From ee822734b85d93c7f5aedf25abbb8eb9c0baf46c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Mon, 3 May 2021 19:05:19 -0300
Subject: [PATCH] feat(config): enable strict config-check before deploying

* modify pillars and examples to pass config-check

BREAKING CHANGE: the configuration file now is checked before deployment to make sure it's valid. As keys and tokens now are checked to make sure they comply with Arvados' requirements, old configurations might fail to deploy
---
 arvados/config/file.sls | 2 +-
 arvados/defaults.yaml | 3 +-
 arvados/files/default/config.tmpl.jinja | 2 -
 pillar.example | 65 +++++++++++--------
 .../workbench/controls/config_spec.rb | 2 +-
 test/salt/pillar/arvados.sls | 12 ++--
 test/salt/pillar/arvados_dev.sls | 12 ++--
 7 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/arvados/config/file.sls b/arvados/config/file.sls
index fb9ab67..4d99721 100644
--- a/arvados/config/file.sls
+++ b/arvados/config/file.sls
@@ -25,6 +25,6 @@ arvados-config-file-file-managed:
 - template: jinja
 - context:
 arvados: {{ arvados | json }}
- - check_cmd: /usr/bin/arvados-server config-dump -config
+ - check_cmd: {{ arvados.config.check_command }}
 - require:
 - pkg: arvados-config-package-install-pkg-installed
diff --git a/arvados/defaults.yaml b/arvados/defaults.yaml
index da441d0..d737ee4 100644
--- a/arvados/defaults.yaml
+++ b/arvados/defaults.yaml
@@ -37,14 +37,13 @@ arvados:
 user: root
 group: root
 mode: 640
+ check_command: /usr/bin/arvados-server config-check -config
 # Experimental feature
 # only available when 'release: development'
 auto_reload_config: false
 cluster:
- force_legacy_api14: false
-
 database:
 connection_pool_max: 32
diff --git a/arvados/files/default/config.tmpl.jinja b/arvados/files/default/config.tmpl.jinja
index 9c9db2f..017c672 100644
--- a/arvados/files/default/config.tmpl.jinja
+++ b/arvados/files/default/config.tmpl.jinja
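Review bot: The new `check_cmd` value is rendered as an unquoted plain scalar, so a `check_command` pillar value containing a `#` or a `: ` sequence would be truncated or mis-parsed by the state's own YAML before Salt runs anything, and the deploy would then fail for a reason unrelated to the Arvados config. The template in this same commit already protects the tokens with `yaml_encode`; the same filter here, `- check_cmd: {{ arvados.config.check_command | yaml_encode }}`, keeps arbitrary command strings intact. Because the pillar now chooses which program validates the configuration, and pillar.example documents `/bin/true` as a way to switch validation off, anyone auditing a deployment should check the effective `check_command` rather than the state alone. The `arvados-config-file-file-managed` state begins before this hunk.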
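Review bot: The new `check_command` default carries no comment, and the position of `-config` is load-bearing: Salt's `file.managed` runs `check_cmd` with the path of the temporary file holding the rendered contents appended as the last argument, so the flag must stay last and any pillar override must keep that shape. A comment above the key such as `# Salt appends the rendered temp file path as the last argument, so -config must stay last; config-check is strict by default and also fails on warnings` would make that explicit, and the same sentence belongs in the pillar.example block that shows the override examples. The strict-by-default behaviour is taken from the pillar.example text in this commit rather than verified against the tool. The `config` mapping this key lives in starts before the hunk.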
@@ -19,8 +19,6 @@ Clusters:
 SystemRootToken: {{ arvados.cluster.tokens.system_root | yaml_encode }}
 ManagementToken: {{ arvados.cluster.tokens.management | yaml_encode }}
- ForceLegacyAPI14: {{ arvados.cluster.force_legacy_api14 }}
-
 API:
 {%- if 'API' in arvados.cluster %}
 {{ arvados.cluster.API | default('') | yaml(False) | indent(6) }}
diff --git a/pillar.example b/pillar.example
index b8acf45..4105b66 100644
--- a/pillar.example
+++ b/pillar.example
@@ -8,23 +8,23 @@ arvados:
 ### GENERAL CONFIG
 # version: '2.1.0'
 # release: production
- ## It makes little sense to disable this flag, but you can, if you want :)
+ ### It makes little sense to disable this flag, but you can, if you want :)
 # use_upstream_repo: true
- ## Repo URL is built with grains values. If desired, it can be completely
- ## overwritten with the pillar parameter 'repo_url'
+ ### Repo URL is built with grains values. If desired, it can be completely
+ ### overwritten with the pillar parameter 'repo_url'
 # repo:
 # humanname: Arvados Official Repository
- ## IMPORTANT!!!!!
- ## api, workbench and shell require some gems, so you need to make sure ruby
- ## and deps are installed in order to install and compile the gems.
- ## We default to `false` in these two variables as it's expected you already
- ## manage OS packages with some other tool and you don't want us messing up
- ## with your setup.
+ # IMPORTANT!!!!!
+ # api, workbench and shell require some gems, so you need to make sure ruby
+ # and deps are installed in order to install and compile the gems.
+ # We default to `false` in these two variables as it's expected you already
+ # manage OS packages with some other tool and you don't want us messing up
+ # with your setup.
 ruby:
- ## We set these to `true` here for testing purposes.
- ## They both default to `false`.
+ # We set these to `true` here for testing purposes.
+ # They both default to `false`.
 manage_ruby: true
 use_rvm: false # If you want to use rvm. Defaults to true for centos-7
 # pkg: ruby # Can specify a version like ruby-2.5.7 for rvm
@@ -47,11 +47,26 @@ arvados: # config: # file: /etc/arvados/config.yml # user: root - ## IMPORTANT!!!!! - ## If you're intalling any of the rails apps (api, workbench), the group - ## should be set to that of the web server, usually `www-data` + ### IMPORTANT!!!!! + ### If you're intalling any of the rails apps (api, workbench), the group + ### should be set to that of the web server, usually `www-data` # group: root # mode: 640 + # + ### This is the command run to verify the configuration is correct before + ### deploying it. By default it uses `-strict=true`, so it will error on + ### warnings (ie, unknown/deprecated parameters) + # + # check_command: /usr/bin/arvados-server config-check -config + # + ### To fail only on errors, you can use + # + # check_command: /usr/bin/arvados-server config-check -strict=false -config + # + ### and to disable configuration checking (not recommended), just set it to + ### any command that returns true + # + # check_command: /bin/true ### ARVADOS CLUSTER CONFIG cluster: @@ -68,9 +83,9 @@ arvados: # You can pass extra database connections parameters here, # which will be rendered as yaml. # extra_conn_params: - # sslmode: prefer - # verify-ca: false - # client_encoding: UTF8 + # sslmode: prefer + # verify-ca: false + # client_encoding: UTF8 tls: 
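Review bot: The reworded comment line `### If you're intalling any of the rails apps (api, workbench), the group` carries the `intalling` typo into new text; `### If you're installing any of the rails apps (api, workbench), the group`. In the new `check_command` documentation block the text says the default "uses `-strict=true`" but the default example does not show that flag, so a reader never sees the name of the switch they are told to flip; writing the first example as `# check_command: /usr/bin/arvados-server config-check -strict=true -config` makes the two examples differ only in the flag's value and matches the prose. The `config` mapping continues outside the hunk on both sides.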
@@ -84,25 +99,21 @@ arvados:
 # Secrets and tokens have to be +32 alphanumeric,
 # it does not accept underscores or special characters.
 # See https://dev.arvados.org/issues/17150
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
 # The AnonymousUserToken can be set here or in the
- # USers dictionary below. The latter will be used if set.
- anonymous_user: changemeanonymoususertoken
+ # Users dictionary below. The latter will be used if set.
+ anonymous_user: anonymoususertokenmushaveatleast32characters
 ### KEYS
 secrets:
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
 dispatcher_access_key: changemedispatcheraccesskey
 dispatcher_secret_key: changemedispatchersecretkey
 keep_access_key: changemekeepaccesskey
 keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
 ### VOLUMES
 ## This should usually match all your `keepstore` instances
 Volumes:
diff --git a/test/integration/workbench/controls/config_spec.rb b/test/integration/workbench/controls/config_spec.rb
index 9a14383..8e33e84 100644
--- a/test/integration/workbench/controls/config_spec.rb
+++ b/test/integration/workbench/controls/config_spec.rb
@@ -2,7 +2,7 @@ workbench_config = <<-WORKBENCH_STANZA
 Workbench:
- SecretKeyBase: "changemeworkbenchsecretkey"
+ SecretKeyBase: "workbenchsecretkeymushaveatleast32characters"
 SiteName: FIXME
 WORKBENCH_STANZA
diff --git a/test/salt/pillar/arvados.sls b/test/salt/pillar/arvados.sls
index 635b894..d8117c6 100644
--- a/test/salt/pillar/arvados.sls
+++ b/test/salt/pillar/arvados.sls
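Review bot: The replacement values on the `+` lines (`systemroottokenmushaveatleast32characters` and the others) are long enough to satisfy the new `config-check`, so a pillar copied from this example and left unedited now deploys with tokens and keys that are public in this repository, whereas the old `changeme…` values read as placeholders and, being under 32 characters, would have been rejected by the check this commit introduces. Keeping an unmistakable marker inside the example values, e.g. `system_root: changemesystemroottokenmusthaveatleast32characters`, or a `###` line above `tokens:` stating that these exact strings must never reach a real cluster, would preserve that signal; the same applies to the test pillars in test/salt/pillar/arvados.sls and arvados_dev.sls, though as fixtures they matter less. The new values also spell `mushave` where `musthave` was presumably intended. Separately, the `dispatcher_*` and `keep_*` keys keep their shorter `changeme…` values although the comment above says all secrets need 32+ characters, so either the checker does not cover them or the comment overstates the rule, which is worth confirming. The `cluster` mapping begins before this hunk.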
@@ -57,23 +57,19 @@ arvados:
 ### TOKENS
 tokens:
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
 anonymous_user: anonymoususertokensetinthetokensdict
 ### KEYS
 secrets:
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
 dispatcher_access_key: changemedispatcheraccesskey
 dispatcher_secret_key: changemedispatchersecretkey
 keep_access_key: changemekeepaccesskey
 keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
 ### VOLUMES
 ## This should usually match all your `keepstore` instances
 Volumes:
diff --git a/test/salt/pillar/arvados_dev.sls b/test/salt/pillar/arvados_dev.sls
index 1dcc78b..2160b93 100644
--- a/test/salt/pillar/arvados_dev.sls
+++ b/test/salt/pillar/arvados_dev.sls
@@ -83,22 +83,18 @@ arvados:
 ### TOKENS
 tokens:
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
 ### KEYS
 secrets:
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
 dispatcher_access_key: changemedispatcheraccesskey
 dispatcher_secret_key: changemedispatchersecretkey
 keep_access_key: changemekeepaccesskey
 keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
 ### VOLUMES
 ## This should usually match all your `keepstore` instances
 Volumes:
-- 
2.30.2