20035: Improves the connector script in various ways.
authorLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 18:16:31 +0000 (15:16 -0300)
committerLucas Di Pentima <lucas.dipentima@curii.com>
Fri, 10 Feb 2023 18:22:11 +0000 (15:22 -0300)
* Passes /dev/null to AWS CLI as the credentials file instead of a non-existent
  path.
* Single-quotes every Jinja variable to avoid side shell related effects.
* Passes AWS region name as a pillar.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
tools/salt-install/local.params.example.multiple_hosts
tools/salt-install/provision.sh

index afec37cbce30f7a4da3b55724698ec1273d73270..920457737dbe1816e675bfdf775bf23a84d9c3c6 100644 (file)
@@ -6,5 +6,6 @@
 ssl_key_encrypted:
   enabled: __SSL_KEY_ENCRYPTED__
   aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
+  aws_region: __SSL_KEY_AWS_REGION__
   ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
   ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
index 5bc08f09ef79ccc7560614b23ad4cfa7be189c6f..ae1c762e1e31fd10c761ff6dae94df8cc26f6150 100644 (file)
@@ -31,11 +31,11 @@ extra_ssl_key_encrypted_password_retrieval_script:
         #!/bin/bash
 
         while [ true ]; do
-          # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+          # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
           # loading invalid credentials on nodes who use ~/.aws/credentials for other
           # purposes (e.g.: the dispatcher credentials)
           # Access to the secrets manager is given by using an instance profile.
-          AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+          AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > '{{ ssl_key_encrypted.ssl_password_file }}'
           sleep 1
         done
 
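Review bot: The `> '{{ ssl_key_encrypted.ssl_password_file }}'` redirect on the new line truncates the password file before `aws` or `jq` has produced anything, and because the pipeline's status is never checked (and `pipefail` is not set), a failing `aws` call — missing instance profile, wrong region, throttling — leaves an empty or `null` password file in place, and the `sleep 1` loop repeats that every second. The file is also created with whatever umask the caller happens to have; nothing in the hunk restricts its mode, unless something outside the hunk does. I would write under `umask 077` to a temp file, use `jq -e` so a missing `SecretString` is an error, and only `mv` over the real file on success. The added single quotes do not protect against a pillar value that itself contains a quote; if those values are not validated elsewhere (I cannot tell from here), Salt's `quote` Jinja filter is the safer option. The enclosing `extra_ssl_key_encrypted_password_retrieval_script` state begins above the hunk.
```yaml
        #!/bin/bash
        set -o pipefail
        umask 077
        PW_FILE='{{ ssl_key_encrypted.ssl_password_file }}'
        while [ true ]; do
          # … unchanged: AWS_SHARED_CREDENTIALS_FILE / instance profile comment …
          if AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -er .SecretString > "${PW_FILE}.tmp"; then
            mv -f "${PW_FILE}.tmp" "${PW_FILE}"
          else
            rm -f "${PW_FILE}.tmp"
          fi
          sleep 1
        done
```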
index b679337a1ba4d2705d827e157073cd20c71c041e..0064a78c5e5fc006366bc86ac855be89ed791d56 100644 (file)
@@ -118,6 +118,7 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # a custom AWS secret name for each node to retrieve the password.
 SSL_KEY_ENCRYPTED="no"
 SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+SSL_KEY_AWS_REGION="us-east-1"
 
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
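Review bot: The new `SSL_KEY_AWS_REGION="us-east-1"` line is the only one in this settings group without an explanatory comment, while the lines above it describe the secret name; a reader will not know this must match the region the secret was created in. I would add above it `# AWS region where the SSL_KEY_AWS_SECRET_NAME secret lives.` The comment block introducing this group starts above the hunk.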
index 7a60363d696306fa1073e66ce2dc39a9ccda8808..8f69a5f8a6396ff72179a7c69e1eea0a5a1ead21 100755 (executable)
@@ -440,6 +440,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
        s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
        s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+       s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
        s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
   "${f}" > "${P_DIR}"/$(basename "${f}")
 done
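Review bot: `${SSL_KEY_AWS_REGION}` is substituted into the pillar with no check that it is set, so a local.params copied before this commit (the example file gains the variable, but existing deployments' copies do not) produces `aws_region: ` in the pillar and the connector script then runs with `--region ''`; what the AWS CLI does with an empty region I cannot tell from here, but it is not the intended one. Wherever provision.sh validates the other local.params values (outside this hunk), add `if [ "${SSL_KEY_ENCRYPTED}" = "yes" ] && [ -z "${SSL_KEY_AWS_REGION}" ]; then echo "SSL_KEY_AWS_REGION must be set when SSL_KEY_ENCRYPTED=yes" >&2; exit 1; fi`; one check covers the identical substitution in the states loop below. Since the sed expression uses `#` as its delimiter, the same check is a good place to reject values containing `#`, `&` or `\`. The `sed` command this line belongs to opens above the hunk.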
@@ -513,6 +514,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
          s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
          s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+         s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
          s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
     "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
   done