Bug #18658

closed

[deployment][provision] custom SSL certificates are not properly deployed in multi-hosted environment

Added by Javier Bértoli about 2 years ago. Updated about 2 years ago.

Status: Resolved
Priority: Immediate
Assigned To: Javier Bértoli
Category: Deployment
Target version: -
Story points: -
Release relationship: Auto

Description

The certificates are not deployed when performing a multi-hosted deployment, throwing the following error:

    local:
        Data failed to compile:
    ----------
        No matching sls found for 'extra.custom_certs' in env 'base'

Actions #1

Updated by Ward Vandewege about 2 years ago

Reviewing 18658-fix-custom-certs-deployment-on-multi-host at 70a664a0965e8b1aa899b92854d86eededc6fc34

  • typo s/Plese/Please/g (two occurrences in local.params.example.*)
  • typo s/downoad/download/g (two occurrences in local.params.example.*)
  • The default for CUSTOM_CERTS_DIR now looks like

        CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"

    but nowhere does it say what ${SCRIPT_DIR} is, which directory is this? Can you mention what it is in the comment please.

  • The documentation does not state that, when using custom certs, the 'certs' directory also needs to be copied to the remote host before provision.sh is run there. Please add that.
  • The provision.sh script does not abort when it can't find certs it needs:

        $ ssh 18658-node-1 ./provision.sh --config local.params --roles database,api,controller,websocket,dispatcher
        Detected distro: ubuntu
        ...
        cp: cannot stat '/root/certs/controller.crt': No such file or directory
        '/root/certs/controller.key' -> '/srv/salt/certs/arvados-controller.key'
        cp: cannot stat '/root/certs/controller.crt': No such file or directory
        '/root/certs/controller.key' -> '/srv/salt/certs/arvados-controller.key'
        cp: cannot stat '/root/certs/websocket.crt': No such file or directory
        '/root/certs/websocket.key' -> '/srv/salt/certs/arvados-websocket.key'
        ...
        [INFO    ] Loading fresh modules for state activity
        [INFO    ] Creating module dir '/var/cache/salt/minion/extmods/clouds'
        [INFO    ] Syncing clouds for environment 'base'
        [INFO    ] Loading cache from salt://_clouds, for base
        ...

    It then fails much further down. It needs to abort immediately if a cert can not be copied.

  • The documentation for custom certs mentions 'keep.(crt|key)' as the certificate for keepproxy, but it appears that provision.sh actually uses 'keepproxy.(crt|key)'. Please make this consistent.

        ...
        cp: cannot stat '/root/certs/keepproxy.crt': No such file or directory
        cp: cannot stat '/root/certs/keepproxy.key': No such file or directory
        ...
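
The fail-fast behaviour asked for in the review above, as an added example (not code from provision.sh or from anyone in this thread): every certificate and key is checked before anything is copied, and the function returns non-zero at the first problem. The function name `copy_custom_certs` is hypothetical, and the `arvados-<name>.crt` destination name is an assumption that mirrors the `arvados-<name>.key` names visible in the log.

```shell
# Added example: fail-fast copy of custom certificates (hypothetical helper,
# not the project's provision.sh).
# Usage: copy_custom_certs SRC_DIR DEST_DIR NAME...
# For every NAME, SRC_DIR/NAME.crt and SRC_DIR/NAME.key must be non-empty,
# readable regular files. Nothing is copied unless every file passes.
copy_custom_certs() {
  local src="$1" dest="$2"
  shift 2
  local name ext f missing=0

  if [ ! -d "$src" ]; then
    echo "ERROR: certificate directory '$src' does not exist" >&2
    return 1
  fi

  # Pass 1: verify every file, reporting all problems in a single run.
  for name in "$@"; do
    for ext in crt key; do
      f="${src}/${name}.${ext}"
      if [ ! -f "$f" ] || [ ! -r "$f" ] || [ ! -s "$f" ]; then
        echo "ERROR: missing, unreadable or empty: $f" >&2
        missing=$((missing + 1))
      fi
    done
  done
  if [ "$missing" -gt 0 ]; then
    echo "ERROR: ${missing} certificate file(s) unusable, aborting" >&2
    return 1
  fi

  # Pass 2: copy, stopping at the first cp failure.
  # Destination naming for .crt is assumed to match the .key naming in the log.
  mkdir -p "$dest" || return 1
  for name in "$@"; do
    for ext in crt key; do
      cp "${src}/${name}.${ext}" "${dest}/arvados-${name}.${ext}" || return 1
    done
  done
}

# Call site in a provisioning script (names taken from the log above):
#   copy_custom_certs "${CUSTOM_CERTS_DIR}" /srv/salt/certs controller websocket keepproxy || exit 1
```
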
Actions #2

Updated by Javier Bértoli about 2 years ago

Ward Vandewege wrote:

Reviewing 18658-fix-custom-certs-deployment-on-multi-host at 70a664a0965e8b1aa899b92854d86eededc6fc34

  • typo s/Plese/Please/g (two occurrences in local.params.example.*)
  • typo s/downoad/download/g (two occurrences in local.params.example.*)
  • The default for CUSTOM_CERTS_DIR now looks like

        CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"

    but nowhere does it say what ${SCRIPT_DIR} is, which directory is this? Can you mention what it is in the comment please.

...
  • The provision.sh script does not abort when it can't find certs it needs:

[...]

It then fails much further down. It needs to abort immediately if a cert can not be copied.

  • The documentation for custom certs mentions 'keep.(crt|key)' as the certificate for keepproxy, but it appears that provision.sh actually uses 'keepproxy.(crt|key)'. Please make this consistent.

[...]

Addressed these at commit cd68f9569

  • The documentation does not state that, when using custom certs, the 'certs' directory also needs to be copied to the remote host before provision.sh is run there. Please add that.

It's already documented

Actions #3

Updated by Ward Vandewege about 2 years ago

Javier Bértoli wrote:

It's already documented

But it's not in the official documentation at doc.arvados.org, where we provide the copy command for people who are doing installs.

Anyway, thanks, please merge this into 2.3-release and main and I will fix the doc myself.

Actions #4

Updated by Javier Bértoli about 2 years ago

  • % Done changed from 0 to 100
  • Status changed from In Progress to Resolved

Applied in changeset arvados-private:commit:arvados|4f5540fdd686522e73f2c4416bd11d1000f99004.

Actions #5

Updated by Peter Amstutz about 2 years ago

  • Release set to 46