From f023eb5138f8886820f33901b46b67ba9a0d24a2 Mon Sep 17 00:00:00 2001 
From: =?utf8?q?Javier=20B=C3=A9rtoli?= Date: Wed, 27 Jan 2021 09:54:49 -0300 Subject: [PATCH] feat(provision): refactor to add other setup examples MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit refs #17246 Arvados-DCO-1.1-Signed-off-by: Javier Bértoli --- .../{ => pillars}/arvados.sls | 16 +- .../{ => pillars}/docker.sls | 0 .../{ => pillars}/locale.sls | 0 .../{ => pillars}/nginx_api_configuration.sls | 0 .../nginx_controller_configuration.sls | 0 .../nginx_keepproxy_configuration.sls | 0 .../nginx_keepweb_configuration.sls | 0 .../{ => pillars}/nginx_passenger.sls | 0 .../nginx_webshell_configuration.sls | 0 .../nginx_websocket_configuration.sls | 0 .../nginx_workbench2_configuration.sls | 0 .../nginx_workbench_configuration.sls | 0 .../{ => pillars}/postgresql.sls | 0 .../single_hostname/{ => pillars}/arvados.sls | 52 +++--- .../single_hostname/{ => pillars}/docker.sls | 0 .../single_hostname/{ => pillars}/locale.sls | 0 .../{ => pillars}/nginx_api_configuration.sls | 2 +- .../nginx_controller_configuration.sls | 10 +- .../nginx_keepproxy_configuration.sls | 18 +- .../nginx_keepweb_configuration.sls | 18 +- .../{ => pillars}/nginx_passenger.sls | 0 .../nginx_webshell_configuration.sls | 17 +- .../nginx_websocket_configuration.sls | 18 +- .../nginx_workbench2_configuration.sls | 16 +- .../nginx_workbench_configuration.sls | 20 +-- .../{ => pillars}/postgresql.sls | 0 .../single_hostname/states/host_entries.sls | 32 ++++ .../single_hostname/states/snakeoil_certs.sls | 156 ++++++++++++++++++ tools/salt-install/local.params.example | 14 +- tools/salt-install/provision.sh | 57 ++++++- tools/salt-install/tests/run-test.sh | 4 +- 31 files changed, 296 insertions(+), 154 deletions(-) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/arvados.sls (90%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/docker.sls (100%) rename 
tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/locale.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_api_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_controller_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_keepproxy_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_keepweb_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_passenger.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_webshell_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_websocket_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_workbench2_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/nginx_workbench_configuration.sls (100%) rename tools/salt-install/config_examples/single_host/multiple_hostnames/{ => pillars}/postgresql.sls (100%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/arvados.sls (68%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/docker.sls (100%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/locale.sls (100%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_api_configuration.sls (93%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_controller_configuration.sls (87%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => 
pillars}/nginx_keepproxy_configuration.sls (73%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_keepweb_configuration.sls (72%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_passenger.sls (100%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_webshell_configuration.sls (84%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_websocket_configuration.sls (74%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_workbench2_configuration.sls (70%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/nginx_workbench_configuration.sls (76%) rename tools/salt-install/config_examples/single_host/single_hostname/{ => pillars}/postgresql.sls (100%) create mode 100644 tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls create mode 100644 tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls similarity index 90% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls index 4aa4735d83..6c6dec26fc 100644 --- a/tools/salt-install/config_examples/single_host/multiple_hostnames/arvados.sls +++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/arvados.sls 
@@ -78,19 +78,15 @@ arvados: ### TOKENS tokens: - system_root: changemesystemroottoken - management: changememanagementtoken - rails_secret: changemerailssecrettoken - anonymous_user: changemeanonymoususertoken + system_root: __SYSTEM_ROOT_TOKEN__ + management: __MANAGEMENT_TOKEN__ + rails_secret: __RAILS_SECRET_TOKEN__ + anonymous_user: __ANONYMOUS_USER_TOKEN__ ### KEYS secrets: - blob_signing_key: changemeblobsigningkey - workbench_secret_key: changemeworkbenchsecretkey - dispatcher_access_key: changemedispatcheraccesskey - dispatcher_secret_key: changeme_dispatchersecretkey - keep_access_key: changemekeepaccesskey - keep_secret_key: changemekeepsecretkey + blob_signing_key: __BLOB_SIGNING_KEY__ + workbench_secret_key: __WORKBENCH_SECRET_KEY__ Login: Test: diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/docker.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/docker.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/docker.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/docker.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/locale.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/locale.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/locale.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/locale.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_api_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_api_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_api_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_api_configuration.sls 
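Review bot: The `__SYSTEM_ROOT_TOKEN__`, `__MANAGEMENT_TOKEN__`, `__RAILS_SECRET_TOKEN__`, `__ANONYMOUS_USER_TOKEN__`, `__BLOB_SIGNING_KEY__` and `__WORKBENCH_SECRET_KEY__` placeholders under `tokens:` and `secrets:` become the live credentials if the substitution in provision.sh ever misses one (an unset variable in local.params, or a value containing `/` or `&` that breaks an `s/…/…/g` expression), and the cluster would then start with a deterministic, publicly known root token. provision.sh should fail the run if any placeholder survives rendering, e.g. `grep -rlE '__[A-Z0-9_]+__'` over the rendered pillar directory and exit non-zero on a match. Only the `__CLUSTER__`/`__DOMAIN__` part of the sed expression is visible in this patch, so whether the token substitutions share its form is inferred.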
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_controller_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_controller_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_controller_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_controller_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepproxy_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepproxy_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepproxy_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepweb_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepweb_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_keepweb_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_keepweb_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_passenger.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_passenger.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_passenger.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_passenger.sls 
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_webshell_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_webshell_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_webshell_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_websocket_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_websocket_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_websocket_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench2_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench2_configuration.sls diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/nginx_workbench_configuration.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/nginx_workbench_configuration.sls 
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/postgresql.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/postgresql.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/multiple_hostnames/postgresql.sls rename to tools/salt-install/config_examples/single_host/multiple_hostnames/pillars/postgresql.sls diff --git a/tools/salt-install/config_examples/single_host/single_hostname/arvados.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls similarity index 68% rename from tools/salt-install/config_examples/single_host/single_hostname/arvados.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls index e5e4586657..f3d2bcb9ea 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/arvados.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/arvados.sls @@ -78,19 +78,15 @@ arvados: ### TOKENS tokens: - system_root: changemesystemroottoken - management: changememanagementtoken - rails_secret: changemerailssecrettoken - anonymous_user: changemeanonymoususertoken + system_root: __SYSTEM_ROOT_TOKEN__ + management: __MANAGEMENT_TOKEN__ + rails_secret: __RAILS_SECRET_TOKEN__ + anonymous_user: __ANONYMOUS_USER_TOKEN__ ### KEYS secrets: - blob_signing_key: changemeblobsigningkey - workbench_secret_key: changemeworkbenchsecretkey - dispatcher_access_key: changemedispatcheraccesskey - dispatcher_secret_key: changeme_dispatchersecretkey - keep_access_key: changemekeepaccesskey - keep_secret_key: changemekeepsecretkey + blob_signing_key: __BLOB_SIGNING_KEY__ + workbench_secret_key: __WORKBENCH_SECRET_KEY__ Login: Test: @@ -107,7 +103,7 @@ arvados: # -nyw5e- __CLUSTER__-nyw5e-000000000000000: AccessViaHosts: - 'http://__HOSTNAME__:25107': + 'http://__HOSTNAME_INT__:25107': ReadOnly: false Replication: 2 Driver: Directory 
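Review bot: The `secrets:` hunk deletes `dispatcher_access_key`, `dispatcher_secret_key`, `keep_access_key` and `keep_secret_key` without replacing them with placeholders, unlike every other entry in the block; whether the arvados formula's templates still read those keys is not visible here, and if they do, rendering either fails or emits empty credentials. If they are intentionally unused in the single-host example, a one-line comment above `blob_signing_key:` should say so, e.g. `# dispatcher/keep S3-style keys are not used by the single-host examples`, so the next maintainer does not re-add them with changeme values. The `AccessViaHosts` change to `http://__HOSTNAME_INT__:25107` is consistent with the Keepstore InternalURL elsewhere in this patch.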
@@ -122,38 +118,32 @@ arvados: Services: Controller: - ExternalURL: 'https://__HOSTNAME__:__CONTROLLER_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__CONTROLLER_EXT_SSL_PORT__' InternalURLs: - 'http://controller.internal:8003': {} - DispatchCloud: - InternalURLs: - 'http://__HOSTNAME__:9006': {} - Keepbalance: - InternalURLs: - 'http://__HOSTNAME__:9005': {} + 'http://__HOSTNAME_INT__:8003': {} Keepproxy: - ExternalURL: 'https://__HOSTNAME__:__KEEP_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__KEEP_EXT_SSL_PORT__' InternalURLs: - 'http://keep.internal:25100': {} + 'http://__HOSTNAME_INT__:25100': {} Keepstore: InternalURLs: - 'http://keep0.internal:25107': {} + 'http://__HOSTNAME_INT__:25107': {} RailsAPI: InternalURLs: - 'http://api.internal:8004': {} + 'http://__HOSTNAME_INT__:8004': {} WebDAV: - ExternalURL: 'https://__HOSTNAME__:__KEEPWEB_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__KEEPWEB_EXT_SSL_PORT__' InternalURLs: - 'http://collections.internal:9002': {} + 'http://__HOSTNAME_INT__:9003': {} WebDAVDownload: - ExternalURL: 'https://__HOSTNAME__:__KEEPWEB_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__KEEPWEB_EXT_SSL_PORT__' WebShell: - ExternalURL: 'https://__HOSTNAME__:__WEBSHELL_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__WEBSHELL_EXT_SSL_PORT__' Websocket: - ExternalURL: 'wss://__HOSTNAME__:__WEBSOCKET_EXT_SSL_PORT__/websocket' + ExternalURL: 'wss://__HOSTNAME_EXT__:__WEBSOCKET_EXT_SSL_PORT__/websocket' InternalURLs: - 'http://ws.internal:8005': {} + 'http://__HOSTNAME_INT__:8005': {} Workbench1: - ExternalURL: 'https://__HOSTNAME__:__WORKBENCH1_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__WORKBENCH1_EXT_SSL_PORT__' Workbench2: - ExternalURL: 'https://__HOSTNAME__:__WORKBENCH2_EXT_SSL_PORT__' + ExternalURL: 'https://__HOSTNAME_EXT__:__WORKBENCH2_EXT_SSL_PORT__' 
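Review bot: Every InternalURL in this hunk is now plain `http://__HOSTNAME_INT__:<port>` (controller 8003, keepproxy 25100, keepstore 25107, RailsAPI 8004, WebDAV 9003, websocket 8005), which is only safe while `HOSTNAME_INT` resolves to a loopback or otherwise non-routable address that the services presumably bind to; local.params.example defaults it to 127.0.1.1, but nothing in this patch stops a deployer from setting it to the public hostname, which would expose the unencrypted backends alongside the nginx TLS front-ends. A comment above `Services:` should state the constraint, e.g. `# InternalURLs are plain HTTP with no nginx in front: __HOSTNAME_INT__ must be a loopback/private address`. The WebDAV InternalURL port moves from 9002 to 9003 here and the keep-web nginx upstream pillar in this patch makes the same change, so the two stay in agreement.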
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/docker.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/docker.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/single_hostname/docker.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/docker.sls diff --git a/tools/salt-install/config_examples/single_host/single_hostname/locale.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/locale.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/single_hostname/locale.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/locale.sls diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls similarity index 93% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls index b2f12c7739..18f09af503 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_api_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_api_configuration.sls @@ -18,7 +18,7 @@ nginx: overwrite: true config: - server: - - listen: 'api.internal:8004' + - listen: '__HOSTNAME_INT__:8004' - server_name: api - root: /var/www/arvados-api/current/public - index: index.html index.htm 
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls similarity index 87% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls index 2eb33b8355..b7b75ab9c2 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_controller_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_controller_configuration.sls @@ -14,7 +14,7 @@ nginx: default: 1 '127.0.0.0/8': 0 upstream controller_upstream: - - server: 'controller.internal:8003 fail_timeout=10s' + - server: '__HOSTNAME_INT__:8003 fail_timeout=10s' ### SITES servers: @@ -25,9 +25,9 @@ nginx: overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: _ - listen: - - 80 default + - 80 default_server - location /.well-known: - root: /var/www - location /: @@ -38,9 +38,9 @@ nginx: overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - - __CONTROLLER_EXT_SSL_PORT__ http2 ssl + - __CONTROLLER_EXT_SSL_PORT__ http2 ssl default_server - index: index.html index.htm - location /: - proxy_pass: 'http://controller_upstream' diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls similarity index 73% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls index b26de2710e..81d72aac74 100644 
--- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepproxy_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepproxy_configuration.sls @@ -11,30 +11,16 @@ nginx: ### STREAMS http: upstream keepproxy_upstream: - - server: 'keep.internal:25100 fail_timeout=10s' + - server: '__HOSTNAME_INT__:25100 fail_timeout=10s' servers: managed: - ### DEFAULT - arvados_keepproxy_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __KEEP_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - arvados_keepproxy_ssl: enabled: true overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - __KEEP_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls similarity index 72% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls index 98a3cdf94e..fcb56c9949 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_keepweb_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_keepweb_configuration.sls 
@@ -11,31 +11,17 @@ nginx: ### STREAMS http: upstream collections_downloads_upstream: - - server: 'collections.internal:9002 fail_timeout=10s' + - server: '__HOSTNAME_INT__:9003 fail_timeout=10s' servers: managed: - ### COLLECTIONS / DOWNLOAD - arvados_collections_download_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __KEEPWEB_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - ### COLLECTIONS / DOWNLOAD arvados_collections_download_ssl: enabled: true overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - __KEEPWEB_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_passenger.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_passenger.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_passenger.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_passenger.sls diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls similarity index 84% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls index dac6061234..f0e7a19a4a 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_webshell_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_webshell_configuration.sls 
@@ -12,30 +12,17 @@ nginx: ### STREAMS http: upstream webshell_upstream: - - server: 'shell.internal:4200 fail_timeout=10s' + - server: '__HOSTNAME_INT__:4200 fail_timeout=10s' ### SITES servers: managed: - arvados_webshell_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __WEBSHELL_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - arvados_webshell_ssl: enabled: true overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: __HOSTNAME__EXT__ - listen: - __WEBSHELL_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls similarity index 74% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls index 827524cbe6..7c4ff7835c 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_websocket_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_websocket_configuration.sls 
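Review bot: The new `server_name` in `arvados_webshell_ssl` is `__HOSTNAME__EXT__` (double underscore before EXT), while every other pillar in this patch uses `__HOSTNAME_EXT__`, so the substitution in provision.sh will not match it and nginx will be left with a literal or partially substituted server_name for the webshell vhost. It still answers because it is the only server on `__WEBSHELL_EXT_SSL_PORT__`, which is why the tests would not catch it. Change the line to `- server_name: __HOSTNAME_EXT__`.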
@@ -11,30 +11,16 @@ nginx: ### STREAMS http: upstream websocket_upstream: - - server: 'ws.internal:8005 fail_timeout=10s' + - server: '__HOSTNAME_INT__:8005 fail_timeout=10s' servers: managed: - ### DEFAULT - arvados_websocket_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __WEBSOCKET_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - arvados_websocket_ssl: enabled: true overwrite: true config: - server: - - server_name: __HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - __WEBSOCKET_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls similarity index 70% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls index 7f90cbc825..f783e523fa 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench2_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench2_configuration.sls @@ -13,26 +13,12 @@ nginx: ### SITES servers: managed: - ### DEFAULT - arvados_workbench2_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __WORKBENCH2_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - arvados_workbench2_ssl: enabled: true overwrite: true config: - server: - - server_name: workbench2.__HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - __WORKBENCH2_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm 
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls similarity index 76% rename from tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls index 0cbd3e14a9..9ed6e3b87a 100644 --- a/tools/salt-install/config_examples/single_host/single_hostname/nginx_workbench_configuration.sls +++ b/tools/salt-install/config_examples/single_host/single_hostname/pillars/nginx_workbench_configuration.sls @@ -17,31 +17,17 @@ nginx: ### STREAMS http: upstream workbench_upstream: - - server: 'workbench.internal:9000 fail_timeout=10s' + - server: '__HOSTNAME_INT__:9000 fail_timeout=10s' ### SITES servers: managed: - ### DEFAULT - arvados_workbench_default: - enabled: true - overwrite: true - config: - - server: - - server_name: __HOSTNAME__ - - listen: - - __WORKBENCH_EXT_SSL_PORT__ - - location /.well-known: - - root: /var/www - - location /: - - return: '301 https://$host$request_uri' - arvados_workbench_ssl: enabled: true overwrite: true config: - server: - - server_name: workbench.__HOSTNAME__ + - server_name: __HOSTNAME_EXT__ - listen: - __WORKBENCH1_EXT_SSL_PORT__ http2 ssl - index: index.html index.htm @@ -63,7 +49,7 @@ nginx: overwrite: true config: - server: - - listen: 'workbench.internal:9000' + - listen: '__HOSTNAME_INT__:9000' - server_name: workbench - root: /var/www/arvados-workbench/current/public - index: index.html index.htm 
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/postgresql.sls b/tools/salt-install/config_examples/single_host/single_hostname/pillars/postgresql.sls similarity index 100% rename from tools/salt-install/config_examples/single_host/single_hostname/postgresql.sls rename to tools/salt-install/config_examples/single_host/single_hostname/pillars/postgresql.sls diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls new file mode 100644 index 0000000000..7e3957c575 --- /dev/null +++ b/tools/salt-install/config_examples/single_host/single_hostname/states/host_entries.sls @@ -0,0 +1,32 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- from "arvados/map.jinja" import arvados with context %} +{%- set tpldir = curr_tpldir %} + +arvados_test_salt_states_examples_single_host_etc_hosts_host_present: + host.present: + - ip: 127.0.0.2 + - names: + - {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + # FIXME! This just works for our testings. + # Won't work if the cluster name != host name + {%- for entry in [ + 'api', + 'collections', + 'controller', + 'download', + 'keep', + 'keepweb', + 'keep0', + 'shell', + 'workbench', + 'workbench2', + 'ws', + ] + %} + - {{ entry }} + {%- endfor %} diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls new file mode 100644 index 0000000000..375cc84eb4 --- /dev/null +++ b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls 
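Review bot: The state pins single-label names such as `api`, `keep`, `shell` and `ws` to 127.0.0.2 in /etc/hosts, which overrides whatever those names would resolve to through the host's resolver search domain for every process on the machine, not only the Arvados services; the existing FIXME only mentions the cluster-name/host-name mismatch. Extend it so the caveat is explicit, e.g. `# FIXME! Test hosts only: these bare names shadow any real hosts of the same name in the resolver search domain, and the entries assume cluster name == host name.`. The name list here also differs from the SAN list in snakeoil_certs.sls (api, controller, keep0 and shell appear only here), which is harmless while those endpoints stay plain HTTP but worth a pointer comment so the two lists are maintained together.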
@@ -0,0 +1,156 @@ +# Copyright (C) The Arvados Authors. All rights reserved. +# +# SPDX-License-Identifier: AGPL-3.0 + +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- from "arvados/map.jinja" import arvados with context %} +{%- set tpldir = curr_tpldir %} + +include: + - nginx.service + +{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %} +{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %} +{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %} +{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %} +{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %} + +{%- if grains.get('os_family') == 'Debian' %} + {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %} + {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %} + {%- set openssl_conf = '/etc/ssl/openssl.cnf' %} +{%- else %} + {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %} + {%- set update_ca_cert = '/usr/bin/update-ca-trust' %} + {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %} +{%- endif %} + +arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed: + pkg.installed: + - pkgs: + - openssl + - ca-certificates + +arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run: + # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run + cmd.run: + - name: | + # These dirs are not to CentOS-ish, but this is a helper script + # and they should be enough + mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \ + openssl req \ + -new \ + -nodes \ + -sha256 \ + -x509 \ + -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \ + -extensions x509_ext \ + -config <(cat {{ openssl_conf }} \ + <(printf 
"\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \ + -out {{ arvados_ca_cert_file }} \ + -keyout {{ arvados_ca_key_file }} \ + -days 365 && \ + cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \ + {{ update_ca_cert }} + - unless: + - test -f {{ arvados_ca_cert_file }} + - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }} + - require: + - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed + +arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run: + cmd.run: + - name: | + cat > /tmp/openssl.cnf <<-CNF + [req] + default_bits = 2048 + prompt = no + default_md = sha256 + req_extensions = rext + distinguished_name = dn + [dn] + C = CC + ST = Some State + L = Some Location + O = Arvados Formula + OU = arvados-formula + CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + [rext] + subjectAltName = @alt_names + [alt_names] + {%- for entry in grains.get('ipv4') %} + IP.{{ loop.index }} = {{ entry }} + {%- endfor %} + {%- for entry in [ + 'keep', + 'collections', + 'download', + 'keepweb', + 'ws', + 'workbench', + 'workbench2', + ] + %} + DNS.{{ loop.index }} = {{ entry }} + {%- endfor %} + DNS.8 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + DNS.9 = '__HOSTNAME_EXT__' + DNS.10 = '__HOSTNAME_INT__' + CNF + + # The req + openssl req \ + -config /tmp/openssl.cnf \ + -new \ + -nodes \ + -sha256 \ + -out {{ arvados_csr_file }} \ + -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \ + # The cert + openssl x509 \ + -req \ + -days 365 \ + -in {{ arvados_csr_file }} \ + -out {{ arvados_cert_file }} \ + -extfile /tmp/openssl.cnf \ + -extensions rext \ + -CA {{ arvados_ca_cert_file }} \ + -CAkey {{ arvados_ca_key_file }} \ + -set_serial $(date +%s) && \ + chmod 0644 {{ arvados_cert_file }} && \ + 
chmod 0640 {{ arvados_key_file }} + - unless: + - test -f {{ arvados_key_file }} + - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }} + - require: + - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed + - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run + +{%- if grains.get('os_family') == 'Debian' %} +arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed: + pkg.installed: + - name: ssl-cert + - require_in: + - sls: postgres + +arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run: + cmd.run: + - name: | + chown root:ssl-cert {{ arvados_key_file }} + - require: + - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run + - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed +{%- endif %} + +arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed: + file.managed: + - name: /etc/nginx/snippets/arvados-snakeoil.conf + - contents: | + ssl_certificate {{ arvados_cert_file }}; + ssl_certificate_key {{ arvados_key_file }}; + - watch_in: + - service: nginx_service + + diff --git a/tools/salt-install/local.params.example b/tools/salt-install/local.params.example index a88301b2a6..bd9b1c4115 100644 --- a/tools/salt-install/local.params.example +++ b/tools/salt-install/local.params.example 
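Review bot: The CA private key written to `{{ arvados_ca_key_file }}` by the first `cmd.run` is never given restrictive permissions, while the CA certificate is installed into the system trust store via `{{ update_ca_cert }}`; `openssl req -keyout` leaves the file at umask-default mode (typically 0644, confirm on the target) and on non-Debian hosts the preceding `mkdir -p … /etc/ssl/private/` creates that directory world-traversable, so a local user could read the key and mint certificates the whole host trusts. Add `chmod 0600 {{ arvados_ca_key_file }} && \` after the `-days 365 && \` line of the CA step and create the directory with `mkdir -p -m 0700 /etc/ssl/private/`; the key is only needed by the signing step, which runs as root. The signing step also writes its config to the fixed path `/tmp/openssl.cnf` and re-reads it via `-extfile`, so another local user could pre-create or race that file and inject subjectAltName entries into a cert signed by the trusted CA; use `cnf=$(mktemp)` and pass `${cnf}` to `-config` and `-extfile` instead. Finally `DNS.9`/`DNS.10` carry `__HOSTNAME_EXT__`/`__HOSTNAME_INT__` placeholders, but the visible provision.sh loop only substitutes files under the pillars directory, so confirm the states directory gets the same pass or the SANs stay literal.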
@@ -13,9 +13,11 @@ DOMAIN="some.domain" # When setting the cluster in a single host, you can use a single hostname # to access all the instances. When using virtualization (ie AWS), this should be -# the EXTERNAL hostname for the instance. +# the EXTERNAL/PUBLIC hostname for the instance. # If empty, the INTERNAL HOST IP will be used -HOSTNAME="" +HOSTNAME_EXT="" +# The internal hostname for the host +HOSTNAME_INT="127.0.1.1" CONTROLLER_EXT_SSL_PORT=8000 KEEP_EXT_SSL_PORT=25101 # Both for collections and downloads @@ -32,6 +34,14 @@ INITIAL_USER="admin" INITIAL_USER_EMAIL="admin@fixme.localdomain" INITIAL_USER_PASSWORD="password" +# YOU SHOULD CHANGE THESE TO SOME RANDOM STRINGS +BLOB_SIGNING_KEY=blobsigningkeymushaveatleast32characters +MANAGEMENT_TOKEN=managementtokenmushaveatleast32characters +SYSTEM_ROOT_TOKEN=systemroottokenmushaveatleast32characters +RAILS_SECRET_TOKEN=railssecrettokenmushaveatleast32characters +ANONYMOUS_USER_TOKEN=anonymoususertokenmushaveatleast32characters +WORKBENCH_SECRET_KEY=workbenchsecretkeymushaveatleast32characters + # The example config files you want to use. There are a few examples # under 'config_examples' CONFIG_DIR="config_examples/single_host/single_hostname" diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index f3df4109a0..facb2e88ef 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -107,7 +107,8 @@ TESTS_DIR="tests" CLUSTER="" DOMAIN="" -HOSTNAME="" +HOSTNAME_EXT="" +HOSTNAME_INT="127.0.1.1" INITIAL_USER="" INITIAL_USER_EMAIL="" INITIAL_USER_PASSWORD="" 
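Review bot: Nothing stops a deployment from running with the six example secrets added here even though the comment says they must be changed, so every local.params that keeps them yields a cluster whose SYSTEM_ROOT_TOKEN and BLOB_SIGNING_KEY are public knowledge. provision.sh presumably sources this file (not visible here) and, per the later hunks, splices the values into the pillars, so the natural place for a guard is just before those substitution loops: `for v in BLOB_SIGNING_KEY MANAGEMENT_TOKEN SYSTEM_ROOT_TOKEN RAILS_SECRET_TOKEN ANONYMOUS_USER_TOKEN WORKBENCH_SECRET_KEY; do` / `  case "${!v}" in *atleast32characters*) echo "${v} still has its example value, edit local.params" >&2; exit 1;; esac` / `done`. The comment above them would also help users more if it said how to make a suitable value, e.g. `# YOU MUST REPLACE THESE: generate each one with 'openssl rand -hex 32'`, and `mushave` in the placeholders reads as a typo for "must have".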
@@ -229,14 +230,16 @@ if [ "x${BRANCH}" != "x" ]; then fi if [ "x${VAGRANT}" = "xyes" ]; then - SOURCE_PILLARS_DIR="/vagrant/${CONFIG_DIR}" + SOURCE_PILLARS_DIR="/vagrant/${CONFIG_DIR}/pillars" + SOURCE_STATES_DIR="/vagrant/${CONFIG_DIR}/states" TESTS_DIR="/vagrant/${TESTS_DIR}" else - SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}" + SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars" + SOURCE_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states" TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}" fi -# Replace cluster and domain name in the example pillars and test files +# Replace cluster and domain name in the example pillars for f in "${SOURCE_PILLARS_DIR}"/*; do sed "s/__CLUSTER__/${CLUSTER}/g; s/__DOMAIN__/${DOMAIN}/g; 
@@ -244,25 +247,35 @@ for f in "${SOURCE_PILLARS_DIR}"/*; do s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g; s/__KEEP_EXT_SSL_PORT__/${KEEP_EXT_SSL_PORT}/g; s/__WEBSHELL_EXT_SSL_PORT__/${WEBSHELL_EXT_SSL_PORT}/g; - s/__WORKBENCH1_EXT__SSL_PORT__/${WORKBENCH1_EXT__SSL_PORT}/g; - s/__WORKBENCH2_EXT__SSL_PORT__/${WORKBENCH2_EXT__SSL_PORT}/g; + s/__WORKBENCH1_EXT_SSL_PORT__/${WORKBENCH1_EXT_SSL_PORT}/g; + s/__WORKBENCH2_EXT_SSL_PORT__/${WORKBENCH2_EXT_SSL_PORT}/g; s/__WEBSOCKET_EXT_SSL_PORT__/${WEBSOCKET_EXT_SSL_PORT}/g; - s/__HOSTNAME__/${HOSTNAME}/g; + s/__HOSTNAME_EXT__/${HOSTNAME_EXT}/g; + s/__HOSTNAME_INT__/${HOSTNAME_INT}/g; s/__KEEPWEB_EXT_SSL_PORT__/${KEEPWEB_EXT_SSL_PORT}/g; s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g; s/__INITIAL_USER__/${INITIAL_USER}/g; s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g; s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g; + s/__BLOB_SIGNING_KEY__/${BLOB_SIGNING_KEY}/g; + s/__MANAGEMENT_TOKEN__/${MANAGEMENT_TOKEN}/g; + s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g; + s/__RAILS_SECRET_TOKEN__/${RAILS_SECRET_TOKEN}/g; + s/__ANONYMOUS_USER_TOKEN__/${ANONYMOUS_USER_TOKEN}/g; + s/__WORKBENCH_SECRET_KEY__/${WORKBENCH_SECRET_KEY}/g; s/__VERSION__/${VERSION}/g" \ "${f}" > "${P_DIR}"/$(basename "${f}") done mkdir -p /tmp/cluster_tests -# Replace cluster and domain name in the example pillars and test files +# Replace cluster and domain name in the test files for f in "${TESTS_DIR}"/*; do sed "s/__CLUSTER__/${CLUSTER}/g; s/__DOMAIN__/${DOMAIN}/g; + s/__HOSTNAME_INT__/${HOSTNAME_INT}/g; s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g; + s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g; + s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g; s/__INITIAL_USER__/${INITIAL_USER}/g; s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g; s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g" \ 
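Review bot: The new secret substitutions fail, or silently produce a corrupt pillar, as soon as a value contains `/`, `&` or `\`, because the values are spliced raw into the replacement side of a `s/…/…/g` expression, and a randomly generated token (base64 in particular) routinely contains `/`. `INITIAL_USER_PASSWORD` has the same problem and is likewise user-chosen. Escape the replacement text before interpolating it, as sketched below for the pillar loop; the non-secret name and port substitutions can stay as they are. The test-file loop in this hunk and the states loop in the next one need the same treatment.
```shell
# Escape what is special on the replacement side of a sed s/// command
# (random tokens can contain '/', and '&' and '\' are special too).
sed_escape() { printf '%s' "$1" | sed -e 's/[\/&\\]/\\&/g'; }

for f in "${SOURCE_PILLARS_DIR}"/*; do
  sed "s/__CLUSTER__/${CLUSTER}/g;
      # … unchanged: __DOMAIN__, port and hostname substitutions …
      s/__INITIAL_USER_PASSWORD__/$(sed_escape "${INITIAL_USER_PASSWORD}")/g;
      s/__BLOB_SIGNING_KEY__/$(sed_escape "${BLOB_SIGNING_KEY}")/g;
      s/__MANAGEMENT_TOKEN__/$(sed_escape "${MANAGEMENT_TOKEN}")/g;
      s/__SYSTEM_ROOT_TOKEN__/$(sed_escape "${SYSTEM_ROOT_TOKEN}")/g;
      s/__RAILS_SECRET_TOKEN__/$(sed_escape "${RAILS_SECRET_TOKEN}")/g;
      s/__ANONYMOUS_USER_TOKEN__/$(sed_escape "${ANONYMOUS_USER_TOKEN}")/g;
      s/__WORKBENCH_SECRET_KEY__/$(sed_escape "${WORKBENCH_SECRET_KEY}")/g;
      s/__VERSION__/${VERSION}/g" \
    "${f}" > "${P_DIR}/$(basename "${f}")"
done
```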
@@ -270,6 +283,34 @@ for f in "${TESTS_DIR}"/*; do done chmod 755 /tmp/cluster_tests/run-test.sh +# Replace helper state files that differ from the formula's examples +for f in "${SOURCE_STATES_DIR}"/*; do + sed "s/__CLUSTER__/${CLUSTER}/g; + s/__DOMAIN__/${DOMAIN}/g; + s/__RELEASE__/${RELEASE}/g; + s/__CONTROLLER_EXT_SSL_PORT__/${CONTROLLER_EXT_SSL_PORT}/g; + s/__KEEP_EXT_SSL_PORT__/${KEEP_EXT_SSL_PORT}/g; + s/__WEBSHELL_EXT_SSL_PORT__/${WEBSHELL_EXT_SSL_PORT}/g; + s/__WORKBENCH1_EXT_SSL_PORT__/${WORKBENCH1_EXT_SSL_PORT}/g; + s/__WORKBENCH2_EXT_SSL_PORT__/${WORKBENCH2_EXT_SSL_PORT}/g; + s/__WEBSOCKET_EXT_SSL_PORT__/${WEBSOCKET_EXT_SSL_PORT}/g; + s/__HOSTNAME_EXT__/${HOSTNAME_EXT}/g; + s/__HOSTNAME_INT__/${HOSTNAME_INT}/g; + s/__KEEPWEB_EXT_SSL_PORT__/${KEEPWEB_EXT_SSL_PORT}/g; + s/__HOST_SSL_PORT__/${HOST_SSL_PORT}/g; + s/__INITIAL_USER__/${INITIAL_USER}/g; + s/__INITIAL_USER_EMAIL__/${INITIAL_USER_EMAIL}/g; + s/__INITIAL_USER_PASSWORD__/${INITIAL_USER_PASSWORD}/g; + s/__BLOB_SIGNING_KEY__/${BLOB_SIGNING_KEY}/g; + s/__MANAGEMENT_TOKEN__/${MANAGEMENT_TOKEN}/g; + s/__SYSTEM_ROOT_TOKEN__/${SYSTEM_ROOT_TOKEN}/g; + s/__RAILS_SECRET_TOKEN__/${RAILS_SECRET_TOKEN}/g; + s/__ANONYMOUS_USER_TOKEN__/${ANONYMOUS_USER_TOKEN}/g; + s/__WORKBENCH_SECRET_KEY__/${WORKBENCH_SECRET_KEY}/g; + s/__VERSION__/${VERSION}/g" \ + "${f}" > "${F_DIR}"/arvados-formula/test/salt/states/examples/single_host/$(basename "${f}") +done + # FIXME! #16992 Temporary fix for psql call in arvados-api-server if [ -e /root/.psqlrc ]; then if ! ( grep 'pset pager off' /root/.psqlrc ); then diff --git a/tools/salt-install/tests/run-test.sh b/tools/salt-install/tests/run-test.sh index 8d9de6fdf0..16ee2851ef 100755 --- a/tools/salt-install/tests/run-test.sh +++ b/tools/salt-install/tests/run-test.sh 
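Review bot: The loop over `"${SOURCE_STATES_DIR}"/*` has no guard for a config directory without a `states/` subdirectory, and the diffstat shows only `single_host/single_hostname` gaining one; for the `multiple_hostnames` example the glob stays literal, sed fails on a file named `*`, and because `$(basename "${f}")` in the redirect target is unquoted the literal `*` is itself pathname-expanded in the formula's states directory (an ambiguous-redirect error, or clobbering the single file there, depending on its contents; whether `set -e` then aborts is not visible here). Skip the loop when there is nothing to render and quote the target: `for f in "${SOURCE_STATES_DIR}"/*; do` / `  [ -e "${f}" ] || continue` / `  … > "${F_DIR}/arvados-formula/test/salt/states/examples/single_host/$(basename "${f}")"`. As a point of style, this is the third copy of the same sed expression; keeping the placeholder list in one variable used by all three loops would prevent the kind of drift that produced the `__WORKBENCH1_EXT__SSL_PORT__` typo corrected in the previous hunk.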
@@ -3,8 +3,8 @@ # # SPDX-License-Identifier: Apache-2.0 -export ARVADOS_API_TOKEN=changemesystemroottoken -export ARVADOS_API_HOST=__CLUSTER__.__DOMAIN__:__HOST_SSL_PORT__ +export ARVADOS_API_TOKEN=__SYSTEM_ROOT_TOKEN__ +export ARVADOS_API_HOST=__HOSTNAME_INT__:__CONTROLLER_EXT_SSL_PORT__ export ARVADOS_API_HOST_INSECURE=true set -o pipefail -- 2.30.2
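Review bot: The rendered test script now carries SYSTEM_ROOT_TOKEN in clear text, and provision.sh writes it to `/tmp/cluster_tests/run-test.sh` (`mkdir -p /tmp/cluster_tests` and `chmod 755` on the script in the earlier hunks), so with an ordinary umask every local user can read what is, by its name, the cluster's most powerful credential from a world-searchable directory. Either create the directory as `install -d -m 0700 /tmp/cluster_tests` and make the script `chmod 0700`, or stop rendering the token into the file and have the test take it from the environment: `: "${ARVADOS_API_TOKEN:?export the system root token before running this script}"` in place of the `export ARVADOS_API_TOKEN=` line, with provision.sh exporting it when it invokes the test. Either way a comment next to the export, such as `# root token: do not log or commit the rendered copy of this file`, would warn the next person who reads a rendered copy.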