New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

71 lines
1.7KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. include:
  4. - salt.minion.service
  5. {%- for ca_name,ca in minion.ca.iteritems() %}
  6. /etc/pki/ca/{{ ca_name }}/certs:
  7. file.directory:
  8. - makedirs: true
  9. /etc/pki/ca/{{ ca_name }}/ca.key:
  10. x509.private_key_managed:
  11. - bits: 4096
  12. - backup: True
  13. - require:
  14. - file: /etc/pki/ca/{{ ca_name }}/certs
  15. /etc/pki/ca/{{ ca_name }}/ca.crt:
  16. x509.certificate_managed:
  17. - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
  18. - CN: "{{ ca.common_name }}"
  19. {%- if ca.country is defined %}
  20. - C: {{ ca.country }}
  21. {%- endif %}
  22. {%- if ca.state is defined %}
  23. - ST: {{ ca.state }}
  24. {%- endif %}
  25. {%- if ca.locality is defined %}
  26. - L: {{ ca.locality }}
  27. {%- endif %}
  28. {%- if ca.organization is defined %}
  29. - O: {{ ca.organization }}
  30. {%- endif %}
  31. {%- if ca.organization_unit is defined %}
  32. - OU: {{ ca.organization_unit }}
  33. {%- endif %}
  34. - basicConstraints: "critical,CA:TRUE"
  35. - keyUsage: "critical,cRLSign,keyCertSign"
  36. - subjectKeyIdentifier: hash
  37. - authorityKeyIdentifier: keyid,issuer:always
  38. - days_valid: {{ ca.days_valid.authority }}
  39. - days_remaining: 0
  40. - backup: True
  41. - require:
  42. - x509: /etc/pki/ca/{{ ca_name }}/ca.key
  43. salt_system_ca_mine_send_ca_{{ ca_name }}:
  44. module.run:
  45. - name: mine.send
  46. - func: x509.get_pem_entries
  47. - kwargs:
  48. glob_path: /etc/pki/ca/{{ ca_name }}/ca.crt
  49. - require:
  50. - x509: /etc/pki/ca/{{ ca_name }}/ca.crt
  51. salt_system_ca_mine_send_ca_key_{{ ca_name }}:
  52. module.run:
  53. - name: mine.send
  54. - func: x509_get_private_key
  55. - kwargs:
  56. mine_function: x509.get_pem_entries
  57. glob_path: /etc/pki/ca/{{ ca_name }}/ca.key
  58. - require:
  59. - x509: /etc/pki/ca/{{ ca_name }}/ca.key
  60. {%- endfor %}
  61. {%- endif %}