[ARVADOS] created: 2.3.2-8-g8723c1f14
Git user
git at public.arvados.org
Thu Jan 20 15:24:02 UTC 2022
at 8723c1f14fe930d9dbb76f815558869e4c5b86c4 (commit)
commit 8723c1f14fe930d9dbb76f815558869e4c5b86c4
Author: Javier Bértoli <jbertoli at curii.com>
Date: Thu Jan 20 12:22:16 2022 -0300
18658: add missing state to deploy custom certs in multi-host env
Also, set the full path to the certs dir if not configured
Arvados-DCO-1.1-Signed-off-by: Javier Bértoli <jbertoli at curii.com>
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
new file mode 100644
index 000000000..371650339
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -0,0 +1,31 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs') %}
+{%- set dest_cert_dir = '/etc/nginx/ssl' %}
+{%- set certs = salt['pillar.get']('extra_custom_certs', []) %}
+
+extra_custom_certs_file_directory_certs_dir:
+ file.directory:
+ - name: /etc/nginx/ssl
+ - require:
+ - pkg: nginx_install
+
+{%- for cert in certs %}
+ {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
+ {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
+ {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
+ {% for c in [cert_file, key_file] %}
+extra_custom_certs_file_copy_{{ c }}:
+ file.copy:
+ - name: {{ dest_cert_dir }}/{{ c }}
+ - source: {{ orig_cert_dir }}/{{ c }}
+ - force: true
+ - user: root
+ - group: root
+ - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+ - require:
+ - file: extra_custom_certs_file_directory_certs_dir
+ {%- endfor %}
+{%- endfor %}
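Review bot: The `file.copy` state in the inner loop installs the `.key` files with `user: root` and `group: root` but no `mode`, and `extra_custom_certs_file_directory_certs_dir` sets neither ownership nor mode, so the readability of the private keys under `/etc/nginx/ssl` is left to defaults rather than stated. Adding `- mode: '0600'` to the copy (assuming nginx reads the keys as root; it could be applied only when `c` is the key file) and an explicit `user`/`group`/`mode` on the directory would pin it. Because `unless: cmp …` skips the state whenever the contents match, a later permission change on the destination would not be corrected by this state, which is worth a comment. The directory state also hard-codes `/etc/nginx/ssl` where `- name: {{ dest_cert_dir }}` would keep the two in step.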
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index c770c8d74..eb64bb622 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -79,7 +79,8 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
# help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
# and copy the required certificates under the directory specified in the next line.
# The certs will be copied from this directory by the provision script.
-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
# The script expects cert/key files with these basenames (matching the role except for
# keepweb, which is split in both downoad/collections):
# "controller"
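Review bot: The added comment line has a typo, `Plese` for `Please`, and the same line is added in `local.params.example.single_host_multiple_hostnames`. Since the assignment is now commented out, the comment could also state which default applies, for example `# Defaults to ${SCRIPT_DIR}/certs; set a FULL PATH here to use a different dir`. The surrounding text says key files are expected in this directory, so a short remark that it should be readable only by the user running the provision script would help operators.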
diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index cf79fe244..6c9258a3c 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -52,7 +52,8 @@ USE_LETSENCRYPT="no"
# help you deploy them. In order to do that, you need to set `USE_LETSENCRYPT=no` above,
# and copy the required certificates under the directory specified in the next line.
# The certs will be copied from this directory by the provision script.
-CUSTOM_CERTS_DIR="./certs"
+# Plese set it to the FULL PATH to the certs dir if you're going to use a different dir
+# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
# The script expects cert/key files with these basenames (matching the role except for
# keepweb, which is split in both downoad/collections):
# "controller"
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index f0fbb4331..f5e3d4eb3 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -166,7 +166,7 @@ WORKBENCH1_EXT_SSL_PORT=443
WORKBENCH2_EXT_SSL_PORT=3001
USE_LETSENCRYPT="no"
-CUSTOM_CERTS_DIR="./certs"
+CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
## These are ARVADOS-related parameters
# For a stable release, change RELEASE "production" and VERSION to the
-----------------------------------------------------------------------
hooks/post-receive
--