
Merge "Repair multi-ca generating states"

pull/73/head
Aleksey Zvyagintsev 6 years ago
parent
commit
ff1730eca2
2 changed files with 20 additions and 9 deletions
  1. +18
    -6
      salt/minion/ca.sls
  2. +2
    -3
      salt/minion/cert.sls

+ 18
- 6
salt/minion/ca.sls View File

include: include:
- salt.minion.service - salt.minion.service


{%- set all_ca_certs_dir = '/etc/pki/all_cas' %}

{%- for ca_name,ca in minion.ca.iteritems() %} {%- for ca_name,ca in minion.ca.iteritems() %}


{%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %} {%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
- require: - require:
- x509: {{ ca_file }} - x509: {{ ca_file }}


salt_system_ca_mine_send_ca_{{ ca_name }}:
module.run:
- name: mine.send
- func: x509.get_pem_entries
- kwargs:
glob_path: {{ ca_file }}
copy_to_{{all_ca_certs_dir}}/{{ ca_name }}:
file.copy:
- name: {{ all_ca_certs_dir }}/{{ ca_name }}.crt
- source: {{ ca_file }}
- makedirs: True
- force: True
- unless:
- diff -q {{ ca_file }} {{ all_ca_certs_dir }}/{{ ca_name }}.crt
- require: - require:
- x509: {{ ca_file }} - x509: {{ ca_file }}


{%- endfor %} {%- endfor %}


salt_system_ca_mine_send_ca:
module.run:
- name: mine.send
- func: x509.get_pem_entries
- kwargs:
mine_function: x509.get_pem_entries
glob_path: {{ all_ca_certs_dir }}/*

{%- endif %} {%- endif %}
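Review bot: The `unless` on L48–49 interpolates `ca_file`, which comes straight from pillar via `ca.get('ca_file', ...)`, into a shell command without quoting, so a path with whitespace or shell metacharacters either breaks the check or is executed by the shell; quote both operands, `- diff -q '{{ ca_file }}' '{{ all_ca_certs_dir }}/{{ ca_name }}.crt'`, or drop the `unless` if `file.copy` with `force: True` already skips identical files on the Salt version in use (verify that). The final `salt_system_ca_mine_send_ca` exports everything matching `/etc/pki/all_cas/*` to the mine, which any minion the master's mine ACL permits can read, and nothing here prevents a private key or other file placed in that directory from being published too, so a comment like `# all_cas must only ever hold public CA certificates: its whole contents are exported via the mine` belongs next to it. That state also has no `require` on the `copy_to_*` states and relies on declaration order alone; an explicit `- require:` listing each `file: copy_to_...` state, or `- order: last`, would make the dependency visible. The per-CA `salt_system_ca_mine_send_ca_{{ ca_name }}` states appear to publish under the same mine function that the final state then rewrites with the whole directory, which looks redundant, but confirm whether mine.send merges or replaces before removing them. The `{% if %}` closed on the last line opens outside the hunk.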

+ 2
- 3
salt/minion/cert.sls View File

{%- if cert.host is defined and ca_file not in created_ca_files %} {%- if cert.host is defined and ca_file not in created_ca_files %}
{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %} {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}


{%- if '/etc/pki/ca/'+cert.authority in ca_path %}
{%- if '/etc/pki/all_cas/'+cert.authority in ca_path %}


{{ ca_file }}: {{ ca_file }}:
x509.pem_managed: x509.pem_managed:
- cmd: salt_minion_cert_{{ cert_name }}_all - cmd: salt_minion_cert_{{ cert_name }}_all
{%- endif %} {%- endif %}



# TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2 # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
{{ ca_file }}_cert_permissions: {{ ca_file }}_cert_permissions:
file.managed: file.managed:
{%- if ca_path.endswith('ca.crt') %} {%- if ca_path.endswith('ca.crt') %}


{# authority name can be obtained only from a cacert path in case of mine.get #} {# authority name can be obtained only from a cacert path in case of mine.get #}
{%- set ca_authority = ca_path.split("/")[-2] %}
{%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %}
{%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %} {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}


salt_trust_ca_{{ cacert_file }}: salt_trust_ca_{{ cacert_file }}:
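Review bot: The trust-install branch on L89 still keys on `ca_path.endswith('ca.crt')`, which always held for the old `/etc/pki/ca/<name>/ca.crt` layout but under the new `/etc/pki/all_cas/<name>.crt` naming only holds for CAs whose name happens to end in `ca`; if the final mine.send in ca.sls replaces the per-CA entries with the `all_cas/*` glob, every other CA silently stops being added to `cacerts_dir`. A check that matches the new layout is `{%- if ca_path.startswith('/etc/pki/all_cas/') and ca_path.endswith('.crt') %}`, and the authority name on L94 should strip only the extension, `{%- set ca_authority = ca_path.split("/")[-1][:-4] %}`, because `.split(".")[0]` truncates a dotted CA name such as `corp.example` to `corp` and writes it to the wrong `ca-<name>.crt`. The condition on L76 is a substring test, so `cert.authority` `foo` also matches `foobar.crt`; the exact form `ca_path == '/etc/pki/all_cas/' + cert.authority + '.crt'` is what is intended. Everything installed here is whatever `cert.host` published to the mine, selected by a path string that minion controls, so a compromised `cert.host` can have an arbitrary PEM installed into this minion's trust store; that is the design's trust assumption and deserves a comment, `# trusts whatever cert.host publishes: mine data is only as trustworthy as that minion and the master's mine_get ACL`. The `{% if %}`/`{% for %}` opened on L71–72 close outside the hunk.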
