Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>
}
func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
}
func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
- if super.cluster.TLS.Automatic {
+ if super.cluster.TLS.ACME.Server != "" {
return bootAutoCert(ctx, fail, super)
} else if super.cluster.TLS.Key == "" && super.cluster.TLS.Certificate == "" {
return createSelfSignedCert(ctx, fail, super)
return bootAutoCert(ctx, fail, super)
} else if super.cluster.TLS.Key == "" && super.cluster.TLS.Certificate == "" {
return createSelfSignedCert(ctx, fail, super)
- if super.cluster.TLS.Staging {
+ if srv := super.cluster.TLS.ACME.Server; srv == "LE" {
+ // Leaving mgr.Client == nil means use Let's Encrypt
+ // production environment
+ } else if srv == "LE-staging" {
mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
+ } else if strings.HasPrefix(srv, "https://") {
+ mgr.Client = &acme.Client{DirectoryURL: srv}
+ } else {
+ return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
}
go func() {
err := http.ListenAndServe(":80", mgr.HTTPHandler(nil))
}
go func() {
err := http.ListenAndServe(":80", mgr.HTTPHandler(nil))
# use this in production.
Insecure: false
# use this in production.
Insecure: false
- # Agree to Let's Encrypt terms of service and obtain
- # certificates automatically for ExternalURL domains.
- #
- # Note: this feature is not yet implemented in released
- # versions, only in the alpha/prerelease arvados-server-easy
- # package.
- Automatic: false
-
- # Use Let's Encrypt staging environment instead of production
- # environment.
- Staging: false
+ ACME:
+ # Obtain certificates automatically for ExternalURL domains
+ # using an ACME server and http-01 validation.
+ #
+ # To use Let's Encrypt, specify "LE". To use the Let's
+ # Encrypt staging environment, specify "LE-staging". To use a
+ # different ACME server, specify the full directory URL
+ # ("https://...").
+ #
+ # Note: this feature is not yet implemented in released
+ # versions, only in the alpha/prerelease arvados-server-easy
+ # package.
+ #
+ # Implies agreement with the server's terms of service.
+ Server: ""
Containers:
# List of supported Docker Registry image formats that compute nodes
Containers:
# List of supported Docker Registry image formats that compute nodes
flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
- flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, auto, insecure, or none")
+ flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, acmetool, insecure, or none")
flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
return code
flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
return code
TLS:
{{if eq .TLS "insecure"}}
Insecure: true
TLS:
{{if eq .TLS "insecure"}}
Insecure: true
- {{else if eq .TLS "auto"}}
- Automatic: true
{{else if eq .TLS "acme"}}
{{else if eq .TLS "acme"}}
+ ACME:
+ Server: LE
+ {{else if eq .TLS "acmetool"}}
Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
{{else}}
Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
{{else}}
)
func makeTLSConfig(cluster *arvados.Cluster, logger logrus.FieldLogger) (*tls.Config, error) {
)
func makeTLSConfig(cluster *arvados.Cluster, logger logrus.FieldLogger) (*tls.Config, error) {
- if cluster.TLS.Automatic {
+ if cluster.TLS.ACME.Server != "" {
return makeAutocertConfig(cluster, logger)
} else {
return makeFileLoaderConfig(cluster, logger)
return makeAutocertConfig(cluster, logger)
} else {
return makeFileLoaderConfig(cluster, logger)
Certificate string
Key string
Insecure bool
Certificate string
Key string
Insecure bool
- Automatic bool
- Staging bool
+ ACME struct {
+ Server string
+ }
}
Users struct {
ActivatedUsersAreVisibleToOthers bool
}
Users struct {
ActivatedUsersAreVisibleToOthers bool