From fcec3ef0a2623e8d51def868ccf4622b7c200be4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Wed, 2 Dec 2020 17:24:03 -0300
Subject: [PATCH] docs(examples): improve helper snakeoil ssl certs

Arvados requires the certs to be signed by a CA
---
 docs/README.rst | 2 +-
 .../examples/single_host/snakeoil_certs.sls | 113 +++++++++++++++---
 2 files changed, 96 insertions(+), 19 deletions(-)

diff --git a/docs/README.rst b/docs/README.rst
index d05d5e8..0fb3eda 100644
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -44,7 +44,7 @@ Please see `How to contribute `_ you can find `a provision script `_ +In the `Arvados repository `_ you can find `a provision script `_ to deploy a single-node, all-in-one Arvados cluster (The script uses this formula to get a cluster up and running in Saltstack's master-less mode). The `single-node` install does not include SLURM: it is intended for an `all-in-one-host` installation,
diff --git a/test/salt/states/examples/single_host/snakeoil_certs.sls b/test/salt/states/examples/single_host/snakeoil_certs.sls
index b76bdce..e6c6a96 100644
--- a/test/salt/states/examples/single_host/snakeoil_certs.sls
+++ b/test/salt/states/examples/single_host/snakeoil_certs.sls
@@ -3,9 +3,57 @@
 {%- from "arvados/map.jinja" import arvados with context %}
 {%- set tpldir = curr_tpldir %}

-arvados_test_salt_states_examples_single_host_snakeoil_certs_openssl_pkg_installed:
+include:
+ - nginx.service
+
+{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
+{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
+{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+ {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %}
+ {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %}
+ {%- set openssl_conf = '/etc/ssl/openssl.cnf' %}
+{%- else %}
+ {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %}
+ {%- set update_ca_cert = '/usr/bin/update-ca-trust' %}
+ {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %}
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed:
 pkg.installed:
- - name: openssl
+ - pkgs:
+ - openssl
+ - ca-certificates
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run:
+ # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run
+ cmd.run:
+ - name: |
+ # These dirs are not to CentOS-ish, but this is a helper script
+ # and they should be enough
+ mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -x509 \
+ -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \
+ -extensions x509_ext \
+ -config <(cat {{ openssl_conf }} \
+ <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+ -out {{ arvados_ca_cert_file }} \
+ -keyout {{ arvados_ca_key_file }} \
+ -days 3650 && \
+ cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \
+ {{ update_ca_cert }}
+ - unless:
+ - test -f {{ arvados_ca_cert_file }}
+ - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }}
+ - require:
+ - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed

 arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run:
 cmd.run:
@@ -15,17 +63,17 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_c
 default_bits = 2048
 prompt = no
 default_md = sha256
- x509_extensions = v3_req
+ req_extensions = rext
 distinguished_name = dn
 [dn]
 C = CC
- ST = SomeState
- L = SomeLocation
- O = ArvadosFormula
- OU = R&D
+ ST = Some State
+ L = Some Location
+ O = Arvados Formula
+ OU = arvados-formula
 CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
 emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
- [v3_req]
+ [rext]
 subjectAltName = @alt_names
 [alt_names]
 {%- for entry in grains.get('ipv4') %}
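Review bot: The CA private key written by `-keyout {{ arvados_ca_key_file }}` gets no explicit mode, while the leaf key elsewhere in this file is given chmod 0640; its final mode is left to the openssl build and the minion's umask, and this is the key whose certificate the `cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && {{ update_ca_cert }}` step installs into the host trust store, so anything it signs is trusted system-wide. Add `chmod 0600 {{ arvados_ca_key_file }} && \` before the `cp` line, and a comment above the state such as `# Installs a throw-away CA into the system trust store: for local testing only`. The `-config <(cat ... <(printf ...))` construction uses bash process substitution, but `cmd.run` executes under the minion's default shell, so add `- shell: /bin/bash` to this state to keep it from failing under /bin/sh. The `..._snake_oil_cert_cmd_run` state that starts at the end of this hunk continues outside it.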
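Review bot: `[rext]` carries only `subjectAltName = @alt_names`, yet it is now the section copied onto the CA-issued leaf certificate (the signing step reads it with `-extensions rext`), so the server certificate is issued with no `basicConstraints` and no key-usage restriction. Pin it to its role by adding `basicConstraints = CA:FALSE`, `keyUsage = digitalSignature, keyEncipherment` and `extendedKeyUsage = serverAuth` under `[rext]`, which also makes the intended use explicit to validators that check EKU. The embedded openssl config this hunk edits begins and ends outside the hunk.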
@@ -44,15 +92,33 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_c
 {%- endfor %}
 CNF

- mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
- openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
- -out /etc/ssl/certs/arvados-snakeoil-cert.pem \
- -keyout /etc/ssl/private/arvados-snakeoil-cert.key > /tmp/snake_oil_certs.output 2>&1 && \
- chmod 0644 /etc/ssl/certs/arvados-snakeoil-cert.pem && \
- chmod 0640 /etc/ssl/private/arvados-snakeoil-cert.key
- - unless: test -f /etc/ssl/private/arvados-snakeoil-cert.key
+ # The req
+ openssl req \
+ -config /tmp/openssl.cnf \
+ -new \
+ -nodes \
+ -sha256 \
+ -out {{ arvados_csr_file }} \
+ -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \
+ # The cert
+ openssl x509 \
+ -req \
+ -days 3650 \
+ -in {{ arvados_csr_file }} \
+ -out {{ arvados_cert_file }} \
+ -extfile /tmp/openssl.cnf \
+ -extensions rext \
+ -CA {{ arvados_ca_cert_file }} \
+ -CAkey {{ arvados_ca_key_file }} \
+ -set_serial $(date +%s) && \
+ chmod 0644 {{ arvados_cert_file }} && \
+ chmod 0640 {{ arvados_key_file }}
+ - unless:
+ - test -f {{ arvados_key_file }}
+ - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }}
 - require:
- - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_openssl_pkg_installed
+ - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+ - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run

 {%- if grains.get('os_family') == 'Debian' %}
 arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
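Review bot: `-set_serial $(date +%s)` derives the leaf's serial number from the wall clock at second resolution, which is predictable and only unique per issuer as long as no two certificates are signed in the same second; RFC 5280 wants serials unique per CA and recommends an unguessable value, so `-set_serial 0x$(openssl rand -hex 16) && \` is the safer one-line replacement. The signing step also reads its extensions from the fixed path `/tmp/openssl.cnf` (written by the heredoc above this hunk) and logs to `/tmp/snake_oil_certs.output`, both in a world-writable directory; switching the heredoc to a `mktemp`-created file would remove the fixed-name temp file, though that change lands outside this hunk. The `- name: |` block being edited starts before the hunk.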
@@ -61,11 +127,22 @@ arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_instal
 - require_in:
 - sls: postgres

-snake_oil_certs_permissions:
+arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run:
 cmd.run:
 - name: |
- chown root:ssl-cert /etc/ssl/private/arvados-snakeoil-cert.key
+ chown root:ssl-cert {{ arvados_key_file }}
 - require:
 - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
 - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
 {%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
+ file.managed:
+ - name: /etc/nginx/snippets/arvados-snakeoil.conf
+ - contents: |
+ ssl_certificate {{ arvados_cert_file }};
+ ssl_certificate_key {{ arvados_key_file }};
+ - watch_in:
+ - service: nginx_service
+
+
-- 
2.30.2
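Review bot: The new `..._nginx_snakeoil_file_managed` state has no `require` on the state that produces `{{ arvados_cert_file }}` and `{{ arvados_key_file }}`, so the snippet, and the nginx reload it triggers through `watch_in`, rely on declaration order alone for the key and certificate to exist. Add `- require:` / `  - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run` to the state, and on Debian also require `..._certs_permissions_cmd_run` (inside the same `os_family` check, since that ID is only defined there) so the `root:ssl-cert` ownership is in place before nginx reads the key. A comment above the state would also help readers, e.g. `# Leaf certificate only: clients outside this host must trust {{ arvados_ca_cert_file }} to validate it`.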