Merge branch 'develop' into mishmosh/introtext

Author: themightychris

.github/ISSUE_TEMPLATE/dash-feature.md

@@ -0,0 +1,14 @@
+---
+name: Dash feature request
+about: Report something that's missing from the Dash version
+title: [dash]
+labels: 'dash'
+assignees: ''
+
+---
+
+### Description:
+
+
+
+[ ] This is something we can copy over from streamlit (screenshots if applicable)

.github/workflows/heroku.yml

@@ -0,0 +1,28 @@
+name: Deploy working development app to Heroku staging project
+
+on:
+  push:
+    branches:
+      - 'develop'
+
+env:
+  HEROKU_USER: 32dd7c8d-eb68-4420-bfe2-9ed047ef8fb0
+  HEROKU_SECRET: ${{ secrets.heroku_secret_key }}
+  HEROKU_APP: cfp-ci-chime
+  HEROKU_EMAIL: [email protected]
+
+jobs:
+  deploy-heroku-stg:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Deploy app
+        id: deploy_stg_job
+        uses: akhileshns/[email protected]
+        with:
+          heroku_api_key: ${HEROKU_SECRET}
+          heroku_app_name: ${HEROKU_APP}
+          heroku_email: ${HEROKU_EMAIL}
+      - name: Return app URL
+        run: |
+          echo "Deployed to: https://${HEROKU_APP}.herokuapp.com/"

docs/SUMMARY.md

@@ -13,6 +13,9 @@
   - [The `chime-live` Cluster](./operations/chime-live-cluster.md)
   - [Deploy to Heroku](./operations/heroku.md)
   - [Deploy to Your Own Cluster](./operations/byok8s.md)
+  - [Limited Cluster Access for Deployment][1]
 - [Code of Conduct](CODE_OF_CONDUCT.md)
 - [Maintainers](MAINTAINERS.md)
 - [Glossary](GLOSSARY.md)
+
+[1]: ./operations/limited-kubeconfigs/limited-kubeconfigs.md

docs/operations/limited-kubeconfigs/limited-kubeconfigs.md

@@ -0,0 +1,147 @@
+# Creating Kubeconfigs with Limited Permissions
+
+## Create a Role
+
+Kubernetes has two primary resources which represent a set of permissions,
+Roles and ClusterRoles. ClusterRoles apply to resources in all namespaces,
+whereas Roles are limited to a specific namespace. Let's create a Role in the
+chime namespace which will allow read/write access to Deployments and
+read-only access to Pods.
+
+deployer.yaml:
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+    - apps
+  resources:
+    - deployments
+  verbs:
+    # we are _not_ including 'create' and 'delete'
+    - get
+    - list
+    - watch
+    - update
+    - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch
+```
+
+## Create a ServiceAccount
+
+One of the subjects which can take on a Role is a ServiceAccount. Let's
+create a ServiceAccount called penn-deployer in the chime namespace:
+
+```
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: penn-deployer
+  namespace: chime
+```
+
+## Create a RoleBinding
+
+We can now give the ServiceAccount the Role that we created earlier using a
+RoleBinding in the chime namespace.
+
+```
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime
+```
+
+## Grabbing the token for the ServiceAccount
+
+Every ServiceAccount gets a token, lets grab it.
+
+```
+k get secrets -n chime
+```
+
+Look for `penn-deployer-token-<hash>`
+
+```
+k get secrets -n chime penn-deployer-token-<hash>
+```
+
+Grab the "token:" base64 encoded token.
+
+*base64 decode this token, which will produce base64*
+
+## Creating a token-based kubeconfig
+
+Now take a look at the Kubeconfig that you are currently using. Does it use a
+token? If so, you can construct a Kubeconfig for this ServiceAccount by copying
+your kubeconfig and replacing the token and user name with this decoded token
+and the user name "penn-deployer".
+
+It will look something like this:
+
+```
+apiVersion: v1
+kind: Config
+preferences: {}
+
+clusters:
+- name: chime-cluster
+  cluster:
+    certificate-authority-data: <ca-cert-base64, same as existing>
+    server: https://<server-hostname>:<server-port>
+
+users:
+- name: penn-deployer
+  user:
+    as-user-extra: {}
+    token: <ServiceAccount token! Be very sure that this is the ServiceAccount token!>
+
+contexts:
+- name: penn-deployer-chime
+  context:
+    cluster: chime-cluster
+    user: penn-deployer
+    namespace: chime
+
+current-context: penn-deployer-chime
+```
+
+## Test out your token-based Kubeconfig
+
+You can now use this ServiceAccount to modify Deployments, and view Pods, but do nothing else.
+
+```
+$ k get pods -A
+Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:chime:penn-deployer" cannot list resource "pods" in API group "" at the cluster scope
+```
+
+```
+$ export KUBECONFIG=new-kubeconfig.yaml
+$ k get pods -n chime
+$ k get deployments -n chime
+# deploy version 0.5.0
+$ k set image deployment/chime -n chime chime=docker.pkg.github.com/codeforphilly/chime/penn-chime:0.5.0 --record
+# observe status of deployment
+$ k get pods -n chime
+```

docs/operations/limited-kubeconfigs/manifests/deployer.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: deployer
+  namespace: chime
+rules:
+- apiGroups:
+  - apps/v1
+  resources:
+  - deployments
+  verbs:
+  # we are _not_ including 'create' and 'delete'
+  - get
+  - list
+  - watch
+  - update
+  - patch
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  verbs:
+    # so that we can observe our pods getting created
+    - get
+    - list
+    - watch

docs/operations/limited-kubeconfigs/manifests/rolebinding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: penn-deployer:deployer
+  namespace: chime
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deployer
+subjects:
+  - kind: ServiceAccount
+    name: penn-deployer
+    namespace: chime

docs/operations/limited-kubeconfigs/manifests/serviceaccount.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: penn-deployer
+  namespace: chime

k8s/app.yaml

@@ -25,7 +25,7 @@ spec:
         app: chime
     spec:
       containers:
-      - image: docker.pkg.github.com/codeforphilly/chime/penn-chime:0.4.1
+      - image: docker.pkg.github.com/codeforphilly/chime/penn-chime:1.0.0
         name: chime
         ports:
         - containerPort: 8000

src/penn_chime/presentation.py

@@ -345,19 +345,8 @@ def show_more_info_about_this_tool(st, model, parameters, defaults, notes: str =
 def write_definitions(st):
     st.subheader("Guidance on Selecting Inputs")
     st.markdown(
-        """* **Hospitalized COVID-19 Patients:** The number of patients currently hospitalized with COVID-19 **at your hospital(s)**. This number is used in conjunction with Hospital Market Share and Hospitalization % to estimate the total number of infected individuals in your region.
-* **Doubling Time (days):** This parameter drives the rate of new cases during the early phases of the outbreak. The American Hospital Association currently projects doubling rates between 7 and 10 days. This is the doubling time you expect under status quo conditions. To account for reduced contact and other public health interventions, modify the _Social distancing_ input.
-* **Social distancing (% reduction in person-to-person physical contact):** This parameter allows users to explore how reduction in interpersonal contact & transmission (hand-washing) might slow the rate of new infections. It is your estimate of how much social contact reduction is being achieved in your region relative to the status quo. While it is unclear how much any given policy might affect social contact (eg. school closures or remote work), this parameter lets you see how projections change with percentage reductions in social contact.
-* **Hospitalization %(total infections):** Percentage of **all** infected cases which will need hospitalization.
-* **ICU %(total infections):** Percentage of **all** infected cases which will need to be treated in an ICU.
-* **Ventilated %(total infections):** Percentage of **all** infected cases which will need mechanical ventilation.
-* **Hospital Length of Stay:** Average number of days of treatment needed for hospitalized COVID-19 patients.
-* **ICU Length of Stay:** Average number of days of ICU treatment needed for ICU COVID-19 patients.
-* **Vent Length of Stay:**  Average number of days of ventilation needed for ventilated COVID-19 patients.
-* **Hospital Market Share (%):** The proportion of patients in the region that are likely to come to your hospital (as opposed to other hospitals in the region) when they get sick. One way to estimate this is to look at all of the hospitals in your region and add up all of the beds. The number of beds at your hospital divided by the total number of beds in the region times 100 will give you a reasonable starting estimate.
-* **Regional Population:** Total population size of the catchment region of your hospital(s).
-* **Currently Known Regional Infections**: The number of infections reported in your hospital's catchment region. This is only used to compute detection rate - **it will not change projections**. This input is used to estimate the detection rate of infected individuals.
-    """
+        """**This information has been moved to the 
+[User Documentation](https://code-for-philly.gitbook.io/chime/what-is-chime/parameters#guidance-on-selecting-inputs)**"""
     )