[ARVADOS] updated: 2.3.2-39-g7e7661fe6

Git user git at public.arvados.org
Mon Feb 28 17:14:44 UTC 2022


Summary of changes:
 .../single_hostname/states/snakeoil_certs.sls      |  3 ---
 ...ocal.params.example.single_host_single_hostname | 16 +++++++++++---
 tools/salt-install/provision.sh                    | 25 +++++++++++-----------
 3 files changed, 26 insertions(+), 18 deletions(-)

       via  7e7661fe61c83803fe12cdec91d95160bb9d1563 (commit)
       via  c3dc6cfd4e018b532b17cc23ed4072bab5b79d54 (commit)
       via  98c39e6e950a59d9d62af9c2ce1c82e1736ab90f (commit)
       via  3d3790ee666b230d9bf1902831725df58107a67a (commit)
      from  205843e111d2977b1735f579b479c5728d16a34e (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 7e7661fe61c83803fe12cdec91d95160bb9d1563
Author: Javier Bértoli <jbertoli at curii.com>
Date:   Mon Feb 28 14:10:46 2022 -0300

    18785: add missing lines addressing review suggestions
    
    Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli at curii.com>

diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname
index 6a7460de8..d01c73d2c 100644
--- a/tools/salt-install/local.params.example.single_host_single_hostname
+++ b/tools/salt-install/local.params.example.single_host_single_hostname
@@ -59,27 +59,18 @@ SSL_MODE="self-signed"
 # A single certificate for the external hostname of the host will be retrieved, using
 # "standalone" mode of LE.
 
-# If you going to provide your own certificates for Arvados, the provision script can
-# help you deploy them. In order to do that, you need to set `SSL_MODE=bring-your-own` above,
-# and copy the required certificates under the directory specified in the next line.
-# The certs will be copied from this directory by the provision script.
+# If you going to provide your own certificate for Arvados, the provision script can
+# help you deploy it. In order to do that, you need to set `SSL_MODE=bring-your-own` above,
+# and copy the required certificate under the directory specified in the next line.
+# The cert will be copied from this directory by the provision script.
 # Please set it to the FULL PATH to the certs dir if you're going to use a different dir
 # Default is "${SCRIPT_DIR}/certs", where the variable "SCRIPT_DIR" has the path to the
 # directory where the  "provision.sh" script was copied in the destination host.
 # CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
-# The script expects cert/key files with these basenames (matching the role except for
-# keepweb, which is split in both download/collections):
-#  "controller"
-#  "websocket"
-#  "workbench"
-#  "workbench2"
-#  "webshell"
-#  "download"         # Part of keepweb
-#  "collections"      # Part of keepweb
-#  "keepproxy"        # Keepproxy
-# Ie., 'keep', the script will lookup for
-# ${CUSTOM_CERTS_DIR}/keepproxy.crt
-# ${CUSTOM_CERTS_DIR}/keepproxy.key
+# The script expects cert/key files with the filename matcing ${HOSTNAME_EXT} above
+# Ie., for "HOSTNAME_EXT='my-arvados.example.net', the script will lookup for
+# ${CUSTOM_CERTS_DIR}/my-arvados.example.net.crt
+# ${CUSTOM_CERTS_DIR}/my-arvados.example.net.key
 
 # The certs will be copied from this directory by the provision script.
 # The directory to check for the config files (pillars, states) you want to use.
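Review bot: The added comment on the expected filenames has a typo and an unbalanced quote: `matcing` should be `matching`, and `"HOSTNAME_EXT='my-arvados.example.net'` opens a double quote that is never closed. The unchanged line `# The certs will be copied from this directory by the provision script.` after the blank line now repeats the new sentence a few lines above it and sits in front of the unrelated config-directory paragraph, so it could be dropped. Because the `.key` file is the private key, I would also add a line such as `# Keep this directory readable only by the user running provision.sh; it holds the private key.`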

commit c3dc6cfd4e018b532b17cc23ed4072bab5b79d54
Author: Javier Bértoli <jbertoli at curii.com>
Date:   Mon Feb 28 14:04:17 2022 -0300

    18785: add conditional logic for bring-your-own certificates
    
    Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli at curii.com>

diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index aa330b9f1..f1ca3c9ec 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -511,14 +511,13 @@ fi
 if [ -z "${ROLES}" ]; then
   # States
   echo "    - nginx.passenger" >> ${S_DIR}/top.sls
-  # Currently, only available on config_examples/multi_host/aws
   if [ "${SSL_MODE}" = "lets-encrypt" ]; then
     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
       grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - extra.aws_credentials" >> ${S_DIR}/top.sls
     fi
     grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
-    # Use custom certs
+    # Use custom certs, as both bring-your-own and self-signed are copied using this state
     # Copy certs to formula extra/files
     # In dev mode, the files will be created and put in the destination directory by the
     # snakeoil_certs.sls state file
@@ -573,18 +572,20 @@ if [ -z "${ROLES}" ]; then
     echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
     echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
 
-    # Are we in a single-host-single-hostname env?
-    if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
-      # Are we in a single-host-single-hostname env?
-      CERT_NAME=${HOSTNAME_EXT}
-    else
-      # We are in a multiple-hostnames env
-      CERT_NAME=${c}
-    fi
     for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
-      if [ "${SSL_MODE}" = "bring-your-own" ]; then
-        copy_custom_cert ${CUSTOM_CERTS_DIR} $c
+      # Are we in a single-host-single-hostname env?
+      if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
+        # Are we in a single-host-single-hostname env?
+        CERT_NAME=${HOSTNAME_EXT}
+      else
+        # We are in a multiple-hostnames env
+        CERT_NAME=${c}
       fi
+
+      if [[ "${SSL_MODE}" = "bring-your-own" || "${SSL_MODE}" == "self-signed" ]]; then
+        copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME}
+      fi
+
       grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo "  - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
 
       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
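Review bot: The new `copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME}` call passes both values unquoted, so a `CUSTOM_CERTS_DIR` containing spaces or glob characters is split into several arguments; `copy_custom_cert "${CUSTOM_CERTS_DIR}" "${CERT_NAME}"` avoids that. With `USE_SINGLE_HOSTNAME=yes` the loop now calls it with the same `HOSTNAME_EXT` once per role, seven times, while only the pillar append is guarded, so the copy could sit behind the same guard. That guard, `grep -q ${CERT_NAME}`, treats the hostname as an unanchored regex over the whole file, so I would make it `grep -qxF -- "  - ${CERT_NAME}" "${P_DIR}/extra_custom_certs.sls"`. `copy_custom_cert` is defined outside this hunk; if it aborts on missing files, `self-signed` would now need the cert and key present in `CUSTOM_CERTS_DIR` before the snakeoil state has generated them, which is worth confirming. The enclosing `if` and `for` blocks start and end outside the hunk.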

commit 98c39e6e950a59d9d62af9c2ce1c82e1736ab90f
Author: Javier Bértoli <jbertoli at curii.com>
Date:   Mon Feb 28 14:01:08 2022 -0300

    18785: remove comment addressing review suggestions
    
    Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli at curii.com>

diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls
index a45c07bbb..4cbdee32f 100644
--- a/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/states/snakeoil_certs.sls
@@ -2,9 +2,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
-# WARNING: This file is only used for testing purposes, and should not be used
-# in a production environment
-
 {%- set curr_tpldir = tpldir %}
 {%- set tpldir = 'arvados' %}
 {%- from "arvados/map.jinja" import arvados with context %}

commit 3d3790ee666b230d9bf1902831725df58107a67a
Author: Javier Bértoli <jbertoli at curii.com>
Date:   Mon Feb 28 13:58:36 2022 -0300

    18785: add missing lines addressing review suggestions
    
    Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli at curii.com>

diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname
index c126c219f..6a7460de8 100644
--- a/tools/salt-install/local.params.example.single_host_single_hostname
+++ b/tools/salt-install/local.params.example.single_host_single_hostname
@@ -62,6 +62,25 @@ SSL_MODE="self-signed"
 # If you going to provide your own certificates for Arvados, the provision script can
 # help you deploy them. In order to do that, you need to set `SSL_MODE=bring-your-own` above,
 # and copy the required certificates under the directory specified in the next line.
+# The certs will be copied from this directory by the provision script.
+# Please set it to the FULL PATH to the certs dir if you're going to use a different dir
+# Default is "${SCRIPT_DIR}/certs", where the variable "SCRIPT_DIR" has the path to the
+# directory where the  "provision.sh" script was copied in the destination host.
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
+# The script expects cert/key files with these basenames (matching the role except for
+# keepweb, which is split in both download/collections):
+#  "controller"
+#  "websocket"
+#  "workbench"
+#  "workbench2"
+#  "webshell"
+#  "download"         # Part of keepweb
+#  "collections"      # Part of keepweb
+#  "keepproxy"        # Keepproxy
+# Ie., 'keep', the script will lookup for
+# ${CUSTOM_CERTS_DIR}/keepproxy.crt
+# ${CUSTOM_CERTS_DIR}/keepproxy.key
+
 # The certs will be copied from this directory by the provision script.
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.

-----------------------------------------------------------------------


hooks/post-receive
-- 



