Merge pull request #8 from ericvaandering/fts_cron

Add a container to run FTS proxy renewal in
rucio · Dec 28, 2018 · c2a5be9 · c2a5be9
2 parents b87112d + f5c0c08
commit c2a5be9
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 0 deletions.
diff --git a/fts-cron/Dockerfile b/fts-cron/Dockerfile
@@ -0,0 +1,34 @@
+FROM centos:7
+
+# Repos needed for (VOMS and FTS) and WLCG certs
+RUN curl -o  /etc/yum.repos.d/ca.repo https://raw.githubusercontent.com/rucio/rucio/master/etc/docker/dev/ca.repo
+
+RUN yum install -y epel-release.noarch http://linuxsoft.cern.ch/wlcg/centos7/x86_64/wlcg-repo-1.0.0-1.el7.noarch.rpm && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+RUN yum update -y && \
+    yum upgrade -y && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+# Install latest kubectl
+RUN curl -o /usr/bin/kubectl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+RUN chmod +x /usr/bin/kubectl
+
+# Install VOMS and FTS clients for delegating proxies
+RUN yum -y install ca-certificates.noarch lcg-CA voms-clients-cpp fts-rest-cli \
+    wlcg-voms-cms wlcg-voms-atlas \
+    python-pip python-setuptools python-requests && \
+    yum clean all && \
+    rm -rf /var/cache/yum
+
+RUN pip install --upgrade pip setuptools
+RUN pip install j2cli
+
+RUN mkdir -p /opt/rucio/certs/
+
+ADD docker-entrypoint.sh /
+ADD renew_fts_proxy.sh.j2 /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]
diff --git a/fts-cron/docker-entrypoint.sh b/fts-cron/docker-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+j2 /renew_fts_proxy.sh.j2 > /renew_fts_proxy.sh
+chmod +x /renew_fts_proxy.sh
+
+echo "=================== /renew_fts_proxy.sh ========================"
+cat /renew_fts_proxy.sh
+echo ""
+
+/renew_fts_proxy.sh
diff --git a/fts-cron/renew_fts_proxy.sh.j2 b/fts-cron/renew_fts_proxy.sh.j2
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+# We have to copy the certificates because we cannot change permissions on them as mounted secrets and voms-proxy is particular about permissions
+
+cp /opt/rucio/certs/usercert.pem /tmp/cert.pem
+cp /opt/rucio/keys/new_userkey.pem /tmp/key.pem
+chmod 400 /tmp/key.pem
+
+# Generate a proxy with the voms extension if requested
+voms-proxy-init2 --debug -rfc -valid 96:00 -cert /tmp/cert.pem -key /tmp/key.pem -out /tmp/x509up {% if RUCIO_FTS_VOMS is defined -%}-voms {{ RUCIO_FTS_VOMS }}{%- endif %} -rfc -timeout 5
+
+# Delegate the proxy to the requested servers
+{% if RUCIO_FTS_SERVERS is defined %}
+{% set ftses = RUCIO_FTS_SERVERS.split(',') %}
+{% for fts in ftses %}
+fts-rest-delegate -v -f -H 96 --key=/tmp/x509up --cert=/tmp/x509up -s {{ fts }}
+{% endfor %}
+{% endif %}
+
+# Create the corresponding kubernetes secrets if asked
+{% if RUCIO_FTS_SECRETS is defined %}
+{% set secrets = RUCIO_FTS_SECRETS.split(',') %}
+{% for secret in secrets %}
+kubectl create secret generic  {{ secret }} --from-file=/tmp/x509up --dry-run -o yaml | kubectl apply --validate=false  -f  -
+{% endfor %}
+{% endif %}
+