New version of salt-formula from Saltstack

  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. {%- if grains.os_family == 'RedHat' %}
  4. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
  5. {%- else %}
  6. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}
  7. {%- endif %}
  8. {%- if minion.cert is defined %}
  9. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
  10. {%- set rowloop = loop %}
  11. {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
  12. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
  13. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
  14. {%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
  15. {%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
  16. {%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
  17. {# Only ensure directories exists, don't touch permissions, etc. #}
  18. salt_minion_cert_{{ cert_name }}_dirs:
  19. file.directory:
  20. - names:
  21. - {{ key_dir }}
  22. - {{ cert_dir }}
  23. - {{ ca_dir }}
  24. - makedirs: true
  25. - replace: false
  26. {{ key_file }}:
  27. x509.private_key_managed:
  28. - bits: {{ cert.get('bits', 4096) }}
  29. require:
  30. - file: salt_minion_cert_{{ cert_name }}_dirs
  31. {{ key_file }}_key_permissions:
  32. file.managed:
  33. - name: {{ key_file }}
  34. - mode: {{ cert.get("mode", 0600) }}
  35. {%- if salt['user.info'](cert.get("user", "root")) %}
  36. - user: {{ cert.get("user", "root") }}
  37. {%- endif %}
  38. {%- if salt['group.info'](cert.get("group", "root")) %}
  39. - group: {{ cert.get("group", "root") }}
  40. {%- endif %}
  41. - replace: false
  42. - watch:
  43. - x509: {{ key_file }}
  44. {{ cert_file }}:
  45. x509.certificate_managed:
  46. {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}
  47. {% if cert.authority is defined and cert.signing_policy is defined %}
  48. - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  49. {%- endif %}
  50. - public_key: {{ key_file }}
  51. - CN: "{{ cert.common_name }}"
  52. {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}
  53. {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}
  54. {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}
  55. {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}
  56. {% if cert.signing_private_key is defined and cert.signing_cert is defined %}
  57. - signing_private_key: "{{ cert.signing_private_key }}"
  58. - signing_cert: "{{ cert.signing_cert }}"
  59. {%- endif %}
  60. {% if cert.alternative_names is defined %}
  61. - subjectAltName: "{{ cert.alternative_names }}"
  62. {%- endif %}
  63. {%- if cert.extended_key_usage is defined %}
  64. - extendedKeyUsage: "{{ cert.extended_key_usage }}"
  65. {%- endif %}
  66. {%- if cert.key_usage is defined %}
  67. - keyUsage: "{{ cert.key_usage }}"
  68. {%- endif %}
  69. - days_remaining: 30
  70. - backup: True
  71. - watch:
  72. - x509: {{ key_file }}
  73. {{ cert_file }}_cert_permissions:
  74. file.managed:
  75. - name: {{ cert_file }}
  76. - mode: {{ cert.get("mode", 0600) }}
  77. {%- if salt['user.info'](cert.get("user", "root")) %}
  78. - user: {{ cert.get("user", "root") }}
  79. {%- endif %}
  80. {%- if salt['group.info'](cert.get("group", "root")) %}
  81. - group: {{ cert.get("group", "root") }}
  82. {%- endif %}
  83. - replace: false
  84. - watch:
  85. - x509: {{ cert_file }}
  86. {%- if cert.host is defined %}
  87. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
  88. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
  89. {{ ca_file }}_{{ rowloop.index }}:
  90. x509.pem_managed:
  91. - name: {{ ca_file }}
  92. - text: {{ ca_cert|replace('\n', '') }}
  93. - watch:
  94. - x509: {{ cert_file }}
  95. {%- if cert.all_file is defined %}
  96. - watch_in:
  97. - cmd: salt_minion_cert_{{ cert_name }}_all
  98. {%- endif %}
  99. {{ ca_file }}_cert_permissions_{{ rowloop.index }}:
  100. file.managed:
  101. - name: {{ ca_file }}
  102. - mode: 0644
  103. - watch:
  104. - x509: {{ ca_file }}
  105. {%- endif %}
  106. {%- endfor %}
  107. {%- endif %}
  108. {%- if cert.all_file is defined %}
  109. salt_minion_cert_{{ cert_name }}_all:
  110. cmd.wait:
  111. - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}
  112. - watch:
  113. - x509: {{ key_file }}
  114. - x509: {{ cert_file }}
  115. {{ cert.all_file }}_cert_permissions:
  116. file.managed:
  117. - name: {{ cert.all_file }}
  118. - mode: {{ cert.get("mode", 0600) }}
  119. {%- if salt['user.info'](cert.get("user", "root")) %}
  120. - user: {{ cert.get("user", "root") }}
  121. {%- endif %}
  122. {%- if salt['group.info'](cert.get("group", "root")) %}
  123. - group: {{ cert.get("group", "root") }}
  124. {%- endif %}
  125. - replace: false
  126. - watch:
  127. - cmd: salt_minion_cert_{{ cert_name }}_all
  128. {%- endif %}
  129. {%- endfor %}
  130. {%- endif %}
  131. salt_ca_certificates_packages:
  132. pkg.installed:
  133. {%- if grains.os_family == 'Debian' %}
  134. - name: ca-certificates
  135. {%- elif grains.os_family == 'RedHat' %}
  136. - name: ca-certificates
  137. {%- else %}
  138. - name: []
  139. {%- endif %}
  140. salt_update_certificates:
  141. cmd.wait:
  142. {%- if grains.os_family == 'Debian' %}
  143. - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"
  144. {%- elif grains.os_family == 'RedHat' %}
  145. - name: "update-ca-trust extract"
  146. {%- else %}
  147. - name: true
  148. {%- endif %}
  149. - require:
  150. - pkg: salt_ca_certificates_packages
  151. {%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}
  152. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
  153. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}
  154. {%- for ca_path, ca_cert in certs.iteritems() %}
  155. {%- if not 'ca.crt' in ca_path %}{% continue %}{% endif %}
  156. {%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}
  157. salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
  158. file.managed:
  159. - name: {{ cacerts_dir }}/{{ cacert_file }}
  160. - contents: |
  161. {{ ca_cert | indent(8) }}
  162. - makedirs: True
  163. - show_changes: True
  164. - follow_symlinks: True
  165. - watch_in:
  166. - cmd: salt_update_certificates
  167. {%- endfor %}
  168. {%- endfor %}
  169. {%- endfor %}
  170. {%- endif %}
  171. {%- endif %}