diff --git a/supported/osg-htc/osg-hosted-ce/Chart.yaml b/supported/osg-htc/osg-hosted-ce/Chart.yaml index 237b27e..c664591 100644 --- a/supported/osg-htc/osg-hosted-ce/Chart.yaml +++ b/supported/osg-htc/osg-hosted-ce/Chart.yaml @@ -3,4 +3,4 @@ apiVersion: v1 appVersion: "V5-branch" description: OSG Hosted Compute Entrypoint name: osg-hosted-ce -version: 4.6.3 +version: 4.7.0 diff --git a/supported/osg-htc/osg-hosted-ce/README.md b/supported/osg-htc/osg-hosted-ce/README.md index 3bcc865..47d0d17 100644 --- a/supported/osg-htc/osg-hosted-ce/README.md +++ b/supported/osg-htc/osg-hosted-ce/README.md @@ -242,12 +242,6 @@ To avoid these rate limits, it's possible to bootstrap the certificate request p slate secret create --cluster --group --from-file host.key= -1. Update your values file to use the host key secret that you've created: - - HostCredentials: - HostKeySecret: - HostCertSecret: null - 1. Upon successful startup of the Hosted CE app, the Let's Encrypt host certificate can be found in the instance logs: slate instance logs --container osg-hosted-ce --max-lines 0 @@ -258,12 +252,6 @@ To avoid these rate limits, it's possible to bootstrap the certificate request p slate secret create --cluster --group --from-file host.cert= -1. Update your values file to use the host key secret that you've created: - - HostCredentials: - HostKeySecret: - HostCertSecret: - ### Developer Simply disable this. It is in place for the purpose of OSG Internal Testbed hosts, and is not intended for use with production CEs. @@ -329,8 +317,7 @@ BoscoOverrides: GitKeySecret: null HostCredentials: - HostKeySecret: null - HostCertSecret: null + HostCertKeySecret: null Developer: Enabled: false diff --git a/supported/osg-htc/osg-hosted-ce/templates/_helpers.tpl b/supported/osg-htc/osg-hosted-ce/templates/_helpers.tpl index 563fb7b..22afed3 100644 --- a/supported/osg-htc/osg-hosted-ce/templates/_helpers.tpl +++ b/supported/osg-htc/osg-hosted-ce/templates/_helpers.tpl 
@@ -20,10 +20,6 @@ If release name contains chart name it will be used as a full name. {{- end -}} {{- end -}} -{{- define "namespace" -}} -{{- .Release.Namespace | trimPrefix "slate-vo-" | printf " %s" -}} -{{- end -}} - {{/* Create chart name and version as used by the chart label. */}} diff --git a/supported/osg-htc/osg-hosted-ce/templates/configmap.yaml b/supported/osg-htc/osg-hosted-ce/templates/configmap.yaml index 0bf73a3..32e781b 100644 --- a/supported/osg-htc/osg-hosted-ce/templates/configmap.yaml +++ b/supported/osg-htc/osg-hosted-ce/templates/configmap.yaml @@ -72,7 +72,8 @@ data: {{ end }} SLATE_HOSTED_CE = True - SCHEDD_ATTRS = $(SCHEDD_ATTRS) SLATE_HOSTED_CE + OSG_HOSTED_CE = True + SCHEDD_ATTRS = $(SCHEDD_ATTRS) SLATE_HOSTED_CE OSG_HOSTED_CE # Templatize IDTOKEN generation for glidein -> CE collector advertising (SOFTWARE-5556) {{- range $index, $map := .Values.SciTokenRemoteUserMapping }} @@ -136,7 +137,7 @@ data: apiVersion: v1 kind: ConfigMap metadata: - name: osg-hosted-ce-{{ .Values.Instance }}-slate-scitokens + name: osg-hosted-ce-{{ .Values.Instance }}-scitokens labels: app: osg-hosted-ce instance: {{ .Values.Instance }} @@ -144,7 +145,7 @@ metadata: app.kubernetes.io/part-of: {{ .Chart.Name }} app.kubernetes.io/instance: {{ .Release.Name }} data: - 50-slate-scitokens.conf: |+ + 50-scitokens.conf: |+ {{- range $index, $map := .Values.SciTokenRemoteUserMapping }} {{- range $url, $user := $map }} SCITOKENS /^{{ $url | replace "/" "\\/" | replace "." "\\." | replace "-" "\\-" }}{{ if not ( $url | contains "," ) }},{{ end }}/ {{ $user }} diff --git a/supported/osg-htc/osg-hosted-ce/templates/deployment.yaml b/supported/osg-htc/osg-hosted-ce/templates/deployment.yaml index 7f666ba..a841189 100644 --- a/supported/osg-htc/osg-hosted-ce/templates/deployment.yaml +++ b/supported/osg-htc/osg-hosted-ce/templates/deployment.yaml 
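Review bot: The new `OSG_HOSTED_CE = True` line in configmap.yaml sits next to the retained `SLATE_HOSTED_CE = True`, and both are appended to `SCHEDD_ATTRS`, with nothing recording why the legacy attribute survives the de-branding the rest of this commit performs. A one-line comment above it, presumably `# SLATE_HOSTED_CE kept alongside OSG_HOSTED_CE during the SLATE -> OSG transition; remove once nothing matches on it`, would keep the next maintainer from dropping either attribute by mistake. The `data:` block these lines belong to begins before the hunk; the ConfigMap rename to `osg-hosted-ce-<Instance>-scitokens` and the `50-scitokens.conf` key are matched by the deployment.yaml hunks on the following lines, so that part is consistent.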
@@ -6,7 +6,6 @@ metadata:
 app: {{ template "osg-hosted-ce.name" . }}
 release: {{ .Release.Name }}
 instance: {{ .Values.Instance }}
- instanceID: {{ .Values.SLATE.Instance.ID | quote }}
 app.kubernetes.io/part-of: {{ .Chart.Name }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 spec:
@@ -47,9 +46,9 @@ spec:
 - name: osg-hosted-ce-{{ .Values.Instance }}-htcondor-ce-configuration
 configMap:
 name: osg-hosted-ce-{{ .Values.Instance }}-htcondor-ce-configuration
- - name: osg-hosted-ce-{{ .Values.Instance }}-slate-scitokens
+ - name: osg-hosted-ce-{{ .Values.Instance }}-scitokens
 configMap:
- name: osg-hosted-ce-{{ .Values.Instance }}-slate-scitokens
+ name: osg-hosted-ce-{{ .Values.Instance }}-scitokens
 - name: bosco-ssh-private-key-volume
 secret:
 secretName: {{ .Values.RemoteCluster.PrivateKeySecret }}
@@ -82,25 +81,6 @@ spec:
 - key: tls.key
 path: hostkey.pem
 mode: 0o400
- {{ else }}
- {{ if and .Values.HostCredentials.HostCertSecret .Values.HostCredentials.HostKeySecret }}
- - name: osg-hosted-ce-hostcert-volume
- secret:
- secretName: {{ .Values.HostCredentials.HostCertSecret }}
- items:
- - key: host.cert
- path: hostcert.pem
- mode: 256
- {{ end }}
- {{ if .Values.HostCredentials.HostKeySecret }}
- - name: osg-hosted-ce-hostkey-volume
- secret:
- secretName: {{ .Values.HostCredentials.HostKeySecret }}
- items:
- - key: host.key
- path: hostkey.pem
- mode: 256
- {{ end }}
 {{ end }}
 {{ if .Values.BoscoOverrides.Enabled }}
 {{ if .Values.BoscoOverrides.GitKeySecret }}
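Review bot: Dropping the `{{ else }}` branch that mounted `HostCertSecret`/`HostKeySecret` (third hunk) leaves no guard for sites that still carry those keys in their values file: Helm does not reject unknown values, so on upgrade their host secrets silently stop being mounted and the CE falls through to the no-secret path without any error. A fail-fast line near the top of the `volumes:` list, `{{- if or .Values.HostCredentials.HostCertSecret .Values.HostCredentials.HostKeySecret }}{{ fail "HostCertSecret/HostKeySecret were removed in chart 4.7.0; use HostCertKeySecret" }}{{- end }}`, surfaces the migration instead of hiding it. The enclosing `{{ if .Values.HostCredentials.HostCertKeySecret }}` and the `volumes:` list both begin before this hunk; the matching volumeMounts hunk on the next line has the same exposure.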
@@ -152,17 +132,6 @@ spec:
 {{ if .Values.HostCredentials.HostCertKeySecret }}
 - name: osg-hosted-ce-hostcertkey-volume
 mountPath: /etc/grid-security-orig.d
- {{ else }}
- {{ if and .Values.HostCredentials.HostCertSecret .Values.HostCredentials.HostKeySecret }}
- - name: osg-hosted-ce-hostcert-volume
- mountPath: /etc/grid-security/hostcert.pem
- subPath: hostcert.pem
- {{ end }}
- {{ if .Values.HostCredentials.HostKeySecret }}
- - name: osg-hosted-ce-hostkey-volume
- mountPath: /etc/grid-security/hostkey.pem
- subPath: hostkey.pem
- {{ end }}
 {{ end }}
 {{ if .Values.Persistence.LogVolume}}
 - name: log-volume
@@ -176,21 +145,14 @@ spec:
 {{ end }}
 {{ end }}
 {{ if .Values.SciTokenRemoteUserMapping }}
- - name: osg-hosted-ce-{{ .Values.Instance }}-slate-scitokens
- mountPath: /etc/condor-ce/mapfiles.d/50-slate-scitokens.conf
- subPath: 50-slate-scitokens.conf
+ - name: osg-hosted-ce-{{ .Values.Instance }}-scitokens
+ mountPath: /etc/condor-ce/mapfiles.d/50-scitokens.conf
+ subPath: 50-scitokens.conf
 {{ end }}
 ports:
 - name: htcondor-ce
 containerPort: 9619
 protocol: TCP
- {{ if or .Values.Dashboard.Enabled
- ( and (not .Values.HostCredentials.HostCertKeySecret)
- (not .Values.HostCredentials.HostCertSecret) ) }}
- - name: http # needed to get a cert issued from Let's Encrypt
- containerPort: 80
- protocol: TCP
- {{ end }}
 env:
 {{ if eq .Values.Networking.ServiceType "HostNetwork" }}
 - name: _CONDOR_NETWORK_HOSTNAME
@@ -215,10 +177,6 @@ spec:
 {{ else }}
 value: "false"
 {{ end }}
- {{ if .Values.Dashboard.Enabled }}
- - name: ENABLE_CE_VIEW
- value: "true"
- {{ end }}
 {{ if .Values.Debug.ContinueOnError }}
 - name: HOSTED_CE_CONTINUE_ON_ERROR
 value: "true"
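Review bot: The `http` containerPort 80 removed in the second hunk, together with the matching port-80 ingress rule in networkpolicy.yaml and the Service port in service.yaml on the next line, was guarded on `HostCertKeySecret` being unset and annotated as needed to get a Let's Encrypt certificate; `HostCertKeySecret: null` is still the default and `LetsEncryptStaging` survives in values.yaml, so an install without an operator-supplied certificate appears to still take the ACME path but no longer has port 80 reachable through the Service or admitted by the NetworkPolicy. If the image still answers an HTTP-01 challenge, first-start issuance will now fail; if issuance has moved to another challenge type, or the Dashboard removal is what made the port unnecessary, the commit message should say so and the `LetsEncryptStaging` comment in values.yaml should describe how the certificate is now obtained. The `ports:` and `env:` lists continue outside the hunk.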
@@ -231,6 +189,10 @@ spec:
 - name: SSH_PROXY_JUMP
 value: {{ .Values.RemoteCluster.ProxyJump }}
 {{ end }}
+ {{ if .Values.RemoteCluster.ProxyJumpUser }}
+ - name: SSH_PROXY_JUMP_USER
+ value: {{ .Values.RemoteCluster.ProxyJumpUser }}
+ {{ end }}
 - name: REMOTE_BATCH
 value: {{ .Values.RemoteCluster.Batch | lower }}
 - name: REMOTE_BOSCO_DIR
diff --git a/supported/osg-htc/osg-hosted-ce/templates/networkpolicy.yaml b/supported/osg-htc/osg-hosted-ce/templates/networkpolicy.yaml
index 80d4454..d35b609 100644
--- a/supported/osg-htc/osg-hosted-ce/templates/networkpolicy.yaml
+++ b/supported/osg-htc/osg-hosted-ce/templates/networkpolicy.yaml
@@ -13,11 +13,5 @@ spec:
 - ports:
 - protocol: TCP
 port: 9619
- {{ if or .Values.Dashboard.Enabled
- ( and (not .Values.HostCredentials.HostCertKeySecret)
- (not .Values.HostCredentials.HostCertSecret) ) }}
- - protocol: TCP
- port: 80
- {{ end }}
 egress:
 - {}
diff --git a/supported/osg-htc/osg-hosted-ce/templates/service.yaml b/supported/osg-htc/osg-hosted-ce/templates/service.yaml
index 2cc7a92..3aeb53b 100644
--- a/supported/osg-htc/osg-hosted-ce/templates/service.yaml
+++ b/supported/osg-htc/osg-hosted-ce/templates/service.yaml
@@ -22,14 +22,6 @@ spec:
 port: 9619
 targetPort: htcondor-ce
 protocol: TCP
- {{ if or .Values.Dashboard.Enabled
- ( and (not .Values.HostCredentials.HostCertKeySecret)
- (not .Values.HostCredentials.HostCertSecret) ) }}
- - name: http # needed to get a cert issued from Let's Encrypt (since the admin's not supplying a cert/key as a secret)
- port: 80
- targetPort: http
- protocol: TCP
- {{ end }}
 {{ if .Values.Networking.RequestIP }}
 loadBalancerIP: {{ .Values.Networking.RequestIP }}
 {{ end }}
diff --git a/supported/osg-htc/osg-hosted-ce/values.yaml b/supported/osg-htc/osg-hosted-ce/values.yaml
index c8e2515..93cda31 100644
--- a/supported/osg-htc/osg-hosted-ce/values.yaml
+++ b/supported/osg-htc/osg-hosted-ce/values.yaml
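Review bot: `value: {{ .Values.RemoteCluster.ProxyJumpUser }}` in the deployment.yaml hunk is emitted unquoted, so a value YAML types as something other than a string (an all-digit account name, or `yes`/`no`) renders as a non-string and the Deployment is rejected because an env `value` must be a string; `value: {{ .Values.RemoteCluster.ProxyJumpUser | quote }}` avoids that, and the pre-existing `SSH_PROXY_JUMP` line above has the same exposure. The new block is also independent of `ProxyJump`: `SSH_PROXY_JUMP_USER` is exported even when `ProxyJump` is null, which is harmless if the entrypoint ignores it in that case but deserves a comment such as `# only meaningful together with ProxyJump` so nobody expects it to pick the user for LoginHost. The `env:` list this block belongs to starts before the hunk.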
@@ -19,6 +19,7 @@ RemoteCluster:
 # Jump host formatted as host[:port]
 # If set, KnownHosts below must also be set.
 ProxyJump: null
+ ProxyJumpUser: null
 # Contents of SSH known_hosts
 # Required for sites with ProyJump defined
 KnownHosts: null
@@ -27,7 +28,7 @@ RemoteCluster:
 # login04.osgconnect.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqsciY/FmcH6yedW7DxbTwLjkwlgVcbcG43QwdaSvMuN5EHAeLRH2P6ig3H6s/4hZqJn7AU2oNsoIqjZZ8iHqGyiTB9r70Aovt9PUuQXw5qHvYiIoyw49/waJ+yzu4+UD3qfnxeHuRw5EOaXia72MNJJ4lBMoS6iw1JveFJY4rBgKZ7nta1eAGGfHADsf5lfhlIXnJPN050X6zcUjqEEKXjdUkFa3wDiVbFEIESCMwi1b6Q1OXGGFwuSNse1X38CREBzQ+NjOB97o70chZoh2jZ2O3iZZZbujYcDzpxF3RxmewFC3pDmkoOpJrfV2W58n1KdJJnyvjlqEZGXCXcAlB
 # login04.osgconnect.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCnySArMSVd0O3UniYN4vX3a/d9d9mEMnrf2z1S900t0GrxVazVGu3ObeLfWwYRc3qFXNRPGh3mKcz5QVG6gcm4=
 # login04.osgconnect.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJBW6weAaFSdLYksn4vIvqt4+geNVQ/bUvp71kTeQsKV
-# SLATE secret with 'bosco.key' containing the SSH key to access LoginHost:
+# Secret with 'bosco.key' containing the SSH key to access LoginHost:
 PrivateKeySecret: lincolnb-bosco
 # Secret containing a signed certificate (required by some sites)
 # See CertificateFile in `man ssh_config`
@@ -144,9 +145,7 @@ SciTokenRemoteUserMapping:
 # max_wall_time = 34560
 # queue = opportunistic
 
-# Enable persistence to HostedCE files by creating corresponding SLATE Volumes
-# SLATE Creates a PVC in Kubernetes which can be reclaimed on restart
-# The value for each volume should correspond to the volume name within SLATE
+# Enable persistence to HostedCE files by creating corresponding Volumes
 Persistence:
 # /var/log/condor-ce
 LogVolume: null
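Review bot: `ProxyJumpUser: null` is added without the comment every neighbouring key in `RemoteCluster` carries, so a site admin reading values.yaml cannot tell whether it names the jump-host login or the LoginHost user. A line above it such as `# Login user for the ProxyJump host; exported to the container as SSH_PROXY_JUMP_USER when set` follows the style of the `ProxyJump` comment directly above and matches what the deployment template does with it. The unchanged `# Required for sites with ProyJump defined` line two rows down carries a typo (`ProyJump`) that could be corrected in the same touch.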
@@ -160,8 +159,9 @@ Persistence: BoscoOverrides: Enabled: false BoscoOverrideDir: null - GitEndpoint: https://github.com/slateci/bosco-override-template - # If GitEndpoint requires authentication, create a SLATE secret with + GitEndpoint: git@github.com:opensciencegrid/hosted-ce-config.git + RepoNeedsPrivKey: true + # If GitEndpoint requires authentication, create a secret with # 'git.key' containing the private SSH key that can access # it. Specify the name of the secret in GitKeySecret: GitKeySecret: null @@ -188,28 +188,13 @@ ServiceAnnotations: {} HostCredentials: # Name of the secret containing a host key and certificate in - # "tls.key" and "tls.crt", respectively. If defined, values of - # HostCertSecret and HostKeySecret are ignored. + # "tls.key" and "tls.crt", respectively. HostCertKeySecret: null - # Use a pre-existing host key to request a new Let's Encrypt - # certificate If HostCertSecret is also specified, the Let's Encrypt - # request is skipped. Secret must contain a "host.key" key - # containing the encoded host key. - HostKeySecret: null - # Use a pre-existing host certificate instead of requesting a new - # Let'S Encrypt certificate. If HostKeySecret is not specified, a - # new Let's Encrypt certificate and key are requested anyway. - # Secret must contain a "host.cert" containing the encoded host - # certificate. - HostCertSecret: null # If set to 'true', use the Let's Encrypt staging server. This is # useful for avoiding Let's Encrypt rate limits when first setting # up a CE. NOT SUITABLE FOR PRODUCTION USE. LetsEncryptStaging: false -Dashboard: - Enabled: false - # Choose which tag to use for the specified containers ContainerTags: HostedCE: release @@ -225,9 +210,3 @@ Debug: # - Generates a test CA and self-signed host cert/key pair Developer: Enabled: false - -### SLATE-START ### -SLATE: - Instance: - ID: "untagged" -### SLATE-END ###
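Review bot: `RepoNeedsPrivKey: true` in the first hunk is introduced with no comment, and none of the deployment.yaml hunks in this diff read it, so it is either consumed by a template or entrypoint outside what is shown or it is dead; either way it needs a line saying what it gates. The default `GitEndpoint` is now an SSH URL (`git@github.com:opensciencegrid/hosted-ce-config.git`) while `GitKeySecret` still defaults to `null`, so enabling `BoscoOverrides` with the shipped defaults yields a clone that cannot authenticate. A comment such as `# Set to true when GitEndpoint is an SSH URL; GitKeySecret must then name the secret holding the deploy key`, and a `{{ fail }}` in the template when `RepoNeedsPrivKey` is true and `GitKeySecret` is null, would make the dependency explicit. The `BoscoOverrides` mapping starts before the hunk.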