New version of salt-formula from Saltstack
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.

227 Zeilen
7.0KB

  1. {%- from "salt/map.jinja" import minion with context %}
  2. {%- if minion.enabled %}
  3. {%- if grains.os_family == 'RedHat' %}
  4. {%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
  5. {%- else %}
  6. {%- set cacerts_dir='/usr/local/share/ca-certificates' %}
  7. {%- endif %}
  8. {%- if minion.cert is defined %}
  9. {%- set created_ca_files = [] %}
  10. {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
  11. {%- if cert.get('enabled', True) %}
  12. {%- set rowloop = loop %}
  13. {%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
  14. {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
  15. {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
  16. {%- set key_dir = salt['file.dirname'](key_file) %}
  17. {%- set cert_dir = salt['file.dirname'](cert_file) %}
  18. {%- set ca_dir = salt['file.dirname'](ca_file) %}
  19. {# Only ensure directories exists, don't touch permissions, etc. #}
  20. salt_minion_cert_{{ cert_name }}_dirs:
  21. file.directory:
  22. - names:
  23. - {{ key_dir }}
  24. - {{ cert_dir }}
  25. - {{ ca_dir }}
  26. - makedirs: true
  27. - replace: false
  28. {{ key_file }}:
  29. x509.private_key_managed:
  30. - bits: {{ cert.get('bits', 4096) }}
  31. - require:
  32. - file: salt_minion_cert_{{ cert_name }}_dirs
  33. {%- if cert.all_file is defined %}
  34. - watch_in:
  35. - cmd: salt_minion_cert_{{ cert_name }}_all
  36. {%- endif %}
  37. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  38. {{ key_file }}_key_permissions:
  39. file.managed:
  40. - name: {{ key_file }}
  41. - mode: {{ cert.get("mode", 0600) }}
  42. {%- if salt['user.info'](cert.get("user", "root")) %}
  43. - user: {{ cert.get("user", "root") }}
  44. {%- endif %}
  45. {%- if salt['group.info'](cert.get("group", "root")) %}
  46. - group: {{ cert.get("group", "root") }}
  47. {%- endif %}
  48. - replace: false
  49. - require:
  50. - x509: {{ key_file }}
  51. {{ cert_file }}:
  52. x509.certificate_managed:
  53. {% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}
  54. {% if cert.authority is defined and cert.signing_policy is defined %}
  55. - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
  56. {%- endif %}
  57. - public_key: {{ key_file }}
  58. - CN: "{{ cert.common_name }}"
  59. {% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}
  60. {% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}
  61. {% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}
  62. {% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}
  63. {% if cert.organization_name is defined %}- organizationName: {{ cert.organization_name }}{%- endif %}
  64. {% if cert.signing_private_key is defined and cert.signing_cert is defined %}
  65. - signing_private_key: "{{ cert.signing_private_key }}"
  66. - signing_cert: "{{ cert.signing_cert }}"
  67. {%- endif %}
  68. {% if cert.alternative_names is defined %}
  69. - subjectAltName: "{{ cert.alternative_names }}"
  70. {%- endif %}
  71. {%- if cert.extended_key_usage is defined %}
  72. - extendedKeyUsage: "{{ cert.extended_key_usage }}"
  73. {%- endif %}
  74. {%- if cert.key_usage is defined %}
  75. - keyUsage: "{{ cert.key_usage }}"
  76. {%- endif %}
  77. - days_remaining: 30
  78. - backup: True
  79. - watch:
  80. - x509: {{ key_file }}
  81. {%- if cert.all_file is defined %}
  82. - watch_in:
  83. - cmd: salt_minion_cert_{{ cert_name }}_all
  84. {%- endif %}
  85. {%- if grains['saltversioninfo'][0] >= 2017 %}
  86. - retry:
  87. attempts: 5
  88. until: True
  89. interval: 60
  90. {%- endif %}
  91. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  92. {{ cert_file }}_cert_permissions:
  93. file.managed:
  94. - name: {{ cert_file }}
  95. - mode: {{ cert.get("mode", 0600) }}
  96. {%- if salt['user.info'](cert.get("user", "root")) %}
  97. - user: {{ cert.get("user", "root") }}
  98. {%- endif %}
  99. {%- if salt['group.info'](cert.get("group", "root")) %}
  100. - group: {{ cert.get("group", "root") }}
  101. {%- endif %}
  102. - replace: false
  103. - require:
  104. - x509: {{ cert_file }}
  105. {%- if cert.host is defined and ca_file not in created_ca_files %}
  106. {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
  107. {%- if '/etc/pki/all_cas/'+cert.authority in ca_path %}
  108. {{ ca_file }}:
  109. x509.pem_managed:
  110. - name: {{ ca_file }}
  111. - text: {{ ca_cert|replace('\n', '') }}
  112. - watch:
  113. - x509: {{ cert_file }}
  114. {%- if cert.all_file is defined %}
  115. - watch_in:
  116. - cmd: salt_minion_cert_{{ cert_name }}_all
  117. {%- endif %}
  118. # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
  119. {{ ca_file }}_cert_permissions:
  120. file.managed:
  121. - name: {{ ca_file }}
  122. - mode: 0644
  123. {%- if salt['user.info'](cert.get("user", "root")) %}
  124. - user: {{ cert.get("user", "root") }}
  125. {%- endif %}
  126. {%- if salt['group.info'](cert.get("group", "root")) %}
  127. - group: {{ cert.get("group", "root") }}
  128. {%- endif %}
  129. - require:
  130. - x509: {{ ca_file }}
  131. {%- endif %}
  132. {%- endfor %}
  133. {%- do created_ca_files.append(ca_file) %}
  134. {%- endif %}
  135. {%- if cert.all_file is defined %}
  136. salt_minion_cert_{{ cert_name }}_all:
  137. cmd.wait:
  138. - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}
  139. {{ cert.all_file }}_cert_permissions:
  140. file.managed:
  141. - name: {{ cert.all_file }}
  142. - mode: {{ cert.get("mode", 0600) }}
  143. {%- if salt['user.info'](cert.get("user", "root")) %}
  144. - user: {{ cert.get("user", "root") }}
  145. {%- endif %}
  146. {%- if salt['group.info'](cert.get("group", "root")) %}
  147. - group: {{ cert.get("group", "root") }}
  148. {%- endif %}
  149. - replace: false
  150. - require:
  151. - cmd: salt_minion_cert_{{ cert_name }}_all
  152. {%- endif %}
  153. {%- endif %}
  154. {%- endfor %}
  155. {%- endif %}
  156. salt_ca_certificates_packages:
  157. pkg.installed:
  158. - names: {{ minion.cert_pkgs }}
  159. salt_update_certificates:
  160. cmd.wait:
  161. {%- if grains.os_family == 'Debian' %}
  162. - name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"
  163. {%- elif grains.os_family == 'RedHat' %}
  164. - name: "update-ca-trust extract"
  165. {%- else %}
  166. - name: true
  167. {%- endif %}
  168. - require:
  169. - pkg: salt_ca_certificates_packages
  170. {%- if minion.get('trust_salt_ca', True) %}
  171. {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
  172. {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}
  173. {%- for ca_path, ca_cert in certs.iteritems() %}
  174. {%- if ca_path.endswith('ca.crt') %}
  175. {# authority name can be obtained only from a cacert path in case of mine.get #}
  176. {%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %}
  177. {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}
  178. salt_trust_ca_{{ cacert_file }}:
  179. x509.pem_managed:
  180. - name: {{ cacert_file }}
  181. - text: {{ ca_cert|replace('\n', '') }}
  182. - watch_in:
  183. - file: salt_trust_ca_{{ cacert_file }}_permissions
  184. - cmd: salt_update_certificates
  185. salt_trust_ca_{{ cacert_file }}_permissions:
  186. file.managed:
  187. - name: {{ cacert_file }}
  188. - mode: 0444
  189. {%- endif %}
  190. {%- endfor %}
  191. {%- endfor %}
  192. {%- endfor %}
  193. {%- endif %}
  194. {%- endif %}