Add the support config and initial staging hub

Author: GeorgianaElena

config/clusters/opensci/cluster.yaml

@@ -5,4 +5,19 @@ aws:
   clusterType: eks
   clusterName: opensci
   region: us-west-2
-hubs: []
+support:
+  helm_chart_values_files:
+    - support.values.yaml
+    - enc-support.secret.values.yaml
+hubs:
+  - name: staging
+    display_name: "Opensci (staging)"
+    domain: staging.opensci.2i2c.cloud
+    helm_chart: basehub
+    helm_chart_values_files:
+      # The order in which you list files here is the order the will be passed
+      # to the helm upgrade command in, and that has meaning. Please check
+      # that you intend for these files to be applied in this order.
+      - common.values.yaml
+      - staging.values.yaml
+      - enc-staging.secret.values.yaml

config/clusters/opensci/common.values.yaml

@@ -0,0 +1,179 @@
+nfs:
+  pv:
+    # from https://docs.aws.amazon.com/efs/latest/ug/mounting-fs-nfs-mount-settings.html
+    mountOptions:
+      - rsize=1048576
+      - wsize=1048576
+      - timeo=600
+      - soft # We pick soft over hard, so NFS lockups don't lead to hung processes
+      - retrans=2
+      - noresvport
+    serverIP: fs-065fcb5bb0ad79b25.efs.us-west-2.amazonaws.com
+    baseShareName: /
+
+jupyterhub:
+  custom:
+    2i2c:
+      add_staff_user_ids_to_admin_users: true
+      add_staff_user_ids_of_type: "github"
+    jupyterhubConfigurator:
+      enabled: false
+    homepage:
+      templateVars:
+        org:
+          name: Demo image building with binderhub-service
+          url: https://2i2c.org
+          logo_url: https://2i2c.org/media/logo.png
+        designed_by:
+          name: 2i2c
+          url: https://2i2c.org
+        operated_by:
+          name: 2i2c
+          url: https://2i2c.org
+        funded_by:
+          name: ""
+          url: ""
+  singleuser:
+    profileList:
+      - display_name: "Only Profile Available, this info is not shown in the UI"
+        slug: only-choice
+        profile_options:
+          image:
+            display_name: Image
+            unlisted_choice: &profile_list_unlisted_choice
+              enabled: True
+              display_name: "Custom image"
+              validation_regex: "^.+:.+$"
+              validation_message: "Must be a publicly available docker image, of form <image-name>:<tag>"
+              display_name_in_choices: "Specify an existing docker image"
+              description_in_choices: "Use a pre-existing docker image from a public docker registry (dockerhub, quay, etc)"
+              kubespawner_override:
+                image: "{value}"
+            choices:
+              pangeo:
+                display_name: Pangeo Notebook Image
+                description: "Python image with scientific, dask and geospatial tools"
+                kubespawner_override:
+                  image: pangeo/pangeo-notebook:2023.09.11
+              geospatial:
+                display_name: Rocker Geospatial
+                description: "R image with RStudio, the tidyverse & Geospatial tools"
+                default: true
+                slug: geospatial
+                kubespawner_override:
+                  image: rocker/binder:4.3
+                  # Launch into RStudio after the user logs in
+                  default_url: /rstudio
+                  # Ensures container working dir is homedir
+                  # https://github.com/2i2c-org/infrastructure/issues/2559
+                  working_dir: /home/rstudio
+              scipy:
+                display_name: Jupyter SciPy Notebook
+                slug: scipy
+                kubespawner_override:
+                  image: jupyter/scipy-notebook:2023-06-26
+          resources:
+            display_name: Resource Allocation
+            choices:
+              mem_3_4:
+                display_name: 3.4 GB RAM, upto 3.485 CPUs
+                kubespawner_override:
+                  mem_guarantee: 3662286336
+                  mem_limit: 3662286336
+                  cpu_guarantee: 0.435625
+                  cpu_limit: 3.485
+                  node_selector:
+                    node.kubernetes.io/instance-type: n2-highmem-4
+                default: true
+              mem_6_8:
+                display_name: 6.8 GB RAM, upto 3.485 CPUs
+                kubespawner_override:
+                  mem_guarantee: 7324572672
+                  mem_limit: 7324572672
+                  cpu_guarantee: 0.87125
+                  cpu_limit: 3.485
+                  node_selector:
+                    node.kubernetes.io/instance-type: n2-highmem-4
+              mem_13_6:
+                display_name: 13.6 GB RAM, upto 3.485 CPUs
+                kubespawner_override:
+                  mem_guarantee: 14649145344
+                  mem_limit: 14649145344
+                  cpu_guarantee: 1.7425
+                  cpu_limit: 3.485
+                  node_selector:
+                    node.kubernetes.io/instance-type: n2-highmem-4
+              mem_27_3:
+                display_name: 27.3 GB RAM, upto 3.485 CPUs
+                kubespawner_override:
+                  mem_guarantee: 29298290688
+                  mem_limit: 29298290688
+                  cpu_guarantee: 3.485
+                  cpu_limit: 3.485
+                  node_selector:
+                    node.kubernetes.io/instance-type: n2-highmem-4
+  hub:
+    # Allows for multiple concurrent demos
+    allowNamedServers: true
+    services:
+      binder:
+        # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57
+        # for something more readable and requiring less copy-pasting
+        url: http://imagebuilding-demo-binderhub-service:8090
+    image:
+      name: quay.io/2i2c/dynamic-image-building-experiment
+      tag: "0.0.1-0.dev.git.7567.ha4162031"
+    config:
+      JupyterHub:
+        authenticator_class: github
+      GitHubOAuthenticator:
+        allowed_organizations:
+          - 2i2c-demo-hub-access
+          - ScienceCore
+        scope:
+          - read:org
+
+    extraConfig:
+      enable-fancy-profiles: |
+        from jupyterhub_fancy_profiles import setup_ui
+        setup_ui(c)
+
+binderhub-service:
+  nodeSelector:
+    hub.jupyter.org/node-purpose: core
+  enabled: true
+  service:
+    port: 8090
+  # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml
+  # will start a docker-api pod on a user node.
+  # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon,
+  # that will be accessible via a unix socket, mounted by the build.
+  # The docker-api pod must run on the same node as the builder pods.
+  dockerApi:
+    nodeSelector:
+      hub.jupyter.org/node-purpose: user
+    tolerations:
+      # Tolerate tainted jupyterhub user nodes
+      - key: hub.jupyter.org_dedicated
+        value: user
+        effect: NoSchedule
+      - key: hub.jupyter.org/dedicated
+        value: user
+        effect: NoSchedule
+  config:
+    BinderHub:
+      base_url: /services/binder
+      use_registry: true
+      # Re-uses the registry created for the `binderhub-staging` hub
+      # but pushes images under a different prefix
+      image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service-
+    KubernetesBuildExecutor:
+      # Get ourselves a newer repo2docker!
+      build_image: quay.io/jupyterhub/repo2docker:2023.06.0-8.gd414e99
+      node_selector:
+        # Schedule builder pods to run on user nodes only
+        hub.jupyter.org/node-purpose: user
+  # The password to the registry is stored encrypted in the hub's encrypted config file
+  buildPodsRegistryCredentials:
+    server: "https://us-central1-docker.pkg.dev"
+    username: "_json_key"

config/clusters/opensci/enc-staging.secret.values.yaml

@@ -0,0 +1,20 @@
+jupyterhub:
+    hub:
+        config:
+            GitHubOAuthenticator:
+                client_id: ENC[AES256_GCM,data:s6J6NCDKC+8DWL/G1HfeoS6LvVw=,iv:ppAQJ0Bcp4jR2RM7ZzpjKN8a+lKCAf93m8GxyoemFvY=,tag:xNT4AbtaYEilgTPtOAb+Lw==,type:str]
+                client_secret: ENC[AES256_GCM,data:690jNdjfNH8tEOmPs8vvsaU1R9Z0ooQIY/EabmqX4bU7CSF6Ho6rOQ==,iv:TXeDQdL4Bzx1Ky0fjg1tNCPhRG1lJra5KvzPkSHMYmE=,tag:m173HByyyMF0CEvt4aJBCw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2024-02-22T12:06:32Z"
+          enc: CiUA4OM7eP01v1Kyb9Ju8g3mAA1U9yPxtdOKulHLakW+cmwRyDweEkkAXoW3JodsyugXQTcoglPT5W4ElfRnz3O0EMdsoNY5DHJiaKFSa6bZUOrbePG1/9R6vA7iPS4ZX1f1kd8iyYIb05255bumCIzo
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-02-22T12:06:33Z"
+    mac: ENC[AES256_GCM,data:3SL337k6foIN/veukv1DeYRP4xmSbnhLaEKgujqbjSG2AzBZPngukdhUQ31ExO6/MqcjFpSllicHZPhjtPYcgSbxJfKRM+7zxEofeZqVtJkA3Q1N0J3JigTm483MNTc9l89Rn+JnaKej1ouBaR3O3PD6jjCAowZXpKoSgcrgxPk=,iv:dBfT1g+ZR1kwbp2rNFdekwKlTcpnt4/72ExKybqTJwo=,tag:lzCkerc3rNarGHWy3CfcrQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/opensci/staging.values.yaml

@@ -0,0 +1,17 @@
+jupyterhub:
+  ingress:
+    hosts:
+      - staging.opensci.2i2c.cloud
+    tls:
+      - secretName: https-auto-tls
+        hosts:
+          - staging.opensci.2i2c.cloud
+  hub:
+    config:
+      GitHubOAuthenticator:
+        oauth_callback_url: https://staging.opensci.2i2c.cloud/hub/oauth_callback
+    services:
+      binder:
+        # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57
+        # for something more readable and requiring less copy-pasting
+        url: https://staging.opensci-binderhub-service:8090

config/clusters/opensci/support.values.yaml

@@ -1,6 +1,12 @@
 prometheusIngressAuthSecret:
   enabled: true
 
+cluster-autoscaler:
+  enabled: true
+  autoDiscovery:
+    clusterName: opensci
+  awsRegion: us-west-2
+
 prometheus:
   server:
     ingress: