From f3a1fcb306856fc904c7e8051ccb69ea85e5640f Mon Sep 17 00:00:00 2001 From: Lucas Di Pentima Date: Tue, 7 Feb 2023 16:15:40 -0300 Subject: [PATCH] 20035: Updates nginx pillars to read the certificate privkey password. Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima --- .../aws/pillars/nginx_collections_configuration.sls | 5 +++++ .../aws/pillars/nginx_controller_configuration.sls | 5 +++++ .../multi_host/aws/pillars/nginx_download_configuration.sls | 5 +++++ .../multi_host/aws/pillars/nginx_keepproxy_configuration.sls | 5 +++++ .../multi_host/aws/pillars/nginx_webshell_configuration.sls | 5 +++++ .../multi_host/aws/pillars/nginx_websocket_configuration.sls | 5 +++++ .../aws/pillars/nginx_workbench2_configuration.sls | 5 +++++ .../multi_host/aws/pillars/nginx_workbench_configuration.sls | 5 +++++ .../config_examples/multi_host/aws/states/custom_certs.sls | 1 - 9 files changed, 40 insertions(+), 1 deletion(-) diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls index 00be378c19..1719b0a64c 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: servers: @@ -47,5 +49,8 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log 
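Review bot: The `{%- import_yaml "ssl_key_encrypted.sls" as imported %}` line added at the top of this pillar makes rendering depend on a file this patch does not add, and the later `imported.ssl_key_encrypted.enabled` test reads a nested key with no default. If a deployment picks up these pillars without that file, or the file lacks the `ssl_key_encrypted` mapping, the pillar would presumably fail to render instead of falling back to the unencrypted-key configuration. Consider guarding the lookup with `{%- set ssl_key_encrypted = imported.get('ssl_key_encrypted', {}) %}` and then testing `{%- if ssl_key_encrypted.get('enabled', False) %}`. The same import is added to the controller, download, keepproxy, webshell, websocket, workbench2 and workbench pillars.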
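Review bot: The new `ssl_password_file` entry points nginx at a file holding the private-key passphrase, but nothing visible here says how that file is protected. If it sits on the same disk with the same permissions as `__CERT_KEY__`, encrypting the key adds little. A comment above the conditional would record the requirement, for example `# ssl_password_file must be root-owned, mode 0600, and excluded from backups and version control`. The path is also interpolated into YAML unquoted, so `- ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file | yaml_dquote }}` would be safer if it ever contains special characters. The enclosing server block starts outside the hunk, and the same three lines are repeated in the other seven nginx pillars.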
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls index 5df1870c80..b946c61a07 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: ### SERVER @@ -64,6 +66,9 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log - client_max_body_size: 128m diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls index 9246fc11cb..59c93962c9 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: servers: 
@@ -47,5 +49,8 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls index 2f00524f98..690d9413b4 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: ### SERVER @@ -55,5 +57,8 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls index d631c89a81..13a96eb33e 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: ### SERVER 
@@ -71,6 +73,9 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls index 9658c620cf..078f916cbe 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### NGINX nginx: ### SERVER @@ -56,5 +58,8 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls index a821b521fa..021c8685d8 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### ARVADOS arvados: config: 
@@ -46,5 +48,8 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls index 32904a12b2..92b5d0356b 100644 --- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls +++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls @@ -3,6 +3,8 @@ # # SPDX-License-Identifier: AGPL-3.0 +{%- import_yaml "ssl_key_encrypted.sls" as imported %} + ### ARVADOS arvados: config: @@ -57,6 +59,9 @@ nginx: - include: snippets/ssl_hardening_default.conf - ssl_certificate: __CERT_PEM__ - ssl_certificate_key: __CERT_KEY__ + {%- if imported.ssl_key_encrypted.enabled %} + - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }} + {%- endif %} - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls index d2345273f5..5a7d9a269a 100644 --- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls +++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls 
@@ -23,7 +23,6 @@ extra_custom_certs_file_directory_certs_dir: {%- for cert in certs %} {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %} - {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #} {%- set key_file = 'arvados-' ~ cert ~ '.key' %} {% for c in [cert_file, key_file] %} extra_custom_certs_file_copy_{{ c }}: -- 2.30.2