From 999a69a3e18741441ec1c4ef0784a95540f73f06 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 22 May 2024 15:04:25 +0300 Subject: [PATCH 01/24] Add initial support for a binderhub UI hub --- helm-charts/basehub/values.schema.yaml | 8 ++ helm-charts/basehub/values.yaml | 122 +++++++++++++++++++++++ terraform/gcp/projects/pilot-hubs.tfvars | 1 + 3 files changed, 131 insertions(+) diff --git a/helm-charts/basehub/values.schema.yaml b/helm-charts/basehub/values.schema.yaml index bf8fec4315..f638c04201 100644 --- a/helm-charts/basehub/values.schema.yaml +++ b/helm-charts/basehub/values.schema.yaml @@ -516,3 +516,11 @@ properties: properties: enabled: type: boolean + binderhubUI: + type: object + additionalProperties: false + required: + - enabled + properties: + enabled: + type: boolean diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 4f376ff40f..9299b1e29e 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -820,6 +820,125 @@ jupyterhub: limits: memory: 2Gi extraConfig: + # This is copy-pasted exactly from https://github.com/jupyterhub/binderhub/blob/c6c5dc8fe73f81ca538c47b420b33f317c3aa8ae/helm-chart/binderhub/values.yaml#L87 + # Should be updated every time the upstream code changes + 0-binderspawnermixin: | + """ + Helpers for creating BinderSpawners + + FIXME: + This file is defined in binderhub/binderspawner_mixin.py + and is copied to helm-chart/binderhub/values.yaml + by ci/check_embedded_chart_code.py + + The BinderHub repo is just used as the distribution mechanism for this spawner, + BinderHub itself doesn't require this code. + + Longer term options include: + - Move BinderSpawnerMixin to a separate Python package and include it in the Z2JH Hub + image + - Override the Z2JH hub with a custom image built in this repository + - Duplicate the code here and in binderhub/binderspawner_mixin.py + """ + + from tornado import web + from traitlets import Bool, Unicode + from traitlets.config import Configurable + + + class BinderSpawnerMixin(Configurable): + """ + Mixin to convert a JupyterHub container spawner to a BinderHub spawner + + Container spawner must support the following properties that will be set + via spawn options: + - image: Container image to launch + - token: JupyterHub API token + """ + + def __init__(self, *args, **kwargs): + # Is this right? Is it possible to having multiple inheritance with both + # classes using traitlets? + # https://stackoverflow.com/questions/9575409/calling-parent-class-init-with-multiple-inheritance-whats-the-right-way + # https://github.com/ipython/traitlets/pull/175 + super().__init__(*args, **kwargs) + + auth_enabled = Bool( + False, + help=""" + Enable authenticated binderhub setup. + + Requires `jupyterhub-singleuser` to be available inside the repositories + being built. + """, + config=True, + ) + + cors_allow_origin = Unicode( + "", + help=""" + Origins that can access the spawned notebooks. + + Sets the Access-Control-Allow-Origin header in the spawned + notebooks. Set to '*' to allow any origin to access spawned + notebook servers. + + See also BinderHub.cors_allow_origin in binderhub config + for controlling CORS policy for the BinderHub API endpoint. + """, + config=True, + ) + + def get_args(self): + if self.auth_enabled: + args = super().get_args() + else: + args = [ + "--ip=0.0.0.0", + f"--port={self.port}", + f"--NotebookApp.base_url={self.server.base_url}", + f"--NotebookApp.token={self.user_options['token']}", + "--NotebookApp.trust_xheaders=True", + ] + if self.default_url: + args.append(f"--NotebookApp.default_url={self.default_url}") + + if self.cors_allow_origin: + args.append("--NotebookApp.allow_origin=" + self.cors_allow_origin) + # allow_origin=* doesn't properly allow cross-origin requests to single files + # see https://github.com/jupyter/notebook/pull/5898 + if self.cors_allow_origin == "*": + args.append("--NotebookApp.allow_origin_pat=.*") + args += self.args + # ServerApp compatibility: duplicate NotebookApp args + for arg in list(args): + if arg.startswith("--NotebookApp."): + args.append(arg.replace("--NotebookApp.", "--ServerApp.")) + return args + + def start(self): + if not self.auth_enabled: + if "token" not in self.user_options: + raise web.HTTPError(400, "token required") + if "image" not in self.user_options: + raise web.HTTPError(400, "image required") + if "image" in self.user_options: + self.image = self.user_options["image"] + return super().start() + + def get_env(self): + env = super().get_env() + if "repo_url" in self.user_options: + env["BINDER_REPO_URL"] = self.user_options["repo_url"] + for key in ( + "binder_ref_url", + "binder_launch_host", + "binder_persistent_request", + "binder_request", + ): + if key in self.user_options: + env[key.upper()] = self.user_options[key] + return env 01-custom-theme: | # adds a JupyterHub template path and updates template variables @@ -861,6 +980,8 @@ jupyterhub: } c.JupyterHub.services.append(jhc_service) + if get_config("custom.binderhubUI.enabled"): + spawner_base_classes = [BinderSpawnerMixin, KubeSpawner] class BaseHubSpawner(*spawner_base_classes): def start(self, *args, **kwargs): @@ -883,6 +1004,7 @@ jupyterhub: self.service_account = admin_service_account return super().start(*args, **kwargs) + c.JupyterHub.spawner_class = BaseHubSpawner diff --git a/terraform/gcp/projects/pilot-hubs.tfvars b/terraform/gcp/projects/pilot-hubs.tfvars index 8f3cfbf616..918807f310 100644 --- a/terraform/gcp/projects/pilot-hubs.tfvars +++ b/terraform/gcp/projects/pilot-hubs.tfvars @@ -77,4 +77,5 @@ hub_cloud_permissions = { container_repos = [ "binder-staging", + "binderhub-ui-demo" ] From 81bd511ab91bad9faa169f14ae86471dd1fd0756 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 22 May 2024 15:05:42 +0300 Subject: [PATCH 02/24] Add the config files to the new cluster --- .../2i2c/binderhub-ui-demo.values.yaml | 106 ++++++++++++++++++ .../enc-binderhub-ui-demo.secret.values.yaml | 23 ++++ 2 files changed, 129 insertions(+) create mode 100644 config/clusters/2i2c/binderhub-ui-demo.values.yaml create mode 100644 config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml new file mode 100644 index 0000000000..65fb966db5 --- /dev/null +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -0,0 +1,106 @@ +jupyterhub: + ingress: + hosts: + - hub.binderhub-ui-demo.2i2c.cloud + tls: + - secretName: https-auto-tls + hosts: + - hub.binderhub-ui-demo.2i2c.cloud + custom: + 2i2c: + add_staff_user_ids_to_admin_users: true + add_staff_user_ids_of_type: "github" + jupyterhubConfigurator: + enabled: false + binderhubUI: + enabled: true + homepage: + templateVars: + org: + name: Demo binderhub UI with binderhub-service + url: https://2i2c.org + logo_url: https://2i2c.org/media/logo.png + designed_by: + name: 2i2c + url: https://2i2c.org + operated_by: + name: 2i2c + url: https://2i2c.org + funded_by: + name: "" + url: "" + singleuser: + # This is copied from https://github.com/jupyterhub/binderhub/blob/c6c5dc8fe73f81ca538c47b420b33f317c3aa8ae/helm-chart/binderhub/values.yaml + # We should update this as soon as the upstream updates + # FIXME: investigate incorporating this configuration + # in the configuration defaults coming from basehub + # potentially taking into account the value of custom.binderhubUI.enabled + # to avoid specifying it over and over again for each new hub using the + # binderhub UI + cmd: + # start jupyterlab server *if available* + # fallback on jupyter-notebook + - python3 + - "-c" + - | + import os + import sys + + try: + import jupyterlab + import jupyterlab.labapp + major = int(jupyterlab.__version__.split(".", 1)[0]) + except Exception as e: + print("Failed to import jupyterlab: {e}", file=sys.stderr) + have_lab = False + else: + have_lab = major >= 3 + + if have_lab: + # technically, we could accept another jupyter-server-based frontend + print("Launching jupyter-lab", file=sys.stderr) + exe = "jupyter-lab" + else: + print("jupyter-lab not found, launching jupyter-notebook", file=sys.stderr) + exe = "jupyter-notebook" + + # launch the notebook server + os.execvp(exe, sys.argv) + storage: + type: none + hub: + services: + binder: + # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 + # for something more readable and requiring less copy-pasting + url: http://binderhub-ui-demo-binderhub-service:8090 + display: false + config: + BinderSpawnerMixin: + auth_enabled: true + JupyterHub: + authenticator_class: github + GitHubOAuthenticator: + oauth_callback_url: https://binderhub-ui-demo.2i2c.cloud/hub/oauth_callback + +binderhub-service: + enabled: true + ingress: + enabled: true + hosts: + - binderhub-ui-demo.2i2c.cloud + tls: + - secretName: https-auto-tls + hosts: + - binderhub-ui-demo.2i2c.cloud + config: + BinderHub: + hub_url: https://hub.binderhub-ui-demo.2i2c.cloud + badge_base_url: https://binderhub-ui-demo.2i2c.cloud + auth_enabled: true + enable_api_only_mode: false + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binderhub-ui-demo-registry/binderhub-service- + # The password to the registry is stored encrypted in the hub's encrypted config file + buildPodsRegistryCredentials: + server: "https://us-central1-docker.pkg.dev" + username: "_json_key" diff --git a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml new file mode 100644 index 0000000000..f0594410c8 --- /dev/null +++ b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml @@ -0,0 +1,23 @@ +binderhub-service: + buildPodsRegistryCredentials: + password: ENC[AES256_GCM,data:Q8Kt61NWFDqFL0tZhNTAiwRg2x59hgZKZgej/fcgCBG2bKb3yqx216VsCBsOXoAoBotX6dCWAMzI1oQJrkJEWCXl7fwKMY/Ew8bIa+h+2b7WgDmu4866WTpVPaXlOPQfeQ4g7umKtnrUbX7DumFe/Ssuf8As4lOkReKfpFwWpGK0Y6GZX2gcXJ84MlqnyQrnT1f9Heq4Txxcp60V4/9WOG+/xW7z4xQUtV5DPX8qblfREeSgov2BtoKpUXZWW2rzKEMAhzQ5/KArRw+/KgskJt1FibM62KNCJACBCxs5EG1UA+UP7zIXB+8nzjX0JcmNxbhtgKZQEpT6qSi9hm6Qt6UHT9iAyHZkBSvtJ8RJ69Jm/Tb10afpMu2oqU4MpkCuTLC7cxW+SMEJNSoa4zILhBQdwDdRJkQmHUklE06Xwed/u0e1mA9pvTLClmNcgI1dez7H+ZnRunTco824n30EczPvj3ppqEmCvqVPOBB5S+07AfOnYd91K/BQ7j7swT21mwaxWz01vYrClUcJ5MsSpYmX5Agp5dkbiUO9MYv7PwUe/qBul/1/Fa/Ki8FM9P1ol7ON7tPkG0XW+R+2wPrmKL5exbS79MKJEib+qp9CqzZQnxa/FZi+DXwdB9/5gV2ef6ASVZqiKpJA1SFsjs2S8UpMp5tNpZCoe/JXAo75N5xwfmLm101uZrGEWq3k9YGocC5XnAX2T+Lop+CIEMAihe1Kn70ss3PYvkj4h6rrHCMQFyotgLjp5sbzQZQlOGvy8sRUKKA5RKgDQO6E1rhHyIkMWHqCtAMq6iVELRAlc2wJ+vVsADey7E+FqSd5m05/UQ/DWuxxK4HqaATc2X8bhb8g4QTLOKHLL+h6KPT5ox3czOsB3asYIBIJoiDf3W/FL25dgDxMe2amXoeFJvhU+JnI6sG+f1BzmhOIZSsNFXI5mhhANJK6gWXXjcdnQwg70ztBRcFmTzv6XD2qEQ1SKgpwhwKA1EWWcKGeKucfgBvFmABg+PB1vWwnouJGOicbb5DxKOl4F+jzyOK/o/bH9PQBjb6uAPUjxSU0LRqQasHlPlBqFs93DMHmLjQpHU81so9o1B+Tfq3RgzE7CLnxCTax4aKcvcagfwiphRgaK3mxa2uzCMzfghVqz/EFstbY2MmED0/8pz4k9qwbaH2SK/vUyV6uohDAhr5VwQ6lm5g/nXQVNi79CLXmyJm5ubaYWuZ8R+cqDZup2eJ6UEPfs2Zk5sc8ffoV+tOfnpNcMgJ5hXSUPuWWzCok8HSZhiTQzN6mApzS0yiEZAp58j41aMl9CRFtezOlAzQ7obASrJK02eA3TCrCwFL9DLLAcavmufwCVQQ9SfMmIPSzNvr6Fm1oIqzHUgstIK1YdTfc6vcWEg61zafq8nRw+nt7FaYj6EY3DFUGqNdkxw17iPaxVvwiLpaybFsXBft8A2mOlNPHXSOk8IbBuUhiWmxDPse54Nz49loUtP6j1QsRhSDxhWG4V6MAoSzfwkyeVXioaNluKxfXpktos7k3QXZNBCMk2UOqRadZNkKBAhKX3EZNbUSHY1MhqZusUwvYePN5wK+Qlmrv7L3uxFyeI8+E5FLvMYk52GrE8TLCWk0Qd2q3UewyG54lSjULdnVq4sHyIi7zFLt/dAXpF1OdEJZOMVsn0EZyuQ5KsxUfxhB6jS6IcHbGUkLibRxvIdakS0T/UlByvzgNvBcPc19by5fy24ukObz8+FafwZCSe5XNiIRRLat/2o6RY/V8TlKmxFk2V0ZH/Jq8JD9F+RvLHwnJywN1gdXLszM3h3aQR6AsLQYda6+M6YdT8xMzz3DAk7sQyxyrPphwMFvaCRDVetWbuTjNjh2NheZsQcMMBdoY+NwkOcFHmATYJ2g0xHOMM38w9wXdLH0t4GuWjqAGBAdvb4ZAXP/S5gkchYjl2OsLAwN5GeaUcZWyX82VJpW1mgdYiAHTCfrOee/f7uw8ZtltzSI9hacWYbsy8M8dpaLMjrMTaIGhuoBjfY28GhDvo8FS0QMk+EBmfTM9WdnpSjWflS5zCDdDH2evc7z40MLtPcsSvoei8glhk/OkBsw7tFeZCat4HB1keCMUlA4ckgvp5TACSk8XHq4bFLp55PVt258ojpr6tfoPir1HSzl4UfAp04eXmBK6CWjI9eDwSrH4aLzD+oTdaPOow1dQEmJnq9nzVOMYGudlzddJXPpNRPXQStX3NpBwws0RzitXpoaaGM1unVR4ZcwYoLrD0rt3EdTFOPpMBMRx7vPomOlG2rCLQZMOXHsvQUuKr3oo920b6/HOm/yxAGnaZlJLrs7EsfFNmH6UYTHzElGlIXKEP4eNBB2O1smxBy+3+5gLvRR8KsqK8uUWdth+NpPa770kTXH59wexx8Fo8UaBM+/y97nDJP3CV6uhUW6cVLA5TPD4JVs7uX7KSYQC51sIp7DTe2MP4bdDcJguR/ZYceLfMD0pPwwVmV/2gsqncamVjI1Dl4827vbpKJ0pKj+q/JDk8N0CQ5OwSYqDgBv3EATfnR/8JmF8ERUZ8iYwmbeOAIL0n/MOZhUL5+QN7zZxJ51OSrfgQSkZk7woCvpTY7ACiuDLQ9D2p1FMrP1DdsiiWJlFvaA2JW9xtICyjykERBrBzO8Ugsg2PvCIs46vzn/g739VuAnL+Pn9X/P9OZfpZRBM37yns+hAOJX6DepFINx28tvQFktYbnxGGbL5DkZB/1Wu5ILVUYztcpueDNlyDK4VQ2qecNDmd6J1LXmLWDj/osAUe/MfrQOUXC96Wic3G1NYWJajEVdbmd7fCqZo2g8FB/YNz260rMaLse3mmM4vfuaSwjk97utTM5HnLBk3UHzyC8DqaKWyC7kwcDcEuhVSkPV2ANZy0gSI7soaKHJUo8JNsMfkPO/yIr+JCqOb5zoUiZYy+LnnNAmUVhztavFGHN0TNWe+oYwo6XDv/m26ztqWQbxl66rAuK4v2M2CmDitZnp6cEQHIaBRy60w2Uk5epWv7i/w7tNsiz12a+wZfxvelhHEmxi+8lZpDQwCrbAedwVMEpcXue/1TLrsswfPmab+9q4Mb1l29zGtXJ3JA6rwll01hHbTbs64UE6Ea6OLdSIsJHle7klkOo9OuGPNKRPauJEFAvx1E1/5wbS56a6c9nMEXav5jkoWFul8+3FCz1pex7uOLK2YoGl0obEh,iv:5Sobvu+/bAQi+QCidA+CV9L6pPcV3y7G4dnFlAe9LBE=,tag:gFEO2EF1n4lqGGXr8AFCUg==,type:str] +jupyterhub: + hub: + config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:f5y+pUy+68Zje3YK5/Wj6e+9Jxk=,iv:3T9S9PrRjuJYrOovbd8She7xuWSOSEHZM0Exgh8MzyA=,tag:6fTW5zwfhCbeuNtjczq2tg==,type:str] + client_secret: ENC[AES256_GCM,data:Z1XDr41p9QmewcUAzOudW91Cr3DFnikveK5io2kTIbsdJ4SEhk1tUQ==,iv:vchLWpcUUzSOaatVicy2r6Iq/WxqyFpxlakVswC7ViI=,tag:/Mbw4GgwxlDnYbvOPtaL6w==,type:str] +sops: + kms: [] + gcp_kms: + - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs + created_at: "2023-09-18T19:00:41Z" + enc: CiUA4OM7eFioG9yDgVwKtc0cYrU65GNcqMSDuUgnuXuq3KW9dRI6EkkAq2nhVV2TFrZOq5jktjMd4TQF1lwH/08tAyGd3vMfBmdd3Xdy3bAUUHhrPXcK6QabMRYdXPzQzgB+oBGaqOsJO7D7jT9NpeCn + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-05-22T09:37:49Z" + mac: ENC[AES256_GCM,data:VMhtLKg3d/fGoebkQ9ls8FhGnS2v4UO0OkyeC73zd3gcTPAcuvF4tyN4/a3GjP6e3nrrIUAI69kp5D2I2zc0aQIVGkZHS0z9YiBbRBIGHMjuCvnttl89hcsaQ1QjhKUPyI7VUu9rqXADige25OPNDJciZNSTem7Rt/V2lgwvDnQ=,iv:yRpE3PckCIlPwQ40swsTI8imZBbcnm3jQamMyDjqmtk=,tag:KB73g44EzQlalSnAQSjw5Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 From 34891e0c4f502eed5c10de72acfda02b4388d792 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Wed, 22 May 2024 16:22:56 +0300 Subject: [PATCH 03/24] Use the hub's url --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 65fb966db5..23794c9a3c 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -81,7 +81,7 @@ jupyterhub: JupyterHub: authenticator_class: github GitHubOAuthenticator: - oauth_callback_url: https://binderhub-ui-demo.2i2c.cloud/hub/oauth_callback + oauth_callback_url: https://hub.binderhub-ui-demo.2i2c.cloud/hub/oauth_callback binderhub-service: enabled: true From 57dd87efaeb96173bf4afac5f87587dff8dd8d93 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Wed, 22 May 2024 15:47:08 +0200 Subject: [PATCH 04/24] Make use of binderhub-service new extraEnv --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 6 ++++++ helm-charts/basehub/Chart.yaml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 23794c9a3c..f5b89f4d01 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -93,6 +93,12 @@ binderhub-service: - secretName: https-auto-tls hosts: - binderhub-ui-demo.2i2c.cloud + extraEnv: + - name: JUPYTERHUB_API_TOKEN + valueFrom: + secretKeyRef: + name: '{{ include "jupyterhub.hub.fullname" . }}' + key: hub.services.binder.apiToken config: BinderHub: hub_url: https://hub.binderhub-ui-demo.2i2c.cloud diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index 8cbd4d190e..364b9aeb16 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -15,6 +15,6 @@ dependencies: version: 3.3.7 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service - version: 0.1.0-0.dev.git.110.hd833d08 + version: 0.1.0-0.dev.git.215.h263a589 repository: https://2i2c.org/binderhub-service/ condition: binderhub-service.enabled From 9d873eb7227b70e9004949bc994a96e6dd7e40dc Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 24 May 2024 13:39:02 +0300 Subject: [PATCH 05/24] Use latest binderhub --- helm-charts/basehub/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index 364b9aeb16..2e0a945596 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -15,6 +15,6 @@ dependencies: version: 3.3.7 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service - version: 0.1.0-0.dev.git.215.h263a589 + version: 0.1.0-0.dev.git.217.h06e9a55 repository: https://2i2c.org/binderhub-service/ condition: binderhub-service.enabled From 8c03dc9116144dbb813d7768d0f7d59e9a9fc776 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 24 May 2024 13:48:09 +0300 Subject: [PATCH 06/24] Export more relevant env vars --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index f5b89f4d01..bb49fd8320 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -74,7 +74,8 @@ jupyterhub: # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 # for something more readable and requiring less copy-pasting url: http://binderhub-ui-demo-binderhub-service:8090 - display: false + display: true + oauth_no_confirm: true config: BinderSpawnerMixin: auth_enabled: true @@ -87,6 +88,10 @@ binderhub-service: enabled: true ingress: enabled: true + ingressClassName: nginx + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 256m + cert-manager.io/cluster-issuer: letsencrypt-prodc hosts: - binderhub-ui-demo.2i2c.cloud tls: @@ -99,6 +104,13 @@ binderhub-service: secretKeyRef: name: '{{ include "jupyterhub.hub.fullname" . }}' key: hub.services.binder.apiToken + - name: JUPYTERHUB_CLIENT_ID + value: "service-binder" + - name: JUPYTERHUB_OAUTH_CALLBACK_URL + value: "/services/binder/oauth_callback" + - name: JUPYTERHUB_API_URL + value: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/api/" + config: BinderHub: hub_url: https://hub.binderhub-ui-demo.2i2c.cloud From c7389a93b2f796ebc6e517890e8936901ea50216 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 24 May 2024 23:40:06 +0300 Subject: [PATCH 07/24] Temp use the old chart until latest is fixed --- helm-charts/basehub/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index 2e0a945596..364b9aeb16 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -15,6 +15,6 @@ dependencies: version: 3.3.7 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service - version: 0.1.0-0.dev.git.217.h06e9a55 + version: 0.1.0-0.dev.git.215.h263a589 repository: https://2i2c.org/binderhub-service/ condition: binderhub-service.enabled From ecdd191a4728df21a4a517cf7276de9a55454b15 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Fri, 24 May 2024 23:41:46 +0300 Subject: [PATCH 08/24] Fix ingress config and add binderhub's public ip for oauth callback --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index bb49fd8320..bcba2cae97 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -76,6 +76,7 @@ jupyterhub: url: http://binderhub-ui-demo-binderhub-service:8090 display: true oauth_no_confirm: true + oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback config: BinderSpawnerMixin: auth_enabled: true @@ -91,11 +92,11 @@ binderhub-service: ingressClassName: nginx annotations: nginx.ingress.kubernetes.io/proxy-body-size: 256m - cert-manager.io/cluster-issuer: letsencrypt-prodc + cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - binderhub-ui-demo.2i2c.cloud tls: - - secretName: https-auto-tls + - secretName: binder-https-auto-tls hosts: - binderhub-ui-demo.2i2c.cloud extraEnv: @@ -107,9 +108,9 @@ binderhub-service: - name: JUPYTERHUB_CLIENT_ID value: "service-binder" - name: JUPYTERHUB_OAUTH_CALLBACK_URL - value: "/services/binder/oauth_callback" + value: "https://binderhub-ui-demo.2i2c.cloud/oauth_callback" - name: JUPYTERHUB_API_URL - value: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/api/" + value: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/api" config: BinderHub: From 492f7016b1056ae84f249ca3f384dbabb60a2ecd Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Sat, 25 May 2024 17:19:52 +0300 Subject: [PATCH 09/24] Switch to cilogon, load roles --- .../2i2c/binderhub-ui-demo.values.yaml | 59 ++++++------------- .../enc-binderhub-ui-demo.secret.values.yaml | 16 ++--- 2 files changed, 26 insertions(+), 49 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index bcba2cae97..a86327da38 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -9,7 +9,7 @@ jupyterhub: custom: 2i2c: add_staff_user_ids_to_admin_users: true - add_staff_user_ids_of_type: "github" + add_staff_user_ids_of_type: "google" jupyterhubConfigurator: enabled: false binderhubUI: @@ -30,60 +30,37 @@ jupyterhub: name: "" url: "" singleuser: - # This is copied from https://github.com/jupyterhub/binderhub/blob/c6c5dc8fe73f81ca538c47b420b33f317c3aa8ae/helm-chart/binderhub/values.yaml - # We should update this as soon as the upstream updates - # FIXME: investigate incorporating this configuration - # in the configuration defaults coming from basehub - # potentially taking into account the value of custom.binderhubUI.enabled - # to avoid specifying it over and over again for each new hub using the - # binderhub UI - cmd: - # start jupyterlab server *if available* - # fallback on jupyter-notebook - - python3 - - "-c" - - | - import os - import sys - - try: - import jupyterlab - import jupyterlab.labapp - major = int(jupyterlab.__version__.split(".", 1)[0]) - except Exception as e: - print("Failed to import jupyterlab: {e}", file=sys.stderr) - have_lab = False - else: - have_lab = major >= 3 - - if have_lab: - # technically, we could accept another jupyter-server-based frontend - print("Launching jupyter-lab", file=sys.stderr) - exe = "jupyter-lab" - else: - print("jupyter-lab not found, launching jupyter-notebook", file=sys.stderr) - exe = "jupyter-notebook" - - # launch the notebook server - os.execvp(exe, sys.argv) + # This is copied from https://binderhub.readthedocs.io/en/latest/authentication.html#enabling-authentication + # to make notebook servers aware of hub + cmd: jupyterhub-singleuser storage: type: none hub: + redirectToServer: false services: binder: # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 # for something more readable and requiring less copy-pasting - url: http://binderhub-ui-demo-binderhub-service:8090 display: true oauth_no_confirm: true + url: http://binderhub-ui-demo-binderhub-service:8090 oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback + loadRoles: + user: + scopes: + - self + - "access:services" config: BinderSpawnerMixin: auth_enabled: true JupyterHub: - authenticator_class: github - GitHubOAuthenticator: - oauth_callback_url: https://hub.binderhub-ui-demo.2i2c.cloud/hub/oauth_callback + authenticator_class: cilogon + CILogonOAuthenticator: + oauth_callback_url: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/oauth_callback" + allowed_idps: + http://google.com/accounts/o8/id: + username_derivation: + username_claim: "email" binderhub-service: enabled: true diff --git a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml index f0594410c8..f9418f79c1 100644 --- a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml +++ b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml @@ -1,23 +1,23 @@ binderhub-service: buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data:Q8Kt61NWFDqFL0tZhNTAiwRg2x59hgZKZgej/fcgCBG2bKb3yqx216VsCBsOXoAoBotX6dCWAMzI1oQJrkJEWCXl7fwKMY/Ew8bIa+h+2b7WgDmu4866WTpVPaXlOPQfeQ4g7umKtnrUbX7DumFe/Ssuf8As4lOkReKfpFwWpGK0Y6GZX2gcXJ84MlqnyQrnT1f9Heq4Txxcp60V4/9WOG+/xW7z4xQUtV5DPX8qblfREeSgov2BtoKpUXZWW2rzKEMAhzQ5/KArRw+/KgskJt1FibM62KNCJACBCxs5EG1UA+UP7zIXB+8nzjX0JcmNxbhtgKZQEpT6qSi9hm6Qt6UHT9iAyHZkBSvtJ8RJ69Jm/Tb10afpMu2oqU4MpkCuTLC7cxW+SMEJNSoa4zILhBQdwDdRJkQmHUklE06Xwed/u0e1mA9pvTLClmNcgI1dez7H+ZnRunTco824n30EczPvj3ppqEmCvqVPOBB5S+07AfOnYd91K/BQ7j7swT21mwaxWz01vYrClUcJ5MsSpYmX5Agp5dkbiUO9MYv7PwUe/qBul/1/Fa/Ki8FM9P1ol7ON7tPkG0XW+R+2wPrmKL5exbS79MKJEib+qp9CqzZQnxa/FZi+DXwdB9/5gV2ef6ASVZqiKpJA1SFsjs2S8UpMp5tNpZCoe/JXAo75N5xwfmLm101uZrGEWq3k9YGocC5XnAX2T+Lop+CIEMAihe1Kn70ss3PYvkj4h6rrHCMQFyotgLjp5sbzQZQlOGvy8sRUKKA5RKgDQO6E1rhHyIkMWHqCtAMq6iVELRAlc2wJ+vVsADey7E+FqSd5m05/UQ/DWuxxK4HqaATc2X8bhb8g4QTLOKHLL+h6KPT5ox3czOsB3asYIBIJoiDf3W/FL25dgDxMe2amXoeFJvhU+JnI6sG+f1BzmhOIZSsNFXI5mhhANJK6gWXXjcdnQwg70ztBRcFmTzv6XD2qEQ1SKgpwhwKA1EWWcKGeKucfgBvFmABg+PB1vWwnouJGOicbb5DxKOl4F+jzyOK/o/bH9PQBjb6uAPUjxSU0LRqQasHlPlBqFs93DMHmLjQpHU81so9o1B+Tfq3RgzE7CLnxCTax4aKcvcagfwiphRgaK3mxa2uzCMzfghVqz/EFstbY2MmED0/8pz4k9qwbaH2SK/vUyV6uohDAhr5VwQ6lm5g/nXQVNi79CLXmyJm5ubaYWuZ8R+cqDZup2eJ6UEPfs2Zk5sc8ffoV+tOfnpNcMgJ5hXSUPuWWzCok8HSZhiTQzN6mApzS0yiEZAp58j41aMl9CRFtezOlAzQ7obASrJK02eA3TCrCwFL9DLLAcavmufwCVQQ9SfMmIPSzNvr6Fm1oIqzHUgstIK1YdTfc6vcWEg61zafq8nRw+nt7FaYj6EY3DFUGqNdkxw17iPaxVvwiLpaybFsXBft8A2mOlNPHXSOk8IbBuUhiWmxDPse54Nz49loUtP6j1QsRhSDxhWG4V6MAoSzfwkyeVXioaNluKxfXpktos7k3QXZNBCMk2UOqRadZNkKBAhKX3EZNbUSHY1MhqZusUwvYePN5wK+Qlmrv7L3uxFyeI8+E5FLvMYk52GrE8TLCWk0Qd2q3UewyG54lSjULdnVq4sHyIi7zFLt/dAXpF1OdEJZOMVsn0EZyuQ5KsxUfxhB6jS6IcHbGUkLibRxvIdakS0T/UlByvzgNvBcPc19by5fy24ukObz8+FafwZCSe5XNiIRRLat/2o6RY/V8TlKmxFk2V0ZH/Jq8JD9F+RvLHwnJywN1gdXLszM3h3aQR6AsLQYda6+M6YdT8xMzz3DAk7sQyxyrPphwMFvaCRDVetWbuTjNjh2NheZsQcMMBdoY+NwkOcFHmATYJ2g0xHOMM38w9wXdLH0t4GuWjqAGBAdvb4ZAXP/S5gkchYjl2OsLAwN5GeaUcZWyX82VJpW1mgdYiAHTCfrOee/f7uw8ZtltzSI9hacWYbsy8M8dpaLMjrMTaIGhuoBjfY28GhDvo8FS0QMk+EBmfTM9WdnpSjWflS5zCDdDH2evc7z40MLtPcsSvoei8glhk/OkBsw7tFeZCat4HB1keCMUlA4ckgvp5TACSk8XHq4bFLp55PVt258ojpr6tfoPir1HSzl4UfAp04eXmBK6CWjI9eDwSrH4aLzD+oTdaPOow1dQEmJnq9nzVOMYGudlzddJXPpNRPXQStX3NpBwws0RzitXpoaaGM1unVR4ZcwYoLrD0rt3EdTFOPpMBMRx7vPomOlG2rCLQZMOXHsvQUuKr3oo920b6/HOm/yxAGnaZlJLrs7EsfFNmH6UYTHzElGlIXKEP4eNBB2O1smxBy+3+5gLvRR8KsqK8uUWdth+NpPa770kTXH59wexx8Fo8UaBM+/y97nDJP3CV6uhUW6cVLA5TPD4JVs7uX7KSYQC51sIp7DTe2MP4bdDcJguR/ZYceLfMD0pPwwVmV/2gsqncamVjI1Dl4827vbpKJ0pKj+q/JDk8N0CQ5OwSYqDgBv3EATfnR/8JmF8ERUZ8iYwmbeOAIL0n/MOZhUL5+QN7zZxJ51OSrfgQSkZk7woCvpTY7ACiuDLQ9D2p1FMrP1DdsiiWJlFvaA2JW9xtICyjykERBrBzO8Ugsg2PvCIs46vzn/g739VuAnL+Pn9X/P9OZfpZRBM37yns+hAOJX6DepFINx28tvQFktYbnxGGbL5DkZB/1Wu5ILVUYztcpueDNlyDK4VQ2qecNDmd6J1LXmLWDj/osAUe/MfrQOUXC96Wic3G1NYWJajEVdbmd7fCqZo2g8FB/YNz260rMaLse3mmM4vfuaSwjk97utTM5HnLBk3UHzyC8DqaKWyC7kwcDcEuhVSkPV2ANZy0gSI7soaKHJUo8JNsMfkPO/yIr+JCqOb5zoUiZYy+LnnNAmUVhztavFGHN0TNWe+oYwo6XDv/m26ztqWQbxl66rAuK4v2M2CmDitZnp6cEQHIaBRy60w2Uk5epWv7i/w7tNsiz12a+wZfxvelhHEmxi+8lZpDQwCrbAedwVMEpcXue/1TLrsswfPmab+9q4Mb1l29zGtXJ3JA6rwll01hHbTbs64UE6Ea6OLdSIsJHle7klkOo9OuGPNKRPauJEFAvx1E1/5wbS56a6c9nMEXav5jkoWFul8+3FCz1pex7uOLK2YoGl0obEh,iv:5Sobvu+/bAQi+QCidA+CV9L6pPcV3y7G4dnFlAe9LBE=,tag:gFEO2EF1n4lqGGXr8AFCUg==,type:str] + password: ENC[AES256_GCM,data:lxa+mye7mMNseGhO9l0NxVapxmKpeqm7Hm56q9Mij4MttpaSN4q8HkhYYaMUykN6DCTOa0feLCcspLnkQyTr23y0InseqmEUY6CAAhnu+7yUAyoBdsxNGDhm+BfxpaKpb6d3H9+8xpLC9c9rcvWmCpWvMOUDh0Aqd2pCdf4FBNRL7P2kiar8gariKgngC/ii8JIa5lRE2EHvePTpduRqjUMaleGTknBxmnRHCtEUzdYQnGJ+tgFouo+J7/ebbAUSAoGd3QZkEXiyy0veIT1wuu4zZOMnuGcOx4pLw2yKdq8dX04zC9CkVLBCXjDQ6PkBjpU0voxCt+2WJ1I6I/70ya/l0qUGOG2Rqh7wRgM5BQqE5MNH4TMTYszFySvFRF991Vuq1MJI8dcRueoRUYRAGD82wIkr/sic3wPtJgyTctOI2bn4ou/eLOw9W6B9LwzBKpZ7TzB4jzV3BRpVai8nvVaDQKZR01Ysz3mdQLSz+nUCStnCmATSMeGXCjc8da40QjigbD5cht0ma4LLkO6nUZZxUfROGH5f6hShX9awyC8DW9NHTWA5UZwu6gjCK2uxrNXB510/Hq+ip9zxbCEd7GdqMHbFBzt+6LmcbM4cNE1Djy++Nsd+6+inJAdXlWlwnn2ujhIrjTS1TV6TfhCDBdsFSUUNeUQGBuA/wJOV76y2Vkjq5gInyNb7/rX9NxInr9D7ixZG49+qXngyjjxBMtzY3Un6kx24NO61Q+8/91IIvZngVUn8rU1QJNtwfaO9kg+zLFTwxBP9UEycTZhm9wdMUHrKWYOTHx3MCJ/Vu2pE8XIAowD2c2gvpWD6YLd0AFdhobawitVkiH6vyv61c9wGI9y0CtD4vmM/WKoIw5aIFaT6wh20hLPMofZin6GixkrZvPY04q9LM8HGW7Y36C5q/S5p5kpuqt5Mpd363nLElJcoZyrIu/nKjZkcsVgERkiBpEZSRaPndedKfSs9JvX0hLfHKLWCGdwcdUam4j4DH0eAPZiWZfe6JH1L1ec+rBhj4qR202oZpKNYnk+eC3Fx1QbQkSq7xSxH5N1JtQpYIORioU/pubmCry9m35THe00WpxVZ6A9FBKjyn5whQQOFVJmwUATi0ew8e+k0CgacF7B8puupetxMfFAmEH8obbXekzX4gBvkY+UuHBhWWjm0nBk0s1kzvwX9Rei0TzH8VZWWCVNbp1uOaCHxx1X9SHdqUGj2HK05kWfjzJTDusQqF6ricfO+iu2HDJEfUD33LCblhecDVZDEvb2f6ynQ12/a6AaXXtEDgXvGA4ee4QQ6AnYYQmPt0ulg2H9LtQj8W9Nls47hgCHftQ4ASekVtAzmK47B1k3UFd2QQPum5RggArSeHMIp6R0kNtSFl4cZtiFKrrd0qwsTrVF5pC0vhfbNIm4yaswccT+5LYQ1wyaQqD0zWLOhpbhQm6rvm5Fco5NvarGBVqC/NCQ2WVBL0XEG3/RM88PMO0sqgWHxnPkZraN1NCUcGzp5s05eHWZXrfDAjA95CJsMocrgACoyzGwCU0TVWzHTGERgWQzi2Imrn6KPQnlLAzgByCfvT6J526qYIRWC100oU8XX8Z6TcUiCmYND2XoiHjMnyI5AxUD/g7k7efuK+0HwMcIX/yR3jlvXuWjiOaJ/TnaqjgUDCluPLrMQ/oLf+7p1SIF/nXAkzw1us25dDHjL8oPGj94nPoFQf46aPNHHMWRlbLUQSD3L7JdwaTN4hi9vLDMJ6zGrH7nDcXi4UXgsDjYjnzrMrVXKykR+wdpSLfh75uV82PjatQIpnot4xyzRqQUxnj/5xcjuJJgpzAXfM+dxbsqO/kt2edmvs8yBPLOOtWG8EUgUKh/eyVCCPCBKe1+Q1JgZXUCKJ/LSyO2r5r9RIz6gPoqsABeWfcUrN59+zfFTKdNy0bJPdP+qdyXOwdnZ9ZOe0W0SZiGkBrhFeKFmCcBImf11LfBszFVQ5NUL2X4AdJQzvrB9cl7rdqhQq/x5TWYdI5c9VH7xgiBuRcpFW1J3uD8HyHCbKRVzLkgkPvMJb8yUF136SulnF8xNU69xF31tizWHq5wo2T7TZgOziyv4y3F4a33m8DYhBt7uVQWSaMaTO1mVelK+DAbM2GWe/l3PgoI+uG3VFj7z2cbIbjy1SuajnlYWFm4YFi6b0BbJftK6XtK1JtHzINywq9eJyyXWOXBmT1U+ntSx0K4ERxtJF7nRHqw24GX1kbp8FGESRIS6h/QvBhu94ZhcghoD2okaWkYiJVtUzcxX7kGXH0uXu3lYeiV+Ih/n8xzNhOEfEK8sQ8IR3QlYX+rKwnF4CDFGhF6DA0kePdZDGFNNYjNRRE6GLxJwOpgdmTyxALCYZ/yQf05Rhr0rbmlBEuOHWFpi/FQx/Z73XRH6jOZLGXGpcWS8XD4ZAjKARojVycK3HTBP/DhJryuCbKp5LMFGt4gN3Ak2SJG4Rgah3vzYI3SrEX4CJAphyJzmDcKFLunWvtTX1/QBS7czk8MjGEVLcfTXDgx9EmxJmx/f7LezTrsUAnLablDekOHb5oUvD8MUunc1I37jIlatTVQAbxpGNKcrKtHQ9si90ZDQaq3EfQ7EtuVTd1hnbIqEVt4/Twn9OMmB23Uu6JlLejadq585tQdvCgXKxPQ+dTH0zPNFNnladfKOJBNEECCtnJOnhCTHHEZHwQIYgPXfl1BGCKF8Z057d+lVuFiMS7Ij8hP2Euo3yuACCyGIW0hsioeddB9Em6VI/Gm3cd6HSS3xtnHQDkDDNcyQMPrwsS3NGaubrzHvmjyS1i4eqKwg9T4y3hgZHhOzhGjoBeqnseH0MDXS9I2bfwsxcjGGVM/0/F6B5mMbxmNTVZqH5D8LUrRLYgWPLrP0dmuaud5trfLqUJYQcIoVkVvAxzeepWNEmg5UJgFOiz3JbuQ+BxWUx9+hw3U6tvHt/aCETwmkkCxz9ivGgy+MuKzu94hXc56VBChNF4zQItZFpMHBNm8OHqQ8+4TGbQuw0SM/O4pW4bHe4IL62jZn+8yeRwCRIsRgQhRioZWuy8NKTYKHH1ofesIIFb7zNx4lo5tTtHnDJzbwyUX3CA0W4S3R6QrkKp+4p7bc2qOY18tEYVRoRqhzB/lB4bXcRNNoLZg6bTZpWGa0Qv66aOTmdAAwykDddMNSW6YZlLC59nHmgmlPLRH1AYOwxhxaxnMYEB8EetTghg==,iv:uYUE22t5hqYIryh8YldEAJBat+JKoNB9i8+WIjF+b+A=,tag:HaNZ1snSkKgETUDbeDeAew==,type:str] jupyterhub: hub: config: - GitHubOAuthenticator: - client_id: ENC[AES256_GCM,data:f5y+pUy+68Zje3YK5/Wj6e+9Jxk=,iv:3T9S9PrRjuJYrOovbd8She7xuWSOSEHZM0Exgh8MzyA=,tag:6fTW5zwfhCbeuNtjczq2tg==,type:str] - client_secret: ENC[AES256_GCM,data:Z1XDr41p9QmewcUAzOudW91Cr3DFnikveK5io2kTIbsdJ4SEhk1tUQ==,iv:vchLWpcUUzSOaatVicy2r6Iq/WxqyFpxlakVswC7ViI=,tag:/Mbw4GgwxlDnYbvOPtaL6w==,type:str] + CILogonOAuthenticator: + client_id: ENC[AES256_GCM,data:ptYq9TZ42TKo5c3Fkgvw+v95vjdE2haXWy+dvzftNvcJXSpBUqSLrFWAt6vhlJCQyFc=,iv:EkgSotgHOLQvFs+EEi9qA4shqRP22FCVK5tZHTadlVI=,tag:3ik5oEMbrdnlG6S2MNfoKg==,type:str] + client_secret: ENC[AES256_GCM,data:65CiR4C65xBbhI8xwxJZtp7JwWUU3qC23sVdwUv/6bb4XuP7emzm5vSZWxqOqVFt34+jlBC7zsjB2gSbtDjvruvYRwcsHKMGX9jE8fCNZWvuSZTD+oc=,iv:jKw58OrJzsRVyG/GWVcCmHjQCSdVsc7/m9gSzk01wt4=,tag:XhPvvtdH5zcMaCtnjG1ArA==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-09-18T19:00:41Z" - enc: CiUA4OM7eFioG9yDgVwKtc0cYrU65GNcqMSDuUgnuXuq3KW9dRI6EkkAq2nhVV2TFrZOq5jktjMd4TQF1lwH/08tAyGd3vMfBmdd3Xdy3bAUUHhrPXcK6QabMRYdXPzQzgB+oBGaqOsJO7D7jT9NpeCn + created_at: "2024-05-25T09:02:21Z" + enc: CiUA4OM7eDU34wbeCqXXw8GdYJRzcOAehya7ucaDGUX9hrN+Kv6WEkkAWX/fcYD4WjDtXbAZ+FAcVxu/mUYY1f5fOTMuBxdrjcIFOax9vRoZRIhMEkcZvTvbInh51U/hZ3fdqvmpxHFJfZxbQgK6jFRO azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-05-22T09:37:49Z" - mac: ENC[AES256_GCM,data:VMhtLKg3d/fGoebkQ9ls8FhGnS2v4UO0OkyeC73zd3gcTPAcuvF4tyN4/a3GjP6e3nrrIUAI69kp5D2I2zc0aQIVGkZHS0z9YiBbRBIGHMjuCvnttl89hcsaQ1QjhKUPyI7VUu9rqXADige25OPNDJciZNSTem7Rt/V2lgwvDnQ=,iv:yRpE3PckCIlPwQ40swsTI8imZBbcnm3jQamMyDjqmtk=,tag:KB73g44EzQlalSnAQSjw5Q==,type:str] + lastmodified: "2024-05-25T09:02:22Z" + mac: ENC[AES256_GCM,data:r1XOu5DDG1+0vT7QDGOycKZu/ZzoWA839cz6o0ayTQTdEluyDAw4iDBKaUU4Ry8+L3mHblR0nbMLtgPNBS80GMdK01LT7LhWoh/xYW15FyITiCimVEj12sp22mDkpGeOwvN/Tco7VPqHPdWCeoWL8qa810rUvSlKIhawmX62ZXs=,iv:MZfoLMDabaeL6OAnwSuex7CiEnBWYh+52xZO6NNYoSM=,tag:YagTyO27hFR84hdA72K5fA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From f1f04f17f70e67f83d8dded4f9afbc6051b41258 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Sat, 25 May 2024 17:20:26 +0300 Subject: [PATCH 10/24] Reset base url otherwise we're stuck with /binder/services --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 1 + config/clusters/2i2c/cluster.yaml | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index a86327da38..fce3ff1c69 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -91,6 +91,7 @@ binderhub-service: config: BinderHub: + base_url: / hub_url: https://hub.binderhub-ui-demo.2i2c.cloud badge_base_url: https://binderhub-ui-demo.2i2c.cloud auth_enabled: true diff --git a/config/clusters/2i2c/cluster.yaml b/config/clusters/2i2c/cluster.yaml index c37b44a659..e20ad4a2f9 100644 --- a/config/clusters/2i2c/cluster.yaml +++ b/config/clusters/2i2c/cluster.yaml @@ -41,6 +41,14 @@ hubs: - basehub-common.values.yaml - imagebuilding-demo.values.yaml - enc-imagebuilding-demo.secret.values.yaml + - name: binderhub-ui-demo + display_name: "2i2c Binderhub UI demo" + domain: hub.binderhub-ui-demo-demo.2i2c.cloud + helm_chart: basehub + helm_chart_values_files: + - basehub-common.values.yaml + - binderhub-ui-demo.values.yaml + - enc-binderhub-ui-demo.secret.values.yaml - name: demo display_name: "2i2c demo" domain: demo.2i2c.cloud From f17c600b47e64b42e693a35cfd1c2b5e951ede68 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Sat, 25 May 2024 18:10:39 +0300 Subject: [PATCH 11/24] Export JUPYTERHUB_BASE_URL instead of JUPYTHUB_API_URL to fix redirect --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index fce3ff1c69..8796e105fd 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -41,7 +41,7 @@ jupyterhub: binder: # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 # for something more readable and requiring less copy-pasting - display: true + display: false oauth_no_confirm: true url: http://binderhub-ui-demo-binderhub-service:8090 oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback @@ -61,7 +61,6 @@ jupyterhub: http://google.com/accounts/o8/id: username_derivation: username_claim: "email" - binderhub-service: enabled: true ingress: @@ -84,11 +83,13 @@ binderhub-service: key: hub.services.binder.apiToken - name: JUPYTERHUB_CLIENT_ID value: "service-binder" + # Without this, the redirect URL to /hub/api/... gets + # appended to binderhub's URL instead of the hub's + # and setting JUPYTHUB_API_URL has no effect + - name: JUPYTERHUB_BASE_URL + value: "https://hub.binderhub-ui-demo.2i2c.cloud/" - name: JUPYTERHUB_OAUTH_CALLBACK_URL value: "https://binderhub-ui-demo.2i2c.cloud/oauth_callback" - - name: JUPYTERHUB_API_URL - value: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/api" - config: BinderHub: base_url: / From 6aa4d03a5ea03068039e263be1eed24f3f662b4f Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Sat, 25 May 2024 21:24:44 +0300 Subject: [PATCH 12/24] JUPYTERHUB_API_URL needs to be set as well otherwise a weird concatenation of internal's hub url and the /hub/api base url happens --- .../2i2c/binderhub-ui-demo.values.yaml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 8796e105fd..980ae42da2 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -75,6 +75,14 @@ binderhub-service: - secretName: binder-https-auto-tls hosts: - binderhub-ui-demo.2i2c.cloud + config: + BinderHub: + base_url: / + hub_url: https://hub.binderhub-ui-demo.2i2c.cloud + badge_base_url: https://binderhub-ui-demo.2i2c.cloud + auth_enabled: true + enable_api_only_mode: false + image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binderhub-ui-demo-registry/binderhub-service- extraEnv: - name: JUPYTERHUB_API_TOKEN valueFrom: @@ -83,21 +91,14 @@ binderhub-service: key: hub.services.binder.apiToken - name: JUPYTERHUB_CLIENT_ID value: "service-binder" + - name: JUPYTERHUB_API_URL + value: "https://hub.binderhub-ui-demo.2i2c.cloud/hub/api" # Without this, the redirect URL to /hub/api/... gets # appended to binderhub's URL instead of the hub's - # and setting JUPYTHUB_API_URL has no effect - name: JUPYTERHUB_BASE_URL value: "https://hub.binderhub-ui-demo.2i2c.cloud/" - name: JUPYTERHUB_OAUTH_CALLBACK_URL value: "https://binderhub-ui-demo.2i2c.cloud/oauth_callback" - config: - BinderHub: - base_url: / - hub_url: https://hub.binderhub-ui-demo.2i2c.cloud - badge_base_url: https://binderhub-ui-demo.2i2c.cloud - auth_enabled: true - enable_api_only_mode: false - image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binderhub-ui-demo-registry/binderhub-service- # The password to the registry is stored encrypted in the hub's encrypted config file buildPodsRegistryCredentials: server: "https://us-central1-docker.pkg.dev" From e0bbb1331d11421557853e63971b54fcf36bd5c8 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Mon, 27 May 2024 22:22:39 +0300 Subject: [PATCH 13/24] Update the binderhub-service chart --- helm-charts/basehub/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/helm-charts/basehub/Chart.yaml b/helm-charts/basehub/Chart.yaml index 364b9aeb16..801066c876 100644 --- a/helm-charts/basehub/Chart.yaml +++ b/helm-charts/basehub/Chart.yaml @@ -15,6 +15,6 @@ dependencies: version: 3.3.7 repository: https://jupyterhub.github.io/helm-chart/ - name: binderhub-service - version: 0.1.0-0.dev.git.215.h263a589 + version: 0.1.0-0.dev.git.240.hdaf17cc repository: https://2i2c.org/binderhub-service/ condition: binderhub-service.enabled From fe284c1c900e1a044648d542dcff247142b50683 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Mon, 27 May 2024 23:03:08 +0300 Subject: [PATCH 14/24] Temp declare extra config from chart in hub's values file --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 980ae42da2..dc0302fa96 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -83,6 +83,14 @@ binderhub-service: auth_enabled: true enable_api_only_mode: false image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binderhub-ui-demo-registry/binderhub-service- + extraConfig: + # FIXME: set KubernetesBuildExecutor.push_secret again + # without this for some reason the build pods + # search after the wrong secret name (i.e. the default name) + # set by binderhub in KubernetesBuildExecutor.push_secret + 01-binderhub-service-set-push-secret: | + import os + c.KubernetesBuildExecutor.push_secret = os.environ["PUSH_SECRET_NAME"] extraEnv: - name: JUPYTERHUB_API_TOKEN valueFrom: From 55b819e1a57d4eaf1e815a8456cf762d85cf9a64 Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Mon, 27 May 2024 23:24:55 +0300 Subject: [PATCH 15/24] Temp use old's registry creds --- .../2i2c/enc-binderhub-ui-demo.secret.values.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml index f9418f79c1..c0218072cb 100644 --- a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml +++ b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml @@ -1,23 +1,23 @@ binderhub-service: buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data:lxa+mye7mMNseGhO9l0NxVapxmKpeqm7Hm56q9Mij4MttpaSN4q8HkhYYaMUykN6DCTOa0feLCcspLnkQyTr23y0InseqmEUY6CAAhnu+7yUAyoBdsxNGDhm+BfxpaKpb6d3H9+8xpLC9c9rcvWmCpWvMOUDh0Aqd2pCdf4FBNRL7P2kiar8gariKgngC/ii8JIa5lRE2EHvePTpduRqjUMaleGTknBxmnRHCtEUzdYQnGJ+tgFouo+J7/ebbAUSAoGd3QZkEXiyy0veIT1wuu4zZOMnuGcOx4pLw2yKdq8dX04zC9CkVLBCXjDQ6PkBjpU0voxCt+2WJ1I6I/70ya/l0qUGOG2Rqh7wRgM5BQqE5MNH4TMTYszFySvFRF991Vuq1MJI8dcRueoRUYRAGD82wIkr/sic3wPtJgyTctOI2bn4ou/eLOw9W6B9LwzBKpZ7TzB4jzV3BRpVai8nvVaDQKZR01Ysz3mdQLSz+nUCStnCmATSMeGXCjc8da40QjigbD5cht0ma4LLkO6nUZZxUfROGH5f6hShX9awyC8DW9NHTWA5UZwu6gjCK2uxrNXB510/Hq+ip9zxbCEd7GdqMHbFBzt+6LmcbM4cNE1Djy++Nsd+6+inJAdXlWlwnn2ujhIrjTS1TV6TfhCDBdsFSUUNeUQGBuA/wJOV76y2Vkjq5gInyNb7/rX9NxInr9D7ixZG49+qXngyjjxBMtzY3Un6kx24NO61Q+8/91IIvZngVUn8rU1QJNtwfaO9kg+zLFTwxBP9UEycTZhm9wdMUHrKWYOTHx3MCJ/Vu2pE8XIAowD2c2gvpWD6YLd0AFdhobawitVkiH6vyv61c9wGI9y0CtD4vmM/WKoIw5aIFaT6wh20hLPMofZin6GixkrZvPY04q9LM8HGW7Y36C5q/S5p5kpuqt5Mpd363nLElJcoZyrIu/nKjZkcsVgERkiBpEZSRaPndedKfSs9JvX0hLfHKLWCGdwcdUam4j4DH0eAPZiWZfe6JH1L1ec+rBhj4qR202oZpKNYnk+eC3Fx1QbQkSq7xSxH5N1JtQpYIORioU/pubmCry9m35THe00WpxVZ6A9FBKjyn5whQQOFVJmwUATi0ew8e+k0CgacF7B8puupetxMfFAmEH8obbXekzX4gBvkY+UuHBhWWjm0nBk0s1kzvwX9Rei0TzH8VZWWCVNbp1uOaCHxx1X9SHdqUGj2HK05kWfjzJTDusQqF6ricfO+iu2HDJEfUD33LCblhecDVZDEvb2f6ynQ12/a6AaXXtEDgXvGA4ee4QQ6AnYYQmPt0ulg2H9LtQj8W9Nls47hgCHftQ4ASekVtAzmK47B1k3UFd2QQPum5RggArSeHMIp6R0kNtSFl4cZtiFKrrd0qwsTrVF5pC0vhfbNIm4yaswccT+5LYQ1wyaQqD0zWLOhpbhQm6rvm5Fco5NvarGBVqC/NCQ2WVBL0XEG3/RM88PMO0sqgWHxnPkZraN1NCUcGzp5s05eHWZXrfDAjA95CJsMocrgACoyzGwCU0TVWzHTGERgWQzi2Imrn6KPQnlLAzgByCfvT6J526qYIRWC100oU8XX8Z6TcUiCmYND2XoiHjMnyI5AxUD/g7k7efuK+0HwMcIX/yR3jlvXuWjiOaJ/TnaqjgUDCluPLrMQ/oLf+7p1SIF/nXAkzw1us25dDHjL8oPGj94nPoFQf46aPNHHMWRlbLUQSD3L7JdwaTN4hi9vLDMJ6zGrH7nDcXi4UXgsDjYjnzrMrVXKykR+wdpSLfh75uV82PjatQIpnot4xyzRqQUxnj/5xcjuJJgpzAXfM+dxbsqO/kt2edmvs8yBPLOOtWG8EUgUKh/eyVCCPCBKe1+Q1JgZXUCKJ/LSyO2r5r9RIz6gPoqsABeWfcUrN59+zfFTKdNy0bJPdP+qdyXOwdnZ9ZOe0W0SZiGkBrhFeKFmCcBImf11LfBszFVQ5NUL2X4AdJQzvrB9cl7rdqhQq/x5TWYdI5c9VH7xgiBuRcpFW1J3uD8HyHCbKRVzLkgkPvMJb8yUF136SulnF8xNU69xF31tizWHq5wo2T7TZgOziyv4y3F4a33m8DYhBt7uVQWSaMaTO1mVelK+DAbM2GWe/l3PgoI+uG3VFj7z2cbIbjy1SuajnlYWFm4YFi6b0BbJftK6XtK1JtHzINywq9eJyyXWOXBmT1U+ntSx0K4ERxtJF7nRHqw24GX1kbp8FGESRIS6h/QvBhu94ZhcghoD2okaWkYiJVtUzcxX7kGXH0uXu3lYeiV+Ih/n8xzNhOEfEK8sQ8IR3QlYX+rKwnF4CDFGhF6DA0kePdZDGFNNYjNRRE6GLxJwOpgdmTyxALCYZ/yQf05Rhr0rbmlBEuOHWFpi/FQx/Z73XRH6jOZLGXGpcWS8XD4ZAjKARojVycK3HTBP/DhJryuCbKp5LMFGt4gN3Ak2SJG4Rgah3vzYI3SrEX4CJAphyJzmDcKFLunWvtTX1/QBS7czk8MjGEVLcfTXDgx9EmxJmx/f7LezTrsUAnLablDekOHb5oUvD8MUunc1I37jIlatTVQAbxpGNKcrKtHQ9si90ZDQaq3EfQ7EtuVTd1hnbIqEVt4/Twn9OMmB23Uu6JlLejadq585tQdvCgXKxPQ+dTH0zPNFNnladfKOJBNEECCtnJOnhCTHHEZHwQIYgPXfl1BGCKF8Z057d+lVuFiMS7Ij8hP2Euo3yuACCyGIW0hsioeddB9Em6VI/Gm3cd6HSS3xtnHQDkDDNcyQMPrwsS3NGaubrzHvmjyS1i4eqKwg9T4y3hgZHhOzhGjoBeqnseH0MDXS9I2bfwsxcjGGVM/0/F6B5mMbxmNTVZqH5D8LUrRLYgWPLrP0dmuaud5trfLqUJYQcIoVkVvAxzeepWNEmg5UJgFOiz3JbuQ+BxWUx9+hw3U6tvHt/aCETwmkkCxz9ivGgy+MuKzu94hXc56VBChNF4zQItZFpMHBNm8OHqQ8+4TGbQuw0SM/O4pW4bHe4IL62jZn+8yeRwCRIsRgQhRioZWuy8NKTYKHH1ofesIIFb7zNx4lo5tTtHnDJzbwyUX3CA0W4S3R6QrkKp+4p7bc2qOY18tEYVRoRqhzB/lB4bXcRNNoLZg6bTZpWGa0Qv66aOTmdAAwykDddMNSW6YZlLC59nHmgmlPLRH1AYOwxhxaxnMYEB8EetTghg==,iv:uYUE22t5hqYIryh8YldEAJBat+JKoNB9i8+WIjF+b+A=,tag:HaNZ1snSkKgETUDbeDeAew==,type:str] + password: ENC[AES256_GCM,data:K1E93Tu6Yg9lNr4h6CMiL0QFarMce3jMamLo5Cq3/epsKB/AywWnSBwGIQB2IGXgMXQLZXp1SiQTYsNH7rKV2k8bDs+u7z3ho+8fxIAGacjUmaiprJks1lVuhNQg9reEjnunFCaiG5yIk7oTlF8Vg4otX+Shnq2QJT6y6xSH3DcJcKWQjsm+MuQeMxd4HZIh7ZPTyB7Qhs7USY9e6Z13hx9BM7PkE43cgM+Clq7VRKAmlsRxYMZzyKHfl+15/4GDUKvyX/+Ywe5vX8AebJH0UJJSlsEpn/AsE4EeBBzVfEsoUatL+oBxBzewBJFl46I8srnpDTMvGtDKAZZvW5JYq7KE0JkaLRisMMZ2Bsq8aOfKALT/E49dGxi3mwQQOApqvo3lrj+5HqSySz+FhkG8a8akSmqAFy3lKVsbGS8QlLdxlMkJQm+TpZjL7xu5+w67PrWcYmtd4X+S/CbZso3uqZrwIQ5MQupBNIjx+s8WTWUdsNZGmVrNHcQdLfND/vXwuZUhtckfslG+dcGVKt5BZvorXO6FL79Lw12gT/Ua8V6tcUmMQubiRu/NkCxk7mfbg/H8eS7YAAOtgBF3NDONMq1i7zAtB4msDWHlvLV2DCR1+pDjFJgrBVGQ1OpvLYpNzeazhnH/x9q+EcqAiYi3CA6gULkiOv7Y4b1MThX6WwOWqiDF2kz+Fjt9HFsr7BnA/guGthJtrtXeOkSsol3BFaXBa0PZLTD2y5zlYrE1EYxoKrFbQewYGTJPPbv1jOZGCMj5z3jviLN9xUxBtnU6VH+kMNdmv+DtfSnJX5YiFOaNgQgBvKGNKrBvD7n2oBPB2F86HUj4A3kzPdiUFtv/vNFzqfgbEnQA8qsZmNPSSj5thU3pEmZpR7dXoasl3YJRjiZi/52H4nsIHS5/Blm1M64bl2Zj3SVTgc8ttWn1eebsgow00/ECxIArSVaTTR+Tz/dGzlEDEAsY6w5ZrNzkkJuThfso9IMvXzxLqIOsuEB5KzH4YrhZHg3oDRrHcRmbv5sP/aHDBU14/lAd9cUsgP1PaUQ2ZlOpkaV5A4BSoVEv6pMzTzVIEURTiD40l3Pq2ztXlGuU4kepFZNr5p12BdTuK/PdeZLksxkprzILFp9dEti0+U4fAvxiEpa1ZJLDB72NFFhnC0JhHcrzTDhq19skt9kt3ZX71hGdwDeMxD0D5zc//suapzSUdw8a9Mm15/PhBtO5gKT5oUwLKQbAWvhXx1cocoPmaT9bhjvgFwrpr0ZMAIGMmWL2kuaMPLZt3mEyGjn1tWtgrzksSCBNSc8B5WhmWbMxxbuCMQr+4i4GhNzFEWv+SZt9yRS29kEozSMApaKcCOeQwGOFgD2Deyy7YsSZEY54d0EO8p4uT/tNbps1pUJsDWjbTMfVrIAQ80BKRiEi6902qde2jmTmbT8k8vnQa5N+k99KexgxKqjV+c4MHZw8Ognw5wze5yColnq1VdZmSwJ5SAcVKKQWXKQGCKF2LZyQw+BrEQlZoJO9KeND84w9W7ENFUoc2w7y4ksbbg9Q9IpKS2l5y5jryAhiFtDxgiUkfp/UIvBQ/6gByyBIBtiTO2FVsk5/xsjli3ij8DNZSFUgzT4TrQqRDp6OSgF7zx1cK2B2nf8AVLk8XHqDMHfjVgWdIf0OEj8f23Wjnq0UjQIQ15ZtTs1iesTS5mGLOk50AwDpIFQFOv7QLqVbgy5zX1ll1KuLFxex0YPLQdkf/xOsPJ2DflOOdz4N/JTMNhYG8r4czCOG0FdLTDpQ8KRql8co24KGaTqyLPAEK6QE6vR5e5HJyeSDTCZweNQU2f5x2+12c4ES5bsbFQiFjiBV+ANwdqoTETRkRD6qKnV8lRxnLqi6IiQRH4l1WRJNUL5V2Y8hXWx+MW9hJ7QieVeT/P6ZPOFZTJFPiytzBbLWOanTMMDNxA+dYjk3gRRSX2dVdzqvgUTVemVT7V0YgXCkU4td8deXgtKMpGGh+zfLxmz+5Sp8ANP1GgZcJr0DxncPqh4MI73NVeNWuY+Y5+S5yW5d3Hr+ToZaWGmEYRMj31iFoZ+NjwcXGX5RwDepxfn4u7rNos+fuq+C8ZSMrVsooBbHXTJwYQ8zdKT7Ln+WHrXxcItgkAPYsps4HHu7RUEFZsYj6zMNFZgRx7ZmFP4kT3VnqEAZyBtdToAmNhQJrWXtByn1ZXFawXTepfxBEcEE5x8rcNSzHe3y4yc4fBGlkIKQbEsVnouSkZKiVVlGBjIxdrS9PCQWo+tmgTfhv5IpdQavWPmPzX5rQBCAEPXFj17wQbPFh3nCOp2FBBhtxrSYoGwu2NCgWeFLjzraM/5FnRwi8+KZwSNSS4GY1wHoj5Kfvc+pv4bHuy6iV+biH2a9osngVWhjvIztiijj56E+Bbq1GGb5sxAYOg4IDBvBQsIp2LMAvDV7bSoQSGCClSwJ2n82PC73pfYWJCHZkekBXrs+rs084a5erfKxKj/gn0dYdOe0nK7Ja1gWxyaLI1LrEc0KwzlTBnylcEFaiprFSA5d/AFMZHa0cP7PKVNBwOUy+Wec/koLYo2lfrz9YiTGqLQpE9NZdVOdOW9VAEG34zxX4qNtNzsdWI57gJ/uBnSQbEywEypYwhCRAiPk+mQ9NU5W+pBvRcKKtnglQi7nLMcZyEzDnmR3R6ZP1oi6IH5xIqA91d1+KFZrHWFKKmgduM+c6+out384jBssqntpQ7+SvKOJg0nHz00AuR/QIdBP/vgRqV5+fp8PrKPcdPB+yiZSxQNepegRufs3hdCkEZUdDIhMVncJltCibyzv9Ui8BCY7gtZtAgtsSvtS+dG8twv/ipZPbtFtwLi2wZU3QqMO7B2mZ8stjqG4gYGZuruTqFWN6nv21kgjle231WKa9eaCt3NSAeruCsAZIeaz2OfsopezX4wfpp7GhUyW3drJXxNek8Q3aK1mGBOuNDPjkKV1+dMvxk4FqnUwHoz/WSgN/tA9deQuwS8D4NCfl/2N1vfW/WJoRsLUTuVyAFI046Pe7p2kLSc4tYb5A9tm+6px4twsDDyaWjFzBhgOcKZWx7ZPzIXwUSb9HmmUdqYPNrslskxkwNYnzLXPrTFI7osbnmkWiq4fSEdrdfLWck3qHDiPo0UNXSFm3nW0wtVZeBadctOs0bLUqS49jgK740FQ9yny83R5ADMO+gcW,iv:Fr6VUfSfac5BrF/WGSTz0NUEsYAtQJmTFTLQUAgr7vg=,tag:5ch5EIGE0bz06GMBEywQwg==,type:str] jupyterhub: hub: config: CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:ptYq9TZ42TKo5c3Fkgvw+v95vjdE2haXWy+dvzftNvcJXSpBUqSLrFWAt6vhlJCQyFc=,iv:EkgSotgHOLQvFs+EEi9qA4shqRP22FCVK5tZHTadlVI=,tag:3ik5oEMbrdnlG6S2MNfoKg==,type:str] - client_secret: ENC[AES256_GCM,data:65CiR4C65xBbhI8xwxJZtp7JwWUU3qC23sVdwUv/6bb4XuP7emzm5vSZWxqOqVFt34+jlBC7zsjB2gSbtDjvruvYRwcsHKMGX9jE8fCNZWvuSZTD+oc=,iv:jKw58OrJzsRVyG/GWVcCmHjQCSdVsc7/m9gSzk01wt4=,tag:XhPvvtdH5zcMaCtnjG1ArA==,type:str] + client_id: ENC[AES256_GCM,data:tEZMVs9TkdzJaAqsbF+uNX2uwhTCnsuJnxcwJD3rSB0FXt481yze4Rs8t/5Ef/npccE=,iv:bJzGDmlZArcO3yfUO9mCQDDZI7jMDjeC66U7zvBWSKI=,tag:Xt8OKd/iFHik6a6QesR7wg==,type:str] + client_secret: ENC[AES256_GCM,data:AwgZagRLArMGhZji3jon4YVjfblBmp3wyTmqvOFg7mZs5LMiFNrlnAtTQ8oqv5O4QQfyeMGZhustlnmmWMW9Vqtxkax3zljiPfAA0zfy/Ie4t0085Nw=,iv:vwPzC67oR7vzOHEyDMs2PDc19mRRPMkIjSDScT6M0Cc=,tag:imEiXTjo7KGB9Wl2G8eyMQ==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2024-05-25T09:02:21Z" - enc: CiUA4OM7eDU34wbeCqXXw8GdYJRzcOAehya7ucaDGUX9hrN+Kv6WEkkAWX/fcYD4WjDtXbAZ+FAcVxu/mUYY1f5fOTMuBxdrjcIFOax9vRoZRIhMEkcZvTvbInh51U/hZ3fdqvmpxHFJfZxbQgK6jFRO + created_at: "2023-09-18T19:00:41Z" + enc: CiUA4OM7eFioG9yDgVwKtc0cYrU65GNcqMSDuUgnuXuq3KW9dRI6EkkAq2nhVV2TFrZOq5jktjMd4TQF1lwH/08tAyGd3vMfBmdd3Xdy3bAUUHhrPXcK6QabMRYdXPzQzgB+oBGaqOsJO7D7jT9NpeCn azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-05-25T09:02:22Z" - mac: ENC[AES256_GCM,data:r1XOu5DDG1+0vT7QDGOycKZu/ZzoWA839cz6o0ayTQTdEluyDAw4iDBKaUU4Ry8+L3mHblR0nbMLtgPNBS80GMdK01LT7LhWoh/xYW15FyITiCimVEj12sp22mDkpGeOwvN/Tco7VPqHPdWCeoWL8qa810rUvSlKIhawmX62ZXs=,iv:MZfoLMDabaeL6OAnwSuex7CiEnBWYh+52xZO6NNYoSM=,tag:YagTyO27hFR84hdA72K5fA==,type:str] + lastmodified: "2024-05-27T20:18:26Z" + mac: ENC[AES256_GCM,data:FWM3YCH5DXlFQPmPXlyNzyxadbMCuUdvR45+dgOP+wieErZILIU6Qc3oA65lmHsAZXNeFyO5Iak97x8+MnnLlmx4THDYdfntpMiAIxohpAYBaA5rDK575xFOQUeDwVZkvljD00Zjq5sUfummN4h85lQsNkHB0kp1BGtz7BsoseY=,iv:IRw83ZG/yVpEeJJ3hqwcKSf8r/Lvho8/Cj4L4qgBhLw=,tag:mLCTv+PJ0atXvLBT7nXLlQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 From 2f125c19bcafd0c7b35226fc8034c95e1be6b3f9 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 09:08:30 +0200 Subject: [PATCH 16/24] Add scopes for the binder service to use relevant hub REST API --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index dc0302fa96..c450055d43 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -46,6 +46,12 @@ jupyterhub: url: http://binderhub-ui-demo-binderhub-service:8090 oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback loadRoles: + binder: + services: + - binder + scopes: + - servers + - "admin:users" # only required if authentication is enabled user: scopes: - self From c2d5f915dc624403d259c022e6919e38b8658a46 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 09:09:08 +0200 Subject: [PATCH 17/24] Unset initContainers referencing home folders not mounted --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index c450055d43..6de4b8b899 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -35,6 +35,7 @@ jupyterhub: cmd: jupyterhub-singleuser storage: type: none + initContainers: [] hub: redirectToServer: false services: From 3523ccbc73b47db16c22f30ffd1bde191f2f268a Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 09:28:09 +0200 Subject: [PATCH 18/24] Unset other volume mounts not used --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 6de4b8b899..5a8b83faaa 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -29,12 +29,15 @@ jupyterhub: funded_by: name: "" url: "" + singleuserAdmin: + extraVolumeMounts: [] singleuser: # This is copied from https://binderhub.readthedocs.io/en/latest/authentication.html#enabling-authentication # to make notebook servers aware of hub cmd: jupyterhub-singleuser storage: type: none + extraVolumeMounts: [] initContainers: [] hub: redirectToServer: false From e72c1e88b823aa1ff41e541c501735d866e6a581 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 09:35:10 +0200 Subject: [PATCH 19/24] Cleanup not needed parts --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 5a8b83faaa..c0c2a159a1 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -43,11 +43,8 @@ jupyterhub: redirectToServer: false services: binder: - # FIXME: ref https://github.com/2i2c-org/binderhub-service/issues/57 - # for something more readable and requiring less copy-pasting display: false oauth_no_confirm: true - url: http://binderhub-ui-demo-binderhub-service:8090 oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback loadRoles: binder: @@ -56,10 +53,6 @@ jupyterhub: scopes: - servers - "admin:users" # only required if authentication is enabled - user: - scopes: - - self - - "access:services" config: BinderSpawnerMixin: auth_enabled: true From 6637088b1f8c750b0dff712fb56677d9fcec5954 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 09:39:14 +0200 Subject: [PATCH 20/24] Cleanup re-setting of default jupyterhub-singleuser This was only required for configuring the official binderhub chart which overrides singleuser.cmd, but we haven't done that in the first place so we don't need to re-set it to jupyterhub-singleuser. --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index c0c2a159a1..816c5bce70 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -32,9 +32,6 @@ jupyterhub: singleuserAdmin: extraVolumeMounts: [] singleuser: - # This is copied from https://binderhub.readthedocs.io/en/latest/authentication.html#enabling-authentication - # to make notebook servers aware of hub - cmd: jupyterhub-singleuser storage: type: none extraVolumeMounts: [] From 617292c5d7975307d3d384d83845a59d39d3dbb4 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 11:05:26 +0200 Subject: [PATCH 21/24] Tweak permissions for binder service to be minimal --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 816c5bce70..018e74dc90 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -49,7 +49,7 @@ jupyterhub: - binder scopes: - servers - - "admin:users" # only required if authentication is enabled + - read:users # admin:users is required if authentication isn't enabled config: BinderSpawnerMixin: auth_enabled: true From 7d17a3ff468a11998f834d824ac8523fd58c8218 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Tue, 28 May 2024 11:36:25 +0200 Subject: [PATCH 22/24] Additional tweaking of required config for binderhub-ui --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 018e74dc90..0f77e060bf 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -40,7 +40,6 @@ jupyterhub: redirectToServer: false services: binder: - display: false oauth_no_confirm: true oauth_redirect_uri: https://binderhub-ui-demo.2i2c.cloud/oauth_callback loadRoles: @@ -50,6 +49,12 @@ jupyterhub: scopes: - servers - read:users # admin:users is required if authentication isn't enabled + user: + scopes: + - self + # Admin users will by default have access:services, so this is only + # observed to be required for non-admin users. + - access:services!service=binder config: BinderSpawnerMixin: auth_enabled: true From 41818bef55fe7349eaf6c7f586e976f8225c84aa Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Tue, 28 May 2024 14:24:17 +0300 Subject: [PATCH 23/24] Move the ingress class nama and annotations to basehub --- config/clusters/2i2c/binderhub-ui-demo.values.yaml | 4 ---- helm-charts/basehub/values.yaml | 6 ++++++ 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/config/clusters/2i2c/binderhub-ui-demo.values.yaml b/config/clusters/2i2c/binderhub-ui-demo.values.yaml index 0f77e060bf..592170871d 100644 --- a/config/clusters/2i2c/binderhub-ui-demo.values.yaml +++ b/config/clusters/2i2c/binderhub-ui-demo.values.yaml @@ -70,10 +70,6 @@ binderhub-service: enabled: true ingress: enabled: true - ingressClassName: nginx - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: 256m - cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - binderhub-ui-demo.2i2c.cloud tls: diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml index 9299b1e29e..45bba46d74 100644 --- a/helm-charts/basehub/values.yaml +++ b/helm-charts/basehub/values.yaml @@ -11,6 +11,12 @@ adminServiceAccount: binderhub-service: enabled: false + ingress: + enabled: false + ingressClassName: nginx + annotations: + nginx.ingress.kubernetes.io/proxy-body-size: 256m + cert-manager.io/cluster-issuer: letsencrypt-prod nodeSelector: hub.jupyter.org/node-purpose: core service: From 488641fb4a96bc57e76c00901e5aa16fbd39396a Mon Sep 17 00:00:00 2001 From: Georgiana Dolocan Date: Tue, 28 May 2024 14:53:37 +0300 Subject: [PATCH 24/24] Update the registry password with the one in terraform output --- .../clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml index c0218072cb..81ed9cee1a 100644 --- a/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml +++ b/config/clusters/2i2c/enc-binderhub-ui-demo.secret.values.yaml @@ -1,6 +1,6 @@ binderhub-service: buildPodsRegistryCredentials: - password: ENC[AES256_GCM,data:K1E93Tu6Yg9lNr4h6CMiL0QFarMce3jMamLo5Cq3/epsKB/AywWnSBwGIQB2IGXgMXQLZXp1SiQTYsNH7rKV2k8bDs+u7z3ho+8fxIAGacjUmaiprJks1lVuhNQg9reEjnunFCaiG5yIk7oTlF8Vg4otX+Shnq2QJT6y6xSH3DcJcKWQjsm+MuQeMxd4HZIh7ZPTyB7Qhs7USY9e6Z13hx9BM7PkE43cgM+Clq7VRKAmlsRxYMZzyKHfl+15/4GDUKvyX/+Ywe5vX8AebJH0UJJSlsEpn/AsE4EeBBzVfEsoUatL+oBxBzewBJFl46I8srnpDTMvGtDKAZZvW5JYq7KE0JkaLRisMMZ2Bsq8aOfKALT/E49dGxi3mwQQOApqvo3lrj+5HqSySz+FhkG8a8akSmqAFy3lKVsbGS8QlLdxlMkJQm+TpZjL7xu5+w67PrWcYmtd4X+S/CbZso3uqZrwIQ5MQupBNIjx+s8WTWUdsNZGmVrNHcQdLfND/vXwuZUhtckfslG+dcGVKt5BZvorXO6FL79Lw12gT/Ua8V6tcUmMQubiRu/NkCxk7mfbg/H8eS7YAAOtgBF3NDONMq1i7zAtB4msDWHlvLV2DCR1+pDjFJgrBVGQ1OpvLYpNzeazhnH/x9q+EcqAiYi3CA6gULkiOv7Y4b1MThX6WwOWqiDF2kz+Fjt9HFsr7BnA/guGthJtrtXeOkSsol3BFaXBa0PZLTD2y5zlYrE1EYxoKrFbQewYGTJPPbv1jOZGCMj5z3jviLN9xUxBtnU6VH+kMNdmv+DtfSnJX5YiFOaNgQgBvKGNKrBvD7n2oBPB2F86HUj4A3kzPdiUFtv/vNFzqfgbEnQA8qsZmNPSSj5thU3pEmZpR7dXoasl3YJRjiZi/52H4nsIHS5/Blm1M64bl2Zj3SVTgc8ttWn1eebsgow00/ECxIArSVaTTR+Tz/dGzlEDEAsY6w5ZrNzkkJuThfso9IMvXzxLqIOsuEB5KzH4YrhZHg3oDRrHcRmbv5sP/aHDBU14/lAd9cUsgP1PaUQ2ZlOpkaV5A4BSoVEv6pMzTzVIEURTiD40l3Pq2ztXlGuU4kepFZNr5p12BdTuK/PdeZLksxkprzILFp9dEti0+U4fAvxiEpa1ZJLDB72NFFhnC0JhHcrzTDhq19skt9kt3ZX71hGdwDeMxD0D5zc//suapzSUdw8a9Mm15/PhBtO5gKT5oUwLKQbAWvhXx1cocoPmaT9bhjvgFwrpr0ZMAIGMmWL2kuaMPLZt3mEyGjn1tWtgrzksSCBNSc8B5WhmWbMxxbuCMQr+4i4GhNzFEWv+SZt9yRS29kEozSMApaKcCOeQwGOFgD2Deyy7YsSZEY54d0EO8p4uT/tNbps1pUJsDWjbTMfVrIAQ80BKRiEi6902qde2jmTmbT8k8vnQa5N+k99KexgxKqjV+c4MHZw8Ognw5wze5yColnq1VdZmSwJ5SAcVKKQWXKQGCKF2LZyQw+BrEQlZoJO9KeND84w9W7ENFUoc2w7y4ksbbg9Q9IpKS2l5y5jryAhiFtDxgiUkfp/UIvBQ/6gByyBIBtiTO2FVsk5/xsjli3ij8DNZSFUgzT4TrQqRDp6OSgF7zx1cK2B2nf8AVLk8XHqDMHfjVgWdIf0OEj8f23Wjnq0UjQIQ15ZtTs1iesTS5mGLOk50AwDpIFQFOv7QLqVbgy5zX1ll1KuLFxex0YPLQdkf/xOsPJ2DflOOdz4N/JTMNhYG8r4czCOG0FdLTDpQ8KRql8co24KGaTqyLPAEK6QE6vR5e5HJyeSDTCZweNQU2f5x2+12c4ES5bsbFQiFjiBV+ANwdqoTETRkRD6qKnV8lRxnLqi6IiQRH4l1WRJNUL5V2Y8hXWx+MW9hJ7QieVeT/P6ZPOFZTJFPiytzBbLWOanTMMDNxA+dYjk3gRRSX2dVdzqvgUTVemVT7V0YgXCkU4td8deXgtKMpGGh+zfLxmz+5Sp8ANP1GgZcJr0DxncPqh4MI73NVeNWuY+Y5+S5yW5d3Hr+ToZaWGmEYRMj31iFoZ+NjwcXGX5RwDepxfn4u7rNos+fuq+C8ZSMrVsooBbHXTJwYQ8zdKT7Ln+WHrXxcItgkAPYsps4HHu7RUEFZsYj6zMNFZgRx7ZmFP4kT3VnqEAZyBtdToAmNhQJrWXtByn1ZXFawXTepfxBEcEE5x8rcNSzHe3y4yc4fBGlkIKQbEsVnouSkZKiVVlGBjIxdrS9PCQWo+tmgTfhv5IpdQavWPmPzX5rQBCAEPXFj17wQbPFh3nCOp2FBBhtxrSYoGwu2NCgWeFLjzraM/5FnRwi8+KZwSNSS4GY1wHoj5Kfvc+pv4bHuy6iV+biH2a9osngVWhjvIztiijj56E+Bbq1GGb5sxAYOg4IDBvBQsIp2LMAvDV7bSoQSGCClSwJ2n82PC73pfYWJCHZkekBXrs+rs084a5erfKxKj/gn0dYdOe0nK7Ja1gWxyaLI1LrEc0KwzlTBnylcEFaiprFSA5d/AFMZHa0cP7PKVNBwOUy+Wec/koLYo2lfrz9YiTGqLQpE9NZdVOdOW9VAEG34zxX4qNtNzsdWI57gJ/uBnSQbEywEypYwhCRAiPk+mQ9NU5W+pBvRcKKtnglQi7nLMcZyEzDnmR3R6ZP1oi6IH5xIqA91d1+KFZrHWFKKmgduM+c6+out384jBssqntpQ7+SvKOJg0nHz00AuR/QIdBP/vgRqV5+fp8PrKPcdPB+yiZSxQNepegRufs3hdCkEZUdDIhMVncJltCibyzv9Ui8BCY7gtZtAgtsSvtS+dG8twv/ipZPbtFtwLi2wZU3QqMO7B2mZ8stjqG4gYGZuruTqFWN6nv21kgjle231WKa9eaCt3NSAeruCsAZIeaz2OfsopezX4wfpp7GhUyW3drJXxNek8Q3aK1mGBOuNDPjkKV1+dMvxk4FqnUwHoz/WSgN/tA9deQuwS8D4NCfl/2N1vfW/WJoRsLUTuVyAFI046Pe7p2kLSc4tYb5A9tm+6px4twsDDyaWjFzBhgOcKZWx7ZPzIXwUSb9HmmUdqYPNrslskxkwNYnzLXPrTFI7osbnmkWiq4fSEdrdfLWck3qHDiPo0UNXSFm3nW0wtVZeBadctOs0bLUqS49jgK740FQ9yny83R5ADMO+gcW,iv:Fr6VUfSfac5BrF/WGSTz0NUEsYAtQJmTFTLQUAgr7vg=,tag:5ch5EIGE0bz06GMBEywQwg==,type:str] + password: ENC[AES256_GCM,data:oIqMepLt8hmsRTLhbZvDigfozMw9mIW4sYn+JWamN2k/HrQWq9OkAJr17UznADanwh4ClXwHMhjUTAf77HlpdHfnFReerIzvD+DscPnp3oFMIXU50Z2iZAUdz8PwOUm5UYk2/Tj8W/gi3bs/XJsPL4udI7GMn6T38d9NdExZKA98wb2Ka24rV5SnDAhLvMgCYCDvLgGZu7fqcv9UluavhN5T1bybDJcaOHQZePnbhB+QV1j/HHWy8AnwHjFoGd2ZiErzh9NF4nNhINVpgsWAo2VMZWbFrfqgrKylzDQpPEdkuEmFZI0WhFJHMXhKW4Ab0Pp+O7Agb9ol6LYpV4O8Ji+8FmtQp+09Ch8TsK9JjPAAVKRrx1upLhcCMzqvhJXagFSUPi625AOnxxtZ33VIFqTzIzNvhCab8BU5KDQ3RdJkaHHfs5N2I/+6F/YRQWkq3naz10pDVmeZ+wPNPlCYLCCYmwiKhuHvnNB9K+tloV1PPncZxcTLJMp9QghmiMLt+nZ1M7ofnXnR5CBqYKaHxqtJ5uVU3qxeR2lUm1PunfN7CY/BmpdsBiJblflseSTJy5XCE1qACwY68H0X6+VKt9FcNrVZZrmsoeXmyuzqiWG+PgUEV6W/RSzSCjt8dQqKeKUNdh2An9fONGqipNqfLnHKFppcwi+cCg7kQzwhTFS2mgmTLuJgzu3MGaCsBbWFOSOeNy8P//Htdk3UzUPlJV9Q6KNFTGzHuHWTyZGXTY+mrmG1YZ4QJvOAvve5Foq3L7f/YV9J+50l86aQCrdBZDOeN0FVfw8MamOt/0VeX2IdzDKgSL2cXjAlq9nEXSOZTqZ2wDFNUl7sKPD6Y/eh4+GbsA4V6+rJ28IaqWNBOaIFeM77Jwejc+C4umCW1q961ojR2WHJWmQv0521VnMk/GWOJIIyUWR6qDsyDXBqdTdnW4AiAuTfFissnrQfEVyqw180x+8L1+vvN9hMfOutNgdyQO1AR38/qYNuWENSoefZkoHoYb+k+Bo8if/CK+P9VzdnQtELx+SYkUm9I5ZtBoeR3HJtvYkwi84tOFM9RNQBR8LyDIViRf1x9dIdJDhMFldVDY/ubci+EpVTVT5qOyuTRSlKio7boi/aO6JP2fGPLHdUW87ViprRQko3NfBpYsH5GxEeiF2mLv39g6RCHlaqLK5Ax2/bXoE30GRZz7NF5mNVa0lFFQaPS0HM/Xr1vzU/HzFlfwdBtQIJ08qT2qRptn8qKTmByH5FZNa4NBu+d4rHhUuku0+W4iMHHM2ZSqlGODr5ZtMwQb1uNiBg5bJdeRJoCx3CN8Xb5qS9rZ/+5pGDwJqEhHDoJBL55bDKvS40mEU60HGJfvcAUj3GNl9Dmj/IhDuSoX3Uwj/ZgMlEn4S16DmL/lMzdXoqmLbkknXOc8wW6CJKIErQts8BpgP4VpOwNCdHLMcNkh6tSm+rPCShg+i0REj/4SACPNGiMvTBy133AXZuYCKKWrJsVbSgnk9xDp1JSppnnJyxdMyWDe6L4Ebathg13o4Bs8iNrnOhnTtu2UDaKawHi9A/WBuhGG0/vjZ8/1Zd1kxHtNF7H6NmHA0c7XFRvqqHxyK/GCCnpTTUwEzbG+AumVAFGl8RXQOi6OdCuvNxzX5bsWtxOdFJPc9s4ZsICduSeo9hemS5sqwuNrQKohFCjEGOmg4ET0R6nA8JChN4QvO53KqonWamuCKwtErh+IeIucuWWPN5sPfEcaPCUw6kezNZA5JcwR1FzpGnhweImU+GKVomK1C8GhlxTsvlpnPlHJXE7pr66CwWTqaiRkIejdVQViD2U0fPQqBdvWn360Eafgt5GkzUcMb1ylUKWUBw1rOe57QSV3R9XQrywvgQmgjMx6Vh6etNbmi2bUw0CCy0BkQH4Yoat/FM9HcCyMkxB4pq0q6sPVI4NJKZdEAzKbwSZjcyzcUvTR3RWLtJDy/QBguoO3f3q55ofvdFhkDhVpRK4cEX7YpbFpEBQcnFkyPQMSPQN3Gc6QvaLS3yktX4uhS0NhIcknvkeLXNBnQDYWwE6uCEQsVVQD27ehB+dGwMzzKhTGwLL90xH1Lv0u1vONTPLRCVmak8eVEiS0iDbVM4rtpHLgCZ/Bu772yvzFdGDjUX3yMRPFuJbeVhzPRT9pXneCNGOngVV8ijSXn51Y19+7DYqRjzAi/DYX3LY9FyVi1UhLLPeT+wfxOfter/cts+lZMPDCfcSjTqD+DNYT3psGz+F19InjoYVy4xRlggOvo3GPLRnn4gbaGiGh4i4JK1VM4O/j637UqoRaWlMBuYd2aN2HnvMTnflYnr0SoNP7s28930bICmWMKnOeCjkaLPrJe/KisZRobA5FvysRU7Cv4UCq4//ejVqSV6LNve5I+EN5f/X0FkRCN4B3YyskajLweC8bnnxxLItGxV8XdCV134rACob8fUl2xf8HGGnmn+rYJxTNO2GTIlYzRAdwfydMhOT8XabB0safuLHUj/T91EDypKZJ0LDH/s4fVBHHJCybPORik7rYLdkPwsVieCKsCCClqQQPOkTjTVwImxFfYS4/xTjKT+UUsdQMS+TueZhPRWFe99SHdIX3a7d0eYA/VMFYEyAtXY719e5BOSRs4qgxA49dRT2AfyQV7RWW+qccWKopGSa2STsJfBeU/+fAFcEvejFwCYQsGG7RFOyxIR1DxI9cdI0o74agZtvZsIDij1bpmwoAh7kCjTPVNXY0LVzIGUKLAoZYfvEcGDTLHxRnrFoCnzycRvPxocK3nOsanehR+ZQUx94+Mtn378f1txtwL65G6HeKPk/M3QUAjBiypjXnvlG/Ea4TzvS6/iEBkr9HFx5fwaps2YQulnb8AtkVRFRw94V3g3KV/Zbl4NNdhAwWZc8Qxr99tQ3Wkmv7Fv2uJ0SihpcaEjjJPzZEkbD47khYpCgwfjKOId2ENNUj0PuUl1cl1x9cZgF+0cz2ySIYlFvRms9nufTQ8eczg2cV7lWZPNn53ZpNpFqrQ5/FcYmXGUSCXrsaHY+NP4KkCJmDRt0SLNBZPAa09I5WQUgx/qi07W20ApEu9jzyyG2WpMvId8OCbRJ7CYAEKjWbj4052sA6VsZMfWkBBzYK5PtdTmor9cPkt1Km4YwRMZkPFeciJxfFKIamtAY3/UCmpLOASc7H4QIl0bizLUpYxpORAUPdLGSATPiQqXzvvj,iv:O57KfiTHSPiNYyrN+rJG5weJdfsrZOUO0fyMHUuIKKk=,tag:GCvuufg1uyZw6DIg17rEdw==,type:str] jupyterhub: hub: config: @@ -16,8 +16,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-05-27T20:18:26Z" - mac: ENC[AES256_GCM,data:FWM3YCH5DXlFQPmPXlyNzyxadbMCuUdvR45+dgOP+wieErZILIU6Qc3oA65lmHsAZXNeFyO5Iak97x8+MnnLlmx4THDYdfntpMiAIxohpAYBaA5rDK575xFOQUeDwVZkvljD00Zjq5sUfummN4h85lQsNkHB0kp1BGtz7BsoseY=,iv:IRw83ZG/yVpEeJJ3hqwcKSf8r/Lvho8/Cj4L4qgBhLw=,tag:mLCTv+PJ0atXvLBT7nXLlQ==,type:str] + lastmodified: "2024-05-28T11:32:40Z" + mac: ENC[AES256_GCM,data:DHS9gRya0PThBNrc+2ImEnzLLGIKGVpCkZIn70AjxgY5XTM8oPCChsF72n7b08BEDE6muncb/52Baqbi01nkmDJZLn/TAgIhMmJHmsFYyLxwAQ4IefKOWUtm+zYjRj8ybZxwV3ZItVnoyC9bS+PIC76+HFe8hmK2dzCPt44Sjbc=,iv:AGZy4gL5eb8C15JN+6xBlg7Dctt7DJGrwVytnrtgVMw=,tag:mlbhJCJljDunsXy5FM4B8Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1