[arvados] created: 2.5.0-121-ge51ba7343

git repository hosting git at public.arvados.org
Mon Feb 13 19:04:33 UTC 2023


        at  e51ba73431f40cfcb6a8f2c80bb5373f23609fcd (commit)


commit e51ba73431f40cfcb6a8f2c80bb5373f23609fcd
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Fri Feb 10 16:23:13 2023 -0300

    20035: Enhances code readability, quotes jinja vars as yaml values.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
index 1719b0a64..f5670aea2 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -49,8 +49,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index b946c61a0..5df03fe53 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -66,8 +66,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
index 59c93962c..fd8405fb6 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -49,8 +49,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
index 690d9413b..16d0c70c6 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -57,8 +57,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
index 13a96eb33..fb134cca9 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -73,8 +73,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
index 078f916cb..867a8e1b0 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### NGINX
 nginx:
@@ -58,8 +58,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
index 021c8685d..8ae4210e5 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### ARVADOS
 arvados:
@@ -48,8 +48,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
index 92b5d0356..f61763648 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
@@ -3,7 +3,7 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
-{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+{%- import_yaml "ssl_key_encrypted.sls" as ssl_key_encrypted_pillar %}
 
 ### ARVADOS
 arvados:
@@ -59,8 +59,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
-            {%- if imported.ssl_key_encrypted.enabled %}
-            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- if ssl_key_encrypted_pillar.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ ssl_key_encrypted_pillar.ssl_key_encrypted.ssl_password_file | yaml_dquote }}
             {%- endif %}
             - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log

commit 1d8b1200de6bc1fc6df70f611446e1e6466244fd
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Fri Feb 10 16:10:27 2023 -0300

    20035: Improves file/dir permission setting.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index e72786ac0..21f36faac 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -73,14 +73,12 @@ sync() {
 	    # and then clone a regular repository (with a checkout)
 	    # from that.
 
-	    ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
-		ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
+	    ssh $DEPLOY_USER@$NODE git init --bare --shared=0600 ${GITTARGET}.git
 	    if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
 			git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
 	    fi
 	    git push $NODE $BRANCH
-	    ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
-		ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
+	    ssh $DEPLOY_USER@$NODE "umask 0077 && git clone ${GITTARGET}.git ${GITTARGET}"
 	fi
 
 	# The update case.
@@ -174,8 +172,7 @@ case "$subcmd" in
 	fi
 
 	echo "Initializing $SETUPDIR"
-	git init $SETUPDIR
-	chmod 700 $SETUPDIR
+	git init --shared=0600 $SETUPDIR
 	cp -r *.sh tests $SETUPDIR
 
 	cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
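Review bot: Dropping `chmod 700 $SETUPDIR` in favour of `git init --shared=0600 $SETUPDIR` likely leaves the work tree less protected than before: as far as I know core.sharedRepository only governs what git creates under `.git`, while `$SETUPDIR` itself and the files the following `cp` lines place in it — including `${CONFIG_FILE}`, which carries cluster secrets such as the AWS and workbench keys — are created under the caller's umask. The bare-repo and clone paths in the earlier hunk keep their guarantee (a bare repo is all git dir, and the clone runs under `umask 0077`), but this hunk has no equivalent. Keeping `chmod 700 $SETUPDIR` after the init, or running the block under the same `umask 0077`, restores the previous behaviour. The enclosing case arm continues outside the hunk.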
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 8f69a5f8a..86335ff8e 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -141,19 +141,16 @@ copy_custom_cert() {
   cert_dir=${1}
   cert_name=${2}
 
-  mkdir -p /srv/salt/certs
-  chmod 700 /srv/salt/certs
+  mkdir -p --mode=0700 /srv/salt/certs
 
   if [ -f ${cert_dir}/${cert_name}.crt ]; then
-    cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
-    chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
+    install --mode=0600 ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
   else
     echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
     exit 1
   fi
   if [ -f ${cert_dir}/${cert_name}.key ]; then
-    cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
-    chmod 600 /srv/salt/certs/arvados-${cert_name}.key
+    install --mode=0600 ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
   else
     echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
     exit 1
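Review bot: `mkdir -p --mode=0700 /srv/salt/certs` applies the mode only when it creates the directory; if `/srv/salt/certs` already exists from an earlier provisioning run with wider permissions, `mkdir -p` is a no-op and the enforcement the removed `chmod 700` provided on every run is lost. The identical line in the hunk at `@@ -569,12 +566,10 @@` has the same gap. The `install --mode=0600` replacements are fine, since install recreates the destination and sets its mode each time. I would keep an explicit `chmod 0700 /srv/salt/certs` right after the mkdir in both places. copy_custom_cert continues outside the hunk.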
@@ -569,12 +566,10 @@ if [ -z "${ROLES}" ]; then
     fi
     grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
-    mkdir -p /srv/salt/certs
-    chmod 700 /srv/salt/certs
+    mkdir -p --mode=0700 /srv/salt/certs
     if [ "${SSL_MODE}" = "bring-your-own" ]; then
       # Copy certs to formula extra/files
-      cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
-      chmod 600 /srv/salt/certs/*
+      install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
       # We add the custom_certs state
       grep -q "custom_certs" ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
       if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
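Review bot: Replacing `cp -rv ${CUSTOM_CERTS_DIR}/*` with `install --mode=0600 ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/` drops the recursive copy: `install` rejects directory operands with "omitting directory", so any subdirectory under `${CUSTOM_CERTS_DIR}` now produces an error instead of being copied. If that directory is meant to be flat this is fine but should be stated, e.g. `# Copy certs (a flat directory, no subdirs) to formula extra/files`; otherwise a `find "${CUSTOM_CERTS_DIR}" -type f -exec install --mode=0600 {} /srv/salt/certs/ \;` form is needed. The enclosing if block continues outside the hunk.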

commit 511fc7559a6ad00468c9a452bdd1de63ad2c1f77
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Fri Feb 10 15:16:31 2023 -0300

    20035: Improves the connector script in various ways.
    
    * Passes /dev/null to AWS CLI as credential file instead of a non-existent
      path.
    * Single-quotes every Jinja variable to avoid side shell related effects.
    * Passes AWS region name as a pillar.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
index afec37cbc..920457737 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -6,5 +6,6 @@
 ssl_key_encrypted:
   enabled: __SSL_KEY_ENCRYPTED__
   aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
+  aws_region: __SSL_KEY_AWS_REGION__
   ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
   ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
index 5bc08f09e..ae1c762e1 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -31,11 +31,11 @@ extra_ssl_key_encrypted_password_retrieval_script:
         #!/bin/bash
 
         while [ true ]; do
-          # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+          # AWS_SHARED_CREDENTIALS_FILE is set to /dev/null to avoid AWS's CLI
           # loading invalid credentials on nodes who use ~/.aws/credentials for other
           # purposes (e.g.: the dispatcher credentials)
           # Access to the secrets manager is given by using an instance profile.
-          AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+          AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -r .SecretString > '{{ ssl_key_encrypted.ssl_password_file }}'
           sleep 1
         done
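Review bot: The rewritten `aws … | jq -r .SecretString > '…'` line still ignores a failed retrieval: when the Secrets Manager call fails (no instance profile on the node, wrong region or secret id, throttling) aws prints nothing on stdout, jq then emits nothing, and the FIFO reader — nginx decrypting the key — gets an empty password and fails, while the loop silently retries a second later with nothing logged; the pipeline's status is jq's alone, so even `set -e` would not catch it. I would capture the value first and only write to the FIFO on success, using `jq -e` so an absent or null `SecretString` counts as failure, and report the failure on stderr so it reaches the journal. The `file.managed` state and its `contents` block start outside the hunk.
```shell
while [ true ]; do
  # … unchanged: comments on AWS_SHARED_CREDENTIALS_FILE and the instance profile …
  if secret=$(AWS_SHARED_CREDENTIALS_FILE=/dev/null aws secretsmanager get-secret-value --secret-id '{{ ssl_key_encrypted.aws_secret_name }}' --region '{{ ssl_key_encrypted.aws_region }}' | jq -er .SecretString); then
    printf '%s\n' "$secret" > '{{ ssl_key_encrypted.ssl_password_file }}'
  else
    echo "password_secret_connector: secret retrieval failed, not writing to the FIFO" >&2
  fi
  sleep 1
done
```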
 
diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index b679337a1..0064a78c5 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -118,6 +118,7 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # a custom AWS secret name for each node to retrieve the password.
 SSL_KEY_ENCRYPTED="no"
 SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+SSL_KEY_AWS_REGION="us-east-1"
 
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 7a60363d6..8f69a5f8a 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -440,6 +440,7 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
        s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
        s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+       s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
        s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
   "${f}" > "${P_DIR}"/$(basename "${f}")
 done
@@ -513,6 +514,7 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
          s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
          s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+         s#__SSL_KEY_AWS_REGION__#${SSL_KEY_AWS_REGION}#g;
          s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
     "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
   done

commit f3a1fcb306856fc904c7e8051ccb69ea85e5640f
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Tue Feb 7 16:15:40 2023 -0300

    20035: Updates nginx pillars to read the certificate privkey password.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
index 00be378c1..1719b0a64 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_collections_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   servers:
@@ -47,5 +49,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/collections.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
index 5df1870c8..b946c61a0 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_controller_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   ### SERVER
@@ -64,6 +66,9 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/controller.__CLUSTER__.__DOMAIN__.error.log
             - client_max_body_size: 128m
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
index 9246fc11c..59c93962c 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_download_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   servers:
@@ -47,5 +49,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/download.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
index 2f00524f9..690d9413b 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_keepproxy_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   ### SERVER
@@ -55,5 +57,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/keepproxy.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
index d631c89a8..13a96eb33 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_webshell_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   ### SERVER
@@ -71,6 +73,9 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/webshell.__CLUSTER__.__DOMAIN__.error.log
 
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
index 9658c620c..078f916cb 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_websocket_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### NGINX
 nginx:
   ### SERVER
@@ -56,5 +58,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/ws.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
index a821b521f..021c8685d 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench2_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### ARVADOS
 arvados:
   config:
@@ -46,5 +48,8 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/workbench2.__CLUSTER__.__DOMAIN__.error.log
diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
index 32904a12b..92b5d0356 100644
--- a/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
@@ -3,6 +3,8 @@
 #
 # SPDX-License-Identifier: AGPL-3.0
 
+{%- import_yaml "ssl_key_encrypted.sls" as imported %}
+
 ### ARVADOS
 arvados:
   config:
@@ -57,6 +59,9 @@ nginx:
             - include: snippets/ssl_hardening_default.conf
             - ssl_certificate: __CERT_PEM__
             - ssl_certificate_key: __CERT_KEY__
+            {%- if imported.ssl_key_encrypted.enabled %}
+            - ssl_password_file: {{ imported.ssl_key_encrypted.ssl_password_file }}
+            {%- endif %}
             - access_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.access.log combined
             - error_log: /var/log/nginx/workbench.__CLUSTER__.__DOMAIN__.error.log
 
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index d2345273f..5a7d9a269 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -23,7 +23,6 @@ extra_custom_certs_file_directory_certs_dir:
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
-    {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
     {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
     {% for c in [cert_file, key_file] %}
 extra_custom_certs_file_copy_{{ c }}:

commit 1c50d29ea10fa90a379ee1d3fe7d8e05681d8622
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Tue Feb 7 16:13:18 2023 -0300

    20035: Adds pillars & states to retrieve the password from AWS secrets manager.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
new file mode 100644
index 000000000..afec37cbc
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/pillars/ssl_key_encrypted.sls
@@ -0,0 +1,10 @@
+---
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+ssl_key_encrypted:
+  enabled: __SSL_KEY_ENCRYPTED__
+  aws_secret_name: __SSL_KEY_AWS_SECRET_NAME__
+  ssl_password_file: /etc/nginx/ssl/ssl_key_password.txt
+  ssl_password_connector_script: /usr/local/sbin/password_secret_connector.sh
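Review bot: `enabled: __SSL_KEY_ENCRYPTED__` is substituted with the raw value of `SSL_KEY_ENCRYPTED` from local.params (`"no"` by default), so whether the nginx pillars' `{%- if … .enabled %}` fires depends on the YAML loader turning that bare word into a boolean, whereas provision.sh gates the FIFO and connector state on the exact string `"yes"` (`[ "${SSL_KEY_ENCRYPTED}" = "yes" ]`). If I read Salt's YAML handling correctly, any other truthy spelling — `true`, `on`, `YES` — would enable `ssl_password_file` in nginx without provisioning the FIFO that feeds it, and nginx would then fail to start. Worth pinning on this line, e.g. `# only the literal yes/no are supported: provision.sh compares the string, the nginx pillars rely on YAML parsing it as a boolean`, and ideally validating the value in provision.sh.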
diff --git a/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
new file mode 100644
index 000000000..5bc08f09e
--- /dev/null
+++ b/tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls
@@ -0,0 +1,70 @@
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{%- set ssl_key_encrypted = pillar.get('ssl_key_encrypted', {'enabled': False}) %}
+
+{%- if ssl_key_encrypted.enabled %}
+
+extra_ssl_key_encrypted_password_fifo_file:
+  file.mknod:
+    - ntype: p
+    - name: {{ ssl_key_encrypted.ssl_password_file }}
+    - user: root
+    - group: root
+    - mode: '0600'
+
+extra_ssl_key_encrypted_required_pkgs:
+  pkg.installed:
+    - name: jq
+
+extra_ssl_key_encrypted_password_retrieval_script:
+  file.managed:
+    - name: {{ ssl_key_encrypted.ssl_password_connector_script }}
+    - user: root
+    - group: root
+    - mode: '0750'
+    - require:
+      - pkg: extra_ssl_key_encrypted_required_pkgs
+      - file: extra_ssl_key_encrypted_password_fifo_file
+    - contents: |
+        #!/bin/bash
+
+        while [ true ]; do
+          # AWS_SHARED_CREDENTIALS_FILE is set to an non-existant path to avoid awscli
+          # loading invalid credentials on nodes who use ~/.aws/credentials for other
+          # purposes (e.g.: the dispatcher credentials)
+          # Access to the secrets manager is given by using an instance profile.
+          AWS_SHARED_CREDENTIALS_FILE=~/nonexistant aws secretsmanager get-secret-value --secret-id {{ ssl_key_encrypted.aws_secret_name }} --region us-east-1 | jq -r .SecretString > {{ ssl_key_encrypted.ssl_password_file }}
+          sleep 1
+        done
+
+extra_ssl_key_encrypted_password_retrieval_service_unit:
+  file.managed:
+    - name: /etc/systemd/system/password_secret_connector.service
+    - user: root
+    - group: root
+    - mode: '0644'
+    - require:
+      - file: extra_ssl_key_encrypted_password_retrieval_script
+    - contents: |
+        [Unit]
+        Description=Arvados SSL private key password retrieval service
+        After=network.target
+        AssertPathExists={{ ssl_key_encrypted.ssl_password_file }}
+        [Service]
+        ExecStart=/bin/bash {{ ssl_key_encrypted.ssl_password_connector_script }}
+        [Install]
+        WantedBy=multi-user.target
+
+extra_ssl_key_encrypted_password_retrieval_service:
+  service.running:
+    - name: password_secret_connector
+    - enable: true
+    - require:
+      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+    - watch:
+      - file: extra_ssl_key_encrypted_password_retrieval_service_unit
+      - file: extra_ssl_key_encrypted_password_retrieval_script
+
+{%- endif %}
\ No newline at end of file
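Review bot: The unit written by `extra_ssl_key_encrypted_password_retrieval_service_unit` has no `Restart=` and no ordering relative to nginx: if the bash loop ever exits nothing restarts the writer, and because `ssl_password_file` is a FIFO, nginx's open of it at startup or reload blocks until a writer appears. With both units merely `WantedBy=multi-user.target` that ordering is not guaranteed at boot. I would add `Restart=always` and `RestartSec=1` under `[Service]` and `Before=nginx.service` under `[Unit]` so the writer is up before nginx reads the password; `AssertPathExists` already covers the FIFO itself.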
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 435c56d05..7a60363d6 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -438,7 +438,9 @@ for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
        s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
        s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
        s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
-       s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+       s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+       s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+       s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
   "${f}" > "${P_DIR}"/$(basename "${f}")
 done
 
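Review bot: The new `s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g;` line splices an operator-supplied value straight into the sed expression, so a `#`, `&` or `\` in the secret name would alter or break the whole substitution instead of being copied literally; the same applies to the copy of this line in the states loop (the `@@ -509` hunk below). The shipped default (`${CLUSTER}-arvados-ssl-privkey-password`) is safe, but the constraint is undocumented; either escape those characters before the substitution or state it where the variable is defined, e.g. `# NOTE: spliced into a sed expression — must not contain '#', '&' or '\'`. The enclosing `for f in $(ls ...)` loop begins before this hunk.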
@@ -509,7 +511,9 @@ if [ -d "${SOURCE_STATES_DIR}" ]; then
          s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
          s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
          s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
-         s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
+         s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g;
+         s#__SSL_KEY_ENCRYPTED__#${SSL_KEY_ENCRYPTED}#g;
+         s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g" \
     "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
   done
 fi
@@ -561,7 +565,7 @@ if [ -z "${ROLES}" ]; then
     if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
       grep -q "aws_credentials" ${S_DIR}/top.sls || echo "    - extra.aws_credentials" >> ${S_DIR}/top.sls
     fi
-    grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
+    grep -q "letsencrypt" ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
     mkdir -p /srv/salt/certs
     chmod 700 /srv/salt/certs
@@ -570,7 +574,10 @@ if [ -z "${ROLES}" ]; then
       cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
       chmod 600 /srv/salt/certs/*
       # We add the custom_certs state
-      grep -q "custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
+      grep -q "custom_certs" ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
+      if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+        grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+      fi
     fi
     # In self-signed mode, the certificate files will be created and put in the
     # destination directory by the snakeoil_certs.sls state file
@@ -667,6 +674,9 @@ else
   echo "    - arvados.repo" >> ${S_DIR}/top.sls
   # We add the extra_custom_certs state
   grep -q "extra.custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
+  if [ "${SSL_KEY_ENCRYPTED}" = "yes" ]; then
+    grep -q "ssl_key_encrypted" ${S_DIR}/top.sls || echo "    - extra.ssl_key_encrypted" >> ${S_DIR}/top.sls
+  fi
 
   # And we add the basic part for the certs pillar
   if [ "${SSL_MODE}" != "lets-encrypt" ]; then
@@ -789,6 +799,7 @@ else
             ${P_DIR}/nginx_${R}_configuration.sls
           fi
         else
+          grep -q "ssl_key_encrypted" ${P_DIR}/top.sls || echo "    - ssl_key_encrypted" >> ${P_DIR}/top.sls
           # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
           # Special case for keepweb
           if [ ${R} = "keepweb" ]; then
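Review bot: The pillar entry `- ssl_key_encrypted` is appended to `${P_DIR}/top.sls` unconditionally here, unlike the state entries in the earlier hunks which are gated on `SSL_KEY_ENCRYPTED = "yes"`; presumably the flag rendered into the pillar from `__SSL_KEY_ENCRYPTED__` is what disables the feature, so always listing it is harmless, but the asymmetry deserves a comment such as `# The pillar is always listed; the rendered SSL_KEY_ENCRYPTED flag inside it gates the feature`. `${P_DIR}` is unquoted, as in the surrounding lines. The enclosing `else` branch and role loop begin outside the hunk.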

commit cfba0af9859716e3a771dc03d205379ac6b8834f
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Tue Feb 7 16:11:17 2023 -0300

    20035: Adds configuration to enable the use of encrypted SSL private keys.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/local.params.example.multiple_hosts b/tools/salt-install/local.params.example.multiple_hosts
index 80df62d57..b679337a1 100644
--- a/tools/salt-install/local.params.example.multiple_hosts
+++ b/tools/salt-install/local.params.example.multiple_hosts
@@ -114,6 +114,11 @@ LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
 # ${CUSTOM_CERTS_DIR}/keepproxy.crt
 # ${CUSTOM_CERTS_DIR}/keepproxy.key
 
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
 # CONFIG_DIR="local_config_dir"
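Review bot: `SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"` has to match the name Terraform creates in `services/locals.tf` (`${local.cluster_name}-${var.ssl_password_secret_name_suffix}`, default suffix `arvados-ssl-privkey-password`), and a mismatch only surfaces at runtime on the nodes when the retrieval loop cannot fetch the secret; the comment should say so, e.g. `# Must match the secret created by terraform (see terraform/aws/services/variables.tf: ssl_password_secret_name_suffix)`. This also assumes `CLUSTER` is assigned earlier in the file. The same addition appears in the two other `local.params.example.*` files below.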
diff --git a/tools/salt-install/local.params.example.single_host_multiple_hostnames b/tools/salt-install/local.params.example.single_host_multiple_hostnames
index b89ced9b5..56ecf9f92 100644
--- a/tools/salt-install/local.params.example.single_host_multiple_hostnames
+++ b/tools/salt-install/local.params.example.single_host_multiple_hostnames
@@ -58,6 +58,11 @@ SSL_MODE="self-signed"
 # See https://doc.arvados.org/intall/salt-single-host.html#bring-your-own for more information.
 # CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
 # CONFIG_DIR="local_config_dir"
diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname
index eaa71e7a2..54a78b619 100644
--- a/tools/salt-install/local.params.example.single_host_single_hostname
+++ b/tools/salt-install/local.params.example.single_host_single_hostname
@@ -68,6 +68,11 @@ SSL_MODE="self-signed"
 # See https://doc.arvados.org/intall/salt-single-host.html#bring-your-own for more information.
 # CUSTOM_CERTS_DIR="${SCRIPT_DIR}/local_config_dir/certs"
 
+# Set the following to "yes" if the key files are encrypted and optionally set
+# a custom AWS secret name for each node to retrieve the password.
+SSL_KEY_ENCRYPTED="no"
+SSL_KEY_AWS_SECRET_NAME="${CLUSTER}-arvados-ssl-privkey-password"
+
 # The directory to check for the config files (pillars, states) you want to use.
 # There are a few examples under 'config_examples'.
 # CONFIG_DIR="local_config_dir"

commit 1bd3fa5209c808445ee8fa3bcfde8e88b0fd32d7
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Mon Feb 6 15:00:01 2023 -0300

    20035: Manages AWS secret and gives read access to service nodes.
    
    The secret's value will have to be set manually by the operator, so that
    no trace of it is kept on disk.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/terraform/aws/services/locals.tf b/tools/salt-install/terraform/aws/services/locals.tf
index 80dc33784..6a81967cf 100644
--- a/tools/salt-install/terraform/aws/services/locals.tf
+++ b/tools/salt-install/terraform/aws/services/locals.tf
@@ -8,5 +8,8 @@ locals {
   use_external_db = data.terraform_remote_state.data-storage.outputs.use_external_db
   public_ip = data.terraform_remote_state.vpc.outputs.public_ip
   private_ip = data.terraform_remote_state.vpc.outputs.private_ip
+  pubkey_path = pathexpand(var.pubkey_path)
+  pubkey_name = "arvados-deployer-key"
   hostnames = [ for hostname, eip_id in data.terraform_remote_state.vpc.outputs.eip_id: hostname ]
+  ssl_password_secret_name = "${local.cluster_name}-${var.ssl_password_secret_name_suffix}"
 }
diff --git a/tools/salt-install/terraform/aws/services/main.tf b/tools/salt-install/terraform/aws/services/main.tf
index 34eba5e61..9c27b9726 100644
--- a/tools/salt-install/terraform/aws/services/main.tf
+++ b/tools/salt-install/terraform/aws/services/main.tf
@@ -19,10 +19,6 @@ provider "aws" {
   }
 }
 
-locals {
-  pubkey_path = pathexpand(var.pubkey_path)
-  pubkey_name = "arvados-deployer-key"
-}
 resource "aws_key_pair" "deployer" {
   key_name = local.pubkey_name
   public_key = file(local.pubkey_path)
@@ -38,6 +34,15 @@ resource "aws_iam_instance_profile" "dispatcher_instance_profile" {
   role = aws_iam_role.cloud_dispatcher_iam_role.name
 }
 
+resource "aws_secretsmanager_secret" "ssl_password_secret" {
+  name = local.ssl_password_secret_name
+}
+
+resource "aws_iam_instance_profile" "default_instance_profile" {
+  name = "${local.cluster_name}_default_instance_profile"
+  role = aws_iam_role.default_iam_role.name
+}
+
 resource "aws_instance" "arvados_service" {
   for_each = toset(local.hostnames)
   ami = data.aws_ami.debian-11.image_id
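Review bot: `aws_secretsmanager_secret.ssl_password_secret` sets only `name`; the value is meant to be entered by hand (per the commit message) and nothing in the resource records that, so a `description = "Arvados SSL private key password; value is set manually by the operator"` would make the empty secret self-explanatory in the console. Note also that with the default recovery window a destroyed secret keeps its name reserved for 30 days, so a destroy/re-apply under the same cluster name fails until then unless `recovery_window_in_days` is set deliberately. The `aws_instance.arvados_service` resource continues past the end of the hunk.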
@@ -50,7 +55,7 @@ resource "aws_instance" "arvados_service" {
   subnet_id = data.terraform_remote_state.vpc.outputs.arvados_subnet_id
   vpc_security_group_ids = [ data.terraform_remote_state.vpc.outputs.arvados_sg_id ]
   # This should be done in a more readable way
-  iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : ""
+  iam_instance_profile = each.value == "controller" ? aws_iam_instance_profile.dispatcher_instance_profile.name : length(regexall("^keep[0-9]+", each.value)) > 0 ? aws_iam_instance_profile.keepstore_instance_profile.name : aws_iam_instance_profile.default_instance_profile.name
   tags = {
     Name = "arvados_service_${each.value}"
   }
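Review bot: Replacing the empty default with `aws_iam_instance_profile.default_instance_profile.name` gives every node that is neither the controller nor a keepstore an instance role, and the policy attached further down grants `secretsmanager:GetSecretValue` on the key-password secret, so any local user or compromised process on such a node can fetch the password through the instance metadata service; that matters if a node where people have interactive logins is among `local.hostnames`. Consider limiting the attachment to nodes that actually terminate TLS, and requiring IMDSv2 on the instances with `metadata_options { http_tokens = "required" }` so a plain request-forgery bug cannot reach the role credentials. The existing `# This should be done in a more readable way` comment still applies to the three-way ternary; a `lookup()` over a map keyed by role would read better. The `aws_instance` block starts and ends outside the hunk.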
@@ -106,3 +111,32 @@ resource "aws_eip_association" "eip_assoc" {
   instance_id = aws_instance.arvados_service[each.value].id
   allocation_id = data.terraform_remote_state.vpc.outputs.eip_id[each.value]
 }
+
+resource "aws_iam_role" "default_iam_role" {
+  name = "${local.cluster_name}-default-iam-role"
+  assume_role_policy = "${file("../assumerolepolicy.json")}"
+}
+
+resource "aws_iam_policy" "ssl_privkey_password_access" {
+  name = "${local.cluster_name}_ssl_privkey_password_access"
+  policy = jsonencode({
+    Version: "2012-10-17",
+    Statement: [{
+      Effect: "Allow",
+      Action: "secretsmanager:GetSecretValue",
+      Resource: "${aws_secretsmanager_secret.ssl_password_secret.arn}"
+    }]
+  })
+}
+
+# Every service node needs access to the SSL privkey password secret for
+# nginx to be able to use it.
+resource "aws_iam_policy_attachment" "ssl_privkey_password_access_attachment" {
+  name = "${local.cluster_name}_ssl_privkey_password_access_attachment"
+  roles = [
+    aws_iam_role.cloud_dispatcher_iam_role.name,
+    aws_iam_role.default_iam_role.name,
+    data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
+  ]
+  policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
+}
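Review bot: `aws_iam_policy_attachment` is the exclusive-attachment resource: the provider documents that it detaches the policy from every user, group or role not listed in it, and one of the listed roles (`keepstore_iam_role_name`) is owned by another Terraform state, so any attachment of this policy made elsewhere is silently removed on apply. One `aws_iam_role_policy_attachment` per role via `for_each` avoids that and lets each attachment be added or removed independently. The `"${file(...)}"` wrapper on `assume_role_policy` and `"${aws_secretsmanager_secret.ssl_password_secret.arn}"` on `Resource` are legacy interpolation syntax; `terraform fmt`/`validate` warns about them and the bare expressions are equivalent.
```hcl
resource "aws_iam_role_policy_attachment" "ssl_privkey_password_access_attachment" {
  for_each = toset([
    aws_iam_role.cloud_dispatcher_iam_role.name,
    aws_iam_role.default_iam_role.name,
    data.terraform_remote_state.data-storage.outputs.keepstore_iam_role_name,
  ])
  role       = each.value
  policy_arn = aws_iam_policy.ssl_privkey_password_access.arn
}
```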
diff --git a/tools/salt-install/terraform/aws/services/outputs.tf b/tools/salt-install/terraform/aws/services/outputs.tf
index 845687613..0c29420e8 100644
--- a/tools/salt-install/terraform/aws/services/outputs.tf
+++ b/tools/salt-install/terraform/aws/services/outputs.tf
@@ -58,3 +58,7 @@ output "deploy_user" {
 output "region_name" {
   value = data.terraform_remote_state.vpc.outputs.region_name
 }
+
+output "ssl_password_secret_name" {
+  value = aws_secretsmanager_secret.ssl_password_secret.name
+}
\ No newline at end of file
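Review bot: `outputs.tf` now ends without a trailing newline (`\ No newline at end of file`), and the same is true of `terraform.tfvars`, `variables.tf` and the `ssl_key_encrypted` state file earlier on this page; the next edit to any of them will show a spurious diff on the last line. Running `terraform fmt` over the `.tf` files restores the newline, and an editor setting handles the `.sls`.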
diff --git a/tools/salt-install/terraform/aws/services/terraform.tfvars b/tools/salt-install/terraform/aws/services/terraform.tfvars
index 374ecbe08..79f3dc318 100644
--- a/tools/salt-install/terraform/aws/services/terraform.tfvars
+++ b/tools/salt-install/terraform/aws/services/terraform.tfvars
@@ -7,3 +7,7 @@
 
 # Set the instance type for your hosts. Default: m5a.large
 # default_instance_type = "t2.micro"
+
+# AWS secret's name which holds the SSL certificate private key's password.
+# Default: "arvados-ssl-privkey-password"
+# ssl_password_secret_name_suffix = "some-name-suffix"
\ No newline at end of file
diff --git a/tools/salt-install/terraform/aws/services/variables.tf b/tools/salt-install/terraform/aws/services/variables.tf
index 89b1886c1..e520a9ab8 100644
--- a/tools/salt-install/terraform/aws/services/variables.tf
+++ b/tools/salt-install/terraform/aws/services/variables.tf
@@ -13,3 +13,9 @@ variable "pubkey_path" {
   type = string
   default = "~/.ssh/id_rsa.pub"
 }
+
+variable "ssl_password_secret_name_suffix" {
+  description = "Name suffix for the SSL certificate's private key password AWS secret."
+  type = string
+  default = "arvados-ssl-privkey-password"
+}
\ No newline at end of file

commit ca210064364c6f45db1e2d6a936f21940a3cf03f
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Thu Feb 2 15:16:19 2023 -0300

    20035: Ensures proper permissions on places where certificate's keys are saved.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index 3b2be59f3..d2345273f 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -10,8 +10,16 @@
 extra_custom_certs_file_directory_certs_dir:
   file.directory:
     - name: /etc/nginx/ssl
+    - user: root
+    - group: root
+    - dir_mode: 0750
+    - file_mode: 0640
     - require:
       - pkg: nginx_install
+    - recurse:
+      - user
+      - group
+      - mode
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
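Review bot: `dir_mode: 0750` and `file_mode: 0640` (and `mode: 0640` in the next hunk) are bare YAML scalars with a leading zero, whereas the `password_secret_connector.service` state earlier on this page quotes its mode as `'0644'`; to a YAML 1.1 parser an unquoted leading-zero literal is an octal integer, so whether Salt sees `0640` or its decimal value depends on the loader. Quoting them (`dir_mode: '0750'`, `file_mode: '0640'`, `mode: '0640'`) removes the ambiguity and matches the rest of the series. With `recurse: mode` the modes are also applied to everything already under `/etc/nginx/ssl`, which is fine if only this state writes there but deserves a comment otherwise.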
@@ -25,6 +33,7 @@ extra_custom_certs_file_copy_{{ c }}:
     - force: true
     - user: root
     - group: root
+    - mode: 0640
     - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir
diff --git a/tools/salt-install/installer.sh b/tools/salt-install/installer.sh
index 0cb4b6e09..e72786ac0 100755
--- a/tools/salt-install/installer.sh
+++ b/tools/salt-install/installer.sh
@@ -74,11 +74,13 @@ sync() {
 	    # from that.
 
 	    ssh $DEPLOY_USER@$NODE git init --bare ${GITTARGET}.git
+		ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}.git
 	    if ! git remote add $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git ; then
 			git remote set-url $NODE $DEPLOY_USER@$NODE:${GITTARGET}.git
 	    fi
 	    git push $NODE $BRANCH
 	    ssh $DEPLOY_USER@$NODE git clone ${GITTARGET}.git ${GITTARGET}
+		ssh $DEPLOY_USER@$NODE chmod 700 ${GITTARGET}
 	fi
 
 	# The update case.
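Review bot: The two added `ssh $DEPLOY_USER@$NODE chmod 700 ...` lines are indented with two tabs while the surrounding lines of `sync()` use a tab followed by spaces, so the block no longer lines up at tab widths other than four. The `chmod` also runs after `git init --bare` / `git clone` has created the directory under the remote user's default umask; `ssh $DEPLOY_USER@$NODE "umask 077 && git init --bare ${GITTARGET}.git"` (and likewise for the clone) creates it restricted from the start, although nothing sensitive is pushed until after the chmod, so this is mostly tidiness. `sync()` starts and ends outside this hunk.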
@@ -108,7 +110,7 @@ deploynode() {
     logfile=deploy-${NODE}-$(date -Iseconds).log
 
     if [[ "$NODE" = localhost ]] ; then
-	SUDO=''
+	    SUDO=''
 	if [[ $(whoami) != 'root' ]] ; then
 	    SUDO=sudo
 	fi
@@ -173,6 +175,7 @@ case "$subcmd" in
 
 	echo "Initializing $SETUPDIR"
 	git init $SETUPDIR
+	chmod 700 $SETUPDIR
 	cp -r *.sh tests $SETUPDIR
 
 	cp local.params.example.$PARAMS $SETUPDIR/${CONFIG_FILE}
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index 77c201615..435c56d05 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -142,15 +142,18 @@ copy_custom_cert() {
   cert_name=${2}
 
   mkdir -p /srv/salt/certs
+  chmod 700 /srv/salt/certs
 
   if [ -f ${cert_dir}/${cert_name}.crt ]; then
     cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
+    chmod 600 /srv/salt/certs/arvados-${cert_name}.pem
   else
     echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
     exit 1
   fi
   if [ -f ${cert_dir}/${cert_name}.key ]; then
     cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
+    chmod 600 /srv/salt/certs/arvados-${cert_name}.key
   else
     echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
     exit 1
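Review bot: Each `cp -v ... ` followed by `chmod 600` first creates the key under the current umask and tightens it afterwards; `install -m 0600 -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key` does both in one step and removes a line per file (the `.crt` copy can use the same form). `chmod 600` on the `.crt` is stricter than a public certificate needs, which is harmless but worth a word in a comment if intentional. `copy_custom_cert()` begins before this hunk.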
@@ -561,9 +564,11 @@ if [ -z "${ROLES}" ]; then
     grep -q "letsencrypt"     ${S_DIR}/top.sls || echo "    - letsencrypt" >> ${S_DIR}/top.sls
   else
     mkdir -p /srv/salt/certs
+    chmod 700 /srv/salt/certs
     if [ "${SSL_MODE}" = "bring-your-own" ]; then
       # Copy certs to formula extra/files
       cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
+      chmod 600 /srv/salt/certs/*
       # We add the custom_certs state
       grep -q "custom_certs"    ${S_DIR}/top.sls || echo "    - extra.custom_certs" >> ${S_DIR}/top.sls
     fi
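Review bot: `chmod 600 /srv/salt/certs/*` follows a `cp -rv ${CUSTOM_CERTS_DIR}/*`, so if `CUSTOM_CERTS_DIR` ever contains a subdirectory it is copied recursively and then given mode 600, which makes it untraversable and leaves the files inside it with their copied modes; `chmod -R u=rwX,go= /srv/salt/certs` (or `find /srv/salt/certs -type f -exec chmod 600 {} +`) handles files and directories consistently. If only flat files are expected, dropping `-r` from the `cp` would make that explicit. The `if [ -z "${ROLES}" ]` block continues outside the hunk.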
