New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

cert.sls 7.7KB

8 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
8 jaren geleden
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258
  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. {%- if grains.os_family == 'RedHat' %}
  4. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
  5. {%- else %}
  6. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}
  7. {%- endif %}
  8. {%- if minion.cert is defined %}
  9. {%- set created_ca_files = [] %}
  10. {%- set created_ca_key_files = [] %}
  11. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
  12. {%- set rowloop = loop %}
  13. {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
  14. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
  15. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
  16. {%- set ca_key_file = cert.get('ca_key_file', '/etc/ssl/certs/ca-' + cert.authority + '.key') %}
  17. {%- set key_dir = salt['file.dirname'](key_file) %}
  18. {%- set cert_dir = salt['file.dirname'](cert_file) %}
  19. {%- set ca_dir = salt['file.dirname'](ca_file) %}
  20. {%- set ca_key_dir = salt['file.dirname'](ca_key_file) %}
  21. {# Only ensure directories exists, don't touch permissions, etc. #}
  22. salt_minion_cert_{{ cert_name }}_dirs:
  23. file.directory:
  24. - names:
  25. - {{ key_dir }}
  26. - {{ cert_dir }}
  27. - {{ ca_dir }}
  28. - {{ ca_key_dir }}
  29. - makedirs: true
  30. - replace: false
  31. {{ key_file }}:
  32. x509.private_key_managed:
  33. - bits: {{ cert.get('bits', 4096) }}
  34. - require:
  35. - file: salt_minion_cert_{{ cert_name }}_dirs
  36. {%- if cert.all_file is defined %}
  37. - watch_in:
  38. - cmd: salt_minion_cert_{{ cert_name }}_all
  39. {%- endif %}
  40. {{ key_file }}_key_permissions:
  41. file.managed:
  42. - name: {{ key_file }}
  43. - mode: {{ cert.get("mode", 0600) }}
  44. {%- if salt['user.info'](cert.get("user", "root")) %}
  45. - user: {{ cert.get("user", "root") }}
  46. {%- endif %}
  47. {%- if salt['group.info'](cert.get("group", "root")) %}
  48. - group: {{ cert.get("group", "root") }}
  49. {%- endif %}
  50. - replace: false
  51. - watch:
  52. - x509: {{ key_file }}
  53. {{ cert_file }}:
  54. x509.certificate_managed:
  55. {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}
  56. {% if cert.authority is defined and cert.signing_policy is defined %}
  57. - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  58. {%- endif %}
  59. - public_key: {{ key_file }}
  60. - CN: "{{ cert.common_name }}"
  61. {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}
  62. {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}
  63. {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}
  64. {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}
  65. {% if cert.signing_private_key is defined and cert.signing_cert is defined %}
  66. - signing_private_key: "{{ cert.signing_private_key }}"
  67. - signing_cert: "{{ cert.signing_cert }}"
  68. {%- endif %}
  69. {% if cert.alternative_names is defined %}
  70. - subjectAltName: "{{ cert.alternative_names }}"
  71. {%- endif %}
  72. {%- if cert.extended_key_usage is defined %}
  73. - extendedKeyUsage: "{{ cert.extended_key_usage }}"
  74. {%- endif %}
  75. {%- if cert.key_usage is defined %}
  76. - keyUsage: "{{ cert.key_usage }}"
  77. {%- endif %}
  78. - days_remaining: 30
  79. - backup: True
  80. - watch:
  81. - x509: {{ key_file }}
  82. {%- if cert.all_file is defined %}
  83. - watch_in:
  84. - cmd: salt_minion_cert_{{ cert_name }}_all
  85. {%- endif %}
  86. {{ cert_file }}_cert_permissions:
  87. file.managed:
  88. - name: {{ cert_file }}
  89. - mode: {{ cert.get("mode", 0600) }}
  90. {%- if salt['user.info'](cert.get("user", "root")) %}
  91. - user: {{ cert.get("user", "root") }}
  92. {%- endif %}
  93. {%- if salt['group.info'](cert.get("group", "root")) %}
  94. - group: {{ cert.get("group", "root") }}
  95. {%- endif %}
  96. - replace: false
  97. - watch:
  98. - x509: {{ cert_file }}
  99. {%- if cert.host is defined and ca_file not in created_ca_files %}
  100. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
  101. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
  102. {{ ca_file }}:
  103. x509.pem_managed:
  104. - name: {{ ca_file }}
  105. - text: {{ ca_cert|replace('\n', '') }}
  106. - watch:
  107. - x509: {{ cert_file }}
  108. {%- if cert.all_file is defined %}
  109. - watch_in:
  110. - cmd: salt_minion_cert_{{ cert_name }}_all
  111. {%- endif %}
  112. {{ ca_file }}_cert_permissions:
  113. file.managed:
  114. - name: {{ ca_file }}
  115. - mode: 0644
  116. {%- if salt['user.info'](cert.get("user", "root")) %}
  117. - user: {{ cert.get("user", "root") }}
  118. {%- endif %}
  119. {%- if salt['group.info'](cert.get("group", "root")) %}
  120. - group: {{ cert.get("group", "root") }}
  121. {%- endif %}
  122. - watch:
  123. - x509: {{ ca_file }}
  124. {%- endif %}
  125. {%- endfor %}
  126. {%- do created_ca_files.append(ca_file) %}
  127. {%- endif %}
  128. {%- if cert.host is defined and ca_key_file not in created_ca_key_files %}
  129. {%- for ca_key_path,ca_key in salt['mine.get'](cert.host, 'x509_get_private_key').get(cert.host, {}).iteritems() %}
  130. {%- if '/etc/pki/ca/'+cert.authority in ca_key_path %}
  131. {{ ca_key_file }}:
  132. x509.pem_managed:
  133. - name: {{ ca_key_file }}
  134. - text: {{ ca_key|replace('\n', '') }}
  135. - watch:
  136. - x509: {{ cert_file }}
  137. {{ ca_key_file }}_cert_permissions:
  138. file.managed:
  139. - name: {{ ca_key_file }}
  140. - mode: 0644
  141. {%- if salt['user.info'](cert.get("user", "root")) %}
  142. - user: {{ cert.get("user", "root") }}
  143. {%- endif %}
  144. {%- if salt['group.info'](cert.get("group", "root")) %}
  145. - group: {{ cert.get("group", "root") }}
  146. {%- endif %}
  147. - watch:
  148. - x509: {{ ca_key_file }}
  149. {%- endif %}
  150. {%- endfor %}
  151. {%- do created_ca_key_files.append(ca_key_file) %}
  152. {%- endif %}
  153. {%- if cert.all_file is defined %}
  154. salt_minion_cert_{{ cert_name }}_all:
  155. cmd.wait:
  156. - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}
  157. {{ cert.all_file }}_cert_permissions:
  158. file.managed:
  159. - name: {{ cert.all_file }}
  160. - mode: {{ cert.get("mode", 0600) }}
  161. {%- if salt['user.info'](cert.get("user", "root")) %}
  162. - user: {{ cert.get("user", "root") }}
  163. {%- endif %}
  164. {%- if salt['group.info'](cert.get("group", "root")) %}
  165. - group: {{ cert.get("group", "root") }}
  166. {%- endif %}
  167. - replace: false
  168. - watch:
  169. - cmd: salt_minion_cert_{{ cert_name }}_all
  170. {%- endif %}
  171. {%- endfor %}
  172. {%- endif %}
  173. salt_ca_certificates_packages:
  174. pkg.installed:
  175. {%- if grains.os_family == 'Debian' %}
  176. - name: ca-certificates
  177. {%- elif grains.os_family == 'RedHat' %}
  178. - name: ca-certificates
  179. {%- else %}
  180. - name: []
  181. {%- endif %}
  182. salt_update_certificates:
  183. cmd.wait:
  184. {%- if grains.os_family == 'Debian' %}
  185. - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"
  186. {%- elif grains.os_family == 'RedHat' %}
  187. - name: "update-ca-trust extract"
  188. {%- else %}
  189. - name: true
  190. {%- endif %}
  191. - require:
  192. - pkg: salt_ca_certificates_packages
  193. {%- if minion.get('trust_salt_ca', True) %}
  194. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
  195. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}
  196. {%- for ca_path, ca_cert in certs.iteritems() %}
  197. {%- if ca_path.startswith('/etc/pki/ca/') and ca_path.endswith('ca.crt') %}
  198. {# authority name can be obtained only from a cacert path in case of mine.get #}
  199. {%- set ca_authority = ca_path.split("/")[4] %}
  200. {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}
  201. salt_trust_ca_{{ cacert_file }}:
  202. x509.pem_managed:
  203. - name: {{ cacert_file }}
  204. - text: {{ ca_cert|replace('\n', '') }}
  205. - makedirs: True
  206. - watch_in:
  207. - file: salt_trust_ca_{{ cacert_file }}_permissions
  208. - cmd: salt_update_certificates
  209. salt_trust_ca_{{ cacert_file }}_permissions:
  210. file.managed:
  211. - name: {{ cacert_file }}
  212. - mode: 0444
  213. {%- endif %}
  214. {%- endfor %}
  215. {%- endfor %}
  216. {%- endfor %}
  217. {%- endif %}
  218. {%- endif %}