
Revert "Fix salt.minion.cert CA certs generation"

This reverts commit 6b2a592dc9.
doc/update-readme-tursted-ca-minions
Filip Pytloun 7 år sedan
förälder
incheckning
7d648874b0
1 ändrade filer med 17 tillägg och 22 borttagningar
  1. +17
    -22
      salt/minion/cert.sls

+ 17
- 22
salt/minion/cert.sls Visa fil

{%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %} {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
{%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %} {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
{%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %} {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}

{%- set key_dir = salt['file.dirname'](key_file) %}
{%- set cert_dir = salt['file.dirname'](cert_file) %}
{%- set ca_dir = salt['file.dirname'](ca_file) %}
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
{%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}


{# Only ensure directories exists, don't touch permissions, etc. #} {# Only ensure directories exists, don't touch permissions, etc. #}
salt_minion_cert_{{ cert_name }}_dirs: salt_minion_cert_{{ cert_name }}_dirs:
file.symlink: file.symlink:
- name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt" - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"
- target: {{ ca_file }} - target: {{ ca_file }}
- force: True
- watch_in: - watch_in:
- cmd: salt_update_certificates - cmd: salt_update_certificates


- require: - require:
- pkg: salt_ca_certificates_packages - pkg: salt_ca_certificates_packages


{%- if minion.get('trust_salt_ca', True) %}
{%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}


{%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %} {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
{%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %} {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

{%- for ca_path, ca_cert in certs.iteritems() %} {%- for ca_path, ca_cert in certs.iteritems() %}
{%- if ca_path.startswith('/etc/pki/ca/') and ca_path.endswith('ca.crt') %}
{%- if not 'ca.crt' in ca_path %}{% continue %}{% endif %}


{# authority name can be obtained only from a cacert path in case of mine.get #}
{%- set ca_authority = ca_path.split("/")[4] %}
{%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}
{%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}


salt_trust_ca_{{ cacert_file }}:
x509.pem_managed:
- name: {{ cacert_file }}
- text: {{ ca_cert|replace('\n', '') }}
- watch_in:
- file: salt_trust_ca_{{ cacert_file }}_permissions
- cmd: salt_update_certificates

salt_trust_ca_{{ cacert_file }}_permissions:
salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
file.managed: file.managed:
- name: {{ cacert_file }}
- mode: 0444
- name: {{ cacerts_dir }}/{{ cacert_file }}
- contents: |
{{ ca_cert|replace(' ', '')|indent(6) }}
- makedirs: True
- show_changes: True
- follow_symlinks: True
- watch_in:
- cmd: salt_update_certificates


{%- endif %}
{%- endfor %} {%- endfor %}
{%- endfor %} {%- endfor %}
{%- endfor %} {%- endfor %}
{%- endif %} {%- endif %}


{%- endif %} {%- endif %}
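Review bot: The restored filter `{%- if not 'ca.crt' in ca_path %}{% continue %}{% endif %}` together with `ca_path.split("/")[4]` accepts any mine entry whose path merely contains `ca.crt` and takes its fifth path component as the authority name, so a path of unexpected depth gives a wrong `cacert_file` name, a collision between two authorities, or a render-time index error; a tighter guard such as `{%- if not (ca_path.startswith('/etc/pki/ca/') and ca_path.endswith('/ca.crt')) %}{% continue %}{% endif %}` keeps the split index meaningful. The default in `minion.get('cert', {}).get('trust_salt_ca', 'True')` is the string `'True'`, so a pillar value given as the string `'False'` would still be truthy; a boolean default `True` is less surprising. These points assume the single-printed lines following the restored `|replace(...)` directory lines are the new side of this revert, which the rendered page does not mark explicitly. The Jinja `for cert` loop that this section's `cert.get(...)` lines belong to starts outside the hunk.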

