projects / arvados.git / blob
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
20318: Merge branch 'main' into 20318-disk-cache
[arvados.git] / tools / salt-install / config_examples / multi_host / aws / states / ssl_key_encrypted.sls
1 # Copyright (C) The Arvados Authors. All rights reserved.
2 #
3 # SPDX-License-Identifier: Apache-2.0
4
5 {%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
6
7 {%- if ssl_key_encrypted.enabled %}
8
9 extra_ssl_key_encrypted_required_pkgs:
10   pkg.installed:
11     - name: jq
12     - name: awscli
13
14 extra_ssl_key_encrypted_password_retrieval_script:
15   file.managed:
16     - name: {{ ssl_key_encrypted.privkey_password_script }}
17     - user: root
18     - group: root
19     - mode: '0750'
20     - require:
21       - pkg: extra_ssl_key_encrypted_required_pkgs
22     - contents: |
23         #!/bin/bash
24
25         # RUNTIME_DIRECTORY is provided by systemd.
26         # NOTE: We assume systemd's set up in a way that there's just one
27         # runtime dir for this particular unit, otherwise this variable could
28         # contain multiple paths separated by a colon.
29         PASSWORD_FILE="${RUNTIME_DIRECTORY}/{{ ssl_key_encrypted.privkey_password_filename }}"
30
31         while [ true ]; do
32           # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
33           # loading invalid credentials on nodes who use ~/.aws/credentials for other
34           # purposes (e.g.: the dispatcher credentials)
35           # Access to the secrets manager is given by using an instance profile.
36           AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > "${PASSWORD_FILE}"
37           sleep 1
38         done
39
40 extra_ssl_key_encrypted_password_retrieval_service_unit:
41   file.managed:
42     - name: /etc/systemd/system/password_secret_connector.service
43     - user: root
44     - group: root
45     - mode: '0644'
46     - require:
47       - file: extra_ssl_key_encrypted_password_retrieval_script
48     - contents: |
49         [Unit]
50         Description=Arvados SSL private key password retrieval service
51         After=network.target
52         [Service]
53         # WARNING: the script below assumes that RuntimeDirectory only holds one
54         # path value, won't work with multiple paths.
55         RuntimeDirectory=arvados
56         ExecStartPre=/usr/bin/mkfifo --mode=0600 {{ ('%t/arvados/' ~ ssl_key_encrypted.privkey_password_filename) | yaml_dquote }}
57         ExecStart=/bin/bash {{ ssl_key_encrypted.privkey_password_script | yaml_dquote }}
58         [Install]
59         WantedBy=multi-user.target
60
61 extra_ssl_key_encrypted_password_retrieval_service:
62   service.running:
63     - name: password_secret_connector
64     - enable: true
65     - require:
66       - file: extra_ssl_key_encrypted_password_retrieval_service_unit
67     - watch:
68       - file: extra_ssl_key_encrypted_password_retrieval_service_unit
69       - file: extra_ssl_key_encrypted_password_retrieval_script
70
71 {%- endif %}