
Deploy auth server with OIDC authN on integration cluster #261

Closed
ericvaandering opened this issue Apr 5, 2022 · 9 comments
Comments
@ericvaandering (Member)

dmwm/rucio-flux#61

@dciangot (Contributor)

@ericvaandering regarding the sync script for OIDC subject <-> Rucio account.

I have a script that can do that and it needs:

  • a special IAM ID and secret authorized to get users details
  • a rucio account capable of adding identities to accounts

I was thinking it should be quite easy to integrate this with the CRIC sync script, or maybe make a parallel one (even better). What are your thoughts/preferences?

@ericvaandering (Member, Author)

ericvaandering commented Jun 22, 2022 via email

@ericvaandering (Member, Author)

I guess we should follow this up with an issue to get this into production? @dciangot, want to make that and put it in the project?

Then actually close this one?

@dciangot (Contributor)

My suggestion would be another script run by this script: https://github.com/dmwm/CMSRucio/blob/master/docker/CMSRucioClient/scripts/k8s_sync_users_links.sh. This runs every 12 hours and runs with the Robot account, so no problems with adding identities. I assume the secret needed to get user details does not change frequently? Then I would make your script pick it up from an environment variable, and I'll get it into that variable via Kubernetes mechanisms.

So far I have added a separate .sh that contains the oidc-agent configuration (needed to refresh the token used to get user info). I'd avoid getting the x509 sync stuck due to OIDC server issues or any bug related to this. Can we evaluate setting up a separate k8s cronjob?

@ericvaandering (Member, Author)

I'd rather not. We can investigate setting timeouts or just do your part at the end.

@ericvaandering (Member, Author)

https://stackoverflow.com/questions/55431218/cron-job-with-timeout

I should set these in general.
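The arrangement discussed in this thread (run the OIDC subject -> Rucio account step at the end of the existing 12-hourly sync, bounded by a timeout so a hung IAM/OIDC server cannot stall the x509 part, with the IAM secret injected through an environment variable) as an added shell example; this is not code from CMSRucio or rucio-flux, and the variable names `IAM_CLIENT_SECRET` and `OIDC_SYNC_TIMEOUT`, the 600 s default and the `sh -c` wrappers are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own script): run the x509 sync first,
# then the OIDC sync under a wall-clock limit, so an OIDC outage or a bug
# in the OIDC step never prevents the x509 identities from being synced.
# Assumed environment: IAM_CLIENT_SECRET is injected by Kubernetes,
# OIDC_SYNC_TIMEOUT is the limit in seconds (default 600, an assumption).

: "${OIDC_SYNC_TIMEOUT:=600}"

# Fail fast if the injected secret is missing instead of letting the sync
# script call IAM unauthenticated and fail half-way through.
require_secret() {
    if [ -z "${IAM_CLIENT_SECRET:-}" ]; then
        echo "IAM_CLIENT_SECRET not set; skipping OIDC sync" >&2
        return 1
    fi
    return 0
}

# Run a command string under GNU/busybox timeout(1); exit status 124 means
# the limit was hit and the child was killed.
run_with_timeout() {
    limit="$1"
    shift
    timeout "$limit" sh -c "$*"
}

# sync_all X509_CMD OIDC_CMD
# Returns 0 when the OIDC step was skipped or succeeded, otherwise the OIDC
# step's exit status (124 on timeout). An x509 failure is logged but does
# not suppress the OIDC step.
sync_all() {
    x509_cmd="$1"
    oidc_cmd="$2"
    sh -c "$x509_cmd" || echo "x509 sync failed (rc=$?)" >&2
    if require_secret; then
        run_with_timeout "$OIDC_SYNC_TIMEOUT" "$oidc_cmd"
        rc=$?
        if [ "$rc" -eq 124 ]; then
            echo "OIDC sync timed out after ${OIDC_SYNC_TIMEOUT}s" >&2
        fi
        return "$rc"
    fi
    return 0
}
```

Because the timeout only wraps the OIDC step, a cron-level timeout (as in the linked Stack Overflow question) is still worth setting for the whole job.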

@dciangot (Contributor)

Ok, np, I'll put all in the same sh then.

@ericvaandering (Member, Author)

Then we need something like dmwm/rucio-flux@e583d7e for prod as well.

@dciangot (Contributor)

Created #312 for PROD deployment. I'm closing this.
