X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/927524f1be454de021180b74999d682780b8cb6b..32030bce1b67218c91a8ed2a0287ec973221c5f7:/tools/salt-install/provision.sh diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index 537f087b62..594dad2ebb 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -136,6 +136,26 @@ arguments() { done } +copy_custom_cert() { + cert_dir=${1} + cert_name=${2} + + mkdir -p /srv/salt/certs + + if [ -f ${cert_dir}/${cert_name}.crt ]; then + cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem + else + echo "${cert_dir}/${cert_name}.crt does not exist. Exiting" + exit 1 + fi + if [ -f ${cert_dir}/${cert_name}.key ]; then + cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key + else + echo "${cert_dir}/${cert_name}.key does not exist. Exiting" + exit 1 + fi +} + DEV_MODE="no" CONFIG_FILE="${SCRIPT_DIR}/local.params" CONFIG_DIR="local_config_dir" @@ -166,7 +186,7 @@ WORKBENCH1_EXT_SSL_PORT=443 WORKBENCH2_EXT_SSL_PORT=3001 USE_LETSENCRYPT="no" -CUSTOM_CERTS_DIR="./certs" +CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs" ## These are ARVADOS-related parameters # For a stable release, change RELEASE "production" and VERSION to the @@ -184,7 +204,7 @@ VERSION="latest" # BRANCH="main" # Other formula versions we depend on -POSTGRES_TAG="v0.41.6" +POSTGRES_TAG="v0.43.0" NGINX_TAG="temp-fix-missing-statements-in-pillar" DOCKER_TAG="v2.0.7" LOCALE_TAG="v0.3.4" 
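Review bot: In the new `copy_custom_cert`, the private key is copied with a plain `cp` into a directory made by a plain `mkdir -p`, so the key's mode under /srv/salt/certs depends on the source file and the caller's umask and may end up readable by other local users. Setting the mode explicitly closes that, e.g. `install -v -m 0600 -- "${cert_dir}/${cert_name}.key" "/srv/salt/certs/arvados-${cert_name}.key"`, assuming the Salt run that reads the directory is root (not visible in this diff). The expansions in the `[ -f … ]` tests and the `cp` calls are unquoted, which matters more now that the `CUSTOM_CERTS_DIR` default in the next hunk derives from `${SCRIPT_DIR}` and can contain spaces. The call sites in the later hunks pass `${CUSTOM_CERTS_DIR}` and `${R}` unquoted as well. The two "does not exist. Exiting" messages should go to stderr with `>&2`.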
@@ -547,6 +567,17 @@ if [ -z "${ROLES}" ]; then else # If we add individual roles, make sure we add the repo first echo " - arvados.repo" >> ${S_DIR}/top.sls + # We add the custom_certs state + grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + + # And we add the basic part for the certs pillar + if [ "x${USE_LETSENCRYPT}" != "xyes" ]; then + # And add the certs in the custom_certs pillar + echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls + echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls + grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls + fi + for R in ${ROLES}; do case "${R}" in "database") @@ -570,14 +601,12 @@ else grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls else # Use custom certs - cp -v ${CUSTOM_CERTS_DIR}/controller.* "${F_DIR}/extra/extra/files/" - # We add the custom_certs state - grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls + copy_custom_cert ${CUSTOM_CERTS_DIR} controller + grep -q controller ${P_DIR}/extra_custom_certs.sls || echo " - controller" >> ${P_DIR}/extra_custom_certs.sls fi grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls - grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls grep -q "postgresql" ${P_DIR}/top.sls || echo " - postgresql" >> ${P_DIR}/top.sls grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls 
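Review bot: The ` - extra.custom_certs` state is now appended to `${S_DIR}/top.sls` before the `USE_LETSENCRYPT` test, so it is enabled for Let's Encrypt installs too, while the `extra_custom_certs` pillar is only written in the non-Let's-Encrypt branch. Whether that state renders cleanly without its pillar is not visible here; if it does not, move the `grep -q "custom_certs" ${S_DIR}/top.sls || echo …` line inside the `if [ "x${USE_LETSENCRYPT}" != "xyes" ]` block. The path `/srv/salt/certs` is written here as a literal and again in `copy_custom_cert`; one shared variable would keep the two from drifting apart. The enclosing `if`/`else` starts and ends outside the hunk.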
@@ -594,14 +623,11 @@ else else # Use custom certs, special case for keepweb if [ ${R} = "keepweb" ]; then - cp -v ${CUSTOM_CERTS_DIR}/download.* "${F_DIR}/extra/extra/files/" - cp -v ${CUSTOM_CERTS_DIR}/collections.* "${F_DIR}/extra/extra/files/" + copy_custom_cert ${CUSTOM_CERTS_DIR} download + copy_custom_cert ${CUSTOM_CERTS_DIR} collections else - cp -v ${CUSTOM_CERTS_DIR}/${R}.* "${F_DIR}/extra/extra/files/" + copy_custom_cert ${CUSTOM_CERTS_DIR} ${R} fi - # We add the custom_certs state - grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls - fi # webshell role is just a nginx vhost, so it has no state if [ "${R}" != "webshell" ]; then @@ -640,8 +666,6 @@ else ${P_DIR}/nginx_${R}_configuration.sls fi else - grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls - # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them # Special case for keepweb if [ ${R} = "keepweb" ]; then @@ -650,12 +674,14 @@ else s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g; s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \ ${P_DIR}/nginx_${kwsub}_configuration.sls + grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo " - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls done else sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g; s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g; s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \ ${P_DIR}/nginx_${R}_configuration.sls + grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls fi fi ;; 
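Review bot: The guard `grep -q ${R} ${P_DIR}/extra_custom_certs.sls` re-added in the `-650,12` hunk (and the `${kwsub}` variant above it) is an unquoted, unanchored substring match, so a role whose name is a prefix of an entry already in the file is treated as present and never appended. If the role set holds both `workbench` and `workbench2`, as the `WORKBENCH1_`/`WORKBENCH2_` settings earlier in the file suggest, `workbench` would be skipped whenever `workbench2` was written first, leaving its certificate out of the pillar list. Matching the whole list entry avoids this, e.g. `grep -qE -- "^ *- ${R}\$" "${P_DIR}/extra_custom_certs.sls" || echo " - ${R}" >> "${P_DIR}/extra_custom_certs.sls"`. The `grep -q controller` line in the `-570,14` hunk has the same form, and the enclosing `case` arm starts outside the hunk.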
@@ -664,11 +690,10 @@ else grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars - grep -q "" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls + grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls ;; "dispatcher") # States - grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls # Pillars # ATM, no specific pillar needed