New version of salt-formula from Saltstack
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.

102 lines
2.7KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. include:
  4. - salt.minion.service
  5. {%- for ca_name,ca in minion.ca.iteritems() %}
  6. {%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
  7. {%- set ca_key_file = ca.get('ca_key_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.key') %}
  8. {%- set ca_key_usage = ca.get('key_usage',"critical,cRLSign,keyCertSign") %}
  9. {%- set ca_dir = salt['file.dirname'](ca_file) %}
  10. {%- set ca_key_dir = salt['file.dirname'](ca_key_file) %}
  11. {%- set ca_certs_dir = ca_dir ~ '/certs' %}
  12. salt_minion_cert_{{ ca_name }}_dirs:
  13. file.directory:
  14. - names:
  15. - {{ ca_dir }}
  16. - {{ ca_key_dir }}
  17. - {{ ca_certs_dir }}
  18. - makedirs: true
  19. {{ ca_key_file }}:
  20. x509.private_key_managed:
  21. - bits: 4096
  22. - backup: True
  23. - require:
  24. - file: {{ ca_certs_dir }}
  25. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  26. {{ ca_name }}_key_permissions:
  27. file.managed:
  28. - name: {{ ca_key_file }}
  29. - mode: {{ ca.get("mode", 0600) }}
  30. {%- if salt['user.info'](ca.get("user", "root")) %}
  31. - user: {{ ca.get("user", "root") }}
  32. {%- endif %}
  33. {%- if salt['group.info'](ca.get("group", "root")) %}
  34. - group: {{ ca.get("group", "root") }}
  35. {%- endif %}
  36. - replace: false
  37. - require:
  38. - x509: {{ ca_key_file }}
  39. {{ ca_file }}:
  40. x509.certificate_managed:
  41. - signing_private_key: {{ ca_key_file }}
  42. - CN: "{{ ca.common_name }}"
  43. {%- if ca.country is defined %}
  44. - C: {{ ca.country }}
  45. {%- endif %}
  46. {%- if ca.state is defined %}
  47. - ST: {{ ca.state }}
  48. {%- endif %}
  49. {%- if ca.locality is defined %}
  50. - L: {{ ca.locality }}
  51. {%- endif %}
  52. {%- if ca.organization is defined %}
  53. - O: {{ ca.organization }}
  54. {%- endif %}
  55. {%- if ca.organization_unit is defined %}
  56. - OU: {{ ca.organization_unit }}
  57. {%- endif %}
  58. - basicConstraints: "critical,CA:TRUE"
  59. - keyUsage: {{ ca_key_usage }}
  60. - subjectKeyIdentifier: hash
  61. - authorityKeyIdentifier: keyid,issuer:always
  62. - days_valid: {{ ca.days_valid.authority }}
  63. - days_remaining: 0
  64. - backup: True
  65. - require:
  66. - x509: {{ ca_key_file }}
  67. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  68. {{ ca_name }}_cert_permissions:
  69. file.managed:
  70. - name: {{ ca_file }}
  71. - mode: 0644
  72. {%- if salt['user.info'](ca.get("user", "root")) %}
  73. - user: {{ ca.get("user", "root") }}
  74. {%- endif %}
  75. {%- if salt['group.info'](ca.get("group", "root")) %}
  76. - group: {{ ca.get("group", "root") }}
  77. {%- endif %}
  78. - require:
  79. - x509: {{ ca_file }}
  80. salt_system_ca_mine_send_ca_{{ ca_name }}:
  81. module.run:
  82. - name: mine.send
  83. - func: x509.get_pem_entries
  84. - kwargs:
  85. glob_path: {{ ca_file }}
  86. - require:
  87. - x509: {{ ca_file }}
  88. {%- endfor %}
  89. {%- endif %}