20035: Fixes systemd unit Exec* value quoting.
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: Apache-2.0
4
{# Pillar switch for the encrypted-SSL-key password connector: every state
   below is skipped unless `ssl_key_encrypted.enabled` is set in the pillar.
   The other keys the states read from this dict are privkey_password_script,
   privkey_password_filename, aws_secret_name and aws_region. #}
{%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
6
7 {%- if ssl_key_encrypted.enabled %}
8
# jq is needed by the retrieval script to pull `.SecretString` out of the
# aws CLI's JSON output.
# NOTE(review): the `aws` CLI the script calls is not installed by this
# state; it is assumed to already be present on the node — confirm.
extra_ssl_key_encrypted_required_pkgs:
  pkg.installed:
    - name: jq
12
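# Installs the script that hands the SSL private key password to a consumer
# through a FIFO, fetching it from AWS Secrets Manager on every read.
extra_ssl_key_encrypted_password_retrieval_script:
  file.managed:
    - name: {{ ssl_key_encrypted.privkey_password_script }}
    - user: root
    - group: root
    # Root-only: the script names the secret and handles the password.
    - mode: '0750'
    - require:
      - pkg: extra_ssl_key_encrypted_required_pkgs
    - contents: |
        #!/bin/bash

        # Serves the SSL private key password through a FIFO, fetching it
        # from AWS Secrets Manager for every reader that connects.
        # A failed retrieval writes NOTHING to the FIFO: readers then block
        # until a password is available instead of being handed an empty
        # string (or the literal "null") that would look like a bad password.

        # -u: an unset variable (notably RUNTIME_DIRECTORY) is a setup error,
        #     not a reason to write the password into the root directory.
        # pipefail: a failing `aws` call must not be masked by jq's exit code.
        set -u -o pipefail

        # RUNTIME_DIRECTORY is provided by systemd.
        # NOTE: We assume systemd's set up in a way that there's just one
        # runtime dir for this particular unit, otherwise this variable could
        # contain multiple paths separated by a colon.
        PASSWORD_FILE="${RUNTIME_DIRECTORY}/{{ ssl_key_encrypted.privkey_password_filename }}"
        # Seconds to wait before retrying a failed retrieval, so a persistent
        # problem (IAM, network, throttling) doesn't hammer the API.
        RETRY_DELAY=10

        # The FIFO is created by the unit's ExecStartPre; anything else here
        # means the runtime directory isn't what we expect.
        if [ ! -p "${PASSWORD_FILE}" ]; then
          echo "${PASSWORD_FILE} is not a FIFO, refusing to serve the key password" >&2
          exit 1
        fi

        while true; do
          # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
          # loading invalid credentials on nodes who use ~/.aws/credentials for other
          # purposes (e.g.: the dispatcher credentials)
          # Access to the secrets manager is given by using an instance profile.
          # NOTE: the secret name and region are interpolated from the pillar
          # into single-quoted shell strings and must not contain quotes.
          # NOTE: assumes the secret is stored as a plain string; a JSON
          # key/value secret would be handed over verbatim as the password.
          if ! password="$(AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString)" \
             || [ -z "${password}" ] || [ "${password}" = "null" ]; then
            # jq prints "null" when SecretString is missing (e.g. a binary
            # secret) and nothing at all when the aws call produced no output.
            echo "failed to retrieve the SSL private key password from AWS Secrets Manager, retrying in ${RETRY_DELAY}s" >&2
            sleep "${RETRY_DELAY}"
            continue
          fi
          # Opening the FIFO for writing blocks until a reader connects, so
          # each successful retrieval is handed over to exactly one reader.
          printf '%s\n' "${password}" > "${PASSWORD_FILE}"
          sleep 1
        done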
38
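# systemd unit that creates the password FIFO under the unit's runtime
# directory and keeps the retrieval script running behind it.
extra_ssl_key_encrypted_password_retrieval_service_unit:
  file.managed:
    - name: /etc/systemd/system/password_secret_connector.service
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - file: extra_ssl_key_encrypted_password_retrieval_script
    - contents: |
        [Unit]
        Description=Arvados SSL private key password retrieval service
        # The script calls AWS Secrets Manager, so wait for the network to be
        # usable, not merely configured (network.target gives no such guarantee).
        Wants=network-online.target
        After=network-online.target
        [Service]
        # WARNING: the script below assumes that RuntimeDirectory only holds one
        # path value, won't work with multiple paths.
        # NOTE(review): systemd removes this directory when the unit stops; if
        # other units keep files under /run/arvados, confirm that is intended.
        RuntimeDirectory=arvados
        ExecStartPre=/usr/bin/mkfifo --mode=0600 {{ ('%t/arvados/' ~ ssl_key_encrypted.privkey_password_filename) | yaml_dquote }}
        ExecStart=/bin/bash {{ ssl_key_encrypted.privkey_password_script | yaml_dquote }}
        # This script is the only source of the key password: if it ever exits
        # (script error, SIGPIPE from a reader closing early) bring it back, with
        # a small delay so a persistent failure doesn't become a tight crash loop.
        Restart=always
        RestartSec=5
        # The service only runs aws/jq and writes a FIFO under RuntimeDirectory.
        NoNewPrivileges=true
        PrivateTmp=true
        [Install]
        WantedBy=multi-user.target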
59
# Keep the connector running and enabled at boot, and restart it whenever
# either its unit file or the script it executes is rewritten.
extra_ssl_key_encrypted_password_retrieval_service:
  service.running:
    - enable: true
    - name: password_secret_connector
    - watch:
      - file: extra_ssl_key_encrypted_password_retrieval_script
      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
    - require:
      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
69
70 {%- endif %}