1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: Apache-2.0
5 {%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
7 {%- if ssl_key_encrypted.enabled %}
9 extra_ssl_key_encrypted_required_pkgs:
13 extra_ssl_key_encrypted_password_retrieval_script:
15 - name: {{ ssl_key_encrypted.privkey_password_script }}
20 - pkg: extra_ssl_key_encrypted_required_pkgs
24 # RUNTIME_DIRECTORY is provided by systemd: the unit below declares
25 # RuntimeDirectory=arvados, so this is normally /run/arvados.
26 # NOTE: We assume systemd's set up in a way that there's just one
27 # runtime dir for this particular unit, otherwise this variable could
# contain multiple paths separated by a colon and the path built below
# would no longer match the FIFO created by the unit's ExecStartPre.
# PASSWORD_FILE is that FIFO (mkfifo --mode=0600): the passphrase is only
# ever written into the pipe, never into a regular file on disk.
28 PASSWORD_FILE="${RUNTIME_DIRECTORY}/{{ ssl_key_encrypted.privkey_password_filename }}"
31 # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
32 # loading invalid credentials on nodes who use ~/.aws/credentials for other
33 # purposes (e.g.: the dispatcher credentials)
34 # Access to the secrets manager is given by using an instance profile.
# With the shared credentials file disabled, the instance profile is the only
# credential source left, so the instance role must be allowed to read this
# secret (GetSecretValue, plus decrypt rights on its KMS key if it has one).
# NOTE(review): 'jq -r .SecretString' assumes the secret is stored as a plain
# string; a key/value (JSON) secret would be handed over verbatim as the
# passphrase -- confirm how the secret is stored.
# NOTE(review): unless 'set -e -o pipefail' is in effect earlier in this script
# (not visible here), a failed 'aws' call gives jq empty input, jq exits 0, an
# empty passphrase is written into the FIFO and the service still reports
# success. Checking that the output is non-empty before writing would make a
# missing role permission or wrong region fail loudly instead.
# NOTE(review): the secret id and region are pillar values rendered inside
# single quotes at template time; a value containing a single quote would
# break the command line, so keep those pillar keys validated.
# Writing to a FIFO blocks until a reader opens the other end, so this line
# is where the unit waits for whatever consumes the key passphrase.
35 AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > "${PASSWORD_FILE}"
39 extra_ssl_key_encrypted_password_retrieval_service_unit:
41 - name: /etc/systemd/system/password_secret_connector.service
46 - file: extra_ssl_key_encrypted_password_retrieval_script
49 Description=Arvados SSL private key password retrieval service
52 RuntimeDirectory=arvados
53 ExecStartPre={{ ('/usr/bin/mkfifo --mode=0600 %t/arvados/' ~ ssl_key_encrypted.privkey_password_filename) | yaml_dquote }}
54 ExecStart={{ ('/bin/bash ' ~ ssl_key_encrypted.privkey_password_script) | yaml_dquote }}
56 WantedBy=multi-user.target
58 extra_ssl_key_encrypted_password_retrieval_service:
60 - name: password_secret_connector
63 - file: extra_ssl_key_encrypted_password_retrieval_service_unit
65 - file: extra_ssl_key_encrypted_password_retrieval_service_unit
66 - file: extra_ssl_key_encrypted_password_retrieval_script