{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
{%- set key_file = 'arvados-' ~ cert ~ '.key' %}
- {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
file.copy:
- - name: {{ dest_cert_dir }}/{{ c }}
- - source: {{ orig_cert_dir }}/{{ c }}
+ - name: {{ dest_cert_dir }}/{{ cert_file }}
+ - source: {{ orig_cert_dir }}/{{ cert_file }}
- force: true
- user: root
- group: root
- mode: 0640
- - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+ - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
- require:
- file: extra_custom_certs_file_directory_certs_dir
- {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+ file.copy:
+ - name: {{ dest_cert_dir }}/{{ key_file }}
+ - source: {{ orig_cert_dir }}/{{ key_file }}
+ - force: true
+ - user: root
+ - group: root
+ - mode: 0640
+ - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+ - require:
+ - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+ cmd.run:
+ - name: systemctl reload nginx
+ - require:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onchanges:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onlyif:
+ - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
{%- endfor %}
{%- endif %}
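Review bot: The `onlyif` on the new `extra_nginx_service_reload_on_{{ cert }}_certs_changes` state compares the two `$(openssl ...)` outputs with `test ... == ...` and leaves both expansions unquoted, so on a minion whose default shell is dash the `==` operator is rejected, and if either command prints nothing `test` sees too few arguments; in both cases the check returns non-zero and Salt reports the state as successful while skipping the reload, even though the new cert and key have already been copied into place. The check is also RSA-specific: `openssl rsa -modulus` fails on an EC key, with the same silent skip. An algorithm-neutral POSIX form is `- test "$(openssl pkey -in {{ dest_cert_dir }}/{{ key_file }} -pubout 2>/dev/null)" = "$(openssl x509 -in {{ dest_cert_dir }}/{{ cert_file }} -noout -pubkey)"`. Separately, `mode: 0640` on the added key-copy state (and on the cert-copy state in the copies below) is a leading-zero literal that a generic YAML 1.1 parser reads as the integer 416; Salt's loader is documented to handle this case, but `mode: '0640'` removes the dependency on that behaviour. The same two points apply to the two identical copies of this state file that follow this hunk.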
{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
- {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
{%- set key_file = 'arvados-' ~ cert ~ '.key' %}
- {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
file.copy:
- - name: {{ dest_cert_dir }}/{{ c }}
- - source: {{ orig_cert_dir }}/{{ c }}
+ - name: {{ dest_cert_dir }}/{{ cert_file }}
+ - source: {{ orig_cert_dir }}/{{ cert_file }}
- force: true
- user: root
- group: root
- - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+ - mode: 0640
+ - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
- require:
- file: extra_custom_certs_file_directory_certs_dir
- {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+ file.copy:
+ - name: {{ dest_cert_dir }}/{{ key_file }}
+ - source: {{ orig_cert_dir }}/{{ key_file }}
+ - force: true
+ - user: root
+ - group: root
+ - mode: 0640
+ - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+ - require:
+ - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+ cmd.run:
+ - name: systemctl reload nginx
+ - require:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onchanges:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onlyif:
+ - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
{%- endfor %}
{%- endif %}
{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
- {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
{%- set key_file = 'arvados-' ~ cert ~ '.key' %}
- {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
file.copy:
- - name: {{ dest_cert_dir }}/{{ c }}
- - source: {{ orig_cert_dir }}/{{ c }}
+ - name: {{ dest_cert_dir }}/{{ cert_file }}
+ - source: {{ orig_cert_dir }}/{{ cert_file }}
- force: true
- user: root
- group: root
- - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+ - mode: 0640
+ - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
- require:
- file: extra_custom_certs_file_directory_certs_dir
- {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+ file.copy:
+ - name: {{ dest_cert_dir }}/{{ key_file }}
+ - source: {{ orig_cert_dir }}/{{ key_file }}
+ - force: true
+ - user: root
+ - group: root
+ - mode: 0640
+ - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+ - require:
+ - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+ cmd.run:
+ - name: systemctl reload nginx
+ - require:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onchanges:
+ - file: extra_custom_certs_{{ cert }}_cert_file_copy
+ - file: extra_custom_certs_{{ cert }}_key_file_copy
+ - onlyif:
+ - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
{%- endfor %}
{%- endif %}
grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo " - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
# As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${CERT_NAME}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \
${P_DIR}/nginx_${c}_configuration.sls
elif [ "${SSL_MODE}" = "bring-your-own" ]; then
grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo " - ssl_key_encrypted" >> ${PILLARS_TOP}
for SVC in grafana prometheus; do
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${SVC}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${SVC}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${SVC}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${SVC}.key#g" \
${P_DIR}/nginx_${SVC}_configuration.sls
fi
elif [ "${SSL_MODE}" = "bring-your-own" ]; then
grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo " - ssl_key_encrypted" >> ${PILLARS_TOP}
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
${P_DIR}/nginx_${R}_configuration.sls
${P_DIR}/nginx_${R}_configuration.sls
else
grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo " - ssl_key_encrypted" >> ${PILLARS_TOP}
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
${P_DIR}/nginx_${R}_configuration.sls
# Special case for keepweb
if [ ${R} = "keepweb" ]; then
for kwsub in download collections; do
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${kwsub}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \
${P_DIR}/nginx_${kwsub}_configuration.sls
grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo " - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls
done
else
- sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+ sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
${P_DIR}/nginx_${R}_configuration.sls