[WLCGPROB-256] Use SciTokens in HTCondor Job submission
This is assuming that check_js
can take both -x
, inherited from here, and --token
.
I thought that there was a qa
and a master
branch in these repos, but I see that the CI builds the QA image on every push to master and the production image is only built when the deploy:production
job is triggered manually. Once this is merged a new ETF image should be available for deployment in etf-06.cern.ch.yaml
(etf-alice-preprod.cern.ch
).
Something else to do I imagine is to add the secrets here, something like:
etf_tokens:
- etf_alice_ce
- etf_alice_ce.key
so this can work. I'll submit a separate merge request.
The above is done in https://gitlab.cern.ch/ai/it-puppet-hostgroup-etf/commit/22b7c1d0616a222a642c7c70292abe8f227d13ca (I hadn't pulled grins)
Those blobs though have to be provided by ALICE and uploaded to Teigi, I assume?
Unclear yet to me what mirrors the OIDC agent configuration from /etc/grid-security/tokens
(Puppet deployed) to /opt/omd/sites/etf/.oidc-agent
inside the ETF container. It's not a volume and I didn't see anything in the entrypoint.
Clear now: https://gitlab.cern.ch/etf/ncgx/blob/master/bin/etf-init.sh#L263