VRE rucio UI deployment v34.6.0

infrastructure/cluster/flux/rucio/rucio-ui.yaml

@@ -0,0 +1,131 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ui
+  namespace: rucio
+
+spec:
+  releaseName: ui
+  interval: 1m
+  chart:
+    spec:
+      sourceRef:
+        kind: HelmRepository
+        name: rucio-charts
+        namespace: rucio
+      interval: 1m
+      chart: rucio-ui
+      version: 34.0.5
+
+  valuesFrom:
+    - kind: Secret
+      name: rucio-db
+      valuesKey: dbfullstring
+      targetPath: config.database.default
+
+  values:
+    secretMounts:
+      - secretName: hostcert
+        mountPath: /etc/grid-security/hostcert.pem
+        subPath: hostcert.pem
+      - secretName: hostkey
+        mountPath: /etc/grid-security/hostkey.pem
+        subPath: hostkey.pem
+      - secretName: cafile
+        mountPath: /etc/grid-security/ca.pem
+        subPath: ca.pem
+      - secretName: idpsecrets
+        mountPath: /opt/rucio/etc/idpsecrets.json
+        subPath: idpsecrets.json
+
+    replicaCount: 1
+    exposeErrorLogs: True
+    useSSL: true
+    useDeprecatedImplicitSecrets: false
+
+    service:
+      type: LoadBalancer
+      port: 443
+      targetPort: 443
+      protocol: TCP
+      name: https
+      useSSL: true
+
+    image:
+      repository: rucio/rucio-ui
+      tag: release-34.6.0
+      pullPolicy: Always
+
+    strategy:
+      type: RollingUpdate
+      rollingUpdate:
+        maxSurge: 1
+        maxUnavailable: 1
+
+    minReadySeconds: 5
+
+    proxy:
+      rucioProxy: "vre-rucio.cern.ch"
+      rucioProxyScheme: "https"
+      rucioAuthProxy: "vre-rucio-auth.cern.ch"
+      rucioAuthProxyScheme: "https"
+
+    # Followinf documentation [1] this should be enable, but when auth via x509 there is and
+    #  error that no rucio account is mapped to that cert --> Disenabiling it
+    # [1] https://github.com/rucio/helm-charts/tree/master/charts/rucio-ui#ingress
+
+    # ingress:
+    #   enabled: true
+    #   annotations:
+    #     kubernetes.io/ingress.class: nginx
+    #     nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    #     nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    #   path: /
+    #   hosts: 
+    #     - vre-rucio-ui.cern.ch
+
+    ## values used to configure apache
+    # httpd_config:
+    #   legacy_dn: "False"
+    #   rucio_hostname: "vre-rucio-ui.cern.ch"
+
+    httpd_config:
+      mpm_mode: "event"
+      rucio_hostname: "vre-rucio-ui.cern.ch"
+      # start_servers: "1"
+      # min_spare_threads: "1"
+      # max_spare_threads: "20"
+      # threads_per_child: "5"
+      # max_clients: "20"
+      # max_requests_per_child: "8192"
+      # timeout: 300
+      # min_spare_servers: "1"
+      # max_spare_servers: "5"
+      # server_limit: "10"
+      # keep_alive: "On"
+      # keep_alive_timeout: "5"
+      # max_keep_alive_requests: "128"
+      # threads_limit: "128"
+      # max_request_workers: "1280"
+      # max_connections_per_child: "2048"
+
+    config:
+      policy:
+        permission: "generic"
+        schema: "generic"
+        lfn2pfn_algorithm_default: "identity"
+
+      oidc:
+        idpsecrets: "/opt/rucio/etc/idpsecrets.json"
+        admin_issuer: "escape"
+
+      # credentials:
+      #   gcs: "/opt/rucio/etc/rse-accounts.cfg"
+
+    resources:
+      limits:
+        cpu: 200m
+        memory: 800Mi
+      requests:
+        cpu: 200m
+        memory: 500Mi

infrastructure/scripts/rucio_secrets_5-ui.sh

@@ -0,0 +1,47 @@
+echo " *** START rucio UI Secrets script"
+
+# Once the certificates have been split, provide their path to be read when creating the secrets (NEEDS TO BE EXCLUDED FROM COMMITS!!):
+RAW_SECRETS_UI="/root/clusters_CERTS/vre/ui"
+RAW_SECRETS_IDP="/root/software/vre/infrastructure/secrets/tmp_local_secrets/idpsecrets.json"
+
+
+# kubeseal controller namespace
+CONTROLLER_NS="sealed-secrets"
+CONTROLLER_NAME="sealed-secrets-controller"
+
+# rucio namespace
+RUCIO_NS="rucio"
+HELM_RELEASE_UI="ui"
+
+# Output dir
+SECRETS_DIR="/root/software/vre/infrastructure/secrets/rucio"
+
+echo " *** Create and apply UI secrets"
+
+# Check the names of the secrets on the chart documentation
+# https://github.com/rucio/helm-charts/tree/rucio-ui-34.0.5/charts/rucio-ui#service
+
+kubectl create secret generic ${HELM_RELEASE_UI}-hostcert --dry-run=client --from-file=${RAW_SECRETS_UI}/hostcert.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostcert.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostcert.yaml
+
+kubectl create secret generic ${HELM_RELEASE_UI}-hostkey --dry-run=client --from-file=${RAW_SECRETS_UI}/hostkey.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostkey.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-hostkey.yaml
+
+# The content of this file is the same as in /etc/pki/tls/certs/CERN-bundle.pem but renamed to ca.pem (inconsistant wiht doc; where it is cafile.pem !!)
+kubectl create secret generic ${HELM_RELEASE_UI}-cafile --dry-run=client --from-file=${RAW_SECRETS_UI}/ca.pem -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-ca.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-ca.yaml
+
+echo " *** Create and apply OIDC secrets for UI"
+
+kubectl create secret generic ${HELM_RELEASE_UI}-idpsecrets --dry-run=client --from-file=${RAW_SECRETS_IDP} -o yaml | \
+kubeseal --controller-name=${CONTROLLER_NAME} --controller-namespace=${CONTROLLER_NS} --format yaml --namespace=${RUCIO_NS} > ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-idpsecrets.yaml
+
+kubectl apply -f ${SECRETS_DIR}/ss_${HELM_RELEASE_UI}-idpsecrets.yaml
+
+echo " *** END rucio UI Secrets Script"