Proposed version 0.2.0

[matyasselmeci]

This PR contains many changes in order to reflect both how we (OSDF ops) want to set up our caches and community conventions for how Helm charts should look.

In addition, the PR adds support for host networking and various othe rfeatures, plus safety checks to avoid inconsistent deployments.

Notable changes:

Features

• Host networking is available as an option; Service and NetworkPolicy won't be created if host networking is enabled.
• Admin users are now specified as a YAML list instead of a string.
• Reusing the cache volume for logging is now possible (this is something we do in NRP).
• Cache, lotman, and logging can now use existing PVCs or cause creation of new ones;
  in the latter case, "storageClass" must be specified.
• All created PVCs are now annotated such that they will be kept even if the chart is deleted.
• Setting sleep: true causes the cache to sleep instead of running, for debugging purposes.

Validation

• federation.label must match federation.discoveryUrl for the "osdf" and "osdf-itb" federations:
  ("osdf" must have a discoveryUrl of "https://osg-htc.org"; "osdf-itb" must have a discoveryUrl of "https://osdf-itb.osg-htc.org")
• If creating new PVC(s) (instead of reusing existing ones), the corresponding storageClass attributes must be specified for each.
• If using a host path, the path must be specified.
• sitename (used for Xrootd.Sitename in the Pelican config) must be specified.
• tls.certManager.enabled and tls.existingSecret cannot both be set.
• If using CertManager, serverHostname must be specified; it's automatically added to the DNS names list.

Various renames

• "Namespace key" has been renamed to "issuer key" to match what Pelican calls it - in addition, the default key in the secret for the issuer key is private-key.pem, which is what pelican key generate creates.
• "storageClassName" has been renamed to "storageClass" per community conventions.
• Various settings have been collected and nested:
  • Logrotate config is no longer split between logrotateImage, resources.logrotate, and logrotate; these have been merged into the logrotate mapping.
  • hostPath, storageClassName, pvcSize are no longer mixed together under cache; now you have a cache.hostPath mapping with path, and a cache.pvc mapping with existingClaim, storageClass, and size
  • Cache resources have been moved under the cache mapping.
  • tls.existingSecret and certificate (for CerManager config) are no longer separate: now there are tls.certManager and tls.existingSecret.
  • webPasswordSecret and webPasswordSecretKey have been renamed to webPassword.existingSecret and webPassword.key.
  • xrootd.sitename has been pulled out and moved to the top as just sitename; as mentioned above, it's required.
  • logging.storageClassName and logging.pvcSize have been moved to logging.persistence.storageClass and logging.persistence.size; there are also options to not create a separate volume (logging.persistence.separateVolume: false, or reuse an existing PVC (logging.persistence.existingClaim))

Minor changes

• The default image pull policy for the cache image is now IfNotPresent since the cache uses an image with a version tag.
  The logrotate image still uses the Always policy.
  As per community convention, the chart's AppVersion is used as the default image tag instead of being specifiedi n the default values file.
• The default size of the logging PVC has been raised from 5 Gi to 50 Gi.
• XRD_CURLDISABLEX509=1 is now always set in the environment.

[brianhlin]

I find the organization of values.yaml odd, almost as if a machine wrote it :)

[matyasselmeci]

OK, this is ready for another look. Other than your comments, one thing I changed was to split out the Pelican cache configuration (high water mark, low water mark, etc.) from the Kubernetes configuration (cache image, pvc, etc.). Same for logging/logrotate. I think it's cleaner if application and Kubernetes parameters aren't mixed together.