[arvados] updated: 2.1.0-2727-g2f0c775a9

git repository hosting git at public.arvados.org
Mon Jul 18 17:42:12 UTC 2022


Summary of changes:
 cmd/arvados-package/install.go            |  2 +-
 doc/install/automatic.html.textile.liquid |  2 +-
 lib/boot/cert.go                          | 11 +++++++++--
 lib/config/config.default.yml             | 30 +++++++++++++++++-------------
 lib/install/init.go                       | 22 +++++++++++++++++-----
 lib/service/tls.go                        |  2 +-
 sdk/go/arvados/config.go                  |  5 +++--
 7 files changed, 49 insertions(+), 25 deletions(-)

       via  2f0c775a9e1ab8c3abdd94c854326fab771c4b5e (commit)
       via  53effa806b73a1c728fba9160b23000c8f7cc5e0 (commit)
      from  52fd35cf046bbb1b20a7b884f485fc65de71a86a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.


commit 2f0c775a9e1ab8c3abdd94c854326fab771c4b5e
Author: Tom Clegg <tom at curii.com>
Date:   Mon Jul 18 13:35:48 2022 -0400

    16552: Change -tls=acmetool to -tls=/path/to/certdir.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/cmd/arvados-package/install.go b/cmd/arvados-package/install.go
index 9273ac9c7..38efae046 100644
--- a/cmd/arvados-package/install.go
+++ b/cmd/arvados-package/install.go
@@ -92,7 +92,7 @@ rm /etc/apt/sources.list.d/arvados-local.list
 	if opts.Live != "" {
 		cmd.Args = append(cmd.Args,
 			"--env=domain="+opts.Live,
-			"--env=initargs=-tls=acme",
+			"--env=initargs=-tls=/var/lib/acme/live/"+opts.Live,
 			"--env=bootargs=",
 			"--publish=:443:443",
 			"--publish=:4440-4460:4440-4460",
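Review bot: The new initargs value hard-codes the layout `/var/lib/acme/live/<domain>` without saying which tool is expected to populate it; the flag value removed in lib/install/init.go in the same commit suggests an acmetool layout, but nothing here states it. A one-line comment above the append, such as `// certs are expected at /var/lib/acme/live/<domain>/{cert,privkey} (acmetool-style layout)`, would make the assumption visible to whoever changes the provisioning. The enclosing function starts and ends outside this hunk.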
diff --git a/doc/install/automatic.html.textile.liquid b/doc/install/automatic.html.textile.liquid
index f520ffb50..d72f8f69e 100644
--- a/doc/install/automatic.html.textile.liquid
+++ b/doc/install/automatic.html.textile.liquid
@@ -31,7 +31,7 @@ h2. Initialize the cluster
 # echo > /etc/apt/sources.list.d/arvados.list "deb http://apt.arvados.org/buster buster main"
 # apt-get update
 # apt-get install arvados-server-easy
-# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls auto -admin-email example at gmail.com.example
+# arvados-server init -cluster-id x9999 -domain x9999.example.com -tls acme -admin-email example at gmail.com.example
 </pre>
 
 When the "init" command is finished, navigate to the link shown in the terminal (e.g., @https://x9999.example.com/token?api_token=zzzzzzzzzzzzzzzzzzzzzz@). This will log you in to your admin account.
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 8d5bbc258..b23c6a127 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -900,8 +900,8 @@ Clusters:
       Repositories: /var/lib/arvados/git/repositories
 
     TLS:
-      # Use "file:///var/lib/acme/live/example.com/cert" and ".../key"
-      # to load externally managed certificates.
+      # Use "file:///var/lib/acme/live/example.com/cert" and
+      # ".../privkey" to load externally managed certificates.
       Certificate: ""
       Key: ""
 
diff --git a/lib/install/init.go b/lib/install/init.go
index a928f2252..d322e753e 100644
--- a/lib/install/init.go
+++ b/lib/install/init.go
@@ -44,6 +44,7 @@ type initCommand struct {
 	LoginGoogle             bool
 	LoginGoogleClientID     string
 	LoginGoogleClientSecret string
+	TLSDir                  string
 }
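Review bot: The new TLSDir field has no comment, and unlike its neighbours it is not bound to a flag but derived from TLS later in RunCommand, which is easy to miss when reading the struct. A short comment such as `// TLSDir is set from TLS when a /path/to/dir was given; empty for acme, insecure and none.` would document that relationship. The initCommand struct starts outside this hunk.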
 
 func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Reader, stdout, stderr io.Writer) int {
@@ -72,7 +73,7 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 	flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
 	flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
 	flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
-	flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, acmetool, insecure, or none")
+	flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, insecure, none, or /path/to/dir containing privkey and cert files")
 	flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
 	if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
 		return code
@@ -101,6 +102,16 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 		return 1
 	}
 
+	switch initcmd.TLS {
+	case "none", "acme", "insecure":
+	default:
+		if !strings.HasPrefix(initcmd.TLS, "/") {
+			err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
+			return 1
+		}
+		initcmd.TLSDir = initcmd.TLS
+	}
+
 	confdir := "/etc/arvados"
 	conffile := confdir + "/config.yml"
 	if _, err = os.Stat(conffile); err == nil {
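Review bot: The directory form of -tls is accepted after only a leading-slash check, so a mistyped or missing directory is not caught by init and surfaces later when the service tries to load `<dir>/cert` and `<dir>/privkey` from the generated config. Stat-ing both files here would fail fast with a clear message, and cleaning the path before storing it avoids a trailing slash rendering as `//cert` in the template further down. Whether the `err` assigned before `return 1` is reported to the user presumably depends on a deferred handler not shown in this hunk; RunCommand starts and ends outside it, and `filepath` would need to be in the import block if it is not already.
```go
	default:
		if !strings.HasPrefix(initcmd.TLS, "/") {
			err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
			return 1
		}
		initcmd.TLSDir = filepath.Clean(initcmd.TLS)
		// Verify the expected files exist now rather than at service start.
		for _, name := range []string{"cert", "privkey"} {
			if _, err = os.Stat(filepath.Join(initcmd.TLSDir, name)); err != nil {
				err = fmt.Errorf("checking -tls directory: %w", err)
				return 1
			}
		}
	}
	// … unchanged: confdir / conffile handling …
```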
@@ -217,9 +228,9 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
       {{else if eq .TLS "acme"}}
       ACME:
         Server: LE
-      {{else if eq .TLS "acmetool"}}
-      Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
-      Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
+      {{else if ne .TLSDir ""}}
+      Certificate: {{printf "%q" (print .TLSDir "/cert")}}
+      Key: {{printf "%q" (print .TLSDir "/privkey")}}
       {{else}}
       {}
       {{end}}

commit 53effa806b73a1c728fba9160b23000c8f7cc5e0
Author: Tom Clegg <tom at curii.com>
Date:   Sun Jul 17 23:16:59 2022 -0400

    16552: Rename ACME config options.
    
    Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>

diff --git a/lib/boot/cert.go b/lib/boot/cert.go
index 10fd0aa9f..175a35080 100644
--- a/lib/boot/cert.go
+++ b/lib/boot/cert.go
@@ -36,7 +36,7 @@ func (createCertificates) String() string {
 }
 
 func (createCertificates) Run(ctx context.Context, fail func(error), super *Supervisor) error {
-	if super.cluster.TLS.Automatic {
+	if super.cluster.TLS.ACME.Server != "" {
 		return bootAutoCert(ctx, fail, super)
 	} else if super.cluster.TLS.Key == "" && super.cluster.TLS.Certificate == "" {
 		return createSelfSignedCert(ctx, fail, super)
@@ -78,8 +78,15 @@ func bootAutoCert(ctx context.Context, fail func(error), super *Supervisor) erro
 			}
 		},
 	}
-	if super.cluster.TLS.Staging {
+	if srv := super.cluster.TLS.ACME.Server; srv == "LE" {
+		// Leaving mgr.Client == nil means use Let's Encrypt
+		// production environment
+	} else if srv == "LE-staging" {
 		mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
+	} else if strings.HasPrefix(srv, "https://") {
+		mgr.Client = &acme.Client{DirectoryURL: srv}
+	} else {
+		return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
 	}
 	go func() {
 		err := http.ListenAndServe(":80", mgr.HTTPHandler(nil))
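Review bot: The `srv == "LE"` branch is deliberately empty with only a comment inside, which reads as a leftover and is the pattern staticcheck flags as an empty branch; a tagless switch over the same conditions expresses the three accepted forms and the rejection case more directly. The `https://` prefix test accepts any directory URL, which is what the config comment promises, so the behaviour is unchanged below. bootAutoCert starts and ends outside this hunk.
```go
	switch srv := super.cluster.TLS.ACME.Server; {
	case srv == "LE":
		// mgr.Client == nil selects the Let's Encrypt production directory.
	case srv == "LE-staging":
		mgr.Client = &acme.Client{DirectoryURL: stagingDirectoryURL}
	case strings.HasPrefix(srv, "https://"):
		mgr.Client = &acme.Client{DirectoryURL: srv}
	default:
		return fmt.Errorf("autocert setup: invalid directory URL in TLS.ACME.Server: %q", srv)
	}
	// … unchanged: HTTP-01 listener goroutine …
```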
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index c8c02cc60..8d5bbc258 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -909,17 +909,21 @@ Clusters:
       # use this in production.
       Insecure: false
 
-      # Agree to Let's Encrypt terms of service and obtain
-      # certificates automatically for ExternalURL domains.
-      #
-      # Note: this feature is not yet implemented in released
-      # versions, only in the alpha/prerelease arvados-server-easy
-      # package.
-      Automatic: false
-
-      # Use Let's Encrypt staging environment instead of production
-      # environment.
-      Staging: false
+      ACME:
+        # Obtain certificates automatically for ExternalURL domains
+        # using an ACME server and http-01 validation.
+        #
+        # To use Let's Encrypt, specify "LE".  To use the Let's
+        # Encrypt staging environment, specify "LE-staging".  To use a
+        # different ACME server, specify the full directory URL
+        # ("https://...").
+        #
+        # Note: this feature is not yet implemented in released
+        # versions, only in the alpha/prerelease arvados-server-easy
+        # package.
+        #
+        # Implies agreement with the server's terms of service.
+        Server: ""
 
     Containers:
       # List of supported Docker Registry image formats that compute nodes
diff --git a/lib/install/init.go b/lib/install/init.go
index 792262b59..a928f2252 100644
--- a/lib/install/init.go
+++ b/lib/install/init.go
@@ -72,7 +72,7 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
 	flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
 	flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
 	flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
-	flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, auto, insecure, or none")
+	flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, acmetool, insecure, or none")
 	flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
 	if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
 		return code
@@ -214,9 +214,10 @@ func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Read
     TLS:
       {{if eq .TLS "insecure"}}
       Insecure: true
-      {{else if eq .TLS "auto"}}
-      Automatic: true
       {{else if eq .TLS "acme"}}
+      ACME:
+        Server: LE
+      {{else if eq .TLS "acmetool"}}
       Certificate: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/cert")}}
       Key: {{printf "%q" (print "/var/lib/acme/live/" .Domain "/privkey")}}
       {{else}}
diff --git a/lib/service/tls.go b/lib/service/tls.go
index 234ee5787..88a2858be 100644
--- a/lib/service/tls.go
+++ b/lib/service/tls.go
@@ -21,7 +21,7 @@ import (
 )
 
 func makeTLSConfig(cluster *arvados.Cluster, logger logrus.FieldLogger) (*tls.Config, error) {
-	if cluster.TLS.Automatic {
+	if cluster.TLS.ACME.Server != "" {
 		return makeAutocertConfig(cluster, logger)
 	} else {
 		return makeFileLoaderConfig(cluster, logger)
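Review bot: The rewritten condition keeps an `else` after a terminating `if`, which is the shape gofmt-era style guides and linters ask to flatten; dropping the `else` and returning `makeFileLoaderConfig(cluster, logger)` directly after the `if` block leaves the happy path left-aligned without changing behaviour. The same `TLS.ACME.Server != ""` test now appears in lib/boot/cert.go as well; if it grows any further (for example rejecting values that are not "LE", "LE-staging" or an https URL) a small helper on the config type would keep the two in step. makeTLSConfig continues outside this hunk.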
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index d9aa92b65..6d8f39dfb 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -227,8 +227,9 @@ type Cluster struct {
 		Certificate string
 		Key         string
 		Insecure    bool
-		Automatic   bool
-		Staging     bool
+		ACME        struct {
+			Server string
+		}
 	}
 	Users struct {
 		ActivatedUsersAreVisibleToOthers      bool
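Review bot: The new exported ACME.Server field carries no doc comment, although the accepted values are only spelled out in config.default.yml and enforced in lib/boot/cert.go. A comment on the field such as `// Server selects the ACME directory: "LE", "LE-staging", or a full https:// directory URL; empty disables automatic certificates.` would let Go readers and tooling see the contract without opening the YAML. The Cluster struct starts and ends outside this hunk.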

-----------------------------------------------------------------------


hooks/post-receive
-- 



