Merge pull request #3657 from yuvipanda/cryptnono

Enable stronger cryptnono protections for public hubs + allow sharing shared directories between hubs
2i2c-org · Jan 31, 2024 · bc97ef4 · bc97ef4
2 parents 640b904 + 45de201
commit bc97ef4
Show file tree

Hide file tree

Showing 14 changed files with 443 additions and 76 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -34,12 +34,16 @@ repos:
     rev: "23.12.1"
     hooks:
       - id: black
+        # This is a `.py` file but is encrypted with sops
+        exclude: deployer/commands/generate/cryptnono_config/enc-blocklist-generator.secret.py
 
   # Lint: Python code
   - repo: https://github.com/pycqa/flake8
     rev: "6.1.0"
     hooks:
       - id: flake8
+        # This is a `.py` file but is encrypted with sops
+        exclude: deployer/commands/generate/cryptnono_config/enc-blocklist-generator.secret.py
 
   # Run `terraform fmt` on all our terraform files automatically
   - repo: https://github.com/yuvipanda/terraform-bin

diff --git a/config/clusters/hhmi/spyglass.values.yaml b/config/clusters/hhmi/spyglass.values.yaml
@@ -1,7 +1,16 @@
 nfs:
-  enabled: false
-  pv:
+  enabled: true
+  dirsizeReporter:
     enabled: false
+  pv:
+    enabled: true
+    mountOptions:
+      - soft
+      - noatime
+    serverIP: 10.55.112.74
+    baseShareName: /homes/
+    shareNameOverride: prod
+
 jupyterhub:
   ingress:
     hosts:
@@ -41,14 +50,20 @@ jupyterhub:
   singleuser:
     initContainers: []
     storage:
-      # No persistent storage should be kept to reduce any potential data
-      # retention & privacy issues.
       type: none
-      extraVolumeMounts: []
+      extraVolumes:
+        - name: shared-dir-pv
+          persistentVolumeClaim:
+            claimName: home-nfs
+      extraVolumeMounts:
+        - name: shared-dir-pv
+          mountPath: /home/jovyan/shared-readonly
+          subPath: _shared
+          readOnly: true
     defaultUrl: /lab
     image:
-      name: quay.io/lorenlab/hhmi-spyglass-image
-      tag: "c307f9418a60"
+      name: quay.io/2i2c/hhmi-spyglass-image
+      tag: "67523d9ea855"
     extraContainers:
       - name: mysql
         image: datajoint/mysql # following the spyglass tutorial at https://lorenfranklab.github.io/spyglass/latest/notebooks/00_Setup/#existing-database
@@ -72,12 +87,9 @@ jupyterhub:
   hub:
     config:
       JupyterHub:
-        authenticator_class: cilogon
-      CILogonOAuthenticator:
-        oauth_callback_url: https://spyglass.hhmi.2i2c.cloud/hub/oauth_callback
-        allowed_idps:
-          http://github.com/login/oauth/authorize:
-            default: true
-            username_derivation:
-              username_claim: "preferred_username"
-            allow_all: true
+        authenticator_class: tmpauthenticator.TmpAuthenticator
+      TmpAuthenticator:
+        # This allows users to go to the hub URL directly again to
+        # get a new server, instead of being plopped back into their
+        # older, existing user with a 'start server' button.
+        force_new_server: true
diff --git a/config/clusters/hhmi/support.values.yaml b/config/clusters/hhmi/support.values.yaml
@@ -26,3 +26,9 @@ grafana:
       - secretName: grafana-tls
         hosts:
           - grafana.hhmi.2i2c.cloud
+
+cryptnono:
+  detectors:
+    # Enable execwhacker, as this cluster has a hub that is widely open to the public
+    execwhacker:
+      enabled: true
diff --git a/deployer/__main__.py b/deployer/__main__.py
@@ -6,6 +6,7 @@
 import deployer.commands.exec.cloud  # noqa: F401
 import deployer.commands.exec.infra_components  # noqa: F401
 import deployer.commands.generate.billing.cost_table  # noqa: F401
+import deployer.commands.generate.cryptnono_config  # noqa: F401
 import deployer.commands.generate.dedicated_cluster.aws  # noqa: F401
 import deployer.commands.generate.dedicated_cluster.gcp  # noqa: F401
 import deployer.commands.generate.helm_upgrade.jobs  # noqa: F401

diff --git a/deployer/commands/generate/cryptnono_config/__init__.py b/deployer/commands/generate/cryptnono_config/__init__.py
@@ -0,0 +1,34 @@
+import shutil
+import subprocess
+from pathlib import Path
+
+from deployer.cli_app import generate_app
+from deployer.utils.file_acquisition import REPO_ROOT_PATH
+
+HERE = Path(__file__).parent
+
+
+@generate_app.command()
+def cryptnono_secret_config():
+    """
+    Update the secret blocklist for cryptnono
+    """
+    unencrypted_path = HERE / "unencrypted_secret_blocklist.py"
+
+    try:
+        # The code to generate this blocklist is small but encrypted.
+        # We temporarily decrypt it before importing the file via regular means,
+        # and then delete the imported file.
+        shutil.copyfile(HERE / "enc-blocklist-generator.secret.py", unencrypted_path)
+        subprocess.check_call(
+            ["sops", "--decrypt", "--in-place", str(unencrypted_path)]
+        )
+
+        from .unencrypted_secret_blocklist import write_encrypted_cryptnono_config
+
+        secret_config_path = (
+            REPO_ROOT_PATH / "helm-charts/support/enc-cryptnono.secret.values.yaml"
+        )
+        write_encrypted_cryptnono_config(secret_config_path)
+    finally:
+        unencrypted_path.unlink()
diff --git a/deployer/commands/generate/cryptnono_config/enc-blocklist-generator.secret.py b/deployer/commands/generate/cryptnono_config/enc-blocklist-generator.secret.py
@@ -0,0 +1,21 @@
+{
+	"data": "ENC[AES256_GCM,data:QHpd2KOljy8H5B2Q+WPP1TPizd7Pdk/B+9/Gq9a1gEp9J9z7BD5KZeHqh3MyZEjM3kdHJczknOsH+xH/hfFS8afLINfQFDWSkkXfDjbbY5HNcqtNA3F2mAsqWk9fWChT2Zd7KcgV3B/y1Wxh88w+PEWS5TZqZcrBSBRbl0QmtvPrTKy5hhlS31YtLK9NNreigm104YIPP9PgF3y9Qqs6zib3kZUfHDvsEuopKl/Xand1mcc6BN1kX+4/lRlNbamCCnW2ZrmNHfYO800su4wCODaNL3QxRVD4UGV+zY6xrFiD+rF7UohtNWeREHTWrjr+MNaRxH0TjnfHa+cDHtPT4nlDOmrgr6O15AicSaQ1JnU4TToihS35TAOoktJg1y1eLFqny59juh2NpSHvi/DGTJqZ32Y/hhpzDrswfTsyoPjO3eSYet/ULE5+ATMLVHOr9boLYtfoiQi7+98cTfkkwOZwT1+Mxf9yvVOg/WT6m7/Xv4/wt71FOSR+MbZ2bi8lghHNdpKqxIB3gNnHbCgeu8YPPLu2sNgSiWClFZoKGA3a4NtIZG6Gtq5To4NUMmyQXp+cSIHPJLuPOlbdudWynOfQN2FmRUiGEyVzcWEyViYLbjl7pdgMnVQQNbM8nRQYrnkOfrFv3cb2mH5DZA06oW5joUEsWbLBefGCgZWgvpfjqxJb/0ndhqF/tCm7diDCaaXKEGo5nLV8sX4/iuYfp8LFZ0VlrBdq5HqAs+tCRliN32SncIRcc87IWvv1KgxI+nC45zT85NcmROe85zJ+k/qAX1PAQDLx0Gcgl6DFKTVja8g4yr1CtIemFJRQIgbqVKxYFEIbJkojhbSk5nQenT0n5o+3h5BhycI+S/158YLSiqtQe6PeOR0E5+0TN6yP8qKqytQ04aQKu/1GF7s37LN9RGEwovrmovgIz0cb29dPjnug4ZbUE3y6wyz9qVYPl8gIFMT05meq8iyl9R9knDyLe5Z1z+pxp4Jp25OYEaiaRzRpjdWfwyuU6ei6fNLbATd+4IUyp2NNJlgbXYmSzUuC9VQ6h/LwADkP8GL+NbqTf56juINkGkjs5v53YfSNoqGGgfCNaRcGHDKVQeFkDHVq7imKHqvXa1qv784z2JEm2CJD1CltEbSZwhpcTQcAcaCvzOitZAAKWmUh3bY+L2QX0TBNeyBl99KtBFG75iw8o9UjLSg6E03rdD2nsBAkln9XZN6DGfJAFTWFU8j0Iu9H+m4vIT/89HODHwtzZbmMe7GAZL8rY68Gd/6xJpZFrTbvOEbxcRkq/ePuMMGczlnUpkE0g0rPt+UHnijITxXhp2T2i7+eKPAANT7F0STJOKNx95HNjIEtHoHbHwoBRBUGuwSd6q1ApGFz3FJ8ZtJUqJ3LydNMz2ma/mCe/wtdvTezqXBXH/knUAhhdToZjOjlPHAaaS2PCypQFmvrgJhZMoEj35jF7UiTB1eiQ2CtovARjZQ+aZrsMERXeN6bggxGdB+AO7V3edER252ehVz3gEFKcVltUHZbgz1fIRmLBpzmxsoET64MFfzEHjZZ6tw4vNFwGvxQai9qzLWAfGXKcodXsRcZcR3KqZRnMmyhqUCKvsQAoE52H1JsbHKG5c4NfNAs0nou+aU7JMypAkJqf6hKHfH519R4BV0d6t7GRdmzb8OPwIsijjxEsISb6BRNI7fO/BL7m91kt9RioYoL2pOJCGBNK3PjYBC+/dSjD/ysseA08DzMplbw4/plwWt1JA6buXBpNRhbcxgkAwUQPkaY0XBzwtrnMqXAzlpGVBHBrdueWrQAewL+b2G18I5YIhmO5oieUiJX89KG6kyIW1kaYvFppF5yxhGs7FWj1F22WxDyn2ToWUBHLXMlc/nP6KEdcEshywl5m4wcE5kOcXhHZ4FKT9r5rwbveY4w19p0vEEKvGyQ0mGJBkRURnBtr1NozdfSFYZO7jrrC1yV5PHEgR4lKwll7jsqqQMG/4Npeh9UK/bm+QLCTWtmDxHNRuTe6qpEfjhIEe0e0vb6Bbgl8d7+N0ogGmLEWUGVLrwvDapQG+/y6BewFXighW0aAhv0eT7jVNkcDHBgMPdpbBNu4uPaaAQppnvW0EO0jTU4qGdKwjRhjhCbPHF+Ch3az3A/ZOTw2IWpm1h3v2GwKbk9BhTLz9AEofdlmnEPLzG8d13V3qkEcYHEAE0zuhfqyt0m4RR9GdIvR9YbfPsUo//DMzwY80LrjhZ81EXLuaNAzuPKWrhbM/RU3HVZBe6KNXjTG83laQEGGwHyBaqNErQZP/a/vDLYjPMCfnYp4jxUfdhndWATn5Yltb7lf/6wxeqlGj3hYxfaapU1yvDOmP8iaNdVFBmB2jdIbEx06Y237aIZrSQ4zmgz26hjDo8WEU2AgI09/30ER2Fe7IyOHN60kUj+KZhkOqwPY8ZnJG2swYShMXBi+zANEJCFRV3DmzlMhZEjQKBPCJdpNZfmMmWwjNcU/T1bJipPQAcgWCrhxFRY6n9z9bPGHgkWdv8eApbjtTvus9EwEdpDamST7JZqUVz0ODylMofdrQuOwFTGteLd0oRhxgWC+vy1rphi8XJ5TGAGG+zLbpomw2OsUo5pch+Rn0UwUsmpRA5np8rSTfIQ2fm+gbFZLSF504fgJnVnqUFMDWVKv0u+9K8+cILY6DQulQ5A05o+YC4u7vHFt7t4fH8O3zoyDP+ww1IVTTdoIyJUrx5moXFk5THOWXpTEUUfeG7C/N0QPO9UBaD4F0b6UYqK6rter9/v4OwyZfeGDrGNgx7cpdItH4MDl9cA/qy1OzhXbvGwfoxfKHVltP6+mXT/mjpsvJOs2A5SL1lowUq5P0L4ZTpXURgyF6P93SyvCtAGRnWPW19P2hVzIZBLT0KOJWggRaOSKffzxr3LkseWO58+isjUythNyq03ptK3noQuINRmmpQmczMNCoKPM/iOwYSIp0zPJHRZDbMiP3QnDzwfSUyUfH5CRA/uOuHxwMQZKDc9xbQJJblGXsDG1Am0WUNgk7V2nTCszfIqR6r+DJbBUDQaxnljplXr7DqqoikE+zoOcomKYVFo6wQiMA2LRQ9VJUG5QMt1M6kieNi3CLkUJFGBquq5BfBPg1djXfSZrpmUf74wYyS90szuFQHAix5KZUbaMKKqCzS88ppQH9vfar6uoiS8COcy+RgJ87M/arJSLf4Fmdz+3hN14llZo81tXdTd+tZm3i1U52BUtm2Lj8VZXhNCu7JVrZwlAYtb5kQa1BcS/1EaC9931VYQjKpNMkL3Wu6tJKOXiK7Yt8pR2LdeIOvMEgbbdVW6Se0pDjwFnfcqUXYJvQWZBx/zy4b+Udzcr2tXRCBlHdloZzgBY7rhBQ2ci7Heh2/mKFMSfd/P5euVFeY0BVBjFClp7+9H0+f4v1/9Q5tjZZ9PBpXtzg1s8MZ/L82t937c7XJ1aD4E6bYzPO3mexwASHmPKtTwXMZkEWu1RQutTgIRHo6vswyY4aFn9YA5vpOWxfAX6ifk6J4JTo5p49tf8X9KqXganrI8iso7Nnmr4Q5Dfezj/ovUSh8tkgVIlCGnWaxQFYx3pIW0LUwkPzDOIoQEZ65u9ak0dgUex+xMpltQtLZv58/C91aX+5nscWaM+gc3FGKoJG+NUlKgwQmCyLge20js7S71atmDlPNFD93E87gWuh/Nv2Q5JUTZdLEET1LOjSyKOvNYIWW2WLoJ8XQzBArgEe7vtyjeFWm0jhJniDU57dtgQLzuAzXJbMCfesMEz429rNT/qXuc7X/vzCC/mlvphsQ9n2mYUMjt53amg4Bmgv7qPS7hr5QohN9WF1/HDopHePv9jkS5AuDHctq9vtixRwutR8acIRfGVg0XvYOdfX6r6bq0CzuDTD04ZdOay7kA/6DJjWRI2saMbq5BfEFgQFZLleJ1Z6UZIcODj5joWDCaliL3YkPz7ffQFY/yCBVAKCGS2GZAsbIsYIRWEbzQvxYfQxVgvSD0J4NiOlLagDsKn3YpxkL/rjWulcP0cfbRRDYLAuy6Y0rAr4/a2FcRPN+bZbpywC2tQiLO/WMyoyujH/+++2l/Z03/T4Z3QeMUMaPrlLv2gByLIOZWzGnrbxgqC85xBoINAPE28oIT75QDX2JJwTjAlMnFcBnxIOfRSYiUU6dN0DMb4r/+aDgRtso4sEzOUcwVaIMG90Gdv0Of5Sm8jYLGKUYVtcHkm1/6ahmRPFEvTVyCD0bE+k3+KukQehVafvwkG/d0O37XKJgO456yh33qNn+gJgTB0Na5/gqe1Km7NK0K4OXTadvG0s4lwGSxesk55y1uCwzYigQi5ehw12ENLuBAfVWE2cO/FEKa7uegy3uUkKtzDMrltbSBqn7BXyrdFcJhD/7HryPm3brSvCUxIlflWkyWo9K+FUsOn80Ouh2D3EtUN5c1b1g7WfJZeWY0UPGCzdUITEBD/CjI/rrJpbHCyn9vTDp7Ka7e23D1mi9qqA94oucr3WPPBrgU5RXhMSJOAbptA6Bna2Z0NzKH7VL7FMFKo2jd+g8CtKzrQwa+QWELARSUFmAhDAyh7YS7vDiibmiPA8il9slSf7U866Oj/cBH1QoTf3uStNNHg5m0IzXlwblJSP+23kucVM9vnGq2mLOmL09MhEGbuXsLN1P8qzDzEB6zSloG/nZpEkaRn4WaXb+IqpIgA+M8BpTtOiDwFMpeHL2Mu06MnhhWHTcWTaaG1AEABqozXdsjfaLfwcuRHdOoPYCdhfOZuppJ4cJxxwiaNhGATwJHCZQaoXbynElpVK6+uWtIq9AiZeZ3rA4zdtSzSxLwJ3hCj5XPeuoPm7tLJ9SKMIVwc2t0l75QQkYpiDmjuhz9m5bctDQ9Uy44KIKvNbGj6zdhKYcN1biD2eT01rRfmABCGbRzOd3fT8hinesxw2BU1BHplBWpafK+0TRjM1M5HIvxdzOOxhtmWeIWhSga2Uj8XjGMTxErlX0mYHt5N9sGYFuIRC6XOyIK0BJwuJ5+xFqQH/PIQiSITSE7AcxeCkZ+6EbV/c7KxN021mEIc1FpWQ8Sx+jQjgIA4Owg4rFcf+3hMlkn2s0g2SU/KFyMCi1mgJdNbprfSDOpqL1i8PQrSHBtdteTKlE6zL95i3c06M23jbz45/3jNAipPmivCbknfXn4JmJ/WZd26K+ndf0yLVMWFQE1QXf2OawMPtaIij47y9FGU/Sny6p/Hxee9bYwfryIHPjGFwwH3XmjhYoaDUpzvog2PMGXmNJ6vBjyDzZWj7vqSFgHMA4+s9F4sZ5zrXd6LU3ZrmaHcBRupMZYaZaWyuPNaQYcgNgoGz41cwuBcBlkViSBJ1VTf4X5DtcfAnMp8sbY8Fkuv0g1I130C2WnbEMKtFR4hc80htjLM/x5u1Ezt4OvPw/KyUiGSFEyoaBvsA0yfTWXd6zZL/kA12RmNK1vvAFjVnp2GDCd1C2U6JveGT6CEFc/ge33OGJjBsqyOSGkeWIHmaR+9VbWDR5VNNhENxjtbhO+554u5S0j2j87mJemoGLN1cTqlkqnDa7yeLuQ9W9H7amAjOFn8taVJQYQublULpnpQAxOcSy0XT+Co3s69176v7SNdyl00z2/BFHMCeS3qimpUYh3GaLRhwFFrKdKIfpv6tb19I8kUHAjjh+MTNgMJ4hg0ry8WiySTvpNvYqdbEguD1HbRZuLJGVOgKiZr/qdhqDZpZQokZJsCxeq0455JZlzB1JkvfrEtpy4IZSwyLCUfKZFeowSbsciOSH2AUvG9drTFHkILkknQj+C7wTgFiKNJJQj2tj8p4Fk34+A7x5i2dqFNjlSUaa1K09TCZLVfWcURMYePwfNlybykAgujZs5Vh6jTNDlmw9oENrjoAmMawA5a2DPqiQb8zCNwrerLRhyQ/fQHuH/Rb3vjTcF3kcRsthoOModLH92chAE5BLCLGClIY/meY1DsxC8LKYR0oXImw8TVdt3tWeQZdoniBa8S1o9cLdPmphz6UXvYTg956c40d+kKFyhuQnMWzl0NsP2/S1H9Exz7f2ElV1uo/kaza2hh/+HvpkYBwSoo/Y5Ur8kzEjQ+6OfWRziD3PHpiXJ3e7U+QYEUfHjUegJDfM5q8sOkUh7h7YXdRjz2NX1OokbHQS4435wgaRspp5ZY7vziDcX/DBEItjgBVSfU6mzEFA3nCSRbRQzzlLM4LC7rgolsRaVSd70KoUYl+MBGeYdXGoh9sW63jOCsvn4lEiXKWYtnIZRa3tpzE0yjHyhkq91nTGf0zvxSP5ZZ4hWvePhyvg1fw3nlPU4s9maGKjFSf9GRzs2PPEiYRG/ie3rK/S3K3ruv8OiESVKPqEU6XznE/Rbgh+1m/GsB9xDaDIsPM8FTocGZQarm2mJ0HlhSSKY0QBpDHm1kwUDZe25aCudnQCsIrKdar08JxRWd50ggBA3lOzm72N9H5yJXbfXW8YaOGiAitiAqvNFdUq7as7h/wIgpNZGuMxKMECIVFstDS6bvkzCmwNqkUBoGrYNc5jJQXJnRvJx2vPm3G/aTqBNYa41ji2LbvtBAWHa7CN/9Z8ItV1NmiBRTKRiKdOSMqJG5SbmKKGke7/6bPljHk4vxypdN68HVFs0jwbuS8pcMJ2u9dGhzYIUkNttBL3teirhXiylUwUt8TcrcBBclYY/Holbl8yarEDTUsqt4KSBcNKq6W48u2VYYAfQj8U2tXx9aO7dsK1nGiky6dXGU+vLuyTfHUs3QAfBmRJ6UCenNOw3KFQYxfrnxmx6+BHCmazHA6TFjCJZ/oogsf7TIucu96TOCL5YVTEtBRvdFwV4QTm3BGrQ3pVYZt4IOa1wGbD3uCd2LSqx9axU3sh9V9h7CTbtJ52TTP2hBfB4P2g260Gny2ezVLVjWoLvLwaNSGhQgHyQCaRmOLYDMjGFzKGuMHiwj2eB3Y5DggcvnVwKf/Krix56CVhBzj0bbATBvFXskq24YlSm0DFC5ZIkfd7gkt00R44d5fpM8lsdkgSqvz080nCXI6vQVT5hTeReguci3EW96LfXtit5lt+x4iUv4aD3qcJG3Miff6zhSM7W0YkFB/5YdF4Nj+Oh4OcRc42ur8JbXC8q1oTefNwHl8UX4pZl8VN5EoIjhsFRcnNAabOSBiYLO+SMZAYXxucg/hUisrVT00rd5KiDBdBGFFnzbunZjjh8eDGwlGRCkiQD3AW3THPUrrDISu3I4I7dDOQpVntmy2100JgyMh8I20qa39WMIPTzlVAnU6W9AP07EhZWK6B5Ttx5AgCxvqkzhpTjy6dfwWycMTKaoeVaAvpZC2ZXtRn1scHCvkFr5LQy57z/zLwQkeWJ4kmL5WGx5aOhFfjibyRRnQeXW04KRkuAOwdfsTA90083KUmh9UFgdcSkJlwNx0z8mcJX2myBsTN/r5pFyI2Sb9NsPxCHX0xBDutS2yW2/1M6QgxhsmDOfqLcVroeXDjM1lXQPT5hWB3luLDi3WlRx55nf9tjnzsBfjANjy1YsfHtSeER6JBPD5Hjinm2fyxgScx13t7GuMqze5q0Zu7Y4RXDBo/NXm9ZJL8Y08JJVCPss9EeUb3RxaVdtkNc3gRc7Lzq89EHLrwAkVDQEauHHws1VZCe48yUxAWEwQH2kaT8Dqkl19iYOUcKF9/6uo7urf3Hy6rBwEJjFBSHCKMUVnfsRwcVMq1k4qAgZu4YXlozqe8Jsr2vd2Jt/EUyCXDAhEbC42oWWGHBOJAP7EHH6QzId8M1uLzBoja8oUnYuuy9MN7RMggw0nhOTCGA9jLdyeDVZE4JuIilbJNPFydEBpMlDRS9XAb74FOj+B2oO4glnxZRMpH0aLbgVJb9VfY9N9yLPn9RFthreP3jr+WG4Fqvis56B1/+YqU5pxaPnJjNziWNxxMa6AqU2IhFheBH/kJyC+IufxQRvscRBJ9rIs1wh8pVGfXlmkSC+wNwJrOLR1xcp+bzJlANAfiAKNXqNXSVDYalumi5PK62NaswJzcmQb5U4Fx1Tqc7clLxFgzDyZcyv+juoBRBxDn5yEQ38EdIPvkNZsj84FeQ7GP8F7dF9xbAY22Rcsuhym4sFkhFF84JCUSfSqxamw1rzZa4WXIWILoJimsIo357XEc8OnOMHAbO9g==,iv:TZ8YGS+cfxUUdYDE5GS+f5REAkp8rRUsHbllvkAIPQE=,tag:wwi8RPqEI3AwKKIrl3Vg3Q==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": [
+			{
+				"resource_id": "projects/two-eye-two-see/locations/global/keyRings/sops-keys/cryptoKeys/similar-hubs",
+				"created_at": "2024-01-30T21:02:48Z",
+				"enc": "CiUA4OM7eCxHPiBqy6mOWR2S3PJbLSWYZXzFOQnZJ8lrTylqCTNlEkgAjTWv+o7jO3nOhYDxVi96kSIKuPF6qw/LbnuwkQhW1Q2KPYvEqWxnuSlGmdbgaB3ue6zs963VkoviKthuemqMELyCzwFLdR8="
+			}
+		],
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": null,
+		"lastmodified": "2024-01-30T21:02:49Z",
+		"mac": "ENC[AES256_GCM,data:y1DPJnP1DLtDdLpCHbtq15gg9G7ZxDz7AB2++fAsrwml+vnEUpsE03Mv7IWP0glVpoY5MEvANTz5QmGtVzLIwyL2iVRlP2qYeZFW54z40pO69p5foUH4wfS+D7G2oKCIOJ4F29MziTVkCkINHb9PVM/6ePvZyh1EGIXXTn5Hs74=,iv:SBgSWs19yRmSxbJ2l3Ddpc4/EZpNaMYnnOBIUEM6gxs=,tag:zGt6bSNusiSF4Q8QN/nc6w==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}
diff --git a/deployer/infra_components/cluster.py b/deployer/infra_components/cluster.py
@@ -71,7 +71,10 @@ def deploy_support(self, cert_manager_version):
         subprocess.check_call(["helm", "dep", "up", support_dir])
 
         # contains both encrypted and unencrypted values files
-        values_file_paths = [support_dir.joinpath("enc-support.secret.values.yaml")] + [
+        values_file_paths = [
+            support_dir.joinpath("enc-support.secret.values.yaml"),
+            support_dir.joinpath("enc-cryptnono.secret.values.yaml"),
+        ] + [
             self.config_path.joinpath(p)
             for p in self.support["helm_chart_values_files"]
         ]