Merge pull request #10 from netmanagers/master

Add a CA to the example files, required for some Arvados components

docs/README.rst

@@ -44,7 +44,22 @@ Please see `How to contribute <https://github.com/saltstack-formulas/.github/blo
 Special notes
 -------------
 
-None.
+In the `Arvados repository <https://github.com/arvados/arvados/>`_ you can find `a provision script <https://github.com/arvados/arvados/tree/master/tools/salt-install>`_
+to deploy a single-node, all-in-one Arvados cluster (The script uses this formula to get a cluster up and running in Saltstack's master-less mode).
+
+The `single-node` install does not include SLURM: it is intended for an `all-in-one-host` installation,
+so it uses `crunch-dispatch-local` to run containers in the same instance.
+
+The provision script can be run anywhere, so you can run it in an AWS instance and you'll get a `single-node` Arvados cluster there.
+
+The Arvados formula allows you to `install any dispatcher available <https://github.com/saltstack-formulas/arvados-formula/blob/master/pillar.example#L182-L191>`_,
+provided you configure the pillars the way you need them.
+
+Arvados currently has three dispatchers:
+
+* **crunch-dispatch-local** (for single node installations),
+* **arvados-dispatch-cloud** (for dynamic compute on AWS or Azure) and
+* **crunch-dispatch-slurm** (for SLURM integration).
 
 Requisites
 ----------
@@ -56,7 +71,10 @@ We suggest you use the `postgres-formula <https://github.com/saltstack-formulas/
 the `nginx-formula <https://github.com/saltstack-formulas/nginx-formula/>`_ and the
 `letsencrypt-formula <https://github.com/saltstack-formulas/letsencrypt-formula/>`_ to satisfy these dependencies.
 In the **test/salt/pillar/examples/** directory there are example pillar YAMLs to set up these packages, using the mentioned formulas
-as Arvados needs them.
+as Arvados needs them.a
+
+In the **test/salt/states/examples/** directory there are some example helper states to set up a few requirements for single-node
+(all-in-one) Arvados host.
 
 Usage
 -----

kitchen.yml

@@ -104,16 +104,14 @@ suites:
       state_top:
         base:
           '*':
-            - example_single_host_host_entries
-            - example_add_snakeoil_certs
+            - single_host.host_entries
+            - single_host.snakeoil_certs
             - locale
             - nginx.passenger
             - postgres
             - arvados.repo
             - arvados.api
             - arvados.websocket
-            # keepproxy complains when using snakeoil certs, so we can't
-            # properly test it here until next version removes this limitation
             - arvados.keepproxy
             - arvados.keepweb
             - arvados.controller
@@ -146,10 +144,8 @@ suites:
         example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls
         # yamllint enable rule:line-length
       dependencies:
-        - name: example_single_host_host_entries
-          path: test/salt/states
-        - name: example_add_snakeoil_certs
-          path: test/salt/states
+        - name: single_host
+          path: test/salt/states/examples
         - name: locale
           repo: git
           source: https://github.com/saltstack-formulas/locale-formula.git
@@ -175,8 +171,8 @@ suites:
       state_top:
         base:
           '*':
-            - example_single_host_host_entries
-            - example_add_snakeoil_certs
+            - single_host.host_entries
+            - single_host.snakeoil_certs
             - nginx.passenger
             - arvados.repo
             - arvados.workbench
@@ -197,10 +193,8 @@ suites:
         example_nginx_workbench2.sls: test/salt/pillar/examples/nginx_workbench2_configuration.sls
         # yamllint enable rule:line-length
       dependencies:
-        - name: example_single_host_host_entries
-          path: test/salt/states
-        - name: example_add_snakeoil_certs
-          path: test/salt/states
+        - name: single_host
+          path: test/salt/states/examples
         - name: nginx
           repo: git
           source: https://github.com/netmanagers/nginx-formula.git

test/salt/pillar/examples/README.rst

@@ -0,0 +1,7 @@
+Pillar examples
+===============
+
+The files in this directory are pillar examples for the other formulas used to install
+Arvados (`locale-formula <https://github.com/saltstack-formulas/locale-formula/>`_,
+`postgres-formula <https://github.com/saltstack-formulas/postgres-formula/>`_ and
+`nginx-formula <https://github.com/saltstack-formulas/nginx-formula/>`_.

test/salt/pillar/examples/nginx_passenger.sls

@@ -53,8 +53,8 @@ nginx:
       # - resolver: 127.0.0.1
 
     ssl_snakeoil.conf:
-      - ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
-      - ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key
+      - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
+      - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
 
   ### SITES
   servers:

test/salt/pillar/examples/postgresql.sls

@@ -7,8 +7,8 @@ postgres:
   postgresconf: |-
     listen_addresses = '*'  # listen on all interfaces
     #ssl = on
-    #ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
-    #ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+    #ssl_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem'
+    #ssl_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key'
   acls:
     - ['local', 'all', 'postgres', 'peer']
     - ['local', 'all', 'all', 'peer']

test/salt/states/examples/single_host/README.rst

@@ -0,0 +1,17 @@
+Helper states for all-in-one setup
+==================================
+
+These states are helpful for setting up an all-in-one Arvados host.
+
+* `host_entries.sls`: adds a bunch of host entries in the `/etc/hosts` file of
+  the host instance, so all Arvados' components can find each other correctly,
+  using meaningful names.
+
+* `snakeoil_certs.sls`: Arvados uses SSL/TLS for communications, so you'll need
+  certificates for the different hosts. If you can't provide valid certificates
+  issued by a recognized CA, this state will create a SnakeOil CA and issue 
+  certificates signed by it.
+
+  The certs can't be self-signed because some of the libraries that Arvados
+  uses require certs issued by a CA. For this reason, if you use this state,
+  you'll need to copy the created CA cert to your certificates' directory.

test/salt/states/example_single_host_host_entries/init.sls → test/salt/states/examples/single_host/host_entries.sls

@@ -3,7 +3,7 @@
 {%- from "arvados/map.jinja" import arvados with context %}
 {%- set tpldir = curr_tpldir %}
 
-arvados_hosts_entries:
+arvados_test_salt_states_examples_single_host_etc_hosts_host_present:
   host.present:
     - ip: {{ grains.get('ipv4')[0] }}
     - names:

test/salt/states/examples/single_host/snakeoil_certs.sls

@@ -0,0 +1,148 @@
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+include:
+  - nginx.service
+
+{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
+{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
+{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+  {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %}
+  {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %}
+  {%- set openssl_conf = '/etc/ssl/openssl.cnf' %}
+{%- else %}
+  {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %}
+  {%- set update_ca_cert = '/usr/bin/update-ca-trust' %}
+  {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %}
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed:
+  pkg.installed:
+    - pkgs:
+      - openssl
+      - ca-certificates
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run:
+  # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run
+  cmd.run:
+    - name: |
+        # These dirs are not to CentOS-ish, but this is a helper script
+        # and they should be enough
+        mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
+        openssl req \
+          -new \
+          -nodes \
+          -sha256 \
+          -x509 \
+          -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \
+          -extensions x509_ext \
+          -config <(cat {{ openssl_conf }} \
+                  <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+          -out {{ arvados_ca_cert_file }} \
+          -keyout {{ arvados_ca_key_file }} \
+          -days 3650 && \
+        cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \
+        {{ update_ca_cert }}
+    - unless:
+      - test -f {{ arvados_ca_cert_file }}
+      - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }}
+    - require:
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run:
+  cmd.run:
+    - name: |
+        cat > /tmp/openssl.cnf <<-CNF
+        [req]
+        default_bits = 2048
+        prompt = no
+        default_md = sha256
+        req_extensions = rext
+        distinguished_name = dn
+        [dn]
+        C   = CC
+        ST  = Some State
+        L   = Some Location
+        O   = Arvados Formula
+        OU  = arvados-formula
+        CN  = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        [rext]
+        subjectAltName = @alt_names
+        [alt_names]
+        {%- for entry in grains.get('ipv4') %}
+        IP.{{ loop.index }} = {{ entry }}
+        {%- endfor %}
+        {%- for entry in [
+            'keep',
+            'collections',
+            'download',
+            'ws',
+            'workbench',
+            'workbench2',
+          ]
+        %}
+        DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+        {%- endfor %}
+        CNF
+
+        # The req
+        openssl req \
+          -config /tmp/openssl.cnf \
+          -new \
+          -nodes \
+          -sha256 \
+          -out {{ arvados_csr_file }} \
+          -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \
+        # The cert
+        openssl x509 \
+          -req \
+          -days 3650 \
+          -in {{ arvados_csr_file }} \
+          -out {{ arvados_cert_file }} \
+          -extfile /tmp/openssl.cnf \
+          -extensions rext \
+          -CA {{ arvados_ca_cert_file }} \
+          -CAkey {{ arvados_ca_key_file }} \
+          -set_serial $(date +%s) && \
+        chmod 0644 {{ arvados_cert_file }} && \
+        chmod 0640 {{ arvados_key_file }}
+    - unless:
+      - test -f {{ arvados_key_file }}
+      - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }}
+    - require:
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+      - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+
+{%- if grains.get('os_family') == 'Debian' %}
+arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
+  pkg.installed:
+    - name: ssl-cert
+    - require_in:
+      - sls: postgres
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run:
+  cmd.run:
+    - name: |
+        chown root:ssl-cert {{ arvados_key_file }}
+    - require:
+      - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
+      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
+  file.managed:
+    - name: /etc/nginx/snippets/arvados-snakeoil.conf
+    - contents: |
+        ssl_certificate {{ arvados_cert_file }};
+        ssl_certificate_key {{ arvados_key_file }};
+    - watch_in:
+      - service: nginx_service
+
+