Add LEAP hub

[yuvipanda]

Ref #1050

[sgibson91]

One typo to fix and one non-blocking comment. Otherwise, LGTM!

[sgibson91]

Suggested change

	name: pangeo-hubs
	name: leap

I think this should be leap, right?

[yuvipanda]

Ah yes! Fixed.

[sgibson91]

I'm in two minds about having oauth_callback_url here. I know it makes the number of files you need to pass around nicer, but this value doesn't need to be encrypted really. And I did lose some time thinking that the uwhackweek hubs were misconfigured because of this pattern before.

No specific action to take in this PR, but I'd like to discuss as a team some guidelines around this for readability's sake.

[yuvipanda]

@sgibson91 yeah I was thinking about that too. While keeping the number of files down helps, I think keeping it separate works alright for me too. But in that case I want to split it into three files - common, staging and prod, rather than just staging and prod. How does that sound?

[sgibson91]

Sounds reasonable. The deployer will work regardless, so long as they're listed in the cluster.yaml file! 🎉

[yuvipanda]

@sgibson91 i've split this now into two non-secret files staging.yaml + prod.yaml.

[yuvipanda]

@sgibson91 can you take another look with the changes I've made? It's all deployed now.

[sgibson91]

Didn't we establish elsewhere that this will create a bucket called Pangeo scratch, but JupyterHub is configured to look for a bucket called <cluster_name>-<hub_name> and so this bucket will never get connected to the hub?

[sgibson91]

See slack message: https://2i2c.slack.com/archives/C028WU9PFBN/p1637755725001500?thread_ts=1637754043.001100&cid=C028WU9PFBN

And what JupyterHub is expecting:

infrastructure/hub-templates/basehub/values.yaml

Line 358 in 0e6006b

bucket_name = f'{project_id}-{release}-scratch-bucket'

[yuvipanda]

@sgibson91 ah good catch. see d83461a.

[sgibson91]

Perfect!

[sgibson91]

LGTM! I have one question about the scratch buckets, but the rest is great.

[yuvipanda]

@sgibson91 aha, looks like scratch bucket access doesn't actually work. Boo. I'll investigate.

[sgibson91]

@yuvipanda this issue may be relevant #1046

[yuvipanda]

Thanks for the review, @damianavila and @sgibson91! This also doesn't have fully functional scratch buckets, something that'll be fixed in #1130.

[yuvipanda]

I also ran a terraform apply, and verified it is as clean as it can be. There's still changes that are see-sawing (with no actual effects) that'll be fixed in #1130.

google_artifact_registry_repository.registry: Refreshing state... [id=projects/leap-pangeo/locations/us-central1/repositories/leap-registry]
google_service_account.cluster_sa: Refreshing state... [id=projects/leap-pangeo/serviceAccounts/[email protected]]
google_service_account.cd_sa: Refreshing state... [id=projects/leap-pangeo/serviceAccounts/[email protected]]
google_project_iam_custom_role.identify_project_role: Refreshing state... [id=projects/leap-pangeo/roles/leap_user_sa_role]
google_storage_bucket.user_buckets["pangeo-scratch"]: Refreshing state... [id=leap-pangeo-scratch]
google_project_iam_member.cd_sa_roles["roles/container.admin"]: Refreshing state... [id=leap-pangeo/roles/container.admin/serviceAccount:[email protected]]
google_project_iam_member.cd_sa_roles["roles/artifactregistry.writer"]: Refreshing state... [id=leap-pangeo/roles/artifactregistry.writer/serviceAccount:[email protected]]
google_project_iam_member.cluster_sa_roles["roles/monitoring.metricWriter"]: Refreshing state... [id=leap-pangeo/roles/monitoring.metricWriter/serviceAccount:[email protected]]
google_project_iam_member.cluster_sa_roles["roles/logging.logWriter"]: Refreshing state... [id=leap-pangeo/roles/logging.logWriter/serviceAccount:[email protected]]
google_service_account_key.cd_sa: Refreshing state... [id=projects/leap-pangeo/serviceAccounts/[email protected]/keys/8192f1f77328895d53a3c3c2cb53cefa78cb4cc5]
google_project_iam_member.cluster_sa_roles["roles/monitoring.viewer"]: Refreshing state... [id=leap-pangeo/roles/monitoring.viewer/serviceAccount:[email protected]]
google_project_iam_member.cluster_sa_roles["roles/stackdriver.resourceMetadata.writer"]: Refreshing state... [id=leap-pangeo/roles/stackdriver.resourceMetadata.writer/serviceAccount:[email protected]]
google_project_iam_member.cluster_sa_roles["roles/artifactregistry.reader"]: Refreshing state... [id=leap-pangeo/roles/artifactregistry.reader/serviceAccount:[email protected]]
google_storage_bucket_iam_member.member["pangeo-scratch"]: Refreshing state... [id=b/leap-pangeo-scratch/roles/storage.admin/serviceAccount:[email protected]]
google_filestore_instance.homedirs[0]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/instances/leap-homedirs]
google_container_cluster.cluster: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster]
google_project_iam_member.identify_project_binding: Refreshing state... [id=leap-pangeo/projects/leap-pangeo/roles/leap_user_sa_role/serviceAccount:[email protected]]
google_container_node_pool.dask_worker["huge"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-huge]
google_container_node_pool.notebook["large"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-large]
google_container_node_pool.dask_worker["medium"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-medium]
google_container_node_pool.dask_worker["large"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-large]
google_container_node_pool.notebook["huge"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-huge]
google_container_node_pool.dask_worker["small"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-small]
google_container_node_pool.notebook["medium"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-medium]
google_container_node_pool.core: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/core-pool]
google_container_node_pool.notebook["small"]: Refreshing state... [id=projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-small]
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the

last "terraform apply":
google_container_cluster.cluster has changed
~ resource "google_container_cluster" "cluster" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster"

name                        = "leap-cluster"

# (26 unchanged attributes hidden)
  ~ node_pool {
        name                        = "nb-small"
      ~ node_count                  = 0 -> 1
        # (6 unchanged attributes hidden)




        # (4 unchanged blocks hidden)
    }




    # (22 unchanged blocks hidden)
}

google_container_node_pool.notebook["small"] has changed
~ resource "google_container_node_pool" "notebook" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-small"

name                        = "nb-small"

~ node_count                  = 0 -> 1

# (8 unchanged attributes hidden)
    # (4 unchanged blocks hidden)
}

Unless you have made equivalent changes to your configuration, or ignored the

relevant attributes using ignore_changes, the following plan may include

actions to undo or respond to these changes.
─────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution

plan. Resource actions are indicated with the following symbols:

~ update in-place
Terraform will perform the following actions:
google_container_node_pool.dask_worker["huge"] will be updated in-place
~ resource "google_container_node_pool" "dask_worker" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-huge"

name                        = "dask-huge"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.dask_worker["large"] will be updated in-place
~ resource "google_container_node_pool" "dask_worker" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-large"

name                        = "dask-large"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.dask_worker["medium"] will be updated in-place
~ resource "google_container_node_pool" "dask_worker" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-medium"

name                        = "dask-medium"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.dask_worker["small"] will be updated in-place
~ resource "google_container_node_pool" "dask_worker" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/dask-small"

name                        = "dask-small"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.notebook["huge"] will be updated in-place
~ resource "google_container_node_pool" "notebook" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-huge"

name                        = "nb-huge"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.notebook["large"] will be updated in-place
~ resource "google_container_node_pool" "notebook" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-large"

name                        = "nb-large"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.notebook["medium"] will be updated in-place
~ resource "google_container_node_pool" "notebook" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-medium"

name                        = "nb-medium"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

google_container_node_pool.notebook["small"] will be updated in-place
~ resource "google_container_node_pool" "notebook" {

id                          = "projects/leap-pangeo/locations/us-central1-b/clusters/leap-cluster/nodePools/nb-small"

name                        = "nb-small"

# (9 unchanged attributes hidden)
  ~ node_config {
        tags              = []
        # (12 unchanged attributes hidden)


      ~ workload_metadata_config {
          ~ mode = "GKE_METADATA" -> "MODE_UNSPECIFIED"
        }
        # (1 unchanged block hidden)
    }

    # (3 unchanged blocks hidden)
}

Plan: 0 to add, 8 to change, 0 to destroy.
Warning: Argument is deprecated
with google_filestore_instance.homedirs,

on storage.tf line 4, in resource "google_filestore_instance" "homedirs":

4:   zone    = var.zone
Deprecated in favor of location.
(and one more similar warning elsewhere)
─────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't

guarantee to take exactly these actions if you run "terraform apply" now.