From: Javier Bértoli Date: Wed, 29 Sep 2021 15:28:08 +0000 (-0300) Subject: 17742: add state to install custom certificates X-Git-Tag: 2.4.0~199^2~7 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/03338fd9d7416560331bb96fd356f3d35de6760f 17742: add state to install custom certificates Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls
new file mode 100644
index 0000000000..3716503391
--- /dev/null
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls
@@ -0,0 +1,31 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs') %}
+{%- set dest_cert_dir = '/etc/nginx/ssl' %}
+{%- set certs = salt['pillar.get']('extra_custom_certs', []) %}
+
+extra_custom_certs_file_directory_certs_dir:
+ file.directory: - name: /etc/nginx/ssl - require: - pkg: nginx_install
+ {%- for cert in certs %} {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %} {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #} {%- set key_file = 'arvados-' ~ cert ~ '.key' %} {% for c in [cert_file, key_file] %}
+extra_custom_certs_file_copy_{{ c }}:
+ file.copy: - name: {{ dest_cert_dir }}/{{ c }} - source: {{ orig_cert_dir }}/{{ c }} - force: true - user: root - group: root - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }} - require: - file: extra_custom_certs_file_directory_certs_dir {%- endfor %}
+{%- endfor %}
diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index e23634e8c4..46ac881870 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
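Review bot: The `file.copy` states set `user`/`group` but no `mode`, so the permissions of `arvados-<role>.key` under `/etc/nginx/ssl` depend on whatever the source file in `extra_custom_certs_dir` happened to have (as far as I recall, Salt's `file.copy` inherits the source mode unless `mode` or `preserve` is given); an operator who uploaded the key as 0644 ends up with a world-readable TLS private key on the host. Adding `- mode: {{ '0600' if c == key_file else '0644' }}` to the `file.copy` state pins this regardless of how the file was uploaded. A related gap is that nothing reloads nginx when a certificate or key is replaced, so a rotated cert only takes effect on the next restart — a `watch_in` on the nginx service state would close that, if such a state exists in this config (not visible here). Minor style: the directory state hardcodes `/etc/nginx/ssl` while `dest_cert_dir` is defined for exactly that value; `- name: {{ dest_cert_dir }}` keeps the two from drifting.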
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -45,9 +45,29 @@ DATABASE_PASSWORD=please_set_this_to_some_secure_value
 # salt formula (https://github.com/saltstack-formulas/letsencrypt-formula) to try to
 # automatically obtain and install SSL certificates for your instances or set this
 # variable to "no", provide and upload your own certificates to the instances and
-# modify the 'nginx_*' salt pillars accordingly
+# modify the 'nginx_*' salt pillars accordingly (see below, param CUSTOM_CERTS_DIR)
 USE_LETSENCRYPT="no"
 
+# If you going to provide your own certificates for Arvados, the provision script can
+# help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
+# and copy the required certificates under the directory specified in the next line.
+# The certs will be copied from this directory by the provision script.
+CUSTOM_CERTS_DIR="./certs"
+# The script expects cert/key files with these basenames (matching the role except for
+# keepweb, which is split in both downoad/collections):
+# CUSTOM_CERTS_DIR.
+# "controller"
+# "websocket"
+# "workbench"
+# "workbench2"
+# "webshell"
+# "download" # Part of keepweb
+# "collections" # Part of keepweb
+# "keepproxy"
+# Ie., 'keepproxy', the script will lookup for
+# ${CUSTOM_CERTS_DIR}/keepproxy.crt
+# ${CUSTOM_CERTS_DIR}/keepproxy.key
+
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
 # CONFIG_DIR="local_config_dir"
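Review bot: The comment documents the expected files as `${CUSTOM_CERTS_DIR}/keepproxy.crt` and `.key`, while the `custom_certs.sls` state added in the same commit copies `arvados-<role>.pem` and `arvados-<role>.key` out of `extra_custom_certs_dir`; unless the provision script renames files on upload (not visible in this diff), a `.crt` named as documented here will never be picked up, so the comment should state the exact filenames the script actually consumes. The stray line `# CUSTOM_CERTS_DIR.` between the explanation and the list of roles reads like a leftover and should be dropped. Because the `.key` files are private keys that get copied onto the host, it is worth adding `# Keep the *.key files readable only by you (e.g. chmod 0600); they are copied as-is.` next to `CUSTOM_CERTS_DIR`. Wording: `# If you are going to provide`, `download/collections`, and `# E.g., for 'keepproxy' the script will look for`.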