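#!/bin/bash
#
# provision_salt_master.sh - cloud-init bootstrap for a Salt master.
#
# Installs a throw-away awscli, pulls the master's SSH/GPG/PKI secrets from
# Secrets Manager, writes the gitfs / git_pillar configuration, then starts
# salt-master and runs an initial highstate.
#
# Required environment: none. Optional: AWS_REGION (defaults to us-gov-east-1).
# Assumes it runs as root (yum, /etc/salt, ~root).

SUDO=""   # not read anywhere in this script; kept for callers that may expect it
LOG_FILE=/var/log/cloud-init-provision-salt-master-output.log
AWS="${HOME}/awscli/bin/aws"
REGION="${AWS_REGION:-us-gov-east-1}"

# Everything below goes to the log as well as the console. Secret values are
# never printed: every fetch writes straight into a file, not to stdout.
exec > >(tee "${LOG_FILE}") 2>&1

# Print a message to stderr and abort the bootstrap.
die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Fetch one Secrets Manager secret string into a file.
# The file is created with mode 0600 BEFORE any data is written, so the
# secret is never world-readable, not even for the instant between the
# original ">" redirect and the following chmod. A failed fetch removes the
# (empty) file and aborts, so an empty key is never installed and silently
# picked up by gpg/ssh/salt-master.
# Globals:   AWS (read), REGION (read)
# Arguments: $1 - secret id, $2 - destination path, $3 - final file mode
# Returns:   0 on success; exits the script on failure
#######################################
fetch_secret() {
  local secret_id=$1 dest=$2 mode=$3
  install -m 0600 /dev/null "$dest" || die "cannot create $dest"
  if ! "${AWS}" secretsmanager get-secret-value --region "${REGION}" \
      --secret-id "$secret_id" --query SecretString --output text > "$dest"; then
    rm -f -- "$dest"
    die "failed to fetch secret $secret_id"
  fi
  chmod "$mode" "$dest"
}

echo "Started provision_salt_master.sh"

#Install dependencies. The virtual env was used to reduce the python module conflicts between rpm and pip.
echo "Install dependencies"
yum install GitPython --enablerepo=epel -y
yum install python-virtualenv -y
virtualenv ~/awscli

#check if proxy settings are ready
if [ -s "/etc/pip.conf" ]; then
  ~/awscli/bin/pip install awscli
else
  echo "pip proxy not ready"
fi
# Without a working awscli every secret below would come back empty; stop here
# instead of continuing with unusable key files.
[ -x "${AWS}" ] || die "awscli is not installed at ${AWS}; cannot fetch secrets"
chmod +x "${AWS}"

#we need to refresh our bash session to pick up the proxy settings.
if [ -s "/etc/profile.d/proxy.sh" ]; then
  source /etc/profile.d/proxy.sh
else
  echo "System proxy not ready"
fi

# GitHub deploy key for the gitfs/git_pillar remotes.
mkdir -p -m 0700 ~root/.ssh
fetch_secret saltmaster/ssh_key ~root/.ssh/github_read_only 0600

#GPG Keys
echo "GPG Keys"
mkdir -p /etc/salt/gpgkeys
chmod 0700 /etc/salt/gpgkeys
fetch_secret saltmaster/gpg/private    /etc/salt/gpgkeys/private    0600
fetch_secret saltmaster/gpg/ownertrust /etc/salt/gpgkeys/ownertrust 0600
gpg --import --yes --batch -q --homedir /etc/salt/gpgkeys/ /etc/salt/gpgkeys/private \
  || die "gpg import of /etc/salt/gpgkeys/private failed"
gpg --import-ownertrust --homedir /etc/salt/gpgkeys/ /etc/salt/gpgkeys/ownertrust \
  || die "gpg ownertrust import failed"
# NOTE(review): the exported private key stays on disk in plaintext next to the
# keyring after import; confirm nothing later reads it before removing it here.

#Salt Master Pub/Private
mkdir -p /etc/salt/pki/master   # normally created by the salt-master package; harmless if present
fetch_secret saltmaster/master.pem /etc/salt/pki/master/master.pem 0400
fetch_secret saltmaster/master.pub /etc/salt/pki/master/master.pub 0600

#clean up. These are not needed after initial bootstrapping.
yum remove python-virtualenv -y
rm -rf -- "${HOME:?}/awscli"

mkdir -p -m 0700 ~/.ssh
cat > ~/.ssh/config << 'EOF'
Host github.mdr.defpoint.com
  IdentityFile ~/.ssh/github_read_only
EOF
chmod 0400 ~/.ssh/config

# Pin the GitHub Enterprise host key so the first gitfs fetch cannot be
# answered by an impostor; this replaces any existing known_hosts on purpose.
cat - > ~/.ssh/known_hosts << 'EOF'
github.mdr.defpoint.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBObDNqJCB+iXyR2hm0GRERmfEl33E7Kiu+UGmSHHC878NQjsvOtLxoRAPIU07bCzKutFNZCi+8bRkQWXtOT2InA=
EOF

mkdir -p /etc/salt/master.d
cat > /etc/salt/master.d/gpg_pillar.conf << 'EOF'
decrypt_pillar:
  - 'secrets' : gpg
EOF

#For both Test and Prod start out pointing to the Master branch. After inital startup, it is expected that a highstate will be run which will change the branch in Test to develop.
cat - > /etc/salt/master.d/gitfs.conf << 'EOF'
fileserver_backend:
  - gitfs
  - roots

gitfs_saltenv_whitelist:
  - base
  - master
  - develop

# File roots via Git
gitfs_provider: gitpython
gitfs_update_interval: 600
gitfs_base: master
gitfs_remotes:
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-infrastructure.git:
    - name: gitfs-base-msoc
    - base: master
    - root: salt/fileroots
  # File roots for the CM's
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-moose-cm.git:
    - name: msoc-moose-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-moose-cm
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-afs-cm.git:
    - name: msoc-afs-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-afs-cm
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-nga-cm.git:
    - name: msoc-nga-cm
    - base: master
    - mountpoint: salt://customer_repos/msoc-nga-cm
  # File roots for the deployment servers
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-nga-pop.git:
    - name: msoc-nga-pop
    - base: master
    - mountpoint: salt://deployment_servers/msoc-nga-pop
  - git@github.mdr.defpoint.com:mdr-engineering/msoc-afs-pop.git:
    - name: msoc-afs-pop
    - base: master
    - mountpoint: salt://deployment_servers/msoc-afs-pop

# Pillar via Git configs
git_pillar_provider: gitpython
git_pillar_root: salt/pillar
git_pillar_base: master
git_pillar_branch: master
ext_pillar:
  - git:
    - git@github.mdr.defpoint.com:mdr-engineering/msoc-infrastructure.git:
      - name: salt-piller-base
      - env: base
EOF

systemctl restart salt-master
systemctl enable salt-master

#This attempts to help out with accepting the minion key.
# salt-key -A -y accepts EVERY pending minion key without inspection; this is
# only safe while no untrusted host can reach the master's 4506 port during
# bootstrap - TODO confirm that is guaranteed by the network layout.
sleep 60
salt-key -A -y
salt-call state.highstate

echo "Ending provision_salt_master.sh"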