PanDA System Kubernetes Deployment

Main Components

  • PanDA: Workload manager, manages/schedules tasks and jobs.

    • panda-server

    • panda-JEDI

    • panda-database (postgresql)

  • Harvester: Resource facing service to submit pilots to Grid/Cloud.

    • Harvester

    • Harvester-db (mariadb)

  • iDDS: Workflow manager, manages the dependencies of tasks and jobs.

    • rest

    • daemon

    • database (postgresql)

  • bigmon: panda monitor

  • activemq: messaging service

  • IAM: OIDC authentication service

    • indigo-iam-login_service

    • database (mariadb)

Github module for k8s deployment

You can find the kubernetes module with all the deployment helm charts at

Please checkout the module first:

git clone

then enter the panda-k8s directory:

cd panda-k8s

and follow the deployment instructions below.

Deployment order

  • PanDA, Harvester and iDDS depend on activemq.

  • PanDA, Harvester, iDDS and bigmon depend on IAM.

  • Harvester, iDDS and BigMon need to communicate with PanDA.

  • So the installation order is

    • activemq, IAM

    • PanDA

    • Harvester, iDDS, BigMon

Deployment info

There are different installations:

  • Secret installation: In this installation, secret information are kept in secrets/. You need to keep the secret file in a diferent place (such as applying helm secrets). For the secret deployment, you can keep them for long time and only update it when it’s needed. After deploying the secrets, you can deploy the service.

  • Experiment based installation: For different experiments, there might be special requirements, for example different namespaces or different persistent volumens. In this case, an experiment specific file values-<experiment>.yaml is required.

  • In the example, secrets are kept in the same location as service files. For a production instance, it’s good to encrypt them or put them in a different location.

Deployment with secrets

  • Deploy secrets. The secrets files can be kept in a private repository or use ‘helm secrets’ to encrypt them.

Different experiments many have different solutions to keep the secrets. Here we separate the secrets part because we can keep them for long time after they are deployed. The updating frequence for secrets can be much less than updating the instance.

Deploy secrets:

The secrets can be stored in a private repository or in the same repository but encrypted. They can be deployed one time and then used for long term (Please set the values correctly in the secrets/<>/values.yaml):

helm install panda-secrets secrets/

Deploy the instances:

When the secrets are deployed. Someone else or some daemons can automatically deploy the panda instances. There is a tool to deploy instances consistently with the secrets:

$ ./bin/install -h
      usage: install [-h] [--affix AFFIX] [--experiment EXPERIMENT]
                 [--enable ENABLE] [--disable DISABLE] [--template]

      optional arguments:
        -h, --help            show this help message and exit
        --affix AFFIX, -a AFFIX
                              Prefix (blah-) or suffix (-blah) of instance names. If
                              this option is not specified, it looks for affix in
                              secrets/values.yaml. "test-" is used if affix is not
                              found in the values.yaml
        --experiment EXPERIMENT, -e EXPERIMENT
                              Experiment name
        --enable ENABLE, -c ENABLE
                              Comma-separated list of components to be installed
        --disable DISABLE, -d DISABLE
                              Comma-separated list of disabled components and/or
        --template, -t        Dry-run
  • Deploy ActiveMQ:

./bin/install -c msgsvc
  • Deploy IAM:

./bin/install -c iam
  • Deploy PanDA:

./bin/install -c panda
  • Deploy iDDS:

./bin/install -c idds
  • Deploy Harvester:

./bin/install -c harvester
  • Deploy BigMon:

./bin/install -c bigmon
  • Deploy all components in one go:


LSST deployment

For LSST deployment (at SLAC), you need to specify -e lsst

  • Deploy ActiveMQ for example:

./bin/install -c msgsvc -e lsst
  • Deploy all components in one go:

./bin/install -e lsst

Sphenix deployment

For Sphenix deployment (at BNL), you need to specify -e sphenix

  • Deploy ActiveMQ for example:

./bin/install -c msgsvc -e sphenix
  • Deploy all components in one go:

./bin/install -e sphenix -d iam

CRIC-free deployment

It is possible to deploy the PanDA system without CRIC. First, you need to prepare a couple of json files that define PanDA queues, sites, storages, etc, and place them under ./secrets/files/cric_jsons. It would be easiest to download json files from an exising CRIC instance and edit them. E.g.

curl -s -k -o ./secrets/files/cric_jsons/sites.json ""
curl -s -k -o ./secrets/files/cric_jsons/panda_queues.json ""
curl -s -k -o ./secrets/files/cric_jsons/ddm_endpoints.json ""

Then, set the real flag to true in the cric section in /secrets/values.yaml

# real CRIC
real: true

and deploy secrets and the instances as usual.

helm install panda-secrets secrets/
./bin/install -c ...

Those json files are mounted on a volume in service instances, so they are auto-updated by periodic sync when secrets are updated, i.e., service instances don’t have to be restarted. For example, when you change a status of a PanDA queue in panda_queues.json, it is enough to do

helm upgrade panda-secrets secrets/

The table below shows the list of json files. Files with * are mandatory.



sites.json *

Site definitions

panda_queues.json *

PanDA queue definitions

ddm_endpoints.json *

Storage definitions


Blacklist of storages


Cost metrix of data transfer among storages