Multi-vo renew fts cronjob #126

Closed
wants to merge 4 commits into from
3 changes: 1 addition & 2 deletions charts/rucio-daemons/Chart.yaml
@@ -1,5 +1,5 @@
name: rucio-daemons
version: 1.30.4
version: 1.30.5
apiVersion: v1
description: A Helm chart to deploy daemons for Rucio
keywords:
Expand All @@ -11,4 +11,3 @@ sources:
maintainers:
- name: Rucio development team
email: [email protected]

2 changes: 2 additions & 0 deletions charts/rucio-daemons/README.md
Expand Up @@ -69,6 +69,7 @@ The conveyor needs a delegated X509 user proxy and the necessary CA so that it c
name: 'grid-passphrase'
key: 'passphrase'
servers: "https://fts3-devel.cern.ch:8446,https://fts3-pilot.cern.ch:8446"
ftsSecrets: '' # e.g., rucio-x509up
ftsCert:
existingSecret:
name: '' # e.g., fts-cert
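Review bot: the new `ftsSecrets` key in this values example is documented only by the inline comment `# e.g., rucio-x509up`, which does not say what the key controls. From the template change it overrides the default `<releasename>-rucio-x509up` value passed as `RUCIO_FTS_SECRETS`; please add a sentence to that effect here, and state that an explicit value is used verbatim with no release-name prefix, since the example `rucio-x509up` can be read either way.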
Expand All @@ -90,6 +91,7 @@ The possible VOs are:
- `escape` expects a separate key and cert as input secrets, as well as a grid passphrase called. It then creates a user proxy with the given VOMS extensions and with 96h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`<releasename>-rucio-x509up`).
- `dteam` expects a long proxy like `atlas` and then creates, delegates and saves the user proxy like `cms`.
- `tutorial` expects a separate key and cert as input secrets like `cms` and then directly delegates to FTS. No proxy generation and `<releasename>-rucio-x509up` has to be manually created.
- `multi_vo` expects a long proxy as input secret (`<releasename>-longproxy-<vo>`). Takes vo and voms extention values in vomses, then creates a user proxy with the given VOMS extensions and with 24h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`<releasename>-rucio-x509up-<vo>`). Some extra values are needed for multi-vo to work, [see here](https://github.com/rucio/documentation/blob/main/docs/multi_vo_rucio.md)
- Any other VO value will lead to the execution of the default script and expects a separate key and cert as input secrets. It then creates a user proxy with the given VOMS extensions and with 96h lifetime and delegates it to the given FTS servers. Then saves it as a cluster secret (`<releasename>-rucio-x509up`). Additionally a grid passphrase can be specified and saved in a dedicated secret.

### Reaper
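Review bot: the `multi_vo` bullet refers to `vomses` without showing its shape and defers the required values to an external page. The template reads a list of entries with `vo` and `voms` keys, so a short values snippet belongs in this README next to the bullet. In the same line, "extention" should be "extension", the last sentence is missing its period, and the 24h proxy lifetime differs from the 96h used for the other VOs without a stated reason. The bullet says the proxy is saved as `<releasename>-rucio-x509up-<vo>`; it should also say how that relates to the new `ftsSecrets` value, which the template renders as a single name.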
41 changes: 35 additions & 6 deletions charts/rucio-daemons/templates/renew-fts-cronjob.yaml
Expand Up @@ -6,6 +6,12 @@
- name: longproxy
secret:
secretName: {{ if empty .Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ .Release.Name }}-longproxy {{- else }} {{ .Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ end }}
{{- else if (eq .Values.ftsRenewal.vo "multi_vo")}}
{{- range $val := .Values.ftsRenewal.vomses }}
- name: longproxy-{{$val.vo}}
secret:
secretName: {{ if empty $.Values.ftsRenewal.ftsLongProxy.existingSecret.name }} {{ $.Release.Name }}-longproxy-{{$val.vo}} {{- else }} {{ $.Values.ftsRenewal.ftsLongProxy.existingSecret.name }}-{{$val.vo}} {{ end }}
{{- end }}
{{- else }}
- name: usercert
secret:
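Review bot: `$val.vo` is interpolated straight into the volume name `longproxy-{{$val.vo}}` and into `secretName`, so a VO identifier containing uppercase letters or underscores renders a manifest the API server rejects. Either document that constraint on the `vo` field of each `vomses` entry, or normalise it (for example with `lower`) and fail the render on invalid input. Note also that when `existingSecret.name` is set, the per-VO secret name becomes `<existingSecret.name>-<vo>`, so a single existing secret can no longer be referenced as-is; the README should say so.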
Expand All @@ -14,11 +20,16 @@
secret:
secretName: {{ if empty .Values.ftsRenewal.ftsKey.existingSecret.name }} {{ .Release.Name }}-fts-key {{- else }} {{ .Values.ftsRenewal.ftsKey.existingSecret.name }} {{ end }}
{{- end }}
{{- range $key, $val := .Values.additionalSecrets }}
- name: {{ $key }}
secret:
secretName: {{ $.Release.Name }}-{{ $val.secretName }}
{{- end }}
{{- range $key, $val := .Values.persistentVolumes }}
- name: {{ $key }}
persistentVolumeClaim:
claimName: {{ $val.name }}
{{- end}}
{{- end }}
containers:
- name: renew-fts-cron
image: "{{ .Values.ftsRenewal.image.repository }}:{{ .Values.ftsRenewal.image.tag }}"
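Review bot: in the added `additionalSecrets` volumes, `secretName` is always `{{ $.Release.Name }}-{{ $val.secretName }}`, so a secret created outside this release cannot be mounted, unlike the `existingSecret.name` handling used for the cert and key volumes directly above. Consider using the name as given, or making the prefix optional. A key in `additionalSecrets` that equals `usercert`, `userkey`, `longproxy` or a `persistentVolumes` key would produce duplicate volume names, which deserves a sentence in the values documentation.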
Expand All @@ -29,37 +40,55 @@
{{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") }}
- name: longproxy
mountPath: /opt/rucio/certs/
{{- else if (eq .Values.ftsRenewal.vo "multi_vo")}}
{{- range $val := .Values.ftsRenewal.vomses }}
- name: longproxy-{{$val.vo}}
mountPath: /opt/rucio/certs/{{$val.vo}}/
{{- end }}
{{- else }}
- name: usercert
mountPath: /opt/rucio/certs/
- name: userkey
mountPath: /opt/rucio/keys/
{{- end }}
{{- range $key, $val := .Values.additionalSecrets }}
- name: {{ $key }}
mountPath: {{ $val.mountPath }}
{{- end }}
{{- range $key, $val := .Values.persistentVolumes }}
- name: {{ $key }}
mountPath: {{ $val.mountPath }}
{{- end}}
{{- end }}
env:
{{- range $key1, $val1 := .Values.optional_config }}
- name: {{ $key1 | upper }}
value: "{{ $val1 }}"
{{- end}}
value: "{{ $val1 }}"
{{- end }}
- name: RUCIO_VO
value: {{ .Values.ftsRenewal.vo | quote }}
{{- if (eq .Values.ftsRenewal.vo "multi_vo")}}
- name: RUCIO_FTS_VOS
value: {{ range $val := .Values.ftsRenewal.vomses }}{{$val.vo}} {{end}}
{{- range $val := .Values.ftsRenewal.vomses }}
- name: RUCIO_FTS_VOMS_{{ $val.vo | upper}}
value: {{ $val.voms }}
{{- end }}
{{- else}}
- name: RUCIO_FTS_VOMS
value: {{ .Values.ftsRenewal.voms | quote }}
{{- end }}
- name: RUCIO_FTS_SERVERS
value: {{ .Values.ftsRenewal.servers | quote }}
- name: RUCIO_FTS_SECRETS
value: "{{ .Release.Name }}-rucio-x509up"
value: {{ if empty .Values.ftsRenewal.ftsSecrets }} {{ .Release.Name }}-rucio-x509up {{- else }} {{ .Values.ftsRenewal.ftsSecrets }} {{ end }}
{{- if .Values.ftsRenewal.gridPassphrase.required }}
- name: GRID_PASSPHRASE
valueFrom:
secretKeyRef:
name: {{ .Values.ftsRenewal.gridPassphrase.existingSecret.name | quote }}
key: {{ .Values.ftsRenewal.gridPassphrase.existingSecret.key | quote }}
{{- end }}
{{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") }}
{{- if or (eq .Values.ftsRenewal.vo "atlas") (eq .Values.ftsRenewal.vo "dteam") (eq .Values.ftsRenewal.vo "multi_vo") }}
{{- if .Values.ftsRenewal.longProxy }}
- name: RUCIO_LONG_PROXY
value: {{ .Values.ftsRenewal.longProxy | quote }}
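Review bot: several of the new `env` values are rendered unquoted: the `RUCIO_FTS_VOS` range, `value: {{ $val.voms }}`, and the rewritten `RUCIO_FTS_SECRETS` line, which replaces a previously quoted string. The neighbouring `RUCIO_VO`, `RUCIO_FTS_VOMS` and `RUCIO_FTS_SERVERS` all use `| quote`; without it, a value containing `: ` or ` #`, or one that parses as a number or boolean, changes the YAML the chart emits. Suggest `value: {{ $val.voms | quote }}`, quoting the assembled VO list and dropping its trailing space, and `value: {{ .Values.ftsRenewal.ftsSecrets | default (printf "%s-rucio-x509up" .Release.Name) | quote }}`. `RUCIO_FTS_VOMS_{{ $val.vo | upper}}` also makes the VO part of an environment variable name, so a VO containing `-` or `.` yields a name that is not a valid shell identifier; document or validate the allowed characters.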
1 change: 1 addition & 0 deletions charts/rucio-daemons/values.yaml
Expand Up @@ -404,6 +404,7 @@ ftsRenewal:
name: 'grid-passphrase'
key: 'passphrase'
servers: "https://fts3-devel.cern.ch:8446,https://cmsfts3.fnal.gov:8446,https://fts3.cern.ch:8446,https://lcgfts3.gridpp.rl.ac.uk:8446,https://fts3-pilot.cern.ch:8446"
ftsSecrets: ''
ftsCert:
existingSecret:
name: '' # e.g., fts-cert
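Review bot: `ftsSecrets: ''` is added without a comment, and no `vomses` default accompanies it in this hunk although the CronJob template ranges over `.Values.ftsRenewal.vomses` when `vo` is `multi_vo`. If that key is absent, the ranges render nothing and `RUCIO_FTS_VOS` ends up with an empty value, with no error at install time. Add a commented `vomses` example (entries with `vo` and `voms`) beside this key, give `ftsSecrets` the same `# e.g., rucio-x509up` hint the README uses, and consider a `fail` in the template when `multi_vo` is selected with an empty list.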