[arvados] updated: 2.5.0-122-ge1577a7fb
Mon Feb 13 20:47:38 UTC 2023
Summary of changes:
.../aws/pillars/nginx_collections_configuration.sls | 2 +-
.../aws/pillars/nginx_controller_configuration.sls | 2 +-
.../aws/pillars/nginx_download_configuration.sls | 2 +-
.../aws/pillars/nginx_keepproxy_configuration.sls | 2 +-
.../aws/pillars/nginx_webshell_configuration.sls | 2 +-
.../aws/pillars/nginx_websocket_configuration.sls | 2 +-
.../aws/pillars/nginx_workbench2_configuration.sls | 2 +-
.../aws/pillars/nginx_workbench_configuration.sls | 2 +-
.../multi_host/aws/pillars/ssl_key_encrypted.sls | 4 ++--
.../multi_host/aws/states/ssl_key_encrypted.sls | 21 ++++++++-------------
10 files changed, 18 insertions(+), 23 deletions(-)
via e1577a7fbba344f1c7d784d085d5f8b099bc28bf (commit)
from e51ba73431f40cfcb6a8f2c80bb5373f23609fcd (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit e1577a7fbba344f1c7d784d085d5f8b099bc28bf
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon Feb 13 17:37:05 2023 -0300
20035: Manage the named pipe (FIFO) from systemd instead of Salt.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
index f5670aea2..b349ded32 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
@@ -50,7 +50,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
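Review bot: The new `ssl_password_file` value hardcodes the `/run/arvados/` prefix, which silently depends on `RuntimeDirectory=arvados` in the systemd unit defined in states/ssl_key_encrypted.sls, and the same literal is repeated in the other seven nginx vhost pillars touched by this commit. If either side is ever renamed, nginx will be pointed at a path where no FIFO is created and will fail to load its configuration, with nothing in this file hinting at the coupling. Consider keeping the directory in the ssl_key_encrypted pillar so both consumers derive the path from one value, e.g. `privkey_password_dir: /run/arvados` there and here `ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_dir | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}`; at minimum a one-line comment above this entry noting that the prefix must match the unit's `RuntimeDirectory=` would help.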
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index 5df03fe53..a48810e83 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -67,7 +67,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
index fd8405fb6..a183475a4 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
@@ -50,7 +50,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
index 16d0c70c6..c8deaebe9 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
@@ -58,7 +58,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
index fb134cca9..3a0a23d95 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
@@ -74,7 +74,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
index 867a8e1b0..36246d751 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
@@ -59,7 +59,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
index 8ae4210e5..47eafeeec 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
@@ -49,7 +49,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
index f61763648..82fd24756 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
@@ -60,7 +60,7 @@ nginx:
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
{%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
- - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
+ - ssl_password_file: {{ '/run/arvados/' | path_join(ssl_key_encrypted_pillar.ssl_key_encrypted.privkey_password_filename) }}
{%- endif %}
- access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
index 920457737..6353ce71e 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -7,5 +7,5 @@ ssl_key_encrypted:
enabled: __SSL_KEY_ENCRYPTED__
aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
aws_region: __SSL_KEY_AWS_REGION__
- ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
- ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
+ privkey_password_filename: ssl-privkey-password
+ privkey_password_script: /usr/local/sbin/password_secret_connector.sh
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
index ae1c762e1..d616398a0 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -6,36 +6,30 @@
{%- if ssl_key_encrypted.enabled %}
-extra_ssl_key_encrypted_password_fifo_file:
- file.mknod:
- - ntype: p
- - name: {{ ssl_key_encrypted.ssl_password_file }}
- - user: root
- - group: root
- - mode: '0600'
-
extra_ssl_key_encrypted_required_pkgs:
pkg.installed:
- name: jq
extra_ssl_key_encrypted_password_retrieval_script:
file.managed:
- - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+ - name: {{ ssl_key_encrypted.privkey_password_script }}
- user: root
- group: root
- mode: '0750'
- require:
- pkg: extra_ssl_key_encrypted_required_pkgs
- - file: extra_ssl_key_encrypted_password_fifo_file
- contents: |
#!/bin/bash
+ # RUNTIME_DIRECTORY is provided by systemd
+ PASSWORD_FILE="${RUNTIME_DIRECTORY}/{{ ssl_key_encrypted.privkey_password_filename }}"
+
while [ true ]; do
# AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
# loading invalid credentials on nodes who use ~/.aws/credentials for other
# purposes (e.g.: the dispatcher credentials)
# Access to the secrets manager is given by using an instance profile.
- AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > '{{ ssl_key_encrypted.ssl_password_file }}'
+ AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > "${PASSWORD_FILE}"
sleep 1
done
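Review bot: `PASSWORD_FILE` is built from `${RUNTIME_DIRECTORY}` with no check that it is set, so if the script is ever run by hand (or by a unit without `RuntimeDirectory=`) the path collapses to `/ssl-privkey-password` and the `>` redirection creates a world-readable regular file at the filesystem root containing the private-key password. The retrieval line also forwards whatever `jq -r .SecretString` emits, so a failed or throttled `aws` call hands nginx an empty line or the literal string `null` as the key password instead of retrying. I would fail fast on a missing `RUNTIME_DIRECTORY` with `${RUNTIME_DIRECTORY:?...}` and only write to the FIFO when a non-null secret was actually retrieved, as below (these lines sit inside the `contents: |` block; the remainder of the state and the unit definition continue outside this hunk).
```bash
#!/bin/bash
# RUNTIME_DIRECTORY is provided by systemd; refuse to run without it so the
# password is never written to a regular file outside the runtime directory.
PASSWORD_FILE="${RUNTIME_DIRECTORY:?must be started by systemd with RuntimeDirectory=}/{{ ssl_key_encrypted.privkey_password_filename }}"

while [ true ]; do
  # … unchanged: comment on AWS_SHARED_CREDENTIALS_FILE and the instance profile …
  # Only feed nginx a password that was actually retrieved: `jq -e` exits
  # non-zero when SecretString is missing or null (e.g. the aws call failed).
  if PASSWORD="$(AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -er .SecretString)"; then
    printf '%s\n' "${PASSWORD}" > "${PASSWORD_FILE}"
  fi
  sleep 1
done
```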
@@ -51,9 +45,10 @@ extra_ssl_key_encrypted_password_retrieval_service_unit:
[Unit]
Description=Arvados SSL private key password retrieval service
After=network.target
- AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
[Service]
- ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+ RuntimeDirectory=arvados
+ ExecStartPre=/usr/bin/mkfifo --mode=0600 %t/arvados/{{ ssl_key_encrypted.privkey_password_filename }}
+ ExecStart=/bin/bash {{ ssl_key_encrypted.privkey_password_script }}
[Install]
WantedBy=multi-user.target
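Review bot: The unit has no `Restart=` in the visible `[Service]` section, yet nginx's `ssl_password_file` now points at a FIFO: if the script exits (aws CLI missing, bash error, OOM), every later nginx start, reload or `nginx -t` blocks indefinitely waiting for a writer, so a dead retrieval service turns into a hung web tier rather than a loud failure. `ExecStartPre=/usr/bin/mkfifo` is also not idempotent and will abort the start with "File exists" if the FIFO survives a restart, which appears possible if any other unit shares `RuntimeDirectory=arvados` and keeps the directory alive (to be confirmed against the rest of the states). I would add `Restart=always` and `RestartSec=5`, make the pre-step tolerant with `ExecStartPre=/bin/sh -c 'test -p %t/arvados/{{ ssl_key_encrypted.privkey_password_filename }} || /usr/bin/mkfifo --mode=0600 %t/arvados/{{ ssl_key_encrypted.privkey_password_filename }}'`, and, since the script talks to Secrets Manager at start, consider `After=network-online.target` plus `Wants=network-online.target` instead of `network.target`. The file.managed state wrapping this unit begins outside the hunk.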