From: Tom Clegg Date: Mon, 18 Jul 2022 17:35:48 +0000 (-0400) Subject: 16552: Change -tls=acmetool to -tls=/path/to/certdir. X-Git-Tag: 2.5.0~116^2 X-Git-Url: https://git.arvados.org/arvados.git/commitdiff_plain/2f0c775a9e1ab8c3abdd94c854326fab771c4b5e 16552: Change -tls=acmetool to -tls=/path/to/certdir. Arvados-DCO-1.1-Signed-off-by: Tom Clegg
---
diff --git a/cmd/arvados-package/install.go b/cmd/arvados-package/install.go
index 9273ac9c73..38efae0461 100644
--- a/cmd/arvados-package/install.go
+++ b/cmd/arvados-package/install.go
@@ -92,7 +92,7 @@ rm /etc/apt/sources.list.d/arvados-local.list
 if opts.Live != "" {
 cmd.Args = append(cmd.Args,
 "--env=domain="+opts.Live,
- "--env=initargs=-tls=acme",
+ "--env=initargs=-tls=/var/lib/acme/live/"+opts.Live,
 "--env=bootargs=",
 "--publish=:443:443",
 "--publish=:4440-4460:4440-4460",
diff --git a/doc/install/automatic.html.textile.liquid b/doc/install/automatic.html.textile.liquid
index f520ffb50a..d72f8f69ee 100644
--- a/doc/install/automatic.html.textile.liquid
+++ b/doc/install/automatic.html.textile.liquid
@@ -31,7 +31,7 @@ h2. Initialize the cluster
 # echo > /etc/apt/sources.list.d/arvados.list "deb http://apt.arvados.org/buster buster main"
 # apt-get update
 # apt-get install arvados-server-easy
-# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls auto -admin-email example@gmail.com.example
+# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls acme -admin-email example@gmail.com.example
 When the "init" command is finished, navigate to the link shown in the terminal (e.g., @https://x9999.example.com/token?api_token=zzzzzzzzzzzzzzzzzzzzzz@). This will log you in to your admin account.
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 8d5bbc258e..b23c6a1274 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
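Review bot: The new `--env=initargs=` value replaces `-tls=acme`, not the `-tls=acmetool` named in the commit subject, so as far as this hunk shows the live container stops obtaining its own certificate through the built-in ACME path and instead requires `/var/lib/acme/live/<domain>/cert` and `/privkey` to already exist inside it, and nothing here says who populates that directory or how it reaches the container. If that is intended, a comment on the new line would spare the next reader the archaeology, e.g. `// -tls=<dir>: cert and privkey are expected to already exist under /var/lib/acme/live/<domain> inside the container (presumably placed there by acmetool on the host)`, adjusted to whatever actually provides them. `opts.Live` is also spliced into the path unchecked, which is acceptable for an operator-supplied domain but means a value containing `/` silently points the server at a different directory. The enclosing function starts and ends outside the hunk.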
@@ -900,8 +900,8 @@ Clusters:
 Repositories: /var/lib/arvados/git/repositories
 TLS:
- # Use "file:///var/lib/acme/live/example.com/cert" and ".../key"
- # to load externally managed certificates.
+ # Use "file:///var/lib/acme/live/example.com/cert" and
+ # ".../privkey" to load externally managed certificates.
 Certificate: ""
 Key: ""
diff --git a/lib/install/init.go b/lib/install/init.go
index a928f22529..d322e753eb 100644
--- a/lib/install/init.go
+++ b/lib/install/init.go
@@ -44,6 +44,7 @@ type initCommand struct {
 LoginGoogle bool
 LoginGoogleClientID string
 LoginGoogleClientSecret string
+ TLSDir string
 }
 func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Reader, stdout, stderr io.Writer) int {
@@ -72,7 +73,7 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
 flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
 flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
- flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, acmetool, insecure, or none")
+ flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, insecure, none, or /path/to/dir containing privkey and cert files")
 flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
 if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
 return code
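Review bot: `TLSDir` is added to `initCommand` without a comment, and unlike the neighbouring fields it is not bound to a flag but derived from `-tls` later in RunCommand, so a reader of the struct cannot tell when it is populated or what the directory must contain. Suggest `// TLSDir is the directory given as -tls (empty when -tls is acme, insecure or none); the generated config points Certificate and Key at cert and privkey inside it.` The struct's opening line is the hunk header, so the definition starts outside the hunk.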
@@ -101,6 +102,16 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 return 1
 }
+ switch initcmd.TLS {
+ case "none", "acme", "insecure":
+ default:
+ if !strings.HasPrefix(initcmd.TLS, "/") {
+ err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
+ return 1
+ }
+ initcmd.TLSDir = initcmd.TLS
+ }
+
 confdir := "/etc/arvados"
 conffile := confdir + "/config.yml"
 if _, err = os.Stat(conffile); err == nil {
@@ -217,9 +228,9 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 {{else if eq .TLS "acme"}}
 ACME:
 Server: LE
- {{else if eq .TLS "acmetool"}}
- Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
- Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
+ {{else if ne .TLSDir ""}}
+ Certificate: {{printf "%q" (print .TLSDir "/cert")}}
+ Key: {{printf "%q" (print .TLSDir "/privkey")}}
 {{else}}
 {}
 {{end}}
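Review bot: The new `-tls` validation in the `default:` branch accepts any string beginning with `/` but never checks that the directory, or the `cert` and `privkey` files the flag help promises, exist, so a typo is only discovered when the service fails to start with a config pointing at missing files; the value is also not normalized, so `-tls=/etc/certs/` becomes `/etc/certs//cert` in the template of the second hunk. Cleaning the path and stat-ing both files at init time, keeping the existing `err = ...; return 1` reporting pattern, catches this where the operator can still act on it (this needs `path/filepath` imported if init.go does not already have it). The empty keyword case could also carry `// known keywords handled by the template below` so nobody mistakes it for a missing body. RunCommand begins and ends outside both hunks.

```go
	// … unchanged: switch header and keyword cases …
	default:
		if !strings.HasPrefix(initcmd.TLS, "/") {
			err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
			return 1
		}
		// Normalize so "/dir/" does not become "/dir//cert" in the
		// generated config, then fail now if either file is missing.
		initcmd.TLSDir = filepath.Clean(initcmd.TLS)
		for _, name := range []string{"cert", "privkey"} {
			if _, err = os.Stat(filepath.Join(initcmd.TLSDir, name)); err != nil {
				err = fmt.Errorf("checking -tls directory %q: %w", initcmd.TLSDir, err)
				return 1
			}
		}
```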