From c3a5a3a4dd20432f4ba423614d2e5281e9a3bfe7 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Tue, 18 May 2021 19:41:17 -0300
Subject: [PATCH] feat(provision): add AWS credentials for letsencrypt
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Wildcard certiticates need to be obtained through a DNS-01 challenge
refs #17605
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli
---
 .../aws/pillars/aws_credentials.sls | 9 ++++++
 .../multi_host/aws/states/aws_credentials.sls | 30 +++++++++++++++++++
 .../local.params.example.multiple_hosts | 8 +++++
 tools/salt-install/provision.sh | 24 +++++++++++----
 4 files changed, 66 insertions(+), 5 deletions(-)
 create mode 100644 tools/salt-install/config_examples/multi_host/aws/pillars/aws_credentials.sls
 create mode 100644 tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/aws_credentials.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/aws_credentials.sls
new file mode 100644
index 0000000000..35cdbf7bde
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/aws_credentials.sls
@@ -0,0 +1,9 @@
+---
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+aws_credentials:
+ region: __LE_AWS_REGION__
+ access_key_id: __LE_AWS_ACCESS_KEY_ID__
+ secret_access_key: __LE_AWS_SECRET_ACCESS_KEY__
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
new file mode 100644
index 0000000000..15a517a817
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/aws_credentials.sls
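Review bot: The new pillar carries a long-lived IAM secret in plaintext: provision.sh substitutes `__LE_AWS_SECRET_ACCESS_KEY__` into it with sed, so the key sits unencrypted in the pillar tree of every host that pillar is targeted to, and nothing in the file says what the key is for or how narrowly it should be scoped. A header comment such as `# Used only for the letsencrypt DNS-01 challenge; use a dedicated IAM user limited to record changes in the cluster's route53 zone` would make the least-privilege expectation explicit to whoever fills in the placeholders. If the pillar directory is readable by other local users the key is exposed to them as well; Salt's gpg renderer is the usual way to keep such a value encrypted at rest, which may be worth mentioning in the same comment.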
@@ -0,0 +1,30 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+{%- set aws_credentials = pillar.get('aws_credentials', {}) %}
+
+extra_extra_aws_credentials_root_aws_config_file_managed:
+ file.managed:
+ - name: /root/.aws/config
+ - makedirs: true
+ - user: root
+ - group: root
+ - mode: '0600'
+ - replace: false
+ - contents: |
+ [default]
+ region= {{ aws_credentials.region }}
+
+extra_extra_aws_credentials_root_aws_credentials_file_managed:
+ file.managed:
+ - name: /root/.aws/credentials
+ - makedirs: true
+ - user: root
+ - group: root
+ - mode: '0600'
+ - replace: false
+ - contents: |
+ [default]
+ aws_access_key_id = {{ aws_credentials.access_key_id }}
+ aws_secret_access_key = {{ aws_credentials.secret_access_key }}
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 6a5bc175ca..07af7cf7c8 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -62,6 +62,14 @@ DATABASE_PASSWORD=please_set_this_to_some_secure_value
 # variable to "no", provide and upload your own certificates to the instances and
 # modify the 'nginx_*' salt pillars accordingly
 USE_LETSENCRYPT="yes"
+# For collections, we need to obtain a wildcard certificate for
+# '*.collections..'. This is only possible through a DNS-01 challenge.
+# For that reason, you'll need to provide AWS credentials with permissions to manage
+# RRs in the route53 zone for the cluster.
+# WARNING!: If AWS credentials files already exist in the hosts, they won't be replaced.
+LE_AWS_REGION="us-east-1"
+LE_AWS_ACCESS_KEY_ID="AKIABCDEFGHIJKLMNOPQ"
+LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
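Review bot: `replace: false` on both `file.managed` states means a rotated or revoked key never reaches a host that already has `/root/.aws/credentials`; the state silently keeps the stale file and, presumably, later DNS-01 challenges fail with no hint in the provisioning run. Key rotation should be a supported path, either by dropping `replace: false` so the file is fully managed, or at least by a header comment that states the file must be deleted by hand before re-provisioning. The `pillar.get('aws_credentials', {})` default also does not make the state safe to apply without the pillar: `aws_credentials.region` on the empty dict either fails the render or writes an empty `region=`, depending on the Jinja undefined policy, so an explicit `{%- set aws_credentials = pillar['aws_credentials'] %}` that fails loudly would be less surprising. `mode: '0600'` is right for the files; the mode of the `/root/.aws` directory created by `makedirs: true` is not set here and is worth confirming on the target images.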
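Review bot: The placeholders `AKIABCDEFGHIJKLMNOPQ` and `thisistherandomstringthatisyoursecretkey` have the shape of real keys, so a copy of this file with them left in place looks valid and only fails at the DNS-01 challenge, and the `AKIA` prefix is exactly what credential scanners match on. Spelling them as `LE_AWS_ACCESS_KEY_ID="please_set_this_to_your_access_key_id"`, in the style of `DATABASE_PASSWORD=please_set_this_to_some_secure_value` just above, makes the missing input obvious and keeps scanners quiet. The comment should also state the minimum IAM permission these credentials need (record changes in the one route53 zone it already mentions) and recommend a dedicated IAM user, since the file now holds a long-lived cloud secret next to the database password. The example name `'*.collections..'` appears to have lost the cluster and domain components between the dots.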
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 5cef4d0fc5..a2cc01e5d1 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -253,6 +253,9 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
 s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
 s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
 s#__INITIAL_USER__#${INITIAL_USER}#g;
+ s#__LE_AWS_REGION__#${LE_AWS_REGION}#g;
+ s#__LE_AWS_SECRET_ACCESS_KEY__#${LE_AWS_SECRET_ACCESS_KEY}#g;
+ s#__LE_AWS_ACCESS_KEY_ID__#${LE_AWS_ACCESS_KEY_ID}#g;
 s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
 s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
 s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
@@ -372,8 +375,10 @@ fi
 if [ -z "${ROLES}" ]; then
 # States
 echo " - nginx.passenger" >> ${S_DIR}/top.sls
+ # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 echo " - postgres" >> ${S_DIR}/top.sls
 echo " - docker.software" >> ${S_DIR}/top.sls
@@ -391,8 +396,10 @@ if [ -z "${ROLES}" ]; then
 echo " - nginx_workbench2_configuration" >> ${P_DIR}/top.sls
 echo " - nginx_workbench_configuration" >> ${P_DIR}/top.sls
 echo " - postgresql" >> ${P_DIR}/top.sls
+ # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
+ grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
 fi
 else
 # If we add individual roles, make sure we add the repo first
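Review bot: The new `s#__LE_AWS_SECRET_ACCESS_KEY__#${LE_AWS_SECRET_ACCESS_KEY}#g;` expands the secret inside the sed expression, so if that expression is passed on the sed command line (the invocation itself is outside this hunk) the key is visible to other local users in the process list while sed runs, and to anyone reading a `set -x` trace or CI log of provision.sh. The same already holds for `__DATABASE_PASSWORD__`, but a cloud credential is a larger exposure; writing the expression to a 0600 temporary file and running `sed -f` on it would keep all of these values off the command line. Note also that an unset `LE_AWS_*` variable becomes an empty string in every pillar under `${SOURCE_PILLARS_DIR}` rather than an error, unless the script runs with `set -u`.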
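Review bot: Appending `- aws_credentials` to `top.sls` whenever `USE_LETSENCRYPT` is `yes` assumes the state file exists in the selected config directory, which the new comment `# Currently, only available on config_examples/multi_host/aws` admits is not always the case; with another config dir the highstate fails on a missing sls instead of giving a clear message at provisioning time. Guarding the append on the file, for example `if [ -f "${S_DIR}/aws_credentials.sls" ]; then grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls; fi` (assuming `${S_DIR}` holds the copied state files), or checking once up front and aborting with a message, would make the dependency explicit. The same applies to the pillar append in the `@@ -391` hunk and to the state and pillar appends in the `@@ -412` and `@@ -425` hunks.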
@@ -412,11 +419,14 @@ else
 grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls
 ### If we don't install and run LE before arvados-api-server, it fails and breaks everything
 ### after it so we add this here, as we are, after all, sharing the host for api and controller
+ # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
 # Pillars
+ grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
 grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls
 grep -q "postgresql" ${P_DIR}/top.sls || echo " - postgresql" >> ${P_DIR}/top.sls
 grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls
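Review bot: The pillar append `grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls` under `# Pillars` is unconditional, unlike every other place in this commit where the same line sits inside `if [ "x${USE_LETSENCRYPT}" = "xyes" ]`. With a config dir that lacks the pillar, the pillar top file then references an sls that does not exist and the resulting pillar error is reported for the whole host, not just for letsencrypt; with `USE_LETSENCRYPT=no` in the aws config it still ships credential data to a host that has no use for it. Moving the line inside the same guard as the state append a few lines above keeps the two top files consistent. The case branch this hunk belongs to starts before the hunk.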
@@ -425,15 +435,19 @@ else
 "controller" | "websocket" | "workbench" | "workbench2" | "keepweb" | "keepproxy")
 # States
 grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls
+ # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
+ grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
+ grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
 fi
 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
 # Pillars
 grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls
 grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls
+ # Currently, only available on config_examples/multi_host/aws
 if [ "x${USE_LETSENCRYPT}" = "xyes" ]; then
- grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
+ grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
+ grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
 grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls
 fi
 ;;
-- 
2.30.2
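Review bot: The guarded `grep -q ... || echo " - ..." >> .../top.sls` pair for `aws_credentials` and `letsencrypt` is now copied verbatim six times across the `@@ -372`, `@@ -391`, `@@ -412` and `@@ -425` hunks, and the copies already disagree with each other about whether the pillar append is guarded. A helper defined once near the top of the file, `add_to_top() { grep -q "$1" "$2" || echo " - $1" >> "$2"; }`, would reduce each block to `add_to_top aws_credentials ${S_DIR}/top.sls` followed by `add_to_top letsencrypt ${S_DIR}/top.sls`, and would make the required ordering (credentials before letsencrypt) visible at a glance. The case statement this hunk belongs to starts and ends outside the hunk.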