From: Javier Bértoli
Date: Wed, 21 Jul 2021 17:47:58 +0000 (-0300)
Subject: 17750: Update nginx/ssl example pillars and states
X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/aea99ea5eafb8d2256a6441a72021eaf9db7cbb2
17750: Update nginx/ssl example pillars and states
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
diff --git a/test/salt/pillar/examples/nginx_controller_configuration.sls b/test/salt/pillar/examples/nginx_controller_configuration.sls
index 88d69f4..787af82 100644
--- a/test/salt/pillar/examples/nginx_controller_configuration.sls
+++ b/test/salt/pillar/examples/nginx_controller_configuration.sls
@@ -36,6 +36,8 @@ nginx:
 arvados_controller_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: fixme.example.net
@@ -53,8 +55,7 @@ nginx:
 - proxy_set_header: 'X-Forwarded-For $proxy_add_x_forwarded_for'
 - proxy_set_header: 'X-External-Client $external_client'
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/fixme.example.net.access.log combined
 - error_log: /var/log/nginx/fixme.example.net.error.log
 - client_max_body_size: 128m
diff --git a/test/salt/pillar/examples/nginx_keepproxy_configuration.sls b/test/salt/pillar/examples/nginx_keepproxy_configuration.sls
index 8500afb..d9ed0c6 100644
--- a/test/salt/pillar/examples/nginx_keepproxy_configuration.sls
+++ b/test/salt/pillar/examples/nginx_keepproxy_configuration.sls
@@ -32,6 +32,8 @@ nginx:
 arvados_keepproxy_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: keep.fixme.example.net
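Review bot: The `requires:` entry added to `arvados_controller_ssl.conf` in nginx_controller_configuration.sls hard-codes the state ID `nginx_snippet_arvados-snakeoil.conf`, which is presumably the ID the nginx formula derives from the snippet key `arvados-snakeoil.conf` defined in nginx_passenger.sls. Nothing on these lines records that link, so renaming or dropping the snippet leaves a requisite that points at no state. I would add a comment above it such as `# ID of the state the nginx formula creates for the 'arvados-snakeoil.conf' snippet (see nginx_passenger.sls)`. The same applies to the identical `requires:` additions in the keepproxy, keepweb, webshell, websocket, workbench2 and workbench pillars and to the `require_in` targets in snakeoil_certs.sls.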
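Review bot: With the commented-out `snippets/letsencrypt.conf` line removed, the second hunk of nginx_controller_configuration.sls leaves `snippets/arvados-snakeoil.conf` as the only certificate include, and nothing next to it says that this is a self-signed test certificate. Example pillars are likely to be copied as a starting point, so I would mark the line, for example `# self-signed test certificate: replace with a snippet for a CA-issued certificate outside of testing`. The same include change appears in the keepproxy, keepweb, webshell, websocket, workbench2 and workbench pillars. The server block starts and ends outside the hunk.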
@@ -53,7 +55,6 @@ nginx:
 - proxy_http_version: '1.1'
 - proxy_request_buffering: 'off'
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/keepproxy.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/keepproxy.fixme.example.net.error.log
diff --git a/test/salt/pillar/examples/nginx_keepweb_configuration.sls b/test/salt/pillar/examples/nginx_keepweb_configuration.sls
index 5385430..be18c4d 100644
--- a/test/salt/pillar/examples/nginx_keepweb_configuration.sls
+++ b/test/salt/pillar/examples/nginx_keepweb_configuration.sls
@@ -33,6 +33,8 @@ nginx:
 arvados_collections_download_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: collections.fixme.example.net download.fixme.example.net
@@ -53,7 +55,6 @@ nginx:
 - proxy_http_version: '1.1'
 - proxy_request_buffering: 'off'
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/collections.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/collections.fixme.example.net.error.log
diff --git a/test/salt/pillar/examples/nginx_passenger.sls b/test/salt/pillar/examples/nginx_passenger.sls
index 8437d33..6bbd989 100644
--- a/test/salt/pillar/examples/nginx_passenger.sls
+++ b/test/salt/pillar/examples/nginx_passenger.sls
@@ -60,8 +60,8 @@ nginx:
 # replace with the IP address of your resolver
 # - resolver: 127.0.0.1
- ssl_snakeoil.conf:
- - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
+ arvados-snakeoil.conf:
+ - ssl_certificate: /etc/ssl/private/arvados-snakeoil-cert.pem
 - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
 ### SITES
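Review bot: The certificate and key paths in the `arvados-snakeoil.conf` snippet of nginx_passenger.sls are now a second hard-coded copy of `arvados_cert_file` and `arvados_key_file` from snakeoil_certs.sls; the `file.managed` state this commit removes there rendered the snippet from those variables. If one side is edited and the other is not, nginx is pointed at a certificate path the state never wrote. A comment on the snippet would record the link, for example `# paths must match arvados_cert_file / arvados_key_file in states/examples/single_host/snakeoil_certs.sls`.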
diff --git a/test/salt/pillar/examples/nginx_webshell_configuration.sls b/test/salt/pillar/examples/nginx_webshell_configuration.sls
index 661ce2c..d228715 100644
--- a/test/salt/pillar/examples/nginx_webshell_configuration.sls
+++ b/test/salt/pillar/examples/nginx_webshell_configuration.sls
@@ -58,6 +58,8 @@ nginx:
 arvados_webshell_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: webshell.fixme.example.net
@@ -96,8 +98,7 @@ nginx:
 - add_header: "'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type'"
 {%- endfor %}
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/webshell.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/webshell.fixme.example.net.error.log
diff --git a/test/salt/pillar/examples/nginx_websocket_configuration.sls b/test/salt/pillar/examples/nginx_websocket_configuration.sls
index 5c228ba..20682bb 100644
--- a/test/salt/pillar/examples/nginx_websocket_configuration.sls
+++ b/test/salt/pillar/examples/nginx_websocket_configuration.sls
@@ -32,6 +32,8 @@ nginx:
 arvados_websocket_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: ws.fixme.example.net
@@ -54,7 +56,6 @@ nginx:
 - proxy_http_version: '1.1'
 - proxy_request_buffering: 'off'
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/ws.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/ws.fixme.example.net.error.log
diff --git a/test/salt/pillar/examples/nginx_workbench2_configuration.sls b/test/salt/pillar/examples/nginx_workbench2_configuration.sls
index 13c1da0..3c3ba4e 100644
--- a/test/salt/pillar/examples/nginx_workbench2_configuration.sls
+++ b/test/salt/pillar/examples/nginx_workbench2_configuration.sls
@@ -36,6 +36,8 @@ nginx:
 arvados_workbench2_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: workbench2.fixme.example.net
@@ -50,7 +52,6 @@ nginx:
 - location /config.json:
 - return: {{ "200 '" ~ '{"API_HOST":"fixme.example.net"}' ~ "'" }}
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 - access_log: /var/log/nginx/workbench2.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/workbench2.fixme.example.net.error.log
diff --git a/test/salt/pillar/examples/nginx_workbench_configuration.sls b/test/salt/pillar/examples/nginx_workbench_configuration.sls
index 7c03d3a..37fa31c 100644
--- a/test/salt/pillar/examples/nginx_workbench_configuration.sls
+++ b/test/salt/pillar/examples/nginx_workbench_configuration.sls
@@ -36,6 +36,8 @@ nginx:
 arvados_workbench_ssl.conf:
 enabled: true
 overwrite: true
+ requires:
+ file: nginx_snippet_arvados-snakeoil.conf
 config:
 - server:
 - server_name: workbench.fixme.example.net
@@ -45,8 +47,7 @@ nginx:
 - passenger_enabled: 'on'
 - index: index.html index.htm
 - include: 'snippets/ssl_hardening_default.conf'
- # - include: 'snippets/letsencrypt.conf'
- - include: 'snippets/ssl_snakeoil.conf'
+ - include: 'snippets/arvados-snakeoil.conf'
 # yamllint disable-line rule:line-length
 - access_log: /var/log/nginx/workbench.fixme.example.net.access.log combined
 - error_log: /var/log/nginx/workbench.fixme.example.net.error.log
diff --git a/test/salt/states/examples/single_host/snakeoil_certs.sls b/test/salt/states/examples/single_host/snakeoil_certs.sls
index 87211f3..91617e4 100644
--- a/test/salt/states/examples/single_host/snakeoil_certs.sls
+++ b/test/salt/states/examples/single_host/snakeoil_certs.sls
@@ -12,9 +12,11 @@ include:
 - nginx.config
 - nginx.service
-{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+# Debian uses different dirs for certs and keys, but being a Snake Oil example,
+# we'll keep it simple here.
+{%- set arvados_ca_cert_file = '/etc/ssl/private/arvados-snakeoil-ca.pem' %}
 {%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
-{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_cert_file = '/etc/ssl/private/arvados-snakeoil-cert.pem' %}
 {%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
 {%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
@@ -126,6 +128,9 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_c
 - require:
 - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
 - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+ # We need this before we can add the nginx's snippet
+ - require_in:
+ - file: nginx_snippet_arvados-snakeoil.conf
 {%- if grains.get('os_family') == 'Debian' %}
 arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
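Review bot: Moving `arvados_ca_cert_file` and `arvados_cert_file` under `/etc/ssl/private` in the first hunk of snakeoil_certs.sls puts public certificates in the directory that also holds the CA and server keys, and the added comment explains the choice but not its consequence. On Debian that directory is normally not readable by unprivileged users, so a process that needs the CA certificate to verify the services has to be given a copy; the comment should say so, so that nobody loosens the directory's permissions instead. Suggested wording: `# Certificates live next to the keys in /etc/ssl/private; copy the CA certificate elsewhere for clients that must read it rather than opening up this directory.` The permission-fixing state further down the file is not visible in this hunk, so its effect on these files should be checked.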
@@ -142,18 +147,6 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_c
 - require:
 - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
 - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
-{%- endif %}
-
-arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
- file.managed:
- - name: /etc/nginx/snippets/arvados-snakeoil.conf
- - contents: |
- ssl_certificate {{ arvados_cert_file }};
- ssl_certificate_key {{ arvados_key_file }};
- - watch_in:
- - service: nginx_service
- - require:
- - pkg: passenger_install
- - file: arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run
 - require_in:
- - file: nginx_config
+ - file: nginx_snippet_arvados-snakeoil.conf
+{%- endif %}