cert.sls 4.4KB
  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
  4. {%- set rowloop = loop %}
  5. {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
  6. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
  7. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
  8. {%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
  9. {%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
  10. {%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
  11. {# Only ensure directories exists, don't touch permissions, etc. #}
  12. salt_minion_cert_{{ cert_name }}_dirs:
  13. file.directory:
  14. - names:
  15. - {{ key_dir }}
  16. - {{ cert_dir }}
  17. - {{ ca_dir }}
  18. - makedirs: true
  19. - replace: false
  20. {{ key_file }}:
  21. x509.private_key_managed:
  22. - bits: {{ cert.get('bits', 4096) }}
  23. require:
  24. - file: salt_minion_cert_{{ cert_name }}_dirs
  25. {{ key_file }}_key_permissions:
  26. file.managed:
  27. - name: {{ key_file }}
  28. - mode: {{ cert.get("mode", 0600) }}
  29. {%- if salt['user.info'](cert.get("user", "root")) %}
  30. - user: {{ cert.get("user", "root") }}
  31. {%- endif %}
  32. {%- if salt['group.info'](cert.get("group", "root")) %}
  33. - group: {{ cert.get("group", "root") }}
  34. {%- endif %}
  35. - replace: false
  36. - watch:
  37. - x509: {{ key_file }}
  38. {{ cert_file }}:
  39. x509.certificate_managed:
  40. - ca_server: {{ cert.host }}
  41. - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  42. - public_key: {{ key_file }}
  43. - CN: "{{ cert.common_name }}"
  44. {%- if cert.alternative_names is defined %}
  45. - subjectAltName: "{{ cert.alternative_names }}"
  46. {%- endif %}
  47. {%- if cert.extended_key_usage is defined %}
  48. - extendedKeyUsage: "{{ cert.extended_key_usage }}"
  49. {%- endif %}
  50. {%- if cert.key_usage is defined %}
  51. - keyUsage: "{{ cert.key_usage }}"
  52. {%- endif %}
  53. - days_remaining: 30
  54. - backup: True
  55. - watch:
  56. - x509: {{ key_file }}
  57. {{ cert_file }}_cert_permissions:
  58. file.managed:
  59. - name: {{ cert_file }}
  60. - mode: {{ cert.get("mode", 0600) }}
  61. {%- if salt['user.info'](cert.get("user", "root")) %}
  62. - user: {{ cert.get("user", "root") }}
  63. {%- endif %}
  64. {%- if salt['group.info'](cert.get("group", "root")) %}
  65. - group: {{ cert.get("group", "root") }}
  66. {%- endif %}
  67. - replace: false
  68. - watch:
  69. - x509: {{ cert_file }}
  70. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
  71. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
  72. {{ ca_file }}_{{ rowloop.index }}:
  73. x509.pem_managed:
  74. - name: {{ ca_file }}
  75. - text: {{ ca_cert|replace('\n', '') }}
  76. - watch:
  77. - x509: {{ cert_file }}
  78. {%- if cert.all_file is defined %}
  79. - watch_in:
  80. - cmd: salt_minion_cert_{{ cert_name }}_all
  81. {%- endif %}
  82. {{ ca_file }}_cert_permissions_{{ rowloop.index }}:
  83. file.managed:
  84. - name: {{ ca_file }}
  85. - mode: 0644
  86. - watch:
  87. - x509: {{ ca_file }}
  88. {%- if grains.os_family == 'Debian' %}
  89. salt_ca_certificates_packages_{{ rowloop.index }}:
  90. pkg.installed:
  91. - name: ca-certificates
  92. {{ ca_file }}_{{ rowloop.index }}_debian_symlink:
  93. file.symlink:
  94. - name: "/usr/local/share/ca-certificates/ca-{{ cert.authority }}.crt"
  95. - target: {{ ca_file }}
  96. - watch_in:
  97. - cmd: salt_update_certificates_{{ rowloop.index }}
  98. - require:
  99. - pkg: salt_ca_certificates_packages_{{ rowloop.index }}
  100. salt_update_certificates_{{ rowloop.index }}:
  101. cmd.wait:
  102. - name: update-ca-certificates
  103. {%- endif %}
  104. {%- endif %}
  105. {%- endfor %}
  106. {%- if cert.all_file is defined %}
  107. salt_minion_cert_{{ cert_name }}_all:
  108. cmd.wait:
  109. - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}
  110. - watch:
  111. - x509: {{ key_file }}
  112. - x509: {{ cert_file }}
  113. {{ cert.all_file }}_cert_permissions:
  114. file.managed:
  115. - name: {{ cert.all_file }}
  116. - mode: {{ cert.get("mode", 0600) }}
  117. {%- if salt['user.info'](cert.get("user", "root")) %}
  118. - user: {{ cert.get("user", "root") }}
  119. {%- endif %}
  120. {%- if salt['group.info'](cert.get("group", "root")) %}
  121. - group: {{ cert.get("group", "root") }}
  122. {%- endif %}
  123. - replace: false
  124. - watch:
  125. - cmd: salt_minion_cert_{{ cert_name }}_all
  126. {%- endif %}
  127. {%- endfor %}
  128. {%- endif %}