From 1e436f2c3d6a299f1b95e71326f073f60ea70f05 Mon Sep 17 00:00:00 2001 From: George Matthews Date: Wed, 8 Feb 2023 13:21:52 +0000 Subject: [PATCH 1/4] Add multi-vo fts cronjob Add longproxy for multi-vo Add additional secrets for voms server info Add variables for multi-vo --- .../templates/renew-fts-cronjob.yaml | 41 ++++++++++++++++--- 1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/charts/rucio-daemons/templates/renew-fts-cronjob.yaml b/charts/rucio-daemons/templates/renew-fts-cronjob.yaml
index ecb7f2e..44e6728 100644
--- a/charts/rucio-daemons/templates/renew-fts-cronjob.yaml
+++ b/charts/rucio-daemons/templates/renew-fts-cronjob.yaml
@@ -6,6 +6,12 @@
- name: longproxy
secret:
secretName: {{ if empty .Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ .Release.Name }}-longproxy {{- else }} {{ .Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ end }}
+ {{- else if (eq .Values.ftsRenewal.vo "multi_vo")}}
+ {{- range $val := .Values.ftsRenewal.vomses }}
+ - name: longproxy-{{$val.vo}}
+ secret:
+ secretName: {{ if empty $.Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ $.Release.Name }}-longproxy-{{$val.vo}} {{- else }} {{ $.Values.ftsRenewal.ftsLongProxy.existingSecret.name }}-{{$val.vo}} {{ end }}
+ {{- end }}
{{- else }}
- name: usercert
secret:
@@ -14,11 +20,16 @@
secret:
secretName: {{ if empty .Values.ftsRenewal.ftsKey.existingSecret.name }} {{ .Release.Name }}-fts-key {{- else }} {{ .Values.ftsRenewal.ftsKey.existingSecret.name }} {{ end }}
{{- end }}
+ {{- range $key, $val := .Values.additionalSecrets }}
+ - name: {{ $key }}
+ secret:
+ secretName: {{ $.Release.Name }}-{{ $val.secretName }}
+ {{- end }}
{{- range $key, $val := .Values.persistentVolumes }}
- name: {{ $key }}
persistentVolumeClaim:
claimName: {{ $val.name }}
- {{- end}}
+ {{- end }}
containers:
- name: renew-fts-cron
image: "{{ .Values.ftsRenewal.image.repository }}:{{ .Values.ftsRenewal.image.tag }}"
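Review bot: `$val.vo` is interpolated unvalidated into a volume `name`, a Secret `secretName` and, in the later hunk, a `mountPath` and an env-var name, so a `vomses` entry whose `vo` is empty or not a DNS-1123 label (uppercase, underscore, trailing hyphen) renders a CronJob the API server rejects, with the error surfacing far from the offending value. Guard each iteration at the top of the `range`: `{{- $vo := required "ftsRenewal.vomses[].vo is required" $val.vo }}` followed by `{{- if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" $vo) }}{{ fail (printf "ftsRenewal.vomses: vo %q is not a valid DNS-1123 label" $vo) }}{{- end }}`. Note also that the `existingSecret` branch appends `-{{$val.vo}}` to the operator-supplied name instead of using it verbatim as the single-VO branch above does; that convention needs a sentence next to `ftsLongProxy.existingSecret.name` in values.yaml/README. These secret volumes carry no `defaultMode`, so the proxy files land with the Kubernetes default file mode even though each one embeds a private key; consider `defaultMode: 0400` unless the renewal script already copies and chmods them. The enclosing `volumes:` list starts before this hunk.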
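Review bot: `additionalSecrets` is introduced here without documentation anywhere in this series (the README and values.yaml hunks only add `ftsSecrets` and the `multi_vo` bullet), so the expected shape, `<key>: {secretName: …, mountPath: …}`, and the fact that `secretName` is always prefixed with the release name are discoverable only by reading the template. That unconditional prefix also diverges from the `existingSecret.name` pattern every other secret volume in this file uses, which lets an operator mount a Secret created outside the release; `secretName: {{ $val.secretName | quote }}` (or an `existingSecret`-style switch) would keep the two consistent. The volume `name: {{ $key }}` shares one namespace with the `persistentVolumes` keys and the fixed `longproxy`/`usercert`/`userkey` names, so a clashing key yields a duplicate-volume error at apply time; a `secret-{{ $key }}` prefix, mirrored in the mount hunk, avoids that. Add a values.yaml stanza such as `additionalSecrets: {}  # <name>: {secretName: <secret>, mountPath: <path>}` plus a one-line README entry.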
@@ -29,29 +40,47 @@
{{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") }}
- name: longproxy
mountPath: /opt/rucio/certs/
+ {{- else if (eq .Values.ftsRenewal.vo "multi_vo")}}
+ {{- range $val := .Values.ftsRenewal.vomses }}
+ - name: longproxy-{{$val.vo}}
+ mountPath: /opt/rucio/certs/{{$val.vo}}/
+ {{- end }}
{{- else }}
- name: usercert
mountPath: /opt/rucio/certs/
- name: userkey
mountPath: /opt/rucio/keys/
{{- end }}
+ {{- range $key, $val := .Values.additionalSecrets }}
+ - name: {{ $key }}
+ mountPath: {{ $val.mountPath }}
+ {{- end }}
{{- range $key, $val := .Values.persistentVolumes }}
- name: {{ $key }}
mountPath: {{ $val.mountPath }}
- {{- end}}
+ {{- end }}
env:
{{- range $key1, $val1 := .Values.optional_config }}
- name: {{ $key1 | upper }}
- value: "{{ $val1 }}"
- {{- end}}
+ value: "{{ $val1 }}"
+ {{- end }}
- name: RUCIO_VO
value: {{ .Values.ftsRenewal.vo | quote }}
+ {{- if (eq .Values.ftsRenewal.vo "multi_vo")}}
+ - name: RUCIO_FTS_VOS
+ value: {{ range $val := .Values.ftsRenewal.vomses }}{{$val.vo}} {{end}}
+ {{- range $val := .Values.ftsRenewal.vomses }}
+ - name: RUCIO_FTS_VOMS_{{ $val.vo | upper}}
+ value: {{ $val.voms }}
+ {{- end }}
+ {{- else}}
- name: RUCIO_FTS_VOMS
value: {{ .Values.ftsRenewal.voms | quote }}
+ {{- end }}
- name: RUCIO_FTS_SERVERS
value: {{ .Values.ftsRenewal.servers | quote }}
- name: RUCIO_FTS_SECRETS
- value: "{{ .Release.Name }}-rucio-x509up"
+ value: {{ if empty .Values.ftsRenewal.ftsSecrets }} {{ .Release.Name }}-rucio-x509up {{- else }} {{ .Values.ftsRenewal.ftsSecrets }} {{ end }}
{{- if .Values.ftsRenewal.gridPassphrase.required }}
- name: GRID_PASSPHRASE
valueFrom:
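Review bot: The new multi-VO env values are emitted as unquoted plain scalars, `value: {{ $val.voms }}` and the `RUCIO_FTS_VOS` line, whereas the single-VO `RUCIO_FTS_VOMS` line right below uses `| quote`; a VOMS string containing `: ` or ` #`, a `vo` such as `no` or `on`, or an empty `vomses` list renders a `value` that is not a string (or not valid YAML) and the API server rejects it, and `RUCIO_FTS_VOS` always carries a trailing space. `RUCIO_FTS_SECRETS` regresses the same way in this hunk: the old line was quoted, the new one is not. Quote every value and build the VO list with sprig helpers rather than a space-emitting `range`; the rewrite below does that and folds the `ftsSecrets` fallback into one `default` call. The container spec starts before this hunk and the `env:` list continues after it.
```yaml
            {{- if (eq .Values.ftsRenewal.vo "multi_vo") }}
            {{- $vos := list }}
            {{- range $val := .Values.ftsRenewal.vomses }}
            {{- $vos = append $vos $val.vo }}
            {{- end }}
            - name: RUCIO_FTS_VOS
              value: {{ join " " $vos | quote }}
            {{- range $val := .Values.ftsRenewal.vomses }}
            - name: RUCIO_FTS_VOMS_{{ $val.vo | upper }}
              value: {{ $val.voms | quote }}
            {{- end }}
            {{- else }}
            # … unchanged: single-VO RUCIO_FTS_VOMS …
            {{- end }}
            # … unchanged: RUCIO_FTS_SERVERS …
            - name: RUCIO_FTS_SECRETS
              value: {{ default (printf "%s-rucio-x509up" .Release.Name) .Values.ftsRenewal.ftsSecrets | quote }}
```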
@@ -59,7 +88,7 @@
name: {{ .Values.ftsRenewal.gridPassphrase.existingSecret.name | quote }}
key: {{ .Values.ftsRenewal.gridPassphrase.existingSecret.key | quote }}
{{- end }}
- {{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") }}
+ {{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") (eq .Values.ftsRenewal.vo "multi_vo") }}
{{- if .Values.ftsRenewal.longProxy }}
- name: RUCIO_LONG_PROXY
value: {{ .Values.ftsRenewal.longProxy | quote }}
From 56a76dd4d6d02f364d319221af2f978c27a5e07f Mon Sep 17 00:00:00 2001 From: George Matthews Date: Wed, 8 Feb 2023 13:22:18 +0000 Subject: [PATCH 2/4] Update documentation Add multi-vo fts cronjob to documentation --- charts/rucio-daemons/README.md | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/charts/rucio-daemons/README.md b/charts/rucio-daemons/README.md
index d492053..8da2d60 100644
--- a/charts/rucio-daemons/README.md
+++ b/charts/rucio-daemons/README.md
@@ -69,6 +69,7 @@ The conveyor needs a delegated X509 user proxy and the necessary CA so that it c
name: 'grid-passphrase'
key: 'passphrase'
servers: "https://fts3-devel.cern.ch:8446,https://fts3-pilot.cern.ch:8446"
+ ftsSecrets: '' # e.g., rucio-x509up
ftsCert:
existingSecret:
name: '' # e.g., fts-cert
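Review bot: This is the third copy of the `atlas`/`dteam`/`multi_vo` VO list in the template (the volume and mount hunks carry the other two), so adding the next long-proxy VO means editing three `or (eq …)` chains, and missing one leaves a container with `RUCIO_LONG_PROXY` set but no proxy mounted, or the reverse. Compute the predicate once near the top of the template and test it in all three places: `{{- $usesLongProxy := has .Values.ftsRenewal.vo (list "atlas" "dteam" "multi_vo") }}` and then `{{- if $usesLongProxy }}`. The `if` opened on the changed line is closed after this hunk.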
@@ -90,6 +91,7 @@ The possible VOs are:
- `escape` expects a separate key and cert as input secrets, as well as a grid passphrase called. It then creates a user proxy with the given VOMS extensions and with 96h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`-rucio-x509up`).
- `dteam` expects a long proxy like `atlas` and then creates, delegates and saves the user proxy like `cms`.
- `tutorial` expects a separate key and cert as input secrets like `cms` and then directly delegates to FTS. No proxy generation and `-rucio-x509up` has to be manually created.
+- `multi_vo` expects a long proxy as input secret (`-longproxy-`). Takes vo and voms extention values in vomses, then creates a user proxy with the given VOMS extensions and with 24h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`-rucio-x509up-`). Some extra values are needed for multi-vo to work, [see here](https://github.com/rucio/documentation/blob/main/docs/multi_vo_rucio.md)
- Any other VO value will lead to the execution of the default script and expects a separate key and cert as input secrets. It then creates a user proxy with the given VOMS extensions and with 96h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`-rucio-x509up`). Additionally a grid passphrase can be specified and saved in a dedicated secret.

### Reaper
From 318920fbe36b5a1966494c5e12c8e9aebe020fc3 Mon Sep 17 00:00:00 2001 From: George Matthews Date: Wed, 8 Feb 2023 15:06:57 +0000 Subject: [PATCH 3/4] Add ftsSecrets to values.yaml --- charts/rucio-daemons/values.yaml | 1 + 1 file changed, 1 insertion(+)
diff --git a/charts/rucio-daemons/values.yaml b/charts/rucio-daemons/values.yaml
index b1e98e0..d2e71a8 100644
--- a/charts/rucio-daemons/values.yaml
+++ b/charts/rucio-daemons/values.yaml
@@ -404,6 +404,7 @@ ftsRenewal:
name: 'grid-passphrase'
key: 'passphrase'
servers: "https://fts3-devel.cern.ch:8446,https://cmsfts3.fnal.gov:8446,https://fts3.cern.ch:8446,https://lcgfts3.gridpp.rl.ac.uk:8446,https://fts3-pilot.cern.ch:8446"
+ ftsSecrets: ''
ftsCert:
existingSecret:
name: '' # e.g., fts-cert
From cd00ebd25d68044edf2c437c9b0e7758dcdc4047 Mon Sep 17 00:00:00 2001 From: George Matthews Date: Wed, 8 Feb 2023 15:20:48 +0000 Subject: [PATCH 4/4] Chart version bump --- charts/rucio-daemons/Chart.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/charts/rucio-daemons/Chart.yaml b/charts/rucio-daemons/Chart.yaml
index 8928f47..421036c 100644
--- a/charts/rucio-daemons/Chart.yaml
+++ b/charts/rucio-daemons/Chart.yaml
@@ -1,5 +1,5 @@
name: rucio-daemons
-version: 1.30.4
+version: 1.30.5
apiVersion: v1
description: A Helm chart to deploy daemons for Rucio
keywords:
@@ -11,4 +11,3 @@ sources:
maintainers:
- name: Rucio development team
email: rucio-dev@cern.ch
-
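Review bot: `ftsSecrets: ''` is added without the `# e.g., rucio-x509up` hint the README hunk gives the same key, and nothing in values.yaml says what the value selects; judging by the README bullets and the `RUCIO_FTS_SECRETS` default in the template, it is the name of the Secret the cronjob writes the delegated proxy into, falling back to `<release>-rucio-x509up` when empty. Suggest `ftsSecrets: ''  # Secret the renewed proxy is written to; defaults to <release>-rucio-x509up` so the value is self-describing where operators actually edit it. The `ftsRenewal:` mapping this belongs to starts before the hunk.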