Add a container to run FTS proxy renewal in
1 parent
f02a242
commit f5c0c08
Showing
3 changed files
with
71 additions
and
0 deletions.
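--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,34 @@
+FROM centos:7
+
+# Repos needed for (VOMS and FTS) and WLCG certs
+RUN curl -o /etc/yum.repos.d/ca.repo https://raw.githubusercontent.com/rucio/rucio/master/etc/docker/dev/ca.repo
+
+RUN yum install -y epel-release.noarch http://linuxsoft.cern.ch/wlcg/centos7/x86_64/wlcg-repo-1.0.0-1.el7.noarch.rpm && \
+yum clean all && \
+rm -rf /var/cache/yum
+
+RUN yum update -y && \
+yum upgrade -y && \
+yum clean all && \
+rm -rf /var/cache/yum
+
+# Install latest kubectl
+RUN curl -o /usr/bin/kubectl -L https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+RUN chmod +x /usr/bin/kubectl
+
+# Install VOMS and FTS clients for delegating proxies
+RUN yum -y install ca-certificates.noarch lcg-CA voms-clients-cpp fts-rest-cli \
+wlcg-voms-cms wlcg-voms-atlas \
+python-pip python-setuptools python-requests && \
+yum clean all && \
+rm -rf /var/cache/yum
+
+RUN pip install --upgrade pip setuptools
+RUN pip install j2cli
+
+RUN mkdir -p /opt/rucio/certs/
+
+ADD docker-entrypoint.sh /
+ADD renew_fts_proxy.sh.j2 /
+
+ENTRYPOINT ["/docker-entrypoint.sh"]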
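Review bot: The kubectl download under `# Install latest kubectl` resolves `stable.txt` at build time and never verifies what it fetched, so the image depends on the day it was built, and because curl runs without `-f` an HTTP error body would be saved as `/usr/bin/kubectl`, `chmod +x`'d, and later used to write Kubernetes secrets. Pin the release through a build argument and check the `kubectl.sha256` published next to the binary (available for recent releases — confirm for the version you pick) before installing; the `ca.repo` fetch has the same missing `-f`, where a failed request would leave an HTML page in `/etc/yum.repos.d/`. The two `ADD` lines copy local files and should be `COPY`, and there is no `USER` line, so the renewal job runs as root in the container. This section's file name is not visible on the page; it is presumably the Dockerfile that the entrypoint below belongs to.

```dockerfile
# Install kubectl — pinned via --build-arg KUBECTL_VERSION=vX.Y.Z and verified
# against the checksum published for that release
ARG KUBECTL_VERSION
RUN curl -fsSL -o /usr/bin/kubectl "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    curl -fsSL -o /tmp/kubectl.sha256 "https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" && \
    echo "$(cat /tmp/kubectl.sha256)  /usr/bin/kubectl" | sha256sum -c - && \
    rm -f /tmp/kubectl.sha256 && \
    chmod +x /usr/bin/kubectl
# … unchanged: VOMS/FTS client install, pip, certs dir …
COPY docker-entrypoint.sh /
COPY renew_fts_proxy.sh.j2 /
```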
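--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+j2 /renew_fts_proxy.sh.j2 > /renew_fts_proxy.sh
+chmod +x /renew_fts_proxy.sh
+
+echo "=================== /renew_fts_proxy.sh ========================"
+cat /renew_fts_proxy.sh
+echo ""
+
+/renew_fts_proxy.sh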
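Review bot: The `-e` on the shebang is the script's only error handling and is lost whenever it is started as `bash /docker-entrypoint.sh` instead of executed directly, in which case a failed `j2` render leaves an empty `/renew_fts_proxy.sh` that is then run as if nothing happened; make `set -euo pipefail` the first statement instead. The `cat /renew_fts_proxy.sh` writes the fully rendered script to the container log, which is harmless today because the template only interpolates VOMS and FTS names, but any credential later supplied as a template variable would land in the logs in clear — worth a comment such as `# the rendered script is logged: never pass secrets through template variables`. The last line should be `exec /renew_fts_proxy.sh` so the renewal process replaces the shell and receives the container's signals directly.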
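--- /dev/null
+++ b/renew_fts_proxy.sh.j2
@@ -0,0 +1,27 @@
+#! /bin/bash
+
+# We have to copy the certificates because we cannot change permissions on them as mounted secrets and voms-proxy is particular about permissions
+
+cp /opt/rucio/certs/usercert.pem /tmp/cert.pem
+cp /opt/rucio/keys/new_userkey.pem /tmp/key.pem
+chmod 400 /tmp/key.pem
+
+# Generate a proxy with the voms extension if requested
+voms-proxy-init2 --debug -rfc -valid 96:00 -cert /tmp/cert.pem -key /tmp/key.pem -out /tmp/x509up {% if RUCIO_FTS_VOMS is defined -%}-voms {{ RUCIO_FTS_VOMS }}{%- endif %} -rfc -timeout 5
+
+# Delegate the proxy to the requested servers
+{% if RUCIO_FTS_SERVERS is defined %}
+{% set ftses = RUCIO_FTS_SERVERS.split(',') %}
+{% for fts in ftses %}
+fts-rest-delegate -v -f -H 96 --key=/tmp/x509up --cert=/tmp/x509up -s {{ fts }}
+{% endfor %}
+{% endif %}
+
+# Create the corresponding kubernetes secrets if asked
+{% if RUCIO_FTS_SECRETS is defined %}
+{% set secrets = RUCIO_FTS_SECRETS.split(',') %}
+{% for secret in secrets %}
+kubectl create secret generic {{ secret }} --from-file=/tmp/x509up --dry-run -o yaml | kubectl apply --validate=false -f -
+{% endfor %}
+{% endif %}
+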
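Review bot: Nothing stops this script on failure: with no `set -e`, a failed `cp` or a `voms-proxy-init2` that times out or is rejected is still followed by `fts-rest-delegate` and `kubectl apply` acting on whatever sits in `/tmp/x509up` — nothing, or a stale proxy from an earlier run in the same container — and the job exits 0 as long as the last kubectl call succeeds. Add `set -euo pipefail` after the shebang and `rm -f /tmp/x509up` before the `voms-proxy-init2` line so a renewal that produced no new proxy fails loudly rather than re-publishing an old one. The copied private key stays in `/tmp/key.pem` for the life of the container; `trap 'rm -f /tmp/key.pem /tmp/cert.pem' EXIT` placed after the `cp` lines removes it once the proxy exists. `{{ RUCIO_FTS_VOMS }}`, `{{ fts }}` and `{{ secret }}` are spliced unquoted into shell command lines, so whatever sets those variables (presumably the deployment's environment) has to be trusted, and `-rfc` is passed twice on the `voms-proxy-init2` line.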