-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathREADME.md.gotmpl
62 lines (42 loc) · 3.07 KB
/
README.md.gotmpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# fusex chart
### Helm Chart for the deployment of the EOS Fusex mount.
-----
{{ template "chart.versionBadge" . }}{{ template "chart.typeBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.requirementsSection" . }}
### What for
This chart provides the ability to run an EOS Fusex mount in a pod.
The EOS mount is exposed on the host via a bind mount so that other containers (or processes running on the host) can access it. The default path on the host is `/eos`.
The chart deploys EOS Fusex clients as a daemonSet that will run on each host of the cluster or on a subset of nodes identified by custom labels.
### Add the eos chart repository
Configure helm by adding the eos chart repository to your repository list
```bash
helm repo add eos https://registry.cern.ch/chartrepo/eos
helm repo update
```
### Install the chart
After having configured the relevant bits (see below), install the chart to deploy the eos fusex mount in your cluster with
```bash
helm upgrade -i fusex eos/fusex -n myproject -f my-eos-configuration.yaml
```
### Basic configuration options
It's necessary to configure the deployment to connect to the correct EOS MGM. You can create a yaml file and pass it to the `helm upgrade` command.
For an example of the configurations available, please have a look at the `values.yaml` file in the chart root directory.
Basic requirements to connect to an existing eos instance are:
- fusex.config.eos\_mgm\_alias: The fully qualified domain name of the MGM of the instance to connect to;
- fusex.config.auth: The authetication method of the client with the MGM. The default is SSS (simple shared secret), which requires providing the instance keytab to the fusex client.
- fusex.keytab: The keytab used by SSS authentication.
### Deploying fusex on a subset of nodes
If the access to EOS is required by only a subset of nodes of your cluster, it is possible to restrict the deployment of the fusex pod to these nodes only.
1. Enable the node selection by setting `podAssignment.enableNodeSelector: true`.
2. Define at least one custom label under `customLabels` in the form of key:value. An example is provided.
3. Label the nodes in your cluster according to the chosen customLabels.
### SSS authentication and keytabs
To use SSS authentication, this must be enabled in the instance configuration and the keytab must be _forwardable_ (i.e., it ends with a '+' sign).
The keytab is passed to the fusex pod as a kubernetes secret. It must be base64-encoded in `values.yaml`.
### Configuring fusex as a trusted gateway
In some cases, it might be required to register the fusex client as a trusted gateway. This must be done on the MGM with the command `eos vid set add gateway <hostname> [krb5|gsi|sss|unix|https|grpc]`.
As kubernetes pods do not use the host network by default, their network identifier as seen by the MGM might unknown and/or change over time. To circumvent this problem, it is recommended to set:
- fusex.hostNetwork: true
- fusex.dnsPolicy: ClusterFirstWithHostNet
{{ template "chart.valuesSection" . }}
{{ template "helm-docs.versionFooter" . }}