
Configuration Options

Shreyas Bhat edited this page Nov 5, 2024 · 12 revisions

This page details the configuration options available to the various Managed Tokens executables.

Global configuration

  • keytabPath: Default path for kerberos keytabs to be stored. Can be overridden per service.
  • kerberosPrincipalPattern: Default pattern template for kerberos keytab principal. This pattern is a Go template and should use {{.Account}} as the placeholder where the account name should be. Can be overridden per service.
  • condorCollectorHost: Default HTCondor collector host. Can be overridden per service.
  • condorScheddConstraint: HTCondor constraint to be applied when querying the condorCollectorHost for the list of schedds. Can be overridden per service.
  • vaultServer: Hostname of the Hashicorp Vault server used to store and retrieve the vault and refresh tokens
  • serviceCreddVaultTokenPathRoot: Directory on disk where service-credd-level vault tokens are stored. This is to ensure that each credd always has a valid token stored (see #61 for details).
  • dbLocation: The location of the Managed Tokens SQLite database that stores the UIDs for the various configured accounts, and also stores the error counts
  • errorCountToSendMessage: Number of consecutive failures to push a particular service vault token to a node before notifications are sent. For example, if this number is 3, then upon the 3rd consecutive failure, a notification is sent.
  • defaultRoleFileDestinationTemplate: Path on the destination node where the default role file should be installed. This is a Go template, and supports any field in the internal/worker.Config type.
  • pingOptions: Options to use when pinging nodes
  • fileCopierOptions: Extra options to give to the fileCopier utility (rsync).
  • sshOptions: Options to use with fileCopier to establish the SSH connection
  • disableNotifications: If true, no notifications will be sent globally. Can be overridden per service.
  • devEnvironmentLabel: Optional label for non-production environments; it should not be set in production. Defaults to "production", and can be set here or with the environment variable MANAGED_TOKENS_DEV_ENVIRONMENT_LABEL
  • minTokenLifetime: If the obtained vault token has less than this time left due to token caching, get a new one. The value here should be a string that can be parsed using Go's time.ParseDuration.

timeouts

  • timeouts.globalTimeout: All operations must complete before this timeout
  • timeouts.kerberosTimeout: Timeout to obtain a kerberos ticket
  • timeouts.vaultstorerTimeout: Timeout to obtain a vault token from the Hashicorp Vault and store it on the HTCondor Credd
  • timeouts.pingTimeout: Timeout to ping an intended destination node
  • timeouts.pushTimeout: Timeout to push a file to an intended destination node
  • timeouts.ferryrequestTimeout: Timeout to contact the FERRY webserver
  • timeouts.dbTimeout: Timeout for database transactions
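As an added example (not code from the Managed Tokens project), a small Go check of settings from the global and timeouts sections above: it renders kerberosPrincipalPattern through text/template to confirm the {{.Account}} placeholder is present and the template parses, and it parses minTokenLifetime and the timeouts.* values with time.ParseDuration, which is what the page says those values must satisfy. The pattern, account name and durations are constructed sample values.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
	"time"
)

// RenderPrincipal expands kerberosPrincipalPattern, a Go template that must
// use {{.Account}} as the placeholder for the account name.
func RenderPrincipal(pattern, account string) (string, error) {
	if !strings.Contains(pattern, ".Account") {
		return "", fmt.Errorf("kerberosPrincipalPattern must contain {{.Account}}")
	}
	tmpl, err := template.New("principal").Parse(pattern)
	if err != nil {
		return "", fmt.Errorf("kerberosPrincipalPattern does not parse: %w", err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, struct{ Account string }{account}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// ValidateDurations rejects a minTokenLifetime or timeouts.* value that
// time.ParseDuration cannot parse, so a bad config fails before deployment
// rather than at the first token refresh.
func ValidateDurations(minTokenLifetime string, timeouts map[string]string) error {
	if _, err := time.ParseDuration(minTokenLifetime); err != nil {
		return fmt.Errorf("minTokenLifetime: %w", err)
	}
	for name, v := range timeouts {
		if _, err := time.ParseDuration(v); err != nil {
			return fmt.Errorf("timeouts.%s: %w", name, err)
		}
	}
	return nil
}

func main() {
	// Constructed values for demonstration (not from a real deployment).
	p, err := RenderPrincipal("{{.Account}}/example.com@EXAMPLE.COM", "svcaccount")
	fmt.Println(p, err)
	fmt.Println(ValidateDurations("3h", map[string]string{"globalTimeout": "300s"}))
}
```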

ferry

This section deals with connections to the FERRY service.

  • ferry.host: The hostname of the FERRY server
  • ferry.port: The port on ferry.host on which the FERRY service is running
  • ferry.caPath: If using host certificate for secure connection to FERRY server: The directory where CA certificates are stored that should be used for HTTP requests to the FERRY server
  • ferry.hostCert: If using host certificate for secure connection to FERRY server: The location of said certificate
  • ferry.hostKey: If using host certificate for secure connection to FERRY server: The location of the Managed Tokens service host key that corresponds to the ferry.hostCert
  • ferry.serviceExperiment: If using WLCG Common JWT (JSON Web Token) for secure connection to FERRY server: The token issuer for the WLCG Common JWT.
  • ferry.serviceRole: If using WLCG Common JWT (JSON Web Token) for secure connection to FERRY server: The role for the WLCG Common JWT.
  • ferry.serviceKerberosPrincipal: If using WLCG Common JWT (JSON Web Token) for secure connection to FERRY server: Kerberos principal for authenticated connection to ferry.vaultServer
  • ferry.serviceKeytabPath: If using WLCG Common JWT (JSON Web Token) for secure connection to FERRY server: The local path where the kerberos keytab is located for creation of a kerberos credential with principal ferry.serviceKerberosPrincipal.
  • ferry.vaultServer: If using WLCG Common JWT (JSON Web Token) for secure connection to FERRY server: The Hashicorp Vault Server to connect to when obtaining the JWT.

email

  • email.from: The email address from which all notifications should be sent
  • email.smtpHost: The hostname of the SMTP server to use to send notifications
  • email.smtpPort: The port on which the SMTP server to use to send notifications is listening

Observability

logs

  • logs.refresh-uids-from-ferry.logfile: Location of INFO-level logfile for refresh-uids-from-ferry
  • logs.refresh-uids-from-ferry.debugfile: Location of DEBUG-level logfile for refresh-uids-from-ferry
  • logs.run-onboarding-managed-tokens.logfile: Location of INFO-level logfile for run-onboarding-managed-tokens
  • logs.run-onboarding-managed-tokens.debugfile: Location of DEBUG-level logfile for run-onboarding-managed-tokens
  • logs.token-push.logfile: Location of INFO-level logfile for token-push
  • logs.token-push.debugfile: Location of DEBUG-level logfile for token-push

prometheus

  • prometheus.host: If configured, the hostname of a Prometheus Pushgateway to which the executables push metrics
  • prometheus.jobname: The job name under which prometheus metrics should be pushed to prometheus.host.

loki

  • loki.host: Hostname of the Grafana Loki instance to which INFO-level and higher logs are sent. Optional.

tracing

notifications

  • notifications.SLACK_ALERTS_URL: If configured, abridged notifications can be sent to this Slack webhook endpoint.
  • notifications.admin_email: Email to which all notifications are sent so operators are aware of any issues.

notifications_test

Same as above, but used in test runs.

  • notifications_test.SLACK_ALERTS_URL: See above
  • notifications_test.admin_email: See above

workerType

Worker-specific configuration

  • workerType.getKerberosTickets.numRetries: Number of retries allowed for getKerberosTickets worker
  • workerType.storeAndGetToken.numRetries: Number of retries allowed for storeAndGetToken worker
  • workerType.pingAggregator.numRetries: Number of retries allowed for pingAggregator worker
  • workerType.pushTokens.numRetries: Number of retries allowed for pushTokens worker

experiment

  • experiment.<experiment>.emails: List of email addresses to which notifications will be sent if there is an error in pushing tokens
  • experiment.<experiment>.experimentOverride: If <experiment> differs from the actual token issuer, give the token issuer name here.
  • experiment.<experiment>.roles.<role>.account: Username that should be used to push token to experiment.<experiment>.roles.<role>.destinationNodes.
  • experiment.<experiment>.roles.<role>.destinationNodes: List of hosts where vault token will be pushed
  • experiment.<experiment>.roles.<role>.keytabPathOverride: Set kerberos keytab path, regardless of the global keytabPath setting
  • experiment.<experiment>.roles.<role>.userPrincipalOverride: Set kerberos principal to be used when generating kerberos credential from experiment.<experiment>.roles.<role>.keytabPathOverride
  • experiment.<experiment>.roles.<role>.desiredUIDOverride: Set UID that should be used when installing token on experiment.<experiment>.roles.<role>.destinationNodes
  • experiment.<experiment>.roles.<role>.condorCollectorHostOverride: Set HTCondor collector that should be queried to get schedds/credds
  • experiment.<experiment>.roles.<role>.condorCreddHostOverride: Set HTCondor credd
  • experiment.<experiment>.roles.<role>.defaultRoleFileDestinationTemplateOverride: Overrides the global defaultRoleFileDestinationTemplate template for the destination path of the default role file
  • experiment.<experiment>.roles.<role>.disableNotificationsOverride: Overrides disableNotifications. If true, no notifications will be sent for this role