Merge pull request #2699 from GeorgianaElena/opt-binderhub-service

Add new hub 2i2c-imagebuilding-demo with binderhub-service enabled

config/clusters/2i2c/cluster.yaml

@@ -51,6 +51,14 @@ hubs:
     helm_chart_values_files:
       - binder-staging.values.yaml
       - enc-binder-staging.secret.values.yaml
+  - name: imagebuilding-demo
+    display_name: "2i2c image building demo"
+    domain: imagebuilding-demo.2i2c.cloud.2i2c.cloud
+    helm_chart: basehub
+    helm_chart_values_files:
+      - basehub-common.values.yaml
+      - imagebuilding-demo.values.yaml
+      - enc-imagebuilding-demo.secret.values.yaml
   - name: demo
     display_name: "2i2c demo"
     domain: demo.2i2c.cloud

config/clusters/2i2c/enc-imagebuilding-demo.secret.values.yaml

@@ -0,0 +1,23 @@
+binderhub-service:
+    buildPodsRegistryCredentials:
+        password: ENC[AES256_GCM,data:4qQby5ze18JvIyJZH+UO/fUTXb790fXQsdfqj9SqINGg4KVTWuRq5ubAhJIH2vVeCY2dYDT4OYP6vx8hKKZZKeec4NvypFsgEJHp38bQwSX4Bo13vdd2hMXtpqbG8uZh/L1gE/VJx4Jn/F1zyETyJcmLo1gRg7F2t0wBlH7GaQ0kr2+HYKphP73EJ+WAPx3FtlEp26OsxtwCRBIsdmX6eXbyScsPTFpTpZORy0wlC9Lqne+jgYQubs07lx5pKjDcXweEhj9/7DPff04sUep7v1Ww9GpuW8QRI3r7Hx0zh3/Cl+sjrdOMxpnHfQYFRRdoanF8tQCrsaaRicQAftpMLtfm8KDMWXh4kJMfCwYyDbJZRfszMVWfE+QRmMt4+oj2g1/r2y4A4T+3u7KBQslDeanhh3lqO3JS5XjQvL0W4Wln1kONK778iG4iAR+TAo5m4ewufqTRKUBos4XnD5PuN6KXoom81skn2JV/1BR8UKjmDH26ZL5s1KujK8wujd8urzIn/z0kVPj19Ibba0Jm2FavtF2WQmBdWmGKWBGIAqt4GCo+hk3I4qsNFLN9JBpDuPpqLERbEx1U4kB0d9+tlVO7Z7/+nTaN+Qoq4GygRT6IgwLgwMkqWBdR2egEh+WXNyLeMnZYWmZEONQt1pCM2ZUwrg1dBaF24QowCTyEsdI2ExnliJv2MYFJeugJkXK6Dukd7XINVmdEBJfPOrZQjMThSMhaqhl5A5HUcch9k11PSa2SpW5jIA9dKqW9i+UkZy3V/uy1hC4d4NAwMMP9q+JG3b7xvlnkV7tkGbOGP94lnOzUdZQGTIcIUkQzQi60KHmDyC1T/JgJff4PEf9QBfqMb5nUdOggmotA7Ifbw6hakt7wvX4ILuGFonkjt6kgN7ujdKAt360teSkpS9wYoZsYZlxZEsiHmobpeU9PAjXp1AiFLpEVPXp6rJh5G1WReB5U5jZAqz1IZOwpzy5PKAapuPbSQClFicVHuL9xmOCNGs70mQhrmXQiA5mpkwzPrLJt383jCyoPr4J6kz5xFGvakxps+VtcolVuArK98ToDDfQ+OLtUO45QL18B/MlyaJfM+OOcPW61CMv0t4dUm0SKhb9fN7SzyoYzYl+/dRRNG+oaM0fGXP00Um3xV2ceeuN6m0VwvFCJFwoK8AiyJo/PKufAhJPhHe7bp3syZlEF/u093Vq2gnxExh/g0716g1S1vJRBGwxWopQqCMVc4leUxNouL4HAas6otR2f6hMnhJb4N1cffg5hkoMpyfxDLN21Tc37/uljvzvl/baZPD4vf8IENQ8rdjbTAPTHsHQ3UcOk09OaVy02rHOvdWcmobggoC0IgN+HRQ51z4OdLnD241xQdlbHbncv2h1nSoiA+KvZBI5gAqg8n0P1iF0sdAymRkU3EIjN+GvLX+NiN7oYUTKyq3LRIKr2na0+BGVxOBx2Q7+53gscjb34weGqIxJf9PqNYAKnk3S0zNujYyAylj+jMbx/C4Ok2X48Psb/qmeYKUBjzTM4+CqxtS/5IKnYrvAWcaPu5MCBfrkla2pu1yaLHmZC0PdcRRkBD4easV4ZA5cWrDuLqYpij5C2NC0J7y+Ai9ujFEx26ApM4do5Yv+Cor92a7Sad+apn2P/kG5optZYEuj7oWKqPUD5aE8tVLSMsioVNnREUzd+RRhmhmYLcnhYmXR0j5UaIHjvTTHBxZcfcrA3ObVlt6D3ZlxeXWgcq3nkK4LkbkupKu3gnPssNWfRK8cLZ7x1adeve12wYOlS6V0J+LjvLXQWSR+HtGCN0atYW6UlNhDCkXaxNeCiTHcCpC06faIXY7FMIFMAJcsCz4hVZuyRPpc1MhkXLvjHh/etc9W644eTBtcmquk9+iMwAcrR40OD7HaUSiUHFjpp5rzhnvD7ZsMYuRbNLsLG8x+2WZLVjGjdBVY/k+7QUa9+5UIu5X6ma05Xkd3Iz+tRQgdkYLoO960pcu0iAbPsP4jG0GBeLOsCnz0lOPgWq0QcrMqMIIuEim+DC2/w+P6GUtCw4xupR51j2sahCZjoTrxOjifny8067X0a22DTgRbp/3VmJTPzOCx22TuQ+KfAd5A/s7YAa+ILB1lmV0cNqc3EDrtuypCBglG5h3VDFFcs66LAJeJ95GF6SqHdq7krBXNoDcxEFPIHdQvLOEvLgN0APD3ncFmUun00t24NQQcn9PwFo4yojaC9s3T8dgHNeNrcSXPWmzeheY/APWFUzxC0mvT2MWmATf1B7BWj1NqFnvaOaTJu+7uVICZlDgzvEp8yldDo38COGltBc6nEmkomiTrfA3z/w03BkfASg90f6fLMm/dtKyz+3/DN91hO5AjeC+N3mLwb1P/TBSqk74H3WxcdDXVLcpLMZ53xfe5Jm9JxHUEyWIxiF7sE3inEo5IotW3siXxjDd8YQgm9D3dmL4F1nvjz7jIZDHZBeq/vRKmdBVaVQpOiQHfToX6ZUL+oOFbRbzM4+hOJwtAVHKkBB9Y0NmdncbHlcf7sTyy0nZ3ubkNFW+njwR1iAr83k7XLYVZ4237uhmVixZwEkFDZ5+iRNWN03sfNzOgdZdOvziXirpGduWjVZeCYn0tb6BJTJy4kfXms+B2oDQZXpzAzq/znjGIyOYjC9odNfpYmBxZHdBzxoLMeCSRxBTydaFIUPnC4P5kulInNQ30WFTB2nfN+RCOk4PPDO6INVnOu7l2dcqLj0eQqIp13doed/QkwvDr6+sUMmEhFnNR0H70hbJIFvdY9Fu9nrB/GbNvFqIcTNPRy0nWA9SmW4jYDdML6nJ/nrAwptri237b8yh4NI7J4obaOoRUJtwhFOzv+jvS9eQtOYakcRYkMme2DtLHDfgbp8+uoOUf0d2HF11bFW2v7k6/pcgg8iPLoX7L6gzWmyHYKE1nG+u9NTNx/FqQSnzZzOsDAAIHs1Ydua2GOA8w9HoYFy8xAmvz9T4Cm/buZlEnPJN1bvtf8HTZktEmhhP2jr14q9JYl6HWxyQyJx12UAvJrh2toMhLC6KKak1C6GHYV6m1dr8zTZLAV/gV8Kv5+fAJpfg3Au1ZEcgm1NlIEOPr9JHsDdC4LBvL2vsBil+lALykoTrlIUy7ea7G8FNK3JMXwNkaXIp2qw2+QWIrFsVWIrDimi46kJ2MIfpbtXmtaVuAMGr3XMQzl,iv:0+34W6adUVI8wBO4oWTYX1LpFBrV6mxz+zh4FTUdzQw=,tag:CnErqoj/esIP3b4OKfoj0g==,type:str]
+jupyterhub:
+    hub:
+        config:
+            CILogonOAuthenticator:
+                client_id: ENC[AES256_GCM,data:v3yiJA0ir2lC1qf/1ih5iLLdfiBSg1B+XEREYcrHwF0j+Srx7LV/3AKsWEHKnFB3hOw=,iv:oEcT6PsStTBiYO+GLREnLRTCR7eLeaHdqHWWRRrbc0E=,tag:hx9TAfhzKMqgexWhNd8H5g==,type:str]
+                client_secret: ENC[AES256_GCM,data:+U2J6N0R05DfCwhcest0oBRXv1356e9jeGQTR57Pum24MaE4xFLSt5uQsT7bOAXKF/s8lV1vrDomoPBGuhZ+3t/iCFlS/9KYsDCBLbjDBR/MZFWWWEk=,iv:tZqmBcBhe84BQrNaTEnYTMt9lG4KDU/OJlKYMHqxEf4=,tag:I3X3K+OH1JjKpSFwITvUHw==,type:str]
+sops:
+    kms: []
+    gcp_kms:
+        - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs
+          created_at: "2023-07-17T08:45:20Z"
+          enc: CiUA4OM7eMiDjL9h2JVoUk0z51mi94Tov+v2PxCEx9zTshKYF1HlEkkAyiwFHGf++4gB28i3Fcz+7sjHshU7Jd9nogf3dtzpYqZ5AqreK8ONJ3gQTl1WVOjMiDEUrHhWSydPJuO0FR180PtVqAzkQfkz
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2023-07-17T08:45:20Z"
+    mac: ENC[AES256_GCM,data:m0mqujIYiJfZLUKy9/jmXpIn6sypJkZ/GgJNWMeEqaecUUUvtnMNsCzzWxojWd/cMkQJCGEoTbswI18sA2j/J0jewdnziTvPfQqvf52nHwSDfRdiqWKneX+TAJxagSxfK2FTurRGRIGqgv4jqT0ATO3CqNhyMSWifBeGW7q9QXY=,iv:jJd+1AxYIBz1GkuzaPd7SzACh+iXFLzcEPe3eEEnNVA=,tag:DPoo2i8YmEUQZ4Q2Y7BF+g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3

config/clusters/2i2c/enc-staging.secret.values.yaml

@@ -18,8 +18,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-03-09T10:59:06Z"
-    mac: ENC[AES256_GCM,data:RLYpW3qeNkUfreFfwbW3an7k/weE2p/Fu1DXBGd0/GgEyPsy9jQj34w66fT5DFWJFcIpSEvAty3hzB8S4Y0NEATooahD5T6cvvi3GD/d9b+V1pXjeFNpigQ+SRkwUghfajy2LcAVdXTDeorR0V8zlSj8lLUuu51PSeB0UkC5L00=,iv:7blbojnWaAE46D6JgZiXpLEbXWHeup8o7Sh1pehedOs=,tag:ZFXAd9Rw61Bgybla23g1yg==,type:str]
+    lastmodified: "2023-07-17T08:46:09Z"
+    mac: ENC[AES256_GCM,data:3eQh2pOL/wS69S1nijx2lZrcUlG9nxvbQ5KpCrbPDx0yLfjBkAbg4FR82oeho2CwGHi5nky6X4VrxOIZAPgqgOntJ1QzARr1i9QgYh/klTQfEaLpa7ytciaUyXYebQBgGp1seIjug3U4k3aloGcQu4AbBLQRjCe8F2BMOahWTlU=,iv:NV8ao8uAd/c+ab799C4IzN4m1UoJzh7SPuFq78O+crs=,tag:JAJVl3KRDUgB2e0ynBaqlg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.7.3

config/clusters/2i2c/imagebuilding-demo.values.yaml

@@ -0,0 +1,74 @@
+jupyterhub:
+  ingress:
+    hosts:
+      - imagebuilding-demo.2i2c.cloud
+    tls:
+      - secretName: https-auto-tls
+        hosts:
+          - imagebuilding-demo.2i2c.cloud
+  custom:
+    2i2c:
+      add_staff_user_ids_to_admin_users: true
+      add_staff_user_ids_of_type: "google"
+    homepage:
+      templateVars:
+        org:
+          name: demo image building with binderhub-service
+          url: https://2i2c.org
+          logo_url: https://2i2c.org/media/logo.png
+        designed_by:
+          name: 2i2c
+          url: https://2i2c.org
+        operated_by:
+          name: 2i2c
+          url: https://2i2c.org
+        funded_by:
+          name: 2i2c
+          url: https://2i2c.org
+  hub:
+    config:
+      JupyterHub:
+        authenticator_class: cilogon
+      CILogonOAuthenticator:
+        oauth_callback_url: "https://imagebuilding-demo.2i2c.cloud/hub/oauth_callback"
+        username_claim: "email"
+        # Only show the option to login with Google
+        shown_idps:
+          - http://google.com/accounts/o8/id
+
+binderhub-service:
+  nodeSelector:
+    hub.jupyter.org/node-purpose: core
+  enabled: true
+  service:
+    port: 8090
+  # The DaemonSet at https://github.com/2i2c-org/binderhub-service/blob/main/binderhub-service/templates/docker-api/daemonset.yaml
+  # will start a docker-api pod on a user node.
+  # It starts the [dockerd](https://docs.docker.com/engine/reference/commandline/dockerd/) daemon,
+  # that will be accessible via a unix socket, mounted by the build.
+  # The docker-api pod must run on the same node as the builder pods.
+  dockerApi:
+    nodeSelector:
+      hub.jupyter.org/node-purpose: user
+    tolerations:
+      # Tolerate tainted jupyterhub user nodes
+      - key: hub.jupyter.org_dedicated
+        value: user
+        effect: NoSchedule
+      - key: hub.jupyter.org/dedicated
+        value: user
+        effect: NoSchedule
+  config:
+    BinderHub:
+      use_registry: true
+      # Re-uses the registry created for the `binderhub-staging` hub
+      # but pushes images under a different prefix
+      image_prefix: us-central1-docker.pkg.dev/two-eye-two-see/binder-staging-registry/binderhub-service-
+    KubernetesBuildExecutor:
+      node_selector:
+        # Schedule builder pods to run on user nodes only
+        hub.jupyter.org/node-purpose: user
+  # The password to the registry is stored encrypted in the hub's encrypted config file
+  buildPodsRegistryCredentials:
+    server: "https://us-central1-docker.pkg.dev"
+    username: "_json_key"

helm-charts/basehub/Chart.yaml

@@ -13,3 +13,7 @@ dependencies:
     # be found in the Dockerfile's comments.
     version: 3.0.0-beta.1.git.6208.h7b44299a
     repository: https://jupyterhub.github.io/helm-chart/
+  - name: binderhub-service
+    version: 0.1.0-0.dev.git.80.h358d32f
+    repository: https://2i2c.org/binderhub-service/
+    condition: binderhub-service.enabled

helm-charts/basehub/values.schema.yaml

@@ -207,6 +207,17 @@ properties:
   global:
     type: object
     additionalProperties: true
+  binderhub-service:
+    type: object
+    additionalProperties: true
+    required:
+      - enabled
+    properties:
+      enabled:
+        type: boolean
+        # https://github.com/2i2c-org/binderhub-service
+        description: |
+          Enable image building with binderhub-service
   # jupyterhub is a dependent helm chart and we rely _mostly_ on its schema
   # validation for values passed to it and are not imposing restrictions on
   # most of them in this helm chart.

helm-charts/basehub/values.yaml

@@ -5,6 +5,9 @@ userServiceAccount:
   enabled: true
   annotations: {}
 
+binderhub-service:
+  enabled: false
+
 ingressBasicAuth:
   enabled: false
   # Primarily here for validation to 'work',