From c38633eb8c76de9c8173aafde72b3bb4ea26abd4 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 25 Sep 2023 17:47:41 +0200 Subject: [PATCH 1/4] meom-ige, terraform: add n2-highmem-4,16,64 machines --- terraform/gcp/projects/meom-ige.tfvars | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/terraform/gcp/projects/meom-ige.tfvars b/terraform/gcp/projects/meom-ige.tfvars index 144d4e461f..7f51b0bf89 100644 --- a/terraform/gcp/projects/meom-ige.tfvars +++ b/terraform/gcp/projects/meom-ige.tfvars @@ -15,6 +15,21 @@ core_node_machine_type = "n2-highmem-4" enable_network_policy = false notebook_nodes = { + "n2-highmem-4" : { + min : 0, + max : 100, + machine_type : "n2-highmem-4" + }, + "n2-highmem-16" : { + min : 0, + max : 100, + machine_type : "n2-highmem-16" + }, + "n2-highmem-64" : { + min : 0, + max : 100, + machine_type : "n2-highmem-64" + }, "small" : { min : 0, max : 20, From ee87fc7ff8322c9a27ab6e4302d7997ddd876958 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 25 Sep 2023 17:49:32 +0200 Subject: [PATCH 2/4] meom-ige: transition to GitHubOAuthenticator --- config/clusters/meom-ige/common.values.yaml | 28 ++++++++----------- .../meom-ige/enc-prod.secret.values.yaml | 10 +++---- .../meom-ige/enc-staging.secret.values.yaml | 10 +++---- 3 files changed, 21 insertions(+), 27 deletions(-) diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml index 801aed9ce5..83ecb13114 100644 --- a/config/clusters/meom-ige/common.values.yaml +++ b/config/clusters/meom-ige/common.values.yaml 
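Review bot: `max : 100` on the new `"n2-highmem-64"` entry of `notebook_nodes` (and on the two other added pools) is a high autoscaling ceiling: it allows up to 100 nodes of the largest machine type, while the existing `"small"` pool in the trailing context is capped at `max : 20`. The later patches in this series open login to a temporary event team, so this cap is one of the few hard bounds on how much compute a careless or compromised account can cause to be provisioned. I would size it to the event, for example `max : 20,` on the `n2-highmem-64` entry (the number is a suggestion), or add a comment above the entry saying why 100 is needed and which project quota backs it. The `notebook_nodes` map continues past the end of the hunk.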
@@ -83,30 +83,24 @@ basehub: userScheduler: enabled: false hub: + allowNamedServers: true config: JupyterHub: - authenticator_class: cilogon - CILogonOAuthenticator: + authenticator_class: github + GitHubOAuthenticator: + populate_teams_in_auth_state: true + allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff + - meom-group:hub-users # long term users + - demo-dask-grenoble2023:demo # temporary users for event scope: - - "profile" - shown_idps: - - http://github.com/login/oauth/authorize - allowed_idps: - http://github.com/login/oauth/authorize: - username_derivation: - username_claim: "preferred_username" + - read:org Authenticator: - # FIXME: In z2jh 3.0.0-beta.1, a truthy allowed_users implies - # allow_existing_users=True, while in z3jh 3.0.0 this needs to be - # configured explicitly. - # - allowed_users: &users + enable_auth_state: true + admin_users: - roxyboy - lesommer - auraoupa - admin_users: *users - - allowNamedServers: true dask-gateway: gateway: extraConfig: diff --git a/config/clusters/meom-ige/enc-prod.secret.values.yaml b/config/clusters/meom-ige/enc-prod.secret.values.yaml index 549006b331..dfc2e0ef09 100644 --- a/config/clusters/meom-ige/enc-prod.secret.values.yaml +++ b/config/clusters/meom-ige/enc-prod.secret.values.yaml 
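Review bot: The `demo-dask-grenoble2023:demo` entry under `allowed_organizations` grants login to a team whose membership is managed outside this repository, and its only marker is `# temporary users for event`, with no removal date or tracking link. The same team is listed again in the `allowed_teams` of the Grenoble demo profile added in PATCH 3/4, so removal has to touch both places. I would extend the comment here to `# temporary users for event, remove after 2023-09-27, see https://github.com/2i2c-org/infrastructure/issues/3126` (date and link taken from the comment in PATCH 3/4). As far as I can tell, dropping the entry only blocks new logins, so existing hub sessions and running servers of those users would have to be ended separately.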
@@ -2,9 +2,9 @@ basehub: jupyterhub: hub: config: - CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:xIMwdp4OmWwc1w0H9Grbhv6g+CpATbn3rScgJlShpcte1LzDqeVgLvBHiLrUMo/Xi70Q,iv:5f5lrIHUrtbN2M74b9OPefH4WRCmlm36yToX8Wsziss=,tag:WUCXxLH38iWWHnW/1RM6cQ==,type:str] - client_secret: ENC[AES256_GCM,data:tWeX8fYjm/xCXcRGNiHqby0D1b1HKGZ6j+wkF1F8TMR3JuzGEhXLI6j2HI/TgenX6/Ai0v/y16OxG1Ae62KaWJLa0YRtIhONN/XDOKFZppApKm+P2A4=,iv:Mqs9fuH3rzoFUipiocz3irGTHS65ymQOjigdlhOBmFs=,tag:9dCcnlMlH3+WHDZlVSzcNg==,type:str] + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:20CT8KFoVZy2P4Od43no0lAVhCU=,iv:Arlo3GtDraZv8eatIL4/JIMLukIyIUyD75SLL3sxa9M=,tag:SvulfupLUmpeaT7+PNhZqg==,type:str] + client_secret: ENC[AES256_GCM,data:BocSICHjaMSsU+z6HtufNWpIvmnucu3PZM9UUSxElgkPt8SfxFpjXw==,iv:q+maJU6vHU/XJHWRCn8SCpaNYVfE7w4YczcwvV65u7E=,tag:DBJ2ifD+es8wykPEZ7jfbw==,type:str] sops: kms: [] gcp_kms: @@ -14,8 +14,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-13T10:17:09Z" - mac: ENC[AES256_GCM,data:h7iNgvpiwxTARQxz8/MGI/xOf0vC7BK3xZ/CBJF4nYofIdKltVAwqHRX/ztLCpzCMRZ6BdyFUIIHVAWxIIQTVFT0l/Cp9f/cxvoddHKzx4cerA9WC9Zv8lmdgCIL2irFshyNFm/7BQmTTpjLDGmt9OW0/wZflyJCAC7uWNaiMRQ=,iv:l84Ikdxm9pv0/tihz03sAVIfMiUPzj56ayefwolJ7JQ=,tag:DBaGopzzB8FWce4VZFchfQ==,type:str] + lastmodified: "2023-09-25T15:34:20Z" + mac: ENC[AES256_GCM,data:A9sAboZs2rn/ncU/v0WRAtENRsbg/e9Astg+7AaiIyZOICS8qqY2w+rQ5kJOdOCWZZ77XUFdiMEeKRaTwy/0VLVE4tHtFUBROwlPmvX5bxhnLd0qSPFjoP0Z+k4JHl70pSF1IWDLT5EzHdc+6jARGqO+Ssgc6+kYCT+ezBGcPNA=,iv:epR71c+eqgZPbolP7wD3nm0cZt/YxrN1O5pziE1RdsQ=,tag:95qKL+q7/sDMrSPaye/D3w==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/config/clusters/meom-ige/enc-staging.secret.values.yaml b/config/clusters/meom-ige/enc-staging.secret.values.yaml index 432042469f..e015215ba7 100644 --- a/config/clusters/meom-ige/enc-staging.secret.values.yaml +++ b/config/clusters/meom-ige/enc-staging.secret.values.yaml 
@@ -2,9 +2,9 @@ basehub: jupyterhub: hub: config: - CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:yx2uzwGKf+WEoG+pyGKzkA0NvoayyW1PXJ+dtXwf0sHnohOUkGsQmWt7mLBm2d6sXzc0,iv:axmz1xSTtAgNgEXnFuQ1Af0ftDqxu13KABtZIixmboc=,tag:dZA//khE2//4d4+3pT+F+Q==,type:str] - client_secret: ENC[AES256_GCM,data:MAjP8OZLLJlL0moBRR13xc+2dWcVkFMi6O0U/6m+pcZeCD8HNw2Jo9mX0cHzHciGD6a5Q63iFHiMKR/i9Nnj7kddBW3mnp1ZCO+qpFvoR4JFE3VJ2/M=,iv:zNMIhEL8/RbKk3Ss0UljkzHntRXPzvrdOTZTciH51FU=,tag:mDCSDz671bJ291nPccD6zw==,type:str] + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:Cj/DCB17LsiBb0wTPmMTZzyeeVY=,iv:smUgveZ51h6I5ysRzirM1QZOI72pfP92FhoDUC89fNM=,tag:Kph3L3FdvfPKtBn2IL7/tw==,type:str] + client_secret: ENC[AES256_GCM,data:Oql9Tpcd8T/Oot8Nq/4A8B/j0qtPZhldq4ZRMzu5O/5aUcJX/P5+fw==,iv:ejOc3X/H4lncpRz5IsiLtxcuWubuVKcg2Ir9/NhaAPA=,tag:eXo5cwT8CA73wIaMKdHNpw==,type:str] sops: kms: [] gcp_kms: @@ -14,8 +14,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-13T10:15:46Z" - mac: ENC[AES256_GCM,data:YTpTnlBaZaya4DY1D1/z3SjHrjtAZ/JJmgwa8urrNz7CgQOu/nreWbO6+xalfEKJS7F8jl/rntPOJC/B5V38/gu77sTH31snGtoqMHcJg2yrP+LuEBB40OjukpVi/6cBdM4HmduXCt/ksjGsuo3rvZ9qqmCEoRv/nGg/WK3L3qM=,iv:Ph+2pjyyko4k5tWwT2OWf/pOcpFvuviSj8P5EnaNVQk=,tag:2hGU/xdfyX/C8QicHiLeYw==,type:str] + lastmodified: "2023-09-25T15:33:42Z" + mac: ENC[AES256_GCM,data:7PfLfCKajZpSyDTzOHxukoJdCVrCzdNj+k5mt/LIIoObSA/POfAVZdFhsqkeDq+mKd6uZsO+2JadQpeaeHTBZgbLzo+Dz7K+OB/HPG/W/2nwgDyIAo1ibeW0665RYkI+f4/hzg8GFKw2edjY8zCTBmb7dY88qdFgTX+bb8B+3Js=,iv:8bqwW/ldiG8iZWuo7FJplu3w6tP+376R7l+9vaDziFE=,tag:09bhG2Crp7D3W7ESI7s1jQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 From dcc80c05e7da209c95cd2ec8f04a548780669d40 Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 25 Sep 2023 17:50:03 +0200 Subject: [PATCH 3/4] meom-ige: add profile list entry for event with node sharing --- config/clusters/meom-ige/common.values.yaml | 57 ++++++++++++++++++++- 1 file changed, 56 insertions(+), 1 deletion(-) 
diff --git a/config/clusters/meom-ige/common.values.yaml b/config/clusters/meom-ige/common.values.yaml
index 83ecb13114..7b84c9a6f5 100644
--- a/config/clusters/meom-ige/common.values.yaml
+++ b/config/clusters/meom-ige/common.values.yaml
@@ -36,18 +36,70 @@ basehub: DATA_BUCKET: gs://meom-ige-data SCRATCH_BUCKET: "gs://meom-ige-scratch/$(JUPYTERHUB_USER)" profileList: + # This profile list option was added for the event outlined in + # https://github.com/2i2c-org/infrastructure/issues/3126, it is a one + # day event taking place september 27th 2023. Access to users in the + # temporary group should be removed after the event. + - display_name: Grenoble demo + default: true + allowed_teams: + - 2i2c-org:hub-access-for-2i2c-staff + - meom-group:hub-users # long term users + - demo-dask-grenoble2023:demo # temporary users for event + description: Start a server on a machine with 64 CPUs and 512GB of memory + slug: demo + profile_options: + requests: + display_name: Resource allocation + choices: + mem_8: + display_name: 8 GB RAM, up to 4 CPU + kubespawner_override: + mem_guarantee: 7.593G + mem_limit: 8G + cpu_guarantee: 0.984 + cpu_limit: 4 + mem_16: + default: true + display_name: 16 GB RAM, up to 8 CPU + kubespawner_override: + mem_guarantee: 15.186G + mem_limit: 16G + cpu_guarantee: 1.969 + cpu_limit: 8 + mem_32: + display_name: 32 GB RAM, up to 16 CPU + kubespawner_override: + mem_guarantee: 30.372G + mem_limit: 32G + cpu_guarantee: 3.938 + cpu_limit: 16 + mem_64: + display_name: 64 GB RAM, up to 32 CPU + kubespawner_override: + mem_guarantee: 60.744G + mem_limit: 64G + cpu_guarantee: 7.875 + cpu_limit: 32 + kubespawner_override: + node_selector: + node.kubernetes.io/instance-type: n2-highmem-64 + # The mem-guarantees are here so k8s doesn't schedule other pods # on these nodes. 
They need to be just under total allocatable # RAM on a node, not total node capacity - display_name: "Small" + allowed_teams: &allowed_teams_normal_use + - 2i2c-org:hub-access-for-2i2c-staff + - meom-group:hub-users # long term users description: "~2 CPU, ~8G RAM" - default: true kubespawner_override: mem_limit: 8G mem_guarantee: 4G node_selector: node.kubernetes.io/instance-type: n1-standard-2 - display_name: "Medium" + allowed_teams: *allowed_teams_normal_use description: "~8 CPU, ~32G RAM" kubespawner_override: mem_limit: 32G @@ -55,6 +107,7 @@ basehub: node_selector: node.kubernetes.io/instance-type: n1-standard-8 - display_name: "Large" + allowed_teams: *allowed_teams_normal_use description: "~16 CPU, ~64G RAM" kubespawner_override: mem_limit: 64G @@ -62,6 +115,7 @@ basehub: node_selector: node.kubernetes.io/instance-type: n1-standard-16 - display_name: "Very Large" + allowed_teams: *allowed_teams_normal_use description: "~32 CPU, ~128G RAM" kubespawner_override: mem_limit: 128G @@ -69,6 +123,7 @@ basehub: node_selector: node.kubernetes.io/instance-type: n1-standard-32 - display_name: "Huge" + allowed_teams: *allowed_teams_normal_use description: "~64 CPU, ~256G RAM" kubespawner_override: mem_limit: 256G From 6b8fd45e84b9e88371051b8de933381bcbf6fa0a Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Mon, 25 Sep 2023 17:58:04 +0200 Subject: [PATCH 4/4] meom-ige: cleanup unused demo-drakkar github oauth application --- .../enc-drakkar-demo.secret.values.yaml | 20 ------------------- 1 file changed, 20 deletions(-) delete mode 100644 config/clusters/meom-ige/enc-drakkar-demo.secret.values.yaml diff --git a/config/clusters/meom-ige/enc-drakkar-demo.secret.values.yaml b/config/clusters/meom-ige/enc-drakkar-demo.secret.values.yaml deleted file mode 100644 index 63a6010ef4..0000000000 --- a/config/clusters/meom-ige/enc-drakkar-demo.secret.values.yaml +++ /dev/null 
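Review bot: Nothing in the new Grenoble demo profile records that pods of long-term users and of the temporary `demo-dask-grenoble2023:demo` team are co-scheduled on shared nodes, which follows from the single `node.kubernetes.io/instance-type: n2-highmem-64` selector combined with guarantees far below the node size. The tfvars context in PATCH 1/4 shows `enable_network_policy = false`, which appears to mean pod-to-pod traffic on this cluster is not restricted by NetworkPolicy; that is worth confirming before sharing nodes with event users. I would add a comment above the profile-level `kubespawner_override`, such as `# Users share nodes here; isolation is container-level only, see enable_network_policy in meom-ige.tfvars`. The four later hunks that add `allowed_teams: *allowed_teams_normal_use` keep the temporary team off the other profiles only if every entry in `profileList` carries the key, which cannot be checked from the hunks alone.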
@@ -1,20 +0,0 @@ -jupyterhub: - hub: - config: - GitHubOAuthenticator: - client_id: ENC[AES256_GCM,data:wyfiCAyI8xA/1LswZTPbLzH5cvg=,iv:QJQWqyMU6EWn5KPaQZ1A5WQL3ek8drD7DRGEL9Map6U=,tag:XAvKdtdM8HPFgEIbG0QwIQ==,type:str] - client_secret: ENC[AES256_GCM,data:saZSJFR2HF5tliDaLN7A+NMcfT2JIFKnjqYRhRixUZbI7W6SABtJ0Q==,iv:RGvbki7fABSTLIWxNhZQFeLI5hxPyRw3/Nvfh2qKsyM=,tag:2kCgC8l+4KCBqb3Tqf7Hng==,type:str] -sops: - kms: [] - gcp_kms: - - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-01-24T01:25:26Z" - enc: CiUA4OM7eJ9kYc7z9T6SOX/qS9jIydZZHp7aZmUWcDxoUuWEfCqnEkkA+0T9hb996SnSYAsxXzqTttukTPvhByVWjvGdPa2CIQ+R1thrGNRlDmaC45gEdC2pxpXDDALBNPPwXQXDEdMh8pxjDWE15zMm - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-01-24T01:25:27Z" - mac: ENC[AES256_GCM,data:x/Cp0sCxxylUl3hN73IrWT95aotuUNK2tZgqMEH03cR1WG32BmcUKordtChCTAXm7Zjii1lTLbz32UIZkYUBLlICE486h7CHPA3hN4mB2CGImKCO0dUD15mnMAkAGR4of28dSyVRChme0CRMYuEU2srTjs1kd7Glzi/jA1dhleY=,iv:3+qY08IZxCkpi+HPZZEJvDDSfVywx7gftLVBx8nmYKo=,tag:jsONqV9vpXavF8jaMfRc6w==,type:str] - pgp: [] - unencrypted_suffix: _unencrypted - version: 3.7.2