From 294c19c3592b4fc6a5195d90c74a1ba848764104 Mon Sep 17 00:00:00 2001 From: Matt Shirley Date: Mon, 17 Nov 2025 13:23:18 -0600 Subject: [PATCH 1/2] fix x509 cronjob --- .../templates/x509-secrets/deployment.yaml | 107 +++++++++--------- 1 file changed, 55 insertions(+), 52 deletions(-) diff --git a/helm/servicex/templates/x509-secrets/deployment.yaml b/helm/servicex/templates/x509-secrets/deployment.yaml index e73568984..21111c29e 100644 --- a/helm/servicex/templates/x509-secrets/deployment.yaml +++ b/helm/servicex/templates/x509-secrets/deployment.yaml 
@@ -7,60 +7,63 @@ metadata: name: x509-secrets spec: schedule: "0 */6 * * *" - template: - metadata: - labels: - app: x509-secrets + jobTemplate: spec: - serviceAccountName: {{ template "servicex.fullname" . }} - # Before launching the main container, copy the certs and set their permissions accordingly - initContainers: - - name: take-data-dir-ownership - image: {{ .Values.x509Secrets.initImage }} - command: ["/bin/sh","-c"] - args: ["cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs; chmod 600 /etc/grid-certs/usercert.pem; cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs; chmod 400 /etc/grid-certs/userkey.pem"] - env: - - name: INSTANCE_NAME - value: {{ .Release.Name }} - volumeMounts: - - name: grid-certs-rw-copy - mountPath: /etc/grid-certs/ - - name: grid-secret - mountPath: /etc/grid-certs-ro/ - containers: - - name: x509-secrets - image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }} - command: ["bash","-c"] - args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"] - env: - - name: MY_POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: MY_POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - tty: true - stdin: true - imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }} - volumeMounts: - - name: grid-certs-rw-copy - mountPath: /etc/grid-certs/ - - name: grid-secret - mountPath: /etc/grid-certs-ro/ + template: + metadata: + labels: + app: x509-secrets + spec: + serviceAccountName: {{ template "servicex.fullname" . 
}} + restartPolicy: OnFailure + # Before launching the main container, copy the certs and set their permissions accordingly + initContainers: + - name: take-data-dir-ownership + image: {{ .Values.x509Secrets.initImage }} + command: ["/bin/sh","-c"] + args: ["cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs; chmod 600 /etc/grid-certs/usercert.pem; cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs; chmod 400 /etc/grid-certs/userkey.pem"] + env: + - name: INSTANCE_NAME + value: {{ .Release.Name }} + volumeMounts: + - name: grid-certs-rw-copy + mountPath: /etc/grid-certs/ + - name: grid-secret + mountPath: /etc/grid-certs-ro/ + containers: + - name: x509-secrets + image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }} + command: ["bash","-c"] + args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"] + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + tty: true + stdin: true + imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }} + volumeMounts: + - name: grid-certs-rw-copy + mountPath: /etc/grid-certs/ + - name: grid-secret + mountPath: /etc/grid-certs-ro/ - volumes: - # Mount the usercert, userkey, and passphrase file. These will have the - # wrong permissions to be used for generating the voms proxy - - name: grid-secret - secret: - secretName: grid-certs-secret # Installed via servicex command line + volumes: + # Mount the usercert, userkey, and passphrase file. These will have the + # wrong permissions to be used for generating the voms proxy + - name: grid-secret + secret: + secretName: grid-certs-secret # Installed via servicex command line - # Create an empty dir to share between the init container and the main - # container. 
The init container will copy the certs from grid-secret - # to this dir and set the correct permissions - - name: grid-certs-rw-copy - emptyDir: {} + # Create an empty dir to share between the init container and the main + # container. The init container will copy the certs from grid-secret + # to this dir and set the correct permissions + - name: grid-certs-rw-copy + emptyDir: {} {{- end }} From 58ed8a32608a9e6b5d639622c57ab1bb244ddf87 Mon Sep 17 00:00:00 2001 From: Matt Shirley Date: Tue, 18 Nov 2025 10:23:28 -0600 Subject: [PATCH 2/2] add post-install x509 job --- .../{deployment.yaml => cronjob.yaml} | 0 .../templates/x509-secrets/install-job.yaml | 74 +++++++++++++++++++ 2 files changed, 74 insertions(+) rename helm/servicex/templates/x509-secrets/{deployment.yaml => cronjob.yaml} (100%) create mode 100644 helm/servicex/templates/x509-secrets/install-job.yaml diff --git a/helm/servicex/templates/x509-secrets/deployment.yaml b/helm/servicex/templates/x509-secrets/cronjob.yaml similarity index 100% rename from helm/servicex/templates/x509-secrets/deployment.yaml rename to helm/servicex/templates/x509-secrets/cronjob.yaml diff --git a/helm/servicex/templates/x509-secrets/install-job.yaml b/helm/servicex/templates/x509-secrets/install-job.yaml new file mode 100644 index 000000000..56af6905e --- /dev/null +++ b/helm/servicex/templates/x509-secrets/install-job.yaml 
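Review bot: The `grid-certs-rw-copy` volume at the end of the hunk is still a disk-backed `emptyDir: {}`, so the chmod-400 copy of userkey.pem that the init container makes lands on the node's filesystem every six hours; `emptyDir: { medium: Memory }` keeps the private key in tmpfs and drops it with the pod. The init container also runs its copy-and-chmod sequence under `/bin/sh -c` with no `-e`, so its exit status is only that of the final `chmod 400` and a failed copy of usercert.pem would go unnoticed while the main container starts; `command: ["/bin/sh","-ec"]` fails the init container on the first error. With the updater now writing the x509-proxy secret from a Job, `concurrencyPolicy: Forbid` next to `schedule:` under the CronJob `spec:` would stop a slow run and the next scheduled one from racing on the same secret. The `apiVersion`/`kind` lines of this CronJob document are above the hunk, and the same emptyDir and `-e` points apply to the new install-job.yaml in the second patch.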
@@ -0,0 +1,74 @@
+{{- if not .Values.noCerts }}
+
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: x509-secrets-init
+ labels:
+ app: x509-secrets
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "5"
+ "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+ backoffLimit: 3
+ template:
+ metadata:
+ labels:
+ app: x509-secrets
+ spec:
+ serviceAccountName: {{ template "servicex.fullname" . }}
+ restartPolicy: OnFailure
+
+ initContainers:
+ - name: take-data-dir-ownership
+ image: {{ .Values.x509Secrets.initImage }}
+ command: ["/bin/sh","-c"]
+ args:
+ - >
+ cp /etc/grid-certs-ro/usercert.pem /etc/grid-certs;
+ chmod 600 /etc/grid-certs/usercert.pem;
+ cp /etc/grid-certs-ro/userkey.pem /etc/grid-certs;
+ chmod 400 /etc/grid-certs/userkey.pem
+ env:
+ - name: INSTANCE_NAME
+ value: {{ .Release.Name }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+
+ containers:
+ - name: x509-secrets
+ image: {{ .Values.x509Secrets.image }}:{{ .Values.x509Secrets.tag }}
+ command: ["bash","-c"]
+ args: ["python3 x509_updater.py --secret x509-proxy --voms {{ .Values.x509Secrets.vomsOrg }}"]
+ env:
+ - name: MY_POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: MY_POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ tty: true
+ stdin: true
+ imagePullPolicy: {{ .Values.x509Secrets.pullPolicy }}
+ volumeMounts:
+ - name: grid-certs-rw-copy
+ mountPath: /etc/grid-certs/
+ - name: grid-secret
+ mountPath: /etc/grid-certs-ro/
+
+ volumes:
+ - name: grid-secret
+ secret:
+ secretName: grid-certs-secret
+
+ - name: grid-certs-rw-copy
+ emptyDir: {}
+
+{{- end }}
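Review bot: `"helm.sh/hook-delete-policy": hook-succeeded` on the new Job leaves a failed `x509-secrets-init` in place, and because setting the annotation replaces Helm's default `before-hook-creation` behaviour, the next `helm upgrade` will fail to create the hook because a Job with that name already exists; `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded` keeps a failed run visible for debugging until the next release and still removes successful ones. The hook has no `activeDeadlineSeconds`, so a run that hangs blocks `helm install`/`helm upgrade` until Helm's own timeout expires; `tty: true` and `stdin: true` are also carried over from the CronJob although a batch container has nothing to read from a terminal. The pod template is a near-verbatim copy of cronjob.yaml with its comments dropped; moving the shared pod spec into a `define`d named template included from both files would keep the two in step, and the `# Mount the usercert, userkey, and passphrase file...` explanation from the CronJob belongs on the `volumes:` block here as well.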