tools/salt-install/provision.sh

   1 #!/bin/bash
   2
   3 # Copyright (C) The Arvados Authors. All rights reserved.
   4 #
   5 # SPDX-License-Identifier: CC-BY-SA-3.0
   6
   7 # If you want to test arvados in a single host, you can run this script, which
   8 # will install it using salt masterless
   9 # This script is run by the Vagrant file when you run it with
  10 #
  11 # vagrant up
  12
  13 set -o pipefail
  14
  15 # capture the directory that the script is running from
  16 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
  17
  18 usage() {
  19   echo >&2
  20   echo >&2 "Usage: ${0} [-h] [-h]"
  21   echo >&2
  22   echo >&2 "${0} options:"
  23   echo >&2 "  -d, --debug                                 Run salt installation in debug mode"
  24   echo >&2 "  -c <local.params>, --config <local.params>  Path to the local.params config file"
  25   echo >&2 "  -t, --test                                  Test installation running a CWL workflow"
  26   echo >&2 "  -r, --roles                                 List of Arvados roles to apply to the host, comma separated"
  27   echo >&2 "                                              Possible values are:"
  28   echo >&2 "                                                api"
  29   echo >&2 "                                                controller"
  30   echo >&2 "                                                dispatcher"
  31   echo >&2 "                                                keepproxy"
  32   echo >&2 "                                                keepbalance"
  33   echo >&2 "                                                keepstore"
  34   echo >&2 "                                                keepweb"
  35   echo >&2 "                                                monitoring"
  36   echo >&2 "                                                shell"
  37   echo >&2 "                                                webshell"
  38   echo >&2 "                                                websocket"
  39   echo >&2 "                                                workbench"
  40   echo >&2 "                                                workbench2"
  41   echo >&2 "                                              Defaults to applying them all"
  42   echo >&2 "  -h, --help                                  Display this help and exit"
  43   echo >&2 "  --dump-config <dest_dir>                    Dumps the pillars and states to a directory"
  44   echo >&2 "                                              This parameter does not perform any installation at all. It's"
  45   echo >&2 "                                              intended to give you a parsed set of configuration files so"
  46   echo >&2 "                                              you can inspect them or use them in you Saltstack infrastructure."
  47   echo >&2 "                                              It"
  48   echo >&2 "                                                - parses the pillar and states templates,"
  49   echo >&2 "                                                - downloads the helper formulas with their desired versions,"
  50   echo >&2 "                                                - prepares the 'top.sls' files both for pillars and states"
  51   echo >&2 "                                                  for the selected role(s)"
  52   echo >&2 "                                                - writes the resulting files into <dest_dir>"
  53   echo >&2 "  -v, --vagrant                               Run in vagrant and use the /vagrant shared dir"
  54   echo >&2 "  --development                               Run in dev mode, using snakeoil certs"
  55   echo >&2
  56 }
  57
  58 arguments() {
  59   # NOTE: This requires GNU getopt (part of the util-linux package on Debian-based distros).
  60   if ! which getopt > /dev/null; then
  61     echo >&2 "GNU getopt is required to run this script. Please install it and re-reun it"
  62     exit 1
  63   fi
  64
  65   TEMP=$(getopt -o c:dhp:r:tv \
  66     --long config:,debug,development,dump-config:,help,roles:,test,vagrant \
  67     -n "${0}" -- "${@}")
  68
  69   if [ ${?} != 0 ];
  70     then echo "Please check the parameters you entered and re-run again"
  71     exit 1
  72   fi
  73   # Note the quotes around `$TEMP': they are essential!
  74   eval set -- "$TEMP"
  75
  76   while [ ${#} -ge 1 ]; do
  77     case ${1} in
  78       -c | --config)
  79         CONFIG_FILE=${2}
  80         shift 2
  81         ;;
  82       -d | --debug)
  83         LOG_LEVEL="debug"
  84         shift
  85         set -x
  86         ;;
  87       --dump-config)
  88         if [[ ${2} = /* ]]; then
  89           DUMP_SALT_CONFIG_DIR=${2}
  90         else
  91           DUMP_SALT_CONFIG_DIR=${PWD}/${2}
  92         fi
  93         ## states
  94         S_DIR="${DUMP_SALT_CONFIG_DIR}/salt"
  95         ## formulas
  96         F_DIR="${DUMP_SALT_CONFIG_DIR}/formulas"
  97         ## pillars
  98         P_DIR="${DUMP_SALT_CONFIG_DIR}/pillars"
  99         ## tests
 100         T_DIR="${DUMP_SALT_CONFIG_DIR}/tests"
 101         DUMP_CONFIG="yes"
 102         shift 2
 103         ;;
 104       --development)
 105         DEV_MODE="yes"
 106         shift 1
 107         ;;
 108       -r | --roles)
 109         for i in ${2//,/ }
 110           do
 111             # Verify the role exists
 112             if [[ ! "database,api,controller,keepstore,websocket,keepweb,workbench2,webshell,keepbalance,keepproxy,shell,workbench,dispatcher,monitoring" == *"$i"* ]]; then
 113               echo "The role '${i}' is not a valid role"
 114               usage
 115               exit 1
 116             fi
 117             ROLES="${ROLES} ${i}"
 118           done
 119           shift 2
 120         ;;
 121       -t | --test)
 122         TEST="yes"
 123         shift
 124         ;;
 125       -v | --vagrant)
 126         VAGRANT="yes"
 127         shift
 128         ;;
 129       --)
 130         shift
 131         break
 132         ;;
 133       *)
 134         usage
 135         exit 1
 136         ;;
 137     esac
 138   done
 139 }
 140
 141 copy_custom_cert() {
 142   cert_dir=${1}
 143   cert_name=${2}
 144
 145   mkdir -p --mode=0700 /srv/salt/certs
 146
 147   if [ -f ${cert_dir}/${cert_name}.crt ]; then
 148     install --mode=0600 ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
 149   else
 150     echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
 151     exit 1
 152   fi
 153   if [ -f ${cert_dir}/${cert_name}.key ]; then
 154     install --mode=0600 ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
 155   else
 156     echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
 157     exit 1
 158   fi
 159 }
 160
 161 DEV_MODE="no"
 162 CONFIG_FILE="${SCRIPT_DIR}/local.params"
 163 CONFIG_DIR="local_config_dir"
 164 DUMP_CONFIG="no"
 165 LOG_LEVEL="info"
 166 CONTROLLER_EXT_SSL_PORT=443
 167 TESTS_DIR="tests"
 168
 169 NGINX_INSTALL_SOURCE="install_from_repo"
 170
 171 CLUSTER=""
 172 DOMAIN=""
 173
 174 # Hostnames/IPs used for single-host deploys
 175 IP_INT="127.0.1.1"
 176
 177 # Initial user setup
 178 INITIAL_USER=""
 179 INITIAL_USER_EMAIL=""
 180 INITIAL_USER_PASSWORD=""
 181
 182 CONTROLLER_EXT_SSL_PORT=8000
 183 KEEP_EXT_SSL_PORT=25101
 184 # Both for collections and downloads
 185 KEEPWEB_EXT_SSL_PORT=9002
 186 WEBSHELL_EXT_SSL_PORT=4202
 187 WEBSOCKET_EXT_SSL_PORT=8002
 188 WORKBENCH1_EXT_SSL_PORT=443
 189 WORKBENCH2_EXT_SSL_PORT=3001
 190
 191 SSL_MODE="self-signed"
 192 USE_LETSENCRYPT_ROUTE53="no"
 193 CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 194
 195 GRAFANA_DASHBOARDS_DIR="${SCRIPT_DIR}/local_config_dir/dashboards"
 196
 197 ## These are ARVADOS-related parameters
 198 # For a stable release, change RELEASE "production" and VERSION to the
 199 # package version (including the iteration, e.g. X.Y.Z-1) of the
 200 # release.
 201 # The "local.params.example.*" files already set "RELEASE=production"
 202 # to deploy  production-ready packages
 203 RELEASE="development"
 204 VERSION="latest"
 205
 206 # These are arvados-formula-related parameters
 207 # An arvados-formula tag. For a stable release, this should be a
 208 # branch name (e.g. X.Y-dev) or tag for the release.
 209 # ARVADOS_TAG="2.2.0"
 210 # BRANCH="main"
 211
 212 # We pin the salt version to avoid potential incompatibilities when a new
 213 # stable version is released.
 214 SALT_VERSION="3004"
 215
 216 # Other formula versions we depend on
 217 #POSTGRES_TAG="v0.44.0"
 218 #POSTGRES_URL="https://github.com/saltstack-formulas/postgres-formula.git"
 219 POSTGRES_TAG="0.45.0-bugfix327"
 220 POSTGRES_URL="https://github.com/arvados/postgres-formula.git"
 221 NGINX_TAG="v2.8.1"
 222 DOCKER_TAG="v2.4.2"
 223 LOCALE_TAG="v0.3.4"
 224 LETSENCRYPT_TAG="v2.1.0"
 225 LOGROTATE_TAG="v0.14.0"
 226 PROMETHEUS_TAG="v5.6.5"
 227 GRAFANA_TAG="v3.1.3"
 228
 229 # Salt's dir
 230 DUMP_SALT_CONFIG_DIR=""
 231 ## states
 232 S_DIR="/srv/salt"
 233 ## formulas
 234 F_DIR="/srv/formulas"
 235 ## pillars
 236 P_DIR="/srv/pillars"
 237 ## tests
 238 T_DIR="/tmp/cluster_tests"
 239
 240 arguments ${@}
 241
 242 declare -A NODES
 243
 244 if [ -s ${CONFIG_FILE} ]; then
 245   source ${CONFIG_FILE}
 246 else
 247   echo >&2 "You don't seem to have a config file with initial values."
 248   echo >&2 "Please create a '${CONFIG_FILE}' file as described in"
 249   echo >&2 "  * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
 250   echo >&2 "  * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
 251   exit 1
 252 fi
 253
 254 if [ ! -d ${CONFIG_DIR} ]; then
 255   echo >&2 "You don't seem to have a config directory with pillars and states."
 256   echo >&2 "Please create a '${CONFIG_DIR}' directory (as configured in your '${CONFIG_FILE}'). Please see"
 257   echo >&2 "  * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
 258   echo >&2 "  * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
 259   exit 1
 260 fi
 261
 262 if grep -rni 'fixme' ${CONFIG_FILE} ${CONFIG_DIR} ; then
 263   echo >&2 "The config file ${CONFIG_FILE} has some parameters that need to be modified."
 264   echo >&2 "Please, fix them and re-run the provision script."
 265   exit 1
 266 fi
 267
 268 if ! grep -qE '^[[:alnum:]]{5}$' <<<${CLUSTER} ; then
 269   echo >&2 "ERROR: <CLUSTER> must be exactly 5 lowercase alphanumeric characters long"
 270   echo >&2 "Fix the cluster name in the 'local.params' file and re-run the provision script"
 271   exit 1
 272 fi
 273
 274 # Only used in single_host/single_name deploys
 275 if [ ! -z "${HOSTNAME_EXT}" ] ; then
 276   # We need to add some extra control vars to manage a single certificate vs. multiple
 277   USE_SINGLE_HOSTNAME="yes"
 278   # Make sure that the value configured as IP_INT is a real IP on the system.
 279   # If we don't error out early here when there is a mismatch, the formula will
 280   # fail with hard to interpret nginx errors later on.
 281   ip addr list |grep "${IP_INT}/" >/dev/null
 282   if [[ $? -ne 0 ]]; then
 283     echo "Unable to find the IP_INT address '${IP_INT}' on the system, please correct the value in local.params. Exiting..."
 284     exit 1
 285   fi
 286 else
 287   USE_SINGLE_HOSTNAME="no"
 288   # We set this variable, anyway, so sed lines do not fail and we don't need to add more
 289   # conditionals
 290   HOSTNAME_EXT="${CLUSTER}.${DOMAIN}"
 291 fi
 292
 293 if [ "${DUMP_CONFIG}" = "yes" ]; then
 294   echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit"
 295 else
 296   # Install a few dependency packages
 297   # First, let's figure out the OS we're working on
 298   OS_ID=$(grep ^ID= /etc/os-release |cut -f 2 -d=  |cut -f 2 -d \")
 299   echo "Detected distro: ${OS_ID}"
 300
 301   case ${OS_ID} in
 302     "centos")
 303       echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019"
 304       sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
 305       setenforce permissive
 306       yum install -y  curl git jq
 307       ;;
 308     "debian"|"ubuntu")
 309       # Wait 2 minutes for any apt locks to clear
 310       # This option is supported from apt 1.9.1 and ignored in older apt versions.
 311       # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/
 312       DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update
 313       DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
 314       ;;
 315   esac
 316
 317   if which salt-call; then
 318     echo "Salt already installed"
 319   else
 320     curl -L https://bootstrap.saltstack.com -o /tmp/bootstrap_salt.sh
 321     sh /tmp/bootstrap_salt.sh -XdfP -x python3 stable ${SALT_VERSION}
 322     /bin/systemctl stop salt-minion.service
 323     /bin/systemctl disable salt-minion.service
 324   fi
 325
 326   # Set salt to masterless mode
 327   cat > /etc/salt/minion << EOFSM
 328 failhard: "True"
 329
 330 file_client: local
 331 file_roots:
 332   base:
 333     - ${S_DIR}
 334     - ${F_DIR}/*
 335
 336 pillar_roots:
 337   base:
 338     - ${P_DIR}
 339 EOFSM
 340 fi
 341
 342 mkdir -p ${S_DIR} ${F_DIR} ${P_DIR} ${T_DIR}
 343
 344 # Get the formula and dependencies
 345 cd ${F_DIR} || exit 1
 346 echo "Cloning formulas"
 347 test -d docker && ( cd docker && git fetch ) \
 348   || git clone --quiet https://github.com/saltstack-formulas/docker-formula.git ${F_DIR}/docker
 349 ( cd docker && git checkout --quiet tags/"${DOCKER_TAG}" )
 350
 351 echo "...locale"
 352 test -d locale && ( cd locale && git fetch ) \
 353   || git clone --quiet https://github.com/saltstack-formulas/locale-formula.git ${F_DIR}/locale
 354 ( cd locale && git checkout --quiet tags/"${LOCALE_TAG}" )
 355
 356 echo "...nginx"
 357 test -d nginx && ( cd nginx && git fetch ) \
 358   || git clone --quiet https://github.com/saltstack-formulas/nginx-formula.git ${F_DIR}/nginx
 359 ( cd nginx && git checkout --quiet tags/"${NGINX_TAG}" )
 360
 361 echo "...postgres"
 362 test -d postgres && ( cd postgres && git fetch ) \
 363   || git clone --quiet ${POSTGRES_URL} ${F_DIR}/postgres
 364 ( cd postgres && git checkout --quiet tags/"${POSTGRES_TAG}" )
 365
 366 echo "...prometheus"
 367 test -d prometheus && ( cd prometheus && git fetch ) \
 368   || git clone --quiet https://github.com/saltstack-formulas/prometheus-formula.git ${F_DIR}/prometheus
 369 ( cd prometheus && git checkout --quiet tags/"${PROMETHEUS_TAG}" )
 370
 371 echo "...grafana"
 372 test -d grafana && ( cd grafana && git fetch ) \
 373   || git clone --quiet https://github.com/saltstack-formulas/grafana-formula.git ${F_DIR}/grafana
 374 ( cd grafana && git checkout --quiet "${GRAFANA_TAG}" )
 375
 376 echo "...letsencrypt"
 377 test -d letsencrypt && ( cd letsencrypt && git fetch ) \
 378   || git clone --quiet https://github.com/saltstack-formulas/letsencrypt-formula.git ${F_DIR}/letsencrypt
 379 ( cd letsencrypt && git checkout --quiet tags/"${LETSENCRYPT_TAG}" )
 380
 381 echo "...logrotate"
 382 test -d logrotate && ( cd logrotate && git fetch ) \
 383   || git clone --quiet https://github.com/saltstack-formulas/logrotate-formula.git ${F_DIR}/logrotate
 384 ( cd logrotate && git checkout --quiet tags/"${LOGROTATE_TAG}" )
 385
 386 echo "...arvados"
 387 test -d arvados || git clone --quiet https://git.arvados.org/arvados-formula.git ${F_DIR}/arvados
 388
 389 # If we want to try a specific branch of the formula
 390 if [ "x${BRANCH}" != "x" ]; then
 391   ( cd ${F_DIR}/arvados && git checkout --quiet -t origin/"${BRANCH}" -b "${BRANCH}" )
 392 elif [ "x${ARVADOS_TAG}" != "x" ]; then
 393   ( cd ${F_DIR}/arvados && git checkout --quiet tags/"${ARVADOS_TAG}" -b "${ARVADOS_TAG}" )
 394 fi
 395
 396 if [ "x${VAGRANT}" = "xyes" ]; then
 397   EXTRA_STATES_DIR="/home/vagrant/${CONFIG_DIR}/states"
 398   SOURCE_PILLARS_DIR="/home/vagrant/${CONFIG_DIR}/pillars"
 399   SOURCE_TESTS_DIR="/home/vagrant/${TESTS_DIR}"
 400 else
 401   EXTRA_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states"
 402   SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars"
 403   SOURCE_TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}"
 404 fi
 405
 406 SOURCE_STATES_DIR="${EXTRA_STATES_DIR}"
 407
 408 echo "Writing pillars and states"
 409
 410 # Replace variables (cluster,  domain, etc) in the pillars, states and tests
 411 # to ease deployment for newcomers
 412 if [ ! -d "${SOURCE_PILLARS_DIR}" ]; then
 413   echo "${SOURCE_PILLARS_DIR} does not exist or is not a directory. Exiting."
 414   exit 1
 415 fi
 416 for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
 417   sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
 418        s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
 419        s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
 420        s#__CLUSTER__#${CLUSTER}#g;
 421        s#__DOMAIN__#${DOMAIN}#g;
 422        s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
 423        s#__IP_INT__#${IP_INT}#g;
 424        s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
 425        s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
 426        s#__INITIAL_USER__#${INITIAL_USER}#g;
 427        s#__LE_AWS_REGION__#${LE_AWS_REGION}#g;
 428        s#__LE_AWS_SECRET_ACCESS_KEY__#${LE_AWS_SECRET_ACCESS_KEY}#g;
 429        s#__LE_AWS_ACCESS_KEY_ID__#${LE_AWS_ACCESS_KEY_ID}#g;
 430        s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
 431        s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
 432        s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
 433        s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
 434        s#__RELEASE__#${RELEASE}#g;
 435        s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
 436        s#__VERSION__#${VERSION}#g;
 437        s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
 438        s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
 439        s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
 440        s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
 441        s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
 442        s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
 443        s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
 444        s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
 445        s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
 446        s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
 447        s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
 448        s#__SHELL_INT_IP__#${SHELL_INT_IP}#g;
 449        s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
 450        s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
 451        s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
 452        s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
 453        s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
 454        s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
 455        s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
 456        s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g;
 457        s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g;
 458        s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g;
 459        s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g;
 460        s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g" \
 461   "${f}" > "${P_DIR}"/$(basename "${f}")
 462 done
 463
 464 if [ ! -d "${SOURCE_TESTS_DIR}" ]; then
 465   echo "WARNING: The tests directory was not copied to \"${SOURCE_TESTS_DIR}\"."
 466   if [ "x${TEST}" = "xyes" ]; then
 467     echo "WARNING: Disabling tests for this installation."
 468   fi
 469   TEST="no"
 470 else
 471   mkdir -p ${T_DIR}
 472   # Replace cluster and domain name in the test files
 473   for f in $(ls "${SOURCE_TESTS_DIR}"/*); do
 474     FILTERS="s#__CLUSTER__#${CLUSTER}#g;
 475          s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
 476          s#__DOMAIN__#${DOMAIN}#g;
 477          s#__IP_INT__#${IP_INT}#g;
 478          s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
 479          s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g
 480          s#__INITIAL_USER__#${INITIAL_USER}#g;
 481          s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
 482          s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g"
 483     if [ "$USE_SINGLE_HOSTNAME" = "yes" ]; then
 484       FILTERS="s#__CLUSTER__.__DOMAIN__#${HOSTNAME_EXT}#g;
 485          $FILTERS"
 486     fi
 487     sed "$FILTERS" \
 488       "${f}" > ${T_DIR}/$(basename "${f}")
 489   done
 490   chmod 755 ${T_DIR}/run-test.sh
 491 fi
 492
 493 # Replace helper state files that differ from the formula's examples
 494 if [ -d "${SOURCE_STATES_DIR}" ]; then
 495   mkdir -p "${F_DIR}"/extra/extra
 496   rm -f "${F_DIR}"/extra/extra/*
 497
 498   for f in $(ls "${SOURCE_STATES_DIR}"/*); do
 499     sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
 500          s#__CLUSTER__#${CLUSTER}#g;
 501          s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
 502          s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
 503          s#__DOMAIN__#${DOMAIN}#g;
 504          s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
 505          s#__IP_INT__#${IP_INT}#g;
 506          s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
 507          s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
 508          s#__INITIAL_USER__#${INITIAL_USER}#g;
 509          s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
 510          s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
 511          s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
 512          s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
 513          s#__RELEASE__#${RELEASE}#g;
 514          s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
 515          s#__VERSION__#${VERSION}#g;
 516          s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
 517          s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
 518          s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
 519          s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
 520          s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
 521          s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
 522          s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
 523          s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
 524          s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
 525          s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
 526          s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
 527          s#__SHELL_INT_IP__#${SHELL_INT_IP}#g;
 528          s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
 529          s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
 530          s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
 531          s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
 532          s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
 533          s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
 534          s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;
 535          s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g;
 536          s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g;
 537          s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g;
 538          s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g;
 539          s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g" \
 540     "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
 541   done
 542 fi
 543
 544 # Now, we build the SALT states/pillars trees
 545 # As we need to separate both states and pillars in case we want specific
 546 # roles, we iterate on both at the same time
 547
 548 # States
 549 cat > ${S_DIR}/top.sls << EOFTSLS
 550 base:
 551   '*':
 552     - locale
 553 EOFTSLS
 554
 555 # Pillars
 556 cat > ${P_DIR}/top.sls << EOFPSLS
 557 base:
 558   '*':
 559     - locale
 560     - arvados
 561 EOFPSLS
 562
 563 # States, extra states
 564 if [ -d "${F_DIR}"/extra/extra ]; then
 565   SKIP_SNAKE_OIL="snakeoil_certs"
 566
 567   if [[ "$DEV_MODE" = "yes" || "${SSL_MODE}" == "self-signed" ]] ; then
 568     # In dev mode, we create some snake oil certs that we'll
 569     # use as CUSTOM_CERTS, so we don't skip the states file.
 570     # Same when using self-signed certificates.
 571     SKIP_SNAKE_OIL="dont_add_snakeoil_certs"
 572   fi
 573   for f in $(ls "${F_DIR}"/extra/extra/*.sls | egrep -v "${SKIP_SNAKE_OIL}|shell_"); do
 574   echo "    - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls
 575   done
 576   # Use byo or self-signed certificates
 577   if [ "${SSL_MODE}" != "lets-encrypt" ]; then
 578     mkdir -p "${F_DIR}"/extra/extra/files
 579   fi
 580 fi
 581
 582 # If we want specific roles for a node, just add the desired states
 583 # and its dependencies
 584 if [ -z "${ROLES}" ]; then
 585   # States
 586   echo "    - nginx.passenger" >> ${S_DIR}/top.sls
 587   if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 588     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
 589       grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - extra.aws_credentials" >> ${S_DIR}/top.sls
 590     fi
 591     grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
 592   else
 593     mkdir -p --mode=0700 /srv/salt/certs
 594     if [ "${SSL_MODE}" = "bring-your-own" ]; then
 595       # Copy certs to formula extra/files
 596       install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
 597       # We add the custom_certs state
 598       grep -q "custom_certs" ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
 599       if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
 600         grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
 601       fi
 602     fi
 603     # In self-signed mode, the certificate files will be created and put in the
 604     # destination directory by the snakeoil_certs.sls state file
 605   fi
 606
 607   echo "    - postgres" >> ${S_DIR}/top.sls
 608   echo "    - logrotate" >> ${S_DIR}/top.sls
 609   echo "    - docker.software" >> ${S_DIR}/top.sls
 610   echo "    - arvados" >> ${S_DIR}/top.sls
 611   echo "    - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
 612   echo "    - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls
 613   echo "    - extra.passenger_rvm" >> ${S_DIR}/top.sls
 614
 615   # Pillars
 616   echo "    - docker" >> ${P_DIR}/top.sls
 617   echo "    - nginx_api_configuration" >> ${P_DIR}/top.sls
 618   echo "    - logrotate_api" >> ${P_DIR}/top.sls
 619   echo "    - nginx_controller_configuration" >> ${P_DIR}/top.sls
 620   echo "    - nginx_keepproxy_configuration" >> ${P_DIR}/top.sls
 621   echo "    - nginx_keepweb_configuration" >> ${P_DIR}/top.sls
 622   echo "    - nginx_passenger" >> ${P_DIR}/top.sls
 623   echo "    - nginx_websocket_configuration" >> ${P_DIR}/top.sls
 624   echo "    - nginx_webshell_configuration" >> ${P_DIR}/top.sls
 625   echo "    - nginx_workbench2_configuration" >> ${P_DIR}/top.sls
 626   echo "    - nginx_workbench_configuration" >> ${P_DIR}/top.sls
 627   echo "    - logrotate_wb1" >> ${P_DIR}/top.sls
 628   echo "    - postgresql" >> ${P_DIR}/top.sls
 629
 630   # We need to tweak the Nginx's pillar depending whether we want plan nginx or nginx+passenger
 631   NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
 632   sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" ${P_DIR}/nginx_passenger.sls
 633
 634   if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 635     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
 636       grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
 637     fi
 638     grep -q "letsencrypt" ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
 639
 640     hosts=("controller" "websocket" "workbench" "workbench2" "webshell" "keepproxy")
 641     if [ ${USE_SINGLE_HOSTNAME} = "no" ]; then
 642       hosts+=("download" "collections")
 643     else
 644       hosts+=("keepweb")
 645     fi
 646
 647     for c in "${hosts[@]}"; do
 648       # Are we in a single-host-single-hostname env?
 649       if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
 650         # Are we in a single-host-single-hostname env?
 651         CERT_NAME=${HOSTNAME_EXT}
 652       else
 653         # We are in a multiple-hostnames env
 654         CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
 655       fi
 656
 657       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
 658       sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
 659               s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
 660               s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
 661       ${P_DIR}/nginx_${c}_configuration.sls
 662     done
 663   else
 664     # Use custom certs (either dev mode or prod)
 665     grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo "    - extra_custom_certs" >> ${P_DIR}/top.sls
 666     # And add the certs in the custom_certs pillar
 667     echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
 668     echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
 669
 670     for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
 671       # Are we in a single-host-single-hostname env?
 672       if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
 673         # Are we in a single-host-single-hostname env?
 674         CERT_NAME=${HOSTNAME_EXT}
 675       else
 676         # We are in a multiple-hostnames env
 677         CERT_NAME=${c}
 678       fi
 679
 680       if [[ "$SSL_MODE" == "bring-your-own" ]]; then
 681         copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME}
 682       fi
 683
 684       grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo "  - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
 685
 686       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
 687       sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g;
 688               s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g;
 689               s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \
 690       ${P_DIR}/nginx_${c}_configuration.sls
 691     done
 692   fi
 693 else
 694   # If we add individual roles, make sure we add the repo first
 695   echo "    - arvados.repo" >> ${S_DIR}/top.sls
 696   # We add the extra_custom_certs state
 697   grep -q "extra.custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
 698   if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
 699     grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
 700   fi
 701
 702   # And we add the basic part for the certs pillar
 703   if [ "${SSL_MODE}" != "lets-encrypt" ]; then
 704     # And add the certs in the custom_certs pillar
 705     echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
 706     echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
 707     grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo "    - extra_custom_certs" >> ${P_DIR}/top.sls
 708   fi
 709
 710   # Prometheus state on all nodes due to the node exporter below
 711   grep -q "\- prometheus$" ${S_DIR}/top.sls || echo "    - prometheus" >> ${S_DIR}/top.sls
 712   # Prometheus node exporter pillar
 713   grep -q "prometheus_node_exporter" ${P_DIR}/top.sls || echo "    - prometheus_node_exporter" >> ${P_DIR}/top.sls
 714
 715   for R in ${ROLES}; do
 716     case "${R}" in
 717       "database")
 718         # States
 719         grep -q "\- postgres$" ${S_DIR}/top.sls || echo "    - postgres" >> ${S_DIR}/top.sls
 720         grep -q "extra.prometheus_pg_exporter" ${S_DIR}/top.sls || echo "    - extra.prometheus_pg_exporter" >> ${S_DIR}/top.sls
 721         # Pillars
 722         grep -q "postgresql" ${P_DIR}/top.sls || echo "    - postgresql" >> ${P_DIR}/top.sls
 723         grep -q "prometheus_pg_exporter" ${P_DIR}/top.sls || echo "    - prometheus_pg_exporter" >> ${P_DIR}/top.sls
 724       ;;
 725       "monitoring")
 726         ### Support files ###
 727         GRAFANA_DASHBOARDS_DEST_DIR=/srv/salt/dashboards
 728         mkdir -p "${GRAFANA_DASHBOARDS_DEST_DIR}"
 729         rm -f "${GRAFANA_DASHBOARDS_DEST_DIR}"/*
 730         # "ArvadosPromDataSource" is the hardcoded UID for Prometheus' datasource
 731         # in Grafana.
 732         for f in $(ls "${GRAFANA_DASHBOARDS_DIR}"/*.json); do
 733           sed 's#${DS_PROMETHEUS}#ArvadosPromDataSource#g' \
 734           "${f}" > "${GRAFANA_DASHBOARDS_DEST_DIR}"/$(basename "${f}")
 735         done
 736
 737         ### States ###
 738         grep -q "\- nginx$" ${S_DIR}/top.sls || echo "    - nginx" >> ${S_DIR}/top.sls
 739         grep -q "extra.nginx_prometheus_configuration" ${S_DIR}/top.sls || echo "    - extra.nginx_prometheus_configuration" >> ${S_DIR}/top.sls
 740
 741         grep -q "\- grafana$" ${S_DIR}/top.sls || echo "    - grafana" >> ${S_DIR}/top.sls
 742         grep -q "extra.grafana_datasource" ${S_DIR}/top.sls || echo "    - extra.grafana_datasource" >> ${S_DIR}/top.sls
 743         grep -q "extra.grafana_dashboards" ${S_DIR}/top.sls || echo "    - extra.grafana_dashboards" >> ${S_DIR}/top.sls
 744         grep -q "extra.grafana_admin_user" ${S_DIR}/top.sls || echo "    - extra.grafana_admin_user" >> ${S_DIR}/top.sls
 745
 746         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 747           grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
 748           if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then
 749             grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
 750           fi
 751         elif [ "${SSL_MODE}" = "bring-your-own" ]; then
 752           for SVC in grafana prometheus; do
 753             copy_custom_cert ${CUSTOM_CERTS_DIR} ${SVC}
 754           done
 755         fi
 756         ### Pillars ###
 757         grep -q "prometheus_server" ${P_DIR}/top.sls || echo "    - prometheus_server" >> ${P_DIR}/top.sls
 758         grep -q "grafana" ${P_DIR}/top.sls || echo "    - grafana" >> ${P_DIR}/top.sls
 759         for SVC in grafana prometheus; do
 760           grep -q "nginx_${SVC}_configuration" ${P_DIR}/top.sls || echo "    - nginx_${SVC}_configuration" >> ${P_DIR}/top.sls
 761         done
 762         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 763           grep -q "letsencrypt"     ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
 764           for SVC in grafana prometheus; do
 765             grep -q "letsencrypt_${SVC}_configuration" ${P_DIR}/top.sls || echo "    - letsencrypt_${SVC}_configuration" >> ${P_DIR}/top.sls
 766             sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${CLUSTER}.${DOMAIN}*/g;
 767                     s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
 768                     s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
 769             ${P_DIR}/nginx_${SVC}_configuration.sls
 770           done
 771           if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
 772             grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
 773           fi
 774         elif [ "${SSL_MODE}" = "bring-your-own" ]; then
 775           grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo "    - ssl_key_encrypted" >> ${P_DIR}/top.sls
 776           for SVC in grafana prometheus; do
 777             sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${SVC}.pem/g;
 778                     s#__CERT_PEM__#/etc/nginx/ssl/arvados-${SVC}.pem#g;
 779                     s#__CERT_KEY__#/etc/nginx/ssl/arvados-${SVC}.key#g" \
 780               ${P_DIR}/nginx_${SVC}_configuration.sls
 781             grep -q ${SVC} ${P_DIR}/extra_custom_certs.sls || echo "  - ${SVC}" >> ${P_DIR}/extra_custom_certs.sls
 782           done
 783         fi
 784       ;;
 785       "api")
 786         # States
 787         grep -q "    - logrotate" ${S_DIR}/top.sls || echo "    - logrotate" >> ${S_DIR}/top.sls
 788         if grep -q "    - nginx.*$" ${S_DIR}/top.sls; then
 789           sed -i s/"^    - nginx.*$"/"    - nginx.passenger"/g ${S_DIR}/top.sls
 790         else
 791           echo "    - nginx.passenger" >> ${S_DIR}/top.sls
 792         fi
 793         echo "    - extra.passenger_rvm" >> ${S_DIR}/top.sls
 794         ### If we don't install and run LE before arvados-api-server, it fails and breaks everything
 795         ### after it. So we add this here as we are, after all, sharing the host for api and controller
 796         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 797           if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
 798             grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
 799           fi
 800           grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
 801         else
 802           # Use custom certs
 803           if [ "${SSL_MODE}" = "bring-your-own" ]; then
 804             copy_custom_cert ${CUSTOM_CERTS_DIR} controller
 805           fi
 806           grep -q controller ${P_DIR}/extra_custom_certs.sls || echo "  - controller" >> ${P_DIR}/extra_custom_certs.sls
 807         fi
 808         grep -q "arvados.${R}" ${S_DIR}/top.sls    || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
 809         # Pillars
 810         grep -q "logrotate_api" ${P_DIR}/top.sls            || echo "    - logrotate_api" >> ${P_DIR}/top.sls
 811         grep -q "aws_credentials" ${P_DIR}/top.sls          || echo "    - aws_credentials" >> ${P_DIR}/top.sls
 812         grep -q "postgresql" ${P_DIR}/top.sls               || echo "    - postgresql" >> ${P_DIR}/top.sls
 813         grep -q "nginx_passenger" ${P_DIR}/top.sls          || echo "    - nginx_passenger" >> ${P_DIR}/top.sls
 814         grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo "    - nginx_${R}_configuration" >> ${P_DIR}/top.sls
 815
 816         # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger
 817         NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
 818         sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" ${P_DIR}/nginx_passenger.sls
 819       ;;
 820       "controller" | "websocket" | "workbench" | "workbench2" | "webshell" | "keepweb" | "keepproxy")
 821         # States
 822         if [ "${R}" = "workbench" ]; then
 823           grep -q "    - logrotate" ${S_DIR}/top.sls || echo "    - logrotate" >> ${S_DIR}/top.sls
 824           NGINX_INSTALL_SOURCE="install_from_phusionpassenger"
 825           if grep -q "    - nginx$" ${S_DIR}/top.sls; then
 826             sed -i s/"^    - nginx.*$"/"    - nginx.passenger"/g ${S_DIR}/top.sls
 827           else
 828             echo "    - nginx.passenger" >> ${S_DIR}/top.sls
 829           fi
 830         else
 831           grep -q "\- nginx$" ${S_DIR}/top.sls || echo "    - nginx" >> ${S_DIR}/top.sls
 832         fi
 833         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 834           if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then
 835             grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
 836           fi
 837           grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
 838         else
 839           # Use custom certs, special case for keepweb
 840           if [ ${R} = "keepweb" ]; then
 841             if [ "${SSL_MODE}" = "bring-your-own" ]; then
 842               copy_custom_cert ${CUSTOM_CERTS_DIR} download
 843               copy_custom_cert ${CUSTOM_CERTS_DIR} collections
 844             fi
 845           else
 846             if [ "${SSL_MODE}" = "bring-your-own" ]; then
 847               copy_custom_cert ${CUSTOM_CERTS_DIR} ${R}
 848             fi
 849           fi
 850         fi
 851         # webshell role is just a nginx vhost, so it has no state
 852         if [ "${R}" != "webshell" ]; then
 853           grep -q "arvados.${R}" ${S_DIR}/top.sls || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
 854         fi
 855         # Pillars
 856         if [ "${R}" = "workbench" ]; then
 857           grep -q "logrotate_wb1" ${P_DIR}/top.sls || echo "    - logrotate_wb1" >> ${P_DIR}/top.sls
 858         fi
 859         grep -q "nginx_passenger" ${P_DIR}/top.sls          || echo "    - nginx_passenger" >> ${P_DIR}/top.sls
 860         grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo "    - nginx_${R}_configuration" >> ${P_DIR}/top.sls
 861         # Special case for keepweb
 862         if [ ${R} = "keepweb" ]; then
 863           grep -q "nginx_download_configuration" ${P_DIR}/top.sls || echo "    - nginx_download_configuration" >> ${P_DIR}/top.sls
 864           grep -q "nginx_collections_configuration" ${P_DIR}/top.sls || echo "    - nginx_collections_configuration" >> ${P_DIR}/top.sls
 865         fi
 866
 867         if [ "${SSL_MODE}" = "lets-encrypt" ]; then
 868           if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
 869             grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
 870           fi
 871           grep -q "letsencrypt"     ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
 872           grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo "    - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls
 873
 874           # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
 875           # Special case for keepweb
 876           if [ ${R} = "keepweb" ]; then
 877             for kwsub in download collections; do
 878               sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g;
 879                       s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
 880                       s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
 881               ${P_DIR}/nginx_${kwsub}_configuration.sls
 882             done
 883           else
 884             sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g;
 885                     s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
 886                     s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
 887             ${P_DIR}/nginx_${R}_configuration.sls
 888           fi
 889         else
 890           grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo "    - ssl_key_encrypted" >> ${P_DIR}/top.sls
 891           # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
 892           # Special case for keepweb
 893           if [ ${R} = "keepweb" ]; then
 894             for kwsub in download collections; do
 895               sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g;
 896                       s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g;
 897                       s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \
 898               ${P_DIR}/nginx_${kwsub}_configuration.sls
 899               grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo "  - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls
 900             done
 901           else
 902             sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
 903                     s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
 904                     s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
 905             ${P_DIR}/nginx_${R}_configuration.sls
 906             grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo "  - ${R}" >> ${P_DIR}/extra_custom_certs.sls
 907           fi
 908         fi
 909         # We need to tweak the Nginx's pillar depending whether we want plain nginx or nginx+passenger
 910         sed -i "s/__NGINX_INSTALL_SOURCE__/${NGINX_INSTALL_SOURCE}/g" ${P_DIR}/nginx_passenger.sls
 911       ;;
 912       "shell")
 913         # States
 914         echo "    - extra.shell_sudo_passwordless" >> ${S_DIR}/top.sls
 915         echo "    - extra.shell_cron_add_login_sync" >> ${S_DIR}/top.sls
 916         grep -q "docker" ${S_DIR}/top.sls       || echo "    - docker.software" >> ${S_DIR}/top.sls
 917         grep -q "arvados.${R}" ${S_DIR}/top.sls || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
 918         # Pillars
 919         grep -q "docker" ${P_DIR}/top.sls       || echo "    - docker" >> ${P_DIR}/top.sls
 920       ;;
 921       "dispatcher" | "keepbalance" | "keepstore")
 922         # States
 923         grep -q "arvados.${R}" ${S_DIR}/top.sls || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
 924         # Pillars
 925         # ATM, no specific pillar needed
 926       ;;
 927       *)
 928         echo "Unknown role ${R}"
 929         exit 1
 930       ;;
 931     esac
 932   done
 933 fi
 934
 935 if [ "${DUMP_CONFIG}" = "yes" ]; then
 936   # We won't run the rest of the script because we're just dumping the config
 937   exit 0
 938 fi
 939
 940 # Now run the install
 941 salt-call --state-output=mixed --local state.apply -l ${LOG_LEVEL}
 942
 943 # Finally, make sure that /etc/hosts is not overwritten on reboot
 944 if [ -d /etc/cloud/cloud.cfg.d ]; then
 945   # TODO: will this work on CentOS?
 946   sed -i 's/^manage_etc_hosts: true/#manage_etc_hosts: true/g' /etc/cloud/cloud.cfg.d/*
 947 fi
 948
 949 # Leave a copy of the Arvados CA so the user can copy it where it's required
 950 if [ "${SSL_MODE}" = "self-signed" ]; then
 951   echo "Copying the Arvados CA certificate '${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it"
 952   if [ "x${VAGRANT}" = "xyes" ]; then
 953     cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem
 954   else
 955     cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt
 956   fi
 957 fi
 958
 959 if [ "x${VAGRANT}" = "xyes" ]; then
 960     # If running in a vagrant VM, also add default user to docker group
 961     echo "Adding the vagrant user to the docker group"
 962     usermod -a -G docker vagrant
 963 fi
 964
 965 # Test that the installation finished correctly
 966 if [ "x${TEST}" = "xyes" ]; then
 967   cd ${T_DIR}
 968   # If we use RVM, we need to run this with it, or most ruby commands will fail
 969   RVM_EXEC=""
 970   if [ -x /usr/local/rvm/bin/rvm-exec ]; then
 971     RVM_EXEC="/usr/local/rvm/bin/rvm-exec"
 972   fi
 973   ${RVM_EXEC} ./run-test.sh
 974 fi