Configuration Notes

Use this file as the quick reference for irods-go-drs configuration.

Config sources

The service reads configuration in this order:

  1. drs-config.yaml
  2. DRS_* environment variable overrides
  3. Secret files for sensitive values

To use one exact config file, set:

DRS_CONFIG_FILE=/path/to/drs-config.yaml

Main runtime settings

These are the settings you will usually care about:

DRS_LISTEN_PORT=8080
DRS_DRS_LOG_LEVEL=info

DRS_IRODS_HOST=irods-provider
DRS_IRODS_PORT=1247
DRS_IRODS_ZONE=tempZone
DRS_IRODS_ADMIN_USER=rods
DRS_IRODS_PRIMARY_TEST_USER=test1
DRS_IRODS_PRIMARY_TEST_PASSWORD=test1
DRS_IRODS_SECONDARY_TEST_USER=test2
DRS_IRODS_SECONDARY_TEST_PASSWORD=test2
DRS_RESOURCE_AFFINITY=demoResc,edgeResc

DRS_OIDC_URL=https://localhost:8443
DRS_OIDC_REALM=drs
DRS_OIDC_CLIENT_ID=irods-go-drs
DRS_OIDC_INSECURE_SKIP_VERIFY=false

If your local Keycloak uses a self-signed certificate, you can temporarily use:

DRS_OIDC_INSECURE_SKIP_VERIFY=true

Use that only for local development.

In YAML config files, use:

OidcInsecureSkipVerify: true

OidcSkipTLSVerify is still accepted for compatibility, but OidcInsecureSkipVerify is the preferred config key.

Resource affinity

ResourceAffinity is optional and maps iRODS storage resources to HTTPS DRS hosts that are proximate to those resources.

Supported forms:

ResourceAffinity:
  - Host: https://drs-resc-a.example.org
    Resources:
      - demoResc
      - cacheResc
  - Host: https://drs-default.example.org
    Resources: []

or environment override:

DRS_RESOURCE_AFFINITY=demoResc,edgeResc

Notes:

  • Resources entries with exact names are preferred when matching replicas.
  • The first entry with an empty Resources array is the default for unmatched resources.
  • * is still accepted for backward compatibility.
  • Environment override remains a legacy compatibility path and maps to one default affinity entry using HttpsAccessMethodBaseURL as the host base URL.

Secrets

Prefer secret files over inline secrets.

Supported file-backed secret settings:

IrodsAdminPasswordFile: /run/secrets/irods_admin_password
OidcClientSecretFile: /run/secrets/oidc_client_secret

Environment variable equivalents:

DRS_IRODS_ADMIN_PASSWORD_FILE=/run/secrets/irods_admin_password
DRS_OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret

Secret precedence is:

  1. explicit value
  2. secret file
  3. empty

Test user settings

For integration and E2E work, keep the test users in the same config file:

IrodsAdminUser: rods
IrodsAdminPasswordFile: /run/secrets/irods_admin_password
IrodsPrimaryTestUser: test1
IrodsPrimaryTestPassword: test1
IrodsSecondaryTestUser: test2
IrodsSecondaryTestPassword: test2

The test helpers use proxy authentication through IrodsAdminUser and IrodsAdminPassword, and they default the effective test user to IrodsPrimaryTestUser.

If you add Basic-authenticated E2E tests, use IrodsPrimaryTestPassword and IrodsSecondaryTestPassword as the source of truth for those user credentials.

Do not use the old YAML keys:

IrodsDrsAdminUser:
IrodsDrsAdminPassword:
IrodsDrsAdminPasswordFile:

Use:

IrodsAdminUser:
IrodsAdminPassword:
IrodsAdminPasswordFile:
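
A pre-deployment check for the settings these notes caution against (OIDC TLS verification disabled, an inline admin password, the old IrodsDrs* keys), as an added example that is not part of irods-go-drs. lintConfig is a hypothetical helper, the sample configuration is constructed, and the scan assumes flat top-level `Key: value` lines rather than full YAML parsing.

```go
package main

import (
	"fmt"
	"strings"
)

// lintConfig flags settings these notes warn about. Assumption: it scans only
// top-level "Key: value" scalars without inline comments; it is not a YAML parser.
func lintConfig(cfg string) []string {
	seen := map[string]string{}
	for _, line := range strings.Split(cfg, "\n") {
		if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "#") {
			continue // nested list entry or comment
		}
		if k, v, ok := strings.Cut(line, ":"); ok {
			seen[strings.TrimSpace(k)] = strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	var out []string
	for _, k := range []string{"OidcInsecureSkipVerify", "OidcSkipTLSVerify"} {
		if strings.EqualFold(seen[k], "true") {
			out = append(out, k+": TLS verification of the OIDC provider is disabled")
		}
	}
	if _, ok := seen["OidcSkipTLSVerify"]; ok {
		out = append(out, "OidcSkipTLSVerify: compatibility key, prefer OidcInsecureSkipVerify")
	}
	if seen["IrodsAdminPassword"] != "" {
		// Secret precedence puts the explicit value ahead of the secret file.
		out = append(out, "IrodsAdminPassword: inline secret, overrides IrodsAdminPasswordFile")
	}
	for _, k := range []string{"IrodsDrsAdminUser", "IrodsDrsAdminPassword", "IrodsDrsAdminPasswordFile"} {
		if _, ok := seen[k]; ok {
			out = append(out, k+": old key, use "+strings.Replace(k, "IrodsDrs", "Irods", 1))
		}
	}
	return out
}

func main() {
	// Constructed sample configuration, not taken from the project.
	sample := "OidcInsecureSkipVerify: true\nIrodsAdminPassword: example\n" +
		"IrodsAdminPasswordFile: /run/secrets/irods_admin_password\nIrodsDrsAdminUser: rods\n"
	for _, finding := range lintConfig(sample) {
		fmt.Println(finding)
	}
}
```

Running it against a production config in CI and failing the build on any finding keeps a development-only setting from shipping.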

Access methods

Configured access methods are now driven by structured booleans and provider settings in drs-config.yaml.

Example:

IrodsAccessMethodSupported: false
FileAccessMethodSupported: false
HttpsAccessMethodSupported: true
HttpsAccessImplementation: irods-go-rest
HttpsAccessMethodBaseURL: https://drs.example.org/api/v1/path/contents?irods_path=
HttpsAccessUseTicket: true
LocalAccessRootPath: /mnt/irods

Current behavior:

  • https returns an access_id for later resolution through /access
  • irods returns an access_id
  • local returns a local:///... path
  • s3 is a placeholder

Current https implementations:

  • irods-go-rest is supported
  • irods-https-api is supported

Service-info JSON

You can keep service-info metadata in a separate JSON file:

ServiceInfoFilePath: service-info.json
ServiceInfoSampleIntervalMinutes: 5

Environment variable equivalent:

DRS_SERVICE_INFO_FILE_PATH=/path/to/service-info.json

If the path is relative, it is resolved relative to drs-config.yaml.

Docker test framework

The local Docker test stack is under:

deployments/docker-test-framework/5-0

This is for development and testing, not production.

If you keep a private keycloak.env outside the repo, point Compose at it with:

KEYCLOAK_ENV_FILE=/path/to/keycloak.env