Commit 18aeda5e authored by Giuseppe Tudisco's avatar Giuseppe Tudisco

argo: install xrootd

parent d5519fc5
+23 −0
---
apiVersion: v1
kind: PersistentVolume
metadata:
  annotations:
    pv.kubernetes.io/provisioned-by: nfs.csi.k8s.io
  name: pv-xrootd
spec:
  capacity:
    storage: 100Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: nfs-csi
  mountOptions:
    - nfsvers=4.2
  csi:
    driver: nfs.csi.k8s.io
    volumeHandle: itsrc.novalocal/pv-xrootd
    volumeAttributes:
      server: itsrc.novalocal
      share: /storage/xrootd
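Review bot: The PersistentVolume has no `spec.claimRef`, so nothing reserves it for the claim added in this commit. That claim sets `volumeName: pv-xrootd`, which steers the claim to this volume but does not stop another `ReadWriteMany` claim of class `nfs-csi` from binding first. Because the reclaim policy is `Retain` and the share holds the exported data, a pre-bound volume is safer: add `claimRef:` with `name: xrootd-pvc` and `namespace: xrootd`, assuming the claim lands in the `xrootd` namespace that the Application in this commit uses as its destination. A short comment above `volumeAttributes` saying who owns the `/storage/xrootd` export, and which hosts the NFS server allows to mount it, would also help the next reader.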
+14 −0
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: xrootd-pvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  volumeName: pv-xrootd
  storageClassName: nfs-csi
+77 −0
# Default values for XRootD.

# Tell Kubernetes to spin up multiple instances.  Defaults to 1.
replicaCount: 1

# XRootD deployment
deployment:
  xrootd:
    image: git.ia2.inaf.it:5050/itsrc/xrootd-deployment:5.9.0
    imagePullPolicy: Always
    
    persistentVolumeClaimName: xrootd-pvc

# XRootD service
service:
  port: 8443

# Ingress
ingress:
  enabled: true
  className: nginx
  hostname: xrootd.itsrc.ext.cineca.it
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls:
  - hosts:
    - xrootd.itsrc.ext.cineca.it
    secretName: xrootd-tls

# Configuration files (mounted on /etx/xrootd/)
config:
  Authfile: |
    # Allow access to /data
    g * /data a

  scitokens.cfg: |
    [Global]
    onmissing = passthrough
    audience = rucio
    
    [Issuer SKA-IAM]
    issuer =  https://ska-iam.stfc.ac.uk/
    base_path = /data
    map_subject = false

  xrootd-http.cfg: |
    # The export directive indicates which paths are to be exported.
    all.export /data
    
    # The adminpath and pidpath variables indicate where the pid and various
    # IPC files should be placed.
    all.adminpath /var/spool/xrootd
    all.pidpath /run/xrootd
    
    # Site name
    all.sitename ITSRC-ADA-RSE
    
    # Load the http protocol, indicate that it should be served on port 8080.
    xrd.protocol XrdHttp:8080 libXrdHttp.so
    
    # Enable Security
    xrootd.seclib libXrdSec.so
    sec.level all compatible
    
    # Authentication and Authorization
    ofs.authorize 1
    ofs.authlib ++ libXrdAccSciTokens.so config=/etc/xrootd/scitokens.cfg
    acc.authdb /etc/xrootd/Authfile
    acc.audit deny
    acc.authrefresh 60
    
    # Pass the bearer token to the authorization framework
    http.header2cgi Authorization authz
    
    # Enable checksum
    xrootd.chksum adler32
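Review bot: In `scitokens.cfg`, `onmissing = passthrough` hands a request that carries no token to the next authorization layer instead of rejecting it. Here that layer is the `Authfile`, whose only rule, `g * /data a`, grants every privilege on `/data`. Whether an anonymous HTTP client matches that group rule depends on how XRootD maps it, which this file does not show, so the safe default is to fail closed with `onmissing = deny`. If a token-less fallback is intended, narrow the Authfile rule to read-only, `g * /data r`. Separately, the comment `# Configuration files (mounted on /etx/xrootd/)` should read `/etc/xrootd/` to match the paths used in `ofs.authlib` and `acc.authdb`.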
+36 −0
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: xrootd
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  sources:
    - repoURL: https://www.ict.inaf.it/gitlab/api/v4/projects/2504/packages/helm/stable
      chart: xrootd
      targetRevision: 0.1.1
      helm:
        valueFiles:
          - $repo/apps/xrootd/values-xrootd.yaml
    - repoURL: https://www.ict.inaf.it/gitlab/itsrc/itsrc-services-cd.git
      path: apps/xrootd
      targetRevision: HEAD
      ref: repo
  destination:
    namespace: xrootd
    server: https://kubernetes.default.svc
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    retry:
      limit: 5
      backoff:
        duration: 10s
        maxDuration: 3m0s
        factor: 2
    syncOptions:
      - CreateNamespace=true
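Review bot: The second source tracks `targetRevision: HEAD` while `syncPolicy.automated` has `prune: true` and `selfHeal: true`, so every push to the default branch of `itsrc-services-cd` is applied to the cluster with no review gate. That path carries the values file, which holds the XRootD authorization config, so an unreviewed commit can change who may access `/data`. Pinning the ref to a reviewed tag or commit, `targetRevision: <tag-or-commit-sha>`, keeps auto-sync but makes promotion an explicit step. `project: default` also places no limit on source repos, destinations or cluster-scoped kinds. A dedicated AppProject, `project: <xrootd-appproject>`, restricted to these two repos and the `xrootd` namespace would contain a compromised or mistaken source; it would also need to allow a PersistentVolume if that manifest is synced through this Application.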