Add hub config for geospatial workshop

[sgibson91]

This PR adds a config file to deploy a hub for the Geospatial Workshop being held in Ghana later this month.

Done:

• Deploys a daskhub
• Uses Google authentication
• list of admins
• user limits for dask
• URL setup in NameCheap

Needs:

• Review and merge

related to: #473

[sgibson91]

I have pushed a commit with folks gmail account for admin access (mostly copy-pasted from configs on the 2i2c cluster). If your email is not there and you'd like it to be, please feel free to add it!

[sgibson91]

I have tried to set some limits for singleuser and dask gateway by borrowing config from pangeo:

• singleuser: https://github.com/pangeo-data/pangeo-cloud-federation/blob/d4f868e4d5c1ea92675facdabff86d49f31c7253/pangeo-deploy/values.yaml#L19-L25
• dask gateway: https://github.com/pangeo-data/pangeo-cloud-federation/blob/e0b8afdd5571a8a1e68b4b7a33b789703a97ac7f/deployments/icesat2/config/common.yaml#L149-L154

Would love to know if I'm on the right lines with this in terms of (i) is this correct config? (ii) will it achieve Paige's desires in #473 (comment)?

[sgibson91]

In order to set the URL/DNS stuff, I tried deploying the hub with proxy.https.enabled = false using the deployer locally, but ran into the following error

auth0.v3.exceptions.Auth0Error: 403: You reached the limit of entities of this type for this tenant.

https://auth0.com/docs/policies/entity-limit-policy?_gl=1*1ulg0hl*rollup_ga*ODY5Njk2MDcyLjE2MjM4NTg3NDc.*rollup_ga_F1G3E656YZ*MTYyNjM1NjE4Ny4zLjEuMTYyNjM1NjE5OS40OA

This is a bug in creating duplicate auth0 apps. Issue filed: #519

[sgibson91]

I'm having trouble with the NFS server for deployment.

• I created a VM on pangeo-181919 like the nfs-server-01 VM under two-eye-two-see
• On that VM, I created /etc/exports and wrote /export/home-01 10.0.0.0/8(all_squash,anonuid=1000,anongid=1000,no_subtree_check,rw,sync) to it

However, the nfs-share-creator is still in ContainerCreating mode with FailedMount events for the volume "home-base". I'm not sure what to do next 😕

[damianavila]

Would love to know if I'm on the right lines with this in terms of (i) is this correct config? (ii) will it achieve Paige's desires in #473 (comment)?

I think you are going in the right direction, but I am not a Dask guy 😉
@yuvipanda, do you know if the options that are available here: https://github.com/2i2c-org/pilot-hubs/blob/master/hub-templates/daskhub/values.yaml#L183 are somehow "enforced/restricted" by the limits @sgibson91 wants to use in the config file?

I'm having trouble with the NFS server for deployment.

IIRC, @yuvipanda had some issues in the past related to an "insecure" flag

NFS server was again set up manually, and needed the insecure
flag - even though other hubs are setup the same way and didn't
need this. NFS situation needs to be sorted.

Not sure if that is relevant here... but I just remembered it 😛 !

[sgibson91]

I think a lot of this is that I'm totally new to setting up NFS servers! I've just managed to work out that it helps to have the NFS packages installed on the VM! 😝

[sgibson91]

I have been playing around and the hub is definitely not happy. The hub is not reachable by it's external IP or the URL http://coessing.pangeo.2i2c.cloud

Main error statement from tests is below (annoyingly, including the truncation 😞 )

FAILED deployer/tests/test_hub_health.py::test_hub_healthy - aiohttp.client_exceptions.ClientConnectorError: Cannot connect to host coessing.pangeo.2i2c.cloud:443 ssl:default [Connect call f...

[damianavila]

The hub is not reachable by it's external IP or the URL http://coessing.pangeo.2i2c.cloud

I just tried that URL and I was able to, at least, reach it...

[sgibson91]

Thanks @damianavila! I should be more patient with DNS things 😆 I will come back to this today

[sgibson91]

Ha, this was 💯 me not being patient enough with DNS stuff! Hub check now passes and I can log in! 🎉

[damianavila]

Quick general question, we usually have staging and prod hubs on each cluster we create, ie. https://github.com/2i2c-org/pilot-hubs/blob/master/config/hubs/meom-ige.cluster.yaml
I am only seeing one hub in this config, is that intended?

[sgibson91]

Quick general question, we usually have staging and prod hubs on each cluster we create, ie. https://github.com/2i2c-org/pilot-hubs/blob/master/config/hubs/meom-ige.cluster.yaml
I am only seeing one hub in this config, is that intended?

Yeah. I guess because I'm envisioning both this hub being brought down after the workshop, and the cluster it's on being destroyed once the appropriate constraints have been lifted/amended on the new Pangeo account.

[choldgraf]

This looks good to me! I'll defer to @damianavila to make sure that his questions are resolved!

[choldgraf]

is it a problem that I can see the text for all of these? Or are they properly encoded? :-)

[sgibson91]

They are encoded as prefaced by the ENC part of the value. Compare, for example, with the key for the 2i2c cluster: https://github.com/2i2c-org/pilot-hubs/blob/master/secrets/2i2c.json I think what makes sops a little more clever than, say, git-crypt is that it encrypts the actual values, not just the whole file. So you can visually check the structure is as expected without also needing to see the secret part.

[damianavila]

I have one remaining question but I will open a new issue to follow up on that discussion.
AFAIK, this one is already deployed and working.
LGTM.

[sgibson91]

Ok, this is all up-to-date now, I'm gonna merge!

[choldgraf]

🚀🚀🚀