ExternalMirrors
/
salt-formula
spegling av https://github.com/salt-formulas/salt-formula-salt
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 7 Wiki Aktiviteter
New version of salt-formula from Saltstack
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
400 Incheckningar
26 Grenar
Träd: ca20bd6aa6
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från 'ca20bd6aa6'
${ noResults }
salt-formula/salt/minion/cert.sls

227 lines
7.0KB
Blame Historik 

  1. {%- from "salt/map.jinja" import minion with context %}

  2. 

  3. {%- if minion.enabled %}

  4. 

  5. {%- if grains.os_family == 'RedHat' %}

  6. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}

  7. {%- else %}

  8. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}

  9. {%- endif %}

  10. 

  11. {%- if minion.cert is defined %}

  12. 

  13. {%- set created_ca_files = [] %}

  14. 

  15. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}

  16. {%- if cert.get('enabled', True) %}

  17. {%- set rowloop = loop %}

  18. 

  19. {%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}

  20. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}

  21. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}

  22. {%- set key_dir = salt['file.dirname'](key_file) %}

  23. {%- set cert_dir = salt['file.dirname'](cert_file) %}

  24. {%- set ca_dir = salt['file.dirname'](ca_file) %}

  25. 

  26. {# Only ensure directories exists, don't touch permissions, etc. #}

  27. salt_minion_cert_{{ cert_name }}_dirs:

  28.   file.directory:

  29.     - names:

  30.       - {{ key_dir }}

  31.       - {{ cert_dir }}

  32.       - {{ ca_dir }}

  33.     - makedirs: true

  34.     - replace: false

  35. 

  36. {{ key_file }}:

  37.   x509.private_key_managed:

  38.     - bits: {{ cert.get('bits', 4096) }}

  39.     - require:

  40.       - file: salt_minion_cert_{{ cert_name }}_dirs

  41.     {%- if cert.all_file is defined %}

  42.     - watch_in:

  43.       - cmd: salt_minion_cert_{{ cert_name }}_all

  44.     {%- endif %}

  45. 

  46. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  47. {{ key_file }}_key_permissions:

  48.   file.managed:

  49.     - name: {{ key_file }}

  50.     - mode: {{ cert.get("mode", 0600) }}

  51.     {%- if salt['user.info'](cert.get("user", "root")) %}

  52.     - user: {{ cert.get("user", "root") }}

  53.     {%- endif %}

  54.     {%- if salt['group.info'](cert.get("group", "root")) %}

  55.     - group: {{ cert.get("group", "root") }}

  56.     {%- endif %}

  57.     - replace: false

  58.     - require:

  59.       - x509: {{ key_file }}

  60. 

  61. {{ cert_file }}:

  62.   x509.certificate_managed:

  63.     {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}

  64.     {% if cert.authority is defined and cert.signing_policy is defined %}

  65.     - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}

  66.     {%- endif %}

  67.     - public_key: {{ key_file }}

  68.     - CN: "{{ cert.common_name }}"

  69.     {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}

  70.     {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}

  71.     {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}

  72.     {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}

  73.     {% if cert.organization_name is defined %}- organizationName: {{ cert.organization_name }}{%- endif %}

  74.     {% if cert.signing_private_key is defined and cert.signing_cert is defined %}

  75.     - signing_private_key: "{{ cert.signing_private_key }}"

  76.     - signing_cert: "{{ cert.signing_cert }}"

  77.     {%- endif %}

  78.     {% if cert.alternative_names is defined %}

  79.     - subjectAltName: "{{ cert.alternative_names }}"

  80.     {%- endif %}

  81.     {%- if cert.extended_key_usage is defined %}

  82.     - extendedKeyUsage: "{{ cert.extended_key_usage }}"

  83.     {%- endif %}

  84.     {%- if cert.key_usage is defined %}

  85.     - keyUsage: "{{ cert.key_usage }}"

  86.     {%- endif %}

  87.     - days_remaining: 30

  88.     - backup: True

  89.     - watch:

  90.       - x509: {{ key_file }}

  91.     {%- if cert.all_file is defined %}

  92.     - watch_in:

  93.       - cmd: salt_minion_cert_{{ cert_name }}_all

  94.     {%- endif %}

  95.     {%- if grains['saltversioninfo'][0] >= 2017 %}

  96.     - retry:

  97.         attempts: 5

  98.         until: True

  99.         interval: 60

  100.     {%- endif %}

  101. 

  102. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  103. {{ cert_file }}_cert_permissions:

  104.   file.managed:

  105.     - name: {{ cert_file }}

  106.     - mode: {{ cert.get("mode", 0600) }}

  107.     {%- if salt['user.info'](cert.get("user", "root")) %}

  108.     - user: {{ cert.get("user", "root") }}

  109.     {%- endif %}

  110.     {%- if salt['group.info'](cert.get("group", "root")) %}

  111.     - group: {{ cert.get("group", "root") }}

  112.     {%- endif %}

  113.     - replace: false

  114.     - require:

  115.       - x509: {{ cert_file }}

  116. 

  117. {%- if cert.host is defined and ca_file not in created_ca_files %}

  118. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}

  119. 

  120. {%- if '/etc/pki/all_cas/'+cert.authority in ca_path %}

  121. 

  122. {{ ca_file }}:

  123.   x509.pem_managed:

  124.     - name: {{ ca_file }}

  125.     - text: {{ ca_cert|replace('\n', '') }}

  126.     - watch:

  127.       - x509: {{ cert_file }}

  128.     {%- if cert.all_file is defined %}

  129.     - watch_in:

  130.       - cmd: salt_minion_cert_{{ cert_name }}_all

  131.     {%- endif %}

  132. 

  133. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2

  134. {{ ca_file }}_cert_permissions:

  135.   file.managed:

  136.     - name: {{ ca_file }}

  137.     - mode: 0644

  138.     {%- if salt['user.info'](cert.get("user", "root")) %}

  139.     - user: {{ cert.get("user", "root") }}

  140.     {%- endif %}

  141.     {%- if salt['group.info'](cert.get("group", "root")) %}

  142.     - group: {{ cert.get("group", "root") }}

  143.     {%- endif %}

  144.     - require:

  145.       - x509: {{ ca_file }}

  146. 

  147. {%- endif %}

  148. 

  149. {%- endfor %}

  150. 

  151. {%- do created_ca_files.append(ca_file) %}

  152. {%- endif %}

  153. 

  154. {%- if cert.all_file is defined %}

  155. 

  156. salt_minion_cert_{{ cert_name }}_all:

  157.   cmd.wait:

  158.     - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}

  159. 

  160. {{ cert.all_file }}_cert_permissions:

  161.   file.managed:

  162.     - name: {{ cert.all_file }}

  163.     - mode: {{ cert.get("mode", 0600) }}

  164.     {%- if salt['user.info'](cert.get("user", "root")) %}

  165.     - user: {{ cert.get("user", "root") }}

  166.     {%- endif %}

  167.     {%- if salt['group.info'](cert.get("group", "root")) %}

  168.     - group: {{ cert.get("group", "root") }}

  169.     {%- endif %}

  170.     - replace: false

  171.     - require:

  172.       - cmd: salt_minion_cert_{{ cert_name }}_all

  173. {%- endif %}

  174. {%- endif %}

  175. 

  176. {%- endfor %}

  177. 

  178. {%- endif %}

  179. 

  180. salt_ca_certificates_packages:

  181.   pkg.installed:

  182.     - names: {{ minion.cert_pkgs }}

  183. 

  184. salt_update_certificates:

  185.   cmd.wait:

  186. {%- if grains.os_family == 'Debian' %}

  187.     - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"

  188. {%- elif grains.os_family == 'RedHat' %}

  189.     - name: "update-ca-trust extract"

  190. {%- else %}

  191.     - name: true

  192. {%- endif %}

  193.     - require:

  194.       - pkg: salt_ca_certificates_packages

  195. 

  196. {%- if minion.get('trust_salt_ca', True) %}

  197. 

  198. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}

  199. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

  200. {%- for ca_path, ca_cert in certs.iteritems() %}

  201. {%- if ca_path.endswith('ca.crt') %}

  202. 

  203. {# authority name can be obtained only from a cacert path in case of mine.get #}

  204. {%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %}

  205. {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}

  206. 

  207. salt_trust_ca_{{ cacert_file }}:

  208.   x509.pem_managed:

  209.     - name: {{ cacert_file }}

  210.     - text: {{ ca_cert|replace('\n', '') }}

  211.     - watch_in:

  212.       - file: salt_trust_ca_{{ cacert_file }}_permissions

  213.       - cmd: salt_update_certificates

  214. 

  215. salt_trust_ca_{{ cacert_file }}_permissions:

  216.   file.managed:

  217.     - name: {{ cacert_file }}

  218.     - mode: 0444

  219. 

  220. {%- endif %}

  221. {%- endfor %}

  222. {%- endfor %}

  223. {%- endfor %}

  224. {%- endif %}

  225. 

  226. {%- endif %}