Proper system packaging of credmon

[bbockelm]

We should really include proper packaging of the credmon itself in order to make this straightforward to install "alongside" a schedd.

Thoughts that come to mind:

• RPM packages (see Add simple RPM package of the credmon. #14)
• Drop condor config files necessary to enable the credmon. Only enable if admin specifies it in the config file
• WSGI configuration necessary for integration in apache.
• Generate new signing keys on first start of the credmon.
• Export .well-known directory for OAuth2 auto-discovery.
• Change Flask app to not function unless condor config changed by sysadmin.
• Split configuration files to "must be edited" and "infrequently edited".

The end goal is that yum install scitokens-credmon - with very minimal config changes - should result in a working local issuer.

[jasoncpatton]

For the configs (condor and apache) there are now command line options to scitokens_credmon to install them. Some tweaking is needed to make the install script more configurable/universal, and this should probably be done before tagging 1.0. But this means configs aren't haphazardly added to condor and apache by pip/rpm/etc. until the admin is ready to enable the credmon.

The install script drops two condor configs, one that configures the credd and credmon ("infrequently edited") and another that contains a commented out example for adding a Box OAuth client ("must be edited").

[bbockelm]

Going the install/config script route is pretty nasty. Very difficult to manage via puppet, for example.

Instead, you want to drop the configs in place and let the admin flip the boolean from disabled to enabled.

[jasoncpatton]

Would it be better to drop inert, commented-out configs in the right locations, and then have the script modify them in place? In addition to flipping everything on, it would be nice to have a single script to modify both condor and webserver configs simultaneously so that they are consistent (e.g. port number, web subdirectory).

[bbockelm]

Sure, that’s fine. Just be aware that admins will mostly care about what they need to put into Puppet. So, we want to make sure we explain the relevant config files.