20610: Adds node list & role->nodes map variables.
[arvados.git] / tools / salt-install / provision.sh
1 #!/bin/bash
2
3 # Copyright (C) The Arvados Authors. All rights reserved.
4 #
5 # SPDX-License-Identifier: CC-BY-SA-3.0
6
7 # If you want to test arvados in a single host, you can run this script, which
8 # will install it using salt masterless
9 # This script is run by the Vagrant file when you run it with
10 #
11 # vagrant up
12
# A pipeline fails as soon as any of its stages fails
set -o pipefail

# Absolute path of the directory this script lives in
SCRIPT_DIR="$(
  cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd
)"
17
#######################################
# Print the command-line help.
# Globals:   none
# Arguments: none
# Outputs:   the help text on stderr; nothing is written to stdout
#######################################
usage() {
  cat >&2 << EOF

Usage: ${0} [-h] [-d] [-t] [-v] [-c <local.params>] [-r <roles>] [--development] [--dump-config <dest_dir>]

${0} options:
  -d, --debug                                 Run salt installation in debug mode
  -c <local.params>, --config <local.params>  Path to the local.params config file
  -t, --test                                  Test installation running a CWL workflow
  -r, --roles                                 List of Arvados roles to apply to the host, comma separated
                                              Possible values are:
                                                api
                                                balancer
                                                controller
                                                database
                                                dispatcher
                                                keepproxy
                                                keepbalance
                                                keepstore
                                                keepweb
                                                monitoring
                                                shell
                                                webshell
                                                websocket
                                                workbench
                                                workbench2
                                              Defaults to applying them all
  -h, --help                                  Display this help and exit
  --dump-config <dest_dir>                    Dumps the pillars and states to a directory
                                              This parameter does not perform any installation at all. It's
                                              intended to give you a parsed set of configuration files so
                                              you can inspect them or use them in your Saltstack infrastructure.
                                              It
                                                - parses the pillar and states templates,
                                                - downloads the helper formulas with their desired versions,
                                                - prepares the 'top.sls' files both for pillars and states
                                                  for the selected role(s)
                                                - writes the resulting files into <dest_dir>
  -v, --vagrant                               Run in vagrant and use the /vagrant shared dir
  --development                               Run in dev mode, using snakeoil certs

EOF
}
58
#######################################
# Parse the command line and set the matching global variables.
# Globals (written): CONFIG_FILE, LOG_LEVEL, DUMP_SALT_CONFIG_DIR, S_DIR,
#                    F_DIR, P_DIR, T_DIR, DUMP_CONFIG, DEV_MODE, ROLES,
#                    TEST, VAGRANT
# Arguments: the script's command-line arguments ("$@")
# Outputs:   error/help text when the arguments are not valid
# Returns:   exits 1 on invalid options or roles, exits 0 after --help
#######################################
arguments() {
  # Space-delimited (leading and trailing space included) so that a role can
  # be checked with an exact " name " match instead of a substring match.
  local valid_roles=" api balancer controller database dispatcher keepbalance keepproxy keepstore keepweb monitoring shell webshell websocket workbench workbench2 "
  local parsed role
  local -a requested_roles

  # NOTE: This requires GNU getopt (part of the util-linux package on Debian-based distros).
  if ! command -v getopt > /dev/null; then
    echo >&2 "GNU getopt is required to run this script. Please install it and re-run it"
    exit 1
  fi

  if ! parsed=$(getopt -o c:dhr:tv \
    --long config:,debug,development,dump-config:,help,roles:,test,vagrant \
    -n "${0}" -- "${@}"); then
    echo "Please check the parameters you entered and re-run again"
    exit 1
  fi
  # getopt emits a shell-quoted argument list; the quotes around the
  # expansion are essential for eval to rebuild it correctly.
  eval set -- "${parsed}"

  while [[ ${#} -ge 1 ]]; do
    case "${1}" in
      -c | --config)
        CONFIG_FILE=${2}
        shift 2
        ;;
      -d | --debug)
        LOG_LEVEL="debug"
        shift
        set -x
        ;;
      --dump-config)
        # Relative destinations are resolved against the current directory
        if [[ ${2} = /* ]]; then
          DUMP_SALT_CONFIG_DIR=${2}
        else
          DUMP_SALT_CONFIG_DIR=${PWD}/${2}
        fi
        ## states
        S_DIR="${DUMP_SALT_CONFIG_DIR}/salt"
        ## formulas
        F_DIR="${DUMP_SALT_CONFIG_DIR}/formulas"
        ## pillars
        P_DIR="${DUMP_SALT_CONFIG_DIR}/pillars"
        ## tests
        T_DIR="${DUMP_SALT_CONFIG_DIR}/tests"
        DUMP_CONFIG="yes"
        shift 2
        ;;
      --development)
        DEV_MODE="yes"
        shift 1
        ;;
      -h | --help)
        usage
        exit 0
        ;;
      -r | --roles)
        # Split on commas/whitespace without exposing the value to globbing
        read -r -a requested_roles <<< "${2//,/ }"
        for role in "${requested_roles[@]}"; do
          # Verify the role exists (exact name, not a substring of one)
          if [[ "${valid_roles}" != *" ${role} "* ]]; then
            echo "The role '${role}' is not a valid role"
            usage
            exit 1
          fi
          ROLES="${ROLES} ${role}"
        done
        shift 2
        ;;
      -t | --test)
        TEST="yes"
        shift
        ;;
      -v | --vagrant)
        VAGRANT="yes"
        shift
        ;;
      --)
        shift
        break
        ;;
      *)
        usage
        exit 1
        ;;
    esac
  done
}
141
#######################################
# Install a custom certificate/key pair where the salt states pick it up.
# Arguments: $1 - directory holding <name>.crt and <name>.key
#            $2 - certificate name (file name without extension)
# Outputs:   an error message on stderr when a file is missing
# Returns:   exits 1 if either the .crt or the .key file does not exist
#######################################
copy_custom_cert() {
  local cert_dir=${1}
  local cert_name=${2}
  local dest_dir="/srv/salt/certs"

  mkdir -p --mode=0700 "${dest_dir}"

  # The certificate is stored with a .pem extension at the destination
  if [[ -f "${cert_dir}/${cert_name}.crt" ]]; then
    install --mode=0600 "${cert_dir}/${cert_name}.crt" "${dest_dir}/arvados-${cert_name}.pem"
  else
    echo >&2 "${cert_dir}/${cert_name}.crt does not exist. Exiting"
    exit 1
  fi
  if [[ -f "${cert_dir}/${cert_name}.key" ]]; then
    install --mode=0600 "${cert_dir}/${cert_name}.key" "${dest_dir}/arvados-${cert_name}.key"
  else
    echo >&2 "${cert_dir}/${cert_name}.key does not exist. Exiting"
    exit 1
  fi
}
161
# Default values. They are assigned before the command line is parsed and
# before the config files are sourced, so both can override them.
DEV_MODE="no"
CONFIG_FILE="${SCRIPT_DIR}/local.params"
CONFIG_DIR="local_config_dir"
DUMP_CONFIG="no"
LOG_LEVEL="info"
TESTS_DIR="tests"

NGINX_INSTALL_SOURCE="install_from_repo"

CLUSTER=""
DOMAIN=""

# Hostnames/IPs used for single-host deploys
IP_INT="127.0.1.1"

# Initial user setup
INITIAL_USER=""
INITIAL_USER_EMAIL=""
INITIAL_USER_PASSWORD=""

# External SSL ports.
# CONTROLLER_EXT_SSL_PORT used to be assigned twice (443, then 8000); only the
# last assignment was ever effective, so that is the one kept here.
CONTROLLER_EXT_SSL_PORT=8000
KEEP_EXT_SSL_PORT=25101
# Both for collections and downloads
KEEPWEB_EXT_SSL_PORT=9002
WEBSHELL_EXT_SSL_PORT=4202
WEBSOCKET_EXT_SSL_PORT=8002
WORKBENCH1_EXT_SSL_PORT=443
WORKBENCH2_EXT_SSL_PORT=3001

SSL_MODE="self-signed"
USE_LETSENCRYPT_ROUTE53="no"
CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"

GRAFANA_DASHBOARDS_DIR="${SCRIPT_DIR}/local_config_dir/dashboards"

## These are ARVADOS-related parameters
# For a stable release, change RELEASE to "production" and VERSION to the
# package version (including the iteration, e.g. X.Y.Z-1) of the
# release.
# The "local.params.example.*" files already set "RELEASE=production"
# to deploy production-ready packages
RELEASE="development"
VERSION="latest"

# These are arvados-formula-related parameters
# An arvados-formula tag. For a stable release, this should be a
# branch name (e.g. X.Y-dev) or tag for the release.
# ARVADOS_TAG="2.2.0"
# BRANCH="main"

# We pin the salt version to avoid potential incompatibilities when a new
# stable version is released.
SALT_VERSION="3004"

# Other formula versions we depend on
#POSTGRES_TAG="v0.44.0"
#POSTGRES_URL="https://github.com/saltstack-formulas/postgres-formula.git"
POSTGRES_TAG="0.45.0-bugfix327"
POSTGRES_URL="https://github.com/arvados/postgres-formula.git"
NGINX_TAG="v2.8.1"
DOCKER_TAG="v2.4.2"
LOCALE_TAG="v0.3.4"
LETSENCRYPT_TAG="v2.1.0"
LOGROTATE_TAG="v0.14.0"
PROMETHEUS_TAG="v5.6.5"
GRAFANA_TAG="v3.1.3"

# Salt's dir
DUMP_SALT_CONFIG_DIR=""
## states
S_DIR="/srv/salt"
## formulas
F_DIR="/srv/formulas"
## pillars
P_DIR="/srv/pillars"
## tests
T_DIR="/tmp/cluster_tests"
240
# Parse the command line. "${@}" is quoted so that arguments containing
# whitespace (e.g. a config path) reach the parser as single words.
arguments "${@}"

# Node list and role->nodes map variables.
# NOTE(review): presumably filled in by the config files sourced below - confirm.
declare -A NODES
declare -A ROLES
declare NODELIST

# Both the params file and its ".secrets" companion must exist and be non-empty
if [[ -s "${CONFIG_FILE}" && -s "${CONFIG_FILE}.secrets" ]]; then
  source "${CONFIG_FILE}.secrets"
  source "${CONFIG_FILE}"
else
  echo >&2 "You don't seem to have a config file with initial values."
  echo >&2 "Please create a '${CONFIG_FILE}' & '${CONFIG_FILE}.secrets' files as described in"
  echo >&2 "  * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
  echo >&2 "  * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
  exit 1
fi

if [[ ! -d "${CONFIG_DIR}" ]]; then
  echo >&2 "You don't seem to have a config directory with pillars and states."
  echo >&2 "Please create a '${CONFIG_DIR}' directory (as configured in your '${CONFIG_FILE}'). Please see"
  echo >&2 "  * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
  echo >&2 "  * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
  exit 1
fi

# Refuse to go on while any "fixme" marker is left in the configuration;
# the offending lines are printed by grep.
if grep -rni 'fixme' -- "${CONFIG_FILE}.secrets" "${CONFIG_FILE}" "${CONFIG_DIR}"; then
  echo >&2 "The config files has some parameters that need to be modified."
  echo >&2 "Please, fix them and re-run the provision script."
  exit 1
fi

# The C locale keeps [a-z] restricted to ASCII lowercase, so the check
# enforces what the error message states.
if ! LC_ALL=C grep -qE '^[a-z0-9]{5}$' <<< "${CLUSTER}"; then
  echo >&2 "ERROR: <CLUSTER> must be exactly 5 lowercase alphanumeric characters long"
  echo >&2 "Fix the cluster name in the 'local.params' file and re-run the provision script"
  exit 1
fi
277
# Only used in single_host/single_name deploys
if [[ -n "${HOSTNAME_EXT}" ]]; then
  # We need to add some extra control vars to manage a single certificate vs. multiple
  USE_SINGLE_HOSTNAME="yes"
  # Make sure that the value configured as IP_INT is a real IP on the system.
  # If we don't error out early here when there is a mismatch, the formula will
  # fail with hard to interpret nginx errors later on.
  # The address is matched literally (-F) and anchored on the blank that
  # precedes it in the output, so that e.g. 10.0.0.1 does not match
  # 110.0.0.1/24. grep reads its whole input (no -q) so that 'ip' can never be
  # killed by SIGPIPE, which would fail the pipeline under 'pipefail'.
  if ! ip addr list | grep -F -- " ${IP_INT}/" > /dev/null; then
    echo >&2 "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..."
    exit 1
  fi
else
  USE_SINGLE_HOSTNAME="no"
  # We set this variable, anyway, so sed lines do not fail and we don't need to add more
  # conditionals
  HOSTNAME_EXT="${DOMAIN}"
fi
296
# Unless we are only dumping the configuration, install the dependencies and
# salt, and configure salt in masterless mode.
if [[ "${DUMP_CONFIG}" == "yes" ]]; then
  echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit"
else
  # Install a few dependency packages
  # First, let's figure out the OS we're working on
  OS_ID=$(grep ^ID= /etc/os-release | cut -f 2 -d= | cut -f 2 -d \")
  echo "Detected distro: ${OS_ID}"

  case "${OS_ID}" in
    "centos")
      echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019"
      sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
      setenforce permissive
      yum install -y curl git jq
      ;;
    "debian" | "ubuntu")
      # Wait 2 minutes for any apt locks to clear
      # This option is supported from apt 1.9.1 and ignored in older apt versions.
      # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/
      DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update
      DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
      ;;
    *)
      # No package manager is known for this distro: keep going, but say so
      echo >&2 "WARNING: unsupported distro '${OS_ID}', make sure curl, git and jq are installed"
      ;;
  esac

  if command -v salt-call; then
    echo "Salt already installed"
  else
    # Download the bootstrap script to a private temp file (not a predictable
    # name under /tmp) and refuse to run it if the download failed.
    BOOTSTRAP_SCRIPT=$(mktemp) || exit 1
    if ! curl -fL https://bootstrap.saltstack.com -o "${BOOTSTRAP_SCRIPT}"; then
      echo >&2 "Unable to download the salt bootstrap script. Exiting"
      rm -f -- "${BOOTSTRAP_SCRIPT}"
      exit 1
    fi
    sh "${BOOTSTRAP_SCRIPT}" -XdfP -x python3 old-stable "${SALT_VERSION}"
    rm -f -- "${BOOTSTRAP_SCRIPT}"
    /bin/systemctl stop salt-minion.service
    /bin/systemctl disable salt-minion.service
  fi

  # Set salt to masterless mode
  cat > /etc/salt/minion << EOFSM
failhard: "True"

file_client: local
file_roots:
  base:
    - ${S_DIR}
    - ${F_DIR}/*

pillar_roots:
  base:
    - ${P_DIR}
EOFSM
fi
345
mkdir -p "${S_DIR}" "${F_DIR}" "${P_DIR}" "${T_DIR}"

#######################################
# Clone a formula under ${F_DIR} (or refresh an existing clone) and check out
# the requested git ref.
# Globals:   F_DIR (read)
# Arguments: $1 - formula directory name under ${F_DIR}
#            $2 - git URL to clone from
#            $3 - git ref to check out (e.g. tags/v1.2.3)
# Returns:   the status of the final 'git checkout'
#######################################
_fetch_formula() {
  local name=${1}
  local url=${2}
  local ref=${3}
  local dest="${F_DIR}/${name}"

  if [[ -d "${dest}" ]]; then
    # A failed refresh is not fatal: the ref may already be available locally.
    # (A 'test && fetch || clone' chain would try to clone over the existing
    # directory whenever the fetch fails.)
    ( cd "${dest}" && git fetch ) \
      || echo >&2 "WARNING: unable to refresh ${dest}, using the existing clone"
  else
    git clone --quiet "${url}" "${dest}"
  fi
  ( cd "${dest}" && git checkout --quiet "${ref}" )
}

# Get the formula and dependencies
cd "${F_DIR}" || exit 1
echo "Cloning formulas"
_fetch_formula docker https://github.com/saltstack-formulas/docker-formula.git "tags/${DOCKER_TAG}"

echo "...locale"
_fetch_formula locale https://github.com/saltstack-formulas/locale-formula.git "tags/${LOCALE_TAG}"

echo "...nginx"
_fetch_formula nginx https://github.com/saltstack-formulas/nginx-formula.git "tags/${NGINX_TAG}"

echo "...postgres"
_fetch_formula postgres "${POSTGRES_URL}" "tags/${POSTGRES_TAG}"

echo "...prometheus"
_fetch_formula prometheus https://github.com/saltstack-formulas/prometheus-formula.git "tags/${PROMETHEUS_TAG}"

echo "...grafana"
# The grafana ref is passed without the "tags/" prefix
_fetch_formula grafana https://github.com/saltstack-formulas/grafana-formula.git "${GRAFANA_TAG}"

echo "...letsencrypt"
_fetch_formula letsencrypt https://github.com/saltstack-formulas/letsencrypt-formula.git "tags/${LETSENCRYPT_TAG}"

echo "...logrotate"
_fetch_formula logrotate https://github.com/saltstack-formulas/logrotate-formula.git "tags/${LOGROTATE_TAG}"

echo "...arvados"
# The arvados formula is only cloned when missing; an existing clone is not refreshed
if [[ ! -d "${F_DIR}/arvados" ]]; then
  git clone --quiet https://git.arvados.org/arvados-formula.git "${F_DIR}/arvados"
fi

# If we want to try a specific branch of the formula
if [[ -n "${BRANCH}" ]]; then
  ( cd "${F_DIR}/arvados" && git checkout --quiet -t origin/"${BRANCH}" -b "${BRANCH}" )
elif [[ -n "${ARVADOS_TAG}" ]]; then
  ( cd "${F_DIR}/arvados" && git checkout --quiet tags/"${ARVADOS_TAG}" -b "${ARVADOS_TAG}" )
fi
399
# Pick the directories holding the local states, pillars, TOFS overrides and
# tests: under /home/vagrant when running in vagrant, next to this script
# otherwise.
case "x${VAGRANT}" in
  xyes)
    EXTRA_STATES_DIR="/home/vagrant/${CONFIG_DIR}/states"
    SOURCE_PILLARS_DIR="/home/vagrant/${CONFIG_DIR}/pillars"
    SOURCE_TOFS_DIR="/home/vagrant/${CONFIG_DIR}/tofs"
    SOURCE_TESTS_DIR="/home/vagrant/${TESTS_DIR}"
    ;;
  *)
    EXTRA_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states"
    SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars"
    SOURCE_TOFS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/tofs"
    SOURCE_TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}"
    ;;
esac

# The states are read from the extra states directory
SOURCE_STATES_DIR="${EXTRA_STATES_DIR}"
413
echo "Writing pillars and states"

# Replace variables (cluster, domain, etc) in the pillars, states and tests
# to ease deployment for newcomers
if [[ ! -d "${SOURCE_PILLARS_DIR}" ]]; then
  echo >&2 "${SOURCE_PILLARS_DIR} does not exist or is not a directory. Exiting."
  exit 1
fi
# Every regular file of the source directory is rendered into ${P_DIR} under
# the same name. A glob is used instead of parsing 'ls', so names with
# whitespace work and subdirectories are skipped instead of being listed.
for f in "${SOURCE_PILLARS_DIR}"/*; do
  [[ -f "${f}" ]] || continue
  sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
       s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
       s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
       s#__CLUSTER__#${CLUSTER}#g;
       s#__DOMAIN__#${DOMAIN}#g;
       s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
       s#__IP_INT__#${IP_INT}#g;
       s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
       s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
       s#__INITIAL_USER__#${INITIAL_USER}#g;
       s#__LE_AWS_REGION__#${LE_AWS_REGION}#g;
       s#__LE_AWS_SECRET_ACCESS_KEY__#${LE_AWS_SECRET_ACCESS_KEY}#g;
       s#__LE_AWS_ACCESS_KEY_ID__#${LE_AWS_ACCESS_KEY_ID}#g;
       s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
       s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
       s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
       s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
       s#__RELEASE__#${RELEASE}#g;
       s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
       s#__VERSION__#${VERSION}#g;
       s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
       s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
       s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
       s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
       s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
       s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
       s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
       s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
       s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
       s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
       s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
       s#__SHELL_INT_IP__#${SHELL_INT_IP}#g;
       s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
       s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
       s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
       s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
       s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
       s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
       s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
       s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g;
       s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g;
       s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g;
       s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g;
       s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g;
       s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
       s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
       s#__BALANCER_NODENAME__#${BALANCER_NODENAME}#g;
       s#__BALANCER_BACKENDS__#${BALANCER_BACKENDS}#g;
       s#__NODELIST__#${NODELIST}#g;
       s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;
       s#__KEEPBALANCE_INT_IP__#${KEEPBALANCE_INT_IP}#g;
       s#__COMPUTE_AMI__#${COMPUTE_AMI}#g;
       s#__COMPUTE_SG__#${COMPUTE_SG}#g;
       s#__COMPUTE_SUBNET__#${COMPUTE_SUBNET}#g;
       s#__COMPUTE_AWS_REGION__#${COMPUTE_AWS_REGION}#g;
       s#__COMPUTE_USER__#${COMPUTE_USER}#g;
       s#__KEEP_AWS_REGION__#${KEEP_AWS_REGION}#g" \
  "${f}" > "${P_DIR}/$(basename "${f}")"
done
482
# Render the test files into ${T_DIR}, or disable the tests when the source
# tests directory is not available.
if [[ ! -d "${SOURCE_TESTS_DIR}" ]]; then
  echo "WARNING: The tests directory was not copied to \"${SOURCE_TESTS_DIR}\"."
  if [[ "${TEST}" == "yes" ]]; then
    echo "WARNING: Disabling tests for this installation."
  fi
  TEST="no"
else
  mkdir -p "${T_DIR}"
  # Replace cluster and domain name in the test files.
  # The sed script is the same for every file, so it is built only once.
  FILTERS="s#__CLUSTER__#${CLUSTER}#g;
       s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
       s#__DOMAIN__#${DOMAIN}#g;
       s#__IP_INT__#${IP_INT}#g;
       s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
       s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
       s#__INITIAL_USER__#${INITIAL_USER}#g;
       s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
       s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g"
  if [[ "${USE_SINGLE_HOSTNAME}" == "yes" ]]; then
    # With a single hostname, "<cluster>.<domain>" must become the external
    # hostname; this rule has to run before the generic ones consume the
    # individual placeholders.
    FILTERS="s#__CLUSTER__.__DOMAIN__#${HOSTNAME_EXT}#g;
       ${FILTERS}"
  fi
  # Glob instead of parsing 'ls': safe with whitespace, skips subdirectories
  for f in "${SOURCE_TESTS_DIR}"/*; do
    [[ -f "${f}" ]] || continue
    sed "${FILTERS}" \
      "${f}" > "${T_DIR}/$(basename "${f}")"
  done
  chmod 755 "${T_DIR}/run-test.sh"
fi
511
# Replace helper state files that differ from the formula's examples
if [[ -d "${SOURCE_STATES_DIR}" ]]; then
  mkdir -p "${F_DIR}"/extra/extra
  # ':?' aborts instead of expanding to /extra/extra/* if F_DIR is ever empty
  rm -f "${F_DIR:?}"/extra/extra/*

  # Every regular file of the source directory is rendered into the "extra"
  # formula under the same name. A glob is used instead of parsing 'ls', so
  # names with whitespace work and subdirectories are skipped.
  for f in "${SOURCE_STATES_DIR}"/*; do
    [[ -f "${f}" ]] || continue
    sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
         s#__CLUSTER__#${CLUSTER}#g;
         s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
         s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
         s#__DOMAIN__#${DOMAIN}#g;
         s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
         s#__IP_INT__#${IP_INT}#g;
         s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
         s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
         s#__INITIAL_USER__#${INITIAL_USER}#g;
         s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
         s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
         s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
         s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
         s#__RELEASE__#${RELEASE}#g;
         s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
         s#__VERSION__#${VERSION}#g;
         s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
         s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
         s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
         s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
         s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
         s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
         s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
         s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
         s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
         s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
         s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
         s#__SHELL_INT_IP__#${SHELL_INT_IP}#g;
         s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
         s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
         s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
         s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
         s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
         s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
         s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
         s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g;
         s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g;
         s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g;
         s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g;
         s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g;
         s#__DISPATCHER_SSH_PRIVKEY__#${DISPATCHER_SSH_PRIVKEY//$'\n'/\\n}#g;
         s#__ENABLE_BALANCER__#${ENABLE_BALANCER}#g;
         s#__BALANCER_NODENAME__#${BALANCER_NODENAME}#g;
         s#__BALANCER_BACKENDS__#${BALANCER_BACKENDS}#g;
         s#__NODELIST__#${NODELIST}#g;
         s#__DISPATCHER_INT_IP__#${DISPATCHER_INT_IP}#g;
         s#__KEEPBALANCE_INT_IP__#${KEEPBALANCE_INT_IP}#g;
         s#__COMPUTE_AMI__#${COMPUTE_AMI}#g;
         s#__COMPUTE_SG__#${COMPUTE_SG}#g;
         s#__COMPUTE_SUBNET__#${COMPUTE_SUBNET}#g;
         s#__COMPUTE_AWS_REGION__#${COMPUTE_AWS_REGION}#g;
         s#__COMPUTE_USER__#${COMPUTE_USER}#g;
         s#__KEEP_AWS_REGION__#${KEEP_AWS_REGION}#g" \
    "${f}" > "${F_DIR}/extra/extra/$(basename "${f}")"
  done
fi
575
# Now, we build the SALT states/pillars trees
# As we need to separate both states and pillars in case we want specific
# roles, we iterate on both at the same time

# Formula template overrides (TOFS)
# See: https://template-formula.readthedocs.io/en/latest/TOFS_pattern.html#template-override
# The test is quoted: an unquoted empty value would turn it into '[ -d ]',
# which is true, and 'find' would then copy from the current directory.
if [[ -d "${SOURCE_TOFS_DIR}" ]]; then
  find "${SOURCE_TOFS_DIR}" -mindepth 1 -maxdepth 1 -type d -exec cp -r "{}" "${S_DIR}" \;
fi

# States
cat > "${S_DIR}/top.sls" << EOFTSLS
base:
  '*':
    - locale
EOFTSLS

# Pillars
cat > "${P_DIR}/top.sls" << EOFPSLS
base:
  '*':
    - locale
    - arvados
EOFPSLS

# States, extra states
if [[ -d "${F_DIR}/extra/extra" ]]; then
  SKIP_SNAKE_OIL="snakeoil_certs"

  if [[ "${DEV_MODE}" == "yes" || "${SSL_MODE}" == "self-signed" ]]; then
    # In dev mode, we create some snake oil certs that we'll
    # use as CUSTOM_CERTS, so we don't skip the states file.
    # Same when using self-signed certificates.
    SKIP_SNAKE_OIL="dont_add_snakeoil_certs"
  fi
  # Add every extra state to the top file, except the shell_* ones and,
  # unless needed, the snake oil certs one. The filter is applied to the
  # state name only, so the location of F_DIR cannot influence it.
  for f in "${F_DIR}"/extra/extra/*.sls; do
    [[ -f "${f}" ]] || continue
    state_name=$(basename "${f}" .sls)
    if [[ "${state_name}" == *"${SKIP_SNAKE_OIL}"* || "${state_name}" == *shell_* ]]; then
      continue
    fi
    echo "    - extra.${state_name}" >> "${S_DIR}/top.sls"
  done
  # Use byo or self-signed certificates
  if [[ "${SSL_MODE}" != "lets-encrypt" ]]; then
    mkdir -p "${F_DIR}"/extra/extra/files
  fi
fi
619
620 # If we want specific roles for a node, just add the desired states
621 # and its dependencies
622 if [ -z "${ROLES}" ]; then
623   # States
624   echo "    - nginx.passenger" >> ${S_DIR}/top.sls
625   if [ "${SSL_MODE}" = "lets-encrypt" ]; then
626     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
627       grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - extra.aws_credentials" >> ${S_DIR}/top.sls
628     fi
629     grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
630   else
631     mkdir -p --mode=0700 /srv/salt/certs
632     if [ "${SSL_MODE}" = "bring-your-own" ]; then
633       # Copy certs to formula extra/files
634       install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
635       # We add the custom_certs state
636       grep -q "custom_certs" ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
637       if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
638         grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
639       fi
640     fi
641     # In self-signed mode, the certificate files will be created and put in the
642     # destination directory by the snakeoil_certs.sls state file
643   fi
644
645   echo "    - postgres" >> ${S_DIR}/top.sls
646   echo "    - logrotate" >> ${S_DIR}/top.sls
647   echo "    - docker.software" >> ${S_DIR}/top.sls
648   echo "    - arvados" >> ${S_DIR}/top.sls
649   echo "    - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
650   echo "    - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls
651   echo "    - extra.passenger_rvm" >> ${S_DIR}/top.sls
652
653   # Pillars
654   echo "    - docker" >> ${P_DIR}/top.sls
655   echo "    - nginx_api_configuration" >> ${P_DIR}/top.sls
656   echo "    - logrotate_api" >> ${P_DIR}/top.sls
657   echo "    - nginx_controller_configuration" >> ${P_DIR}/top.sls
658   echo "    - nginx_keepproxy_configuration" >> ${P_DIR}/top.sls
659   echo "    - nginx_keepweb_configuration" >> ${P_DIR}/top.sls
660   echo "    - nginx_passenger" >> ${P_DIR}/top.sls
661   echo "    - nginx_websocket_configuration" >> ${P_DIR}/top.sls
662   echo "    - nginx_webshell_configuration" >> ${P_DIR}/top.sls
663   echo "    - nginx_workbench2_configuration" >> ${P_DIR}/top.sls
664   echo "    - nginx_workbench_configuration" >> ${P_DIR}/top.sls
665   echo "    - logrotate_wb1" >> ${P_DIR}/top.sls
666   echo "    - postgresql" >> ${P_DIR}/top.sls
667
668   # We need to tweak the Nginx's pillar depending whether we want plan nginx or nginx+passenger
669   NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
670   sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" ${P_DIR}/nginx_passenger.sls
671
672   if [ "${SSL_MODE}" = "lets-encrypt" ]; then
673     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
674       grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
675     fi
676     grep -q "letsencrypt" ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
677
678     hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy")
679     if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then
680       hosts+=("download" "collections")
681     else
682       hosts+=("keepweb")
683     fi
684
685     for c in "${hosts[@]}"; do
686       # Are we in a single-host-single-hostname env?
687       if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
688         # Are we in a single-host-single-hostname env?
689         CERT_NAME=${HOSTNAME_EXT}
690       else
691         # We are in a multiple-hostnames env
692         CERT_NAME=${c}.${DOMAIN}
693       fi
694
695       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
696       sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
697               s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
698               s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
699       ${P_DIR}/nginx_${c}_configuration.sls
700     done
701   else
702     # Use custom certs (either dev mode or prod)
703     grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo "    - extra_custom_certs" >> ${P_DIR}/top.sls
704     # And add the certs in the custom_certs pillar
705     echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
706     echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
707
708     for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
709       # Are we in a single-host-single-hostname env?
710       if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
711         # Are we in a single-host-single-hostname env?
712         CERT_NAME=${HOSTNAME_EXT}
713       else
714         # We are in a multiple-hostnames env
715         CERT_NAME=${c}
716       fi
717
718       if [[ "$SSL_MODE" == "bring-your-own" ]]; then
719         copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME}
720       fi
721
722       grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo "  - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
723
724       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
725       sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g;
726               s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g;
727               s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \
728       ${P_DIR}/nginx_${c}_configuration.sls
729     done
730   fi
731 else
# Entries every role-based install gets, whatever the roles are: the Arvados
# repo and custom-certs states, the optional encrypted-key state, a fresh
# custom-certs pillar (unless Let's Encrypt is used) and the Prometheus node
# exporter. All paths are quoted so a directory containing spaces or glob
# characters cannot split or expand the file names.

# If we add individual roles, make sure we add the repo first
echo "    - arvados.repo" >> "${S_DIR}/top.sls"
# We add the extra_custom_certs state
grep -q "extra.custom_certs" "${S_DIR}/top.sls" || echo "    - extra.custom_certs" >> "${S_DIR}/top.sls"
if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
  grep -q "ssl_key_encrypted" "${S_DIR}/top.sls" || echo "    - extra.ssl_key_encrypted" >> "${S_DIR}/top.sls"
fi

# And we add the basic part for the certs pillar
if [ "${SSL_MODE}" != "lets-encrypt" ]; then
  # Start the custom_certs pillar from scratch; the role handling appends the
  # individual certificate names to it
  echo "extra_custom_certs_dir: /srv/salt/certs" > "${P_DIR}/extra_custom_certs.sls"
  echo "extra_custom_certs:" >> "${P_DIR}/extra_custom_certs.sls"
  grep -q "extra_custom_certs" "${P_DIR}/top.sls" || echo "    - extra_custom_certs" >> "${P_DIR}/top.sls"
fi

# Prometheus state on all nodes due to the node exporter below
grep -q "\- prometheus$" "${S_DIR}/top.sls" || echo "    - prometheus" >> "${S_DIR}/top.sls"
# Prometheus node exporter pillar
grep -q "prometheus_node_exporter" "${P_DIR}/top.sls" || echo "    - prometheus_node_exporter" >> "${P_DIR}/top.sls"
752
# Walk the requested roles and, for each one, register the Salt states it
# needs in ${S_DIR}/top.sls and the pillars in ${P_DIR}/top.sls, then resolve
# the certificate placeholders (__CERT_REQUIRES__, __CERT_PEM__, __CERT_KEY__)
# of the matching nginx pillars according to ${SSL_MODE}.
#
# Entries are appended only when grep does not already find them, so roles
# that share a dependency do not list it twice. Checks that embed a role or
# certificate name match the whole entry: a substring match would consider
# "workbench" present as soon as "workbench2" is listed.
#
# ${ROLES} is expanded unquoted on purpose, so it splits into one word per role.
# An unknown role aborts the script with exit status 1.
for R in ${ROLES}; do
  case "${R}" in
    "database")
      # States
      grep -q "\- postgres$" "${S_DIR}/top.sls" || echo "    - postgres" >> "${S_DIR}/top.sls"
      grep -q "extra.prometheus_pg_exporter" "${S_DIR}/top.sls" || echo "    - extra.prometheus_pg_exporter" >> "${S_DIR}/top.sls"
      # Pillars
      grep -q "postgresql" "${P_DIR}/top.sls" || echo "    - postgresql" >> "${P_DIR}/top.sls"
      grep -q "prometheus_pg_exporter" "${P_DIR}/top.sls" || echo "    - prometheus_pg_exporter" >> "${P_DIR}/top.sls"
    ;;
    "monitoring")
      ### Support files ###
      GRAFANA_DASHBOARDS_DEST_DIR=/srv/salt/dashboards
      mkdir -p "${GRAFANA_DASHBOARDS_DEST_DIR}"
      rm -f "${GRAFANA_DASHBOARDS_DEST_DIR}"/*
      # "ArvadosPromDataSource" is the hardcoded UID for Prometheus' datasource
      # in Grafana.
      for f in "${GRAFANA_DASHBOARDS_DIR}"/*.json; do
        # Without any dashboard the glob stays literal: skip it
        [ -e "${f}" ] || continue
        sed 's#${DS_PROMETHEUS}#ArvadosPromDataSource#g' \
          "${f}" > "${GRAFANA_DASHBOARDS_DEST_DIR}/$(basename "${f}")"
      done

      ### States ###
      grep -q "\- nginx$" "${S_DIR}/top.sls" || echo "    - nginx" >> "${S_DIR}/top.sls"
      grep -q "extra.nginx_prometheus_configuration" "${S_DIR}/top.sls" || echo "    - extra.nginx_prometheus_configuration" >> "${S_DIR}/top.sls"

      grep -q "\- grafana$" "${S_DIR}/top.sls" || echo "    - grafana" >> "${S_DIR}/top.sls"
      grep -q "extra.grafana_datasource" "${S_DIR}/top.sls" || echo "    - extra.grafana_datasource" >> "${S_DIR}/top.sls"
      grep -q "extra.grafana_dashboards" "${S_DIR}/top.sls" || echo "    - extra.grafana_dashboards" >> "${S_DIR}/top.sls"
      grep -q "extra.grafana_admin_user" "${S_DIR}/top.sls" || echo "    - extra.grafana_admin_user" >> "${S_DIR}/top.sls"

      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        grep -q "letsencrypt" "${S_DIR}/top.sls" || echo "    - letsencrypt" >> "${S_DIR}/top.sls"
        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${S_DIR}/top.sls" || echo "    - aws_credentials" >> "${S_DIR}/top.sls"
        fi
      elif [ "${SSL_MODE}" = "bring-your-own" ]; then
        for SVC in grafana prometheus; do
          copy_custom_cert "${CUSTOM_CERTS_DIR}" "${SVC}"
        done
      fi
      ### Pillars ###
      grep -q "prometheus_server" "${P_DIR}/top.sls" || echo "    - prometheus_server" >> "${P_DIR}/top.sls"
      grep -q "grafana" "${P_DIR}/top.sls" || echo "    - grafana" >> "${P_DIR}/top.sls"
      for SVC in grafana prometheus; do
        grep -q "nginx_${SVC}_configuration" "${P_DIR}/top.sls" || echo "    - nginx_${SVC}_configuration" >> "${P_DIR}/top.sls"
      done
      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        grep -q "letsencrypt" "${P_DIR}/top.sls" || echo "    - letsencrypt" >> "${P_DIR}/top.sls"
        for SVC in grafana prometheus; do
          grep -q "letsencrypt_${SVC}_configuration" "${P_DIR}/top.sls" || echo "    - letsencrypt_${SVC}_configuration" >> "${P_DIR}/top.sls"
          sed -i \
            -e "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${DOMAIN}*/g" \
            -e "s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/fullchain.pem#g" \
            -e "s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/privkey.pem#g" \
            "${P_DIR}/nginx_${SVC}_configuration.sls"
        done
        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${P_DIR}/top.sls" || echo "    - aws_credentials" >> "${P_DIR}/top.sls"
        fi
      elif [ "${SSL_MODE}" = "bring-your-own" ]; then
        grep -q "ssl_key_encrypted" "${P_DIR}/top.sls" || echo "    - ssl_key_encrypted" >> "${P_DIR}/top.sls"
        for SVC in grafana prometheus; do
          sed -i \
            -e "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${SVC}.pem/g" \
            -e "s#__CERT_PEM__#/etc/nginx/ssl/arvados-${SVC}.pem#g" \
            -e "s#__CERT_KEY__#/etc/nginx/ssl/arvados-${SVC}.key#g" \
            "${P_DIR}/nginx_${SVC}_configuration.sls"
          grep -qxF -- "  - ${SVC}" "${P_DIR}/extra_custom_certs.sls" || echo "  - ${SVC}" >> "${P_DIR}/extra_custom_certs.sls"
        done
      fi
    ;;
    "api")
      # States
      grep -q "    - logrotate" "${S_DIR}/top.sls" || echo "    - logrotate" >> "${S_DIR}/top.sls"
      # Any nginx flavour already listed is turned into nginx.passenger
      if grep -q "    - nginx.*$" "${S_DIR}/top.sls"; then
        sed -i 's/^    - nginx.*$/    - nginx.passenger/g' "${S_DIR}/top.sls"
      else
        echo "    - nginx.passenger" >> "${S_DIR}/top.sls"
      fi
      echo "    - extra.passenger_rvm" >> "${S_DIR}/top.sls"
      ### If we don't install and run LE before arvados-api-server, it fails and breaks everything
      ### after it. So we add this here as we are, after all, sharing the host for api and controller
      if [ "${ENABLE_BALANCER}" == "no" ]; then
        if [ "${SSL_MODE}" = "lets-encrypt" ]; then
          if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
            grep -q "aws_credentials" "${S_DIR}/top.sls" || echo "    - aws_credentials" >> "${S_DIR}/top.sls"
          fi
          grep -q "letsencrypt" "${S_DIR}/top.sls" || echo "    - letsencrypt" >> "${S_DIR}/top.sls"
        else
          # Use custom certs
          if [ "${SSL_MODE}" = "bring-your-own" ]; then
            copy_custom_cert "${CUSTOM_CERTS_DIR}" controller
          fi
          grep -qxF -- "  - controller" "${P_DIR}/extra_custom_certs.sls" || echo "  - controller" >> "${P_DIR}/extra_custom_certs.sls"
        fi
      fi
      grep -q -- "- arvados\.${R}\$" "${S_DIR}/top.sls" || echo "    - arvados.${R}" >> "${S_DIR}/top.sls"
      # Pillars
      grep -q "logrotate_api" "${P_DIR}/top.sls" || echo "    - logrotate_api" >> "${P_DIR}/top.sls"
      grep -q "aws_credentials" "${P_DIR}/top.sls" || echo "    - aws_credentials" >> "${P_DIR}/top.sls"
      grep -q "postgresql" "${P_DIR}/top.sls" || echo "    - postgresql" >> "${P_DIR}/top.sls"
      grep -q "nginx_passenger" "${P_DIR}/top.sls" || echo "    - nginx_passenger" >> "${P_DIR}/top.sls"
      grep -q "nginx_${R}_configuration" "${P_DIR}/top.sls" || echo "    - nginx_${R}_configuration" >> "${P_DIR}/top.sls"

      # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger
      NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
      sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" "${P_DIR}/nginx_passenger.sls"
    ;;
    "balancer")
      ### States ###
      grep -q "\- nginx$" "${S_DIR}/top.sls" || echo "    - nginx" >> "${S_DIR}/top.sls"

      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        grep -q "letsencrypt" "${S_DIR}/top.sls" || echo "    - letsencrypt" >> "${S_DIR}/top.sls"
        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${S_DIR}/top.sls" || echo "    - aws_credentials" >> "${S_DIR}/top.sls"
        fi
      elif [ "${SSL_MODE}" = "bring-your-own" ]; then
        copy_custom_cert "${CUSTOM_CERTS_DIR}" "${R}"
      fi

      ### Pillars ###
      grep -q "nginx_${R}_configuration" "${P_DIR}/top.sls" || echo "    - nginx_${R}_configuration" >> "${P_DIR}/top.sls"

      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        grep -q "letsencrypt" "${P_DIR}/top.sls" || echo "    - letsencrypt" >> "${P_DIR}/top.sls"

        grep -q "letsencrypt_${R}_configuration" "${P_DIR}/top.sls" || echo "    - letsencrypt_${R}_configuration" >> "${P_DIR}/top.sls"
        # The balancer's LE certificate is named after ${BALANCER_NODENAME}, not the role
        sed -i \
          -e "s/__CERT_REQUIRES__/cmd: create-initial-cert-${BALANCER_NODENAME}.${DOMAIN}*/g" \
          -e "s#__CERT_PEM__#/etc/letsencrypt/live/${BALANCER_NODENAME}.${DOMAIN}/fullchain.pem#g" \
          -e "s#__CERT_KEY__#/etc/letsencrypt/live/${BALANCER_NODENAME}.${DOMAIN}/privkey.pem#g" \
          "${P_DIR}/nginx_${R}_configuration.sls"

        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${P_DIR}/top.sls" || echo "    - aws_credentials" >> "${P_DIR}/top.sls"
        fi
      elif [ "${SSL_MODE}" = "bring-your-own" ]; then
        grep -q "ssl_key_encrypted" "${P_DIR}/top.sls" || echo "    - ssl_key_encrypted" >> "${P_DIR}/top.sls"
        sed -i \
          -e "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g" \
          -e "s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g" \
          -e "s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
          "${P_DIR}/nginx_${R}_configuration.sls"
        grep -qxF -- "  - ${R}" "${P_DIR}/extra_custom_certs.sls" || echo "  - ${R}" >> "${P_DIR}/extra_custom_certs.sls"
      fi
    ;;
    "controller")
      ### States ###
      grep -q "\- nginx$" "${S_DIR}/top.sls" || echo "    - nginx" >> "${S_DIR}/top.sls"
      grep -q -- "- arvados\.${R}\$" "${S_DIR}/top.sls" || echo "    - arvados.${R}" >> "${S_DIR}/top.sls"

      if [ "${ENABLE_BALANCER}" == "no" ]; then
        if [ "${SSL_MODE}" = "lets-encrypt" ]; then
          if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
            grep -q "aws_credentials" "${S_DIR}/top.sls" || echo "    - aws_credentials" >> "${S_DIR}/top.sls"
          fi
          grep -q "letsencrypt" "${S_DIR}/top.sls" || echo "    - letsencrypt" >> "${S_DIR}/top.sls"
        elif [ "${SSL_MODE}" = "bring-your-own" ]; then
          copy_custom_cert "${CUSTOM_CERTS_DIR}" "${R}"
        fi
      fi

      ### Pillars ###
      grep -q "nginx_passenger" "${P_DIR}/top.sls" || echo "    - nginx_passenger" >> "${P_DIR}/top.sls"
      grep -q "nginx_${R}_configuration" "${P_DIR}/top.sls" || echo "    - nginx_${R}_configuration" >> "${P_DIR}/top.sls"

      if [ "${ENABLE_BALANCER}" == "no" ]; then
        if [ "${SSL_MODE}" = "lets-encrypt" ]; then
          if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
            grep -q "aws_credentials" "${P_DIR}/top.sls" || echo "    - aws_credentials" >> "${P_DIR}/top.sls"
          fi

          grep -q "letsencrypt" "${P_DIR}/top.sls" || echo "    - letsencrypt" >> "${P_DIR}/top.sls"
          grep -q "letsencrypt_${R}_configuration" "${P_DIR}/top.sls" || echo "    - letsencrypt_${R}_configuration" >> "${P_DIR}/top.sls"
          sed -i \
            -e "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${DOMAIN}*/g" \
            -e "s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${DOMAIN}/fullchain.pem#g" \
            -e "s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${DOMAIN}/privkey.pem#g" \
            "${P_DIR}/nginx_${R}_configuration.sls"
        else
          grep -q "ssl_key_encrypted" "${P_DIR}/top.sls" || echo "    - ssl_key_encrypted" >> "${P_DIR}/top.sls"
          sed -i \
            -e "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g" \
            -e "s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g" \
            -e "s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
            "${P_DIR}/nginx_${R}_configuration.sls"
          grep -qxF -- "  - ${R}" "${P_DIR}/extra_custom_certs.sls" || echo "  - ${R}" >> "${P_DIR}/extra_custom_certs.sls"
        fi
      fi
      # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger
      sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" "${P_DIR}/nginx_passenger.sls"
    ;;
    "websocket" | "workbench" | "workbench2" | "webshell" | "keepweb" | "keepproxy")
      ### States ###
      if [ "${R}" = "workbench" ]; then
        grep -q "    - logrotate" "${S_DIR}/top.sls" || echo "    - logrotate" >> "${S_DIR}/top.sls"
        NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
        # Same test as the api role: also recognise an nginx.passenger entry
        # that is already there, so it is not appended a second time
        if grep -q "    - nginx.*$" "${S_DIR}/top.sls"; then
          sed -i 's/^    - nginx.*$/    - nginx.passenger/g' "${S_DIR}/top.sls"
        else
          echo "    - nginx.passenger" >> "${S_DIR}/top.sls"
        fi
      else
        grep -q "\- nginx$" "${S_DIR}/top.sls" || echo "    - nginx" >> "${S_DIR}/top.sls"
      fi

      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${S_DIR}/top.sls" || echo "    - aws_credentials" >> "${S_DIR}/top.sls"
        fi
        grep -q "letsencrypt" "${S_DIR}/top.sls" || echo "    - letsencrypt" >> "${S_DIR}/top.sls"
      elif [ "${SSL_MODE}" = "bring-your-own" ]; then
        # Use custom certs, special case for keepweb
        if [ "${R}" = "keepweb" ]; then
          copy_custom_cert "${CUSTOM_CERTS_DIR}" download
          copy_custom_cert "${CUSTOM_CERTS_DIR}" collections
        else
          copy_custom_cert "${CUSTOM_CERTS_DIR}" "${R}"
        fi
      fi

      # webshell role is just a nginx vhost, so it has no state
      if [ "${R}" != "webshell" ]; then
        grep -q -- "- arvados\.${R}\$" "${S_DIR}/top.sls" || echo "    - arvados.${R}" >> "${S_DIR}/top.sls"
      fi

      ### Pillars ###
      if [ "${R}" = "workbench" ]; then
        grep -q "logrotate_wb1" "${P_DIR}/top.sls" || echo "    - logrotate_wb1" >> "${P_DIR}/top.sls"
      fi
      grep -q "nginx_passenger" "${P_DIR}/top.sls" || echo "    - nginx_passenger" >> "${P_DIR}/top.sls"
      grep -q "nginx_${R}_configuration" "${P_DIR}/top.sls" || echo "    - nginx_${R}_configuration" >> "${P_DIR}/top.sls"
      # Special case for keepweb
      if [ "${R}" = "keepweb" ]; then
        grep -q "nginx_download_configuration" "${P_DIR}/top.sls" || echo "    - nginx_download_configuration" >> "${P_DIR}/top.sls"
        grep -q "nginx_collections_configuration" "${P_DIR}/top.sls" || echo "    - nginx_collections_configuration" >> "${P_DIR}/top.sls"
      fi

      if [ "${SSL_MODE}" = "lets-encrypt" ]; then
        if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
          grep -q "aws_credentials" "${P_DIR}/top.sls" || echo "    - aws_credentials" >> "${P_DIR}/top.sls"
        fi
        grep -q "letsencrypt" "${P_DIR}/top.sls" || echo "    - letsencrypt" >> "${P_DIR}/top.sls"
        grep -q "letsencrypt_${R}_configuration" "${P_DIR}/top.sls" || echo "    - letsencrypt_${R}_configuration" >> "${P_DIR}/top.sls"

        # The pillars differ depending on whether we use LE or custom certs, so
        # the placeholders are resolved here. Special case for keepweb
        if [ "${R}" = "keepweb" ]; then
          for kwsub in download collections; do
            sed -i \
              -e "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${DOMAIN}*/g" \
              -e "s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/fullchain.pem#g" \
              -e "s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/privkey.pem#g" \
              "${P_DIR}/nginx_${kwsub}_configuration.sls"
          done
        else
          sed -i \
            -e "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${DOMAIN}*/g" \
            -e "s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${DOMAIN}/fullchain.pem#g" \
            -e "s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${DOMAIN}/privkey.pem#g" \
            "${P_DIR}/nginx_${R}_configuration.sls"
        fi
      else
        grep -q "ssl_key_encrypted" "${P_DIR}/top.sls" || echo "    - ssl_key_encrypted" >> "${P_DIR}/top.sls"
        # The pillars differ depending on whether we use LE or custom certs, so
        # the placeholders are resolved here. Special case for keepweb
        if [ "${R}" = "keepweb" ]; then
          for kwsub in download collections; do
            sed -i \
              -e "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g" \
              -e "s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g" \
              -e "s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \
              "${P_DIR}/nginx_${kwsub}_configuration.sls"
            grep -qxF -- "  - ${kwsub}" "${P_DIR}/extra_custom_certs.sls" || echo "  - ${kwsub}" >> "${P_DIR}/extra_custom_certs.sls"
          done
        else
          sed -i \
            -e "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g" \
            -e "s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g" \
            -e "s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
            "${P_DIR}/nginx_${R}_configuration.sls"
          grep -qxF -- "  - ${R}" "${P_DIR}/extra_custom_certs.sls" || echo "  - ${R}" >> "${P_DIR}/extra_custom_certs.sls"
        fi
      fi
      # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger
      sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" "${P_DIR}/nginx_passenger.sls"
    ;;
    "shell")
      # States
      echo "    - extra.shell_sudo_passwordless" >> "${S_DIR}/top.sls"
      echo "    - extra.shell_cron_add_login_sync" >> "${S_DIR}/top.sls"
      grep -q "docker" "${S_DIR}/top.sls" || echo "    - docker.software" >> "${S_DIR}/top.sls"
      grep -q -- "- arvados\.${R}\$" "${S_DIR}/top.sls" || echo "    - arvados.${R}" >> "${S_DIR}/top.sls"
      # Pillars
      grep -q "docker" "${P_DIR}/top.sls" || echo "    - docker" >> "${P_DIR}/top.sls"
    ;;
    "dispatcher" | "keepbalance" | "keepstore")
      # States
      grep -q -- "- arvados\.${R}\$" "${S_DIR}/top.sls" || echo "    - arvados.${R}" >> "${S_DIR}/top.sls"
      # Pillars
      # ATM, no specific pillar needed
    ;;
    *)
      # Diagnostics go to stderr, like the usage message
      echo >&2 "Unknown role ${R}"
      exit 1
    ;;
  esac
done
1057 fi
1058
# When only the configuration dump was requested, stop here: everything below
# changes the system.
if [ "${DUMP_CONFIG}" = "yes" ]; then
  # We won't run the rest of the script because we're just dumping the config
  exit 0
fi

# Now run the install. The log level is quoted so it always reaches salt-call
# as the single argument of -l.
salt-call --state-output=mixed --local state.apply -l "${LOG_LEVEL}"
1066
# Finally, make sure that /etc/hosts is not overwritten on reboot: comment out
# "manage_etc_hosts: true" in every file of the cloud.cfg.d directory.
if [ -d /etc/cloud/cloud.cfg.d ]; then
  # TODO: will this work on CentOS?
  for cloud_cfg in /etc/cloud/cloud.cfg.d/*; do
    # Skip the literal pattern left by an empty directory, and anything that
    # is not a regular file, instead of letting sed fail on it
    [ -f "${cloud_cfg}" ] || continue
    sed -i 's/^manage_etc_hosts: true/#manage_etc_hosts: true/g' "${cloud_cfg}"
  done
fi
1072
# Leave a copy of the Arvados CA so the user can copy it where it's required.
# Under Vagrant the copy goes to /vagrant with a .pem suffix, otherwise next to
# this script with a .crt suffix; the message reports the path actually used.
if [ "${SSL_MODE}" = "self-signed" ]; then
  if [ "${VAGRANT}" = "yes" ]; then
    CA_COPY_DEST="/vagrant/${DOMAIN}-arvados-snakeoil-ca.pem"
  else
    CA_COPY_DEST="${SCRIPT_DIR}/${DOMAIN}-arvados-snakeoil-ca.crt"
  fi
  echo "Copying the Arvados CA certificate to '${CA_COPY_DEST}', so you can import it"
  cp /etc/ssl/certs/arvados-snakeoil-ca.pem "${CA_COPY_DEST}"
fi
1082
# Inside a Vagrant VM the default "vagrant" user is also added to the docker
# group; nothing happens on any other kind of host.
if [[ "${VAGRANT}" == "yes" ]]; then
  echo "Adding the vagrant user to the docker group"
  usermod -a -G docker vagrant
fi
1088
# Test that the installation finished correctly: when requested, run
# run-test.sh from the tests directory ${T_DIR}.
if [ "${TEST}" = "yes" ]; then
  # Stop if the tests directory is unreachable, rather than running whatever
  # ./run-test.sh happens to exist in the current directory
  cd "${T_DIR}" || {
    echo >&2 "Cannot change to the tests directory '${T_DIR}'"
    exit 1
  }
  # If we use RVM, we need to run this with it, or most ruby commands will fail
  RVM_EXEC=""
  if [ -x /usr/local/rvm/bin/rvm-exec ]; then
    RVM_EXEC="/usr/local/rvm/bin/rvm-exec"
  fi
  # Expands to nothing when RVM is absent, so the test script runs directly
  ${RVM_EXEC:+"${RVM_EXEC}"} ./run-test.sh
fi