Feature #23464 (closed)

Port Salt ssl_key_encrypted to Ansible

Added by Brett Smith 21 days ago. Updated 1 day ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version:
Story points: -

Description

Port source:tools/salt-install/config_examples/multi_host/aws/states/ssl_key_encrypted.sls to Ansible, and clarify some names while we're at it. Start a new role arvados_aws_secret that:

  • Installs awscli and jq packages.
  • Installs the attached shell script as a static file to /usr/local/sbin/arvados-aws-secret.sh mode 0755.
  • Installs the attached systemd unit as a template to /etc/systemd/system/arvados_aws_secret.service. There are references to FIXME_quote that should be replaced with a filter that appropriately does backslash escaping for systemd unit files. Research what that is and fix these.
  • Makes /etc/systemd/system/password_secret_connector.service a symlink to arvados_aws_secret.service for compatibility with the Salt installer.
  • Enables and starts arvados_aws_secret.service.

You'll need to add copyright headers as appropriate to the attachments.

The template relies on aws_region and arvados_secret_id. Neither of these should have defaults. Calling the role without these set is an error.

A future ticket will call this role from arvados_nginx_frontend when TLS configuration requires it, but you can write the role standalone for now.


Files

arvados-aws-secret.sh (229 Bytes), Brett Smith, 03/03/2026 10:14 PM
arvados_aws_secret.service.j2 (691 Bytes), Brett Smith, 03/03/2026 10:14 PM

Subtasks 1 (0 open, 1 closed)

Task #23476: Review 23464-arvados-aws-secret (Resolved, Brett Smith, 03/23/2026)

#1

Updated by Brett Smith 21 days ago

  • Description updated (diff)
#2

Updated by Stephen Smith 8 days ago

  • Status changed from New to In Progress
#3

Updated by Stephen Smith 7 days ago · Edited

Changes at arvados|bd68d9262e6c142e6447fbdf881a73a56f497df9 branch 23464-arvados-aws-secret

Resources:
https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#Command%20lines
https://www.freedesktop.org/software/systemd/man/latest/systemd.syntax.html#Quoting

I didn't see an easy way to do the escaping with built-in filters, so I made a couple of simple filter plugins.

As far as I can tell there isn't any reason to handle odd ones like bell or backspace, so I focused on quotes, backslash, %, $, and newline - that one is odd but it actually works so I don't see why not to include it. Escaping the newline with \ causes systemd to parse it, replacing the newline with a space, and the script still works. We can also just pre-emptively replace newlines with spaces if you prefer that.

The ExecStart escape seems to just be the regular escape rules but with $ doubled.

The filters don't add quotes, but leave that to the consumer, since for env, it seems to work better if the entire line is quoted, not just the value.

I tested this with the string hel"lo$ \w'or%ld\nnewline, written in the inventory as "hel\"lo$ \\w'or%ld\nnewline"

Resulting env: "AWS_REGION=hel\"lo$ \\w\'or%%ld newline"
(Everything escaped except $, only escaped in ExecStart lines)

Resulting ExecStarts:

ExecStartPre=/usr/bin/mkfifo --mode=0600 %t/arvados/"hel\"lo$$ \\w\'or%%ld\
newline" 
ExecStart=/usr/local/sbin/arvados-aws-secret.sh "hel\"lo$$ \\w\'or%%ld\
newline" 

(everything escaped including $)

Resulting fifo: hel"lo$ \w'or%ld newline: fifo (named pipe)
(correctly represents original var)
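As an added example (not code from the Arvados project or from the 23464-arvados-aws-secret branch), here is a minimal Ansible filter plugin implementing the escaping rules described in the comment above, the kind of filter the ticket's FIXME_quote placeholders call for. The filter names, the exec_start_line helper and the systemd_unquote check are assumptions of this example; the sample string is the one the comment tested with, and the round-trip check reproduces the fifo name the comment reports (systemd turns the escaped newline into a space).

```python
# Added example (not the Arvados project's code): a small Ansible filter
# plugin implementing the escaping described in the comment above, plus a
# toy "unquote" used only to check the round trip against the fifo name the
# comment reports. Filter names and the unit-line helper are assumptions.


def systemd_escape(value):
    """Escape a value for use inside a double-quoted systemd unit setting.

    Handles backslash, double quote, single quote, percent (specifier) and
    newline.  Backslash goes first so the escapes added afterwards are not
    doubled again.  Quotes are not added; the consumer wraps the whole value
    (or, for Environment=, the whole KEY=value pair).
    """
    s = str(value)
    s = s.replace("\\", "\\\\")    # \  -> \\
    s = s.replace('"', '\\"')      # "  -> \"
    s = s.replace("'", "\\'")      # '  -> \'
    s = s.replace("%", "%%")       # %  -> %% (disables specifier expansion)
    s = s.replace("\n", "\\\n")    # newline -> backslash + newline (continuation)
    return s


def systemd_exec_escape(value):
    """As systemd_escape, plus $ -> $$ so Exec*= lines do not expand variables."""
    return systemd_escape(value).replace("$", "$$")


def exec_start_line(directive, command, argument):
    """Render e.g. ExecStart=/path/script "escaped-argument" as a unit line."""
    return '%s=%s "%s"' % (directive, command, systemd_exec_escape(argument))


def systemd_unquote(escaped, exec_line=False):
    """Undo the escaping the way the comment observed systemd parsing it:
    backslash-x -> x, backslash-newline -> space, %% -> %, and $$ -> $ on
    Exec lines.  This is a check for the example only, not a systemd parser."""
    out = []
    i, n = 0, len(escaped)
    while i < n:
        c = escaped[i]
        nxt = escaped[i + 1] if i + 1 < n else ""
        if c == "\\" and nxt:
            out.append(" " if nxt == "\n" else nxt)
            i += 2
        elif c == "%" and nxt == "%":
            out.append("%")
            i += 2
        elif exec_line and c == "$" and nxt == "$":
            out.append("$")
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


class FilterModule(object):
    """Ansible filter plugin entry point; place this file under filter_plugins/."""

    def filters(self):
        return {
            "systemd_escape": systemd_escape,
            "systemd_exec_escape": systemd_exec_escape,
        }


if __name__ == "__main__":
    # The test string from the comment, constructed here with a real newline.
    sample = 'hel"lo$ \\w\'or%ld\nnewline'
    print('Environment="AWS_REGION=%s"' % systemd_escape(sample))
    print(exec_start_line("ExecStart", "/usr/local/sbin/arvados-aws-secret.sh", sample))
    # Round trip: the escaped newline comes back as a space, matching the fifo name.
    assert systemd_unquote(systemd_exec_escape(sample), exec_line=True) == sample.replace("\n", " ")
```

In a template the filters are used as `"{{ aws_region | systemd_escape }}"` for Environment= values and `"{{ arvados_secret_id | systemd_exec_escape }}"` on Exec lines; the consumer supplies the surrounding double quotes, as the comment describes. Checking that unquoting the escaped value gives back the original (modulo newline becoming a space) is the test to keep alongside the filter, since a missed character silently changes which file the script is told to write.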

#4

Updated by Stephen Smith 7 days ago

  • Subtask #23476 added
#5

Updated by Stephen Smith 1 day ago

  • Status changed from In Progress to Resolved