Merge remote-tracking branch 'upstream/develop' into develop

Author: kmid5280

.github/ISSUE_TEMPLATE/dash-feature.md

@@ -0,0 +1,14 @@
+---
+name: Dash feature request
+about: Report something that's missing from the Dash version
+title: [dash]
+labels: 'dash'
+assignees: ''
+
+---
+
+### Description:
+
+
+
+[ ] This is something we can copy over from streamlit (screenshots if applicable)

.github/ISSUE_TEMPLATE/general-bug-report.md

@@ -0,0 +1,27 @@
+---
+name: General bug report
+about: Create an report to help us improve.
+title: [bug]
+labels: 'bug'
+assignees: ''
+
+---
+
+<!--
+Before you begin, please help us manage volume by checking if this could be submitted another way:
+- Usage questions? Ask in Slack [#chime-help](https://codeforphilly.org/chat?channel=chime-help).
+- Feature ideas? Propose in Slack for discussion.
+- Is this something you can debug and fix? Pull requests are very welcome.
+-->
+
+### Description:
+
+### Steps to reproduce:
+1.
+2.
+3.
+
+### Expected behavior:
+
+### What I got instead:
+(screenshots if applicable)

.github/ISSUE_TEMPLATE/model.md

@@ -0,0 +1,26 @@
+---
+name: Bug report for model
+about: Feedback or bug report for the epidemiological model and analysis.
+title: [model]
+labels: 'models'
+assignees: ''
+
+---
+
+<!--
+Please note: Any changes to the model have a huge impact on rapidly evolving hospital system & public health decisions. The current model has been in use for a while now, and it has been validated against other similar models, so any changes to the model must meet a very high bar.
+
+However, these 2 types of issue reports are very welcome:
+- Bugs causing this model to produce invalid results. In this case, please include details and a suggested fix.
+- If this model is producing a significantly different result than another well-known epidemiological model. In this case, please include proof of this difference and a suggested fix to our approach.
+
+For questions or early discussion, please join us in [#chime-analysis](https://codeforphilly.org/chat?channel=chime-analysis) in Slack instead.
+-->
+
+### Summary
+
+
+### Additional details
+
+
+### Suggested fix

.github/workflows/heroku.yml

@@ -0,0 +1,28 @@
+name: Deploy working development app to Heroku staging project
+
+on:
+  push:
+    branches:
+      - 'develop'
+
+env:
+  HEROKU_USER: 32dd7c8d-eb68-4420-bfe2-9ed047ef8fb0
+  HEROKU_SECRET: ${{ secrets.heroku_secret_key }}
+  HEROKU_APP: cfp-ci-chime
+  HEROKU_EMAIL: [email protected]
+
+jobs:
+  deploy-heroku-stg:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Deploy app
+        id: deploy_stg_job
+        uses: akhileshns/[email protected]
+        with:
+          heroku_api_key: ${HEROKU_SECRET}
+          heroku_app_name: ${HEROKU_APP}
+          heroku_email: ${HEROKU_EMAIL}
+      - name: Return app URL
+        run: |
+          echo "Deployed to: https://${HEROKU_APP}.herokuapp.com/"

README.md

@@ -7,7 +7,7 @@ The **C**OVID-19 **H**ospital **I**mpact **M**odel for **E**pidemics ([penn-chim
 ## Background
 The [CHIME](https://penn-chime.phl.io/) (COVID-19 Hospital Impact Model for Epidemics) Application is designed to assist hospitals and public health officials with understanding hospital capacity needs as they relate to the COVID pandemic. CHIME enables capacity planning by providing estimates of total daily (i.e. new) and running totals of (i.e. census) inpatient hospitalizations, ICU admissions, and patients requiring ventilation. These estimates are generated using a [SIR (Susceptible, Infected, Recovered)](https://mathworld.wolfram.com/SIRModel.html) model, a standard epidemiological modeling technique. Our model has been validated by several epidemiologists including [Michael Z. Levy, PhD](https://www.dbei.med.upenn.edu/bio/michael-z-levy-phd), Associate Professor of Epidemiology, Department of Biostatistics, Epidemiology and Informatics at the Perelman School of Medicine.
 
-Originally developed in `github.com/pennsignals/chime`, active development is now at `github.com/pennsignals/chime`.
+Originally developed in `github.com/pennsignals/chime`, active development is now at `github.com/CodeForPhilly/chime`.
 
 ### Documentation
 

docs/SUMMARY.md

@@ -13,6 +13,9 @@
   - [The `chime-live` Cluster](./operations/chime-live-cluster.md)
   - [Deploy to Heroku](./operations/heroku.md)
   - [Deploy to Your Own Cluster](./operations/byok8s.md)
+  - [Limited Cluster Access for Deployment][1]
 - [Code of Conduct](CODE_OF_CONDUCT.md)
 - [Maintainers](MAINTAINERS.md)
 - [Glossary](GLOSSARY.md)
+
+[1]: ./operations/limited-kubeconfigs/limited-kubeconfigs.md

docs/getting-started/try-online.md

@@ -12,7 +12,7 @@ Try this link: https://pennchime.herokuapp.com/
 
 ### Run Your Own Copy Locally
 
-If you're comfortable working on your computer's command line, you can head over to the [Getting Started: Run Locally](getting-started/run-locally.md) guide to run a private instance on your own computer.
+If you're comfortable working on your computer's command line, you can head over to the [Getting Started: Run Locally](run-locally.md) guide to run a private instance on your own computer.
 
 ### Run a Shared Copy Online for Your Organization
 

docs/operations/limited-kubeconfigs/limited-kubeconfigs.md

@@ -0,0 +1,147 @@
+# Creating Kubeconfigs with Limited Permissions
+
+## Create a Role
+
+Kubernetes has two primary resources which represent a set of permissions,
+Roles and ClusterRoles. ClusterRoles apply to resources in all namespaces,
+whereas Roles are limited to a specific namespace. Let's create a Role in the
+chime namespace which will allow read/write access to Deployments and
+read-only access to Pods.
+
+deployer.yaml:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    # we are _not_ including 'create' and 'delete'
+    - get
+    - list
+    - watch
+    - update
+    - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch
+```
+
+## Create a ServiceAccount
+
+One of the subjects which can take on a Role is a ServiceAccount. Let's
+create a ServiceAccount called penn-deployer in the chime namespace:
+
+```
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: penn-deployer
+  namespace: chime
+```
+
+## Create a RoleBinding
+
+We can now give the ServiceAccount the Role that we created earlier using a
+RoleBinding in the chime namespace.
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime
+```
+
+## Grabbing the token for the ServiceAccount
+
+Every ServiceAccount gets a token, lets grab it.
+
+```
+k get secrets -n chime
+```
+
+Look for `penn-deployer-token-<hash>`
+
+```
+k get secrets -n chime penn-deployer-token-<hash>
+```
+
+Grab the "token:" base64 encoded token.
+
+*base64 decode this token, which will produce base64*
+
+## Creating a token-based kubeconfig
+
+Now take a look at the Kubeconfig that you are currently using. Does it use a
+token? If so, you can construct a Kubeconfig for this ServiceAccount by copying
+your kubeconfig and replacing the token and user name with this decoded token
+and the user name "penn-deployer".
+
+It will look something like this:
+
+```
+apiVersion: v1
+kind: Config
+preferences: {}
+
+clusters:
+- name: chime-cluster
+  cluster:
+    certificate-authority-data: <ca-cert-base64, same as existing>
+    server: https://<server-hostname>:<server-port>
+
+users:
+- name: penn-deployer
+  user:
+    as-user-extra: {}
+    token: <ServiceAccount token! Be very sure that this is the ServiceAccount token!>
+
+contexts:
+- name: penn-deployer-chime
+  context:
+    cluster: chime-cluster
+    user: penn-deployer
+    namespace: chime
+
+current-context: penn-deployer-chime
+```
+
+## Test out your token-based Kubeconfig
+
+You can now use this ServiceAccount to modify Deployments, and view Pods, but do nothing else.
+
+```
+$ k get pods -A
+Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:chime:penn-deployer" cannot list resource "pods" in API group "" at the cluster scope
+```
+
+```
+$ export KUBECONFIG=new-kubeconfig.yaml
+$ k get pods -n chime
+$ k get deployments -n chime
+# deploy version 0.5.0
+$ k set image deployment/chime -n chime chime=docker.pkg.github.com/codeforphilly/chime/penn-chime:0.5.0 --record
+# observe status of deployment
+$ k get pods -n chime
+```

docs/operations/limited-kubeconfigs/manifests/deployer.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+  - apps/v1
+  resources:
+  - deployments
+  verbs:
+  # we are _not_ including 'create' and 'delete'
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch

docs/operations/limited-kubeconfigs/manifests/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime