cm-service: configure htcondor

applications/cm-service/README.md

@@ -39,9 +39,6 @@ Campaign Management for Rubin Data Release Production
 | ingress.annotations | object | `{}` | Additional annotations for the frontend ingress rule |
 | internalDB | bool | `false` | Whether to use the internal (phalanx) database |
 | worker.affinity | object | `{}` | Affinity rules for the worker pods |
-| worker.butler.dbUrl | string | `nil` | URL of a Butler Registry Database |
-| worker.butler.dbUsername | string | `nil` | Name of a user to use with the Butler Registry Database |
-| worker.butler.mountPath | string | `nil` | If specified, location for htcondor config file to be injected into worker containers |
 | worker.htcondor.config.contents | string | `nil` | If specified, contents of htcondor config file to be injected into worker containers |
 | worker.htcondor.config.mountPath | string | `nil` | If specified, location for htcondor config file to be injected into worker containers |
 | worker.htcondor.fsRemoteDir.storage | string | `"1Gi"` | Minimum storage requested in the condor remote area PVC |

applications/cm-service/templates/api-deployment.yaml

@@ -31,6 +31,8 @@ spec:
             - configMapRef:
                 name: {{ .Chart.Name }}-env
           env:
+            - name: BUTLER__MOCK
+              value: "1"
             - name: DB__PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -54,12 +56,13 @@ spec:
               drop:
                 - "all"
             readOnlyRootFilesystem: true
+          # TODO: we hopefully do not actually need this mounted on the API
           volumeMounts:
-            - mountPath: "/output"
+            {{- with .Values.config.outputVolume }}
+            - mountPath: {{ .mountPath }}
               name: "output-volume"
-              {{- with .Values.config.outputVolume.subPath }}
-              subPath: {{ . }}
-              {{- end }}
+              subPath: {{ .subPath }}
+            {{- end }}
       volumes:
         - name: output-volume
           persistentVolumeClaim:

applications/cm-service/templates/configmap.yaml

@@ -6,7 +6,6 @@ metadata:
     {{- include "application.labels" . | nindent 4 }}
 data:
   ASGI__PREFIX: {{ .Values.config.pathPrefix | quote }}
-  BUTLER__MOCK: "1"
   {{- with .Values.config.db }}
   DB__URL: "postgresql://{{ .username }}@{{ .hostname }}:{{ .port }}/{{ .name }}"
   DB__ECHO: {{ .echo | quote }}
@@ -21,8 +20,10 @@ metadata:
   labels:
     {{- include "application.labels" . | nindent 4 }}
 data:
-  CONDOR_CONFIG: /home/lsstsvc1/.config/condor/condor-config
-  DAF_BUTLER_PASSWORD: placeholder_for_secret
+  HTCONDOR__schedd_host: sdfiana012.sdf.slac.stanford.edu
+  HTCONDOR__collector_host: sdfiana012.sdf.slac.stanford.edu
+  HTCONDOR__condor_home: /opt/htcondor
   HTCONDOR__condor_submit_bin: /opt/htcondor/bin/condor_submit
   HTCONDOR__condor_q_bin: /opt/htcondor/bin/condor_q
-  HTCONDOR__alias_path: /sdf/group/rubin/{{ .Values.config.outputVolume.subPath }}
+  HTCONDOR__working_directory: /sdf/group/rubin/{{ .Values.config.outputVolume.subPath }}
+  HTCONDOR__fs_remote_dir: /sdf/group/rubin/services/htcondor/shared

applications/cm-service/templates/worker-configmap.yaml

@@ -9,9 +9,3 @@ data:
   config: |
     {{- .contents | nindent 4 }}
   {{- end }}
-  {{- with .Values.worker.butler }}
-  butlerAuth: |
-    - url: {{ .dbUrl }}
-      username: {{ .dbUsername }}
-      password: ${env:DAF_BUTLER_PASSWORD}
-  {{- end }}

applications/cm-service/templates/worker-deployment.yaml

@@ -20,6 +20,9 @@ spec:
         {{- include "application.selectorLabels" . | nindent 8 }}
         app.kubernetes.io/component: "worker"
     spec:
+      # securityContext:
+      #   runAsGroup: ...
+      #   runAsNonRoot: true
       {{- with .Values.worker.affinity }}
       affinity:
         {{- toYaml . | nindent 8 }}
@@ -43,6 +46,8 @@ spec:
             - configMapRef:
                 name: {{ .Chart.Name }}-htcondor-env
           env:
+            - name: LSST_DB_AUTH
+              value: "/home/lsstsvc1/.lsst/db-auth.yaml"
             - name: DB__PASSWORD
               valueFrom:
                 secretKeyRef:
@@ -57,51 +62,36 @@ spec:
                 - "all"
             readOnlyRootFilesystem: true
           volumeMounts:
-            - mountPath: "/output"
+            {{- with .Values.config.outputVolume }}
+            - mountPath: {{ .mountPath }}
               name: "output-volume"
-              {{- with .Values.config.outputVolume.subPath }}
-              subPath: {{ . }}
-              {{- end }}
+              subPath: {{ .subPath }}
+            {{- end }}
             - mountPath: "/tmp"
               name: "tmp-volume"
-            {{- with .Values.worker.htcondor.config }}
-            - mountPath: {{ .mountPath }}
-              name: "condor-config-volume"
-              readOnly: true
-            {{- end }}
-            {{- with .Values.worker.butler }}
-            - mountPath: {{ .mountPath }}
-              name: "butler-auth-volume"
-              readOnly: true
-            {{- end }}
             {{- with .Values.worker.htcondor.fsRemoteDir }}
             - mountPath: {{ .mountPath }}
               name: "condor-remote-volume"
-              {{- with .subPath }}
-              subPath: {{ . }}
-              {{- end }}
+              subPath: {{ .subPath }}
             {{- end }}
+            - name: "butler-registry-volume"
+              mountPath: "/home/lsstsvc1/.lsst"
+              readonly: true
       volumes:
         - name: output-volume
           persistentVolumeClaim:
             claimName: {{ .Chart.Name }}-output
         - name: tmp-volume
           emptyDir:
             sizeLimit: 500Mi
-        - name: condor-config-volume
-          configMap:
-            name: {{ $.Chart.Name }}-config-worker
-            items:
-              - key: config
-                path: condor-config
         - name: condor-remote-volume
           persistentVolumeClaim:
             claimName: {{ $.Chart.Name }}-htcondor
-        - name: butler-auth-volume
-          configMap:
-            name: {{ $.Chart.Name }}-config-worker
+        - name: butler-registry-volume
+          secret:
+            secretName: cm-service-butler
             items:
-              - key: butlerAuth
+              - key: butler-registry
                 path: db-auth.yaml
       {{- with .Values.worker.nodeSelector }}
       nodeSelector:

applications/cm-service/values-usdf-cm-dev.yaml

@@ -1,3 +1,9 @@
+# service writes artifacts that eventually resolve to the path
+#   /sdf/group/rubin/shared/campaigns/users/usdf-cm-dev/<production>/<campaign>/
+# outputVolume: mounted at the container's path /output
+#  sdf-data-rubin == /sdf/group/rubin
+#  sdf-group-rubin == /sdf/group/rubin
+---
 internalDB: true
 config:
   logLevel: "INFO"
@@ -8,20 +14,17 @@ config:
   outputVolume:
     storageClassName: "sdf-data-rubin"
     subPath: "shared/campaigns/users/usdf-cm-dev"
+    mountPath: "/sdf/group/rubin/shared/campaigns/users/usdf-cm-dev"
 image:
   tag: "tickets-DM-48099-release"
   pullPolicy: Always
 worker:
   image:
     tag: "tickets-DM-48099-release"
     pullPolicy: Always
-  butler:
-    mountPath: "/home/lsstsvc1/.config/butler"
-    dbUrl: "postgresql://usdf-butler.slac.stanford.edu:5432/lsstdb1"
-    dbUsername: rubin
   htcondor:
     config:
-      mountPath: "/home/lsstsvc1/.config/condor"
+      mountPath: "/usr/local/etc"
       contents: |
         CONDOR_HOST = sdfiana012.sdf.slac.stanford.edu
         COLLECTOR_HOST = sdfiana012.sdf.slac.stanford.edu

applications/cm-service/values.yaml

@@ -131,16 +131,6 @@ worker:
   # -- Tolerations for the worker pods
   tolerations: []
 
-  butler:
-    # -- If specified, location for htcondor config file to be injected into worker containers
-    mountPath: null
-
-    # -- URL of a Butler Registry Database
-    dbUrl: null
-
-    # -- Name of a user to use with the Butler Registry Database
-    dbUsername: null
-
   htcondor:
 
     host: