New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
преди 8 години
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394
  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
  4. {%- set rowloop = loop %}
  5. {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
  6. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
  7. {%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
  8. {%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
  9. {# Only ensure directories exists, don't touch permissions, etc. #}
  10. salt_minion_cert_{{ cert_name }}_dirs:
  11. file.directory:
  12. - names:
  13. - {{ key_dir }}
  14. - {{ cert_dir }}
  15. - makedirs: true
  16. - replace: false
  17. {{ key_file }}:
  18. x509.private_key_managed:
  19. - bits: {{ cert.get('bits', 4096) }}
  20. require:
  21. - file: salt_minion_cert_{{ cert_name }}_dirs
  22. {{ key_file }}_key_permissions:
  23. file.managed:
  24. - name: {{ key_file }}
  25. - mode: {{ cert.get("mode", 0600) }}
  26. {%- if salt['user.info'](cert.get("user", "root")) %}
  27. - user: {{ cert.get("user", "root") }}
  28. {%- endif %}
  29. {%- if salt['group.info'](cert.get("group", "root")) %}
  30. - group: {{ cert.get("group", "root") }}
  31. {%- endif %}
  32. - replace: false
  33. - watch:
  34. - x509: {{ key_file }}
  35. {{ cert_file }}:
  36. x509.certificate_managed:
  37. - ca_server: {{ cert.host }}
  38. - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  39. - public_key: {{ key_file }}
  40. - CN: {{ cert.common_name }}
  41. {%- if cert.alternative_names is defined %}
  42. - subjectAltName: {{ cert.alternative_names }}
  43. {%- endif %}
  44. - days_remaining: 30
  45. - backup: True
  46. - watch:
  47. - x509: {{ key_file }}
  48. {{ cert_file }}_cert_permissions:
  49. file.managed:
  50. - name: {{ cert_file }}
  51. - mode: {{ cert.get("mode", 0600) }}
  52. {%- if salt['user.info'](cert.get("user", "root")) %}
  53. - user: {{ cert.get("user", "root") }}
  54. {%- endif %}
  55. {%- if salt['group.info'](cert.get("group", "root")) %}
  56. - group: {{ cert.get("group", "root") }}
  57. {%- endif %}
  58. - replace: false
  59. - watch:
  60. - x509: {{ cert_file }}
  61. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %}
  62. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
  63. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
  64. {{ ca_file }}_{{ rowloop.index }}:
  65. x509.pem_managed:
  66. - name: {{ ca_file }}
  67. - text: {{ ca_cert|replace('\n', '') }}
  68. - watch:
  69. - x509: {{ cert_file }}
  70. {{ ca_file }}_cert_permissions:
  71. file.managed:
  72. - name: {{ ca_file }}
  73. - mode: 0644
  74. - watch:
  75. - x509: {{ ca_file }}
  76. {%- endif %}
  77. {%- endfor %}
  78. {%- endfor %}
  79. {%- endif %}