X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/5f1d2739d5633ab2b40acd3f413f41dfdbb7e696..b3243354b3f123f78c4f1d172455c4866e5e5477:/tools/salt-install/provision.sh?ds=sidebyside diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index 92763d0208..f90386652b 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -192,6 +192,8 @@ SSL_MODE="self-signed" USE_LETSENCRYPT_ROUTE53="no" CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs" +GRAFANA_DASHBOARDS_DIR="${SCRIPT_DIR}/local_config_dir/dashboards" + ## These are ARVADOS-related parameters # For a stable release, change RELEASE "production" and VERSION to the # package version (including the iteration, e.g. X.Y.Z-1) of the @@ -222,6 +224,7 @@ LOCALE_TAG="v0.3.4" LETSENCRYPT_TAG="v2.1.0" LOGROTATE_TAG="v0.14.0" PROMETHEUS_TAG="v5.6.5" +GRAFANA_TAG="v3.1.3" # Salt's dir DUMP_SALT_CONFIG_DIR="" @@ -284,7 +287,7 @@ else USE_SINGLE_HOSTNAME="no" # We set this variable, anyway, so sed lines do not fail and we don't need to add more # conditionals - HOSTNAME_EXT="${CLUSTER}.${DOMAIN}" + HOSTNAME_EXT="${DOMAIN}" fi if [ "${DUMP_CONFIG}" = "yes" ]; then @@ -365,6 +368,11 @@ test -d prometheus && ( cd prometheus && git fetch ) \ || git clone --quiet https://github.com/saltstack-formulas/prometheus-formula.git ${F_DIR}/prometheus ( cd prometheus && git checkout --quiet tags/"${PROMETHEUS_TAG}" ) +echo "...grafana" +test -d grafana && ( cd grafana && git fetch ) \ + || git clone --quiet https://github.com/saltstack-formulas/grafana-formula.git ${F_DIR}/grafana +( cd grafana && git checkout --quiet "${GRAFANA_TAG}" ) + echo "...letsencrypt" test -d letsencrypt && ( cd letsencrypt && git fetch ) \ || git clone --quiet https://github.com/saltstack-formulas/letsencrypt-formula.git ${F_DIR}/letsencrypt 
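Review bot: The added `( cd grafana && git checkout --quiet "${GRAFANA_TAG}" )` drops the `tags/` prefix that the prometheus checkout just above it uses, so a local branch with the same name as the tag would be checked out instead of the tag. Make the ref unambiguous and consistent with the neighbouring formulas: `( cd grafana && git checkout --quiet tags/"${GRAFANA_TAG}" )`. The formula is fetched from a third-party repository and, as far as this script shows, is later applied by Salt on the host. A tag is a movable reference, so pinning to a reviewed commit id would make the provisioned code reproducible. `${F_DIR}` in the added clone line is also unquoted.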
@@ -388,10 +396,12 @@ fi if [ "x${VAGRANT}" = "xyes" ]; then EXTRA_STATES_DIR="/home/vagrant/${CONFIG_DIR}/states" SOURCE_PILLARS_DIR="/home/vagrant/${CONFIG_DIR}/pillars" + SOURCE_TOFS_DIR="/home/vagrant/${CONFIG_DIR}/tofs" SOURCE_TESTS_DIR="/home/vagrant/${TESTS_DIR}" else EXTRA_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states" SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars" + SOURCE_TOFS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/tofs" SOURCE_TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}" fi @@ -445,8 +455,11 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g; s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g; s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g; - s#__PROMETHEUS_UI_USERNAME__#${PROMETHEUS_UI_USERNAME}#g; - s#__PROMETHEUS_UI_PASSWORD__#${PROMETHEUS_UI_PASSWORD}#g" \ + s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g; + s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g; + s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g; + s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g; + s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g" \ "${f}" > "${P_DIR}"/$(basename "${f}") done @@ -521,8 +534,11 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g; s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g; s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g; - s#__PROMETHEUS_UI_USERNAME__#${PROMETHEUS_UI_USERNAME}#g; - s#__PROMETHEUS_UI_PASSWORD__#${PROMETHEUS_UI_PASSWORD}#g" \ + s#__CONTROLLER_NGINX_WORKERS__#${CONTROLLER_NGINX_WORKERS}#g; + s#__CONTROLLER_MAX_CONCURRENT_REQUESTS__#${CONTROLLER_MAX_CONCURRENT_REQUESTS}#g; + s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g; + s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g; + s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g" \ "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}") done fi 
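Review bot: The monitoring values are interpolated straight into the sed program at `s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g`, so a password containing `#`, `&` or a backslash either breaks the expression or is written to the pillar in altered form (in a replacement, `&` expands to the matched placeholder). The same lines are added in the `@@ -521,8 +534,11 @@` hunk for the states files. Escape the value once before the loops, e.g. `MONITORING_PASSWORD_ESC=$(printf '%s' "${MONITORING_PASSWORD}" | sed 's/[#&\\]/\\&/g')`, and substitute the escaped variable, or document the allowed character set next to the setting. The secret is also visible on sed's command line while it runs. The enclosing `for` loop starts outside the hunk.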
@@ -531,6 +547,12 @@ fi # As we need to separate both states and pillars in case we want specific # roles, we iterate on both at the same time +# Formula template overrides (TOFS) +# See: https://template-formula.readthedocs.io/en/latest/TOFS_pattern.html#template-override +if [ -d ${SOURCE_TOFS_DIR} ]; then + find ${SOURCE_TOFS_DIR} -mindepth 1 -maxdepth 1 -type d -exec cp -r "{}" ${S_DIR} \; +fi + # States cat > ${S_DIR}/top.sls << EOFTSLS base: @@ -637,7 +659,7 @@ if [ -z "${ROLES}" ]; then CERT_NAME=${HOSTNAME_EXT} else # We are in a multiple-hostnames env - CERT_NAME=${c}.${CLUSTER}.${DOMAIN} + CERT_NAME=${c}.${DOMAIN} fi # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them 
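Review bot: `${SOURCE_TOFS_DIR}` and `${S_DIR}` are unquoted in the added `if [ -d ${SOURCE_TOFS_DIR} ]` and `find` lines, so a path containing whitespace is split, and an empty value makes `[ -d ]` succeed and `find` walk the current directory. Quote them: `if [ -d "${SOURCE_TOFS_DIR}" ]; then` and `find "${SOURCE_TOFS_DIR}" -mindepth 1 -maxdepth 1 -type d -exec cp -r "{}" "${S_DIR}" \;`. The copied directories appear to land directly in the Salt states tree, where they override formula templates. A one-line comment saying that everything under `tofs/` is applied to the host as configuration would help whoever reviews the local config directory.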
@@ -709,31 +731,49 @@ else grep -q "prometheus_pg_exporter" ${P_DIR}/top.sls || echo " - prometheus_pg_exporter" >> ${P_DIR}/top.sls ;; "monitoring") + ### Support files ### + GRAFANA_DASHBOARDS_DEST_DIR=/srv/salt/dashboards + mkdir -p "${GRAFANA_DASHBOARDS_DEST_DIR}" + rm -f "${GRAFANA_DASHBOARDS_DEST_DIR}"/* + # "ArvadosPromDataSource" is the hardcoded UID for Prometheus' datasource + # in Grafana. + for f in $(ls "${GRAFANA_DASHBOARDS_DIR}"/*.json); do + sed 's#${DS_PROMETHEUS}#ArvadosPromDataSource#g' \ + "${f}" > "${GRAFANA_DASHBOARDS_DEST_DIR}"/$(basename "${f}") + done + ### States ### - grep -q "nginx" ${S_DIR}/top.sls || echo " - nginx" >> ${S_DIR}/top.sls + grep -q "\- nginx$" ${S_DIR}/top.sls || echo " - nginx" >> ${S_DIR}/top.sls grep -q "extra.nginx_prometheus_configuration" ${S_DIR}/top.sls || echo " - extra.nginx_prometheus_configuration" >> ${S_DIR}/top.sls + + grep -q "\- grafana$" ${S_DIR}/top.sls || echo " - grafana" >> ${S_DIR}/top.sls + grep -q "extra.grafana_datasource" ${S_DIR}/top.sls || echo " - extra.grafana_datasource" >> ${S_DIR}/top.sls + grep -q "extra.grafana_dashboards" ${S_DIR}/top.sls || echo " - extra.grafana_dashboards" >> ${S_DIR}/top.sls + grep -q "extra.grafana_admin_user" ${S_DIR}/top.sls || echo " - extra.grafana_admin_user" >> ${S_DIR}/top.sls + if [ "${SSL_MODE}" = "lets-encrypt" ]; then grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls fi elif [ "${SSL_MODE}" = "bring-your-own" ]; then - for SVC in prometheus; do + for SVC in grafana prometheus; do copy_custom_cert ${CUSTOM_CERTS_DIR} ${SVC} done fi ### Pillars ### grep -q "prometheus_server" ${P_DIR}/top.sls || echo " - prometheus_server" >> ${P_DIR}/top.sls - for SVC in prometheus; do + grep -q "grafana" ${P_DIR}/top.sls || echo " - grafana" >> ${P_DIR}/top.sls + for SVC in grafana prometheus; 
do grep -q "nginx_${SVC}_configuration" ${P_DIR}/top.sls || echo " - nginx_${SVC}_configuration" >> ${P_DIR}/top.sls done if [ "${SSL_MODE}" = "lets-encrypt" ]; then grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls - for SVC in prometheus; do + for SVC in grafana prometheus; do grep -q "letsencrypt_${SVC}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${SVC}_configuration" >> ${P_DIR}/top.sls - sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${CLUSTER}.${DOMAIN}*/g; - s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/fullchain.pem#g; - s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \ + sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${SVC}.${DOMAIN}*/g; + s#__CERT_PEM__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/fullchain.pem#g; + s#__CERT_KEY__#/etc/letsencrypt/live/${SVC}.${DOMAIN}/privkey.pem#g" \ ${P_DIR}/nginx_${SVC}_configuration.sls done if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then @@ -741,7 +781,7 @@ else fi elif [ "${SSL_MODE}" = "bring-your-own" ]; then grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo " - ssl_key_encrypted" >> ${P_DIR}/top.sls - for SVC in prometheus; do + for SVC in grafana prometheus; do sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${SVC}.pem/g; s#__CERT_PEM__#/etc/nginx/ssl/arvados-${SVC}.pem#g; s#__CERT_KEY__#/etc/nginx/ssl/arvados-${SVC}.key#g" \ @@ -796,7 +836,7 @@ else echo " - nginx.passenger" >> ${S_DIR}/top.sls fi else - grep -q "nginx" ${S_DIR}/top.sls || echo " - nginx" >> ${S_DIR}/top.sls + grep -q "\- nginx$" ${S_DIR}/top.sls || echo " - nginx" >> ${S_DIR}/top.sls fi if [ "${SSL_MODE}" = "lets-encrypt" ]; then if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then 
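Review bot: The added pillar check `grep -q "grafana" ${P_DIR}/top.sls` is unanchored, so it also matches `nginx_grafana_configuration` and `letsencrypt_grafana_configuration`; once either entry is in the file, the `grafana` pillar is silently not added. It works today only because it runs before those entries are appended. The states side of this same hunk already uses the anchored form, so use `grep -q "\- grafana$" ${P_DIR}/top.sls` here as well. Separately, `for f in $(ls "${GRAFANA_DASHBOARDS_DIR}"/*.json)` word-splits file names and emits an `ls` error when the directory has no dashboards; a plain glob with `[ -e "${f}" ] || continue` as the first statement of the loop avoids both. The enclosing `case` statement starts and ends outside the hunk.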
@@ -843,15 +883,15 @@ else
 # Special case for keepweb
 if [ ${R} = "keepweb" ]; then
 for kwsub in download collections; do
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${DOMAIN}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${DOMAIN}/privkey.pem#g" \
 ${P_DIR}/nginx_${kwsub}_configuration.sls
 done
 else
- sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g;
- s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
- s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
+ sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${DOMAIN}*/g;
+ s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${DOMAIN}/fullchain.pem#g;
+ s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${DOMAIN}/privkey.pem#g" \
 ${P_DIR}/nginx_${R}_configuration.sls
 fi
 else
@@ -916,11 +956,11 @@ fi # Leave a copy of the Arvados CA so the user can copy it where it's required if [ "${SSL_MODE}" = "self-signed" ]; then - echo "Copying the Arvados CA certificate '${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it" + echo "Copying the Arvados CA certificate '${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it" if [ "x${VAGRANT}" = "xyes" ]; then - cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${DOMAIN}-arvados-snakeoil-ca.pem else - cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt + cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${DOMAIN}-arvados-snakeoil-ca.crt fi fi
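Review bot: The message on the added `echo` line names `${DOMAIN}-arvados-snakeoil-ca.crt`, but the Vagrant branch writes `/vagrant/${DOMAIN}-arvados-snakeoil-ca.pem`, so under Vagrant the user is told to import a file name that is never created. Use the same extension in both `cp` targets, e.g. `cp /etc/ssl/certs/arvados-snakeoil-ca.pem "/vagrant/${DOMAIN}-arvados-snakeoil-ca.crt"`. While these lines are being touched, quote both destination paths, since `${DOMAIN}` and `${SCRIPT_DIR}` are expanded unquoted.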