17750: Update nginx/ssl example pillars and states
authorJavier Bértoli <jbertoli@curii.com>
Wed, 21 Jul 2021 17:47:58 +0000 (14:47 -0300)
committerJavier Bértoli <jbertoli@curii.com>
Wed, 21 Jul 2021 18:52:49 +0000 (15:52 -0300)
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>

test/salt/pillar/examples/nginx_controller_configuration.sls
test/salt/pillar/examples/nginx_keepproxy_configuration.sls
test/salt/pillar/examples/nginx_keepweb_configuration.sls
test/salt/pillar/examples/nginx_passenger.sls
test/salt/pillar/examples/nginx_webshell_configuration.sls
test/salt/pillar/examples/nginx_websocket_configuration.sls
test/salt/pillar/examples/nginx_workbench2_configuration.sls
test/salt/pillar/examples/nginx_workbench_configuration.sls
test/salt/states/examples/single_host/snakeoil_certs.sls

index 88d69f403919d8238c2d507a28baee8405b195a4..787af824959aa7780f97a5080714b81225a8fdcc 100644 (file)
@@ -36,6 +36,8 @@ nginx:
       arvados_controller_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: fixme.example.net
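Review bot: The new `requires:` entry points at `nginx_snippet_arvados-snakeoil.conf`, a state id that nothing in this commit defines; it is presumably generated by the nginx formula from the `snippets` pillar key, so on any minion whose pillar does not carry the `arvados-snakeoil.conf` snippet (or where the formula names the state differently) Salt will refuse the whole highstate at compile time with an unresolved requisite. The same target is referenced by the other six `requires:` hunks (keepproxy, keepweb, webshell, websocket, workbench2, workbench) and by the two `require_in` additions in snakeoil_certs.sls, so the coupling is worth recording next to the first use, e.g. `# state id is produced by the nginx formula's snippets loop; must match the snippets key in nginx_passenger.sls`. The enclosing `nginx:servers:managed:` mapping starts outside the hunk.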
@@ -53,8 +55,7 @@ nginx:
               - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
               - proxy_set_header: 'X-External-Client $external_client'
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/fixme.example.net.access.log combined
             - error_log: /var/log/nginx/fixme.example.net.error.log
             - client_max_body_size: 128m
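Review bot: Dropping the commented `letsencrypt.conf` include removes the only hint in these example pillars that the snakeoil snippet is a placeholder; these files live under `examples` and are meant to be copied, so the hard-coded `snippets/arvados-snakeoil.conf` can end up serving a self-signed certificate in a real deployment without anyone noticing. A one-line pointer above the include would keep that signal, e.g. `# arvados-snakeoil.conf is a self-signed test cert; outside the test setup include your real certificate snippet instead`. The matching hunks in the keepproxy, keepweb, webshell, websocket, workbench2 and workbench pillars lose the same line. The `server:` list this include belongs to starts outside the hunk.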
index 8500afbf52ba991a968e4a58b9b9ed3eec977236..d9ed0c6c13896dacf7d65ea16d940903b409e393 100644 (file)
@@ -32,6 +32,8 @@ nginx:
       arvados_keepproxy_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: keep.fixme.example.net
@@ -53,7 +55,6 @@ nginx:
             - proxy_http_version: '1.1'
             - proxy_request_buffering: 'off'
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log
index 53854308498dc0395160593e907db4156bad6027..be18c4da2818a5fb756f80ef48321ea4f9e6d573 100644 (file)
@@ -33,6 +33,8 @@ nginx:
       arvados_collections_download_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: collections.fixme.example.net download.fixme.example.net
@@ -53,7 +55,6 @@ nginx:
             - proxy_http_version: '1.1'
             - proxy_request_buffering: 'off'
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/collections.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/collections.fixme.example.net.error.log
index 8437d33986071a2d2f1daec379e446a2a8badf41..6bbd98942703acdf2682862f04f11a1951495039 100644 (file)
@@ -60,8 +60,8 @@ nginx:
       # replace with the IP address of your resolver
       # - resolver: 127.0.0.1
 
-    ssl_snakeoil.conf:
-      - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
+    arvados-snakeoil.conf:
+      - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
       - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
 
   ### SITES
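Review bot: The snippet's `ssl_certificate` and `ssl_certificate_key` values are now literal pillar paths that must stay identical to the `arvados_cert_file` and `arvados_key_file` Jinja variables in snakeoil_certs.sls (the removed file.managed rendered the snippet from those variables, so they could not drift); they agree in this commit, but the next path change will silently break one side and nginx will fail to start. A comment on the snippet such as `# paths must match arvados_cert_file / arvados_key_file in snakeoil_certs.sls` would document the coupling. Moving the public certificate into /etc/ssl/private should be harmless for nginx itself, since a stock nginx master loads certificates as root, but on Debian that directory is normally not readable by other users, so any non-root process that needs the leaf cert would be affected; whether one exists cannot be told from this hunk.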
index 661ce2c6bf02ce536944e471908a6f46a2a34223..d2287154a38bb6363a47eeeaee517bc5287c0c8b 100644 (file)
@@ -58,6 +58,8 @@ nginx:
       arvados_webshell_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: webshell.fixme.example.net
@@ -96,8 +98,7 @@ nginx:
                 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
             {%- endfor %}
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/webshell.fixme.example.net.error.log
 
index 5c228bada0c87b6d9031789986a959d2dfeeff43..20682bbf2edd4fc19e6a07b0abe2c88ccd1528d9 100644 (file)
@@ -32,6 +32,8 @@ nginx:
       arvados_websocket_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: ws.fixme.example.net
@@ -54,7 +56,6 @@ nginx:
             - proxy_http_version: '1.1'
             - proxy_request_buffering: 'off'
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/ws.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/ws.fixme.example.net.error.log
index 13c1da0c164338fde0bdab0039f52f08b308e054..3c3ba4e2f0ede750091fb5c5b4a3e648b7eb1094 100644 (file)
@@ -36,6 +36,8 @@ nginx:
       arvados_workbench2_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: workbench2.fixme.example.net
@@ -50,7 +52,6 @@ nginx:
             - location /config.json:
               - return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }}
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             - access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/workbench2.fixme.example.net.error.log
index 7c03d3a6af08a1365df849a0cd061a82b52bcb9d..37fa31c170efeb60debfdde3d707a0037768389f 100644 (file)
@@ -36,6 +36,8 @@ nginx:
       arvados_workbench_ssl.conf:
         enabled: true
         overwrite: true
+        requires:
+          file: nginx_snippet_arvados-snakeoil.conf
         config:
           - server:
             - server_name: workbench.fixme.example.net
@@ -45,8 +47,7 @@ nginx:
             - passenger_enabled: 'on'
             - index: index.html index.htm
             - include: 'snippets/ssl_hardening_default.conf'
-            # - include: 'snippets/letsencrypt.conf'
-            - include: 'snippets/ssl_snakeoil.conf'
+            - include: 'snippets/arvados-snakeoil.conf'
             # yamllint disable-line rule:line-length
             - access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined
             - error_log: /var/log/nginx/workbench.fixme.example.net.error.log
index 87211f3185fc0ef5ecc8c54cf46801aab83e7b34..91617e4fa4765e5e3365a4269937ac6987a94d17 100644 (file)
@@ -12,9 +12,11 @@ include:
   - nginx.config
   - nginx.service
 
-{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+# Debian uses different dirs for certs and keys, but being a Snake Oil example,
+# we'll keep it simple here.
+{%- set arvados_ca_cert_file = '/etc/ssl/private/arvados-snakeoil-ca.pem' %}
 {%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
-{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_cert_file = '/etc/ssl/private/arvados-snakeoil-cert.pem' %}
 {%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
 {%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
 
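Review bot: Moving the CA certificate (`arvados_ca_cert_file`) into /etc/ssl/private is the path change here with a practical consequence: that directory is typically root-only (root:ssl-cert, mode 0710 on Debian), so the public CA pem that clients and other Arvados services need in order to trust the snakeoil leaf certificate is no longer readable by non-root processes. The new comment explains the choice but not its effect; it should tell the reader what to do, e.g. `# NOTE: the CA cert is public data; copy it out of /etc/ssl/private for any client or service that has to trust it`. Whether anything in the test setup reads the CA pem as a non-root user cannot be confirmed from this hunk, but the old location in /etc/ssl/certs did not have this restriction.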
@@ -126,6 +128,9 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_c
     - require:
       - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
       - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+    # We need this before we can add the nginx's snippet
+    - require_in:
+      - file: nginx_snippet_arvados-snakeoil.conf
 
 {%- if grains.get('os_family') == 'Debian' %}
 arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
@@ -142,18 +147,6 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_c
     - require:
       - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
       - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
-{%- endif %}
-
-arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
-  file.managed:
-    - name: /etc/nginx/snippets/arvados-snakeoil.conf
-    - contents: |
-        ssl_certificate {{ arvados_cert_file }};
-        ssl_certificate_key {{ arvados_key_file }};
-    - watch_in:
-      - service: nginx_service
-    - require:
-      - pkg: passenger_install
-      - file: arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run
     - require_in:
-      - file: nginx_config
+      - file: nginx_snippet_arvados-snakeoil.conf
+{%- endif %}
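Review bot: The removed `file.managed` for /etc/nginx/snippets/arvados-snakeoil.conf carried `watch_in: - service: nginx_service`, so creating or changing the snippet reloaded nginx; the replacement `require_in` entries only order the formula-managed snippet after the cert and permission states and nothing visible here notifies the service. Unless the nginx formula's snippet state itself watches the service (which this hunk cannot show), a freshly generated snakeoil certificate is served only after a manual reload. If the formula is relied on for that, a comment beside the new `require_in`, e.g. `# reload of nginx_service is left to the nginx formula's snippet state`, would save the next reader the hunt; otherwise add `watch_in: - service: nginx_service` to the cert cmd state. The `..._certs_permissions_cmd_run` state that this `require_in` belongs to starts outside the hunk.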