VRE rucio UI deployment v34.6.0 (#293)
* VRE rucio UI deployment v34.6.0

* configure ui

* re-apply CA secret with correct naming - inconsistent with the Rucio docs

* enable ingress for x509 auth

* enable oidc auth for ui

* remove ingress - not working correctly
garciagenrique authored Nov 15, 2024
1 parent a4ab69d commit 31481b6
Showing 7 changed files with 253 additions and 0 deletions.
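--- a/infrastructure/cluster/flux/rucio/rucio-ui.yaml
+++ b/infrastructure/cluster/flux/rucio/rucio-ui.yaml
@@ -0,0 +1,131 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+name: ui
+namespace: rucio
+
+spec:
+releaseName: ui
+interval: 1m
+chart:
+spec:
+sourceRef:
+kind: HelmRepository
+name: rucio-charts
+namespace: rucio
+interval: 1m
+chart: rucio-ui
+version: 34.0.5
+
+valuesFrom:
+- kind: Secret
+name: rucio-db
+valuesKey: dbfullstring
+targetPath: config.database.default
+
+values:
+secretMounts:
+- secretName: hostcert
+mountPath: /etc/grid-security/hostcert.pem
+subPath: hostcert.pem
+- secretName: hostkey
+mountPath: /etc/grid-security/hostkey.pem
+subPath: hostkey.pem
+- secretName: cafile
+mountPath: /etc/grid-security/ca.pem
+subPath: ca.pem
+- secretName: idpsecrets
+mountPath: /opt/rucio/etc/idpsecrets.json
+subPath: idpsecrets.json
+
+replicaCount: 1
+exposeErrorLogs: True
+useSSL: true
+useDeprecatedImplicitSecrets: false
+
+service:
+type: LoadBalancer
+port: 443
+targetPort: 443
+protocol: TCP
+name: https
+useSSL: true
+
+image:
+repository: rucio/rucio-ui
+tag: release-34.6.0
+pullPolicy: Always
+
+strategy:
+type: RollingUpdate
+rollingUpdate:
+maxSurge: 1
+maxUnavailable: 1
+
+minReadySeconds: 5
+
+proxy:
+rucioProxy: "vre-rucio.cern.ch"
+rucioProxyScheme: "https"
+rucioAuthProxy: "vre-rucio-auth.cern.ch"
+rucioAuthProxyScheme: "https"
+
+# Followinf documentation [1] this should be enable, but when auth via x509 there is and
+# error that no rucio account is mapped to that cert --> Disenabiling it
+# [1] https://github.com/rucio/helm-charts/tree/master/charts/rucio-ui#ingress
+
+# ingress:
+# enabled: true
+# annotations:
+# kubernetes.io/ingress.class: nginx
+# nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+# nginx.ingress.kubernetes.io/ssl-redirect: "true"
+# path: /
+# hosts:
+# - vre-rucio-ui.cern.ch
+
+## values used to configure apache
+# httpd_config:
+# legacy_dn: "False"
+# rucio_hostname: "vre-rucio-ui.cern.ch"
+
+httpd_config:
+mpm_mode: "event"
+rucio_hostname: "vre-rucio-ui.cern.ch"
+# start_servers: "1"
+# min_spare_threads: "1"
+# max_spare_threads: "20"
+# threads_per_child: "5"
+# max_clients: "20"
+# max_requests_per_child: "8192"
+# timeout: 300
+# min_spare_servers: "1"
+# max_spare_servers: "5"
+# server_limit: "10"
+# keep_alive: "On"
+# keep_alive_timeout: "5"
+# max_keep_alive_requests: "128"
+# threads_limit: "128"
+# max_request_workers: "1280"
+# max_connections_per_child: "2048"
+
+config:
+policy:
+permission: "generic"
+schema: "generic"
+lfn2pfn_algorithm_default: "identity"
+
+oidc:
+idpsecrets: "/opt/rucio/etc/idpsecrets.json"
+admin_issuer: "escape"
+
+# credentials:
+# gcs: "/opt/rucio/etc/rse-accounts.cfg"
+
+resources:
+limits:
+cpu: 200m
+memory: 800Mi
+requests:
+cpu: 200m
+memory: 500Mi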
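Review bot: The comment above the disabled `ingress:` block blames the ingress for the "no rucio account is mapped to that cert" error, but as far as I can tell that message comes from Rucio's identity lookup and is only produced after the client certificate has already been accepted, which suggests the x509 path through the ssl-passthrough ingress worked and the DN simply has no account identity yet; removing the ingress would not change that. I would reword the comment to record the actual observation rather than a root cause, e.g. `# Ingress disabled for now: x509 login via the passthrough ingress was accepted but returned "no rucio account is mapped to that cert" - check the DN is registered as an identity before re-enabling`, and keep the `ssl-passthrough` annotations when it is re-enabled, since client-cert auth needs TLS to terminate in the pod. Separately, `image.tag: release-34.6.0` with `pullPolicy: Always` re-pulls a mutable tag on every restart while the chart itself is pinned to 34.0.5, so pin the image by digest or an immutable tag if the chart's image block supports it. Finally, `exposeErrorLogs: True` should be lowercase `true` like the other booleans in this file so YAML 1.2 parsers and yamllint's truthy check treat it consistently.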
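--- a/infrastructure/scripts/rucio_secrets_5-ui.sh
+++ b/infrastructure/scripts/rucio_secrets_5-ui.sh
@@ -0,0 +1,47 @@
+echo " *** START rucio UI Secrets script"
+
+# Once the certificates have been split, provide their path to be read when creating the secrets (NEEDS TO BE EXCLUDED FROM COMMITS!!):
+RAW_SECRETS_UI="/root/clusters_CERTS/vre/ui"
+RAW_SECRETS_IDP="/root/software/vre/infrastructure/secrets/tmp_local_secrets/idpsecrets.json"
+
+
+# kubeseal controller namespace
+CONTROLLER_NS="sealed-secrets"
+CONTROLLER_NAME="sealed-secrets-controller"
+
+# rucio namespace
+RUCIO_NS="rucio"
+HELM_RELEASE_UI="ui"
+
+# Output dir
+SECRETS_DIR="/root/software/vre/infrastructure/secrets/rucio"
+
+echo " *** Create and apply UI secrets"
+
+# Check the names of the secrets on the chart documentation
+# https://github.com/rucio/helm-charts/tree/rucio-ui-34.0.5/charts/rucio-ui#service
+
+kubectl create secret generic ${HELM_RELEASE_UI}-hostcert --dry-run=client --from-file=${RAW_SECRETS_UI}/hostcert.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostcert.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostcert.yaml
+
+kubectl create secret generic ${HELM_RELEASE_UI}-hostkey --dry-run=client --from-file=${RAW_SECRETS_UI}/hostkey.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostkey.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostkey.yaml
+
+# The content of this file is the same as in /etc/pki/tls/certs/CERN-bundle.pem but renamed to ca.pem (inconsistant wiht doc; where it is cafile.pem !!)
+kubectl create secret generic ${HELM_RELEASE_UI}-cafile --dry-run=client --from-file=${RAW_SECRETS_UI}/ca.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-ca.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-ca.yaml
+
+echo " *** Create and apply OIDC secrets for UI"
+
+kubectl create secret generic ${HELM_RELEASE_UI}-idpsecrets --dry-run=client --from-file=${RAW_SECRETS_IDP} -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-idpsecrets.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-idpsecrets.yaml
+
+echo " *** END rucio UI Secrets Script"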
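Review bot: Every `kubectl create secret ... | kubeseal ... > ss_*.yaml` pipeline runs without `set -euo pipefail`, and the file starts with `echo` rather than a shebang, so a failing `kubeseal` (controller unreachable, wrong kube context) or a missing `hostkey.pem` leaves a truncated or empty sealed-secret file while the following `kubectl apply -f` still runs and the script carries on to the next secret and prints END. Add `#!/usr/bin/env bash` and `set -euo pipefail` before the first `echo` so the first failure aborts before anything partial is applied, and quote the `${...}` expansions in the `--from-file` and `-f` arguments. The comment on the `ca.pem` step only records the naming quirk; if `/etc/grid-security/ca.pem` is what the UI uses to verify client certificates, that bundle alone decides which DNs can attempt x509 login, so it is worth stating that intent there, e.g. `# ca.pem = CERN CA bundle used by the UI to verify client certificates; only DNs issued by these CAs can attempt x509 login`. Since the raw host key sits in plaintext under /root with the "exclude from commits" warning as the only safeguard mentioned, an up-front `test -r "${RAW_SECRETS_UI}/hostkey.pem"` guard would also give a clearer failure than an empty Secret.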