From e1577a7fbba344f1c7d784d085d5f8b099bc28bf Mon Sep 17 00:00:00 2001
From: Lucas Di Pentima
Date: Mon, 13 Feb 2023 17:37:05 -0300
Subject: [PATCH] 20035: Manages named pipe file from systemd instead of salt.

Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima
---
 .../nginx_collections_configuration.sls | 2 +-
 .../nginx_controller_configuration.sls | 2 +-
 .../pillars/nginx_download_configuration.sls | 2 +-
 .../pillars/nginx_keepproxy_configuration.sls | 2 +-
 .../pillars/nginx_webshell_configuration.sls | 2 +-
 .../pillars/nginx_websocket_configuration.sls | 2 +-
 .../nginx_workbench2_configuration.sls | 2 +-
 .../pillars/nginx_workbench_configuration.sls | 2 +-
 .../aws/pillars/ssl_key_encrypted.sls | 4 ++--
 .../aws/states/ssl_key_encrypted.sls | 21 +++++++------------
 10 files changed, 18 insertions(+), 23 deletions(-)

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
index f5670aea29..b349ded328 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
@@ -50,7 +50,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
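Review bot: The new `ssl_password_file` line drops the `| yaml_dquote` filter the old line had, so the rendered path is emitted as a plain YAML scalar; `privkey_password_filename` is pillar-supplied, and a value containing `: `, ` #` or a leading YAML indicator would now break the nginx pillar at render time instead of being neutralised by quoting. Keeping the filter costs nothing: `- ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) | yaml_dquote }}`. The literal `/run/arvados/` prefix is also hard-coded here while the systemd unit derives the same directory from `RuntimeDirectory=arvados`; a single pillar key holding the directory (or the full path) would stop the two from drifting apart silently when one of them is edited. The same line is changed identically in the controller, download, keepproxy, webshell, websocket, workbench2 and workbench nginx pillars in this patch, and both remarks apply to each of them.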
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index 5df03fe538..a48810e833 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -67,7 +67,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
index fd8405fb6f..a183475a46 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
@@ -50,7 +50,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
index 16d0c70c6b..c8deaebe97 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
@@ -58,7 +58,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
index fb134cca9b..3a0a23d95f 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
@@ -74,7 +74,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
index 867a8e1b0f..36246d751d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
@@ -59,7 +59,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
index 8ae4210e56..47eafeeece 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
@@ -49,7 +49,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
index f61763648f..82fd24756d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
@@ -60,7 +60,7 @@ nginx:
 - ssl_certificate: __CERT_PEM__
 - ssl_certificate_key: __CERT_KEY__
 {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
 {%- endif %}
 - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
 - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
index 920457737d..6353ce71ea 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -7,5 +7,5 @@ ssl_key_encrypted:
 enabled: __SSL_KEY_ENCRYPTED__
 aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
 aws_region: __SSL_KEY_AWS_REGION__
- ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
- ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
+ privkey_password_filename: ssl-privkey-password
+ privkey_password_script: /usr/local/sbin/password_secret_connector.sh
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
index ae1c762e1e..d616398a01 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -6,36 +6,30 @@
 {%- if ssl_key_encrypted.enabled %}
-extra_ssl_key_encrypted_password_fifo_file:
- file.mknod:
- - ntype: p
- - name: {{ ssl_key_encrypted.ssl_password_file }}
- - user: root
- - group: root
- - mode: '0600'
-
 extra_ssl_key_encrypted_required_pkgs:
 pkg.installed:
 - name: jq
 extra_ssl_key_encrypted_password_retrieval_script:
 file.managed:
- - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+ - name: {{ ssl_key_encrypted.privkey_password_script }}
 - user: root
 - group: root
 - mode: '0750'
 - require:
 - pkg: extra_ssl_key_encrypted_required_pkgs
- - file: extra_ssl_key_encrypted_password_fifo_file
 - contents: |
 #!/bin/bash
+ # RUNTIME_DIRECTORY is provided by systemd
+ PASSWORD_FILE="${RUNTIME_DIRECTORY}/{{ ssl_key_encrypted.privkey_password_filename }}"
+
 while [ true ]; do
 # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
 # loading invalid credentials on nodes who use ~/.aws/credentials for other
 # purposes (e.g.: the dispatcher credentials)
 # Access to the secrets manager is given by using an instance profile.
- AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > '{{ ssl_key_encrypted.ssl_password_file }}'
+ AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > "${PASSWORD_FILE}"
 sleep 1
 done
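Review bot: The retrieval pipeline on the last added line writes whatever `jq` produces into the FIFO without checking that a secret was actually retrieved: when the `aws` call fails (instance-profile permissions, network, a secret with no `SecretString`) `jq -r` emits an empty line or the literal `null`, nginx consumes that as the key passphrase and fails to load the key, and the loop then sleeps one second and retries with nothing in the journal. Capture the output first and only open the pipe when there is a real value, logging the failure otherwise: `pw=$(AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString)` followed by `if [ -n "${pw}" ] && [ "${pw}" != "null" ]; then printf '%s\n' "${pw}" > "${PASSWORD_FILE}"; else echo "secret retrieval failed, retrying" >&2; fi`. `printf` is a bash builtin, so the secret never appears in a process argument list. On the unchanged context line, `while [ true ]; do` tests a non-empty string rather than a command; `while true; do` says what is meant.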
@@ -51,9 +45,10 @@ extra_ssl_key_encrypted_password_retrieval_service_unit:
 [Unit]
 Description=Arvados SSL private key password retrieval service
 After=network.target
- AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
 [Service]
- ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+ RuntimeDirectory=arvados
+ ExecStartPre=/usr/bin/mkfifo --mode=0600 %t/arvados/{{ ssl_key_encrypted.privkey_password_filename }}
+ ExecStart=/bin/bash {{ ssl_key_encrypted.privkey_password_script }}
 [Install]
 WantedBy=multi-user.target
--
2.39.5
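Review bot: The FIFO now exists only while this unit is running (`RuntimeDirectory=` is removed when the unit stops and `/run` is empty after a reboot), yet nothing orders nginx after it; the removed `AssertPathExists` line relied on a node that Salt created persistently under `/etc/nginx/ssl`, whereas an nginx started before this service at boot will now fail to open the configured `ssl_password_file`. Add `Before=nginx.service` to `[Unit]` (with the unit name the target distribution uses), and consider `Restart=always` in `[Service]` so a crash of the retrieval loop does not leave the directory deleted while nginx still expects the pipe on reload. `ExecStartPre=/usr/bin/mkfifo` fails if the path already exists, which is fine under the default `RuntimeDirectoryPreserve=no` but deserves a comment in the state, e.g. `# the FIFO is recreated on every start because RuntimeDirectory= is wiped on stop`. If only the root-owned nginx master needs to reach the pipe, `RuntimeDirectoryMode=0700` would also hide its name and existence from other local users (the 0600 on the FIFO already protects its content). The `extra_ssl_key_encrypted_password_retrieval_service_unit` state starts before this hunk and may continue past it.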