New version of salt-formula from Saltstack
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.

114 Zeilen
3.1KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. include:
  4. - salt.minion.service
  5. {%- set all_ca_certs_dir = '/etc/pki/all_cas' %}
  6. {%- for ca_name,ca in minion.ca.iteritems() %}
  7. {%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
  8. {%- set ca_key_file = ca.get('ca_key_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.key') %}
  9. {%- set ca_key_usage = ca.get('key_usage',"critical,cRLSign,keyCertSign") %}
  10. {%- set ca_dir = salt['file.dirname'](ca_file) %}
  11. {%- set ca_key_dir = salt['file.dirname'](ca_key_file) %}
  12. {%- set ca_certs_dir = ca_dir ~ '/certs' %}
  13. salt_minion_cert_{{ ca_name }}_dirs:
  14. file.directory:
  15. - names:
  16. - {{ ca_dir }}
  17. - {{ ca_key_dir }}
  18. - {{ ca_certs_dir }}
  19. - makedirs: true
  20. {{ ca_key_file }}:
  21. x509.private_key_managed:
  22. - bits: 4096
  23. - backup: True
  24. - require:
  25. - file: {{ ca_certs_dir }}
  26. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  27. {{ ca_name }}_key_permissions:
  28. file.managed:
  29. - name: {{ ca_key_file }}
  30. - mode: {{ ca.get("mode", 0600) }}
  31. {%- if salt['user.info'](ca.get("user", "root")) %}
  32. - user: {{ ca.get("user", "root") }}
  33. {%- endif %}
  34. {%- if salt['group.info'](ca.get("group", "root")) %}
  35. - group: {{ ca.get("group", "root") }}
  36. {%- endif %}
  37. - replace: false
  38. - require:
  39. - x509: {{ ca_key_file }}
  40. {{ ca_file }}:
  41. x509.certificate_managed:
  42. - signing_private_key: {{ ca_key_file }}
  43. - CN: "{{ ca.common_name }}"
  44. {%- if ca.country is defined %}
  45. - C: {{ ca.country }}
  46. {%- endif %}
  47. {%- if ca.state is defined %}
  48. - ST: {{ ca.state }}
  49. {%- endif %}
  50. {%- if ca.locality is defined %}
  51. - L: {{ ca.locality }}
  52. {%- endif %}
  53. {%- if ca.organization is defined %}
  54. - O: {{ ca.organization }}
  55. {%- endif %}
  56. {%- if ca.organization_unit is defined %}
  57. - OU: {{ ca.organization_unit }}
  58. {%- endif %}
  59. - basicConstraints: "critical,CA:TRUE"
  60. - keyUsage: {{ ca_key_usage }}
  61. - subjectKeyIdentifier: hash
  62. - authorityKeyIdentifier: keyid,issuer:always
  63. - days_valid: {{ ca.days_valid.authority }}
  64. - days_remaining: 0
  65. - backup: True
  66. - require:
  67. - x509: {{ ca_key_file }}
  68. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  69. {{ ca_name }}_cert_permissions:
  70. file.managed:
  71. - name: {{ ca_file }}
  72. - mode: 0644
  73. {%- if salt['user.info'](ca.get("user", "root")) %}
  74. - user: {{ ca.get("user", "root") }}
  75. {%- endif %}
  76. {%- if salt['group.info'](ca.get("group", "root")) %}
  77. - group: {{ ca.get("group", "root") }}
  78. {%- endif %}
  79. - require:
  80. - x509: {{ ca_file }}
  81. copy_to_{{all_ca_certs_dir}}/{{ ca_name }}:
  82. file.copy:
  83. - name: {{ all_ca_certs_dir }}/{{ ca_name }}.crt
  84. - source: {{ ca_file }}
  85. - makedirs: True
  86. - force: True
  87. - unless:
  88. - diff -q {{ ca_file }} {{ all_ca_certs_dir }}/{{ ca_name }}.crt
  89. - require:
  90. - x509: {{ ca_file }}
  91. {%- endfor %}
  92. salt_system_ca_mine_send_ca:
  93. module.run:
  94. - name: mine.send
  95. - func: x509.get_pem_entries
  96. - kwargs:
  97. mine_function: x509.get_pem_entries
  98. glob_path: {{ all_ca_certs_dir }}/*
  99. {%- endif %}