21678: Improves credentials passing even further.

By using a here-doc, the token doesn't get leaked on any of the process lists.
This also has the advantage of not needing any config file management.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima@curii.com>

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index 9930fd7708a8a8f315b4a97f79a6125ea7062bc9..e97917d3330c47b3a6e5da29d07b0298ae7e88f8 100755 (executable)
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -465,19 +465,13 @@ diagnostics-internal)
   declare TESTNODE=$(echo ${ROLE2NODES['shell']} | cut -d\, -f1)
   declare SSH=$(ssh_cmd "$TESTNODE")
 
-  # Set up credentials
-  declare CONFFILE=$(mktemp)
-  trap 'rm "$CONFFILE"' EXIT INT TERM QUIT
-  {
-    echo "ARVADOS_API_HOST=$ARVADOS_API_HOST"
-    echo "ARVADOS_API_TOKEN=$ARVADOS_API_TOKEN"
-  } > $CONFFILE
-  $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'mkdir -m 0700 -p ~/.config/arvados'"
-  cat $CONFFILE | $SSH $DEPLOY_USER@$TESTNODE "sudo bash -c 'cat > ~/.config/arvados/settings.conf'"
-
   # Run diagnostics
   echo "Running diagnostics in $TESTNODE..."
-  $SSH $DEPLOY_USER@$TESTNODE "sudo arvados-client diagnostics -internal-client"
+  $SSH $DEPLOY_USER@$TESTNODE bash <<EOF
+  export ARVADOS_API_HOST="${DOMAIN}:${CONTROLLER_EXT_SSL_PORT}" 
+  export ARVADOS_API_TOKEN="$SYSTEM_ROOT_TOKEN" 
+  sudo --preserve-env=ARVADOS_API_HOST,ARVADOS_API_TOKEN arvados-client diagnostics -internal-client
+EOF
 
   ;;