diff --git a/deployments/cdss-discovery/config/certificate-prod.yaml b/deployments/cdss-discovery/config/certificate-prod.yaml
index 0e3789917..9fd17d455 100644
--- a/deployments/cdss-discovery/config/certificate-prod.yaml
+++ b/deployments/cdss-discovery/config/certificate-prod.yaml
@@ -4,7 +4,6 @@ metadata:
   annotations:
   name: tls-cert
 spec:
-  commonName: cdss-discovery.datahub.berkeley.edu
   dnsNames:
   - cdss-discovery.datahub.berkeley.edu
   issuerRef:
diff --git a/deployments/cdss-discovery/config/certificate-staging.yml b/deployments/cdss-discovery/config/certificate-staging.yml
index 00d44a746..8c1bb5d27 100644
--- a/deployments/cdss-discovery/config/certificate-staging.yml
+++ b/deployments/cdss-discovery/config/certificate-staging.yml
@@ -4,7 +4,6 @@ metadata:
   annotations:
   name: tls-cert
 spec:
-  commonName: cdss-discovery-staging.datahub.berkeley.edu
   dnsNames:
   - cdss-discovery-staging.datahub.berkeley.edu
   issuerRef:
diff --git a/deployments/cdss-discovery/config/common.yaml b/deployments/cdss-discovery/config/common.yaml
index feebef22a..e9b774b3f 100644
--- a/deployments/cdss-discovery/config/common.yaml
+++ b/deployments/cdss-discovery/config/common.yaml
@@ -43,7 +43,13 @@ jupyterhub:
         accessModes:
           - ReadWriteOnce
         storage: 1Gi
-        storageClassName: rook-ceph-block
+        # https://docs.nrp.ai/userdocs/storage/intro/
+        #storageClassName: rook-ceph-block
+        # https://docs.nrp.ai/userdocs/storage/linstor/
+        storageClassName: linstor-igrok
+    nodeSelector:
+      "topology.kubernetes.io/region": "us-west"
+      "nautilus.io/linstor": "true"
     resources:
       limits:
         cpu: "2"
@@ -56,6 +62,13 @@ jupyterhub:
       enabled: false
       egress: null
     config:
+      OAuthenticator:
+        allowed_groups:
+          # CDSS Discovery 2025 Spring
+          # https://bcourses.berkeley.edu/courses/1543936
+          - "course::1543936"
+          # DataHub staff
+          - "course::1524699::group::all-admins"
     loadRoles:
       # datahub staff
       datahub-staff:
@@ -78,6 +91,8 @@ jupyterhub:
     enabled: true
     annotations:
       kubernetes.io/ingress.class: haproxy
+      cert-manager.io/issuer: letsencrypt
+      cert-manager.io/cluster-issuer: null
     pathSuffix: ''
 
   singleuser:
@@ -98,6 +113,9 @@ jupyterhub:
           - 'key': 'topology.kubernetes.io/region'
             'operator': 'In'
             'values': ["us-west"]
+          #- 'key': 'nautilus.io/linstor'
+          #  'operator': 'In'
+          #  'values': ["true"]
     cloudMetadata:
       blockWithIptables: false
     networkPolicy:
@@ -176,6 +194,3 @@ jupyterhub:
   #        name: home
   #        subPath: _some_directory/_ssh
   #        readOnly: true
-
-
-  # https://bcourses.berkeley.edu/courses/1543936
diff --git a/deployments/cdss-discovery/hubploy.yaml b/deployments/cdss-discovery/hubploy.yaml
index 0c080b29b..bf0c194c0 100644
--- a/deployments/cdss-discovery/hubploy.yaml
+++ b/deployments/cdss-discovery/hubploy.yaml
@@ -1,8 +1,6 @@
 images:
   images:
-    #- name: quay.io/jupyter/datascience-notebook:2024-04-22
-    #- name: "quay.io/jupyter/base-notebook:2025-01-28"
-    - name: "gitlab-registry.nrp-nautilus.io/nrp/scientific-images/base:cuda-test"
+    - name: "gitlab-registry.nrp-nautilus.io/nrp/scientific-images/python:latest"
 
 cluster:
   provider: kubeconfig
diff --git a/deployments/cdss-discovery/secrets/prod.yaml b/deployments/cdss-discovery/secrets/prod.yaml
index 2d99c67f4..1ac3474a0 100644
--- a/deployments/cdss-discovery/secrets/prod.yaml
+++ b/deployments/cdss-discovery/secrets/prod.yaml
@@ -2,8 +2,8 @@ jupyterhub:
     hub:
         config:
             CanvasOAuthenticator:
-                client_id: ENC[AES256_GCM,data:UrY3Q95XkzlnDUMD/4db5+Y=,iv:HYe8IseA4K6o0oNl9duVW0FYbzqh8cBLOhD4GLKHn9c=,tag:qvZytlxLIXF4/U5OWCfxTA==,type:str]
-                client_secret: ENC[AES256_GCM,data:43kVDQIwaj5ecVfYkM86tRcZhZ3agnjl4u7yLkSrUz4VgpXtWg1MqKvINFBEO1KnnWNKpNwUs59t83jy4cUoXw==,iv:28dY9NYJxxtwDbWX9UYKcMKHMDM0P/WSUoX2guHdZJI=,tag:uVkDdbIhGiE96DImT3mvaQ==,type:str]
+                client_id: ENC[AES256_GCM,data:RwwBb8aGresMr0aTxopdPeo=,iv:I7cjLKhNAOX9nCDCVgQ//iAmWsqLN9WX0uaaujD7YWQ=,tag:6x7MUJwupqQBguhz78uYyQ==,type:str]
+                client_secret: ENC[AES256_GCM,data:4kZMP0+SVTjSLbRl2J2o5L5vJQEcMKDWYztWnq6MVJ8cGXllx/qiKOgFx/6W0q29gN5Y9HtQLuPeQHIjKqmJMw==,iv:QGcZ3s0RGx2sFLRz/5bzoDY3Vkp3+/C8+YG3+BsVIko=,tag:kNipaxFxXwGc0pHPkXjNxQ==,type:str]
                 oauth_callback_url: ENC[AES256_GCM,data:somy57KDSkcozagu7CwHQEk2C0rL04fzhM2b0ORJylXDwkZbSNz0CA7m1F95nVetSITWvaVB1pQYZgaFHsI=,iv:er+cQ/mojhoE+5fJ78Jpg5crgaD7RpBXveBj64D2IGY=,tag:EkUNtIVFJFFAcxlEfbogSA==,type:str]
 sops:
     kms: []
@@ -14,8 +14,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2025-02-06T00:43:29Z"
-    mac: ENC[AES256_GCM,data:B7TBragR39pBNw+w/idS6gcZL/U/OkHMf7SSX9e5Qc1rBYML2sZEMk/ArfHIAdpfdZ9T5NAK6EWOa9E/eE19+7s6vJ2dQpGrTP1ogFLQ1BNma/8PFQE/XqDUrejfTQmn2cw1vcgBm2MVvkRNTUcSgwMSAKZLOJ88upGXr1DvBmc=,iv:vhH08kOhtMCaMrD+yEHyDi4diYXyCMqUSjSKm+Uw+rQ=,tag:R72sGDE+4ZtrZc+DVwlxgQ==,type:str]
+    lastmodified: "2025-02-06T22:24:18Z"
+    mac: ENC[AES256_GCM,data:4dDo5/YepQBfzz0NDNeza8RvHFqIPkLa5d/JZBSzCbwB1e9lfoS1AX83WBv9a3gC5Dq1/IcfgyD5p7BwZEChROiB70oCtJPnrK3TNnlnG5AEz7xcJ8BHRFXvmPvEdKf9qNoWMqcQ1jFEWcmSiRPqASc/EAnrXf0NCo+dvQxRSXM=,iv:gmQVtF74qgv4kPCjzgMxymYkavaIM5Go/e3rdhUmXvQ=,tag:nNSdPLOCoRWOmUkKw63M2g==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3