18658: add missing state to deploy custom certs in multi-host env

Also, set the full path to the certs dir if not configured

Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
new file mode 100644 (file)
index 0000000..3716503
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -0,0 +1,31 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs')  %}
+{%- set dest_cert_dir = '/etc/nginx/ssl' %}
+{%- set certs = salt['pillar.get']('extra_custom_certs', [])  %}
+
+extra_custom_certs_file_directory_certs_dir:
+  file.directory:
+    - name: /etc/nginx/ssl
+    - require:
+      - pkg: nginx_install
+
+{%- for cert in certs %}
+  {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
+  {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
+  {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
+  {% for c in [cert_file, key_file] %}
+extra_custom_certs_file_copy_{{ c }}:
+  file.copy:
+    - name: {{ dest_cert_dir }}/{{ c }}
+    - source: {{ orig_cert_dir }}/{{ c }}
+    - force: true
+    - user: root
+    - group: root
+    - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+    - require:
+      - file: extra_custom_certs_file_directory_certs_dir
+  {%- endfor %}
+{%- endfor %}

diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index c770c8d74c0fc45421bd89c2b972aaa0273f1c2e..eb64bb6227b28cc09b0953cce2dbc712f87187ea 100644 (file)
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -79,7 +79,8 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.

-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"

 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 #  "controller"
 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 #  "controller"

diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index cf79fe244c59451be42be35fd6c3c3779595ace5..6c9258a3c556c943797949616667da0f0f1869e4 100644 (file)
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -52,7 +52,8 @@ USE_LETSENCRYPT="no"
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.

-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"

 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 #  "controller"
 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 #  "controller"

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 537f087b62c217b7250b4b97d0afd8e9f1883a75..d0c4cc2bd41db87fd6b17b41281756f6b2e2055b 100755 (executable)
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -166,7 +166,7 @@ WORKBENCH1_EXT_SSL_PORT=443
 WORKBENCH2_EXT_SSL_PORT=3001
 
 USE_LETSENCRYPT="no"
 WORKBENCH2_EXT_SSL_PORT=3001
 
 USE_LETSENCRYPT="no"

-CUSTOM_CERTS_DIR="./certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"

 
 ## These are ARVADOS-related parameters
 # For a stable release, change RELEASE "production" and VERSION to the
 
 ## These are ARVADOS-related parameters
 # For a stable release, change RELEASE "production" and VERSION to the