ExternalMirrors
/
salt-formula
镜像来自 https://github.com/salt-formulas/salt-formula-salt
關注 1
收藏 0
複製 0
程式碼 問題 0 版本發佈 7 Wiki 活動
New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
391 提交
26 分支
目錄樹: 9e4dd699e9
分支列表 標籤
${ item.name }
建立分支 ${ searchTerm }
從 '9e4dd699e9'
${ noResults }
salt-formula/salt/minion/cert.sls

225 line
7.0KB
原始文件 Blame 歷史記錄 

  1. {%- from "salt/map.jinja" import minion with context %}

  2. 

  3. {%- if minion.enabled %}

  4. 

  5. {%- if grains.os_family == 'RedHat' %}

  6. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}

  7. {%- else %}

  8. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}

  9. {%- endif %}

  10. 

  11. {%- if minion.cert is defined %}

  12. 

  13. {%- set created_ca_files = [] %}

  14. 

  15. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}

  16. {%- set rowloop = loop %}

  17. 

  18. {%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}

  19. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}

  20. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}

  21. {%- set key_dir = salt['file.dirname'](key_file) %}

  22. {%- set cert_dir = salt['file.dirname'](cert_file) %}

  23. {%- set ca_dir = salt['file.dirname'](ca_file) %}

  24. 

  25. {# Only ensure directories exists, don't touch permissions, etc. #}

  26. salt_minion_cert_{{ cert_name }}_dirs:

  27.   file.directory:

  28.     - names:

  29.       - {{ key_dir }}

  30.       - {{ cert_dir }}

  31.       - {{ ca_dir }}

  32.     - makedirs: true

  33.     - replace: false

  34. 

  35. {{ key_file }}:

  36.   x509.private_key_managed:

  37.     - bits: {{ cert.get('bits', 4096) }}

  38.     - require:

  39.       - file: salt_minion_cert_{{ cert_name }}_dirs

  40.     {%- if cert.all_file is defined %}

  41.     - watch_in:

  42.       - cmd: salt_minion_cert_{{ cert_name }}_all

  43.     {%- endif %}

  44. 

  45. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  46. {{ key_file }}_key_permissions:

  47.   file.managed:

  48.     - name: {{ key_file }}

  49.     - mode: {{ cert.get("mode", 0600) }}

  50.     {%- if salt['user.info'](cert.get("user", "root")) %}

  51.     - user: {{ cert.get("user", "root") }}

  52.     {%- endif %}

  53.     {%- if salt['group.info'](cert.get("group", "root")) %}

  54.     - group: {{ cert.get("group", "root") }}

  55.     {%- endif %}

  56.     - replace: false

  57.     - require:

  58.       - x509: {{ key_file }}

  59. 

  60. {{ cert_file }}:

  61.   x509.certificate_managed:

  62.     {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}

  63.     {% if cert.authority is defined and cert.signing_policy is defined %}

  64.     - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}

  65.     {%- endif %}

  66.     - public_key: {{ key_file }}

  67.     - CN: "{{ cert.common_name }}"

  68.     {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}

  69.     {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}

  70.     {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}

  71.     {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}

  72.     {% if cert.organization_name is defined %}- organizationName: {{ cert.organization_name }}{%- endif %}

  73.     {% if cert.signing_private_key is defined and cert.signing_cert is defined %}

  74.     - signing_private_key: "{{ cert.signing_private_key }}"

  75.     - signing_cert: "{{ cert.signing_cert }}"

  76.     {%- endif %}

  77.     {% if cert.alternative_names is defined %}

  78.     - subjectAltName: "{{ cert.alternative_names }}"

  79.     {%- endif %}

  80.     {%- if cert.extended_key_usage is defined %}

  81.     - extendedKeyUsage: "{{ cert.extended_key_usage }}"

  82.     {%- endif %}

  83.     {%- if cert.key_usage is defined %}

  84.     - keyUsage: "{{ cert.key_usage }}"

  85.     {%- endif %}

  86.     - days_remaining: 30

  87.     - backup: True

  88.     - watch:

  89.       - x509: {{ key_file }}

  90.     {%- if cert.all_file is defined %}

  91.     - watch_in:

  92.       - cmd: salt_minion_cert_{{ cert_name }}_all

  93.     {%- endif %}

  94.     {%- if grains['saltversioninfo'][0] >= 2017 %}

  95.     - retry:

  96.         attepmts: 5

  97.         until: True

  98.         interval: 60

  99.     {%- endif %}

  100. 

  101. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  102. {{ cert_file }}_cert_permissions:

  103.   file.managed:

  104.     - name: {{ cert_file }}

  105.     - mode: {{ cert.get("mode", 0600) }}

  106.     {%- if salt['user.info'](cert.get("user", "root")) %}

  107.     - user: {{ cert.get("user", "root") }}

  108.     {%- endif %}

  109.     {%- if salt['group.info'](cert.get("group", "root")) %}

  110.     - group: {{ cert.get("group", "root") }}

  111.     {%- endif %}

  112.     - replace: false

  113.     - require:

  114.       - x509: {{ cert_file }}

  115. 

  116. {%- if cert.host is defined and ca_file not in created_ca_files %}

  117. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}

  118. 

  119. {%- if '/etc/pki/all_cas/'+cert.authority in ca_path %}

  120. 

  121. {{ ca_file }}:

  122.   x509.pem_managed:

  123.     - name: {{ ca_file }}

  124.     - text: {{ ca_cert|replace('\n', '') }}

  125.     - watch:

  126.       - x509: {{ cert_file }}

  127.     {%- if cert.all_file is defined %}

  128.     - watch_in:

  129.       - cmd: salt_minion_cert_{{ cert_name }}_all

  130.     {%- endif %}

  131. 

  132. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  133. {{ ca_file }}_cert_permissions:

  134.   file.managed:

  135.     - name: {{ ca_file }}

  136.     - mode: 0644

  137.     {%- if salt['user.info'](cert.get("user", "root")) %}

  138.     - user: {{ cert.get("user", "root") }}

  139.     {%- endif %}

  140.     {%- if salt['group.info'](cert.get("group", "root")) %}

  141.     - group: {{ cert.get("group", "root") }}

  142.     {%- endif %}

  143.     - require:

  144.       - x509: {{ ca_file }}

  145. 

  146. {%- endif %}

  147. 

  148. {%- endfor %}

  149. 

  150. {%- do created_ca_files.append(ca_file) %}

  151. {%- endif %}

  152. 

  153. {%- if cert.all_file is defined %}

  154. 

  155. salt_minion_cert_{{ cert_name }}_all:

  156.   cmd.wait:

  157.     - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}

  158. 

  159. {{ cert.all_file }}_cert_permissions:

  160.   file.managed:

  161.     - name: {{ cert.all_file }}

  162.     - mode: {{ cert.get("mode", 0600) }}

  163.     {%- if salt['user.info'](cert.get("user", "root")) %}

  164.     - user: {{ cert.get("user", "root") }}

  165.     {%- endif %}

  166.     {%- if salt['group.info'](cert.get("group", "root")) %}

  167.     - group: {{ cert.get("group", "root") }}

  168.     {%- endif %}

  169.     - replace: false

  170.     - require:

  171.       - cmd: salt_minion_cert_{{ cert_name }}_all

  172. {%- endif %}

  173. 

  174. {%- endfor %}

  175. 

  176. {%- endif %}

  177. 

  178. salt_ca_certificates_packages:

  179.   pkg.installed:

  180.     - names: {{ minion.cert_pkgs }}

  181. 

  182. salt_update_certificates:

  183.   cmd.wait:

  184. {%- if grains.os_family == 'Debian' %}

  185.     - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"

  186. {%- elif grains.os_family == 'RedHat' %}

  187.     - name: "update-ca-trust extract"

  188. {%- else %}

  189.     - name: true

  190. {%- endif %}

  191.     - require:

  192.       - pkg: salt_ca_certificates_packages

  193. 

  194. {%- if minion.get('trust_salt_ca', True) %}

  195. 

  196. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}

  197. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

  198. {%- for ca_path, ca_cert in certs.iteritems() %}

  199. {%- if ca_path.endswith('ca.crt') %}

  200. 

  201. {# authority name can be obtained only from a cacert path in case of mine.get #}

  202. {%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %}

  203. {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}

  204. 

  205. salt_trust_ca_{{ cacert_file }}:

  206.   x509.pem_managed:

  207.     - name: {{ cacert_file }}

  208.     - text: {{ ca_cert|replace('\n', '') }}

  209.     - watch_in:

  210.       - file: salt_trust_ca_{{ cacert_file }}_permissions

  211.       - cmd: salt_update_certificates

  212. 

  213. salt_trust_ca_{{ cacert_file }}_permissions:

  214.   file.managed:

  215.     - name: {{ cacert_file }}

  216.     - mode: 0444

  217. 

  218. {%- endif %}

  219. {%- endfor %}

  220. {%- endfor %}

  221. {%- endfor %}

  222. {%- endif %}

  223. 

  224. {%- endif %}