From 376da7e2d51db120948d2cd6169e495af69d8848 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 11:47:42 -0400 Subject: [PATCH 01/36] Update to puppetlabs-firewall v8 --- Puppetfile | 2 +- site/profile/manifests/base.pp | 4 ++-- site/profile/manifests/reverse_proxy.pp | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Puppetfile b/Puppetfile index 70ee7e836..2e122eb41 100644 --- a/Puppetfile +++ b/Puppetfile @@ -29,7 +29,7 @@ mod 'puppet-squid', '6.0.0' mod 'puppet-swap_file', '5.0.0' mod 'puppet-systemd', '7.1.0' mod 'puppetlabs-concat', '9.1.0' -mod 'puppetlabs-firewall', '6.0.0' +mod 'puppetlabs-firewall', '8.4.0' mod 'puppetlabs-inifile', '6.1.0' mod 'puppetlabs-lvm', '2.0.2' mod 'puppetlabs-mailalias_core', '1.2.0' diff --git a/site/profile/manifests/base.pp b/site/profile/manifests/base.pp index 9acba24cf..4836e9b08 100644 --- a/site/profile/manifests/base.pp +++ b/site/profile/manifests/base.pp @@ -80,7 +80,7 @@ chain => 'INPUT', proto => 'all', source => profile::getcidr(), - action => 'accept', + jump => 'accept', tag => 'mc_bootstrap', } @@ -88,7 +88,7 @@ chain => 'OUTPUT', proto => 'tcp', destination => '169.254.169.254', - action => 'drop', + jump => 'drop', uid => '! root', tag => 'mc_bootstrap', } diff --git a/site/profile/manifests/reverse_proxy.pp b/site/profile/manifests/reverse_proxy.pp index bd5640356..450906bdf 100644 --- a/site/profile/manifests/reverse_proxy.pp +++ b/site/profile/manifests/reverse_proxy.pp @@ -17,7 +17,7 @@ dport => [80, 443], proto => 'tcp', source => '0.0.0.0/0', - action => 'accept', + jump => 'accept', } yumrepo { 'caddy-copr-repo': From b341eee879f3374f7dbca06c6a6d234f49c85571 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Tue, 16 Jun 2026 14:17:15 -0400 Subject: [PATCH 02/36] Bump treydock-globus --- Puppetfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Puppetfile b/Puppetfile index 2e122eb41..8eba2bcba 100644 --- a/Puppetfile +++ b/Puppetfile @@ -38,7 +38,7 @@ mod 'puppetlabs-mount_core', '2.0.1' mod 'puppetlabs-mysql', '16.3.0' mod 'puppetlabs-stdlib', '9.7.0' mod 'puppetlabs-transition', '2.0.0' -mod 'treydock-globus', '9.0.0' +mod 'treydock-globus', '12.0.0' mod 'saz-limits', '6.0.0' mod 'computecanada-jupyterhub', From a638c2c3852665f52e12c73a58a17770c1261e68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Tue, 16 Jun 2026 14:24:58 -0400 Subject: [PATCH 03/36] Simplify globus install --- site/profile/manifests/globus.pp | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index fc179e41c..9f17a4fc4 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -2,16 +2,6 @@ package { 'wget': ensure => installed, } - - $public_ip = lookup('terraform.self.public_ip') - class { 'globus': - display_name => $globus::display_name, - client_id => $globus::client_id, - client_secret => $globus::client_secret, - contact_email => $globus::contact_email, - ip_address => $public_ip, - organization => $globus::organization, - owner => $globus::owner, - require => Package['wget'], - } + include globus + Package['wget'] -> Class['globus'] } From ded5499775fbbb47d2831d52fd5c24fe56bfc2b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Wed, 17 Jun 2026 21:16:22 -0400 Subject: [PATCH 04/36] Add missing firewall rules to globus profile --- site/profile/manifests/globus.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 9f17a4fc4..214186f03 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp 
@@ -4,4 +4,20 @@ } include globus Package['wget'] -> Class['globus'] + + firewall { '200 globus public': + chain => 'INPUT', + dport => [443], + proto => 'tcp', + source => '0.0.0.0/0', + action => 'accept', + } + + firewall { '201 gridftp': + chain => 'INPUT', + dport => '50000:51000', + proto => 'tcp', + source => '0.0.0.0/0', + action => 'accept', + } } From e1bd0894ee0c6cdd28d816e48b82326f682c6b1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Wed, 17 Jun 2026 21:18:13 -0400 Subject: [PATCH 05/36] Fix --- site/profile/manifests/globus.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 214186f03..10a5bc2f5 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -15,7 +15,7 @@ firewall { '201 gridftp': chain => 'INPUT', - dport => '50000:51000', + dport => '50000-51000', proto => 'tcp', source => '0.0.0.0/0', action => 'accept', From 7c8f2ecdc218a64d948edfe09b61307a93b76f47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Thu, 18 Jun 2026 15:32:36 -0400 Subject: [PATCH 06/36] Switch globus module source --- Puppetfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Puppetfile b/Puppetfile index 8eba2bcba..0b5a56dd3 100644 --- a/Puppetfile +++ b/Puppetfile @@ -38,9 +38,13 @@ mod 'puppetlabs-mount_core', '2.0.1' mod 'puppetlabs-mysql', '16.3.0' mod 'puppetlabs-stdlib', '9.7.0' mod 'puppetlabs-transition', '2.0.0' -mod 'treydock-globus', '12.0.0' +#mod 'treydock-globus', '12.0.0' mod 'saz-limits', '6.0.0' +mod 'treydock-globus', + :git => 'https://github.com/cmd-ntrf/puppet-module-globus.git', + :ref => 'client_id-secret' + mod 'computecanada-jupyterhub', :git => 'https://github.com/ComputeCanada/puppet-jupyterhub.git', :ref => 'v7.4.0' From d513642d759390476c0204e6c806edd31180b19c Mon Sep 17 00:00:00 2001 
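Review bot: Both new rules, `200 globus public` and `201 gridftp`, set `action => 'accept'`, while patch 01 of this series moves to puppetlabs-firewall 8.4.0 and renames that attribute to `jump` in base.pp and reverse_proxy.pp. If the v8 type no longer accepts `action`, as the rename in patch 01 suggests, a Globus node's catalog will fail from this patch until the rules are removed in patch 12, so both lines should read `jump => 'accept',`. Because the rules expose 443 and the 50000-51000 data range to `0.0.0.0/0`, a short comment such as `# world-open on purpose: Globus control and GridFTP data channels` would record that the exposure is intended.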
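Review bot: `:ref => 'client_id-secret'` reads like a branch name on a personal fork, so each deployment resolves whatever that branch points to at the time, and the module's code is applied with root privileges on the nodes. Pinning the fork to an immutable revision, e.g. `:commit => '<full commit SHA>'` (placeholder), keeps the deployed code reviewable and reproducible. The commented-out `#mod 'treydock-globus', '12.0.0'` line would be more useful with a note saying why the fork is needed and what has to land upstream before switching back.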
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Fri, 19 Jun 2026 10:24:52 -0400 Subject: [PATCH 07/36] Add file to create gateway and collection --- site/profile/manifests/globus.pp | 46 +++++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 10a5bc2f5..d8a98abe1 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -1,4 +1,6 @@ -class profile::globus { +class profile::globus ( + Array[String] $domains = ['globus.org'] +) { package { 'wget': ensure => installed, } 
@@ -20,4 +22,46 @@ source => '0.0.0.0/0', action => 'accept', } + + $domain_string = $domains.map|$value| { " --domain ${value}" }.join(' ') + file { '/root/globus-gateway-setup': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + show_diff => false, + content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) \ + globus-connect-server -F json storage-gateway create posix \"${lookup('terraform.data.cluster_name')} \ + gateway\" ${domain_string} > /var/lib/globus-connect-server/gateway.json", + } + + file { '/root/globus-collection-setup': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + show_diff => false, + content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ + globus-connect-server -F json collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) / \ + \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json", + } + + # exec { 'globus-setup-gateway': + # command => 'sh /root/globus-gateway-setup', + # environment => [ + # "GCS_CLI_CLIENT_ID=${globus::client_id}", + # "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", + # ], + # creates => '/var/lib/globus-connect-server/gateway.json', + # require => Exec['globus-endpoint-setup'], + # } + # exec { 'globus-setup-collection': + # command => 'sh /root/globus-collection-setup', + # environment => [ + # "GCS_CLI_CLIENT_ID=${globus::client_id}", + # "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", + # ], + # creates => '/var/lib/globus-connect-server/collection.json', + # require => Exec['globus-gateway-setup'], + # } } From 0574c9303f8c41218b628e33fe1cce0ff404c277 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Fri, 19 Jun 2026 10:27:54 -0400 Subject: [PATCH 08/36] Fix --- site/profile/manifests/globus.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
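Review bot: The two generated scripts interpolate `${lookup('terraform.data.cluster_name')}` and `${domain_string}` into shell text that is later run as root, and neither value is escaped: the cluster name sits inside double quotes, where the shell still performs command substitution, and the `--domain` arguments are not quoted at all. Escaping at the point of interpolation makes the scripts safe for any data value, e.g. build the list with `$domains.map |$value| { "--domain ${stdlib::shell_escape($value)}" }.join(' ')` and pass the cluster name through the same function. The same pattern recurs in later patches for `terraform.self.public_ip` and `$collection_path` (where `Stdlib::Absolutepath` would be a tighter type than `String[1]`) and in the EPP templates of patch 27. The `$(jq ...)` substitutions are unquoted as well, so an empty or malformed info.json or gateway.json produces a command line with a missing argument instead of a clear failure.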
diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index d8a98abe1..cf2b51bc1 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -32,7 +32,7 @@ show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) \ globus-connect-server -F json storage-gateway create posix \"${lookup('terraform.data.cluster_name')} \ - gateway\" ${domain_string} > /var/lib/globus-connect-server/gateway.json", + gateway\" ${domain_string} > /var/lib/globus-connect-server/gateway.json\n", } file { '/root/globus-collection-setup': @@ -43,7 +43,7 @@ show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ globus-connect-server -F json collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) / \ - \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json", + \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } # exec { 'globus-setup-gateway': From 39af1bae886af004b864aa40e16c7cbf8b6000aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 11:37:32 -0400 Subject: [PATCH 09/36] Uncomment endpoint exec --- site/profile/manifests/globus.pp | 37 ++++++++++++++++---------------- 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index cf2b51bc1..ab99b290c 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp 
@@ -46,22 +46,23 @@ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } - # exec { 'globus-setup-gateway': - # command => 'sh /root/globus-gateway-setup', - # environment => [ - # "GCS_CLI_CLIENT_ID=${globus::client_id}", - # "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", - # ], - # creates => '/var/lib/globus-connect-server/gateway.json', - # require => Exec['globus-endpoint-setup'], - # } - # exec { 'globus-setup-collection': - # command => 'sh /root/globus-collection-setup', - # environment => [ - # "GCS_CLI_CLIENT_ID=${globus::client_id}", - # "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", - # ], - # creates => '/var/lib/globus-connect-server/collection.json', - # require => Exec['globus-gateway-setup'], - # } + exec { 'globus-setup-gateway': + command => '/bin/sh /root/globus-gateway-setup', + environment => [ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", + ], + creates => '/var/lib/globus-connect-server/gateway.json', + require => Exec['globus-endpoint-setup'], + } + + exec { 'globus-setup-collection': + command => '/bin/sh /root/globus-collection-setup', + environment => [ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", + ], + creates => '/var/lib/globus-connect-server/collection.json', + require => Exec['globus-gateway-setup'], + } } From 5f01b54371090d25bf6efce5ef5f2def06ef4ba1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 11:58:15 -0400 Subject: [PATCH 10/36] Bump treydock/globus to v12.1.0 --- Puppetfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/Puppetfile b/Puppetfile index 0b5a56dd3..825c2b43d 100644 --- a/Puppetfile +++ b/Puppetfile 
@@ -38,13 +38,9 @@ mod 'puppetlabs-mount_core', '2.0.1' mod 'puppetlabs-mysql', '16.3.0' mod 'puppetlabs-stdlib', '9.7.0' mod 'puppetlabs-transition', '2.0.0' -#mod 'treydock-globus', '12.0.0' +mod 'treydock-globus', '12.1.0' mod 'saz-limits', '6.0.0' -mod 'treydock-globus', - :git => 'https://github.com/cmd-ntrf/puppet-module-globus.git', - :ref => 'client_id-secret' - mod 'computecanada-jupyterhub', :git => 'https://github.com/ComputeCanada/puppet-jupyterhub.git', :ref => 'v7.4.0' From fc7f88ecdc4e6fdc3fa9f8804a8a36f0e68674fc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 11:58:31 -0400 Subject: [PATCH 11/36] Update globus common params --- data/common.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/data/common.yaml b/data/common.yaml index 7dd3a7797..fcb81d58e 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -369,3 +369,7 @@ metrix::subdomain: 'metrix' metrix::slurm_jobscripts::api_url: "http://%{lookup('terraform.tag_ip.mgmt.0')}:9000" metrix::slurm_jobscripts::token: "%{alias('metrix::root_api_token')}" + +globus::advertised_owner: false +globus::managed_firewall: true + From 2b5875f03828ec17a8f89a8358e3f8af7a35ca08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 11:59:57 -0400 Subject: [PATCH 12/36] Fix --- site/profile/manifests/globus.pp | 32 ++++++++------------------------ 1 file changed, 8 insertions(+), 24 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index ab99b290c..ee4df5b87 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp 
@@ -7,22 +7,6 @@ include globus Package['wget'] -> Class['globus'] - firewall { '200 globus public': - chain => 'INPUT', - dport => [443], - proto => 'tcp', - source => '0.0.0.0/0', - action => 'accept', - } - - firewall { '201 gridftp': - chain => 'INPUT', - dport => '50000-51000', - proto => 'tcp', - source => '0.0.0.0/0', - action => 'accept', - } - $domain_string = $domains.map|$value| { " --domain ${value}" }.join(' ') file { '/root/globus-gateway-setup': ensure => 'file', @@ -48,20 +32,20 @@ exec { 'globus-setup-gateway': command => '/bin/sh /root/globus-gateway-setup', - environment => [ - "GCS_CLI_CLIENT_ID=${globus::client_id}", - "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", - ], + environment => Sensitive([ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", + ]), creates => '/var/lib/globus-connect-server/gateway.json', require => Exec['globus-endpoint-setup'], } exec { 'globus-setup-collection': command => '/bin/sh /root/globus-collection-setup', - environment => [ - "GCS_CLI_CLIENT_ID=${globus::client_id}", - "GCS_CLI_CLIENT_SECRET=${globus::client_secret}", - ], + environment => Sensitive([ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", + ]), creates => '/var/lib/globus-connect-server/collection.json', require => Exec['globus-gateway-setup'], } From 4b4965f0d89555761f3585ca5ff562f3b507b235 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 12:28:40 -0400 Subject: [PATCH 13/36] Fix --- data/common.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/data/common.yaml b/data/common.yaml index fcb81d58e..2be9d80f7 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -373,3 +373,6 @@ metrix::slurm_jobscripts::token: "%{alias('metrix::root_api_token')}" globus::advertised_owner: false globus::managed_firewall: true +lookup_options: + globus::client_secret: + convert_to: "Sensitive" 
From c8cc1da97ad079ad9ac83dfda35a93c30eda4cd7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 12:31:40 -0400 Subject: [PATCH 14/36] Fix resource names --- site/profile/manifests/globus.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index ee4df5b87..e9f1c672b 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -30,7 +30,7 @@ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } - exec { 'globus-setup-gateway': + exec { 'globus-gateway-setup': command => '/bin/sh /root/globus-gateway-setup', environment => Sensitive([ "GCS_CLI_CLIENT_ID=${globus::client_id}", @@ -40,7 +40,7 @@ require => Exec['globus-endpoint-setup'], } - exec { 'globus-setup-collection': + exec { 'globus-collection-setup': command => '/bin/sh /root/globus-collection-setup', environment => Sensitive([ "GCS_CLI_CLIENT_ID=${globus::client_id}", From 9d2ed831a7ae0036f8cdc731061937667e959216 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 13:18:03 -0400 Subject: [PATCH 15/36] Use explicit ip address when creating gateway --- site/profile/manifests/globus.pp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index e9f1c672b..099c98db4 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp 
@@ -15,7 +15,9 @@ mode => '0700', show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) \ - globus-connect-server -F json storage-gateway create posix \"${lookup('terraform.data.cluster_name')} \ + globus-connect-server -F json storage-gateway create \ + --use-explicit-host ${lookup('terraform.self.public_ip')} \ + posix \"${lookup('terraform.data.cluster_name')} \ gateway\" ${domain_string} > /var/lib/globus-connect-server/gateway.json\n", } From 6f1a739e922e344e73088511193253f094bc3c3f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 13:28:11 -0400 Subject: [PATCH 16/36] Fix test for running gateway and collection --- site/profile/manifests/globus.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 099c98db4..8e4a84c0a 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -38,7 +38,7 @@ "GCS_CLI_CLIENT_ID=${globus::client_id}", "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ]), - creates => '/var/lib/globus-connect-server/gateway.json', + unless => 'test -s /var/lib/globus-connect-server/gateway.json', require => Exec['globus-endpoint-setup'], } @@ -48,7 +48,7 @@ "GCS_CLI_CLIENT_ID=${globus::client_id}", "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ]), - creates => '/var/lib/globus-connect-server/collection.json', + unless => 'test -s /var/lib/globus-connect-server/collection.json', require => Exec['globus-gateway-setup'], } } From a3c60abffc487b5825aeaaf26e0fb6cbb146f233 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 13:31:34 -0400 Subject: [PATCH 17/36] Fix --- site/profile/manifests/globus.pp | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 8e4a84c0a..ae411f57c 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -34,20 +34,20 @@ exec { 'globus-gateway-setup': command => '/bin/sh /root/globus-gateway-setup', - environment => Sensitive([ - "GCS_CLI_CLIENT_ID=${globus::client_id}", - "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", - ]), + environment => [ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", + ], unless => 'test -s /var/lib/globus-connect-server/gateway.json', require => Exec['globus-endpoint-setup'], } exec { 'globus-collection-setup': command => '/bin/sh /root/globus-collection-setup', - environment => Sensitive([ - "GCS_CLI_CLIENT_ID=${globus::client_id}", - "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", - ]), + environment => [ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", + ], unless => 'test -s /var/lib/globus-connect-server/collection.json', require => Exec['globus-gateway-setup'], } From 12673c8720a9f4100c7c2c52b3f38efc3c874f1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 13:32:37 -0400 Subject: [PATCH 18/36] Fix --- site/profile/manifests/globus.pp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index ae411f57c..223a80c75 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -38,7 +38,7 @@ "GCS_CLI_CLIENT_ID=${globus::client_id}", "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ], - unless => 'test -s /var/lib/globus-connect-server/gateway.json', + unless => '/bin/test -s /var/lib/globus-connect-server/gateway.json', require => Exec['globus-endpoint-setup'], } 
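Review bot: Removing the `Sensitive([...])` wrapper while keeping `${globus::client_secret.unwrap}` turns the client secret back into an ordinary string in the `environment` attribute of both `globus-gateway-setup` and `globus-collection-setup`, so it loses the redaction Puppet applies to Sensitive parameters. If the wrapper was dropped because the exec type rejected it in the Puppet version in use, say so next to the attribute, for example `# environment cannot be Sensitive here (<reason>); the secret is unredacted in this resource`. An alternative that keeps the redaction is a root-owned `0600` file with Sensitive `content` that the setup scripts read, leaving only the client id in `environment`.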
@@ -48,7 +48,7 @@ "GCS_CLI_CLIENT_ID=${globus::client_id}", "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ], - unless => 'test -s /var/lib/globus-connect-server/collection.json', + unless => '/bin/test -s /var/lib/globus-connect-server/collection.json', require => Exec['globus-gateway-setup'], } } From c3c422d4b0d7b12505cefd8915caf6f252be7bdd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 14:04:55 -0400 Subject: [PATCH 19/36] Mount nfs volumes under /nfs first then mount bind Allow globus to provide access to only /nfs --- site/profile/manifests/globus.pp | 2 +- site/profile/manifests/nfs.pp | 19 ++++++++++++------- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 223a80c75..16eb058f5 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -28,7 +28,7 @@ mode => '0700', show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ - globus-connect-server -F json collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) / \ + globus-connect-server -F json collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) /nfs \ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } diff --git a/site/profile/manifests/nfs.pp b/site/profile/manifests/nfs.pp index b785a66f5..40bbea71f 100644 --- a/site/profile/manifests/nfs.pp +++ b/site/profile/manifests/nfs.pp 
@@ -70,14 +70,8 @@ $options_nfsv4 = join([$nfs_options, $mount_options], ',') $shares_to_mount.each | String $share_name_raw | { - # If the instance has a volume mounted under the same name as the nfs share, - # we mount the nfs share under /nfs/${share_name}. $share_name = regsubst($share_name_raw, '^/|/$', '', 'G') - if $self_volumes.any |$tag, $volume_hash| { $share_name in $volume_hash } { - $mount_point = "/nfs/${share_name}" - } else { - $mount_point = "/${share_name}" - } + $mount_point = "/nfs/${share_name}" nfs::client::mount { $mount_point: ensure => present, server => $server, @@ -85,6 +79,17 @@ options_nfsv4 => $options_nfsv4, notify => Systemd::Daemon_reload['nfs-client'], } + # If the instance has a volume mounted under the same name as the nfs share, + # we only mount the nfs share under /nfs/${share_name}. Otherwise, we create + # a mount bind to /${share_name}. + if ! $self_volumes.any |$tag, $volume_hash| { $share_name in $volume_hash } { + mount { "/${share_name}": + ensure => mounted, + device => $mount_point, + fstype => none, + options => 'rw,bind', + } + } } } From d4a9e89a15c359a0838c4a2cbf07ecb890fdddaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 14:21:25 -0400 Subject: [PATCH 20/36] Fix --- site/profile/manifests/globus.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 16eb058f5..e06e6640e 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp 
@@ -28,7 +28,8 @@ mode => '0700', show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ - globus-connect-server -F json collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) /nfs \ + globus-connect-server -F json --use-explicit-host ${lookup('terraform.self.public_ip')} \ + collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) /nfs \ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } From 55759079a9896738d1ddf7ff75a711792a1cfc6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 14:41:45 -0400 Subject: [PATCH 21/36] Fix --- site/profile/manifests/globus.pp | 3 ++- site/profile/manifests/nfs.pp | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index e06e6640e..c6dc10666 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -1,4 +1,5 @@ class profile::globus ( + String[1] $collection_path = '/nfs', Array[String] $domains = ['globus.org'] ) { package { 'wget': @@ -29,7 +30,7 @@ show_diff => false, content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ globus-connect-server -F json --use-explicit-host ${lookup('terraform.self.public_ip')} \ - collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) /nfs \ + collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) ${collection_path} \ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } diff --git a/site/profile/manifests/nfs.pp b/site/profile/manifests/nfs.pp index 40bbea71f..5d6530985 100644 --- a/site/profile/manifests/nfs.pp +++ b/site/profile/manifests/nfs.pp 
@@ -87,7 +87,7 @@ ensure => mounted, device => $mount_point, fstype => none, - options => 'rw,bind', + options => 'bind,x-systemd.automount', } } } From 8afd7805d29a384872cd7306ffc850d758b047fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 15:42:40 -0400 Subject: [PATCH 22/36] Fix --- data/common.yaml | 3 +++ site/profile/manifests/nfs.pp | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/data/common.yaml b/data/common.yaml index 2be9d80f7..038598de5 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -370,8 +370,11 @@ metrix::subdomain: 'metrix' metrix::slurm_jobscripts::api_url: "http://%{lookup('terraform.tag_ip.mgmt.0')}:9000" metrix::slurm_jobscripts::token: "%{alias('metrix::root_api_token')}" +globus::display_name: "%{lookup('terraform.data.domain_name')} endpoint" globus::advertised_owner: false globus::managed_firewall: true +globus::ip_address: "%{lookup('terraform.self.public_ip')}" +globus::owner: "%{lookup('globus::client_id')}@clients.auth.globus.org" lookup_options: globus::client_secret: diff --git a/site/profile/manifests/nfs.pp b/site/profile/manifests/nfs.pp index 5d6530985..ccd8546d2 100644 --- a/site/profile/manifests/nfs.pp +++ b/site/profile/manifests/nfs.pp @@ -83,11 +83,16 @@ # we only mount the nfs share under /nfs/${share_name}. Otherwise, we create # a mount bind to /${share_name}. if ! $self_volumes.any |$tag, $volume_hash| { $share_name in $volume_hash } { + ensure_resource('file', "/${share_name}", { 'ensure' => 'directory' }) mount { "/${share_name}": ensure => mounted, device => $mount_point, fstype => none, options => 'bind,x-systemd.automount', + require => [ + File["/${share_name}"], + Nfs::Client::Mount[$mount_point], + ] } } } From 6558d583bf2af90b67e4fed5e55af09ebf2e7f97 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 15:54:04 -0400 Subject: [PATCH 23/36] Make sure firewall rules are defined before globus exec --- site/profile/manifests/globus.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index c6dc10666..b1b31524f 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -53,4 +53,5 @@ unless => '/bin/test -s /var/lib/globus-connect-server/collection.json', require => Exec['globus-gateway-setup'], } + Firewall <| |> -> Exec['globus-endpoint-setup'] } From 6c0dde253fa636b1065b25da6e7d86d17d52e7ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 22 Jun 2026 16:06:51 -0400 Subject: [PATCH 24/36] Set collection default directory to $USER --- site/profile/manifests/globus.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index b1b31524f..0b9eb1e86 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -31,6 +31,7 @@ content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ globus-connect-server -F json --use-explicit-host ${lookup('terraform.self.public_ip')} \ collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) ${collection_path} \ + --default-directory '\$USER' \ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } From e616fc1a65b355689b13615c64111562832d3206 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Tue, 23 Jun 2026 11:02:33 -0400 Subject: [PATCH 25/36] Make sure everything is mounted before creation a globus collection --- site/profile/manifests/globus.pp | 1 + 1 file changed, 1 insertion(+) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 0b9eb1e86..6830e9757 100644 
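Review bot: `Firewall <| |> -> Exec['globus-endpoint-setup']` uses a collector with an empty search, which orders the exec after every firewall rule and also realizes every virtual `firewall` resource in the catalog, so a rule declared virtual elsewhere would become active on a Globus node. This hunk does not show whether the codebase declares virtual firewall rules; if it does, narrow the collector (for instance by tag) or order against the class that owns the Globus rules. The same applies to `Mount <| |> -> Exec['globus-collection-setup']` added in patch 25. Either way, a comment such as `# endpoint setup needs the Globus ports open first; <| |> also realizes virtual rules` above the chain would make the intent and the side effect visible.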
--- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -55,4 +55,5 @@ require => Exec['globus-gateway-setup'], } Firewall <| |> -> Exec['globus-endpoint-setup'] + Mount <| |> -> Exec['globus-collection-setup'] } From 4ecd7f237bde56a2c89a4713abbda933fdc04211 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Tue, 23 Jun 2026 11:06:50 -0400 Subject: [PATCH 26/36] Fix --- site/profile/manifests/globus.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 6830e9757..1d177a7cb 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -31,7 +31,7 @@ content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ globus-connect-server -F json --use-explicit-host ${lookup('terraform.self.public_ip')} \ collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) ${collection_path} \ - --default-directory '\$USER' \ + --default-directory '/home/\$USER' \ \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", } From 0f59c3ff91e4dd9e05b89daa6918bd7422eb1e24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 11:09:40 -0400 Subject: [PATCH 27/36] Start oidc setup --- site/profile/manifests/globus.pp | 82 ++++++++++++++++--- .../globus/globus-collection-setup.epp | 4 + .../templates/globus/globus-gateway-setup.epp | 5 ++ .../templates/globus/globus-oidc-setup.epp | 4 + site/profile/templates/globus/login.mako.epp | 57 +++++++++++++ 5 files changed, 139 insertions(+), 13 deletions(-) create mode 100644 site/profile/templates/globus/globus-collection-setup.epp create mode 100644 site/profile/templates/globus/globus-gateway-setup.epp create mode 100644 site/profile/templates/globus/globus-oidc-setup.epp create mode 100644 site/profile/templates/globus/login.mako.epp 
diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 1d177a7cb..9cd62746f 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -1,6 +1,7 @@ class profile::globus ( String[1] $collection_path = '/nfs', - Array[String] $domains = ['globus.org'] + Array[String] $domains = ['globus.org'], + Enum['running', 'stopped'] $ensure_oidc = 'stopped', ) { package { 'wget': ensure => installed, @@ -15,11 +16,14 @@ group => 'root', mode => '0700', show_diff => false, - content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) \ - globus-connect-server -F json storage-gateway create \ - --use-explicit-host ${lookup('terraform.self.public_ip')} \ - posix \"${lookup('terraform.data.cluster_name')} \ - gateway\" ${domain_string} > /var/lib/globus-connect-server/gateway.json\n", + content => epp( + 'globus/globus-gateway-setup', + { + 'public_ip' => lookup('terraform.self.public_ip'), + 'cluster_name' => lookup('terraform.data.cluster_name'), + 'domain_string' => $domain_string, + } + ), } file { '/root/globus-collection-setup': 
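Review bot: `epp('globus/globus-gateway-setup', ...)` names the module `globus` and a file without extension, but this patch creates the template at site/profile/templates/globus/globus-gateway-setup.epp, which belongs to the `profile` module. Unless the `globus` module happens to ship a template with that exact name, the lookup fails at compile time; the reference should be `epp('profile/globus/globus-gateway-setup.epp', ...)`. The same applies to `globus/globus-collection-setup` and `globus/globus-oidc-setup` in the following hunks. The templates would also benefit from an EPP parameter tag declaring `$public_ip`, `$cluster_name` and the other inputs with types, so a missing or misspelled key is caught when the catalog is compiled rather than producing a broken root script.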
@@ -28,11 +32,33 @@ group => 'root', mode => '0700', show_diff => false, - content => "GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json)\ - globus-connect-server -F json --use-explicit-host ${lookup('terraform.self.public_ip')} \ - collection create $(jq -r .id /var/lib/globus-connect-server/gateway.json) ${collection_path} \ - --default-directory '/home/\$USER' \ - \"${lookup('terraform.data.cluster_name')} collection\" > /var/lib/globus-connect-server/collection.json\n", + content => epp( + 'globus/globus-collection-setup', + { + 'public_ip' => lookup('terraform.self.public_ip'), + 'cluster_name' => lookup('terraform.data.cluster_name'), + 'collection_path' => $collection_path, + } + ), + } + + $domain_name = lookup('terraform.data.domain_name') + file { '/root/globus-oidc-setup': + ensure => 'file', + owner => 'root', + group => 'root', + mode => '0700', + show_diff => false, + content => epp( + 'globus/globus-oidc-setup', + { + 'domain_name' => $domain_name, + } + ), + } + + if $ensure_oidc == 'stopped' and length($domains) == 0 { + fail('Globus requires at least one authentication domain or ensure OIDC server is running (profile::globus::ensure_oidc: running)') } exec { 'globus-gateway-setup': @@ -42,7 +68,10 @@ "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ], unless => '/bin/test -s /var/lib/globus-connect-server/gateway.json', - require => Exec['globus-endpoint-setup'], + require => [ + Exec['globus-endpoint-setup'], + File['/root/globus-gateway-setup'], + ], } exec { 'globus-collection-setup': 
@@ -52,8 +81,35 @@ "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", ], unless => '/bin/test -s /var/lib/globus-connect-server/collection.json', - require => Exec['globus-gateway-setup'], + require => [ + Exec['globus-gateway-setup'], + File['/root/globus-collection-setup'], + ], + } + + if $ensure_oidc == 'running' { + exec { 'globus-oidc-setup': + command => '/bin/sh /root/globus-oidc-setup', + environment => [ + "GCS_CLI_CLIENT_ID=${globus::client_id}", + "GCS_CLI_CLIENT_SECRET=${globus::client_secret.unwrap}", + ], + unless => '/bin/test -s /var/lib/globus-connect-server/oidc.json', + require => [ + Exec['globus-endpoint-setup'], + File['/root/globus-oidc-setup'], + ], + before => Exec['globus-gateway-setup'], + } } + + # globus-connect-server storage-gateway update posix 7fd7da12-414a-41f8-8d07-5942c88d9cf8 --domain identity.1f30f9.eb38.gaccess.io Firewall <| |> -> Exec['globus-endpoint-setup'] Mount <| |> -> Exec['globus-collection-setup'] + + service { 'globus-oidc': + ensure => $ensure_oidc, + enable => $ensure_oidc == 'running', + require => Exec['globus-oidc-setup'], + } } diff --git a/site/profile/templates/globus/globus-collection-setup.epp b/site/profile/templates/globus/globus-collection-setup.epp new file mode 100644 index 000000000..5070c701c --- /dev/null +++ b/site/profile/templates/globus/globus-collection-setup.epp @@ -0,0 +1,4 @@ +#!/bin/sh +GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) +GATEWAY_ID=$(jq -r .id /var/lib/globus-connect-server/gateway.json) +globus-connect-server -F json --use-explicit-host <%= $public_ip %> collection create ${GATEWAY_ID} <%= $collection_path %> --default-directory '/home/$USER' "<%= $cluster_name %> collection" > /var/lib/globus-connect-server/collection.json diff --git a/site/profile/templates/globus/globus-gateway-setup.epp b/site/profile/templates/globus/globus-gateway-setup.epp new file mode 100644 index 000000000..0c880941b --- /dev/null 
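Review bot: The new `globus-oidc-setup` exec interpolates `${globus::client_secret.unwrap}` into a plain `GCS_CLI_CLIENT_SECRET=...` string, so from that point the value is an ordinary string and Puppet cannot redact it if the resource's `environment` is printed in a log or report. The `globus-gateway-setup` and `globus-collection-setup` execs visible as context use the same pattern. If the Puppet version in use accepts a Sensitive value for `environment`, wrapping the whole attribute, `environment => Sensitive([...])`, keeps redaction; otherwise the script could read the secret from a root-only file. The added comment line with a concrete gateway UUID and an `identity.*` domain looks like a leftover from manual testing and is better dropped. The enclosing `class profile::globus` starts outside this hunk.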
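Review bot: `<%= $collection_path %>` and `${GATEWAY_ID}` are emitted unquoted, and `<%= $cluster_name %>` lands inside double quotes, in a script installed root-owned with mode 0700 under /root, so whitespace or a shell metacharacter in the Hiera- or Terraform-supplied values changes the command that runs. The same applies to `<%= $domain_string %>` in globus-gateway-setup.epp and to `domain_name=<%= $domain_name %>` in globus-oidc-setup.epp. I would constrain the values in the manifest, for example `Pattern[/\A\/[\w\/.-]+\z/] $collection_path` instead of `String[1]`, and quote every expansion, e.g. `collection create "${GATEWAY_ID}" '<%= $collection_path %>'`. The script also has no `set -e`, so a failed `jq` leaves `GCS_CLI_ENDPOINT_ID` or `GATEWAY_ID` empty and the create command still runs and truncates `collection.json`.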
+++ b/site/profile/templates/globus/globus-gateway-setup.epp @@ -0,0 +1,5 @@ +#!/bin/sh +GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) +OIDC_DOMAIN=$(test -f /var/lib/globus-connect-server/oidc.json && jq -r '.auth_client.domain // ""' /var/lib/globus-connect-server/oidc.json) +OIDC_DOMAIN=${OIDC_DOMAIN:+--domain ${OIDC_DOMAIN}} +globus-connect-server -F json storage-gateway create --use-explicit-host <%= $public_ip %> posix "<%= $cluster_name %> gateway" <%= $domain_string %> ${OIDC_DOMAIN} > /var/lib/globus-connect-server/gateway.json diff --git a/site/profile/templates/globus/globus-oidc-setup.epp b/site/profile/templates/globus/globus-oidc-setup.epp new file mode 100644 index 000000000..3948b9ab0 --- /dev/null +++ b/site/profile/templates/globus/globus-oidc-setup.epp @@ -0,0 +1,4 @@ +#!/bin/sh +GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) +domain_name=<%= $domain_name %> +globus-connect-server -F json oidc create --display-name "${domain_name}" --quickstart-server-name identity --support-contact "${domain_name} admin" --support-email "admin@${domain_name}" > /var/lib/globus-connect-server/oidc.json diff --git a/site/profile/templates/globus/login.mako.epp b/site/profile/templates/globus/login.mako.epp new file mode 100644 index 000000000..cc608b181 --- /dev/null +++ b/site/profile/templates/globus/login.mako.epp @@ -0,0 +1,57 @@ + + + + + + + ${display_name} + + + + + +
+

Log In

+
+
+ + + +

Enter your credentials for ${display_name}

+ +
+
+ + +
+
+ + +
+ +
+ + + + + + + +
+ +
+ + + +
+
+ + + From a9da21679810ac3e837f59e2e16e7af0896d4597 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 11:50:57 -0400 Subject: [PATCH 28/36] Fix --- site/profile/manifests/globus.pp | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index 9cd62746f..f96b5e243 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -107,9 +107,9 @@ Firewall <| |> -> Exec['globus-endpoint-setup'] Mount <| |> -> Exec['globus-collection-setup'] - service { 'globus-oidc': - ensure => $ensure_oidc, - enable => $ensure_oidc == 'running', - require => Exec['globus-oidc-setup'], - } + # service { 'globus-oidc': + # ensure => $ensure_oidc, + # enable => $ensure_oidc == 'running', + # require => Exec['globus-oidc-setup'], + # } } From d672d154a01c1c9f4a9b6f37c5b8dedca7d0706b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 11:55:35 -0400 Subject: [PATCH 29/36] Add oidc template --- site/profile/manifests/globus.pp | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index f96b5e243..eeee62c91 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -101,6 +101,14 @@ ], before => Exec['globus-gateway-setup'], } + file { '/var/lib/globusoidc/globus-oidc/site/login.mako': + ensure => file, + content => epp('globus/login.mako', {}), + mode => '0544', + owner => 'globusoidc', + group => 'globusoidc', + require => Exec['globus-oidc-setup'], + } } # globus-connect-server storage-gateway update posix 7fd7da12-414a-41f8-8d07-5942c88d9cf8 --domain identity.1f30f9.eb38.gaccess.io From 248a14f05a5d5b44551b804312e404b956ae844c Mon Sep 17 00:00:00 2001 
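Review bot: `mode => '0544'` on `/var/lib/globusoidc/globus-oidc/site/login.mako` sets the owner execute bit on a page template, which nothing in this hunk needs; `mode => '0444'` would be the least-privilege value. The file is also owned by `globusoidc`, presumably the account the OIDC server runs as, so that account can chmod and rewrite its own login page. If the server only needs to read the template, `owner => 'root'` with `group => 'globusoidc'` and `mode => '0440'` would prevent that. The resource sits inside the `if $ensure_oidc == 'running'` block, which starts outside the hunk.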
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 14:27:45 -0400 Subject: [PATCH 30/36] Fix --- site/profile/manifests/globus.pp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/site/profile/manifests/globus.pp b/site/profile/manifests/globus.pp index eeee62c91..b84dce139 100644 --- a/site/profile/manifests/globus.pp +++ b/site/profile/manifests/globus.pp @@ -17,7 +17,7 @@ mode => '0700', show_diff => false, content => epp( - 'globus/globus-gateway-setup', + 'profile/globus/globus-gateway-setup', { 'public_ip' => lookup('terraform.self.public_ip'), 'cluster_name' => lookup('terraform.data.cluster_name'), @@ -33,7 +33,7 @@ mode => '0700', show_diff => false, content => epp( - 'globus/globus-collection-setup', + 'profile/globus/globus-collection-setup', { 'public_ip' => lookup('terraform.self.public_ip'), 'cluster_name' => lookup('terraform.data.cluster_name'), @@ -50,7 +50,7 @@ mode => '0700', show_diff => false, content => epp( - 'globus/globus-oidc-setup', + 'profile/globus/globus-oidc-setup', { 'domain_name' => $domain_name, } @@ -103,7 +103,7 @@ } file { '/var/lib/globusoidc/globus-oidc/site/login.mako': ensure => file, - content => epp('globus/login.mako', {}), + content => epp('profile/globus/login.mako', {}), mode => '0544', owner => 'globusoidc', group => 'globusoidc', From f956b18f668d84f684a49145208ffbbaca54b0c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 14:39:55 -0400 Subject: [PATCH 31/36] Fix --- site/profile/templates/globus/globus-oidc-setup.epp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profile/templates/globus/globus-oidc-setup.epp b/site/profile/templates/globus/globus-oidc-setup.epp index 3948b9ab0..f0c5105cb 100644 --- a/site/profile/templates/globus/globus-oidc-setup.epp +++ b/site/profile/templates/globus/globus-oidc-setup.epp 
@@ -1,4 +1,6 @@ #!/bin/sh +set -e GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) domain_name=<%= $domain_name %> -globus-connect-server -F json oidc create --display-name "${domain_name}" --quickstart-server-name identity --support-contact "${domain_name} admin" --support-email "admin@${domain_name}" > /var/lib/globus-connect-server/oidc.json +globus-connect-server -F json oidc create --display-name "${domain_name}" --quickstart-server-name identity --support-contact "${domain_name} admin" --support-email "admin@${domain_name}" +globus-connect-server oidc show | tail -n+2 > /var/lib/globus-connect-server/oidc.json From b34163252634584682a1bfc472ccbbca7e1d4a82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 14:42:40 -0400 Subject: [PATCH 32/36] Fix --- site/profile/templates/globus/globus-gateway-setup.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/templates/globus/globus-gateway-setup.epp b/site/profile/templates/globus/globus-gateway-setup.epp index 0c880941b..43d5ebd5b 100644 --- a/site/profile/templates/globus/globus-gateway-setup.epp +++ b/site/profile/templates/globus/globus-gateway-setup.epp @@ -1,5 +1,5 @@ #!/bin/sh -GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) +export GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) OIDC_DOMAIN=$(test -f /var/lib/globus-connect-server/oidc.json && jq -r '.auth_client.domain // ""' /var/lib/globus-connect-server/oidc.json) OIDC_DOMAIN=${OIDC_DOMAIN:+--domain ${OIDC_DOMAIN}} globus-connect-server -F json storage-gateway create --use-explicit-host <%= $public_ip %> posix "<%= $cluster_name %> gateway" <%= $domain_string %> ${OIDC_DOMAIN} > /var/lib/globus-connect-server/gateway.json From b434e6cb79b165f126ba772c3b9cec19fab5fe8d Mon Sep 17 00:00:00 2001 
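Review bot: The added `set -e` does not cover the left side of `globus-connect-server oidc show | tail -n+2 > /var/lib/globus-connect-server/oidc.json`: the pipeline's exit status is `tail`'s, and the redirect creates the file before either command has run. If `oidc show` fails but still prints more than one line, `oidc.json` ends up non-empty and the exec's `unless => '/bin/test -s ...'` guard would treat the setup as done. Capturing the output first and renaming only on success avoids that, e.g. `globus-connect-server oidc show > "$tmp"` followed by `tail -n+2 "$tmp" > oidc.json.new && mv oidc.json.new oidc.json` (paths abbreviated here). The context line `domain_name=<%= $domain_name %>` is still an unquoted assignment.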
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 14:44:15 -0400 Subject: [PATCH 33/36] Fix --- site/profile/templates/globus/globus-collection-setup.epp | 2 +- site/profile/templates/globus/globus-oidc-setup.epp | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/site/profile/templates/globus/globus-collection-setup.epp b/site/profile/templates/globus/globus-collection-setup.epp index 5070c701c..c1ab97215 100644 --- a/site/profile/templates/globus/globus-collection-setup.epp +++ b/site/profile/templates/globus/globus-collection-setup.epp @@ -1,4 +1,4 @@ #!/bin/sh -GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) +export GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) GATEWAY_ID=$(jq -r .id /var/lib/globus-connect-server/gateway.json) globus-connect-server -F json --use-explicit-host <%= $public_ip %> collection create ${GATEWAY_ID} <%= $collection_path %> --default-directory '/home/$USER' "<%= $cluster_name %> collection" > /var/lib/globus-connect-server/collection.json diff --git a/site/profile/templates/globus/globus-oidc-setup.epp b/site/profile/templates/globus/globus-oidc-setup.epp index f0c5105cb..86a302981 100644 --- a/site/profile/templates/globus/globus-oidc-setup.epp +++ b/site/profile/templates/globus/globus-oidc-setup.epp @@ -1,6 +1,5 @@ #!/bin/sh set -e -GCS_CLI_ENDPOINT_ID=$(jq .endpoint_id -r /var/lib/globus-connect-server/info.json) domain_name=<%= $domain_name %> globus-connect-server -F json oidc create --display-name "${domain_name}" --quickstart-server-name identity --support-contact "${domain_name} admin" --support-email "admin@${domain_name}" globus-connect-server oidc show | tail -n+2 > /var/lib/globus-connect-server/oidc.json From 76401bdb6d2e27bb1ad23f485cf433b89785f5ac Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 14:58:26 -0400 Subject: [PATCH 34/36] Fix --- data/common.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/data/common.yaml b/data/common.yaml index 038598de5..58cd07d00 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -14,6 +14,8 @@ lookup_options: merge: 'hash' profile::volumes::devices: merge: 'deep' + globus::client_secret: + convert_to: "Sensitive" profile::base::version: 15.5.0 profile::base::packages: [] @@ -376,6 +378,3 @@ globus::managed_firewall: true globus::ip_address: "%{lookup('terraform.self.public_ip')}" globus::owner: "%{lookup('globus::client_id')}@clients.auth.globus.org" -lookup_options: - globus::client_secret: - convert_to: "Sensitive" From ac91a4d2100bed897313c4b1ce68fcbb1a5a23c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 15:28:16 -0400 Subject: [PATCH 35/36] Fix --- site/profile/templates/globus/login.mako.epp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/site/profile/templates/globus/login.mako.epp b/site/profile/templates/globus/login.mako.epp index cc608b181..333be37a1 100644 --- a/site/profile/templates/globus/login.mako.epp +++ b/site/profile/templates/globus/login.mako.epp @@ -33,7 +33,9 @@ From 14ab7aa9b788a767937fe01dbdd324c0051e663b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Mon, 29 Jun 2026 15:40:49 -0400 Subject: [PATCH 36/36] Fix --- site/profile/templates/globus/login.mako.epp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/profile/templates/globus/login.mako.epp b/site/profile/templates/globus/login.mako.epp index 333be37a1..42142db67 100644 --- a/site/profile/templates/globus/login.mako.epp +++ b/site/profile/templates/globus/login.mako.epp @@ -56,4 +56,4 @@ - +