From 511fc7559a6ad00468c9a452bdd1de63ad2c1f77 Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Fri, 10 Feb 2023 15:16:31 -0300
Subject: [PATCH] 20035: Improves the connector script in various ways.
* Passes /dev/null to AWS CLI as credential file instead of an non-existent path.
* Single-quotes every Jinja variable to avoid side shell related effects.
* Passes AWS region name as a pillar.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
.../multi_host/aws/pillars/ssl_key_encrypted.sls | 1 +
.../multi_host/aws/states/ssl_key_encrypted.sls | 4 ++--
tools/salt-install/local.params.example.multiple_hosts | 1 +
tools/salt-install/provision.sh | 2 ++
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
index afec37cbce..920457737d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -6,5 +6,6 @@ ssl_key_encrypted:
enabled: __SSL_KEY_ENCRYPTED__
aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
+ aws_region: __SSL_KEY_AWS_REGION__
ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
index 5bc08f09ef..ae1c762e1e 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -31,11 +31,11 @@ extra_ssl_key_encrypted_password_retrieval_script:
#!/bin/bash
while [ true ]; do
- # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+ # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
# loading invalid credentials on nodes who use ~/.aws/credentials for other
# purposes (e.g.: the dispatcher credentials)
# Access to the secrets manager is given by using an instance profile.
- AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+ AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > '{{ ssl_key_encrypted.ssl_password_file }}'
sleep 1
done
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index b679337a1b..0064a78c5e 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -118,6 +118,7 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
# a custom AWS secret name for each node to retrieve the password.
SSL_KEY_ENCRYPTED="no"
SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+SSL_KEY_AWS_REGION="us-east-1"
# The directory to check for the config files (pillars, states) you want to use.
# There are a few examples under 'config_examples'.
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 7a60363d69..8f69a5f8a6 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
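Review bot: The new retrieval line truncates `'{{ ssl_key_encrypted.ssl_password_file }}'` via `>` before `aws` has succeeded, so a transient failure (IAM, network, throttling) or a secret with no `SecretString` leaves an empty or `null` password file for nginx until the next iteration, and the redirect creates the file under the process umask if nothing else manages its mode. Each iteration should fetch into a variable with pipefail and `jq -e`, and only replace the file atomically when a non-empty value came back, with `umask 077` set at the top of the script. Single-quoting the Jinja values stops word splitting and globbing but still breaks on a value containing `'`; that is presumably acceptable for operator-supplied pillars, but worth a one-line comment. The unchanged `sleep 1` also means one GetSecretValue call per node per second, which counts against Secrets Manager API pricing and CloudTrail volume, so a longer interval is worth considering. The enclosing state definition starts before the hunk.
```shell
#!/bin/bash
umask 077
while true; do
  # … unchanged: AWS_SHARED_CREDENTIALS_FILE / instance-profile comment …
  if secret="$(set -o pipefail; AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -er .SecretString)" && [ -n "${secret}" ]; then
    # Write to a temp file and rename so readers never see an empty or partial file.
    tmp="$(mktemp '{{ ssl_key_encrypted.ssl_password_file }}.XXXXXX')" &&
      printf '%s\n' "${secret}" > "${tmp}" &&
      mv -f "${tmp}" '{{ ssl_key_encrypted.ssl_password_file }}'
  fi
  sleep 1
done
```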
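Review bot: `SSL_KEY_AWS_REGION="us-east-1"` is added without a comment, while the comment block above it only explains the secret name, so a reader has no hint that this must be the region the secret was created in. Suggest a line above it such as `# AWS region where SSL_KEY_AWS_SECRET_NAME lives (used by the password connector script).`, and since this example is the only place the default is visible, mention that existing local.params files need the new variable.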
@@ -440,6 +440,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${P_DIR}"/$(basename "${f}")
done
@@ -513,6 +514,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
done
--
2.30.2
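Review bot: `s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;` substitutes an empty string when `SSL_KEY_AWS_REGION` is unset, which is the case for any local.params written before this change, and the generated connector script then runs `aws ... --region ''`, which will most likely fail on every iteration. Before the loop, presumably after local.params is sourced, default it to the value that was hard-coded until now, `SSL_KEY_AWS_REGION="${SSL_KEY_AWS_REGION:-us-east-1}"`, or refuse to continue when `SSL_KEY_ENCRYPTED` is enabled and the region is empty. The same substitution in the second hunk for `${F_DIR}` benefits from the same default. The enclosing `for` loop starts before the hunk.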