From 57c65d886f0098c4633136ad4f6c1b7177c8b9bf Mon Sep 17 00:00:00 2001
From: YuviPanda
Date: Fri, 8 Sep 2023 19:57:32 -0700
Subject: [PATCH 1/2] Switch researchdelight hub to GitHub authentication
- Allow access to members of this team: https://github.com/orgs/2i2c-org/teams/research-delight-team
- GPUs shall be gated by membership in a different team, to be provided.
Fixes https://github.com/2i2c-org/infrastructure/issues/3099
---
.../enc-researchdelight.secret.values.yaml | 15 ++++++-----
.../2i2c-aws-us/researchdelight.values.yaml | 26 +++++++++++++------
2 files changed, 27 insertions(+), 14 deletions(-)
diff --git a/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml b/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml
index 3d2d84bd4..f69df82a9 100644
--- a/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml
+++ b/config/clusters/2i2c-aws-us/enc-researchdelight.secret.values.yaml
@@ -2,20 +2,23 @@ basehub: jupyterhub: hub: config: + GitHubOAuthenticator: + client_id: ENC[AES256_GCM,data:mBr82zqrB784x/9h2YpDiwPttzA=,iv:g9stn15R7RIl84NCVqzivpwrdX6MVFMulEJi3wHdCcw=,tag:V/BW6JCafJMbAAuaBWYkvg==,type:str] + client_secret: ENC[AES256_GCM,data:w5CT61Tu4UYraJcx64VJVweNYLjpS7PB8G0x1p8l3gKAnpBn6sX43g==,iv:P03azTpBmGrpt/ACXPtVs4fNarZfgcrjAxNFllrUsho=,tag:OF6BHKHd5GrHn5gQxVNi+A==,type:str] CILogonOAuthenticator: - client_id: ENC[AES256_GCM,data:do6oRsCHVlEaopw/SGKnudX6QMwTRo/Vco2sBCXkHNJ8aASBToFUlHqG8U8stmAe1eYJ,iv:FgtBzUzC8kap+BASyDY/sqnv1kvItTOX0a1j+mwYsy4=,tag:BhpZ5fAaYzSSIF9/RzLsXg==,type:str] - client_secret: ENC[AES256_GCM,data:1aIn9R5loffBYMuLuzn5+I+QkmX5qE7kYuqEKy0dvKJQZg/LK0yzVKoHiLOIYYJqTToVUMCc+aC+ZYTlNmCvGg3GwYPTkjVChRVYJRUZvl1ELP7YcV0=,iv:YORVpCcx9w4hgyKlomZKyAzEvnm+OFZbPu3tw3DvQAo=,tag:hUeV48uiv5PtjSp96o5n+w==,type:str] + client_id: ENC[AES256_GCM,data:kBmqvTcdnfTlPz2wNOp05Ck66COWMwvRCt7r6pfXLZnFr0v9ylxXwfDXT6v9YNiQ/do7,iv:c62ozJG3A53M37MFHbHINoYxtAwGMlh2y0oAsfuxh6c=,tag:vevTHn44TzlMpdOpSo5O3g==,type:str] + client_secret: ENC[AES256_GCM,data:G/tYPy+EV1HK5XdfTlBDAV/Ld383PQxI3zFwoFJLBKP6J4N211xvtb2AOcsuIfGqRb6o09wEk8QmJ43WoemOpffe3kqC5G5O/zAk9Fhm/5g4hN/PGeQ=,iv:G7uxbw7rqDkvulvPw0ZowgWS97RxHiTD7lbJ4yvgk/g=,tag:kZFlP7qWKC3VAdHokTxu3w==,type:str] sops: kms: [] gcp_kms: - resource_id: projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs - created_at: "2023-03-13T10:27:13Z" - enc: CiUA4OM7eCdS0zudoyhLRbKlG+r1jUBQwFNAczMpasSH5X06+IWHEkkALQgViIkNihiV+Z+ZUwjJcCpuOprNMklD4AJ6UBeHxurj/VMPpCUBgveo7MwK/8+YMYofFpleS4b5rsLJ717oWDJjjM8cA8+W + created_at: "2023-09-09T02:50:00Z" + enc: CiUA4OM7eMBVcbO2oTRqg6XqINmiJiUqwFASA8+gT+IWQCiyCNdHEkkAq2nhVTfMsecT193wXiQYZZO034C3i8BL0wehQJzwvMlvu5r+PjYyIazgauyqQJxZQMvMIkO60/OcCzBEt0clYSj1tRFke98L azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-03-13T10:27:13Z" - mac: 
ENC[AES256_GCM,data:Bw1VoDnPAN1CvIOruB4SBVJf0gKXFbtOBHAy8gGSbA7s9PdiVN8FNmRSlutC8xKNqSVQ7vmtYhonJ+AHS6+PXa1aAceKMmQAmeMtwqE0HHSwR9Ujcw3F0bkjwHUMHIGgCOm0FawbHtMFBvAYXb8rgtCnZjGirJGmJ4TJ153IpXg=,iv:SsFQArAjuip3KyOvM45TsqHrNO0SQ+sTReuzZ5Yq8GU=,tag:TbqHDResuHQkapqPd9nSBA==,type:str] + lastmodified: "2023-09-09T02:50:00Z" + mac: ENC[AES256_GCM,data:zAVP82LEsEJo1KHKpNHm54uoPNCpQSyB6z1rRyztQ6g/hasEbS9VnC168/CKcx8tMqm25m8/gDu5WOiqZSeBnEmTqrAwSU2pa62A+zmwbORywto4b8BWgNR2Weoc7fD9Azfk4YHdQF/mQszXF207mP41z0yfF7vI7K6mgjZKKM8=,iv:V2OrjCuzY6H8RDOZp4JCFj9xCTF3dpUTpCGfbyYlXZs=,tag:YE8riKjxViXR/QIDATz+gw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.3 diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 230074563..8d109a2bf 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -33,15 +33,16 @@ basehub: tag: "0.0.1-0.dev.git.6863.h406a3546" config: JupyterHub: - authenticator_class: cilogon - CILogonOAuthenticator: + authenticator_class: github + Authenticator: + enable_auth_state: true + GitHubOAuthenticator: + populate_teams_in_auth_state: true + allowed_organizations: + - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-team scope: - - "profile" - username_claim: "preferred_username" - oauth_callback_url: "https://researchdelight.2i2c.cloud/hub/oauth_callback" - # Only show the option to login with GitHub - shown_idps: - - http://github.com/login/oauth/authorize + - read:org singleuser: image: name: quay.io/2i2c/researchdelight-image @@ -49,6 +50,9 @@ basehub: profileList: - display_name: "Shared Small: 1-4 CPU, 8-32 GB" description: "A shared machine, the recommended option until you experience a limitation." + allowed_teams: &allowed_teams + - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-team profile_options: &profile_options image: display_name: Image 
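Review bot: The `CILogonOAuthenticator` `client_id`/`client_secret` pair is still present on the new side of this hunk, next to the added `GitHubOAuthenticator` credentials, while the same commit sets `authenticator_class: github` in researchdelight.values.yaml. If the CILogon client is no longer needed for this hub, drop the block from the encrypted file and deregister the client with CILogon, so a live but unused OAuth secret is not kept around. The changed ciphertext does not show whether the CILogon values themselves changed, since the sops metadata (`created_at`, `enc`, `mac`) changed too, which suggests the whole file was re-encrypted.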
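Review bot: With `populate_teams_in_auth_state: true` the team list is read from GitHub when a user logs in and then kept in auth state, so removing someone from `research-delight-team` (or from a team used in a profile's `allowed_teams`) presumably takes effect only at their next login. A short comment above `enable_auth_state` would record this, for example `# team membership is captured at login; removal from a team applies on the next login`, and it is worth confirming that the hub's session lifetime is acceptable as a revocation delay. Separately, the explicit `oauth_callback_url` is removed together with the CILogon block; unless it is set somewhere outside this hunk, the callback is derived from the incoming request, so confirm it matches the URL registered on the GitHub OAuth app.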
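Review bot: The `&allowed_teams` list added in the `-49,6 +50,9` hunk repeats `GitHubOAuthenticator.allowed_organizations` from the `-33,15 +33,16` hunk, so there are now two lists that have to be kept in step by hand. A team that appears in `allowed_teams` but not in `allowed_organizations` could not log in at all, and nothing in the file says the two are related. I would add a comment above the anchor such as `# keep in sync with GitHubOAuthenticator.allowed_organizations`. How a profile without an `allowed_teams` key is treated is not visible on this page; if such a profile is shown to every logged-in user, say so in the same comment so a profile added later is not opened up by omission.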
@@ -107,6 +111,7 @@ basehub: - display_name: "Small: 4 CPU, 32 GB" description: "A dedicated machine for you." profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 28.937G cpu_guarantee: 0.4 @@ -117,6 +122,7 @@ basehub: - display_name: "Medium: 16 CPU, 128 GB" description: "A dedicated machine for you." profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 120.513G cpu_guarantee: 1.6 @@ -127,6 +133,7 @@ basehub: - display_name: "Large: 64 CPU, 512 GB" description: "A dedicated machine for you" profile_options: *profile_options + allowed_teams: *allowed_teams kubespawner_override: mem_guarantee: 489.13G cpu_guarantee: 6.4 @@ -136,6 +143,9 @@ basehub: - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs slug: gpu + allowed_teams: + # Just 2i2c folks for now + - 2i2c-org:hub-access-for-2i2c-staff description: "Start a container on a dedicated node with a GPU" profile_options: image: From 93f61e047bc8ae3b147375ee4bf8c27d8a21319e Mon Sep 17 00:00:00 2001 From: YuviPanda Date: Fri, 8 Sep 2023 20:39:47 -0700 Subject: [PATCH 2/2] Specify appropriate team for GPU access --- config/clusters/2i2c-aws-us/researchdelight.values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/clusters/2i2c-aws-us/researchdelight.values.yaml b/config/clusters/2i2c-aws-us/researchdelight.values.yaml index 8d109a2bf..c7163a272 100644 --- a/config/clusters/2i2c-aws-us/researchdelight.values.yaml +++ b/config/clusters/2i2c-aws-us/researchdelight.values.yaml @@ -144,8 +144,8 @@ basehub: - display_name: NVIDIA Tesla T4, ~16 GB, ~4 CPUs slug: gpu allowed_teams: - # Just 2i2c folks for now - 2i2c-org:hub-access-for-2i2c-staff + - 2i2c-org:research-delight-gpu-team description: "Start a container on a dedicated node with a GPU" profile_options: image:
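Review bot: `2i2c-org:research-delight-gpu-team` is added to the GPU profile's `allowed_teams` in PATCH 2/2, but `allowed_organizations` from PATCH 1/2 lists only `hub-access-for-2i2c-staff` and `research-delight-team`, and this patch does not touch it. A GPU-team member who is not also in `research-delight-team` would therefore be refused at login and never reach the profile list. If the GPU team is meant to be a subset of the hub team, a comment saying so is enough, for example `# members must also be in research-delight-team to log in`; otherwise add the team to `allowed_organizations` as well. The profile entry continues past the end of the hunk.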