ExternalMirrors
/
salt-formula
mirror of https://github.com/salt-formulas/salt-formula-salt
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 7 Wiki Activity
New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
192 Commits
26 Branches
Branch: fix/ca_cert_render_issue
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'fix/ca_cert_render_issue'
${ noResults }
salt-formula/salt/minion/cert.sls

209 lines
6.2KB
Raw Permalink Blame History 

  1. {%- from "salt/map.jinja" import minion with context %}

  2. 

  3. {%- if minion.enabled %}

  4. 

  5. {%- if grains.os_family == 'RedHat' %}

  6. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}

  7. {%- else %}

  8. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}

  9. {%- endif %}

  10. 

  11. {%- if minion.cert is defined %}

  12. 

  13. {%- set created_ca_files = [] %}

  14. 

  15. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}

  16. {%- set rowloop = loop %}

  17. 

  18. {%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}

  19. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}

  20. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}

  21. {%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}

  22. {%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}

  23. {%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}

  24. 

  25. {# Only ensure directories exists, don't touch permissions, etc. #}

  26. salt_minion_cert_{{ cert_name }}_dirs:

  27.   file.directory:

  28.     - names:

  29.       - {{ key_dir }}

  30.       - {{ cert_dir }}

  31.       - {{ ca_dir }}

  32.     - makedirs: true

  33.     - replace: false

  34. 

  35. {{ key_file }}:

  36.   x509.private_key_managed:

  37.     - bits: {{ cert.get('bits', 4096) }}

  38.   require:

  39.     - file: salt_minion_cert_{{ cert_name }}_dirs

  40. 

  41. {{ key_file }}_key_permissions:

  42.   file.managed:

  43.     - name: {{ key_file }}

  44.     - mode: {{ cert.get("mode", 0600) }}

  45.     {%- if salt['user.info'](cert.get("user", "root")) %}

  46.     - user: {{ cert.get("user", "root") }}

  47.     {%- endif %}

  48.     {%- if salt['group.info'](cert.get("group", "root")) %}

  49.     - group: {{ cert.get("group", "root") }}

  50.     {%- endif %}

  51.     - replace: false

  52.     - watch:

  53.       - x509: {{ key_file }}

  54. 

  55. {{ cert_file }}:

  56.   x509.certificate_managed:

  57.     {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}

  58.     {% if cert.authority is defined and cert.signing_policy is defined %}

  59.     - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}

  60.     {%- endif %}

  61.     - public_key: {{ key_file }}

  62.     - CN: "{{ cert.common_name }}"

  63.     {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}

  64.     {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}

  65.     {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}

  66.     {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}

  67.     {% if cert.signing_private_key is defined and cert.signing_cert is defined %}

  68.     - signing_private_key: "{{ cert.signing_private_key }}"

  69.     - signing_cert: "{{ cert.signing_cert }}"

  70.     {%- endif %}

  71.     {% if cert.alternative_names is defined %}

  72.     - subjectAltName: "{{ cert.alternative_names }}"

  73.     {%- endif %}

  74.     {%- if cert.extended_key_usage is defined %}

  75.     - extendedKeyUsage: "{{ cert.extended_key_usage }}"

  76.     {%- endif %}

  77.     {%- if cert.key_usage is defined %}

  78.     - keyUsage: "{{ cert.key_usage }}"

  79.     {%- endif %}

  80.     - days_remaining: 30

  81.     - backup: True

  82.     - watch:

  83.       - x509: {{ key_file }}

  84. 

  85. {{ cert_file }}_cert_permissions:

  86.   file.managed:

  87.     - name: {{ cert_file }}

  88.     - mode: {{ cert.get("mode", 0600) }}

  89.     {%- if salt['user.info'](cert.get("user", "root")) %}

  90.     - user: {{ cert.get("user", "root") }}

  91.     {%- endif %}

  92.     {%- if salt['group.info'](cert.get("group", "root")) %}

  93.     - group: {{ cert.get("group", "root") }}

  94.     {%- endif %}

  95.     - replace: false

  96.     - watch:

  97.       - x509: {{ cert_file }}

  98. 

  99. {%- if cert.host is defined and ca_file not in created_ca_files %}

  100. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}

  101. 

  102. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}

  103. 

  104. {{ ca_file }}:

  105.   x509.pem_managed:

  106.     - name: {{ ca_file }}

  107.     - text: {{ ca_cert|replace('\n', '') }}

  108.     - watch:

  109.       - x509: {{ cert_file }}

  110. 

  111. {{ ca_file }}_cert_permissions:

  112.   file.managed:

  113.     - name: {{ ca_file }}

  114.     - mode: 0644

  115.     - watch:

  116.       - x509: {{ ca_file }}

  117. 

  118. {{ ca_file }}_local_trusted_symlink:

  119.   file.symlink:

  120.     - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"

  121.     - target: {{ ca_file }}

  122.     - watch_in:

  123.       - cmd: salt_update_certificates

  124. 

  125. {%- endif %}

  126. 

  127. {%- endfor %}

  128. {%- do created_ca_files.append(ca_file) %}

  129. {%- endif %}

  130. 

  131. {%- if cert.all_file is defined %}

  132. salt_minion_cert_{{ cert_name }}_all:

  133.   cmd.wait:

  134.     - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}

  135.     - watch:

  136.       - x509: {{ key_file }}

  137.       - x509: {{ cert_file }}

  138.       - x509: {{ ca_file }}

  139. 

  140. {{ cert.all_file }}_cert_permissions:

  141.   file.managed:

  142.     - name: {{ cert.all_file }}

  143.     - mode: {{ cert.get("mode", 0600) }}

  144.     {%- if salt['user.info'](cert.get("user", "root")) %}

  145.     - user: {{ cert.get("user", "root") }}

  146.     {%- endif %}

  147.     {%- if salt['group.info'](cert.get("group", "root")) %}

  148.     - group: {{ cert.get("group", "root") }}

  149.     {%- endif %}

  150.     - replace: false

  151.     - watch:

  152.       - cmd: salt_minion_cert_{{ cert_name }}_all

  153. {%- endif %}

  154. 

  155. {%- endfor %}

  156. 

  157. {%- endif %}

  158. 

  159. salt_ca_certificates_packages:

  160.   pkg.installed:

  161. {%- if grains.os_family == 'Debian' %}

  162.     - name: ca-certificates

  163. {%- elif grains.os_family == 'RedHat' %}

  164.     - name: ca-certificates

  165. {%- else %}

  166.     - name: []

  167. {%- endif %}

  168. 

  169. salt_update_certificates:

  170.   cmd.wait:

  171. {%- if grains.os_family == 'Debian' %}

  172.     - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"

  173. {%- elif grains.os_family == 'RedHat' %}

  174.     - name: "update-ca-trust extract"

  175. {%- else %}

  176.     - name: true

  177. {%- endif %}

  178.     - require:

  179.       - pkg: salt_ca_certificates_packages

  180. 

  181. {%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}

  182. 

  183. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}

  184. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

  185. 

  186. {%- for ca_path, ca_cert in certs.iteritems() %}

  187. {%- if not 'ca.crt' in  ca_path %}{% continue %}{% endif %}

  188. 

  189. {%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}

  190. 

  191. salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:

  192.   file.managed:

  193.   - name: {{ cacerts_dir }}/{{ cacert_file }}

  194.   - contents: |

  195.       {{ ca_cert|replace('  ', '')|indent(6) }}

  196.   - makedirs: True

  197.   - show_changes: True

  198.   - follow_symlinks: True

  199.   - watch_in:

  200.     - cmd: salt_update_certificates

  201. 

  202. {%- endfor %}

  203. {%- endfor %}

  204. {%- endfor %}

  205. {%- endif %}

  206. 

  207. {%- endif %}