Move Staging to run on OVH with k3s

[yuvipanda]

• Changes existing OVH terraform code to instead be able to support OVH registry only, as we use k3s for kubernetes
• Setup a new kubernetes k3s cluster, following our existing k3s docs, for running the staging cluster
• Deploy to this new staging cluster
• Have the staging cluster's launch events come to the same analytics pipeline as our prod cluster for now, instead of setting up two separate ones as we have so far. This adds a tiny amount of noise to our pipeline (potentially - i see it's a different log name) but is worth it
• Turn off the event publisher related code for now. This means we'll only have this in prod.
• Turn off matomo, as we use plausible now in prod instances.
• Setup k3s on a manually created VM on OVHCloud. I added an ssh key with access to the ubuntu user (which has full sudo) to this PR as a secret.
• DNS is currently set to https://staging.mybinder.2i2c.cloud/ because i no longer have access to mybinder.org DNS. It's on cloudflare but it seems to require 2fa now and i don't have access. Maybe @minrk does?

TODO

• Fix the DNS to point to staging.mybinder.org instead of the 2i2c.cloud domains
• Test that this works in our CI
• Rip out the existing staging cluster and everything with it, say 'thank you' and gently bury it with respect

See #3477 (keep it open until we've cleaned up the old staging)

[manics]

The mybinder.org domain is managed by Jupyter: jupyterhub/team-compass#424 (comment)

[yuvipanda]

i no longer have access to that cloudflare account. It seems to require 2fa and i don’t have 2fa for it :(

[manics]

@Carreau has very kindly updated the DNS for staging.mybinder.org to point to this new host.
Next step is to update this PR with the new hostnames for the K8S ingress and certificates

[manics]

/test-this-pr

[jupyterhub-bot]

This Pull Request is now being tested 🎉 See the test progress in GitHub Actions.

[jupyterhub-bot]

Job status: failure
Branch 'test-this-pr/3476' has been deleted

[manics]

The deployment failed because events-archiver-secrets isn't available for staging. It's not configured on our current staging, so I'll revert the extraVolumes config added in 4d2594f

Edit: reverted the revert in a subsequent commit, it's needed

[manics]

/test-this-pr

[jupyterhub-bot]

This Pull Request is now being tested 🎉 See the test progress in GitHub Actions.

[jupyterhub-bot]

Job status: failure
Branch 'test-this-pr/3476' has been deleted

[manics]

/test-this-pr

[jupyterhub-bot]

This Pull Request is now being tested 🎉 See the test progress in GitHub Actions.

[jupyterhub-bot]

Job status: failure
Branch 'test-this-pr/3476' has been deleted

[manics]

/test-this-pr

[jupyterhub-bot]

This Pull Request is now being tested 🎉 See the test progress in GitHub Actions.

[manics]

@yuvipanda do you have some unpushed changes? secrets/config/staging.yaml is missing the updated OVH registry credentials

[jupyterhub-bot]

Job status: failure
Branch 'test-this-pr/3476' has been deleted

[manics]

I've updated the ovh registry secrets using the terraform outputs from

mybinder.org-deploy/terraform/ovh/harbor.tf

Lines 104 to 121 in 02b3755

	output "registry_builder_name" {
	value = harbor_robot_account.builder.full_name
	sensitive = true
	}
	output "registry_builder_token" {
	value = harbor_robot_account.builder.secret
	sensitive = true
	}
	output "registry_user_puller_name" {
	value = harbor_robot_account.user-puller.full_name
	sensitive = true
	}
	output "registry_user_puller_token" {
	value = harbor_robot_account.user-puller.secret
	sensitive = true
	}

/test-this-pr

[jupyterhub-bot]

This Pull Request is now being tested 🎉 See the test progress in GitHub Actions.

[jupyterhub-bot]

Job status: success
Branch 'test-this-pr/3476' has been deleted

[manics]

test-this-pr has successfully deployed this to staging! Be aware the node is quite small, I suspect this causes more complicated images to fail e.g. https://github.com/manics/jupyter-desktop-mate/ will build and launch, but the desktop hangs.

I think another review would be good, then merge!

[yuvipanda]

Thank you for taking this through, @manics! I think you should just merge and see how it goes :D

[manics]

@yuvipanda Thanks! YOLO....

[yuvipanda]

@manics how did this go?

[manics]

Seems to have worked 😀