1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: Apache-2.0
5 # WARNING: This file is only used for testing purposes, and should not be used
6 # in a production environment
8 {%- set curr_tpldir = tpldir %}
9 {%- set tpldir = 'arvados' %}
10 {%- from "arvados/map.jinja" import arvados with context %}
11 {%- set tpldir = curr_tpldir %}
13 {%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs') %}
20 # Debian uses different dirs for certs and keys, but being a Snake Oil example,
21 # we'll keep it simple here.
22 {%- set arvados_ca_cert_file = '/etc/ssl/private/arvados-snakeoil-ca.pem' %}
23 {%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
25 {%- if grains.get('os_family') == 'Debian' %}
26 {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %}
27 {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %}
28 {%- set openssl_conf = '/etc/ssl/openssl.cnf' %}
30 extra_snakeoil_certs_ssl_cert_pkg_installed:
37 {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %}
38 {%- set update_ca_cert = '/usr/bin/update-ca-trust' %}
39 {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %}
43 extra_snakeoil_certs_dependencies_pkg_installed:
49 # Remove the RANDFILE parameter in openssl.cnf as it makes openssl fail in Ubuntu 18.04
50 # Saving and restoring the rng state is not necessary anymore in the openssl 1.1.1
51 # random generator, cf
52 # https://github.com/openssl/openssl/issues/7754
54 extra_snakeoil_certs_file_comment_etc_openssl_conf:
56 - name: /etc/ssl/openssl.cnf
58 - onlyif: grep -q ^RANDFILE /etc/ssl/openssl.cnf
60 - cmd: extra_snakeoil_certs_arvados_snakeoil_ca_cmd_run
62 extra_snakeoil_certs_arvados_snakeoil_ca_cmd_run:
63 # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run
66 # These dirs are not too CentOS-ish, but this is a helper script
67 # and they should be enough
68 mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
74 -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \
75 -extensions x509_ext \
76 -config <(cat {{ openssl_conf }} \
77 <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
78 -out {{ arvados_ca_cert_file }} \
79 -keyout {{ arvados_ca_key_file }} \
81 cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \
84 - test -f {{ arvados_ca_cert_file }}
85 - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }}
87 - pkg: extra_snakeoil_certs_dependencies_pkg_installed
89 {%- set arvados_cert_file = orig_cert_dir ~ '/arvados-__HOSTNAME_EXT__.pem' %}
90 {%- set arvados_csr_file = orig_cert_dir ~ '/arvadoos-__HOSTNAME_EXT__.csr' %}
91 {%- set arvados_key_file = orig_cert_dir ~ '/arvados-__HOSTNAME_EXT__.key' %}
93 extra_snakeoil_certs_arvados_snakeoil_cert___HOSTNAME_EXT___cmd_run:
96 cat > /tmp/__HOSTNAME_EXT__.openssl.cnf <<-CNF
101 distinguished_name = dn
102 req_extensions = rext
104 subjectAltName = @alt_names
109 O = Arvados Provision Example Single Host / Single Hostname
110 OU = arvados-provision-example-single_host_single_hostname
111 CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
112 emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
114 {%- for entry in grains.get('ipv4') %}
115 IP.{{ loop.index }} = {{ entry }}
117 DNS.1 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
118 DNS.2 = '__HOSTNAME_EXT__'
119 DNS.3 = '__HOSTNAME_INT__'
124 -config /tmp/__HOSTNAME_EXT__.openssl.cnf \
128 -out {{ arvados_csr_file }} \
129 -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.__HOSTNAME_EXT__.output 2>&1 && \
134 -in {{ arvados_csr_file }} \
135 -out {{ arvados_cert_file }} \
136 -extfile /tmp/__HOSTNAME_EXT__.openssl.cnf \
138 -CA {{ arvados_ca_cert_file }} \
139 -CAkey {{ arvados_ca_key_file }} \
140 -set_serial $(date +%s) && \
141 chmod 0644 {{ arvados_cert_file }} && \
142 chmod 0640 {{ arvados_key_file }}
144 - test -f {{ arvados_key_file }}
145 - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }}
147 - pkg: extra_snakeoil_certs_dependencies_pkg_installed
148 - cmd: extra_snakeoil_certs_arvados_snakeoil_ca_cmd_run
150 - file: extra_custom_certs_file_copy_arvados-__HOSTNAME_EXT__.pem
151 - file: extra_custom_certs_file_copy_arvados-__HOSTNAME_EXT__.key
153 {%- if grains.get('os_family') == 'Debian' %}
154 extra_snakeoil_certs_certs_permissions___HOSTNAME_EXT___cmd_run:
156 - name: {{ arvados_key_file }}
160 - cmd: extra_snakeoil_certs_arvados_snakeoil_cert___HOSTNAME_EXT___cmd_run
161 - pkg: extra_snakeoil_certs_ssl_cert_pkg_installed