17605: allow to use a IAM user for letsencrypt

Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
index 15a517a81738f6149386a1667c812266cbc02068..ec9fc409a06e426e6f5a09ae04663f5a8d868a1f 100644 (file)
--- a/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
@@ -4,6 +4,7 @@
 
 {%- set aws_credentials = pillar.get('aws_credentials', {}) %}
 
+{%- if aws_credentials %}
 extra_extra_aws_credentials_root_aws_config_file_managed:
   file.managed:
     - name: /root/.aws/config
@@ -28,3 +29,4 @@ extra_extra_aws_credentials_root_aws_credentials_file_managed:
         [default]
         aws_access_key_id = {{ aws_credentials.access_key_id }}
         aws_secret_access_key = {{ aws_credentials.secret_access_key }}
+{%- endif %}

diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 07af7cf7c8b2955300e74e33c9a238493f11f0a6..86f28be37c1bc1c5c66942f09c090cd4df401a36 100644 (file)
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -62,6 +62,7 @@ DATABASE_PASSWORD=please_set_this_to_some_secure_value
 # variable to "no", provide and upload your own certificates to the instances and
 # modify the 'nginx_*' salt pillars accordingly
 USE_LETSENCRYPT="yes"
+USE_LETSENCRYPT_IAM_USER="yes"
 # For collections, we need to obtain a wildcard certificate for
 # '*.collections.<cluster>.<domain>'. This is only possible through a DNS-01 challenge.
 # For that reason, you'll need to provide AWS credentials with permissions to manage

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index a2cc01e5d19dc1cf60d4e8e5e7b13b716a843df3..ae4fb16c858394dafa56fe50b3fe9688d9fcfa4b 100755 (executable)
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -377,7 +377,9 @@ if [ -z "${ROLES}" ]; then
   echo "    - nginx.passenger" >> ${S_DIR}/top.sls
   # Currently, only available on config_examples/multi_host/aws
   if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
-    grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+    if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+      grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+    fi
     grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   fi
   echo "    - postgres" >> ${S_DIR}/top.sls
@@ -398,7 +400,9 @@ if [ -z "${ROLES}" ]; then
   echo "    - postgresql" >> ${P_DIR}/top.sls
   # Currently, only available on config_examples/multi_host/aws
   if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
-    grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
+    if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+      grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
+    fi
     grep -q "letsencrypt"     ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
   fi
 else
@@ -421,7 +425,9 @@ else
         ### after it so we add this here, as we are, after all, sharing the host for api and controller
         # Currently, only available on config_examples/multi_host/aws
         if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
-          grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+          if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+            grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+          fi
           grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
         fi
         grep -q "arvados.${R}" ${S_DIR}/top.sls    || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
@@ -437,7 +443,9 @@ else
         grep -q "nginx.passenger" ${S_DIR}/top.sls || echo "    - nginx.passenger" >> ${S_DIR}/top.sls
         # Currently, only available on config_examples/multi_host/aws
         if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
-          grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+          if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+            grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - aws_credentials" >> ${S_DIR}/top.sls
+          fi
           grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
         fi
         grep -q "arvados.${R}" ${S_DIR}/top.sls    || echo "    - arvados.${R}" >> ${S_DIR}/top.sls
@@ -446,7 +454,9 @@ else
         grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo "    - nginx_${R}_configuration" >> ${P_DIR}/top.sls
         # Currently, only available on config_examples/multi_host/aws
         if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
-          grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
+          if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+            grep -q "aws_credentials" ${P_DIR}/top.sls || echo "    - aws_credentials" >> ${P_DIR}/top.sls
+          fi
           grep -q "letsencrypt"     ${P_DIR}/top.sls || echo "    - letsencrypt" >> ${P_DIR}/top.sls
           grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo "    - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls
         fi