diff --git a/.github/workflows/merge-check-paths.yml b/.github/workflows/merge-check-paths.yml index 6c286b3..1100568 100644 --- a/.github/workflows/merge-check-paths.yml +++ b/.github/workflows/merge-check-paths.yml @@ -5,10 +5,12 @@ on: pull_request: paths: - 'infrastructure/cluster/flux/**' + - '**.tf' push: branches: - main paths: + - '**.tf' - 'infrastructure/cluster/flux/**' jobs: diff --git a/README.md b/README.md index 163b2a2..c1ac73d 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,11 @@ VRE links: - Code: https://github.com/vre-hub/vre/ - User documentation: https://vre-hub.github.io/ - Technical documentation: https://github.com/vre-hub/vre/wiki + - :construction: Ongoing migration: https://vre-hub.github.io/docs/tech-docs/home - VRE file transfer monitoring: https://monit-grafana-open.cern.ch/d/PJ65OqBVz/vre-rucio-events?orgId=16 - Live status of the VRE services: https://vre-hub.github.io/status/ - - VRE Slack channel: [invitation link](https://join.slack.com/t/eosc-escape/shared_invite/zt-1zd76ivit-Z2A2nszN0qfn4VF6Uk6UrQ). + - ESCAPE Mattermost Team: [invitation link](https://mattermost.web.cern.ch/signup_user_complete/?id=zqaa9p5fqfd9bnnc64at4b5aye&md=link&sbr=su). + - :exclamation: Afterwards please join the `VRE Support` channel [![flux check pipeline](https://github.com/vre-hub/vre/actions/workflows/merge-check-paths.yml/badge.svg)](https://github.com/vre-hub/vre/actions/workflows/merge-check-paths.yml) [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT) @@ -31,4 +33,4 @@ To cite us, please use the latest publication: ## Contact -Email the CERN VRE team: `escape-cern-ops'at'cern.ch` \ No newline at end of file +Email the CERN VRE team: `escape-cern-ops'at'cern.ch` diff --git a/containers/rucio-noise/produce_noise.sh b/containers/rucio-noise/produce_noise.sh index 62ffe07..73039bc 100644 --- a/containers/rucio-noise/produce_noise.sh +++ b/containers/rucio-noise/produce_noise.sh 
@@ -21,32 +21,38 @@ echo '* RUCIO_SCOPE = '"$RUCIO_SCOPE"'' echo '* FILE_LIFETIME = '"$FILE_LIFETIME"'' upload_and_transfer_and_delete () { + for (( i=0; i<$len; i++ )); do - if [ $1 != $i ]; then + echo '*** ======================================================================== ***' + echo '*** '"${rses[$i]}"' ***' + + RANDOM_STRING=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) + echo '*** generated random file identifier: '"$RANDOM_STRING"' ***' + filename=/home/auto_uploaded_${RANDOM_STRING}_source${rses[$i]} + did=auto_uploaded_${RANDOM_STRING}_source${rses[$i]} + + echo '*** generating '"$FILE_SIZE"' file on local storage ***' + head -c $FILE_SIZE < /dev/urandom > $filename + echo '*** filename: '"$filename"' ***' + + echo '*** uploading filename: '"$filename"' to '"${rses[$i]}"' ***' + rucio -v upload --rse ${rses[$i]} --lifetime $FILE_LIFETIME --scope $RUCIO_SCOPE $filename + + for (( j=0; j<$len; j++ )); do - echo '*** ======================================================================== ***' + if [ $i != $j ]; then - RANDOM_STRING=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1) - echo '*** generated random file identifier: '"$RANDOM_STRING"' ***' - filename=/home/auto_uploaded_${RANDOM_STRING}_source${rses[$1]} - did=auto_uploaded_${RANDOM_STRING}_source${rses[$1]} - - echo '*** generating '"$FILE_SIZE"' file on local storage ***' - head -c $FILE_SIZE < /dev/urandom > $filename - echo '*** filename: '"$filename"'' + echo '*** adding rule from '"${rses[$i]}"' to '"${rses[$j]}"' ***' + rucio -v add-rule --lifetime $FILE_LIFETIME --activity "Functional Test" $RUCIO_SCOPE:$did 1 ${rses[$j]} - echo '*** uploading to rse '"${rses[$1]}"' and adding rule to rse '"${rses[$i]}"'' - rucio -v upload --rse ${rses[$1]} --lifetime $FILE_LIFETIME --scope $RUCIO_SCOPE $filename && rucio add-rule --lifetime $FILE_LIFETIME --activity "Functional Test" $RUCIO_SCOPE:$did 1 ${rses[$i]} + fi - #echo 'sleeping' sleep 3600 + done - echo 
'*** removing all replicas and dids associated to from rse '"${rses[$1]}"' and adding rule to rse '"${rses[$i]}"'' - echo '*** testing if `rucio erase` is able to remove all the replicas too ***' - rucio -v erase $RUCIO_SCOPE:$did + echo '*** Uploaded files and replicas should disappear after '${FILE_LIFETIME}' seconds ***' + # echo '*** Otherwise do a `rucio -v erase $RUCIO_SCOPE:$did` ***' - rm -f $filename - fi done } diff --git a/containers/rucio-noise/rses.txt b/containers/rucio-noise/rses.txt index 71db49b..daf80d9 100644 --- a/containers/rucio-noise/rses.txt +++ b/containers/rucio-noise/rses.txt @@ -1,5 +1,4 @@ -CERN-EOS -CESNET-S3 +CERN-EOSPILOT CNAF-STORM CC-DCACHE PIC-DCACHE diff --git a/infrastructure/cluster/flux/eos/README.md b/infrastructure/cluster/flux/eos/README.md index 0ca41dd..35ed01a 100644 --- a/infrastructure/cluster/flux/eos/README.md +++ b/infrastructure/cluster/flux/eos/README.md 
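Review bot: `rucio -v upload ... $filename` is no longer `&&`-chained to the rule creation as the old body was, so when the upload fails the inner loop still submits `len-1` rules for a DID that does not exist and then sleeps for hours; guard it with `rucio -v upload --rse ${rses[$i]} --lifetime $FILE_LIFETIME --scope $RUCIO_SCOPE "$filename" || continue`. The `rm -f $filename` cleanup was dropped together with `rucio erase`, and the closing echo only describes the server-side lifetime, so each run now leaves `len` files of FILE_SIZE under /home — re-add `rm -f "$filename"` after the inner `done`. The `sleep 3600` now sits after `fi` inside the j loop, so every outer iteration sleeps len hours including the i == j pass that adds no rule; moving it inside the `if` is probably what was intended. The caller of upload_and_transfer_and_delete is outside the hunk, so I can't tell whether it still passes the now-unused positional argument.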
@@ -11,35 +11,46 @@ Any user connected to the VRE would be able to make use of the extension to acce ## EOS EULAKE instance -### Configuration +### ~~`eos/eulake`~~ `eos/pilot/eulake` configuration -## `eos/pilot/eulake` configuration +During the summer of 2024, the eulake instance was transferred into the EOS pilot instance. The snippets below have been edited acording to these changes. -During the summer of 2024, the eulake instance was moved into the EOS pilot instance. The snippets below have been edited acording to this changes. +> [!IMPORTANT] +> The `eospilot` instance is not configured by default on the CERN OpenStack clusters - in general, they are deployed with `cern-magnum` charts that brings EOS deployments to the cluster. Because `eulake` is a subdirectory within `eospilot`, note that the following snippets are set up to point to the `eospilot/eulake` subdirectory instead to `eospilot`. -The `eulake` instance is not configured by default on the CERN OpenStack clusters - The cluster are deployed with EOS deployments, though. To do so, path the `eos-csi-dir-etc-eos` configmap to add the eulake instance into your cluster. Modified the various mount directories as you wish. - -Then, add the `eulake` keytab secret as described below. The keytab sercret string can be find on the CERN-VRE `tbag`. + To add the `eospilot` instance to the EOS deployment, patch the `eos-csi-dir-etc-eos` configmap as shown below. No `ssskeytab` is further needed - as `eulake` used to require - `eospilot` uses the commn eos keytab. ```bash -# charts `eosxd-csi-1.3.1` are deployed with k8s clusters v1.29. 
-> kubectl -n kube-system patch configmap eos-csi-dir-etc-eos -p '{"data": {"fuse.eulake.conf": "{\"name\": \"eulake\", \"hostport\": \"eospilot.cern.ch\", \"remotemountdir\": \"/eos/pilot/eulake/escape/data/\", \"localmountdir\": \"/eos/eulake/\", \"auth\": {\"ssskeytab\": \"/etc/eos.keytab\"}}"}}' - -> kubectl -n kube-system patch secret eos-csi-file-etc-eos-keytab -p '{"stringData": {"fuse.sss.keytab": ""}}' +# charts `eosxd-csi-1.3.1` are deployed with k8s clusters v1.29.2 and cern-magnum-0.15.2. +> kubectl -n kube-system patch configmap eos-csi-dir-etc-eos -p '{"data": {"fuse.pilot.conf": "{\"name\": \"pilot\", \"hostport\": \"eospilot.cern.ch\", \"remotemountdir\": \"/eos/pilot/eulake/escape/data/\", \"auth\": {\"ssskeytab\": \"/etc/eos.keytab\"}}"}}' +``` +```yaml +# Patch also the following line into the big chunk of the `auto.eos` section below the rest of eos instances +data: + auto.eos: | + (...) + pilot -fstype=eosx,fsname=pilot :eosxd + (...) ``` -Now you can add this volumes on the jupyter hub deployment to access the instance from any pod or jupyter session. On the jupyter hub helm release +Now you can add this volume on the jupyterHub deployment to access the instance from any jupyter/pod session. On the jupyterHub helm Helm charts add: ```yaml extraVolumes: - name: eulake-cern-eos-rse hostPath: # This is pointing to /eos/pilot/eulake/escape/data, as defined on the eos-csi-dir-etc-eos/configmap - path: /var/eos/eulake + path: /var/eos/pilot extraVolumeMounts: - name: eulake-cern-eos-rse # mounts the EOS RSE needed for the Rucio JupiterLab extension - mountPath: /eos/cern-eos-rse + mountPath: /eos/eulake mountPropagation: HostToContainer readOnly: true ``` +> [!IMPORTANT] +> Please note that within this configuration there are two things happening. +> 1. The propagation of a volume into the cluster (mounting a specific subdirectory of `eospilot`). +> 2. 
The user authentication & authorisation to that subdirectory - which is not detailed here, and needs to be done from the eos server side. +> +> If A&A is not correctly given/propagated, users won't be able to access `/eos/eulake` from their session. diff --git a/infrastructure/cluster/flux/eos/eos-client.yaml b/infrastructure/cluster/flux/eos/eos-client.yaml index c99fb9a..d1ee921 100644 --- a/infrastructure/cluster/flux/eos/eos-client.yaml +++ b/infrastructure/cluster/flux/eos/eos-client.yaml @@ -1,20 +1,20 @@ -apiVersion: v1 -kind: Pod -metadata: - name: eos-client - namespace: default -spec: - containers: - - name: my-container - image: gitlab-registry.cern.ch/linuxsupport/alma9-base:latest - imagePullPolicy: IfNotPresent - command: ["sleep", "inf"] - volumeMounts: - - name: eos - mountPath: /eos - mountPropagation: HostToContainer - volumes: - - name: eos - hostPath: - path: /var/eos - type: Directory \ No newline at end of file +# apiVersion: v1 +# kind: Pod +# metadata: +# name: eos-client +# namespace: kube-system +# spec: +# containers: +# - name: my-container +# image: gitlab-registry.cern.ch/linuxsupport/alma9-base:latest +# imagePullPolicy: IfNotPresent +# command: ["sleep", "inf"] +# volumeMounts: +# - name: eos +# mountPath: /eos +# mountPropagation: HostToContainer +# volumes: +# - name: eos +# hostPath: +# path: /var/eos +# type: Directory \ No newline at end of file diff --git a/infrastructure/cluster/flux/eos/eosxd-patches.yaml b/infrastructure/cluster/flux/eos/eosxd-patches.yaml index a066725..2bd4813 100644 --- a/infrastructure/cluster/flux/eos/eosxd-patches.yaml +++ b/infrastructure/cluster/flux/eos/eosxd-patches.yaml 
@@ -5,22 +5,5 @@ # namespace: kube-system # spec: # data: -# fuse.eulake.conf: "{ -# \"name\": \"eulake\", -# \"hostport\": \"eospilot.cern.ch\", -# \"remotemountdir\": \"/eos/pilot/eulake/escape/data\", -# \"localmountdir\": \"/eos/eulake\", -# \"auth\": { -# \"ssskeytab\": \"/etc/eos.keytab\" -# } -# }" -# --- -# apiVersion: apps/v1 -# kind: Secret -# metadata: -# name: eos-csi-dir-etc-eos -# namespace: kube-system -# spec: -# stringData: -# fuse.sss.keytab: | -# \ No newline at end of file +# fuse.eulake.conf: | +# '{"name":"eulake_test","hostport":"eospilot.cern.ch","remotemountdir":"/eos/pilot/eulake/escape/data/","localmountdir":"/eos/eulake/","auth":{"ssskeytab":"/etc/fuse.sss.keytab"}}' diff --git a/infrastructure/cluster/flux/jhub/jhub-configmap-profiles.yaml b/infrastructure/cluster/flux/jhub/jhub-configmap-profiles.yaml index 2348d3e..35b5c7f 100644 --- a/infrastructure/cluster/flux/jhub/jhub-configmap-profiles.yaml +++ b/infrastructure/cluster/flux/jhub/jhub-configmap-profiles.yaml @@ -22,6 +22,10 @@ data: description: "ROOT v6.26.10 as well as a ROOT C++ and a python-3.8 kernel." kubespawner_override: image: ghcr.io/vre-hub/vre-singleuser-root:sha-c94d95a + - display_name: "ROOT Higgs 2024 environment" + description: "ROOT v6.32.04, and a python-3.11 kernel." + kubespawner_override: + image: ghcr.io/vre-hub/vre-singleuser-root-base:latest - display_name: "VIRGO - WDF environment" description: "Contains the full WDF v2.2.1 environment - Python 3.9 kernel." kubespawner_override: @@ -53,4 +57,4 @@ data: - display_name: "Python 3.11 environment" description: "quay.io/jupyter/scipy-notebook:python-3.11 image" kubespawner_override: - image: quay.io/jupyter/scipy-notebook:python-3.11.8 \ No newline at end of file + image: quay.io/jupyter/scipy-notebook:python-3.11.8 diff --git a/infrastructure/cluster/flux/jhub/jhub-release.yaml b/infrastructure/cluster/flux/jhub/jhub-release.yaml index 057df9f..54d6c2b 100644 
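Review bot: The new profile uses `image: ghcr.io/vre-hub/vre-singleuser-root-base:latest`, a mutable tag, while the neighbouring profiles pin a `sha-…` or explicit version tag; with a floating tag the environment a user gets is whatever was pushed last, which is neither reproducible nor auditable and lets an accidental or malicious push reach every new session. Pin it like the other ROOT profile, `image: ghcr.io/vre-hub/vre-singleuser-root-base:sha-<commit>`, or better by digest. The description's claim of `ROOT v6.32.04` cannot be guaranteed by a `latest` tag either.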
--- a/infrastructure/cluster/flux/jhub/jhub-release.yaml +++ b/infrastructure/cluster/flux/jhub/jhub-release.yaml 
@@ -122,30 +122,35 @@ spec: defaultUrl: "/lab" # The liefcycle hooks are used to create the Rucio configuration file, # and the token file by copying the REFRESH_TOKEN from the environment variable to the token file. - startTimeout: 600 + startTimeout: 1200 lifecycleHooks: postStart: exec: command: - "sh" - "-c" - - > - mkdir -p /certs /tmp; - echo -n $RUCIO_ACCESS_TOKEN > /tmp/rucio_oauth.token; - echo -n "oauth2:${EOS_ACCESS_TOKEN}:iam-escape.cloud.cnaf.infn.it/userinfo" > /tmp/eos_oauth.token; - chmod 0600 /tmp/eos_oauth.token; - mkdir -p /opt/rucio/etc; - echo "[client]" >> /opt/rucio/etc/rucio.cfg; - echo "rucio_host = https://vre-rucio.cern.ch" >> /opt/rucio/etc/rucio.cfg; - echo "auth_host = https://vre-rucio-auth.cern.ch" >> /opt/rucio/etc/rucio.cfg; - echo "ca_cert = /certs/rucio_ca.pem" >> /opt/rucio/etc/rucio.cfg; - echo "account = $JUPYTERHUB_USER" >> /opt/rucio/etc/rucio.cfg; - echo "auth_type = oidc" >> /opt/rucio/etc/rucio.cfg; - echo "oidc_audience = rucio" >> /opt/rucio/etc/rucio.cfg; - echo "oidc_polling = true" >> /opt/rucio/etc/rucio.cfg; - echo "oidc_issuer = escape" >> /opt/rucio/etc/rucio.cfg; - echo "oidc_scope = openid profile offline_access" >> /opt/rucio/etc/rucio.cfg; - echo "auth_token_file_path = /tmp/rucio_oauth.token" >> /opt/rucio/etc/rucio.cfg; + - | + if [ "${SKIP_POSTSTART_HOOK}" = "true" ]; then + echo "hello world"; + else + mkdir -p /certs /tmp; + echo -n $RUCIO_ACCESS_TOKEN > /tmp/rucio_oauth.token; + echo -n "oauth2:${EOS_ACCESS_TOKEN}:iam-escape.cloud.cnaf.infn.it/userinfo" > /tmp/eos_oauth.token; + chmod 0600 /tmp/eos_oauth.token; + mkdir -p /opt/rucio/etc; + echo "[client]" >> /opt/rucio/etc/rucio.cfg; + echo "rucio_host = https://vre-rucio.cern.ch" >> /opt/rucio/etc/rucio.cfg; + echo "auth_host = https://vre-rucio-auth.cern.ch" >> /opt/rucio/etc/rucio.cfg; + echo "ca_cert = /certs/rucio_ca.pem" >> /opt/rucio/etc/rucio.cfg; + echo "account = $JUPYTERHUB_USER" >> /opt/rucio/etc/rucio.cfg; + echo "auth_type = oidc" >> 
/opt/rucio/etc/rucio.cfg; + echo "oidc_audience = rucio" >> /opt/rucio/etc/rucio.cfg; + echo "oidc_polling = true" >> /opt/rucio/etc/rucio.cfg; + echo "oidc_issuer = escape" >> /opt/rucio/etc/rucio.cfg; + echo "oidc_scope = openid profile offline_access" >> /opt/rucio/etc/rucio.cfg; + echo "auth_token_file_path = /tmp/rucio_oauth.token" >> /opt/rucio/etc/rucio.cfg; + fi; + networkPolicy: enabled: false storage: diff --git a/infrastructure/cluster/flux/rucio/rucio-cronjobs.yaml b/infrastructure/cluster/flux/rucio/rucio-cronjobs.yaml index c68417b..6276efb 100644 --- a/infrastructure/cluster/flux/rucio/rucio-cronjobs.yaml +++ b/infrastructure/cluster/flux/rucio/rucio-cronjobs.yaml @@ -1,4 +1,3 @@ ---- apiVersion: batch/v1 kind: CronJob metadata: @@ -15,6 +14,7 @@ spec: restartPolicy: OnFailure containers: - name: iam-sync + # TODO: make new relase after fixing all the cronjobs/pods and change the image image: ghcr.io/vre-hub/vre-iam-rucio-sync:v1.0.0-rc.2-82-aea1b65 volumeMounts: - name: rucio-cfg 
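Review bot: `echo -n $RUCIO_ACCESS_TOKEN > /tmp/rucio_oauth.token;` creates the bearer-token file with the process umask (commonly 022, i.e. world-readable) and, unlike the EOS token two lines below, never receives a `chmod 0600`; add `chmod 0600 /tmp/rucio_oauth.token;` directly after that echo, or start the else branch with `umask 077;` so both token files and rucio.cfg are created private. Every config line is appended with `>>`, so if the hook runs again against a persisted /opt/rucio (I can't see from here whether it is a volume) the `[client]` section is duplicated; writing the first line with `echo "[client]" > /opt/rucio/etc/rucio.cfg;` makes the hook idempotent. The `SKIP_POSTSTART_HOOK` branch disables credential setup entirely, so whoever can set that variable (spawner config or the user, not visible here) controls it — its `echo "hello world"` placeholder should at least say that the hook was skipped.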
@@ -52,82 +52,46 @@ spec: - name: daemons-rucio-x509up secret: secretName: daemons-rucio-x509up -# --- -# apiVersion: batch/v1 -# kind: CronJob -# metadata: -# name: rucio-noise -# namespace: rucio-vre -# spec: -# schedule: "*/10 * * * *" -# concurrencyPolicy: Forbid -# successfulJobsHistoryLimit: 1 -# jobTemplate: -# spec: -# template: -# spec: -# restartPolicy: OnFailure -# containers: -# - name: rucio-noise -# image: ghcr.io/vre-hub/vre-rucio-noise:v1.0.0-rc0-52-7e5585c -# volumeMounts: -# - name: rucio-cfg -# mountPath: /opt/rucio/etc/ -# - name: prod-rucio-x509up -# mountPath: /tmp/ -# tty: true -# imagePullPolicy: Always -# command: -# - /bin/sh -# - -c -# - date; ls -l /etc/pki/tls/certs/; ls -l /tmp/; cd /opt/rucio/etc/; pwd; echo Hello from rucio-noise container; -# export RUCIO_CONFIG=/opt/rucio/etc/rucio.cfg; echo Exported config; cat /opt/rucio/etc/rucio.cfg; rucio -vvv whoami; -# cd /home; export FSIZE=10M; FILE_SIZE=${FSIZE} /bin/bash produce_noise.sh; echo "Rucio noise cronjob ${FSIZE} Done!" 
-# volumes: -# - name: rucio-cfg -# secret: -# secretName: escape-service-account -# defaultMode: 0400 -# - name: prod-rucio-x509up -# secret: -# secretName: prod-rucio-x509up -# --- -# apiVersion: v1 -# kind: Pod -# metadata: -# name: rucio-client -# namespace: rucio-vre -# spec: -# containers: -# - name: rucio-client -# image: ghcr.io/vre-hub/vre-rucio-client:v0.1.2-1-0487cc0 -# imagePullPolicy: Always -# env: -# - name: RUCIO_CFG_RUCIO_HOST -# value: "https://vre-rucio.cern.ch" -# - name: RUCIO_CFG_AUTH_HOST -# value: "https://vre-rucio-auth.cern.ch" -# - name: RUCIO_CFG_ACCOUNT -# value: "root" -# - name: RUCIO_CFG_AUTH_TYPE -# value: "userpass" -# - name: RUCIO_CFG_USERNAME -# valueFrom: -# secretKeyRef: -# name: root-account -# key: root-username -# - name: RUCIO_CFG_PASSWORD -# valueFrom: -# secretKeyRef: -# name: root-account -# key: root-password -# command: ["sleep","3600"] -# resources: -# limits: -# cpu: 100m -# memory: 50Mi -# requests: -# cpu: 100m -# memory: 50Mi - - +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: rucio-noise + namespace: rucio +spec: + # Change original schedule to 3 times a day and 1 Mb files + #schedule: "*/10 * * * *" + schedule: "30 08 * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + jobTemplate: + spec: + template: + spec: + restartPolicy: OnFailure + containers: + - name: rucio-noise + # TODO: make new relase after fixing all the cronjobs/pods and change the image + image: ghcr.io/vre-hub/vre-rucio-noise:v1.0.0-rc.2-115-9144522 + volumeMounts: + - name: rucio-cfg + mountPath: /opt/rucio/etc/ + # This secrets is the old 'prod-rucio-x509up' + - name: daemons-rucio-x509up + mountPath: /tmp/ + tty: true + imagePullPolicy: Always + command: + - /bin/sh + - -c + - date; ls -l /etc/pki/tls/certs/; ls -l /tmp/; cd /opt/rucio/etc/; pwd; echo Hello from rucio-noise container; + export RUCIO_CONFIG=/opt/rucio/etc/rucio.cfg; echo Exported config; cat /opt/rucio/etc/rucio.cfg; rucio -vvv whoami; + cd /home; 
export FSIZE=1M; FILE_SIZE=${FSIZE} /bin/bash produce_noise.sh; echo "Rucio noise cronjob ${FSIZE} Done!" + volumes: + - name: rucio-cfg + secret: + secretName: escape-service-account + defaultMode: 0400 + - name: daemons-rucio-x509up + secret: + secretName: daemons-rucio-x509up diff --git a/infrastructure/cluster/flux/rucio/rucio-daemons.yaml b/infrastructure/cluster/flux/rucio/rucio-daemons.yaml index de3ec4c..38d6044 100644 --- a/infrastructure/cluster/flux/rucio/rucio-daemons.yaml +++ b/infrastructure/cluster/flux/rucio/rucio-daemons.yaml @@ -54,15 +54,15 @@ spec: abacusRseCount: 1 automatixCount: 1 cacheConsumerCount: 0 - conveyorTransferSubmitterCount: 2 - conveyorPollerCount: 2 + conveyorTransferSubmitterCount: 1 #2 + conveyorPollerCount: 1 #2 conveyorFinisherCount: 1 conveyorReceiverCount: 0 conveyorStagerCount: 0 conveyorThrottlerCount: 0 conveyorPreparerCount: 0 # for debugging, if it is not there the submitter will do the path computation adn source replica selection, and since the preparer needs a secret but I dont know of which kind, let's try without darkReaperCount: 0 - hermesCount: 2 + hermesCount: 1 #2 hermes2Count: 0 judgeCleanerCount: 1 judgeEvaluatorCount: 1 @@ -70,7 +70,7 @@ spec: judgeRepairerCount: 1 oauthManagerCount: 1 undertakerCount: 1 - reaperCount: 2 + reaperCount: 1 #2 replicaRecovererCount: 0 transmogrifierCount: 1 tracerKronosCount: 0 @@ -432,7 +432,7 @@ spec: vos: - vo: "escape" voms: "escape" - servers: "https://fts3-devel.cern.ch:8446,https://fts3-pilot.cern.ch:8446" + servers: "https://fts3-pilot.cern.ch:8446" script: "escape" secretMounts: - secretName: fts-cert 
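Review bot: The container command runs `cat /opt/rucio/etc/rucio.cfg;`, which dumps the file mounted from the `escape-service-account` secret into the job's stdout, so whatever credentials that file holds land in pod logs and any log aggregation on every run; drop the `cat` (and the `ls -l /tmp/` listing of the mounted proxy) and rely on `rucio -vvv whoami;` to prove the config was picked up. The `daemons-rucio-x509up` secret is mounted at /tmp/ without a `defaultMode`, whereas `rucio-cfg` gets `defaultMode: 0400`; grid tooling usually refuses a proxy that is group/world-readable, so `defaultMode: 0400` on that volume is worth adding — what the image expects is not visible here. The comment says `3 times a day` but `schedule: "30 08 * * *"` fires once a day; fix one or the other.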
@@ -490,11 +490,11 @@ spec: schema: "escape" conveyor: - scheme: "srm,gsiftp,root,http,https" + scheme: "https,http,root,davs" transfertool: "fts3" ftshosts: "https://fts3-pilot.cern.ch:8446" cacert: "/etc/grid-security/ca.pem" - usercert: "/tmp/x509up" + usercert: "/opt/proxy/x509up" allow_user_oidc_tokens: "True" request_oidc_scope: "openid profile offline_access wlcg.groups email fts:submit-transfer" request_oidc_audience: "fts" diff --git a/infrastructure/cluster/flux/rucio/rucio-gitops-pods.yaml b/infrastructure/cluster/flux/rucio/rucio-gitops-pods.yaml new file mode 100644 index 0000000..2ad0be6 --- /dev/null +++ b/infrastructure/cluster/flux/rucio/rucio-gitops-pods.yaml 
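Review bot: `scheme: "https,http,root,davs"` adds plain `http` to the protocols the conveyor may select for transfers, and with `allow_user_oidc_tokens: "True"` a transfer scheduled over http against an RSE that advertises such an endpoint would carry the bearer token in the clear; unless a specific RSE still requires it, drop it: `scheme: "https,root,davs"`. The `usercert` move to `/opt/proxy/x509up` changes where the daemons look for the proxy while the `fts-cert` secretMounts block and its mountPath are outside this hunk, so it is worth confirming the mount was updated in the same commit.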
@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: rucio-root-client
+ namespace: rucio
+spec:
+ containers:
+ - name: rucio-client
+ image: rucio/rucio-clients:release-34.6.0
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: cern-bundle
+ mountPath: /etc/pki/tls/certs/
+ env:
+ - name: RUCIO_CFG_CLIENT_RUCIO_HOST
+ value: "https://vre-rucio.cern.ch"
+ - name: RUCIO_CFG_CLIENT_AUTH_HOST
+ value: "https://vre-rucio-auth.cern.ch"
+ - name: RUCIO_CFG_CLIENT_CA_CERT
+ value: "/etc/pki/tls/certs/CERN-bundle.pem"
+ - name: RUCIO_CFG_CLIENT_ACCOUNT
+ value: "root"
+ - name: RUCIO_CFG_CLIENT_AUTH_TYPE
+ value: "userpass"
+ - name: RUCIO_CFG_CLIENT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: rucio-root-account
+ key: root-username
+ - name: RUCIO_CFG_CLIENT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: rucio-root-account
+ key: root-password
+ command: ["sleep","3600"]
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ volumes:
+ - name: cern-bundle
+ secret:
+ secretName: cern-bundle
+---
+# This pod deploys the same container as the `iam-sync` cronjob.
+# It allows testing RUCIO IAM connection and interacting with the IAM server via python/CLI
+apiVersion: v1
+kind: Pod
+metadata:
+ name: rucio-iam-connected-client
+ namespace: rucio
+spec:
+ containers:
+ - name: iam-debug
+ # TODO: make new relase after fixing all the cronjobs/pods and change the image
+ image: ghcr.io/vre-hub/vre-iam-rucio-sync:v1.0.0-rc.2-82-aea1b65
+ imagePullPolicy: Always
+ env:
+ - name: IAM_SERVER
+ value: "https://iam-escape.cloud.cnaf.infn.it/"
+ - name: IAM_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: rucio-admin-iam-client
+ key: admin-client_secret
+ - name: IAM_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: rucio-admin-iam-client
+ key: admin-client_id
+ volumeMounts:
+ - name: rucio-cfg
+ mountPath: /opt/rucio/etc/
+ - name: daemons-rucio-x509up
+ mountPath: /tmp/
+ command: ["sleep","3600"]
+ volumes:
+ - name: rucio-cfg
+ secret:
+ secretName: escape-service-account
+ - name: daemons-rucio-x509up
+ secret:
+ secretName: daemons-rucio-x509up
+---
+# Same idea as the `rucio-iam-connected-client` pod but for the rucio-noise one.
+# Connected to the ESCAPE Service account ewp2c01
+apiVersion: v1
+kind: Pod
+metadata:
+ name: rucio-noise-pod-and-rucio-ewp2c01
+ namespace: rucio
+spec:
+ containers:
+ - name: rucio-noise-test
+ # TODO: make new relase after fixing all the cronjobs/pods and change the image
+ image: ghcr.io/vre-hub/vre-rucio-noise:v1.0.0-rc.2-115-9144522
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: rucio-cfg
+ mountPath: /opt/rucio/etc/
+ # This secrets is the old 'prod-rucio-x509up'
+ - name: daemons-rucio-x509up
+ mountPath: /tmp/
+ command: ["sleep","3600"]
+ volumes:
+ - name: rucio-cfg
+ secret:
+ secretName: escape-service-account
+ defaultMode: 0400
+ # This secrets is the old 'prod-rucio-x509up'
+ - name: daemons-rucio-x509up
+ secret:
+ secretName: daemons-rucio-x509up
+# commands to be run are on the `rucio-noise` cronjob. Here there are a small
+# summary NOT KEPT UPDATED !!!!!
+# date; ls -l /etc/pki/tls/certs/; ls -l /tmp/; cd /opt/rucio/etc/; pwd; echo Hello from rucio-noise container;
+# export RUCIO_CONFIG=/opt/rucio/etc/rucio.cfg; echo Exported config; cat /opt/rucio/etc/rucio.cfg; rucio -vvv whoami;
+# cd /home; export FSIZE=10M; FILE_SIZE=${FSIZE} /bin/bash produce_noise.sh; echo "Rucio noise cronjob ${FSIZE} Done!"
\ No newline at end of file
diff --git a/infrastructure/cluster/manual/monit-magnum-ingress/ingress_prometeus.yaml b/infrastructure/cluster/manual/monit-magnum-ingress/ingress_prometeus.yaml
new file mode 100644
index 0000000..2e0165c
--- /dev/null
+++ b/infrastructure/cluster/manual/monit-magnum-ingress/ingress_prometeus.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/rewrite-target: /$2
+ nginx.ingress.kubernetes.io/ssl-redirect: "false"
+ nginx.ingress.kubernetes.io/configuration-snippet: |-
+ rewrite ^(/graph)(.*) /prometheus/graph$2 redirect;
+ name: kube-system-ingress
+ namespace: kube-system
+spec:
+ rules:
+ - host: prom-vre.cern.ch
+ http:
+ paths:
+ - backend:
+ service:
+ name: cern-magnum-kube-prometheu-prometheus
+ port:
+ number: 9090
+ path: /prometheus(/|$)(.*)
+ pathType: Prefix
+ - backend:
+ service:
+ name: cern-magnum-kube-prometheu-alertmanager
+ port:
+ number: 9093
+ path: /alertmanager(/|$)(.*)
+ pathType: Prefix
+status:
+ loadBalancer: {}
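Review bot: `rucio-root-client` puts the Rucio `root` account's username and password into the environment of a pod whose only job is `sleep 3600`, and since this manifest sits in the Flux-managed `infrastructure/cluster/flux/` tree it is reconciled permanently, so a privileged Rucio shell is always one `kubectl exec` away for anyone with pod access in the `rucio` namespace. Keep these debug pods out of the reconciled path (a `manual/` directory, as the ingress in this same commit uses) or apply them on demand; in any case none of the three pods sets a `securityContext` or `automountServiceAccountToken: false`, so a shell in them also gets the namespace's default service-account token for free. The two IAM/noise pods mount the `daemons-rucio-x509up` proxy at `/tmp/` with no `defaultMode`, unlike the `rucio-cfg` volume of the third pod which gets `defaultMode: 0400`; the same mode on the proxy mounts would be consistent.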
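Review bot: The Ingress exposes Prometheus and Alertmanager on `prom-vre.cern.ch` with `nginx.ingress.kubernetes.io/ssl-redirect: "false"` and no authentication or source-range annotation, so the scrape data and the Alertmanager UI (which can create silences) are reachable over plain HTTP by anyone who can route to the host, unless access control is enforced somewhere not visible here. Add `nginx.ingress.kubernetes.io/ssl-redirect: "true"` together with an `nginx.ingress.kubernetes.io/auth-url` (or `auth-type: basic` with a secret) annotation, or at minimum `nginx.ingress.kubernetes.io/whitelist-source-range`. `kubernetes.io/ingress.class` is deprecated in favour of `spec.ingressClassName: nginx`, and depending on the ingress-nginx version the `configuration-snippet` annotation is disabled by default, so the `/graph` redirect may be silently dropped.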