From b9dab553775db66389023c4af4166edc38fd9129 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Thu, 20 May 2021 18:52:36 -0300
Subject: [PATCH] 17605: allow to use a IAM user for letsencrypt
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
 .../multi_host/aws/states/aws_credentials.sls | 2 ++
 .../local.params.example.multiple_hosts | 1 +
 tools/salt-install/provision.sh | 20 ++++++++++++++-----
 3 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
index 15a517a817..ec9fc409a0 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
@@ -4,6 +4,7 @@
 {%- set aws_credentials = pillar.get('aws_credentials', {}) %}
+{%- if aws_credentials %}
 extra_extra_aws_credentials_root_aws_config_file_managed:
 file.managed:
 - name: /root/.aws/config
@@ -28,3 +29,4 @@ extra_extra_aws_credentials_root_aws_credentials_file_managed:
 [default]
 aws_access_key_id = {{ aws_credentials.access_key_id }}
 aws_secret_access_key = {{ aws_credentials.secret_access_key }}
+{%- endif %}
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 07af7cf7c8..86f28be37c 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
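Review bot: Guarding the two file.managed states with `{%- if aws_credentials %}` means that once the pillar is no longer supplied (the USE_LETSENCRYPT_IAM_USER=yes path in provision.sh stops including it) nothing removes the /root/.aws/config and credentials files written by an earlier run, so the static access key and secret stay on disk after the operator has moved to instance-provided credentials. An `{%- else %}` branch before the closing `{%- endif %}` declaring `file.absent` for both files would make the switch actually retire the long-lived keys; the credentials file's `- name` line is outside the hunk, so I am assuming the conventional /root/.aws/credentials path. If the files are intentionally left for other tooling, a comment saying so on the `{%- if` line would prevent the next reader from "fixing" it. The `- mode` of the credentials file also lies outside the hunk, so its permissions could not be checked here.
```yaml
        aws_secret_access_key = {{ aws_credentials.secret_access_key }}
{%- else %}
extra_extra_aws_credentials_root_aws_config_file_absent:
  file.absent:
    - name: /root/.aws/config
extra_extra_aws_credentials_root_aws_credentials_file_absent:
  file.absent:
    - name: /root/.aws/credentials
{%- endif %}
```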
@@ -62,6 +62,7 @@ DATABASE_PASSWORD=please_set_this_to_some_secure_value
 # variable to "no", provide and upload your own certificates to the instances and
 # modify the 'nginx_*' salt pillars accordingly
 USE_LETSENCRYPT="yes"
+USE_LETSENCRYPT_IAM_USER="yes"
 # For collections, we need to obtain a wildcard certificate for
 # '*.collections..'. This is only possible through a DNS-01 challenge.
 # For that reason, you'll need to provide AWS credentials with permissions to manage
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index a2cc01e5d1..ae4fb16c85 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -377,7 +377,9 @@ if [ -z "${ROLES}" ]; then
 echo " - nginx.passenger" >> ${S_DIR}/top.sls
 # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ fi
 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 echo " - postgres" >> ${S_DIR}/top.sls
@@ -398,7 +400,9 @@ if [ -z "${ROLES}" ]; then
 echo " - postgresql" >> ${P_DIR}/top.sls
 # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+ grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ fi
 grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
 fi
 else
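Review bot: `USE_LETSENCRYPT_IAM_USER="yes"` is added without any comment, and the comment right below it still tells the operator that they "need to provide AWS credentials" for the DNS-01 challenge, which is exactly what provision.sh stops installing when this value is "yes". A line above it such as `# Set to "no" to have the static keys from the 'aws_credentials' pillar written to /root/.aws on the hosts; with "yes" no keys are installed and the hosts must already hold AWS credentials for the DNS-01 challenge by other means (e.g. an instance profile)` would tell users which credential model they are opting into; the instance-profile part is my reading of the variable name and should be confirmed against the letsencrypt state, which is not in this patch. The name itself is easy to misread, since static access keys are also an IAM user's keys, so if the "yes" path really means an attached IAM role the comment should say so.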
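Review bot: The new guard `if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]` adds the aws_credentials state only when the variable is exactly "no", so a local.params written before this variable existed (or a value such as "No") silently drops the credentials state and the DNS-01 challenge runs without keys. Testing for the opt-in value instead, `if [ "x${USE_LETSENCRYPT_IAM_USER}" != "xyes" ]; then`, keeps the previous behaviour for unset or malformed values; alternatively default it once near the top of the script with `USE_LETSENCRYPT_IAM_USER="${USE_LETSENCRYPT_IAM_USER:-no}"` and reject anything other than yes/no there, as the script presumably does for USE_LETSENCRYPT (that validation, if it exists, is outside the hunk). The enclosing `if [ -z "${ROLES}" ]` block starts and ends outside the hunk.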
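Review bot: This is the second of five copies of the same `USE_LETSENCRYPT`/`USE_LETSENCRYPT_IAM_USER` block that differ only in the target top.sls, and they are already drifting in that the pillar variant in the last hunk carries an extra `letsencrypt_${R}_configuration` line. Factoring the shared part into a helper that takes the directory keeps the credential-installation policy in one place, so a later change to the IAM-user condition cannot land in some copies and not others. The helper below is plain POSIX sh to match the `[ "x$VAR" = "x..." ]` style the script already uses. The enclosing `if [ -z "${ROLES}" ]` block starts and ends outside the hunk.
```shell
# Append the letsencrypt entries to $1/top.sls. The static AWS keys from the
# aws_credentials state/pillar are only added when USE_LETSENCRYPT_IAM_USER is "no".
add_letsencrypt_entries() {
  if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
    grep -q "aws_credentials" "$1/top.sls" || echo " - aws_credentials" >> "$1/top.sls"
  fi
  grep -q "letsencrypt" "$1/top.sls" || echo " - letsencrypt" >> "$1/top.sls"
}

# … unchanged: postgresql pillar line …
# Currently, only available on config_examples/multi_host/aws
if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
  add_letsencrypt_entries "${P_DIR}"
fi
```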
@@ -421,7 +425,9 @@ else
 ### after it so we add this here, as we are, after all, sharing the host for api and controller
 # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ fi
 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
@@ -437,7 +443,9 @@ else
 grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls
 # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ fi
 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
@@ -446,7 +454,9 @@ else
 grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls
 # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ if [ "x${USE_LETSENCRYPT_IAM_USER}" = "xno" ]; then
+ grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ fi
 grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
 grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls
 fi
-- 
2.30.2
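Review bot: In the IAM-user path this hunk skips the `aws_credentials` pillar but still includes the `letsencrypt` and `letsencrypt_${R}_configuration` pillars, and nothing in the script verifies that the host has another source of AWS credentials before certbot attempts the DNS-01 challenge that local.params says requires them. If the letsencrypt pillar or state takes its Route53 permissions from the aws_credentials pillar rather than from /root/.aws (that state is not in this patch, so I cannot tell), dropping the pillar here would leave it unconfigured even when an instance role is attached. At minimum a comment on the `xno` branch, e.g. `# with USE_LETSENCRYPT_IAM_USER=yes the hosts must get AWS credentials for DNS-01 from an instance profile or other local source`, would record the assumption the operator is expected to satisfy. The enclosing block that sets `${R}` starts and ends outside the hunk.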