-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathmanagedTokens.yml
131 lines (116 loc) · 4.05 KB
/
managedTokens.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
# Global config items
keytabPath: "/opt/managed-tokens/keytabs"
condorCollectorHost: collectorhost.domain
condorScheddConstraint: "my_constraint"
vaultServer: vaultserver.domain
serviceCreddVaultTokenPathRoot: "/var/lib/managed-tokens/service-credd-vault-tokens"
kerberosPrincipalPattern: principal_pattern
dbLocation: "/var/lib/managed-tokens/managed-tokens.db"
errorCountToSendMessage: 3
defaultRoleFileDestinationTemplate: "/tmp/{{.DesiredUID}}_{{.Account}}" # Any field in the worker.Config object is supported here
pingOptions: "--arg1 --arg2 value2" # Options to use with ping
fileCopierOptions: "--perms --chmod=u=r,go=" # Extra options to give to the fileCopier utility - usually rsync
sshOptions: "-o Arg1=val1 -o Arg2=val2" # Options to use with fileCopier to establish the SSH connection
disableNotifications: false # If true, no notifications will be sent
# Optional, and should not be used in production. Defaults to "production", but can be specified here
# or with environment variable MANAGED_TOKENS_DEV_ENVIRONMENT_LABEL
devEnvironmentLabel: development
# Performance/timeouts
timeouts:
globalTimeout: 300s
kerberosTimeout: 20s
vaultStorerTimeout: 60s
pingTimeout: 10s
pushTimeout: 30s
ferryRequestTimeout: 30s
minTokenLifetime: 3d # If our vault token has less than this time left, get a new one
# FERRY config
ferry:
host: ferryhost.domain
port: 8445
caPath: "path/to/certificates"
hostCert: "/path/to/hostcert"
hostKey: "/path/to/hostkey"
serviceExperiment: fermilab
serviceRole:
serviceKerberosPrincipal: "/path/to/service_principal"
serviceKeytabPath: "/path/to/service_kerberos_keytab"
vaultServer: vaultserver.domain
# Email settings
email:
from: admin_email@example.com
smtpHost: localhost
smtpPort: 25
# Logfiles
logs:
refresh-uids-from-ferry:
logfile: "/var/log/managed-tokens/refresh-uids-from-ferry.log"
debugfile: "/var/log/managed-tokens/refresh-uids-from-ferry.debug.log"
token-push:
logfile: "/var/log/managed-tokens/token-push.log"
debugfile: "/var/log/managed-tokens/token-push.debug.log"
# Prometheus settings
prometheus:
host: hostname.domain
jobname: "managed_tokens"
# Loki settings
loki:
host: hostname.domain # Required for loki use
# Tracing settings
tracing:
url: scheme://hostname.domain # Required for tracing use
# Notifications
notifications:
SLACK_ALERTS_URL: https://hooks.slack.com/FILL_IN_URL_HERE
admin_email: admin@example.com
# Same as above, but used in test runs
notifications_test:
SLACK_ALERTS_URL: https://hooks.slack.com/FILL_IN_URL_HERE
admin_email: admin@example.com
# Worker-specific configuration
workerType:
getKerberosTickets:
numRetries: 0
retrySleep: "0s"
storeAndGetToken:
numRetries: 0
retrySleep: "0s"
storeAndGetTokenInteractive:
numRetries: 0
retrySleep: "0s"
pingAggregator:
numRetries: 0
retrySleep: "0s"
pushTokens:
numRetries: 3
retrySleep: "60s"
# Experiment config items
experiments:
dune:
emails: [email1@example.com]
roles:
production:
account: dunepro
destinationNodes: [node1.fnal.gov]
dune-2:
# Example with overrides including experiment override
emails: [email1@example.com]
experimentOverride: dune # Indicates that according to token issuer/storer, this experiment is actually "dune"
roles:
production:
account: dunepro
destinationNodes: [node1.fnal.gov]
keytabPathOverride: "/special/path/to/keytab"
userPrincipalOverride: "dunepro/kerberos/principal@REALM"
desiredUIDOverride: 12345
condorCreddHostOverride: specialcreddhost.domain
condorCollectorHostOverride: specialcollectorhost.domain
defaultRoleFileDestinationTemplateOverride: "/tmp/{{.DesiredUID}}_{{.Account}}" # Any field in the worker.Config object is supported here
disableNotificationsOverride: false # If true, no notifications will be sent for this role
mu2e:
# Minimum required configuration
emails: [email2@example.com]
roles:
production:
account: mu2epro
destinationNodes: [node2.fnal.gov]