From 729843af064ef140dc046b3009a9230626e23bf4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Thu, 20 Jan 2022 12:22:16 -0300
Subject: [PATCH] 18658: add missing state to deploy custom certs in multi-host env
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Also, set the full path to the certs dir if not configured
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
 .../multi_host/aws/states/custom_certs.sls | 31 +++++++++++++++++++
 .../local.params.example.multiple_hosts | 3 +-
 ...ams.example.single_host_multiple_hostnames | 3 +-
 tools/salt-install/provision.sh | 2 +-
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
new file mode 100644
index 0000000000..3716503391
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -0,0 +1,31 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs') %}
+{%- set dest_cert_dir = '/etc/nginx/ssl' %}
+{%- set certs = salt['pillar.get']('extra_custom_certs', []) %}
+
+extra_custom_certs_file_directory_certs_dir:
+ file.directory:
+ - name: /etc/nginx/ssl
+ - require:
+ - pkg: nginx_install
+
+{%- for cert in certs %}
+ {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
+ {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
+ {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
+ {% for c in [cert_file, key_file] %}
+extra_custom_certs_file_copy_{{ c }}:
+ file.copy:
+ - name: {{ dest_cert_dir }}/{{ c }}
+ - source: {{ orig_cert_dir }}/{{ c }}
+ - force: true
+ - user: root
+ - group: root
+ - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+ - require:
+ - file: extra_custom_certs_file_directory_certs_dir
+ {%- endfor %}
+{%- endfor %}
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index c770c8d74c..eb64bb6227 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -79,7 +79,8 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.
-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 # "controller"
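Review bot: In custom_certs.sls the `file.copy` state installs the `arvados-*.key` private keys with `user`/`group` set to root but no `mode`, so the permission bits of the installed key appear to depend on whatever the source file under `orig_cert_dir` happens to carry; nothing in this state tightens them. I would add `- mode: '0600'` to the copy state (certificate and key go through the same loop, and the stricter mode on the `.pem` should be harmless provided nginx opens them as root, which is worth confirming). The `file.directory` state likewise sets no owner or mode on the directory that holds the keys. Separately, that directory state hardcodes `/etc/nginx/ssl` although `dest_cert_dir` is defined at the top of the file; `- name: {{ dest_cert_dir }}` would keep the two from drifting apart.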
diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index cf79fe244c..6c9258a3c5 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -52,7 +52,8 @@ USE_LETSENCRYPT="no"
 # help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
 # and copy the required certificates under the directory specified in the next line.
 # The certs will be copied from this directory by the provision script.
-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
 # The script expects cert/key files with these basenames (matching the role except for
 # keepweb, which is split in both downoad/collections):
 # "controller"
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 537f087b62..d0c4cc2bd4 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -166,7 +166,7 @@ WORKBENCH1_EXT_SSL_PORT=443 WORKBENCH2_EXT_SSL_PORT=3001 USE_LETSENCRYPT="no"
-CUSTOM_CERTS_DIR="./certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
 ## These are ARVADOS-related parameters
 # For a stable release, change RELEASE "production" and VERSION to the
-- 
2.30.2
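Review bot: The new default `CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"` in provision.sh is expanded at assignment time, so it relies on `SCRIPT_DIR` being set earlier in the script, which this hunk does not show; if it is empty the default silently becomes `/certs`. If that is not already guaranteed above, `CUSTOM_CERTS_DIR="${SCRIPT_DIR:?}/certs"` would stop the script instead of looking for certificate and key files in an unintended directory. The defaults block this line sits in starts and continues outside the hunk, so the ordering should be checked against the full file.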