
Added Salt PKI setup, orchestration skeleton

tags/0.4
Ales Komarek před 8 roky
rodič
revize
5d17e4b42c
19 změnil soubory, kde provedl 331 přidání a 101 odebrání
  1. +9
    -0
      README.rst
  2. +2
    -0
      metadata/service/support.yml
  3. +18
    -0
      salt/files/_signing_policies.conf
  4. +0
    -1
      salt/files/minion.conf
  5. +43
    -0
      salt/files/orchestrate.sls
  6. +0
    -23
      salt/master/ca.sls
  7. +5
    -1
      salt/master/init.sls
  8. +32
    -0
      salt/master/orchestrate.sls
  9. +9
    -0
      salt/meta/salt.yml
  10. +0
    -70
      salt/minion.sls
  11. +56
    -0
      salt/minion/ca.sls
  12. +41
    -0
      salt/minion/cert.sls
  13. +30
    -0
      salt/minion/grains.sls
  14. +26
    -0
      salt/minion/graph.sls
  15. +12
    -0
      salt/minion/init.sls
  16. +24
    -0
      salt/minion/service.sls
  17. +5
    -6
      tests/pillar/control_virt.sls
  18. +12
    -0
      tests/pillar/minion_pki_ca.sls
  19. +7
    -0
      tests/pillar/minion_pki_cert.sls

+ 9
- 0
README.rst

@@ -120,6 +120,15 @@ Salt minion with graphing dependencies
.. literalinclude:: tests/pillar/minion_graph.sls
:language: yaml

Salt minion with PKI CA

.. literalinclude:: tests/pillar/minion_pki_ca.sls
:language: yaml

Salt minion with PKI certificate

.. literalinclude:: tests/pillar/minion_pki_cert.sls
:language: yaml

Salt control (cloud/kvm/docker)
-------------------------------

+ 2
- 0
metadata/service/support.yml

@@ -1,5 +1,7 @@
parameters:
salt:
_orchestrate:
priority: 20
_support:
collectd:
enabled: false

+ 18
- 0
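--- a/salt/files/_signing_policies.conf
+++ b/salt/files/_signing_policies.conf
@@ -0,0 +1,18 @@
+{%- from "salt/map.jinja" import minion with context %}
+
+x509_signing_policies:
+{%- for ca_name,ca in minion.ca.items() %}
+{{ ca_name }}:
+- minions: '*'
+- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
+- signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
+- C: {{ ca.country }}
+- ST: {{ ca.state }}
+- L: {{ ca.locality }}
+- basicConstraints: "critical CA:false"
+- keyUsage: "critical cRLSign, keyCertSign"
+- subjectKeyIdentifier: hash
+- authorityKeyIdentifier: keyid,issuer:always
+- days_valid: {{ ca.days_valid.certificate }}
+- copypath: /etc/pki/ca/{{ ca_name }}/certs/
+{%- endfor %}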
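Review bot: The `keyUsage: "critical cRLSign, keyCertSign"` line was carried over from the CA certificate in salt/minion/ca.sls, but this policy issues end-entity certificates (`basicConstraints: "critical CA:false"`), and a leaf certificate should not carry keyCertSign/cRLSign; it should declare the usages the service actually needs, e.g. `- keyUsage: "critical digitalSignature, keyEncipherment"` plus an `extendedKeyUsage` matching the service. `minions: '*'` lets every minion that can reach this CA minion obtain a certificate under every policy; sourcing the pattern from pillar (for example a `ca.minions` key, defaulting to `'*'`) keeps issuance scoped per CA. Minor: this template iterates `minion.ca.items()` while salt/minion/ca.sls uses `iteritems()` on the same mapping; pick one.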

+ 0
- 1
salt/files/minion.conf

@@ -57,7 +57,6 @@ mine_interval: {{ minion.mine.get('interval', 30) }}

{%- endif %}


{%- if minion.sentry is defined %}
sentry_handler:
{% for server in minion.sentry.servers %}

+ 43
- 0
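--- a/salt/files/orchestrate.sls
+++ b/salt/files/orchestrate.sls
@@ -0,0 +1,43 @@
+{%- from "salt/map.jinja" import master with context %}
+{%- if master.enabled %}
+
+{{ formula_dict }}
+
+{%- for environment_name, environment in master.get('environment', {}).iteritems() %}
+
+{%- if master.base_environment == environment_name %}
+
+{%- set formula_dict = environment.get('formula', {}) %}
+{%- set new_formula_dict = {} %}
+
+{%- for formula_name, formula in formula_dict.iteritems() %}
+
+{%- set _tmp = new_formula_dict.update({formula_name: formula.get('orchestrate_order', 100)}) %}
+
+{%- endfor %}
+
+{%- set sorted_formula_list = new_formula_dict|dictsort(false, 'value') %}
+{%- for formula in sorted_formula_list %}
+
+{%- if salt['file.file_exists']('/srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') %}
+
+{{ salt['cmd.run']('cat /srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') }}
+
+{%- else %}
+
+{{ formula.0 }}:
+salt.state:
+- tgt: 'services:{{ formula.0 }}'
+- tgt_type: grain
+- sls: {{ formula.0 }}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+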
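Review bot: The bare `{{ formula_dict }}` on the third line renders the `formula_dict` default handed in by salt/master/orchestrate.sls straight into the generated orchestrate file, where it lands as a stray top-level line of YAML; it reads as a leftover debug print and should be removed (the name is re-bound by `set` inside the loop anyway). Reading a sibling formula's orchestrate.sls through `salt['cmd.run']('cat ...')` spawns a shell with `environment_name` and `formula.0` concatenated into the command line; `salt['file.read']('/srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls')` returns the same text without a shell. The `iteritems()` calls are Python-2-only, whereas salt/files/_signing_policies.conf in the same change already uses `items()`.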
+ 0
- 23
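--- a/salt/master/ca.sls
+++ b/salt/master/ca.sls
@@ -1,23 +0,0 @@
-{%- from "salt/map.jinja" import master with context %}
-{%- if master.enabled %}
-
-{%- if pillar.django_pki is defined %}
-{%- if pillar.django_pki.server.enabled %}
-
-include:
-- salt.master.service
-
-{#
-{%- for environment_name, environment in master.environment.iteritems() %}
-
-/srv/salt/env/{{ environment_name }}/pki:
-file.symlink:
-- target: /srv/django_pki/site/pki
-
-{%- endfor %}
-#}
-
-{%- endif %}
-{%- endif %}
-
-{%- endif %}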

+ 5
- 1
salt/master/init.sls

@@ -3,5 +3,9 @@ include:
- salt.master.env
- salt.master.pillar
- salt.master.minion
{%- if pillar.salt.master.windows_repo is defined %}
- salt.master.win_repo
- salt.master.ca
{%- endif %}
{#
- salt.master.orchestrate
#}
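Review bot: `{%- if pillar.salt.master.windows_repo is defined %}` reads the raw pillar instead of the `master` mapping from salt/map.jinja that salt/master/orchestrate.sls and the other states in this change use; whether `is defined` tolerates a missing intermediate `salt:master` key depends on the Undefined class Salt's renderer is configured with, so a pillar without that key may fail to render here. Importing the map at the top of this file and testing `{%- if master.windows_repo is defined %}` avoids that and keeps the include list consistent. The commented-out `salt.master.orchestrate` include matches the still-unfinished orchestrate state; a `{# TODO: enable once salt/master/orchestrate.sls renders #}` would record why it is disabled.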

+ 32
- 0
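--- a/salt/master/orchestrate.sls
+++ b/salt/master/orchestrate.sls
@@ -0,0 +1,32 @@
+{%- from "salt/map.jinja" import master with context %}
+{%- if master.enabled %}
+
+{%- for environment_name, environment in master.get('environment', {}).iteritems() %}
+
+{%- if master.base_environment == environment_name %}
+
+{%- set formula_dict = {} %}
+{%- for formula_name, formula in formula_dict.iteritems() %}
+
+{%- if salt['file.file_exists']('salt://'+formula_name+'/meta/salt.yml') %}
+{%- set grains_fragment_file = formula_name+'/meta/salt.yml' %}
+{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
+{%- set grains_yaml = load_grains_file()|load_yaml %}
+{% _dummy = formula_dict.update{formula_name: grains_yaml.orchestrate }}
+{%- else %}
+{%- endif %}
+{%- endfor %}
+
+/srv/salt/env/{{ environment_name}}/orchestrate.sls:
+file.managed:
+- source: salt://salt/files/orchestrate.sls
+- user: root
+- template: jinja
+- defaults:
+formula_dict: {{ formula_dict|yaml }}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}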
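Review bot: `{% _dummy = formula_dict.update{formula_name: grains_yaml.orchestrate }}` is not valid Jinja (no `set`, and `update` is called with braces instead of parentheses), so this state cannot render; the intended form is `{%- set _dummy = formula_dict.update({formula_name: grains_yaml.orchestrate}) %}`. Even once fixed, the loop iterates the `formula_dict = {}` initialised on the line above it, so no formula meta is ever read — the loop needs the environment's formula names, which salt/files/orchestrate.sls takes from `environment.get('formula', {})`. Also `{{ environment_name}}` is missing the space before its closing braces, and the managed orchestrate file sets `user` but no `group`/`mode`. This is presumably why salt/master/init.sls leaves the include commented out.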

+ 9
- 0
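--- a/salt/meta/salt.yml
+++ b/salt/meta/salt.yml
@@ -0,0 +1,9 @@
+orchestrate:
+master:
+priority: 10
+minion:
+priority: 20
+syndic:
+priority: 200
+control:
+priority: 400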
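Review bot: The `orchestrate` mapping here nests a `priority` per state (`master`, `minion`, `syndic`, `control`), but the consumers in this change expect a single integer per formula: salt/master/orchestrate.sls stores `grains_yaml.orchestrate` as the whole formula's value and salt/files/orchestrate.sls sorts with `dictsort(false, 'value')` on `orchestrate_order`, which would be comparing mappings rather than numbers. Either this file should expose one formula-level ordering value or the consumer should pick a specific sub-key; a comment at the top of this file stating the intended schema, e.g. `# orchestrate.<state>.priority: lower values are applied first`, would settle it. metadata/service/support.yml introduces yet another spelling, `_orchestrate.priority`, for what looks like the same concept.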

+ 0
- 70
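--- a/salt/minion.sls
+++ b/salt/minion.sls
@@ -1,70 +0,0 @@
-{%- from "salt/map.jinja" import minion with context %}
-{%- if minion.enabled %}
-
-salt_minion_packages:
-pkg.latest:
-- names: {{ minion.pkgs }}
-
-salt_minion_grains_dir:
-file.directory:
-- name: /etc/salt/grains.d
-- mode: 700
-- makedirs: true
-- user: root
-
-salt_minion_grains_placeholder:
-file.touch:
-- name: /etc/salt/grains.d/placeholder
-- require:
-- file: salt_minion_grains_dir
-
-salt_minion_grains_file:
-cmd.run:
-- name: cat /etc/salt/grains.d/* > /etc/salt/grains
-- require:
-- file: salt_minion_grains_placeholder
-
-/etc/salt/minion.d/minion.conf:
-file.managed:
-- source: salt://salt/files/minion.conf
-- user: root
-- group: root
-- template: jinja
-- require:
-- pkg: salt_minion_packages
-- file: salt_minion_grains_dir
-- watch_in:
-- service: salt_minion_service
-
-salt_minion_service:
-service.running:
-- name: {{ minion.service }}
-- enable: true
-
-{%- if minion.graph_states %}
-
-salt_graph_packages:
-pkg.latest:
-- names: {{ minion.graph_pkgs }}
-- require:
-- pkg: salt_minion_packages
-
-salt_graph_states_packages:
-pkg.latest:
-- names: {{ minion.graph_states_pkgs }}
-
-/root/salt-state-graph.py:
-file.managed:
-- source: salt://salt/files/salt-state-graph.py
-- require:
-- pkg: salt_graph_packages
-
-/root/salt-state-graph.sh:
-file.managed:
-- source: salt://salt/files/salt-state-graph.sh
-- require:
-- pkg: salt_graph_packages
-
-{%- endif %}
-
-{%- endif %}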

+ 56
- 0
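--- a/salt/minion/ca.sls
+++ b/salt/minion/ca.sls
@@ -0,0 +1,56 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+/etc/salt/minion.d/_signing_policies.conf:
+file.managed:
+- source: salt://salt/files/_signing_policies.conf
+- template: jinja
+- require:
+- pkg: salt_minion_packages
+- watch_in:
+- service: salt_minion_service
+
+{%- for ca_name,ca in minion.ca.iteritems() %}
+
+/etc/pki/ca/{{ ca_name }}/certs:
+file.directory:
+- makedirs: true
+
+/etc/pki/ca/{{ ca_name }}/ca.key:
+x509.private_key_managed:
+- bits: 4096
+- backup: True
+- require:
+- file: /etc/pki/ca/{{ ca_name }}/certs
+
+/etc/pki/ca/{{ ca_name }}/ca.crt:
+x509.certificate_managed:
+- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
+- CN: {{ ca.common_name }}
+- C: {{ ca.country }}
+- ST: {{ ca.state }}
+- L: {{ ca.locality }}
+- basicConstraints: "critical CA:true"
+- keyUsage: "critical cRLSign, keyCertSign"
+- subjectKeyIdentifier: hash
+- authorityKeyIdentifier: keyid,issuer:always
+- days_valid: {{ ca.days_valid.authority }}
+- days_remaining: 0
+- backup: True
+- require:
+- x509: /etc/pki/ca/{{ ca_name }}/ca.key
+
+mine.send:
+module.run:
+- func: x509.get_pem_entries
+- kwargs:
+glob_path: /etc/pki/ca/{{ ca_name }}/ca.crt
+- onchanges:
+- x509: /etc/pki/ca/{{ ca_name }}/ca.crt
+
+{%- endfor %}
+
+{%- endif %}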
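Review bot: `/etc/pki/ca/{{ ca_name }}/ca.key` is created by `x509.private_key_managed` without `mode`, `user` or `group`, so the CA signing key is written with whatever default permissions the file state applies; add `- mode: "0600"` together with `- user: root` and `- group: root` to the key state, and consider a restrictive mode on the `certs` directory as well. `days_remaining: 0` on the CA certificate means Salt never renews it — if that is intended it deserves a comment, since every certificate issued through salt/files/_signing_policies.conf chains to it. The state ID `mine.send` is reused unchanged inside the `for` loop, so a pillar with more than one CA produces duplicate IDs and fails to compile; `mine_send_{{ ca_name }}` with `- name: mine.send` avoids that. `backup: True` should be lowercase `true` for consistency with the rest of the formula.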

+ 41
- 0
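--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -0,0 +1,41 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+{%- for cert_name,cert in minion.cert.iteritems() %}
+
+/etc/pki/cert/{{ cert.authority }}:
+file.directory:
+- makedirs: true
+
+/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key:
+x509.private_key_managed:
+- bits: 4096
+
+/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
+x509.certificate_managed:
+- ca_server: wst01.newt.cz
+- signing_policy: {{ cert.authority }}
+- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
+- CN: {{ cert.common_name }}
+- days_remaining: 30
+- backup: True
+
+{%- endfor %}
+
+{#
+/usr/local/share/ca-certificates:
+file.directory: []
+
+{%- for ca_path,ca in salt['mine.get']('ca', 'x509.get_pem_entries')['ca'].iteritems() %}
+
+/usr/local/share/ca-certificates/{{ ca }}.crt:
+x509.pem_managed:
+- text: {{ salt['mine.get']('ca', 'x509.get_pem_entries')['ca']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+{%- endfor %}
+#}
+
+{%- endif %}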
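Review bot: `ca_server: wst01.newt.cz` hard-codes a hostname from the author's own environment into every certificate state, so any other deployment would send its signing requests to that host; the CA minion belongs in pillar, e.g. `- ca_server: {{ cert.ca_server }}` (or a formula-level default resolved in salt/map.jinja). As in salt/minion/ca.sls, the `.key` file is managed without `mode`/`user`, so add `- mode: "0600"` there, and the certificate state should `require` the key and directory states explicitly instead of relying on file order. The commented-out `mine.get` block at the bottom still indexes `['/etc/pki/ca.crt']`, a path ca.sls no longer produces (it writes `/etc/pki/ca/<name>/ca.crt`), so it will need updating before it is revived.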

+ 30
- 0
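--- a/salt/minion/grains.sls
+++ b/salt/minion/grains.sls
@@ -0,0 +1,30 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+salt_minion_grains_dir:
+file.directory:
+- name: /etc/salt/grains.d
+- mode: 700
+- makedirs: true
+- user: root
+- require:
+- pkg: salt_minion_packages
+
+salt_minion_grains_placeholder:
+file.touch:
+- name: /etc/salt/grains.d/placeholder
+- require:
+- file: salt_minion_grains_dir
+
+salt_minion_grains_file:
+cmd.run:
+- name: cat /etc/salt/grains.d/* > /etc/salt/grains
+- require:
+- file: salt_minion_grains_dir
+- watch_in:
+- service: salt_minion_service
+
+{%- endif %}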
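Review bot: `salt_minion_grains_file` is a `cmd.run` with no `unless`/`onchanges`, so it reports a change on every run, and the newly added `watch_in: service: salt_minion_service` therefore restarts the minion on every highstate — a regression from the deleted salt/minion.sls, where the same command carried no watch. Guard it so the service only restarts when the assembled grains file actually differs, e.g. `- unless: cat /etc/salt/grains.d/* | cmp -s - /etc/salt/grains`. The `require` was also changed from the placeholder to the directory, so on a fresh host the `cat` may run before the placeholder exists and fail on an empty glob; requiring `file: salt_minion_grains_placeholder` as before keeps the ordering. `mode: 700` should be written `mode: "0700"` so the YAML parser does not reinterpret the octal value.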

+ 26
- 0
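--- a/salt/minion/graph.sls
+++ b/salt/minion/graph.sls
@@ -0,0 +1,26 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+salt_graph_packages:
+pkg.latest:
+- names: {{ minion.graph_pkgs }}
+- require:
+- pkg: salt_minion_packages
+
+salt_graph_states_packages:
+pkg.latest:
+- names: {{ minion.graph_states_pkgs }}
+
+/root/salt-state-graph.py:
+file.managed:
+- source: salt://salt/files/salt-state-graph.py
+- require:
+- pkg: salt_graph_packages
+
+/root/salt-state-graph.sh:
+file.managed:
+- source: salt://salt/files/salt-state-graph.sh
+- require:
+- pkg: salt_graph_packages
+
+{%- endif %}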
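Review bot: `salt_graph_packages` requires `pkg: salt_minion_packages`, which is defined in salt/minion/service.sls, but this file has no `include`, so applying `salt.minion.graph` on its own fails with an unresolved requisite and only works when salt/minion/init.sls happens to include service first. Add `include:` followed by `  - salt.minion.service` at the top, as salt/minion/ca.sls, cert.sls and grains.sls already do.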

+ 12
- 0
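--- a/salt/minion/init.sls
+++ b/salt/minion/init.sls
@@ -0,0 +1,12 @@
+include:
+- salt.minion.service
+- salt.minion.grains
+{%- if pillar.salt.minion.graph_states %}
+- salt.minion.graph
+{%- endif %}
+{%- if pillar.salt.minion.ca is defined %}
+- salt.minion.ca
+{%- endif %}
+{%- if pillar.salt.minion.cert is defined %}
+- salt.minion.cert
+{%- endif %}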
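Review bot: The conditions read the raw pillar (`pillar.salt.minion.graph_states`, `pillar.salt.minion.ca is defined`) instead of the `minion` mapping from salt/map.jinja that every included state uses, so whatever defaults the map supplies for `graph_states` no longer apply here — the deleted salt/minion.sls tested `minion.graph_states` — and a pillar that simply omits the key now disables graphing. Importing the map at the top and testing `minion.graph_states` / `minion.ca is defined` restores that behaviour and keeps this file consistent with the states it includes.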

+ 24
- 0
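--- a/salt/minion/service.sls
+++ b/salt/minion/service.sls
@@ -0,0 +1,24 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+salt_minion_packages:
+pkg.latest:
+- names: {{ minion.pkgs }}
+
+/etc/salt/minion.d/minion.conf:
+file.managed:
+- source: salt://salt/files/minion.conf
+- user: root
+- group: root
+- template: jinja
+- require:
+- pkg: salt_minion_packages
+- watch_in:
+- service: salt_minion_service
+
+salt_minion_service:
+service.running:
+- name: {{ minion.service }}
+- enable: true
+
+{%- endif %}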
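Review bot: `/etc/salt/minion.d/minion.conf` is rendered from pillar and, judging by the `sentry_handler` block visible in the salt/files/minion.conf hunk, can carry handler endpoints or credentials, yet the state sets only `user`/`group` and no `mode`, so the rendered config gets default permissions; `- mode: "0640"` keeps it readable by root only. `pkg.latest` also upgrades the minion package whenever a newer one is available and, through the `watch_in`, restarts the minion mid-highstate; that is carried over from the deleted salt/minion.sls, but a comment on why `latest` rather than `installed` is wanted would help the next reader.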

+ 5
- 6
tests/pillar/control_virt.sls

@@ -1,6 +1,8 @@
salt:
minion:
enabled: true
master:
host: config01.dc01.domain.com
control:
enabled: true
virt_enabled: true
@@ -8,15 +10,12 @@ salt:
small:
cpu: 1
ram: 1
hdd: 10
medium:
cpu: 2
ram: 4
hdd: 20
large:
cpu: 4
ram: 8
hdd: 70
cluster:
vpc20_infra:
domain: neco.virt.domain.com
@@ -27,9 +26,9 @@ salt:
node:
ubuntu1:
provider: node01.domain.com
image: "salt://ubuntu.qcow"
image: ubuntu.qcow
size: medium
ubuntu2:
provider: node02.domain.com
image: "http://ubuntu.com"
size: small
image: bubuntu.qcomw
size: small
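Review bot: `image: bubuntu.qcomw` on the `ubuntu2` node looks like a typo for `ubuntu.qcow`, the value used for `ubuntu1` in the same hunk; even as sample pillar it would point the control state at a non-existent image. The surrounding hunk also appears to change `image` from a `salt://` URL to a bare filename, so a short comment above `node:` stating which form the control state expects (path, URL, or name) would make the sample self-explanatory.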

+ 12
- 0
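--- a/tests/pillar/minion_pki_ca.sls
+++ b/tests/pillar/minion_pki_ca.sls
@@ -0,0 +1,12 @@
+salt:
+minion:
+enabled: true
+ca:
+vagrant:
+common_name: Test CA
+country: Czech
+state: Prague
+locality: Zizkov
+days_valid:
+authority: 3650
+certificate: 90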
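Review bot: `country: Czech` becomes the X.509 `C` attribute in salt/minion/ca.sls and salt/files/_signing_policies.conf, and `C` is limited to a two-letter ISO 3166 code, so this sample pillar fails certificate generation; use `country: CZ`. The CA is named `vagrant` here, but tests/pillar/minion_pki_cert.sls requests `authority: Company CA`, so the two example pillars do not form a working pair — the cert pillar's `authority` must match a CA name (and therefore a signing policy) that exists on the `ca_server`, and a name with a space also ends up as a directory component under `/etc/pki/`.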

+ 7
- 0
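--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -0,0 +1,7 @@
+salt:
+minion:
+enabled: true
+cert:
+test_service:
+authority: Company CA
+common_name: test.service.domain.tld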
