Skip to content

Allow user defined volumes/volumeMounts for diracx pod#254

Draft
maxnoe wants to merge 1 commit into
DIRACGrid:masterfrom
maxnoe:extra-volume-mounts
Draft

Allow user defined volumes/volumeMounts for diracx pod#254
maxnoe wants to merge 1 commit into
DIRACGrid:masterfrom
maxnoe:extra-volume-mounts

Conversation

@maxnoe

@maxnoe maxnoe commented Mar 26, 2026

Copy link
Copy Markdown
Contributor

For our integration tests and in prod, we need to mount a volume of CA certificates (the EGI trust store), but the diracx chart does not allow user-defined extra volumes.

Closes #259

cc @volodymyrss @natthan-pigoux

@maxnoe maxnoe force-pushed the extra-volume-mounts branch 3 times, most recently from 81d67cd to 9e12657 Compare March 26, 2026 17:14
@aldbr aldbr requested review from chaen and natthan-pigoux April 1, 2026 08:59
@chrisburr

Copy link
Copy Markdown
Member

I think this needs an issue explaining why you need them.

@chrisburr chrisburr marked this pull request as draft April 2, 2026 08:30
@maxnoe

maxnoe commented Apr 2, 2026

Copy link
Copy Markdown
Contributor Author

As written above:

For our integration tests and in prod, we need to mount a volume of CA certificates (the EGI trust store)

#259

@maxnoe maxnoe force-pushed the extra-volume-mounts branch from 72c3d5e to 1bac8c4 Compare April 2, 2026 08:57
@maxnoe maxnoe force-pushed the extra-volume-mounts branch from 1bac8c4 to 86404d8 Compare April 2, 2026 08:57
@maxnoe

maxnoe commented Apr 2, 2026

Copy link
Copy Markdown
Contributor Author

To be honest, I am a bit surprised that this wasn't possible. I thought this chart is used in prod by LHCb, how do you handle the CA certificates?

@chaen

chaen commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

After internal discussion.

This is fine but a few points:

  • the volume definition in the values.yaml shouldn't be in diracx subsection because this is targeted at the diracx python part so to say. It should rather go to global.
  • You probably want to mount it similarly to all the other containers (the inits, the cli, etc)
  • For your custom CA issue, you would have to mount the EGI truststore on top of the system ones.

To be honest, I am a bit surprised that this wasn't possible. I thought this chart is used in prod by LHCb, how do you handle the CA certificates?

We only faced publicly trusted certificate so far. We did not have to use self sign anywhere except in the run_demo.sh script.
It is not unreasonable in the future to envisage an extra_ca volume that the code could explicitly refer to, for example when submitting pilot or doing DMS.

@maxnoe

maxnoe commented Apr 14, 2026

Copy link
Copy Markdown
Contributor Author

Does diracx download CAs/CRLs via the BundleDelivery?

@chaen

chaen commented Apr 20, 2026

Copy link
Copy Markdown
Contributor

Does diracx download CAs/CRLs via the BundleDelivery?

No it does not

@maxnoe

maxnoe commented Apr 20, 2026

Copy link
Copy Markdown
Contributor Author

Ok, then I think we want to have this included. I'll address your comments.

@maxnoe

maxnoe commented Apr 20, 2026

Copy link
Copy Markdown
Contributor Author

For your custom CA issue, you would have to mount the EGI truststore on top of the system ones.

That's not needed. We inject our custom CA into the EGI trusted certs for development, the two volumes (one for /etc/grid-security/certificates, one for /etc/pki) already contain it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Chart does not allow custom user-defined volume mounts

3 participants