feat(provision): refactor to add other setup examples

refs #17246
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli@curii.com>

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls
similarity index 90%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls
index 4aa4735d83e6bbabc3a47f234cd077291d00687d..6c6dec26fc7273d6ad7723df9d2d4fc5b819fb7a 100644 (file)
--- a/tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls
@@ -78,19 +78,15 @@ arvados:
 
     ### TOKENS
     tokens:
-      system_root: changemesystemroottoken
-      management: changememanagementtoken
-      rails_secret: changemerailssecrettoken
-      anonymous_user: changemeanonymoususertoken
+      system_root: __SYSTEM_ROOT_TOKEN__
+      management: __MANAGEMENT_TOKEN__
+      rails_secret: __RAILS_SECRET_TOKEN__
+      anonymous_user: __ANONYMOUS_USER_TOKEN__
 
     ### KEYS
     secrets:
-      blob_signing_key: changemeblobsigningkey
-      workbench_secret_key: changemeworkbenchsecretkey
-      dispatcher_access_key: changemedispatcheraccesskey
-      dispatcher_secret_key: changeme_dispatchersecretkey
-      keep_access_key: changemekeepaccesskey
-      keep_secret_key: changemekeepsecretkey
+      blob_signing_key: __BLOB_SIGNING_KEY__
+      workbench_secret_key: __WORKBENCH_SECRET_KEY__
 
     Login:
       Test:

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/docker.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/docker.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/docker.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/docker.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/locale.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/locale.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/locale.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/locale.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_api_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_api_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_api_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_api_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_controller_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_controller_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_controller_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_controller_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepproxy_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepproxy_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepproxy_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepweb_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepweb_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepweb_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepweb_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_passenger.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_passenger.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_passenger.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_passenger.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_webshell_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_webshell_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_webshell_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_websocket_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_websocket_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_websocket_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench2_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench_configuration.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls

diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/postgresql.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/postgresql.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/multiple_hostnames/postgresql.sls
rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/postgresql.sls

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/arvados.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls
similarity index 68%
rename from tools/salt-install/config_examples/single_host/single_hostname/arvados.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls
index e5e458665778c8fc714661b52099f8e975c5d5cb..f3d2bcb9ead5dbe6148c48cd2c09a53706865112 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/arvados.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls
@@ -78,19 +78,15 @@ arvados:
 
     ### TOKENS
     tokens:
-      system_root: changemesystemroottoken
-      management: changememanagementtoken
-      rails_secret: changemerailssecrettoken
-      anonymous_user: changemeanonymoususertoken
+      system_root: __SYSTEM_ROOT_TOKEN__
+      management: __MANAGEMENT_TOKEN__
+      rails_secret: __RAILS_SECRET_TOKEN__
+      anonymous_user: __ANONYMOUS_USER_TOKEN__
 
     ### KEYS
     secrets:
-      blob_signing_key: changemeblobsigningkey
-      workbench_secret_key: changemeworkbenchsecretkey
-      dispatcher_access_key: changemedispatcheraccesskey
-      dispatcher_secret_key: changeme_dispatchersecretkey
-      keep_access_key: changemekeepaccesskey
-      keep_secret_key: changemekeepsecretkey
+      blob_signing_key: __BLOB_SIGNING_KEY__
+      workbench_secret_key: __WORKBENCH_SECRET_KEY__
 
     Login:
       Test:
@@ -107,7 +103,7 @@ arvados:
       # <cluster>-nyw5e-<volume>
       __CLUSTER__-nyw5e-000000000000000:
         AccessViaHosts:
-          'http://__HOSTNAME__:25107':
+          'http://__HOSTNAME_INT__:25107':
             ReadOnly: false
         Replication: 2
         Driver: Directory
@@ -122,38 +118,32 @@ arvados:
 
     Services:
       Controller:
-        ExternalURL: 'https://__HOSTNAME__:__CONTROLLER_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__CONTROLLER_EXT_SSL_PORT__'
         InternalURLs:
-          'http://controller.internal:8003': {}
-      DispatchCloud:
-        InternalURLs:
-          'http://__HOSTNAME__:9006': {}
-      Keepbalance:
-        InternalURLs:
-          'http://__HOSTNAME__:9005': {}
+          'http://__HOSTNAME_INT__:8003': {}
       Keepproxy:
-        ExternalURL: 'https://__HOSTNAME__:__KEEP_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__KEEP_EXT_SSL_PORT__'
         InternalURLs:
-          'http://keep.internal:25100': {}
+          'http://__HOSTNAME_INT__:25100': {}
       Keepstore:
         InternalURLs:
-          'http://keep0.internal:25107': {}
+          'http://__HOSTNAME_INT__:25107': {}
       RailsAPI:
         InternalURLs:
-          'http://api.internal:8004': {}
+          'http://__HOSTNAME_INT__:8004': {}
       WebDAV:
-        ExternalURL: 'https://__HOSTNAME__:__KEEPWEB_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__KEEPWEB_EXT_SSL_PORT__'
         InternalURLs:
-          'http://collections.internal:9002': {}
+          'http://__HOSTNAME_INT__:9003': {}
       WebDAVDownload:
-        ExternalURL: 'https://__HOSTNAME__:__KEEPWEB_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__KEEPWEB_EXT_SSL_PORT__'
       WebShell:
-        ExternalURL: 'https://__HOSTNAME__:__WEBSHELL_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__WEBSHELL_EXT_SSL_PORT__'
       Websocket:
-        ExternalURL: 'wss://__HOSTNAME__:__WEBSOCKET_EXT_SSL_PORT__/websocket'
+        ExternalURL: 'wss://__HOSTNAME_EXT__:__WEBSOCKET_EXT_SSL_PORT__/websocket'
         InternalURLs:
-          'http://ws.internal:8005': {}
+          'http://__HOSTNAME_INT__:8005': {}
       Workbench1:
-        ExternalURL: 'https://__HOSTNAME__:__WORKBENCH1_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__WORKBENCH1_EXT_SSL_PORT__'
       Workbench2:
-        ExternalURL: 'https://__HOSTNAME__:__WORKBENCH2_EXT_SSL_PORT__'
+        ExternalURL: 'https://__HOSTNAME_EXT__:__WORKBENCH2_EXT_SSL_PORT__'

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/docker.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/docker.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/single_hostname/docker.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/docker.sls

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/locale.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/locale.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/single_hostname/locale.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/locale.sls

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls
similarity index 93%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls
index b2f12c77399bdd9df8c48f7d3ac9f9004670f1aa..18f09af50329e4af62674e5f79393e8348e8a7c3 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls
@@ -18,7 +18,7 @@ nginx:
         overwrite: true
         config:
           - server:
-            - listen: 'api.internal:8004'
+            - listen: '__HOSTNAME_INT__:8004'
             - server_name: api
             - root: /var/www/arvados-api/current/public
             - index:  index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls
similarity index 87%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls
index 2eb33b8355ef573a8b179499eae3e7a25d24ad7f..b7b75ab9c289e6e1c4f35d3edbb98b40d56bd382 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls
@@ -14,7 +14,7 @@ nginx:
           default: 1
           '127.0.0.0/8': 0
         upstream controller_upstream:
-          - server: 'controller.internal:8003  fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:8003  fail_timeout=10s'
 
   ### SITES
   servers:
@@ -25,9 +25,9 @@ nginx:
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: _
             - listen:
-              - 80 default
+              - 80 default_server
             - location /.well-known:
               - root: /var/www
             - location /:
@@ -38,9 +38,9 @@ nginx:
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
-              - __CONTROLLER_EXT_SSL_PORT__ http2 ssl
+              - __CONTROLLER_EXT_SSL_PORT__ http2 ssl default_server
             - index: index.html index.htm
             - location /:
               - proxy_pass: 'http://controller_upstream'

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls
similarity index 73%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls
index b26de2710efe44b9b2f0ed0f221da353903ce57b..81d72aac74109531a073aea84b13be8d8d56c002 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls
@@ -11,30 +11,16 @@ nginx:
       ### STREAMS
       http:
         upstream keepproxy_upstream:
-          - server: 'keep.internal:25100 fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:25100 fail_timeout=10s'
 
   servers:
     managed:
-      ### DEFAULT
-      arvados_keepproxy_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __KEEP_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       arvados_keepproxy_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
               - __KEEP_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls
similarity index 72%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls
index 98a3cdf94ef659a8fac100ff54dc05ba6933eb41..fcb56c994964bed01a55c6818ea82bae75a962ac 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls
@@ -11,31 +11,17 @@ nginx:
       ### STREAMS
       http:
         upstream collections_downloads_upstream:
-          - server: 'collections.internal:9002 fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:9003 fail_timeout=10s'
 
   servers:
     managed:
-      ### COLLECTIONS / DOWNLOAD
-      arvados_collections_download_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __KEEPWEB_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       ### COLLECTIONS / DOWNLOAD
       arvados_collections_download_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
               - __KEEPWEB_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_passenger.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_passenger.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_passenger.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_passenger.sls

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls
similarity index 84%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls
index dac606123452bb80fde3e81152eaa2d2117dc32c..f0e7a19a4aa928004e8e205b07f008dfe8a728b5 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls
@@ -12,30 +12,17 @@ nginx:
       ### STREAMS
       http:
         upstream webshell_upstream:
-          - server: 'shell.internal:4200 fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:4200 fail_timeout=10s'
 
   ### SITES
   servers:
     managed:
-      arvados_webshell_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __WEBSHELL_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       arvados_webshell_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: __HOSTNAME__EXT__
             - listen:
               - __WEBSHELL_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls
similarity index 74%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls
index 827524cbe60fa53fcb7d4b1e8febe460d022232b..7c4ff7835c580a78d6ffd91b391f194518f75f66 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls
@@ -11,30 +11,16 @@ nginx:
       ### STREAMS
       http:
         upstream websocket_upstream:
-          - server: 'ws.internal:8005 fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:8005 fail_timeout=10s'
 
   servers:
     managed:
-      ### DEFAULT
-      arvados_websocket_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __WEBSOCKET_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       arvados_websocket_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: __HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
               - __WEBSOCKET_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls
similarity index 70%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls
index 7f90cbc825e4cdcb3aa509632b839dd02fa624be..f783e523fa2d588e3136d84cba41a916b55daa5a 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls
@@ -13,26 +13,12 @@ nginx:
   ### SITES
   servers:
     managed:
-      ### DEFAULT
-      arvados_workbench2_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __WORKBENCH2_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       arvados_workbench2_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: workbench2.__HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
               - __WORKBENCH2_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls
similarity index 76%
rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls
index 0cbd3e14a9d4aacc682cbb063dc25ea0383f6084..9ed6e3b87aa61abcb1be03efb1a2a8e9ad2c2870 100644 (file)
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls
@@ -17,31 +17,17 @@ nginx:
       ### STREAMS
       http:
         upstream workbench_upstream:
-          - server: 'workbench.internal:9000 fail_timeout=10s'
+          - server: '__HOSTNAME_INT__:9000 fail_timeout=10s'
 
   ### SITES
   servers:
     managed:
-      ### DEFAULT
-      arvados_workbench_default:
-        enabled: true
-        overwrite: true
-        config:
-          - server:
-            - server_name: __HOSTNAME__
-            - listen:
-              - __WORKBENCH_EXT_SSL_PORT__
-            - location /.well-known:
-              - root: /var/www
-            - location /:
-              - return: '301 https://$host$request_uri'
-
       arvados_workbench_ssl:
         enabled: true
         overwrite: true
         config:
           - server:
-            - server_name: workbench.__HOSTNAME__
+            - server_name: __HOSTNAME_EXT__
             - listen:
               - __WORKBENCH1_EXT_SSL_PORT__ http2 ssl
             - index: index.html index.htm
@@ -63,7 +49,7 @@ nginx:
         overwrite: true
         config:
           - server:
-            - listen: 'workbench.internal:9000'
+            - listen: '__HOSTNAME_INT__:9000'
             - server_name: workbench
             - root: /var/www/arvados-workbench/current/public
             - index:  index.html index.htm

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/postgresql.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/postgresql.sls
similarity index 100%
rename from tools/salt-install/config_examples/single_host/single_hostname/postgresql.sls
rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/postgresql.sls

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls
new file mode 100644 (file)
index 0000000..7e3957c
--- /dev/null
+++ b/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls
@@ -0,0 +1,32 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+arvados_test_salt_states_examples_single_host_etc_hosts_host_present:
+  host.present:
+    - ip: 127.0.0.2
+    - names:
+      - {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+      # FIXME! This just works for our testings.
+      # Won't work if the cluster name != host name
+      {%- for entry in [
+          'api',
+          'collections',
+          'controller',
+          'download',
+          'keep',
+          'keepweb',
+          'keep0',
+          'shell',
+          'workbench',
+          'workbench2',
+          'ws',
+        ]
+      %}
+      - {{ entry }}
+      {%- endfor %}

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls
new file mode 100644 (file)
index 0000000..375cc84
--- /dev/null
+++ b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls
@@ -0,0 +1,156 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+include:
+  - nginx.service
+
+{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
+{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
+{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+  {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %}
+  {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %}
+  {%- set openssl_conf = '/etc/ssl/openssl.cnf' %}
+{%- else %}
+  {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %}
+  {%- set update_ca_cert = '/usr/bin/update-ca-trust' %}
+  {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %}
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed:
+  pkg.installed:
+    - pkgs:
+      - openssl
+      - ca-certificates
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run:
+  # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run
+  cmd.run:
+    - name: |
+        # These dirs are not to CentOS-ish, but this is a helper script
+        # and they should be enough
+        mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
+        openssl req \
+          -new \
+          -nodes \
+          -sha256 \
+          -x509 \
+          -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \
+          -extensions x509_ext \
+          -config <(cat {{ openssl_conf }} \
+                  <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+          -out {{ arvados_ca_cert_file }} \
+          -keyout {{ arvados_ca_key_file }} \
+          -days 365 && \
+        cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \
+        {{ update_ca_cert }}
+    - unless:
+      - test -f {{ arvados_ca_cert_file }}
+      - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }}
+    - require:
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run:
+  cmd.run:
+    - name: |
+        cat > /tmp/openssl.cnf <<-CNF
+        [req]
+        default_bits = 2048
+        prompt = no
+        default_md = sha256
+        req_extensions = rext
+        distinguished_name = dn
+        [dn]
+        C   = CC
+        ST  = Some State
+        L   = Some Location
+        O   = Arvados Formula
+        OU  = arvados-formula
+        CN  = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        [rext]
+        subjectAltName = @alt_names
+        [alt_names]
+        {%- for entry in grains.get('ipv4') %}
+        IP.{{ loop.index }} = {{ entry }}
+        {%- endfor %}
+        {%- for entry in [
+            'keep',
+            'collections',
+            'download',
+            'keepweb',
+            'ws',
+            'workbench',
+            'workbench2',
+          ]
+        %}
+        DNS.{{ loop.index }} = {{ entry }}
+        {%- endfor %}
+        DNS.8 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        DNS.9 = '__HOSTNAME_EXT__'
+        DNS.10 = '__HOSTNAME_INT__'
+        CNF
+
+        # The req
+        openssl req \
+          -config /tmp/openssl.cnf \
+          -new \
+          -nodes \
+          -sha256 \
+          -out {{ arvados_csr_file }} \
+          -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \
+        # The cert
+        openssl x509 \
+          -req \
+          -days 365 \
+          -in {{ arvados_csr_file }} \
+          -out {{ arvados_cert_file }} \
+          -extfile /tmp/openssl.cnf \
+          -extensions rext \
+          -CA {{ arvados_ca_cert_file }} \
+          -CAkey {{ arvados_ca_key_file }} \
+          -set_serial $(date +%s) && \
+        chmod 0644 {{ arvados_cert_file }} && \
+        chmod 0640 {{ arvados_key_file }}
+    - unless:
+      - test -f {{ arvados_key_file }}
+      - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }}
+    - require:
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+      - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+
+{%- if grains.get('os_family') == 'Debian' %}
+arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
+  pkg.installed:
+    - name: ssl-cert
+    - require_in:
+      - sls: postgres
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run:
+  cmd.run:
+    - name: |
+        chown root:ssl-cert {{ arvados_key_file }}
+    - require:
+      - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
+  file.managed:
+    - name: /etc/nginx/snippets/arvados-snakeoil.conf
+    - contents: |
+        ssl_certificate {{ arvados_cert_file }};
+        ssl_certificate_key {{ arvados_key_file }};
+    - watch_in:
+      - service: nginx_service
+
+

diff --git a/tools/salt-install/local.params.example b/tools/salt-install/local.params.example
index a88301b2a67605ad66111e1a5e41959ad0faf63b..bd9b1c411551bcffb22104e5746267578c214672 100644 (file)
--- a/tools/salt-install/local.params.example
+++ b/tools/salt-install/local.params.example
@@ -13,9 +13,11 @@ DOMAIN="some.domain"
 
 # When setting the cluster in a single host, you can use a single hostname
 # to access all the instances. When using virtualization (ie AWS), this should be
-# the EXTERNAL hostname for the instance.
+# the EXTERNAL/PUBLIC hostname for the instance.
 # If empty, the INTERNAL HOST IP will be used
-HOSTNAME=""
+HOSTNAME_EXT=""
+# The internal hostname for the host
+HOSTNAME_INT="127.0.1.1"
 CONTROLLER_EXT_SSL_PORT=8000
 KEEP_EXT_SSL_PORT=25101
 # Both for collections and downloads
@@ -32,6 +34,14 @@ INITIAL_USER="admin"
 INITIAL_USER_EMAIL="admin@fixme.localdomain"
 INITIAL_USER_PASSWORD="password"
 
+# YOU SHOULD CHANGE THESE TO SOME RANDOM STRINGS
+BLOB_SIGNING_KEY=blobsigningkeymushaveatleast32characters
+MANAGEMENT_TOKEN=managementtokenmushaveatleast32characters
+SYSTEM_ROOT_TOKEN=systemroottokenmushaveatleast32characters
+RAILS_SECRET_TOKEN=railssecrettokenmushaveatleast32characters
+ANONYMOUS_USER_TOKEN=anonymoususertokenmushaveatleast32characters
+WORKBENCH_SECRET_KEY=workbenchsecretkeymushaveatleast32characters
+
 # The example config files you want to use. There are a few examples
 # under 'config_examples' 
 CONFIG_DIR="config_examples/single_host/single_hostname"

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index f3df4109a05cd88980662f4cdcbe0a592e6b3664..facb2e88ef51b9fec772475e803b05c2abf772cf 100755 (executable)
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -107,7 +107,8 @@ TESTS_DIR="tests"
 
 CLUSTER=""
 DOMAIN=""
-HOSTNAME=""
+HOSTNAME_EXT=""
+HOSTNAME_INT="127.0.1.1"
 INITIAL_USER=""
 INITIAL_USER_EMAIL=""
 INITIAL_USER_PASSWORD=""
@@ -229,14 +230,16 @@ if [ "x${BRANCH}" != "x" ]; then
 fi
 
 if [ "x${VAGRANT}" = "xyes" ]; then
-  SOURCE_PILLARS_DIR="/vagrant/${CONFIG_DIR}"
+  SOURCE_PILLARS_DIR="/vagrant/${CONFIG_DIR}/pillars"
+  SOURCE_STATES_DIR="/vagrant/${CONFIG_DIR}/states"
   TESTS_DIR="/vagrant/${TESTS_DIR}"
 else
-  SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}"
+  SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars"
+  SOURCE_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states"
   TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}"
 fi
 
-# Replace cluster and domain name in the example pillars and test files
+# Replace cluster and domain name in the example pillars
 for f in "${SOURCE_PILLARS_DIR}"/*; do
   sed "s/__CLUSTER__/${CLUSTER}/g;
        s/__DOMAIN__/${DOMAIN}/g;
@@ -244,25 +247,35 @@ for f in "${SOURCE_PILLARS_DIR}"/*; do
        s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g;
        s/__KEEP_EXT_SSL_PORT__/${KEEP_EXT_SSL_PORT}/g;
        s/__WEBSHELL_EXT_SSL_PORT__/${WEBSHELL_EXT_SSL_PORT}/g;
-       s/__WORKBENCH1_EXT__SSL_PORT__/${WORKBENCH1_EXT__SSL_PORT}/g;
-       s/__WORKBENCH2_EXT__SSL_PORT__/${WORKBENCH2_EXT__SSL_PORT}/g;
+       s/__WORKBENCH1_EXT_SSL_PORT__/${WORKBENCH1_EXT_SSL_PORT}/g;
+       s/__WORKBENCH2_EXT_SSL_PORT__/${WORKBENCH2_EXT_SSL_PORT}/g;
        s/__WEBSOCKET_EXT_SSL_PORT__/${WEBSOCKET_EXT_SSL_PORT}/g;
-       s/__HOSTNAME__/${HOSTNAME}/g;
+       s/__HOSTNAME_EXT__/${HOSTNAME_EXT}/g;
+       s/__HOSTNAME_INT__/${HOSTNAME_INT}/g;
        s/__KEEPWEB_EXT_SSL_PORT__/${KEEPWEB_EXT_SSL_PORT}/g;
        s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g;
        s/__INITIAL_USER__/${INITIAL_USER}/g;
        s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g;
        s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g;
+       s/__BLOB_SIGNING_KEY__/${BLOB_SIGNING_KEY}/g;
+       s/__MANAGEMENT_TOKEN__/${MANAGEMENT_TOKEN}/g;
+       s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g;
+       s/__RAILS_SECRET_TOKEN__/${RAILS_SECRET_TOKEN}/g;
+       s/__ANONYMOUS_USER_TOKEN__/${ANONYMOUS_USER_TOKEN}/g;
+       s/__WORKBENCH_SECRET_KEY__/${WORKBENCH_SECRET_KEY}/g;
        s/__VERSION__/${VERSION}/g" \
   "${f}" > "${P_DIR}"/$(basename "${f}")
 done
 
 mkdir -p /tmp/cluster_tests
-# Replace cluster and domain name in the example pillars and test files
+# Replace cluster and domain name in the test files
 for f in "${TESTS_DIR}"/*; do
   sed "s/__CLUSTER__/${CLUSTER}/g;
        s/__DOMAIN__/${DOMAIN}/g;
+       s/__HOSTNAME_INT__/${HOSTNAME_INT}/g;
        s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g;
+       s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g;
+       s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g;
        s/__INITIAL_USER__/${INITIAL_USER}/g;
        s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g;
        s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g" \
@@ -270,6 +283,34 @@ for f in "${TESTS_DIR}"/*; do
 done
 chmod 755 /tmp/cluster_tests/run-test.sh
 
+# Replace helper state files that differ from the formula's examples
+for f in "${SOURCE_STATES_DIR}"/*; do
+  sed "s/__CLUSTER__/${CLUSTER}/g;
+       s/__DOMAIN__/${DOMAIN}/g;
+       s/__RELEASE__/${RELEASE}/g;
+       s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g;
+       s/__KEEP_EXT_SSL_PORT__/${KEEP_EXT_SSL_PORT}/g;
+       s/__WEBSHELL_EXT_SSL_PORT__/${WEBSHELL_EXT_SSL_PORT}/g;
+       s/__WORKBENCH1_EXT_SSL_PORT__/${WORKBENCH1_EXT_SSL_PORT}/g;
+       s/__WORKBENCH2_EXT_SSL_PORT__/${WORKBENCH2_EXT_SSL_PORT}/g;
+       s/__WEBSOCKET_EXT_SSL_PORT__/${WEBSOCKET_EXT_SSL_PORT}/g;
+       s/__HOSTNAME_EXT__/${HOSTNAME_EXT}/g;
+       s/__HOSTNAME_INT__/${HOSTNAME_INT}/g;
+       s/__KEEPWEB_EXT_SSL_PORT__/${KEEPWEB_EXT_SSL_PORT}/g;
+       s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g;
+       s/__INITIAL_USER__/${INITIAL_USER}/g;
+       s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g;
+       s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g;
+       s/__BLOB_SIGNING_KEY__/${BLOB_SIGNING_KEY}/g;
+       s/__MANAGEMENT_TOKEN__/${MANAGEMENT_TOKEN}/g;
+       s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g;
+       s/__RAILS_SECRET_TOKEN__/${RAILS_SECRET_TOKEN}/g;
+       s/__ANONYMOUS_USER_TOKEN__/${ANONYMOUS_USER_TOKEN}/g;
+       s/__WORKBENCH_SECRET_KEY__/${WORKBENCH_SECRET_KEY}/g;
+       s/__VERSION__/${VERSION}/g" \
+  "${f}" > "${F_DIR}"/arvados-formula/test/salt/states/examples/single_host/$(basename "${f}")
+done
+
 # FIXME! #16992 Temporary fix for psql call in arvados-api-server
 if [ -e /root/.psqlrc ]; then
   if ! ( grep 'pset pager off' /root/.psqlrc ); then

diff --git a/tools/salt-install/tests/run-test.sh b/tools/salt-install/tests/run-test.sh
index 8d9de6fdf0b12e338208fa8ba2fcd89b5b995139..16ee2851ef8b01bd71642e08b4a717be77e48c19 100755 (executable)
--- a/tools/salt-install/tests/run-test.sh
+++ b/tools/salt-install/tests/run-test.sh
@@ -3,8 +3,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-export ARVADOS_API_TOKEN=changemesystemroottoken
-export ARVADOS_API_HOST=__CLUSTER__.__DOMAIN__:__HOST_SSL_PORT__
+export ARVADOS_API_TOKEN=__SYSTEM_ROOT_TOKEN__
+export ARVADOS_API_HOST=__HOSTNAME_INT__:__CONTROLLER_EXT_SSL_PORT__
 export ARVADOS_API_HOST_INSECURE=true
 
 set -o pipefail