ExternalMirrors
/
salt-formula
огледало од https://github.com/salt-formulas/salt-formula-salt
Прати 1
Волим 0
Креирај огранак 0
Код Дискусије 0 Издања 7 Вики Activity
New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
315 Комити
26 Гране
Дрво: 0cbc6790e4
Гране Ознаке
${ item.name }
Create branch ${ searchTerm }
from '0cbc6790e4'
${ noResults }
salt-formula/salt/minion/cert.sls

220 lines
6.8KB
Датотека Blame Историја 

  1. {%- from "salt/map.jinja" import minion with context %}

  2. 

  3. {%- if minion.enabled %}

  4. 

  5. {%- if grains.os_family == 'RedHat' %}

  6. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}

  7. {%- else %}

  8. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}

  9. {%- endif %}

  10. 

  11. {%- if minion.cert is defined %}

  12. 

  13. {%- set created_ca_files = [] %}

  14. 

  15. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}

  16. {%- set rowloop = loop %}

  17. 

  18. {%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}

  19. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}

  20. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}

  21. {%- set key_dir = salt['file.dirname'](key_file) %}

  22. {%- set cert_dir = salt['file.dirname'](cert_file) %}

  23. {%- set ca_dir = salt['file.dirname'](ca_file) %}

  24. 

  25. {# Only ensure directories exists, don't touch permissions, etc. #}

  26. salt_minion_cert_{{ cert_name }}_dirs:

  27.   file.directory:

  28.     - names:

  29.       - {{ key_dir }}

  30.       - {{ cert_dir }}

  31.       - {{ ca_dir }}

  32.     - makedirs: true

  33.     - replace: false

  34. 

  35. {{ key_file }}:

  36.   x509.private_key_managed:

  37.     - bits: {{ cert.get('bits', 4096) }}

  38.     - require:

  39.       - file: salt_minion_cert_{{ cert_name }}_dirs

  40.     {%- if cert.all_file is defined %}

  41.     - watch_in:

  42.       - cmd: salt_minion_cert_{{ cert_name }}_all

  43.     {%- endif %}

  44. 

  45. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  46. {{ key_file }}_key_permissions:

  47.   file.managed:

  48.     - name: {{ key_file }}

  49.     - mode: {{ cert.get("mode", 0600) }}

  50.     {%- if salt['user.info'](cert.get("user", "root")) %}

  51.     - user: {{ cert.get("user", "root") }}

  52.     {%- endif %}

  53.     {%- if salt['group.info'](cert.get("group", "root")) %}

  54.     - group: {{ cert.get("group", "root") }}

  55.     {%- endif %}

  56.     - replace: false

  57.     - require:

  58.       - x509: {{ key_file }}

  59. 

  60. {{ cert_file }}:

  61.   x509.certificate_managed:

  62.     {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}

  63.     {% if cert.authority is defined and cert.signing_policy is defined %}

  64.     - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}

  65.     {%- endif %}

  66.     - public_key: {{ key_file }}

  67.     - CN: "{{ cert.common_name }}"

  68.     {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}

  69.     {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}

  70.     {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}

  71.     {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}

  72.     {% if cert.organization_name is defined %}- organizationName: {{ cert.organization_name }}{%- endif %}

  73.     {% if cert.signing_private_key is defined and cert.signing_cert is defined %}

  74.     - signing_private_key: "{{ cert.signing_private_key }}"

  75.     - signing_cert: "{{ cert.signing_cert }}"

  76.     {%- endif %}

  77.     {% if cert.alternative_names is defined %}

  78.     - subjectAltName: "{{ cert.alternative_names }}"

  79.     {%- endif %}

  80.     {%- if cert.extended_key_usage is defined %}

  81.     - extendedKeyUsage: "{{ cert.extended_key_usage }}"

  82.     {%- endif %}

  83.     {%- if cert.key_usage is defined %}

  84.     - keyUsage: "{{ cert.key_usage }}"

  85.     {%- endif %}

  86.     - days_remaining: 30

  87.     - backup: True

  88.     - watch:

  89.       - x509: {{ key_file }}

  90.     {%- if cert.all_file is defined %}

  91.     - watch_in:

  92.       - cmd: salt_minion_cert_{{ cert_name }}_all

  93.     {%- endif %}

  94. 

  95. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  96. {{ cert_file }}_cert_permissions:

  97.   file.managed:

  98.     - name: {{ cert_file }}

  99.     - mode: {{ cert.get("mode", 0600) }}

  100.     {%- if salt['user.info'](cert.get("user", "root")) %}

  101.     - user: {{ cert.get("user", "root") }}

  102.     {%- endif %}

  103.     {%- if salt['group.info'](cert.get("group", "root")) %}

  104.     - group: {{ cert.get("group", "root") }}

  105.     {%- endif %}

  106.     - replace: false

  107.     - require:

  108.       - x509: {{ cert_file }}

  109. 

  110. {%- if cert.host is defined and ca_file not in created_ca_files %}

  111. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}

  112. 

  113. {%- if '/etc/pki/ca/'+cert.authority in ca_path %}

  114. 

  115. {{ ca_file }}:

  116.   x509.pem_managed:

  117.     - name: {{ ca_file }}

  118.     - text: {{ ca_cert|replace('\n', '') }}

  119.     - watch:

  120.       - x509: {{ cert_file }}

  121.     {%- if cert.all_file is defined %}

  122.     - watch_in:

  123.       - cmd: salt_minion_cert_{{ cert_name }}_all

  124.     {%- endif %}

  125. 

  126. 

  127. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  128. {{ ca_file }}_cert_permissions:

  129.   file.managed:

  130.     - name: {{ ca_file }}

  131.     - mode: 0644

  132.     {%- if salt['user.info'](cert.get("user", "root")) %}

  133.     - user: {{ cert.get("user", "root") }}

  134.     {%- endif %}

  135.     {%- if salt['group.info'](cert.get("group", "root")) %}

  136.     - group: {{ cert.get("group", "root") }}

  137.     {%- endif %}

  138.     - require:

  139.       - x509: {{ ca_file }}

  140. 

  141. {%- endif %}

  142. 

  143. {%- endfor %}

  144. 

  145. {%- do created_ca_files.append(ca_file) %}

  146. {%- endif %}

  147. 

  148. {%- if cert.all_file is defined %}

  149. 

  150. salt_minion_cert_{{ cert_name }}_all:

  151.   cmd.wait:

  152.     - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}

  153. 

  154. {{ cert.all_file }}_cert_permissions:

  155.   file.managed:

  156.     - name: {{ cert.all_file }}

  157.     - mode: {{ cert.get("mode", 0600) }}

  158.     {%- if salt['user.info'](cert.get("user", "root")) %}

  159.     - user: {{ cert.get("user", "root") }}

  160.     {%- endif %}

  161.     {%- if salt['group.info'](cert.get("group", "root")) %}

  162.     - group: {{ cert.get("group", "root") }}

  163.     {%- endif %}

  164.     - replace: false

  165.     - require:

  166.       - cmd: salt_minion_cert_{{ cert_name }}_all

  167. {%- endif %}

  168. 

  169. {%- endfor %}

  170. 

  171. {%- endif %}

  172. 

  173. salt_ca_certificates_packages:

  174.   pkg.installed:

  175.     - names: {{ minion.cert_pkgs }}

  176. 

  177. salt_update_certificates:

  178.   cmd.wait:

  179. {%- if grains.os_family == 'Debian' %}

  180.     - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"

  181. {%- elif grains.os_family == 'RedHat' %}

  182.     - name: "update-ca-trust extract"

  183. {%- else %}

  184.     - name: true

  185. {%- endif %}

  186.     - require:

  187.       - pkg: salt_ca_certificates_packages

  188. 

  189. {%- if minion.get('trust_salt_ca', True) %}

  190. 

  191. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}

  192. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

  193. {%- for ca_path, ca_cert in certs.iteritems() %}

  194. {%- if ca_path.endswith('ca.crt') %}

  195. 

  196. {# authority name can be obtained only from a cacert path in case of mine.get #}

  197. {%- set ca_authority = ca_path.split("/")[-2] %}

  198. {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}

  199. 

  200. salt_trust_ca_{{ cacert_file }}:

  201.   x509.pem_managed:

  202.     - name: {{ cacert_file }}

  203.     - text: {{ ca_cert|replace('\n', '') }}

  204.     - watch_in:

  205.       - file: salt_trust_ca_{{ cacert_file }}_permissions

  206.       - cmd: salt_update_certificates

  207. 

  208. salt_trust_ca_{{ cacert_file }}_permissions:

  209.   file.managed:

  210.     - name: {{ cacert_file }}

  211.     - mode: 0444

  212. 

  213. {%- endif %}

  214. {%- endfor %}

  215. {%- endfor %}

  216. {%- endfor %}

  217. {%- endif %}

  218. 

  219. {%- endif %}