[arvados] created: 2.5.0-114-g7c3ebf596
Tue Feb 7 19:19:12 UTC 2023
at 7c3ebf596559bc4c890bfd1f8f40ca639ae90e3d (commit)
commit 7c3ebf596559bc4c890bfd1f8f40ca639ae90e3d
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Tue Feb 7 16:15:40 2023 -0300
20035: Updates nginx pillars to read the certificate privkey password.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
index 00be378c1..1719b0a64 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
servers:
@@ -47,5 +49,8 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
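Review bot: The `ssl_password_file` directive is gated on `imported.ssl_key_encrypted.enabled`, read straight from the file via `import_yaml`, whereas states/ssl_key_encrypted.sls, which creates the FIFO at that path, is gated on `pillar.get('ssl_key_encrypted', {'enabled': False})`, i.e. on the file being listed in the pillar top.sls, so the two can disagree and nginx is then pointed at a path nothing created. Because the path is a FIFO, an nginx config load with no writer present blocks on open rather than failing fast, which makes such a mismatch hard to diagnose. The identical change appears in the controller, download, keepproxy, webshell, websocket, workbench2 and workbench pillars in this commit. A comment above the `{%- if` would record the coupling: `{#- Must stay in step with states/ssl_key_encrypted.sls, which creates this FIFO; both must read the same enabled flag #}`.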
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index 5df1870c8..b946c61a0 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
### SERVER
@@ -64,6 +66,9 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
- client_max_body_size: 128m
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
index 9246fc11c..59c93962c 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
servers:
@@ -47,5 +49,8 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
index 2f00524f9..690d9413b 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
### SERVER
@@ -55,5 +57,8 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
index d631c89a8..13a96eb33 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
### SERVER
@@ -71,6 +73,9 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
index 9658c620c..078f916cb 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### NGINX
nginx:
### SERVER
@@ -56,5 +58,8 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
index a821b521f..021c8685d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### ARVADOS
arvados:
config:
@@ -46,5 +48,8 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
index 32904a12b..92b5d0356 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
@@ -3,6 +3,8 @@
#
# SPDX-License-Identifier: AGPL-3.0
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
### ARVADOS
arvados:
config:
@@ -57,6 +59,9 @@ nginx:
- include: snippets/ssl_hardening_default.conf
- ssl_certificate: __CERT_PEM__
- ssl_certificate_key: __CERT_KEY__
+ {%- if imported.ssl_key_encrypted.enabled %}
+ - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+ {%- endif %}
- access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
- error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index d2345273f..5a7d9a269 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -23,7 +23,6 @@ extra_custom_certs_file_directory_certs_dir:
{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
- {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
{%- set key_file = 'arvados-' ~ cert ~ '.key' %}
{% for c in [cert_file, key_file] %}
extra_custom_certs_file_copy_{{ c }}:
commit 0539755550220dfb165df4c2e52dad19ec695096
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Tue Feb 7 16:13:18 2023 -0300
20035: Adds pillars & states to retrieve the password from AWS secrets manager.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
new file mode 100644
index 000000000..afec37cbc
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -0,0 +1,10 @@
+---
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+ssl_key_encrypted:
+ enabled: __SSL_KEY_ENCRYPTED__
+ aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
+ ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
+ ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
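Review bot: `enabled: __SSL_KEY_ENCRYPTED__` is replaced by provision.sh with the unquoted literal `yes`/`no` from local.params, so the `if … enabled` tests in the nginx pillars and in states/ssl_key_encrypted.sls rely on the YAML loader reading those words as booleans; a quoted `"no"` or any unrecognised word would be a non-empty string and therefore true in Jinja. That contract is worth stating in the file, e.g. `# enabled: filled in with the bare yes/no from SSL_KEY_ENCRYPTED in local.params; keep it an unquoted YAML boolean, any non-empty string counts as enabled` above the `enabled:` line. `ssl_password_file` lives under /etc/nginx/ssl, which states/custom_certs.sls manages with `recurse: mode` and `file_mode: 0640`, so the FIFO's `0600` is likely rewritten to 0640 on later runs; harmless while the group is root, but a comment noting the overlap would help.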
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
new file mode 100644
index 000000000..5bc08f09e
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -0,0 +1,70 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
+
+{%- if ssl_key_encrypted.enabled %}
+
+extra_ssl_key_encrypted_password_fifo_file:
+ file.mknod:
+ - ntype: p
+ - name: {{ ssl_key_encrypted.ssl_password_file }}
+ - user: root
+ - group: root
+ - mode: '0600'
+
+extra_ssl_key_encrypted_required_pkgs:
+ pkg.installed:
+ - name: jq
+
+extra_ssl_key_encrypted_password_retrieval_script:
+ file.managed:
+ - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+ - user: root
+ - group: root
+ - mode: '0750'
+ - require:
+ - pkg: extra_ssl_key_encrypted_required_pkgs
+ - file: extra_ssl_key_encrypted_password_fifo_file
+ - contents: |
+ #!/bin/bash
+
+ while [ true ]; do
+ # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+ # loading invalid credentials on nodes who use ~/.aws/credentials for other
+ # purposes (e.g.: the dispatcher credentials)
+ # Access to the secrets manager is given by using an instance profile.
+ AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+ sleep 1
+ done
+
+extra_ssl_key_encrypted_password_retrieval_service_unit:
+ file.managed:
+ - name: /etc/systemd/system/password_secret_connector.service
+ - user: root
+ - group: root
+ - mode: '0644'
+ - require:
+ - file: extra_ssl_key_encrypted_password_retrieval_script
+ - contents: |
+ [Unit]
+ Description=Arvados SSL private key password retrieval service
+ After=network.target
+ AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
+ [Service]
+ ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+ [Install]
+ WantedBy=multi-user.target
+
+extra_ssl_key_encrypted_password_retrieval_service:
+ service.running:
+ - name: password_secret_connector
+ - enable: true
+ - require:
+ - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+ - watch:
+ - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+ - file: extra_ssl_key_encrypted_password_retrieval_script
+
+{%- endif %}
\ No newline at end of file
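Review bot: The connector script (L248–L257) writes whatever the pipeline produced into the FIFO, so a failed `aws secretsmanager get-secret-value` (network not up yet, wrong region, IAM denied) sends an empty line to nginx, which then fails to load the key with an unhelpful passphrase error; the fetch should be checked and only a non-empty value written, with a back-off on failure so the loop does not poll the API every second. `--region us-east-1` is hard-coded although the Terraform side creates the secret in the deployment's region (`region_name` in outputs.tf), so any other region fails permanently. The unit has no `Restart=`, orders only after `network.target` (an API call needs `network-online.target`), and nothing orders nginx after it; since opening a FIFO for reading blocks until a writer exists, an nginx (re)start before the connector is running hangs instead of failing. Consider `Restart=always` plus `Wants=network-online.target` and `After=network-online.target` in this unit, an nginx drop-in with `After=password_secret_connector.service`, and the script body rewritten as below.
```yaml
    - contents: |
        #!/bin/bash
        set -o pipefail
        while true; do
          # … unchanged: comment on AWS_SHARED_CREDENTIALS_FILE and the instance profile …
          # REGION_PLACEHOLDER: supply the deployment's region here instead of the hard-coded us-east-1
          if password=$(AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ REGION_PLACEHOLDER }}' | jq -er .SecretString) && [ -n "$password" ]; then
            # blocks here until nginx opens the FIFO for reading
            printf '%s\n' "$password" > '{{ ssl_key_encrypted.ssl_password_file }}'
            sleep 1
          else
            echo "password_secret_connector: could not retrieve the SSL key password, retrying" >&2
            sleep 30
          fi
        done
```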
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 435c56d05..7a60363d6 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -438,7 +438,9 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
- s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+ s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+ s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${P_DIR}"/$(basename "${f}")
done
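Review bot: `${SSL_KEY_ENCRYPTED}` and `${SSL_KEY_AWS_SECRET_NAME}` are introduced by this series, so a local.params written before it leaves both empty and the pillar renders as `enabled:` with no value; that is null and therefore falsy, but silently so, and the same substitution is repeated in the states loop ending at L313. Giving them explicit defaults before the two `for f in` loops (both start outside the hunks) documents the intent: `SSL_KEY_ENCRYPTED="${SSL_KEY_ENCRYPTED:-no}"` and `SSL_KEY_AWS_SECRET_NAME="${SSL_KEY_AWS_SECRET_NAME:-}"`. `#` is the sed delimiter here, so a secret name containing `#` would break the expression; a check, or a remark in local.params, would avoid surprises.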
@@ -509,7 +511,9 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
- s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+ s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+ s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+ s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
"${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
done
fi
@@ -561,7 +565,7 @@ if [ -z "${ROLES}" ]; then
if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - extra.aws_credentials" >> ${S_DIR}/top.sls
fi
- grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
+ grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
else
mkdir -p /srv/salt/certs
chmod 700 /srv/salt/certs
@@ -570,7 +574,10 @@ if [ -z "${ROLES}" ]; then
cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
chmod 600 /srv/salt/certs/*
# We add the custom_certs state
- grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+ grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo " - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+ fi
fi
# In self-signed mode, the certificate files will be created and put in the
# destination directory by the snakeoil_certs.sls state file
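Review bot: `extra.ssl_key_encrypted` is added to the states top.sls in this `ROLES`-empty (single-host) branch and again at L341 for the roles branch, but the only state and pillar of that name added in this series live under config_examples/multi_host/aws, while the single-host local.params examples also gain `SSL_KEY_ENCRYPTED`; a single-host config dir would then reference a missing state. This branch also shows no matching `ssl_key_encrypted` entry for `${P_DIR}/top.sls` (the roles branch adds one at L348); without it the state's `pillar.get('ssl_key_encrypted', {'enabled': False})` disables itself while the nginx pillars, which `import_yaml` the file directly, still emit `ssl_password_file`. Only part of this if/else is visible, so the pillar line may exist elsewhere; if not, add `grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo "  - ssl_key_encrypted" >> ${P_DIR}/top.sls` beside the state line, and either ship the state for single-host configs or reject `SSL_KEY_ENCRYPTED=yes` there.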
@@ -667,6 +674,9 @@ else
echo " - arvados.repo" >> ${S_DIR}/top.sls
# We add the extra_custom_certs state
grep -q "extra.custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
+ if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+ grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo " - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+ fi
# And we add the basic part for the certs pillar
if [ "${SSL_MODE}" != "lets-encrypt" ]; then
@@ -789,6 +799,7 @@ else
${P_DIR}/nginx_${R}_configuration.sls
fi
else
+ grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo " - ssl_key_encrypted" >> ${P_DIR}/top.sls
# As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
# Special case for keepweb
if [ ${R} = "keepweb" ]; then
commit 89b73ea49989979c20770a53a1a471774f5f0be9
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Tue Feb 7 16:11:17 2023 -0300
20035: Adds configuration to enable the use of encryped SSL private keys.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 80df62d57..b679337a1 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -114,6 +114,11 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
# ${CUSTOM_CERTS_DIR}/keepproxy.crt
# ${CUSTOM_CERTS_DIR}/keepproxy.key
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
# The directory to check for the config files (pillars, states) you want to use.
# There are a few examples under 'config_examples'.
# CONFIG_DIR="local_config_dir"
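Review bot: The comment says "a custom AWS secret name for each node", but one name is set and the Terraform code creates a single per-cluster secret (`${local.cluster_name}-${var.ssl_password_secret_name_suffix}`), so it suggests a per-node setting that does not exist. It also omits that provision.sh enables the state alongside the custom_certs state, i.e. for bring-your-own certificates, and that the passphrase is fetched from AWS Secrets Manager with the node's instance profile, which matters for the single-host examples at L386 and L401 that carry the same text. Suggested: `# Set to "yes" when the bring-your-own key files are passphrase-protected. The passphrase is read from the AWS Secrets Manager secret named below using the node's instance profile; the name must match the one created by the Terraform code.`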
diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index b89ced9b5..56ecf9f92 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -58,6 +58,11 @@ SSL_MODE="self-signed"
# See https://doc.arvados.org/intall/salt-single-host.html#bring-your-own for more information.
# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
# The directory to check for the config files (pillars, states) you want to use.
# There are a few examples under 'config_examples'.
# CONFIG_DIR="local_config_dir"
diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname
index eaa71e7a2..54a78b619 100644
--- a/tools/salt-install/local.params.example.single_host_single_hostname
+++ b/tools/salt-install/local.params.example.single_host_single_hostname
@@ -68,6 +68,11 @@ SSL_MODE="self-signed"
# See https://doc.arvados.org/intall/salt-single-host.html#bring-your-own for more information.
# CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
# The directory to check for the config files (pillars, states) you want to use.
# There are a few examples under 'config_examples'.
# CONFIG_DIR="local_config_dir"
commit 04615eaf231ec690c97d9d4ce5734de006ab4a0f
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Mon Feb 6 15:00:01 2023 -0300
20035: Manages AWS secret and gives read access to service nodes.
The secret's value will have to be set manually by the operator, so that
no trace of it is kept on disk.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/terraform/aws/services/locals.tf b/tools/salt-install/terraform/aws/services/locals.tf
index 80dc33784..6a81967cf 100644
--- a/tools/salt-install/terraform/aws/services/locals.tf
+++ b/tools/salt-install/terraform/aws/services/locals.tf
@@ -8,5 +8,8 @@ locals {
use_external_db = data.terraform_remote_state.data-storage.outputs.use_external_db
public_ip = data.terraform_remote_state.vpc.outputs.public_ip
private_ip = data.terraform_remote_state.vpc.outputs.private_ip
+ pubkey_path = pathexpand(var.pubkey_path)
+ pubkey_name = "arvados-deployer-key"
hostnames = [ for hostname, eip_id in data.terraform_remote_state.vpc.outputs.eip_id: hostname ]
+ ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
}
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 34eba5e61..9c27b9726 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -19,10 +19,6 @@ provider "aws" {
}
}
-locals {
- pubkey_path = pathexpand(var.pubkey_path)
- pubkey_name = "arvados-deployer-key"
-}
resource "aws_key_pair" "deployer" {
key_name = local.pubkey_name
public_key = file(local.pubkey_path)
@@ -38,6 +34,15 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
role = aws_iam_role.cloud_dispatcher_iam_role.name
}
+resource "aws_secretsmanager_secret" "ssl_password_secret" {
+ name = local.ssl_password_secret_name
+}
+
+resource "aws_iam_instance_profile" "default_instance_profile" {
+ name = "${local.cluster_name}_default_instance_profile"
+ role = aws_iam_role.default_iam_role.name
+}
+
resource "aws_instance" "arvados_service" {
for_each = toset(local.hostnames)
ami = data.aws_ami.debian-11.image_id
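Review bot: `aws_secretsmanager_secret.ssl_password_secret` sets only `name`; on `terraform destroy` Secrets Manager keeps the secret in its deletion-recovery window (30 days by default) and a re-create with the same name fails until the window expires, so `recovery_window_in_days` should be set explicitly (0 forces immediate deletion at the cost of recoverability). A `description` stating that the value is set manually out of band, as the commit message explains, would spare the next operator a search. Without `kms_key_id` the secret is encrypted with the account's default `aws/secretsmanager` key; if that is intended, a one-line comment saying so avoids a later question.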
@@ -50,7 +55,7 @@ resource "aws_instance" "arvados_service" {
subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
# This should be done in a more readable way
- iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : ""
+ iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
tags = {
Name = "arvados_service_${each.value}"
}
@@ -106,3 +111,32 @@ resource "aws_eip_association" "eip_assoc" {
instance_id = aws_instance.arvados_service[each.value].id
allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
}
+
+resource "aws_iam_role" "default_iam_role" {
+ name = "${local.cluster_name}-default-iam-role"
+ assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
+resource "aws_iam_policy" "ssl_privkey_password_access" {
+ name = "${local.cluster_name}_ssl_privkey_password_access"
+ policy = jsonencode({
+ Version: "2012-10-17",
+ Statement: [{
+ Effect: "Allow",
+ Action: "secretsmanager:GetSecretValue",
+ Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
+ }]
+ })
+}
+
+# Every service node needs access to the SSL privkey password secret for
+# nginx to be able to use it.
+resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
+ name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
+ roles = [
+ aws_iam_role.cloud_dispatcher_iam_role.name,
+ aws_iam_role.default_iam_role.name,
+ data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
+ ]
+ policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
+}
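Review bot: `aws_iam_policy_attachment` is the exclusive form: it takes over every attachment of `ssl_privkey_password_access` and detaches any role, user or group attached by other means on the next apply, which is why the provider documents `aws_iam_role_policy_attachment` as the usual choice; one `aws_iam_role_policy_attachment` per role (or a `for_each` over the three role names) avoids that. `assume_role_policy = "${file("../assumerolepolicy.json")}"` and `Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"` are interpolation-only strings, which Terraform 0.12+ warns about; `file("../assumerolepolicy.json")` and `aws_secretsmanager_secret.ssl_password_secret.arn` are the current form. The policy scopes `GetSecretValue` to the single secret ARN, which is the right granularity; a comment on the role stating that it is the baseline for every node without a more specific profile would document the least-privilege intent.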
diff --git a/tools/salt-install/terraform/aws/services/outputs.tf b/tools/salt-install/terraform/aws/services/outputs.tf
index 845687613..0c29420e8 100644
--- a/tools/salt-install/terraform/aws/services/outputs.tf
+++ b/tools/salt-install/terraform/aws/services/outputs.tf
@@ -58,3 +58,7 @@ output "deploy_user" {
output "region_name" {
value = data.terraform_remote_state.vpc.outputs.region_name
}
+
+output "ssl_password_secret_name" {
+ value = aws_secretsmanager_secret.ssl_password_secret.name
+}
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/services/terraform.tfvars b/tools/salt-install/terraform/aws/services/terraform.tfvars
index 374ecbe08..79f3dc318 100644
--- a/tools/salt-install/terraform/aws/services/terraform.tfvars
+++ b/tools/salt-install/terraform/aws/services/terraform.tfvars
@@ -7,3 +7,7 @@
# Set the instance type for your hosts. Default: m5a.large
# default_instance_type = "t2.micro"
+
+# AWS secret's name which holds the SSL certificate private key's password.
+# Default: "arvados-ssl-privkey-password"
+# ssl_password_secret_name_suffix = "some-name-suffix"
\ No newline at end of file
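Review bot: The comment describes `ssl_password_secret_name_suffix` as the "AWS secret's name", but locals.tf builds the name as `${local.cluster_name}-${var.ssl_password_secret_name_suffix}`, so the variable is only the suffix and the operator-facing comment should say so: `# Suffix of the AWS secret holding the SSL certificate private key's password; the full name is "<cluster>-<suffix>" and must match SSL_KEY_AWS_SECRET_NAME in local.params.` The file also ends without a trailing newline, as the `\ No newline` marker shows; outputs.tf and variables.tf have the same.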
diff --git a/tools/salt-install/terraform/aws/services/variables.tf b/tools/salt-install/terraform/aws/services/variables.tf
index 89b1886c1..e520a9ab8 100644
--- a/tools/salt-install/terraform/aws/services/variables.tf
+++ b/tools/salt-install/terraform/aws/services/variables.tf
@@ -13,3 +13,9 @@ variable "pubkey_path" {
type = string
default = "~/.ssh/id_rsa.pub"
}
+
+variable "ssl_password_secret_name_suffix" {
+ description = "Name suffix for the SSL certificate's private key password AWS secret."
+ type = string
+ default = "arvados-ssl-privkey-password"
+}
\ No newline at end of file
commit 18438ec87679b6bd360611ad0f2a8f95d711d75e
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date: Thu Feb 2 15:16:19 2023 -0300
20035: Ensures proper permissions on places where certificate's keys are saved.
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index 3b2be59f3..d2345273f 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -10,8 +10,16 @@
extra_custom_certs_file_directory_certs_dir:
file.directory:
- name: /etc/nginx/ssl
+ - user: root
+ - group: root
+ - dir_mode: 0750
+ - file_mode: 0640
- require:
- pkg: nginx_install
+ - recurse:
+ - user
+ - group
+ - mode
{%- for cert in certs %}
{%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
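Review bot: `dir_mode: 0750` and `file_mode: 0640` (and `mode: 0640` in the hunk ending at L565) are unquoted, so a YAML 1.1 loader reads them as octal integers (488 and 416) rather than the mode strings Salt expects; whether Salt maps 488 back to 0750 depends on its mode normalisation, and the new states/ssl_key_encrypted.sls in this series already quotes its modes (`'0600'`, `'0750'`). Use `- dir_mode: '0750'`, `- file_mode: '0640'` and `- mode: '0640'` for consistency and to remove the ambiguity.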
@@ -25,6 +33,7 @@ extra_custom_certs_file_copy_{{ c }}:
- force: true
- user: root
- group: root
+ - mode: 0640
- unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
- require:
- file: extra_custom_certs_file_directory_certs_dir
diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index 0cb4b6e09..e72786ac0 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -74,11 +74,13 @@ sync() {
# from that.
ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
fi
git push $NODE $BRANCH
ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
+ ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
fi
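Review bot: `chmod 700` runs only after `git init --bare` has created `${GITTARGET}.git` with the remote user's umask, and the new `ssh … chmod` lines' exit status is not checked, unlike `git remote add` just below; running the init under a restrictive umask closes the window and makes a failure visible: `ssh $DEPLOY_USER@$NODE "umask 077 && git init --bare ${GITTARGET}.git" || exit 1`. The same applies to the clone and chmod at L578–L579, and to `git init $SETUPDIR` / `chmod 700 $SETUPDIR` in the hunk ending at L595, where a local `umask 077` before `git init` suffices. sync() starts before this hunk.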
# The update case.
@@ -108,7 +110,7 @@ deploynode() {
logfile=deploy-${NODE}-$(date -Iseconds).log
if [[ "$NODE" = localhost ]] ; then
- SUDO=''
+ SUDO=''
if [[ $(whoami) != 'root' ]] ; then
SUDO=sudo
fi
@@ -173,6 +175,7 @@ case "$subcmd" in
echo "Initializing $SETUPDIR"
git init $SETUPDIR
+ chmod 700 $SETUPDIR
cp -r *.sh tests $SETUPDIR
cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 77c201615..435c56d05 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -142,15 +142,18 @@ copy_custom_cert() {
cert_name=${2}
mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
if [ -f ${cert_dir}/${cert_name}.crt ]; then
cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
else
echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
exit 1
fi
if [ -f ${cert_dir}/${cert_name}.key ]; then
cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
+ chmod 600 /srv/salt/certs/arvados-${cert_name}.key
else
echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
exit 1
@@ -561,9 +564,11 @@ if [ -z "${ROLES}" ]; then
grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
else
mkdir -p /srv/salt/certs
+ chmod 700 /srv/salt/certs
if [ "${SSL_MODE}" = "bring-your-own" ]; then
# Copy certs to formula extra/files
cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+ chmod 600 /srv/salt/certs/*
# We add the custom_certs state
grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
fi