[arvados] created: 2.7.0-4998-g42d9629463

git repository hosting git at public.arvados.org
Fri Oct 13 19:59:26 UTC 2023


        at  42d962946371fa4d388f834da3f301b3912648f3 (commit)


commit 42d962946371fa4d388f834da3f301b3912648f3
Author: Lucas Di Pentima <lucas.dipentima at curii.com>
Date:   Thu Oct 12 18:14:39 2023 -0300

    20969: Reloads nginx when custom TLS cert and key files change.
    
    The way it's implemented may appear overly complicated, but we do the extra
    check to avoid restarting nginx with a crt file that doesn't correspond to
    the key file. This would happen otherwise, as 'cmd.run' gets executed when
    any of the files listed inside 'onchanges' changes.
    
    Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <lucas.dipentima at curii.com>

diff --git a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
index 5a7d9a269a..132a2d6382 100644
--- a/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/multi_host/aws/states/custom_certs.sls
@@ -24,18 +24,40 @@ extra_custom_certs_file_directory_certs_dir:
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
     {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
-    {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
   file.copy:
-    - name: {{ dest_cert_dir }}/{{ c }}
-    - source: {{ orig_cert_dir }}/{{ c }}
+    - name: {{ dest_cert_dir }}/{{ cert_file }}
+    - source: {{ orig_cert_dir }}/{{ cert_file }}
     - force: true
     - user: root
     - group: root
     - mode: 0640
-    - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+    - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir
-    {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+  file.copy:
+    - name: {{ dest_cert_dir }}/{{ key_file }}
+    - source: {{ orig_cert_dir }}/{{ key_file }}
+    - force: true
+    - user: root
+    - group: root
+    - mode: 0640
+    - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+    - require:
+      - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+  cmd.run:
+    - name: systemctl reload nginx
+    - require:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onchanges:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onlyif:
+      - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
   {%- endfor %}
 {%- endif %}
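Review bot: The `onlyif` test on the `openssl rsa -modulus` line only works for RSA keys: on an EC or Ed25519 key `openssl rsa` fails, the left side of the comparison expands to nothing, and the reload is silently withheld on every rotation, so nginx keeps serving the old certificate. Comparing the public keys is key-type agnostic and, with the substitutions quoted, survives empty output: `- test "$(openssl pkey -pubout -in {{ dest_cert_dir }}/{{ key_file }})" = "$(openssl x509 -pubkey -noout -in {{ dest_cert_dir }}/{{ cert_file }})"` (single `=`, since the shell cmd.run uses is not guaranteed to be bash; the provision.sh hunks mention an `ssl_key_encrypted` pillar, so if keys can be passphrase-protected the check presumably also needs a `-passin` source or it fails the same way). Note too that the check runs after both `file.copy` states have already overwritten `{{ dest_cert_dir }}`, so a mismatched pair is still installed on disk and only the reload is skipped; running the same comparison against `{{ orig_cert_dir }}` as an `onlyif` on the two copy states would keep the installed pair consistent. The two single_host custom_certs.sls hunks below have the identical lines. The enclosing Jinja `for`/`if` blocks open before the hunk.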
diff --git a/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls b/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls
index 3b2be59f36..cf8874c2d5 100644
--- a/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/single_host/multiple_hostnames/states/custom_certs.sls
@@ -15,19 +15,41 @@ extra_custom_certs_file_directory_certs_dir:
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
-    {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
     {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
-    {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
   file.copy:
-    - name: {{ dest_cert_dir }}/{{ c }}
-    - source: {{ orig_cert_dir }}/{{ c }}
+    - name: {{ dest_cert_dir }}/{{ cert_file }}
+    - source: {{ orig_cert_dir }}/{{ cert_file }}
     - force: true
     - user: root
     - group: root
-    - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+    - mode: 0640
+    - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir
-    {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+  file.copy:
+    - name: {{ dest_cert_dir }}/{{ key_file }}
+    - source: {{ orig_cert_dir }}/{{ key_file }}
+    - force: true
+    - user: root
+    - group: root
+    - mode: 0640
+    - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+    - require:
+      - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+  cmd.run:
+    - name: systemctl reload nginx
+    - require:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onchanges:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onlyif:
+      - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
   {%- endfor %}
 {%- endif %}
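Review bot: The newly added `- mode: 0640` on the cert copy is an unquoted leading-zero scalar, which a YAML 1.1-style loader reads as the integer 416; whether the intended permission bits survive then depends on Salt's mode normalization rather than on what the file says. Writing it as a string, `- mode: '0640'`, removes that dependency and reads unambiguously; the key-copy state in this hunk, the multi_host hunk above and the single_hostname hunk below use the same unquoted form. The enclosing Jinja loop opens before the hunk.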
diff --git a/tools/salt-install/config_examples/single_host/single_hostname/states/custom_certs.sls b/tools/salt-install/config_examples/single_host/single_hostname/states/custom_certs.sls
index 3b2be59f36..cf8874c2d5 100644
--- a/tools/salt-install/config_examples/single_host/single_hostname/states/custom_certs.sls
+++ b/tools/salt-install/config_examples/single_host/single_hostname/states/custom_certs.sls
@@ -15,19 +15,41 @@ extra_custom_certs_file_directory_certs_dir:
 
   {%- for cert in certs %}
     {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
-    {#- set csr_file = 'arvados-' ~ cert ~ '.csr' #}
     {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
-    {% for c in [cert_file, key_file] %}
-extra_custom_certs_file_copy_{{ c }}:
+extra_custom_certs_{{ cert }}_cert_file_copy:
   file.copy:
-    - name: {{ dest_cert_dir }}/{{ c }}
-    - source: {{ orig_cert_dir }}/{{ c }}
+    - name: {{ dest_cert_dir }}/{{ cert_file }}
+    - source: {{ orig_cert_dir }}/{{ cert_file }}
     - force: true
     - user: root
     - group: root
-    - unless: cmp {{ dest_cert_dir }}/{{ c }} {{ orig_cert_dir }}/{{ c }}
+    - mode: 0640
+    - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
     - require:
       - file: extra_custom_certs_file_directory_certs_dir
-    {%- endfor %}
+
+extra_custom_certs_{{ cert }}_key_file_copy:
+  file.copy:
+    - name: {{ dest_cert_dir }}/{{ key_file }}
+    - source: {{ orig_cert_dir }}/{{ key_file }}
+    - force: true
+    - user: root
+    - group: root
+    - mode: 0640
+    - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
+    - require:
+      - file: extra_custom_certs_file_directory_certs_dir
+
+extra_nginx_service_reload_on_{{ cert }}_certs_changes:
+  cmd.run:
+    - name: systemctl reload nginx
+    - require:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onchanges:
+      - file: extra_custom_certs_{{ cert }}_cert_file_copy
+      - file: extra_custom_certs_{{ cert }}_key_file_copy
+    - onlyif:
+      - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})
   {%- endfor %}
 {%- endif %}
diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh
index beac6b0353..a93899a61a 100755
--- a/tools/salt-install/provision.sh
+++ b/tools/salt-install/provision.sh
@@ -676,7 +676,7 @@ if [ -z "${ROLES:-}" ]; then
       grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo "  - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
 
       # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
-      sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g;
+      sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${CERT_NAME}_cert_file_copy/g;
               s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g;
               s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \
       ${P_DIR}/nginx_${c}_configuration.sls
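Review bot: `__CERT_REQUIRES__` now resolves to `file: extra_custom_certs_${CERT_NAME}_cert_file_copy` alone, so whatever consumes that placeholder in `nginx_${c}_configuration.sls` is ordered after the cert copy but not after the separate key copy state the new SLS files introduce; if that consumer is the nginx config or service state, it can presumably run with a fresh `.pem` and a stale `.key` on disk. Since the key state now has a stable ID, the replacement could emit a second `- file: extra_custom_certs_${CERT_NAME}_key_file_copy` requisite line, with indentation matching the consuming file (not visible here). The same substitution appears in the four other provision.sh hunks below. The enclosing `if` block opens before the hunk.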
@@ -766,7 +766,7 @@ else
         elif [ "${SSL_MODE}" = "bring-your-own" ]; then
           grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo "    - ssl_key_encrypted" >> ${PILLARS_TOP}
           for SVC in grafana prometheus; do
-            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${SVC}.pem/g;
+            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${SVC}_cert_file_copy/g;
                     s#__CERT_PEM__#/etc/nginx/ssl/arvados-${SVC}.pem#g;
                     s#__CERT_KEY__#/etc/nginx/ssl/arvados-${SVC}.key#g" \
               ${P_DIR}/nginx_${SVC}_configuration.sls
@@ -804,7 +804,7 @@ else
           fi
         elif [ "${SSL_MODE}" = "bring-your-own" ]; then
           grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo "    - ssl_key_encrypted" >> ${PILLARS_TOP}
-          sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+          sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
                   s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
                   s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
             ${P_DIR}/nginx_${R}_configuration.sls
@@ -860,7 +860,7 @@ else
             ${P_DIR}/nginx_${R}_configuration.sls
           else
             grep -q "ssl_key_encrypted" ${PILLARS_TOP} || echo "    - ssl_key_encrypted" >> ${PILLARS_TOP}
-            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
                     s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
                     s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
             ${P_DIR}/nginx_${R}_configuration.sls
@@ -949,14 +949,14 @@ else
           # Special case for keepweb
           if [ ${R} = "keepweb" ]; then
             for kwsub in download collections; do
-              sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g;
+              sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${kwsub}_cert_file_copy/g;
                       s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g;
                       s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \
               ${P_DIR}/nginx_${kwsub}_configuration.sls
               grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo "  - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls
             done
           else
-            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
+            sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_${R}_cert_file_copy/g;
                     s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
                     s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
             ${P_DIR}/nginx_${R}_configuration.sls
