In cases when a service whants to generate and sign a certificate
it requires a CA key along with a CA cert itself.
For example, Octavia needs it for signing a certificate it generates
for a newly spawned amphora.
This change add sending a CA key to the mine from where it can be
extracted in the cert.sls state.
Also allow managing permissions for a CA cert and key retrieved
from the mine.
Related PROD: PROD-11933
Change-Id: I911effb4a63ae048e348ed04b7aca33998e359aa
In case of trust_salt_ca usage, the salt.minion.cert state
generates broken certs body due to a space replacing.
Change-Id: Id49e42807ddbc2addaf59a4c4541b720bbf87527
This is useful when using proxies. The default Tornado backend does not
utilize proxy environment variables and isn't able to set no_proxy variable.
Change-Id: I4a51c6fc9abe65d46ed4f3adeb30f7a25337857e
Currently the CI job fails with module not found errror.
AttributeError: 'module' object has no attribute 'check_refresh
The reason is new version of salt tries to call
salt.utils.pkg.check_refresh which is not available in 2016.11.3 but is
available in 2016.11.6.
Reference:
1. https://github.com/saltstack/salt/blob/v2016.11.3/salt/states/pkg.py
2. https://github.com/saltstack/salt/blob/v2016.11.6/salt/states/pkg.py#L1819
The fix proposed here is to use pkg.installed instead of pkg.latest.
It's not a good idea to always update salt whenever the salt state is
run, this may introduce failures unknown to the user. There is a pipeline
to update packages which should be used for updating to latest.
pkg.latest generally isn't a good way to write idempotent formulas. See
official salt docs: "Generally it is better for the installed function
to be used, as latest will update the package whenever a new package is
available."
Change-Id: I8da5c36c1613e54768993080f2514afc920c49f8
1. Remove implicit creation of "local_trusted_symlink".
To install a system-wide certificates the linux.system.cert
state or 'trusted_ca_minion' option must be used.
2. A ca-cert file may exist on a file-system and
not be pulled from mine. So, in this case
the following state be incorrect:
- watch:
- x509: ca_file
To support this case, we need to replace `watch` statement
with `watch_in`.
Change-Id: If41d050b56913d72da1ef7981f30780fec5d6d95
1:
In case of trust_salt_ca usage, the salt.minion.cert state
generates broken certs body due to a space replacing:
-----BEGINCERTIFICATE-----
MIIFzzCCA7egAwIBAgIITiyuuFgl1S4wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
BhMCY3oxFzAVBgNVBAMMDlNhbHQgT
....
To fix it the "x509.pem_managed" is used.
2:
If a symlink to CA cert is already exists, then the state is failing.
The force=True (replace) is used now to avoid the issue.
Change-Id: I4a2bd7c882e179560657a3dc7edf18c7e5835492
This option can configure default output of state calls. Terse (default
option) will make each call to be on single line and make salt output
better.
Change-Id: Id0987561e34a84fb26a796729d6ab3de3b9ae8e5
We can have this failing because of bad mine data:
salt['mine.get'](cert.host, 'x509.get_pem_entries')
Without this change, dependency between salt_minion_cert_*_all and
ca_file is just ignored and salt_minion_cert_*_all state fails because
it can't find appropriate file.
Change-Id: I2a5dd12e08159bf110ff0d9879ebf0ad5d9d97c1
It was failing with:
Rendering SLS 'base:salt.minion.cert' failed: Conflicting ID 'salt_ca_certificates_packages'
ca-certificates installation should be probably moved out of the loop in
the future.
Change-Id: I26aeae62cc1c1d407d36d1d6bf101db073d9e601
Unfortunately this is not idempotent, however we surely want to sync
everything when salt.minion state is executed.
Change-Id: I0faaf606b57dbd7d009156abfe50d2e5f350190e
By default the check is OK for a number of processes between 1 and 15
but on our machine the number is up to 48. So we set the limit
accordingly.
Change-Id: Iac3d2b91312dfe778ebcd39b5eb985348c7aee5a
Filip Pytloun
Elena Ezhova
Matthew Mosesohn
Kirill Bespalov
Sam Stoelinga
Ales Komarek
Martin Polreich
Jiri Broulik
Petr Michalec
Tomáš Kukrál
Alexander Noskov
Yuriy Taraday
Ruslan Usichenko
Swann Croiset
Guillaume Thouvenin
Ondrej Smola
Anežka Jadlovská