Merge pull request #938 from lsst-it/IT-6196/butler-bucket-ownership

(*) fix ownership of rubinobs-butler-* buckets

Author: jhoblitt

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-butler-comcam.yaml

@@ -2,13 +2,13 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-butler-comcam
+  name: &name rubinobs-butler-comcam
   namespace: rook-ceph
 spec:
-  bucketName: rubinobs-butler-comcam
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
-    bucketOwner: comcam
+    bucketOwner: butler
     bucketMaxSize: 20Ti
     bucketPolicy: |
       {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-butler-latiss.yaml

@@ -2,13 +2,13 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-butler-latiss
+  name: &name rubinobs-butler-latiss
   namespace: rook-ceph
 spec:
-  bucketName: rubinobs-butler-latiss
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
-    bucketOwner: latiss
+    bucketOwner: butler
     bucketMaxSize: 10Ti
     bucketPolicy: |
       {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-butler-lsstcam.yaml

@@ -2,13 +2,13 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-butler-lsstcam
+  name: &name rubinobs-butler-lsstcam
   namespace: rook-ceph
 spec:
-  bucketName: rubinobs-butler-lsstcam
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
-    bucketOwner: lsstcam
+    bucketOwner: butler
     bucketMaxSize: 2.5Pi
     bucketPolicy: |
       {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-calibrations.yaml

@@ -2,10 +2,10 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-calibrations
+  name: &name rubinobs-calibrations
   namespace: rook-ceph
 spec:
-  bucketName: rubinobs-calibrations
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
     bucketOwner: calib

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-lfa-cp.yaml

@@ -0,0 +1,65 @@
+---
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+  name: &name rubinobs-lfa-cp
+  namespace: rook-ceph
+spec:
+  bucketName: *name
+  storageClassName: lfa
+  additionalConfig:
+    bucketOwner: saluser
+    bucketMaxSize: 10Ti
+    bucketPolicy: |
+      {
+          "Version": "2012-10-17",
+          "Statement": [
+              {
+                  "Sid": "AllowReadAccess",
+                  "Effect": "Allow",
+                  "Principal": {
+                      "AWS": "arn:aws:iam:::user/s3lhn"
+                  },
+                  "Action": [
+                      "s3:ListBucket",
+                      "s3:GetObject",
+                      "s3:GetObjectVersion"
+                  ],
+                  "Resource": [
+                      "arn:aws:s3:::rubinobs-lfa-cp",
+                      "arn:aws:s3:::rubinobs-lfa-cp/*"
+                  ]
+              },
+              {
+                  "Sid": "PublicRead",
+                  "Effect": "Allow",
+                  "Principal": "*",
+                  "Action": [
+                      "s3:GetObject",
+                      "s3:GetObjectVersion"
+                  ],
+                  "Resource": ["arn:aws:s3:::*"]
+              }
+          ]
+      }
+    bucketLifecycle: |
+      {
+        "Rules": [
+          {
+            "ID": "AbortIncompleteMultipartUploads",
+            "Status": "Enabled",
+            "Prefix": "",
+            "AbortIncompleteMultipartUpload": {
+              "DaysAfterInitiation": 1
+            }
+          },
+          {
+            "ID": "ExpireAfter30Days",
+            "Status": "Enabled",
+            "Prefix": "",
+            "Expiration": {
+              "Days": 30
+            }
+          }
+        ]
+      }

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-raw-comcam.yaml

@@ -2,12 +2,12 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-raw-comcam
+  name: &name rubinobs-raw-comcam
   namespace: rook-ceph
   labels:
     bucket-notification-lsst.s3.raw.comcam: lsst.s3.raw.comcam
 spec:
-  bucketName: rubinobs-raw-comcam
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
     bucketOwner: comcam
@@ -62,7 +62,7 @@ spec:
             }
           },
           {
-            "ID": "ExpireAfter30Days",
+            "ID": "ExpireAfter90Days",
             "Status": "Enabled",
             "Prefix": "",
             "Expiration": {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-raw-latiss.yaml

@@ -2,12 +2,12 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-raw-latiss
+  name: &name rubinobs-raw-latiss
   namespace: rook-ceph
   labels:
     bucket-notification-lsst.s3.raw.latiss: lsst.s3.raw.latiss
 spec:
-  bucketName: rubinobs-raw-latiss
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
     bucketOwner: latiss
@@ -62,7 +62,7 @@ spec:
             }
           },
           {
-            "ID": "ExpireAfter30Days",
+            "ID": "ExpireAfter90Days",
             "Status": "Enabled",
             "Prefix": "",
             "Expiration": {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubinobs-raw-lsstcam.yaml

@@ -2,12 +2,12 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubinobs-raw-lsstcam
+  name: &name rubinobs-raw-lsstcam
   namespace: rook-ceph
   labels:
     bucket-notification-lsst.s3.raw.lsstcam: lsst.s3.raw.lsstcam
 spec:
-  bucketName: rubinobs-raw-lsstcam
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
     bucketOwner: lsstcam
@@ -62,7 +62,7 @@ spec:
             }
           },
           {
-            "ID": "ExpireAfter30Days",
+            "ID": "ExpireAfter90Days",
             "Status": "Enabled",
             "Prefix": "",
             "Expiration": {

fleet/lib/rook-ceph-conf/charts/ayekan/templates/obc-rubintv.yaml

@@ -2,10 +2,10 @@
 apiVersion: objectbucket.io/v1alpha1
 kind: ObjectBucketClaim
 metadata:
-  name: rubintv
+  name: &name rubintv
   namespace: rook-ceph
 spec:
-  bucketName: rubintv
+  bucketName: *name
   storageClassName: lfa
   additionalConfig:
     bucketOwner: rubintv

fleet/lib/rook-ceph-conf/charts/ayekan/values.yaml

@@ -4,11 +4,12 @@ users:
     spec:
       store: lfa
       quotas:
-        maxBuckets: 2
-        maxSize: 2Pi
+        maxBuckets: 3
   - name: calib
     spec:
       store: lfa
+      quotas:
+        maxBuckets: 1
   - name: comcam
     spec:
       store: lfa
@@ -27,12 +28,18 @@ users:
   - name: oods-comcam
     spec:
       store: lfa
+      quotas:
+        maxBuckets: 0
   - name: oods-latiss
     spec:
       store: lfa
+      quotas:
+        maxBuckets: 0
   - name: oods-lsstcam
     spec:
       store: lfa
+      quotas:
+        maxBuckets: 0
   - name: rubintv
     spec:
       store: lfa