htcondorcern: fix Singularity and Kerberos tokens

Fixes CERN HTCondor compute backend for Singularity unpacked images
execution mode where jobs couldn't access restricted EOS directories due
to inaccessible Kerberos credentials.

reana_job_controller/htcondorcern_job_manager.py

@@ -102,6 +102,10 @@ def __init__(
         initialize_krb5_token(workflow_uuid=self.workflow_uuid)
         globals()["htcondor"] = __import__("htcondor")
 
+        # Send Krb5 credentials
+        credd = htcondor.Credd()
+        credd.add_user_cred(htcondor.CredTypes.Kerberos, None)
+
     @JobManager.execution_hook
     def execute(self):
         """Execute / submit a job with HTCondor."""
@@ -146,6 +150,7 @@ def execute(self):
             job_ad["MaxRunTime"] = 3600
         if self.htcondor_accounting_group:
             job_ad["AccountingGroup"] = self.htcondor_accounting_group
+        job_ad["MY.SendCredential"] = True
         future = current_app.htcondor_executor.submit(self._submit, job_ad)
         clusterid = future.result()
         return clusterid
@@ -229,12 +234,15 @@ def _copy_wrapper_file(self):
                 )
             else:
                 template = (
-                    "#!/bin/bash \n"
+                    "#!/bin/bash\n"
+                    'SINGULARITY_KRB5CCNAME="FILE:/srv/$(basename $KRB5CCNAME)"\n'
                     "singularity exec "
+                    "--contain "
+                    "--ipc "
+                    "--pid "
                     "--home $PWD:/srv "
-                    "--bind $PWD:/srv "
                     "--bind /cvmfs "
-                    "--bind /eos "
+                    "--env KRB5CCNAME=$SINGULARITY_KRB5CCNAME "
                     "{DOCKER_IMG} {CMD}".format(
                         DOCKER_IMG=self.docker_img,
                         CMD=self._format_arguments() + " | bash",