuluql0glgaywFgBxXaLv3M51RfAfWMkZMHMbZd3ErYYJixf2fvf3CF4hp44G7jk1NHLn6/Tkqho=,iv:5LbDpb8x60IWWh9TI0HoslT/PFywhgEQbiA2rYA6Wwc=,tag:SVuB8Qn/bNfZ74oDsshhgw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2
diff --git a/config/clusters/smithsonian/enc-prod.secret.values.yaml b/config/clusters/smithsonian/enc-prod.secret.values.yaml
@@ -0,0 +1,21 @@
+basehub:
+    jupyterhub:
+        hub:
+            config:
+                CILogonOAuthenticator:
+                    client_id: ENC[AES256_GCM,data:vv+2ARjJ9A5cem3XWvdDF0ov9Ip8tAQ2t6a7KR2Kg5UpATBKyWtFK4ZtXzFfx5raRO4n,iv:0BVpcl1XBwIf4m3WJIL2elGwrKyFihYHKooLakrMsSo=,tag:eWF5exWGttRgvZPYlgenYA==,type:str]
+                    client_secret: ENC[AES256_GCM,data:sSikBmTayW8bhvR9hUt+u4eU/2kF1my/fQ2js4id213LWEU7maV/43lYyP8aWJX99yhu7sqrO9GxXedBKHU1/IJLSMeC8h3MzIHF9BAR6nhRrJhv6wM=,iv:XFKiHwXrPtEYw1KSIDH4rlV+prgOUZu5PzlMlGmEpK4=,tag:dNYI1gOZxj+MypXPO/Tq+w==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-04-12T15:43:37Z"
+          enc: CiUA4OM7eBSlg/vFf98q1Y/eo+Y9j/Jpt1Rl27bd7p2v65tCkyucEkkALQgViG2N5gHvbg2NNbtP0nX7iDZC7VMO11dSnXhbPCtz1+CULpI5Q79fxdM0V32Ntc6ZWgptj5UsKMtKdkifGHzzoqxpND3d
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-12T15:43:38Z"
+    mac: ENC[AES256_GCM,data:ThOqtGePR4cLv3r/CjPxyP2/djbzEjwq+gZsCRMbGz6pl1udspOeIMZURoredCJze+TrjT4ZFRScQkHBH/WI70hgfvBRuAryAzHcWgfw5JahKrIPwX7RPO8UFy1BVMht+L3W5kT2esZ5pnRZOowGobLF5gxdemzFKkR+stmLnr0=,iv:pPQFjwctpKKoEjlokqhDJSRkkeqDM/FhdCWLwXyHePM=,tag:ZMuKlAXKOQ1o8+/fGkVmMw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2
diff --git a/config/clusters/smithsonian/enc-staging.secret.values.yaml b/config/clusters/smithsonian/enc-staging.secret.values.yaml
@@ -0,0 +1,21 @@
+basehub:
+    jupyterhub:
+        hub:
+            config:
+                CILogonOAuthenticator:
+                    client_id: ENC[AES256_GCM,data:mnzrrn9kwqC5Kqo/3wqgNsz5hjK2bUNR3Q85S2MAgGvr/MJtEjAHP2EuydL70uCzAB5Y,iv:ofnNpD2IpZFlQAjtFF8O2P9skHUJmf5xGKC0M7byxKM=,tag:uOsj/Awo2hsOveNnpzhWtg==,type:str]
+                    client_secret: ENC[AES256_GCM,data:1ICpI+sDlRPwavAApssgU0iWMxt2pwM5G07cOWapqhfbeFPfkXdQa6lnyxBrCVQf5el0g8lWrJdvSd6L0tdof1GXKj+kTeG/zqtrFMrY20h/FnqGMiU=,iv:lDvn7rwAvABY8BNLg/nBT7BDrUQ5nSCdpCpFFGe3FBs=,tag:iuFoRsEWntQ9psjd7WMSOQ==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-04-12T15:43:24Z"
+          enc: CiUA4OM7eNGxg8BtoEROsvimgkei5V6LuQA2eT+jk4BAcHVu+boEEkkALQgViDc6QuC5J12PhTzhkp4l6bgS3VbZoNWWQgrwzBKFPwPgBIw5keYo45Toi5reoSkuzH2hZqXo3kugwPr14HReHSTLiiaP
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-12T15:43:24Z"
+    mac: ENC[AES256_GCM,data:ZgaXHm55iYT9yA33LoYOzwhOCUuRvumt6ATmi/OjvlLZH6jNqY4FQXIpuv2gD6qKyZAYIwgCXwuxvTgZzhyzQZjMlBjS2qeHYEG8wKax0TWP9lRUkHQYG4XvNzUTxTl3i7yuRbSN5iEXym0WGMKVnDoqiGNdgW2fU1U6wQIy7WU=,iv:VvO7AjemmNNmDSiXK5VNuPlWOx15KwlvrIr2iJx1n9c=,tag:sQHNvaqYfVdrcK9kVK3GHQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2
diff --git a/config/clusters/smithsonian/enc-support.secret.values.yaml b/config/clusters/smithsonian/enc-support.secret.values.yaml
@@ -0,0 +1,17 @@
+prometheusIngressAuthSecret:
+    username: ENC[AES256_GCM,data:DOo8O46jffTMvRAZtzZF68JxsI5aDTvMGpZHkstct+06VCvbii2JE8bay8YKP3Hsw7I5P99I/+Iyh1u2DLNhoA==,iv:uBLeh7fC2kH7GhHmO5PdriuyNXBOSLKnxnUHpPI5bsM=,tag:ikZnMjhdXeluJxNFRIeeRg==,type:str]
+    password: ENC[AES256_GCM,data:n/8FMY0aU8CQ06OLNqNBqzInDZ2wkqTweZfk1ejglTu+TEZtC1EFkbwG6qn4sdYwsc8YmwpldObUxBXEP1sQvQ==,iv:oonkGSKiE3bhO5M6gf47Cv0YZ+zavIbKgkowr0s8v20=,tag:/Yut+kDyzSJVxXHpvNvUfA==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-04-12T15:12:22Z"
+          enc: CiUA4OM7eF6xWyTlK5DXrP2QbtcRPoeIrK3qmTBCVHS6fAUr/iK1EkkALQgViGSMk7XIHccCcQdddqAlIgRTgkOCr6PPEzQt616bh2DH+4G1renMzx3enbTZW2XUvnHjn/IA1vsIBFLFt+i0Kt/GWNWx
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-04-12T15:12:22Z"
+    mac: ENC[AES256_GCM,data:RkxBHOjYlZRgZr26G19UZlrbXStxK/jT5oM7MZKHKjgNA1+e+7mSyjgJkPJaUsYPvfjFQeY3RlCYd1jhBNkxATjYuQ0QW80nlg/Wta1Wl3ME4csboa5s6Vh9YX7FO2ULHQZBMkPZpUY5KSPeegTh/8FVbPPqRMGy6+CEEuCQsv4=,iv:Jm3UAAQN9xRfMppHOPcEd/rdMt+QF9AhMAh0JNxhgx0=,tag:C3ki+wMTzq4EheGPQCQVeQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.2
diff --git a/config/clusters/smithsonian/prod.values.yaml b/config/clusters/smithsonian/prod.values.yaml
@@ -0,0 +1,22 @@
+basehub:
+  jupyterhub:
+    ingress:
+      hosts: [smithsonian.2i2c.cloud]
+      tls:
+        - hosts: [smithsonian.2i2c.cloud]
+          secretName: https-auto-tls
+    proxy:
+      https:
+        hosts: [smithsonian.2i2c.cloud]
+    hub:
+      config:
+        JupyterHub:
+          authenticator_class: cilogon
+        CILogonOAuthenticator:
+          scope:
+            - "profile"
+          username_claim: "preferred_username"
+          oauth_callback_url: "https://smithsonian.2i2c.cloud/hub/oauth_callback"
+          # Only show the option to login with GitHub
+          shown_idps:
+            - http://github.com/login/oauth/authorize
diff --git a/config/clusters/smithsonian/staging.values.yaml b/config/clusters/smithsonian/staging.values.yaml
@@ -0,0 +1,22 @@
+basehub:
+  jupyterhub:
+    ingress:
+      hosts: [staging.smithsonian.2i2c.cloud]
+      tls:
+        - hosts: [staging.smithsonian.2i2c.cloud]
+          secretName: https-auto-tls
+    proxy:
+      https:
+        hosts: [staging.smithsonian.2i2c.cloud]
+    hub:
+      config:
+        JupyterHub:
+          authenticator_class: cilogon
+        CILogonOAuthenticator:
+          scope:
+            - "profile"
+          username_claim: "preferred_username"
+          oauth_callback_url: "https://staging.smithsonian.2i2c.cloud/hub/oauth_callback"
+          # Only show the option to login with GitHub
+          shown_idps:
+            - http://github.com/login/oauth/authorize
diff --git a/config/clusters/smithsonian/support.values.yaml b/config/clusters/smithsonian/support.values.yaml
@@ -0,0 +1,34 @@
+cluster-autoscaler:
+  enabled: true
+  autoDiscovery:
+    clusterName: smithsonian
+  awsRegion: us-east-2
+
+prometheusIngressAuthSecret:
+  enabled: true
+
+grafana:
+  grafana.ini:
+    server:
+      root_url: https://grafana.smithsonian.2i2c.cloud/
+    auth.github:
+      enabled: true
+      allowed_organizations: 2i2c-org
+  ingress:
+    hosts:
+      - grafana.smithsonian.2i2c.cloud
+    tls:
+      - secretName: grafana-tls
+        hosts:
+          - grafana.smithsonian.2i2c.cloud
+
+prometheus:
+  server:
+    ingress:
+      enabled: true
+      hosts:
+        - prometheus.smithsonian.2i2c.cloud
+      tls:
+        - secretName: prometheus-tls
+          hosts:
+            - prometheus.smithsonian.2i2c.cloud