From 2c49cd2289f1a45683710638077fcc5d4f6fcc95 Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Thu, 6 Feb 2025 14:27:21 -0800
Subject: [PATCH 1/7] Fix prod oauth parameters.
---
 deployments/cdss-discovery/secrets/prod.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/deployments/cdss-discovery/secrets/prod.yaml b/deployments/cdss-discovery/secrets/prod.yaml
index 2d99c67f4..1ac3474a0 100644
--- a/deployments/cdss-discovery/secrets/prod.yaml
+++ b/deployments/cdss-discovery/secrets/prod.yaml
@@ -2,8 +2,8 @@ jupyterhub:
 hub:
 config:
 CanvasOAuthenticator:
- client_id: ENC[AES256_GCM,data:UrY3Q95XkzlnDUMD/4db5+Y=,iv:HYe8IseA4K6o0oNl9duVW0FYbzqh8cBLOhD4GLKHn9c=,tag:qvZytlxLIXF4/U5OWCfxTA==,type:str]
- client_secret: ENC[AES256_GCM,data:43kVDQIwaj5ecVfYkM86tRcZhZ3agnjl4u7yLkSrUz4VgpXtWg1MqKvINFBEO1KnnWNKpNwUs59t83jy4cUoXw==,iv:28dY9NYJxxtwDbWX9UYKcMKHMDM0P/WSUoX2guHdZJI=,tag:uVkDdbIhGiE96DImT3mvaQ==,type:str]
+ client_id: ENC[AES256_GCM,data:RwwBb8aGresMr0aTxopdPeo=,iv:I7cjLKhNAOX9nCDCVgQ//iAmWsqLN9WX0uaaujD7YWQ=,tag:6x7MUJwupqQBguhz78uYyQ==,type:str]
+ client_secret: ENC[AES256_GCM,data:4kZMP0+SVTjSLbRl2J2o5L5vJQEcMKDWYztWnq6MVJ8cGXllx/qiKOgFx/6W0q29gN5Y9HtQLuPeQHIjKqmJMw==,iv:QGcZ3s0RGx2sFLRz/5bzoDY3Vkp3+/C8+YG3+BsVIko=,tag:kNipaxFxXwGc0pHPkXjNxQ==,type:str]
 oauth_callback_url: ENC[AES256_GCM,data:somy57KDSkcozagu7CwHQEk2C0rL04fzhM2b0ORJylXDwkZbSNz0CA7m1F95nVetSITWvaVB1pQYZgaFHsI=,iv:er+cQ/mojhoE+5fJ78Jpg5crgaD7RpBXveBj64D2IGY=,tag:EkUNtIVFJFFAcxlEfbogSA==,type:str]
 sops:
 kms: []
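Review bot: The superseded `client_id` and `client_secret` ciphertexts on the removed lines of `secrets/prod.yaml` remain in git history, readable by anyone who holds the sops decryption key, and the commit message does not say whether the old values were simply wrong or were a working credential. If the old secret was ever valid on the Canvas side, it should be revoked there rather than only replaced here. Since the diff is opaque to review, the description should also state which parameter was wrong and that `oauth_callback_url` was intentionally left unchanged.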
@@ -14,8 +14,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2025-02-06T00:43:29Z"
- mac: ENC[AES256_GCM,data:B7TBragR39pBNw+w/idS6gcZL/U/OkHMf7SSX9e5Qc1rBYML2sZEMk/ArfHIAdpfdZ9T5NAK6EWOa9E/eE19+7s6vJ2dQpGrTP1ogFLQ1BNma/8PFQE/XqDUrejfTQmn2cw1vcgBm2MVvkRNTUcSgwMSAKZLOJ88upGXr1DvBmc=,iv:vhH08kOhtMCaMrD+yEHyDi4diYXyCMqUSjSKm+Uw+rQ=,tag:R72sGDE+4ZtrZc+DVwlxgQ==,type:str]
+ lastmodified: "2025-02-06T22:24:18Z"
+ mac: ENC[AES256_GCM,data:4dDo5/YepQBfzz0NDNeza8RvHFqIPkLa5d/JZBSzCbwB1e9lfoS1AX83WBv9a3gC5Dq1/IcfgyD5p7BwZEChROiB70oCtJPnrK3TNnlnG5AEz7xcJ8BHRFXvmPvEdKf9qNoWMqcQ1jFEWcmSiRPqASc/EAnrXf0NCo+dvQxRSXM=,iv:gmQVtF74qgv4kPCjzgMxymYkavaIM5Go/e3rdhUmXvQ=,tag:nNSdPLOCoRWOmUkKw63M2g==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3
From 064efd4f94ee80eb0da74648f3b80971fe0fd9a7 Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Thu, 6 Feb 2025 14:28:50 -0800
Subject: [PATCH 2/7] Limit access to CDSS Discovery students. This hub is for a specific class and it has been granted access to shared computing resources. Limit hub access to those in the class and to DataHub staff.
---
 deployments/cdss-discovery/config/common.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/deployments/cdss-discovery/config/common.yaml b/deployments/cdss-discovery/config/common.yaml
index feebef22a..7918ff752 100644
--- a/deployments/cdss-discovery/config/common.yaml
+++ b/deployments/cdss-discovery/config/common.yaml
@@ -56,6 +56,13 @@ jupyterhub:
 enabled: false
 egress: null
 config:
+ OAuthenticator:
+ allowed_groups:
+ # CDSS Discovery 2025 Spring
+ # https://bcourses.berkeley.edu/courses/1543936
+ - "course::1543936"
+ # DataHub staff
+ - "course::1524699::group::all-admins"
 loadRoles:
 # datahub staff
 datahub-staff:
@@ -176,6 +183,3 @@ jupyterhub:
 # name: home
 # subPath: _some_directory/_ssh
 # readOnly: true
-
-
- # https://bcourses.berkeley.edu/courses/1543936
From 7ea88700ecfe7dc265a90a7b3398059bdf78c203 Mon Sep 17 00:00:00 2001
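Review bot: In `config/common.yaml` (PATCH 2/7), the new `OAuthenticator.allowed_groups` restricts login only if no broader allow rule is in effect, because JupyterHub's allow options are additive. The hunk does not show `allow_all` or `allow_existing_users` being turned off, so if either is true in shared values, Canvas users outside the two groups could still sign in. I would add `allow_all: false` next to `allowed_groups` to make the restriction explicit. The secrets file configures `CanvasOAuthenticator`, and a value set on that subclass elsewhere would take precedence over this `OAuthenticator`-level setting, so it is worth checking that none exists. The `config:` block continues outside the hunk, so these settings may already be handled there.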
From: Ryan Lovett
Date: Mon, 10 Feb 2025 10:02:13 -0800
Subject: [PATCH 3/7] Remove commonName. dnsNames is preferred.
---
 deployments/cdss-discovery/config/certificate-prod.yaml | 1 -
 deployments/cdss-discovery/config/certificate-staging.yml | 1 -
 2 files changed, 2 deletions(-)
diff --git a/deployments/cdss-discovery/config/certificate-prod.yaml b/deployments/cdss-discovery/config/certificate-prod.yaml
index 0e3789917..9fd17d455 100644
--- a/deployments/cdss-discovery/config/certificate-prod.yaml
+++ b/deployments/cdss-discovery/config/certificate-prod.yaml
@@ -4,7 +4,6 @@ metadata:
 annotations:
 name: tls-cert
 spec:
- commonName: cdss-discovery.datahub.berkeley.edu
 dnsNames:
 - cdss-discovery.datahub.berkeley.edu
 issuerRef:
diff --git a/deployments/cdss-discovery/config/certificate-staging.yml b/deployments/cdss-discovery/config/certificate-staging.yml
index 00d44a746..8c1bb5d27 100644
--- a/deployments/cdss-discovery/config/certificate-staging.yml
+++ b/deployments/cdss-discovery/config/certificate-staging.yml
@@ -4,7 +4,6 @@ metadata:
 annotations:
 name: tls-cert
 spec:
- commonName: cdss-discovery-staging.datahub.berkeley.edu
 dnsNames:
 - cdss-discovery-staging.datahub.berkeley.edu
 issuerRef:
From b4bcf8485508146359f4a169d46b25155d141ecb Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Mon, 10 Feb 2025 10:02:44 -0800
Subject: [PATCH 4/7] Use linstor for hub db storage. The rook storage can be less reliable when the nodes the volumes that they are attached to come down. They can't be detached until the nodes come back up, or until a cluster admin intervenes.
---
 deployments/cdss-discovery/config/common.yaml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/deployments/cdss-discovery/config/common.yaml b/deployments/cdss-discovery/config/common.yaml
index 7918ff752..4c003cef5 100644
--- a/deployments/cdss-discovery/config/common.yaml
+++ b/deployments/cdss-discovery/config/common.yaml
@@ -43,7 +43,13 @@ jupyterhub:
 accessModes:
 - ReadWriteOnce
 storage: 1Gi
- storageClassName: rook-ceph-block
+ # https://docs.nrp.ai/userdocs/storage/intro/
+ #storageClassName: rook-ceph-block
+ # https://docs.nrp.ai/userdocs/storage/linstor/
+ storageClassName: linstor-igrok
+ nodeSelector:
+ "topology.kubernetes.io/region": "us-west"
+ "nautilus.io/linstor": "true"
 resources:
 limits:
 cpu: "2"
From 708f590756d3c0780a3daefde5c3a2d482750b3a Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Mon, 10 Feb 2025 10:03:56 -0800
Subject: [PATCH 5/7] Use an issuer in the namespace. The hubs on our google cloud infrastructure use a ClusterIssuer, but we must use an Issuer in our namespace at NRP.
---
 deployments/cdss-discovery/config/common.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/deployments/cdss-discovery/config/common.yaml b/deployments/cdss-discovery/config/common.yaml
index 4c003cef5..5bfcd13ea 100644
--- a/deployments/cdss-discovery/config/common.yaml
+++ b/deployments/cdss-discovery/config/common.yaml
@@ -91,6 +91,8 @@ jupyterhub:
 enabled: true
 annotations:
 kubernetes.io/ingress.class: haproxy
+ cert-manager.io/issuer: letsencrypt
+ cert-manager.io/cluster-issuer: null
 pathSuffix: ''
 singleuser:
From f0fa0607171430b83842a56c850e89e177ec24dd Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Mon, 10 Feb 2025 10:05:27 -0800
Subject: [PATCH 6/7] Disable node affinity item. This was disabled during testing, and I did not need to re-enable it. However I think this could be a fluke.
---
 deployments/cdss-discovery/config/common.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/deployments/cdss-discovery/config/common.yaml b/deployments/cdss-discovery/config/common.yaml
index 5bfcd13ea..e9b774b3f 100644
--- a/deployments/cdss-discovery/config/common.yaml
+++ b/deployments/cdss-discovery/config/common.yaml
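Review bot: In the hub db storage hunk of `common.yaml` (PATCH 4/7), changing `storageClassName` to `linstor-igrok` will not move an existing claim, because a PersistentVolumeClaim's storage class cannot be changed after creation. If the hub PVC already exists on `rook-ceph-block`, it has to be deleted and recreated, with the hub database backed up first, and the commit message does not say whether that was done. The added `nodeSelector` restricts scheduling to nodes labelled `nautilus.io/linstor: "true"`, which deserves a comment such as `# hub db volume is linstor-backed; schedule only where linstor is available`. I would drop the commented-out `#storageClassName: rook-ceph-block` line, since git history already records the old value. The enclosing blocks start outside the hunk.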
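Review bot: In the ingress annotations of `common.yaml` (PATCH 5/7), `cert-manager.io/cluster-issuer: null` is only understandable to a reader who knows it unsets a value inherited from shared chart values. A comment such as `# unset the ClusterIssuer annotation inherited from the shared hub values; NRP requires a namespaced Issuer` would record that. Separately, this deployment also carries explicit `Certificate` manifests (`certificate-prod.yaml`, `certificate-staging.yml`) with their own `issuerRef`. If the ingress TLS secret is the same one those manifests write, the new annotation would presumably have cert-manager manage a second Certificate for it, so one of the two mechanisms should be removed. The hunk does not show which secret the ingress references.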
@@ -113,6 +113,9 @@ jupyterhub:
 - 'key': 'topology.kubernetes.io/region'
 'operator': 'In'
 'values': ["us-west"]
+ #- 'key': 'nautilus.io/linstor'
+ # 'operator': 'In'
+ # 'values': ["true"]
 cloudMetadata:
 blockWithIptables: false
 networkPolicy:
From 8ea27f0f16b8572508a3ab958f569428b41e3965 Mon Sep 17 00:00:00 2001
From: Ryan Lovett
Date: Mon, 10 Feb 2025 10:15:29 -0800
Subject: [PATCH 7/7] Use NRP python image. We'll probably need to change this again. It doesn't have torch, tensorflow, or a few other things.
---
 deployments/cdss-discovery/hubploy.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/deployments/cdss-discovery/hubploy.yaml b/deployments/cdss-discovery/hubploy.yaml
index 0c080b29b..bf0c194c0 100644
--- a/deployments/cdss-discovery/hubploy.yaml
+++ b/deployments/cdss-discovery/hubploy.yaml
@@ -1,8 +1,6 @@
 images:
 images:
- #- name: quay.io/jupyter/datascience-notebook:2024-04-22
- #- name: "quay.io/jupyter/base-notebook:2025-01-28"
- - name: "gitlab-registry.nrp-nautilus.io/nrp/scientific-images/base:cuda-test"
+ - name: "gitlab-registry.nrp-nautilus.io/nrp/scientific-images/python:latest"
 cluster:
 provider: kubeconfig
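Review bot: The three commented-out lines for the `nautilus.io/linstor` match expression in `common.yaml` (PATCH 6/7) carry no explanation in the file, and the commit message itself is unsure whether leaving the rule out is safe. I would put the rationale above them, e.g. `# Disabled during testing; not yet confirmed unnecessary. Re-enable if placement problems appear.` The same file's `nodeSelector` does require `nautilus.io/linstor: "true"`, so the two placement rules now differ and the file should say whether that is intended. The affinity list these lines belong to starts outside the hunk.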
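Review bot: The new image reference in `hubploy.yaml` (PATCH 7/7) uses the mutable `latest` tag from a registry this repository does not control, so the code users run can change without any commit here and nodes that pull at different times may run different contents. The commented-out entries removed in the same hunk were date-tagged, which made the deployed image reproducible and auditable. I would pin to an immutable reference, e.g. `- name: "gitlab-registry.nrp-nautilus.io/nrp/scientific-images/python@sha256:<digest-placeholder>"` if hubploy accepts a digest in `name`, or a dated tag otherwise. Since the commit message expects the image to change again, a comment naming the source project next to the pin would make the next bump easier.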