Merge pull request #1 from tcpcloud/cert

Enhance minion.cert

salt/minion/cert.sls

@@ -4,38 +4,86 @@
 {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
 {%- set rowloop = loop %}
 
-/etc/ssl/private/{{ cert.common_name }}.key:
+{%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
+{%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
+{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
+{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
+
+{# Only ensure directories exists, don't touch permissions, etc. #}
+salt_minion_cert_{{ cert_name }}_dirs:
+  file.directory:
+    - names:
+      - {{ key_dir }}
+      - {{ cert_dir }}
+    - makedirs: true
+    - replace: false
+
+{{ key_file }}:
   x509.private_key_managed:
-  - bits: 4096
+    - bits: {{ cert.get('bits', 4096) }}
+  require:
+    - file: salt_minion_cert_{{ cert_name }}_dirs
 
-{{ cert.common_name }}_rights:
+{{ key_file }}_key_permissions:
   file.managed:
-  - name: /etc/ssl/private/{{ cert.common_name }}.key
-  - mode: 600
-  - replace: False
-  - require:
-    - x509: /etc/ssl/private/{{ cert.common_name }}.key
+    - name: {{ key_file }}
+    - mode: {{ cert.get("mode", 0600) }}
+    {%- if salt['user.info'](cert.get("user", "root")) %}
+    - user: {{ cert.get("user", "root") }}
+    {%- endif %}
+    {%- if salt['group.info'](cert.get("group", "root")) %}
+    - group: {{ cert.get("group", "root") }}
+    {%- endif %}
+    - replace: false
+    - watch:
+      - x509: {{ key_file }}
 
-/etc/ssl/certs/{{ cert.common_name }}.crt:
+{{ cert_file }}:
   x509.certificate_managed:
-  - ca_server: {{ cert.host }}
-  - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
-  - public_key: /etc/ssl/private/{{ cert.common_name }}.key
-  - CN: {{ cert.common_name }}
-  {%- if cert.alternative_names is defined %}
-  - subjectAltName: {{ cert.alternative_names }}
-  {%- endif %}
-  - days_remaining: 30
-  - backup: True
+    - ca_server: {{ cert.host }}
+    - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
+    - public_key: {{ key_file }}
+    - CN: {{ cert.common_name }}
+    {%- if cert.alternative_names is defined %}
+    - subjectAltName: {{ cert.alternative_names }}
+    {%- endif %}
+    - days_remaining: 30
+    - backup: True
+    - watch:
+      - x509: {{ key_file }}
+
+{{ cert_file }}_cert_permissions:
+  file.managed:
+    - name: {{ cert_file }}
+    - mode: {{ cert.get("mode", 0600) }}
+    {%- if salt['user.info'](cert.get("user", "root")) %}
+    - user: {{ cert.get("user", "root") }}
+    {%- endif %}
+    {%- if salt['group.info'](cert.get("group", "root")) %}
+    - group: {{ cert.get("group", "root") }}
+    {%- endif %}
+    - replace: false
+    - watch:
+      - x509: {{ cert_file }}
 
 {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %}
 
 {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
+{%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
 
-ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
+{{ ca_file }}_{{ rowloop.index }}:
   x509.pem_managed:
-  - name: /etc/ssl/certs/ca-{{ cert.authority }}.crt
-  - text: {{ ca_cert|replace('\n', '') }}
+    - name: {{ ca_file }}
+    - text: {{ ca_cert|replace('\n', '') }}
+    - watch:
+      - x509: {{ cert_file }}
+
+{{ ca_file }}_cert_permissions:
+  file.managed:
+    - name: {{ ca_file }}
+    - mode: 0644
+    - watch:
+      - x509: {{ ca_file }}
 
 {%- endif %}
 
@@ -43,4 +91,4 @@ ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
 
 {%- endfor %}
 
-{%- endif %}
+{%- endif %}