--- /dev/null
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
+
+{%- if ssl_key_encrypted.enabled %}
+
+extra_ssl_key_encrypted_password_fifo_file:
+ file.mknod:
+ - ntype: p
+ - name: {{ ssl_key_encrypted.ssl_password_file }}
+ - user: root
+ - group: root
+ - mode: '0600'
+
+extra_ssl_key_encrypted_required_pkgs:
+ pkg.installed:
+ - name: jq
+
+extra_ssl_key_encrypted_password_retrieval_script:
+ file.managed:
+ - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+ - user: root
+ - group: root
+ - mode: '0750'
+ - require:
+ - pkg: extra_ssl_key_encrypted_required_pkgs
+ - file: extra_ssl_key_encrypted_password_fifo_file
+ - contents: |
+ #!/bin/bash
+
+ while [ true ]; do
+ # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+ # loading invalid credentials on nodes who use ~/.aws/credentials for other
+ # purposes (e.g.: the dispatcher credentials)
+ # Access to the secrets manager is given by using an instance profile.
+ AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+ sleep 1
+ done
+
+extra_ssl_key_encrypted_password_retrieval_service_unit:
+ file.managed:
+ - name: /etc/systemd/system/password_secret_connector.service
+ - user: root
+ - group: root
+ - mode: '0644'
+ - require:
+ - file: extra_ssl_key_encrypted_password_retrieval_script
+ - contents: |
+ [Unit]
+ Description=Arvados SSL private key password retrieval service
+ After=network.target
+ AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
+ [Service]
+ ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+ [Install]
+ WantedBy=multi-user.target
+
+extra_ssl_key_encrypted_password_retrieval_service:
+ service.running:
+ - name: password_secret_connector
+ - enable: true
+ - require:
+ - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+ - watch:
+ - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+ - file: extra_ssl_key_encrypted_password_retrieval_script
+
+{%- endif %}
\ No newline at end of file
s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
- s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+ s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+ s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${P_DIR}"/$(basename "${f}")
done
s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
- s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+ s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+ s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
done
fi
if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - extra.aws_credentials" >> ${S_DIR}/top.sls
fi
- grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
+ grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
else
mkdir -p /srv/salt/certs
chmod 700 /srv/salt/certs
cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
chmod 600 /srv/salt/certs/*
# We add the custom_certs state
- grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+ grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo " - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+ fi
fi
# In self-signed mode, the certificate files will be created and put in the
# destination directory by the snakeoil_certs.sls state file
echo " - arvados.repo" >> ${S_DIR}/top.sls
# We add the extra_custom_certs state
grep -q "extra.custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+ grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo " - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+ fi
# And we add the basic part for the certs pillar
if [ "${SSL_MODE}" != "lets-encrypt" ]; then
${P_DIR}/nginx_${R}_configuration.sls
fi
else
+ grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo " - ssl_key_encrypted" >> ${P_DIR}/top.sls
# As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
# Special case for keepweb
if [ ${R} = "keepweb" ]; then