Merge pull request #248 from dynamic-entropy/oidc_mount

OIDC mount
dmwm · Jan 31, 2024 · 670b153 · 670b153
2 parents 980bbe7 + 2f547f2
commit 670b153
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 55 deletions.
diff --git a/apps/base/cms-rucio-common.yaml b/apps/base/cms-rucio-common.yaml
@@ -2,41 +2,46 @@ image:
  tag: release-1.19.5
 
 config:
- accounts:
- special_accounts: "tier0"
- policy:
- package: CMSRucioPolicy
- lfn2pfn_algorithm_default: "identity"
- support: "https://its.cern.ch/jira/projects/CMSRUCIO/summary"
- messaging_hermes:
- brokers: "localhost"
- voname: "cms" 
- email_from: "[email protected]"
- messaging_cache:
- brokers: "localhost"
- voname: "cms" 
- messaging_fts3:
- brokers: "localhost"
- voname: "cms" 
- tracer_kronos:
- brokers: "localhost"
- voname: "cms" 
- conveyor:
- ftshosts: "https://cmsfts3.fnal.gov:8446,https://fts3-cms.cern.ch:8446,https://lcgfts3.gridpp.rl.ac.uk:8446"
- ftsmonhosts: "https://cmsfts3.fnal.gov:8449,https://fts3-cms.cern.ch:8449,https://lcgfts3.gridpp.rl.ac.uk:8449"
- bring_online: "2678400"
- monitor:
- carbon_server: statsd-exporter-rucio-statsd-exporter.prometheus
- user_scope: rucio
+ accounts:
+ special_accounts: "tier0"
+ oidc:
+ idpsecrets: "/opt/rucio/etc/idpsecrets.json"
 
-# Configure database connections for Oracle Database Resident Connection Pool (DRCP)
- database:
- pool_reset_on_return: "rollback"
- pool_timeout: "30"
- echo: "0"
- max_overflow: "10"
- pool_size: "5"
- pool_recycle: "600"
+ policy:
+ package: CMSRucioPolicy
+ lfn2pfn_algorithm_default: "identity"
+ support: "https://its.cern.ch/jira/projects/CMSRUCIO/summary"
+ permission: "cms"
+ schema: "cms"
+ messaging_hermes:
+ brokers: "localhost"
+ voname: "cms"
+ email_from: "[email protected]"
+ messaging_cache:
+ brokers: "localhost"
+ voname: "cms"
+ messaging_fts3:
+ brokers: "localhost"
+ voname: "cms"
+ tracer_kronos:
+ brokers: "localhost"
+ voname: "cms"
+ conveyor:
+ ftshosts: "https://cmsfts3.fnal.gov:8446,https://fts3-cms.cern.ch:8446,https://lcgfts3.gridpp.rl.ac.uk:8446"
+ ftsmonhosts: "https://cmsfts3.fnal.gov:8449,https://fts3-cms.cern.ch:8449,https://lcgfts3.gridpp.rl.ac.uk:8449"
+ bring_online: "2678400"
+ monitor:
+ carbon_server: statsd-exporter-rucio-statsd-exporter.prometheus
+ user_scope: rucio
+
+ # Configure database connections for Oracle Database Resident Connection Pool (DRCP)
+ database:
+ pool_reset_on_return: "rollback"
+ pool_timeout: "30"
+ echo: "0"
+ max_overflow: "10"
+ pool_size: "5"
+ pool_recycle: "600"
 
 useDeprecatedImplicitSecrets: false
 
@@ -56,9 +61,13 @@ ftsRenewal:
  - vo: "cms"
  voms: "cms:/cms/Role=production"
  additionalEnvs:
- # - name: RUCIO_FTS_SECRETS
- # value: release-rucio-x509up
  - name: USERCERT_NAME
  value: "usercert.pem"
  - name: USERKEY_NAME
  value: "new_userkey.pem"
+
+secretMounts:
+ - secretFullName: server-idpsecrets
+ mountPath: /opt/rucio/etc/
+ subPaths:
+ - idpsecrets.json
diff --git a/apps/base/rucio-daemons/cms-rucio-daemons.yaml b/apps/base/rucio-daemons/cms-rucio-daemons.yaml
@@ -62,7 +62,8 @@ reaper:
  value: "/opt/proxy/x509up"
 
 conveyorTransferSubmitter:
- activities: "'Data Challenge' 'Data Consolidation' 'Recovery' 'Data Brokering' 'Data rebalancing' 'Debug' 'Express' 'Group Subscriptions' 'Production Input' 'Production Output' 'Analysis Input' 'Analysis Output' 'Staging' 'T0 Export' 'T0 Tape' 'Upload/Download (Job)' 'Upload/Download (User)' 'User Subscriptions' 'User AutoApprove'"
+ activities:
+ "'Data Challenge' 'Data Consolidation' 'Recovery' 'Data Brokering' 'Data rebalancing' 'Debug' 'Express' 'Group Subscriptions' 'Production Input' 'Production Output' 'Analysis Input' 'Analysis Output' 'Staging' 'T0 Export' 'T0 Tape' 'Upload/Download (Job)' 'Upload/Download (User)' 'User Subscriptions' 'User AutoApprove'"
  # Same size or smaller than bulk which is 100
  groupBulk: 50
  sleepTime: 60
@@ -116,12 +117,12 @@ hermes:
  limits:
  memory: 9000Mi
 
-judgeEvaluator: 
+judgeEvaluator:
  resources:
  limits:
- cpu: 3750m 
+ cpu: 3750m
  requests:
- cpu: 750m 
+ cpu: 750m
  podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "8080"
@@ -130,10 +131,10 @@ judgeCleaner:
  threads: 2
  resources:
  limits:
- cpu: 3750m 
+ cpu: 3750m
  memory: 4000Mi
  requests:
- cpu: 750m 
+ cpu: 750m
  memory: 400Mi
  podAnnotations:
  prometheus.io/scrape: "true"
@@ -143,10 +144,10 @@ judgeInjector:
  threads: 2
  resources:
  limits:
- cpu: 3750m 
+ cpu: 3750m
  memory: 8000Mi
  requests:
- cpu: 750m 
+ cpu: 750m
  memory: 400Mi
  podAnnotations:
  prometheus.io/scrape: "true"
@@ -155,10 +156,10 @@ judgeInjector:
 judgeRepairer:
  resources:
  limits:
- cpu: 3750m 
+ cpu: 3750m
  memory: 4000Mi
  requests:
- cpu: 750m 
+ cpu: 750m
  podAnnotations:
  prometheus.io/scrape: "true"
  prometheus.io/port: "8080"
@@ -200,6 +201,8 @@ config:
  voname: "cms"
  nonssl_port: "61113"
  use_ssl: "False"
+ oidc:
+ admin_issuer: "def"
 
 transmogrifier:
  threads: 4
@@ -221,10 +224,10 @@ tracerKronos:
  threads: 1
  resources:
  limits:
- cpu: 3000m 
+ cpu: 3000m
  memory: 4Gi
  requests:
- cpu: 1000m 
+ cpu: 1000m
  memory: 2Gi
  podAnnotations:
  prometheus.io/scrape: "true"
@@ -233,13 +236,13 @@ tracerKronos:
  auto-restart: "true"
 
 abacusAccount:
-  resources:
-  limits:
-  cpu: 700m
-  memory: 2000Mi
-  requests:
-  cpu: 700m
-  memory: 250Mi
+ resources:
+ limits:
+ cpu: 700m
+ memory: 2000Mi
+ requests:
+ cpu: 700m
+ memory: 250Mi
 
 # Unused daemons which supply prometheus
 automatix: