Merge pull request #9 from netmanagers/master
authorJavier BĂ©rtoli <javier@netmanagers.com.ar>
Tue, 24 Nov 2020 16:57:05 +0000 (13:57 -0300)
committerGitHub <noreply@github.com>
Tue, 24 Nov 2020 16:57:05 +0000 (13:57 -0300)
Various fixes for crunch-dispatch-local and tests

29 files changed:
arvados/api/package/clean.sls
arvados/api/package/install.sls
arvados/dispatcher/service/file.sls
arvados/dispatcher/service/files/default/crunch-dispatch-local-credentials.tmpl [new file with mode: 0644]
arvados/dispatcher/service/files/default/crunch-dispatch-local-service.tmpl
arvados/dispatcher/service/files/default/crunch-run-sh.tmpl
arvados/repo/clean.sls
arvados/repo/install.sls
arvados/ruby/package/clean.sls
arvados/shell/package/clean.sls
arvados/shell/package/install.sls
kitchen.yml
pillar.example
test/integration/api/controls/config_spec.rb
test/integration/keepweb/controls/config_spec.rb
test/integration/websocket/controls/config_spec.rb
test/integration/workbench/controls/config_spec.rb
test/salt/pillar/arvados.sls
test/salt/pillar/arvados_dev.sls
test/salt/pillar/examples/nginx_api_configuration.sls
test/salt/pillar/examples/nginx_controller_configuration.sls
test/salt/pillar/examples/nginx_keepproxy_configuration.sls
test/salt/pillar/examples/nginx_keepweb_configuration.sls
test/salt/pillar/examples/nginx_passenger.sls
test/salt/pillar/examples/nginx_webshell_configuration.sls
test/salt/pillar/examples/nginx_websocket_configuration.sls
test/salt/pillar/examples/nginx_workbench_configuration.sls
test/salt/states/example_add_snakeoil_certs/init.sls
test/salt/states/example_single_host_host_entries/init.sls [new file with mode: 0644]

index 74d807e6ae502b84cfd80a5972cc9e52003129fa..52e3650612d571248e703495bd42b92a6cd8ff55 100644 (file)
@@ -5,13 +5,13 @@
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 
-{% for gm in arvados.api.gem.name %}
+{%- for gm in arvados.api.gem.name %}
 arvados-api-package-clean-gem-{{ gm }}-removed:
   gem.removed:
     - name: {{ gm }}
     - require_in:
       - pkg: arvados-api-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
 
 arvados-api-package-clean-gems-deps-pkg-removed:
   pkg.removed:
index c157acd0a50164be6d863cf00e116e3dd9850305..068d4a1afd4d14fcc0025bb9d8b6547b3cbed21a 100644 (file)
@@ -21,7 +21,7 @@ arvados-api-package-install-gems-deps-pkg-installed:
     - pkgs: {{ arvados.ruby.gems_deps | unique | json }}
     - only_if: test "{{ arvados.ruby.manage_gems_deps | lower }}" = "true"
 
-{% for gm in arvados.api.gem.name | unique %}
+{%- for gm in arvados.api.gem.name | unique %}
 arvados-api-package-install-gem-{{ gm }}-installed:
   gem.installed:
     - name: {{ gm }}
@@ -32,7 +32,7 @@ arvados-api-package-install-gem-{{ gm }}-installed:
       {%- endif %}
     - require_in:
       - pkg: arvados-api-package-install-pkg-installed
-{% endfor %}
+{%- endfor %}
 
 arvados-api-package-install-pkg-installed:
   pkg.installed:
index df752863d3b0eedfe76e53b190e5307016f64d31..411848f8aa4ad6c0a58c3b6826d9fd53b25de591 100644 (file)
@@ -25,6 +25,23 @@ arvados-dispatcher-service-file-file-managed-crunch-run-sh:
     - user: root
     - group: root
     - makedirs: True
+    - context:
+        arvados: {{ arvados | json }}
+    - require:
+      - pkg: arvados-dispatcher-package-install-pkg-installed
+
+arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials:
+  file.managed:
+    - name: /etc/arvados/crunch-dispatch-local-credentials
+    - source: {{ files_switch(['crunch-dispatch-local-credentials.tmpl'],
+                              lookup='arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials',
+                              use_subpath=True
+                 )
+              }}
+    - mode: '0640'
+    - user: root
+    - group: root
+    - makedirs: True
     - template: jinja
     - context:
         arvados: {{ arvados | json }}
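Review bot: The new `crunch-dispatch-local-credentials` state renders `arvados.cluster.tokens.system_root` into the managed file, and `file.managed` reports a content diff by default, so the token would show up in state returns and the master's job cache whenever the file changes. Adding `- show_changes: False` to this state keeps it out. Separately, on the new side the `crunch-run-sh` state goes from `- makedirs: True` straight to `- context:`, and the `- template: jinja` context line now sits inside the credentials state. Unless `crunch-run-sh` declares the template above the hunk, its file would be written unrendered. Both states extend outside the hunk.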
@@ -48,6 +65,7 @@ arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-service:
         arvados: {{ arvados | json }}
     - require:
       - file: arvados-dispatcher-service-file-file-managed-crunch-run-sh
+      - file: arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials
       - pkg: arvados-dispatcher-package-install-pkg-installed
   cmd.run:
     - name: systemctl daemon-reload
diff --git a/arvados/dispatcher/service/files/default/crunch-dispatch-local-credentials.tmpl b/arvados/dispatcher/service/files/default/crunch-dispatch-local-credentials.tmpl
new file mode 100644 (file)
index 0000000..a852bc8
--- /dev/null
@@ -0,0 +1,7 @@
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
+ARVADOS_API_HOST={{ arvados.cluster.Services.Controller.ExternalURL | regex_replace('^http(s?)://', '', ignorecase=true) }}
+ARVADOS_API_HOST_INSECURE={{ '1' if arvados.cluster.tls.insecure | default('0') }}
+ARVADOS_API_TOKEN={{ arvados.cluster.tokens.system_root }}
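Review bot: The `ARVADOS_API_HOST_INSECURE` line fails open: `default('0')` yields the non-empty string `'0'`, which Jinja treats as true, so when `arvados.cluster.tls.insecure` is undefined the line renders `1` and certificate verification is switched off. The filter binds before the inline `if`, and with no `else` the false case renders as an empty value. Something like `ARVADOS_API_HOST_INSECURE={{ '1' if arvados.cluster.tls.insecure | default(false) else '0' }}` keeps verification on unless the pillar explicitly opts out. Whether `map.jinja` always defines `tls.insecure` is not visible here, so the unset case may not be reachable in practice.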
index f0cda3ef864c69a75e82a9fe54ac17e7c9211aaf..cb30224889b4821c1db3a5750276c8e862239c4b 100644 (file)
@@ -15,7 +15,7 @@ StartLimitIntervalSec=0
 
 [Service]
 Type=simple
-EnvironmentFile=-/etc/arvados/environment
+EnvironmentFile=-/etc/arvados/crunch-dispatch-local-credentials
 ExecStart=/usr/bin/crunch-dispatch-local -poll-interval=1 -crunch-run-command=/usr/local/bin/crunch-run.sh
 # Set a reasonable default for the open file limit
 LimitNOFILE=65536
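Review bot: The leading `-` kept on the new `EnvironmentFile=` line makes the credentials file optional, so if it is missing the dispatcher starts without `ARVADOS_API_HOST` or `ARVADOS_API_TOKEN` instead of failing at unit start. Since the state now manages and requires that file, `EnvironmentFile=/etc/arvados/crunch-dispatch-local-credentials` would surface a broken deployment immediately. The unit file continues outside the hunk.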
index 5c15293eff9f04f35c40ad9f5c693b28124a00af..edfe44ed93b60059ec544afd258912b393f16455 100644 (file)
@@ -1,6 +1,6 @@
+#!/bin/sh
 ########################################################################
 # File managed by Salt at <{{ source }}>.
 # Your changes will be overwritten.
 ########################################################################
-#!/bin/sh
-exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host $@
+exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host ${@}
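Review bot: `${@}` on the `exec` line is still unquoted, so it word-splits and glob-expands exactly as `$@` did. Any argument handed to this wrapper that contains whitespace or wildcard characters reaches crunch-run altered. Quoting it, `exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host "$@"`, forwards the arguments unchanged.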
index 55cf601f840fb1152d0cd88f2d1b80e6ed937bfb..3ab71182c229876c6e94cce4a49631b02c82b1f4 100644 (file)
@@ -5,8 +5,8 @@
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 
-{% if arvados.use_upstream_repo -%}
-  {% if grains.get('os_family') == 'Debian' -%}
+{%- if arvados.use_upstream_repo %}
+  {%- if grains.get('os_family') == 'Debian' %}
 arvados-repo-clean-repo-absent:
   pkgrepo.absent:
     - file: {{ arvados.repo.file }}
index 57d1ed222ef2a5409f47489124fd180fb9011037..1146f30e5f2d004171923edb84232f9725182a03 100644 (file)
@@ -5,8 +5,8 @@
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 
-{%- if arvados.use_upstream_repo -%}
-  {%- if grains.get('os_family') == 'Debian' -%}
+{%- if arvados.use_upstream_repo %}
+  {%- if grains.get('os_family') == 'Debian' %}
     {%- if arvados.release == 'testing' %}
       {%- set release = grains.get('lsb_distrib_codename') ~ '-testing' %}
     {%- elif arvados.release == 'development' %}
index 85941be14d6ff9d0d2db6c2f3fc1a6019cc1ac2e..cd5f32a02f662a65262d388ee8656c636fba992d 100644 (file)
@@ -5,13 +5,13 @@
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
 arvados-shell-package-clean-gem-{{ gm }}-removed:
   gem.removed:
     - name: {{ gm }}
     - require_in:
       - pkg: arvados-shell-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
 
 arvados-shell-package-clean-gems-deps-pkg-removed:
   pkg.removed:
index 85941be14d6ff9d0d2db6c2f3fc1a6019cc1ac2e..cd5f32a02f662a65262d388ee8656c636fba992d 100644 (file)
@@ -5,13 +5,13 @@
 {%- set tplroot = tpldir.split('/')[0] %}
 {%- from tplroot ~ "/map.jinja" import arvados with context %}
 
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
 arvados-shell-package-clean-gem-{{ gm }}-removed:
   gem.removed:
     - name: {{ gm }}
     - require_in:
       - pkg: arvados-shell-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
 
 arvados-shell-package-clean-gems-deps-pkg-removed:
   pkg.removed:
index 8ebfd5916419c95737bdc26971921c239f1b15c5..b1ad75ee68a468d76663337ac84b21e4ce1595c3 100644 (file)
@@ -37,7 +37,7 @@ arvados-shell-package-install-gems-deps-pkg-installed:
     - pkgs: {{ arvados.ruby.gems_deps | json }}
     - only_if: test "{{ arvados.ruby.manage_gems_deps | lower }}" = "true"
 
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
 arvados-shell-package-install-gem-{{ gm }}-installed:
   gem.installed:
     - name: {{ gm }}
@@ -46,4 +46,4 @@ arvados-shell-package-install-gem-{{ gm }}-installed:
       - {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed
       {%- endif %}
       - pkg: arvados-shell-package-install-gems-deps-pkg-installed
-{% endfor %}
+{%- endfor %}
index 0a9c7ab29210798a6983ff5d1953245b32959e4b..4067e1c7f6ec5fc3c1bb6742b52b17917b0408e0 100644 (file)
@@ -104,6 +104,7 @@ suites:
       state_top:
         base:
           '*':
+            - example_single_host_host_entries
             - example_add_snakeoil_certs
             - locale
             - nginx.passenger
@@ -145,6 +146,8 @@ suites:
         example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls
         # yamllint enable rule:line-length
       dependencies:
+        - name: example_single_host_host_entries
+          path: test/salt/states
         - name: example_add_snakeoil_certs
           path: test/salt/states
         - name: locale
@@ -172,6 +175,7 @@ suites:
       state_top:
         base:
           '*':
+            - example_single_host_host_entries
             - example_add_snakeoil_certs
             - nginx.passenger
             - arvados.repo
@@ -193,6 +197,8 @@ suites:
         example_nginx_workbench2.sls: test/salt/pillar/examples/nginx_workbench2_configuration.sls
         # yamllint enable rule:line-length
       dependencies:
+        - name: example_single_host_host_entries
+          path: test/salt/states
         - name: example_add_snakeoil_certs
           path: test/salt/states
         - name: nginx
index 3fc4b8bcd2ae71a58bd4014801ae6296cf54767b..dcf7b5efb5e987b163dedf5fdc969a1e35505730 100644 (file)
@@ -82,19 +82,22 @@ arvados:
 
     ### TOKENS
     tokens:
-      system_root: changeme_system_root_token
-      management: changeme_management_token
-      rails_secret: changeme_rails_secret_token
-      anonymous_user: changeme_anonymous_user_token
+      # SystemRootToken has to be alphanumeric, it does not accept underscores
+      # or special characters. See
+      # https://dev.arvados.org/issues/17150
+      system_root: changemesystemroottoken
+      management: changememanagementtoken
+      rails_secret: changemerailssecrettoken
+      anonymous_user: changemeanonymoususertoken
 
     ### KEYS
     secrets:
-      blob_signing_key: changeme_blob_signing_key
-      workbench_secret_key: changeme_workbench_secret_key
-      dispatcher_access_key: changeme_dispatcher_access_key
-      dispatcher_secret_key: changeme_dispatcher_secret_key
-      keep_access_key: changeme_keep_access_key
-      keep_secret_key: changeme_keep_secret_key
+      blob_signing_key: changemeblobsigningkey
+      workbench_secret_key: changemeworkbenchsecretkey
+      dispatcher_access_key: changemedispatcheraccesskey
+      dispatcher_secret_key: changemedispatchersecretkey
+      keep_access_key: changemekeepaccesskey
+      keep_secret_key: changemekeepsecretkey
 
     AuditLogs:
       Section_to_ignore:
index 5d8afc4158db3eedea665c594a4077b34097e3c6..4585b95b8c829144f8ac1a1cfb117ff5503434b6 100644 (file)
@@ -2,13 +2,13 @@
 
 api_stanza = <<-API_STANZA
     API:
-      RailsSessionSecretToken: "changeme_rails_secret_token"
+      RailsSessionSecretToken: "changemerailssecrettoken"
 API_STANZA
 
 rails_stanza = <<-RAILS_STANZA
       RailsAPI:
         InternalURLs:
-          http://127.0.0.2:8004: {}
+          http://api.internal:8004: {}
 RAILS_STANZA
 
 group = case os[:name]
index 6ac0db84ed5abe48af4d01dd493563b7d370205a..3a746366b826388cb4f691a2b45517ba8a984298 100644 (file)
@@ -4,7 +4,7 @@ keepweb_stanza = <<-KEEPWEB_STANZA
       WebDAV:
         ExternalURL: https://collections.fixme.example.net
         InternalURLs:
-          http://127.0.0.2:9002: {}
+          http://collections.internal:9002: {}
       WebDAVDownload:
         ExternalURL: https://download.fixme.example.net
 KEEPWEB_STANZA
index 0152476de14d594f2ef875a6243ca96d3ea93186..d5289c9c1788c5a87c8b8f3dd2f0f25a00728d25 100644 (file)
@@ -4,7 +4,7 @@ websocket_stanza = <<-WEBSOCKET_STANZA
       Websocket:
         ExternalURL: wss://ws.fixme.example.net/websocket
         InternalURLs:
-          http://127.0.0.2:8005: {}
+          http://ws.internal:8005: {}
 WEBSOCKET_STANZA
 
 group = case os[:name]
index f8be4d469870425ba9cbf97bbbccf0b8f96c3bea..9a14383d7ed27d0210a804993e7ecb316cdf8b97 100644 (file)
@@ -2,7 +2,7 @@
 
 workbench_config = <<-WORKBENCH_STANZA
     Workbench:
-      SecretKeyBase: "changeme_workbench_secret_key"
+      SecretKeyBase: "changemeworkbenchsecretkey"
       SiteName: FIXME
 WORKBENCH_STANZA
 
index e0184103d7d9267328318d7a5676ee55f06a3f40..9e1ccbc0b220b7a9bcc890f27821509b092ace91 100644 (file)
@@ -58,19 +58,19 @@ arvados:
 
     ### TOKENS
     tokens:
-      system_root: changeme_system_root_token
-      management: changeme_management_token
-      rails_secret: changeme_rails_secret_token
-      anonymous_user: changeme_anonymous_user_token
+      system_root: changemesystemroottoken
+      management: changememanagementtoken
+      rails_secret: changemerailssecrettoken
+      anonymous_user: changemeanonymoususertoken
 
     ### KEYS
     secrets:
-      blob_signing_key: changeme_blob_signing_key
-      workbench_secret_key: changeme_workbench_secret_key
-      dispatcher_access_key: changeme_dispatcher_access_key
-      dispatcher_secret_key: changeme_dispatcher_secret_key
-      keep_access_key: changeme_keep_access_key
-      keep_secret_key: changeme_keep_secret_key
+      blob_signing_key: changemeblobsigningkey
+      workbench_secret_key: changemeworkbenchsecretkey
+      dispatcher_access_key: changemedispatcheraccesskey
+      dispatcher_secret_key: changemedispatchersecretkey
+      keep_access_key: changemekeepaccesskey
+      keep_secret_key: changemekeepsecretkey
 
     AuditLogs:
       Section_to_ignore:
@@ -100,7 +100,7 @@ arvados:
       Controller:
         ExternalURL: https://fixme.example.net
         InternalURLs:
-          http://127.0.0.2:8003: {}
+          http://controller.internal:8003: {}
       DispatchCloud:
         InternalURLs:
           http://fixme.example.net:9006: {}
@@ -110,17 +110,17 @@ arvados:
       Keepproxy:
         ExternalURL: https://keep.fixme.example.net
         InternalURLs:
-          http://127.0.0.2:25100: {}
+          http://keep.internal:25100: {}
       Keepstore:
         InternalURLs:
           http://keep0.fixme.example.net:25107: {}
       RailsAPI:
         InternalURLs:
-          http://127.0.0.2:8004: {}
+          http://api.internal:8004: {}
       WebDAV:
         ExternalURL: https://collections.fixme.example.net
         InternalURLs:
-          http://127.0.0.2:9002: {}
+          http://collections.internal:9002: {}
       WebDAVDownload:
         ExternalURL: https://download.fixme.example.net
       WebShell:
@@ -128,7 +128,7 @@ arvados:
       Websocket:
         ExternalURL: wss://ws.fixme.example.net/websocket
         InternalURLs:
-          http://127.0.0.2:8005: {}
+          http://ws.internal:8005: {}
       Workbench1:
         ExternalURL: https://workbench.fixme.example.net
       Workbench2:
index 14450bea88e54c956285d7b206089b8dbce0039b..51d650e027c8045e7494f31259577be98f335b4c 100644 (file)
@@ -76,19 +76,19 @@ arvados:
 
     ### TOKENS
     tokens:
-      system_root: changeme_system_root_token
-      management: changeme_management_token
-      rails_secret: changeme_rails_secret_token
-      anonymous_user: changeme_anonymous_user_token
+      system_root: changemesystemroottoken
+      management: changememanagementtoken
+      rails_secret: changemerailssecrettoken
+      anonymous_user: changemeanonymoususertoken
 
     ### KEYS
     secrets:
-      blob_signing_key: changeme_blob_signing_key
-      workbench_secret_key: changeme_workbench_secret_key
-      dispatcher_access_key: changeme_dispatcher_access_key
-      dispatcher_secret_key: changeme_dispatcher_secret_key
-      keep_access_key: changeme_keep_access_key
-      keep_secret_key: changeme_keep_secret_key
+      blob_signing_key: changemeblobsigningkey
+      workbench_secret_key: changemeworkbenchsecretkey
+      dispatcher_access_key: changemedispatcheraccesskey
+      dispatcher_secret_key: changemedispatchersecretkey
+      keep_access_key: changemekeepaccesskey
+      keep_secret_key: changemekeepsecretkey
 
     AuditLogs:
       Section_to_ignore:
@@ -118,7 +118,7 @@ arvados:
       Controller:
         ExternalURL: https://fixme.example.net
         InternalURLs:
-          http://127.0.0.2:8003: {}
+          http://controller.internal:8003: {}
       DispatchCloud:
         InternalURLs:
           http://fixme.example.net:9006: {}
@@ -128,17 +128,17 @@ arvados:
       Keepproxy:
         ExternalURL: https://keep.fixme.example.net
         InternalURLs:
-          http://127.0.0.2:25100: {}
+          http://keep.internal:25100: {}
       Keepstore:
         InternalURLs:
           http://keep0.fixme.example.net:25107: {}
       RailsAPI:
         InternalURLs:
-          http://127.0.0.2:8004: {}
+          http://api.internal:8004: {}
       WebDAV:
         ExternalURL: https://collections.fixme.example.net
         InternalURLs:
-          http://127.0.0.2:9002: {}
+          http://collections.internal:9002: {}
       WebDAVDownload:
         ExternalURL: https://download.fixme.example.net
       WebShell:
@@ -146,7 +146,7 @@ arvados:
       Websocket:
         ExternalURL: wss://ws.fixme.example.net/websocket
         InternalURLs:
-          http://127.0.0.2:8005: {}
+          http://ws.internal:8005: {}
       Workbench1:
         ExternalURL: https://workbench.fixme.example.net
       Workbench2:
index 3313eab0b41ea6eed0bfca04e400918e0923123b..e64ed11be953a58083bc04a9e28a952b6f608908 100644 (file)
@@ -20,7 +20,7 @@ nginx:
         overwrite: true
         config:
           - server:
-            - listen: '127.0.0.2:8004'
+            - listen: 'api.internal:8004'
             - server_name: api
             - root: /var/www/arvados-api/current/public
             - index:  index.html index.htm
index 3e95cce58649daa8c943c0c7670b5b6807d34b5a..a79bd41e9a735e5c315f4ee66ad859b338801449 100644 (file)
@@ -10,7 +10,7 @@ nginx:
           default: 1
           '127.0.0.0/8': 0
         upstream controller_upstream:
-          - server: '127.0.0.2:8003  fail_timeout=10s'
+          - server: 'controller.internal:8003  fail_timeout=10s'
 
   ### SITES
   servers:
index c20d7bc04dcfa173017d560075f596ab2ee10be9..f1729e7172b248c726be4211df96599f2db3d01d 100644 (file)
@@ -7,7 +7,7 @@ nginx:
       ### STREAMS
       http:
         upstream keepproxy_upstream:
-          - server: '127.0.0.2:25100 fail_timeout=10s'
+          - server: 'keep.internal:25100 fail_timeout=10s'
 
   servers:
     managed:
index dfb02f64230292dfc7512bc28aa02d2e0110eb49..1250d89d2700895ca35837cda677485c0ee670e4 100644 (file)
@@ -7,7 +7,7 @@ nginx:
       ### STREAMS
       http:
         upstream collections_downloads_upstream:
-          - server: '127.0.0.2:9002 fail_timeout=10s'
+          - server: 'collections.internal:9002 fail_timeout=10s'
 
   servers:
     managed:
index 1cc9cce5dd663864428c09b21d2920fac44db180..8c41acbd461040c3f86479e02e4f041ddc5cb604 100644 (file)
@@ -39,8 +39,9 @@ nginx:
       - add_header: 'Strict-Transport-Security "max-age=63072000" always'
 
       # OCSP stapling
-      - ssl_stapling: 'on'
-      - ssl_stapling_verify: 'on'
+      # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
+      # - ssl_stapling: 'on'
+      # - ssl_stapling_verify: 'on'
 
       # verify chain of trust of OCSP response using Root CA and Intermediate certs
       # - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
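Review bot: Commenting out `ssl_stapling` and `ssl_stapling_verify` in the shared example pillar removes them for anyone who copies this file, and the FIXME does not say when they should come back. If the change is only needed for the self-signed test certificate, a comment such as `# Disabled for kitchen runs with snakeoil certs; re-enable with a CA-issued certificate` would make that explicit. Alternatively the test suite could override the two keys in its own pillar and leave the example hardened.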
index c1a8907d2239bfe00c2d21a7328c8ddc0b9faaef..022cd36ac5635acb7ddad417ce7b90a3c1707cf9 100644 (file)
@@ -8,7 +8,7 @@ nginx:
       ### STREAMS
       http:
         upstream webshell_upstream:
-          - server: '127.0.0.2:4200 fail_timeout=10s'
+          - server: 'shell.internal:4200 fail_timeout=10s'
 
   ### SITES
   servers:
index 48e9db26c8e8d496088306d180ced0f4410ea708..f50f40ea1988261d050982b769cbb1b2e11b1fa9 100644 (file)
@@ -7,7 +7,7 @@ nginx:
       ### STREAMS
       http:
         upstream websocket_upstream:
-          - server: '127.0.0.2:8005 fail_timeout=10s'
+          - server: 'ws.internal:8005 fail_timeout=10s'
 
   servers:
     managed:
index 5b8e0e2fee9b3a271ff8c9a62448551bb14a1e7e..fbadc58259f2ec8ca810a0b7673b122329aad491 100644 (file)
@@ -19,7 +19,7 @@ nginx:
       ### STREAMS
       http:
         upstream workbench_upstream:
-          - server: '127.0.0.2:9000 fail_timeout=10s'
+          - server: 'workbench.internal:9000 fail_timeout=10s'
 
   ### SITES
   servers:
@@ -67,7 +67,7 @@ nginx:
         overwrite: true
         config:
           - server:
-            - listen: '127.0.0.2:9000'
+            - listen: 'workbench.internal:9000'
             - server_name: workbench
             - root: /var/www/arvados-workbench/current/public
             - index:  index.html index.htm
index e004128c460596003817161ab56c0d878de75efd..158abcc7783244e572bc1df12f61fdecc38b8cbf 100644 (file)
@@ -1,32 +1,69 @@
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
 snake_oil_certs:
-{%- if grains.os_family in ('RedHat',) %}
   pkg.installed:
     - name: openssl
   cmd.run:
     - name: |
         cat > /tmp/openssl.cnf <<-CNF
-        RANDFILE                = /dev/urandom
-        [ req ]
-        default_bits            = 2048
-        default_keyfile         = privkey.pem
-        distinguished_name      = req_distinguished_name
-        prompt                  = no
-        policy                  = policy_anything
-        req_extensions          = v3_req
-        x509_extensions         = v3_req
-        [ req_distinguished_name ]
-        commonName                      = {{ grains.fqdn }}
-        [ v3_req ]
-        basicConstraints        = CA:FALSE
+        [req]
+        default_bits = 2048
+        prompt = no
+        default_md = sha256
+        x509_extensions = v3_req
+        distinguished_name = dn
+        [dn]
+        C   = CC
+        ST  = SomeState
+        L   = SomeLocation
+        O   = ArvadosFormula
+        OU  = R&D
+        CN  = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        [v3_req]
+        subjectAltName = @alt_names
+        [alt_names]
+        {%- for entry in grains.get('ipv4') %}
+        IP.{{ loop.index }} = {{ entry }}
+        {%- endfor %}
+        {%- for entry in [
+            'keep',
+            'keep0',
+            'collections',
+            'download',
+            'ws',
+            'workbench',
+            'workbench2',
+          ]
+        %}
+        DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        {%- endfor %}
         CNF
+
         mkdir -p /etc/ssl/certs/  /etc/ssl/private/ && \
         openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
           -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-          -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
+          -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \
+        chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+        chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key
     - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
     - require:
       - pkg: openssl
-{%- else %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+ssl_certs:
   pkg.installed:
     - name: ssl-cert
+    - require_in:
+      - sls: postgres
+
+snake_oil_certs_permissions:
+  cmd.run:
+    - name: |
+        chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+    - require:
+      - pkg: ssl_certs
 {%- endif %}
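Review bot: The `[alt_names]` loop lists only the service subdomains, so the bare `{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}` name appears in `CN` but not in `subjectAltName`. Clients that ignore CN once a SAN extension is present would then fail verification against that host (presumably the Controller's ExternalURL), which invites turning on the insecure flag. Adding the bare name as its own entry ahead of the loop, for example `DNS.0 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}`, covers it. The command also still writes as root to fixed paths under `/tmp` (`/tmp/openssl.cnf`, `/tmp/snake_oil_certs.output`); a `mktemp`-created file would avoid following a pre-created link there.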
diff --git a/test/salt/states/example_single_host_host_entries/init.sls b/test/salt/states/example_single_host_host_entries/init.sls
new file mode 100644 (file)
index 0000000..6425448
--- /dev/null
@@ -0,0 +1,28 @@
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+arvados_hosts_entries:
+  host.present:
+    - ip: {{ grains.get('ipv4')[0] }}
+    - names:
+      - {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+      # FIXME! This just works for our testings.
+      # Won't work if the cluster name != host name
+      {%- for entry in [
+          'api',
+          'collections',
+          'controller',
+          'download',
+          'keep',
+          'keep0',
+          'shell',
+          'workbench',
+          'workbench2',
+          'ws',
+        ]
+      %}
+      - {{ entry }}.internal
+      - {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+      {%- endfor %}
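Review bot: `grains.get('ipv4')[0]` takes whichever address comes first in the grain, which on a host with several interfaces may be loopback, a container bridge or an externally reachable interface, and every `*.internal` name then resolves there. Because this commit also moves the plain-HTTP nginx listeners and upstreams from `127.0.0.2` to names such as `api.internal:8004` and `workbench.internal:9000`, those backends would bind to that address instead of loopback. A pillar-supplied address for the `.internal` names, or a separate `host.present` entry pinning them to a loopback address, keeps the internal ports off the network. An empty `ipv4` grain would also fail the render at the `[0]` index.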