Browse Source
Repair multi-ca generating states
Salt (ca.sls) supports generation a few CA.cert but it works incorrectly. When we generate a few ca.cert, salt must upload it to mine. But it overwrites previous ones. Related-Prod: PROD-21740 Change-Id: I60f1089cc58758d3be65371deaaa69348fde86a4pull/73/head
Oleksandr Shyshko
6 years ago
2 changed files with 20 additions and 9 deletions
+ 18
- 6
salt/minion/ca.sls
View File
| @@ -4,6 +4,8 @@ | |||
| include: | |||
| - salt.minion.service | |||
| {%- set all_ca_certs_dir = '/etc/pki/all_cas' %} | |||
| {%- for ca_name,ca in minion.ca.iteritems() %} | |||
| {%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %} | |||
| @@ -87,15 +89,25 @@ salt_minion_cert_{{ ca_name }}_dirs: | |||
| - require: | |||
| - x509: {{ ca_file }} | |||
| salt_system_ca_mine_send_ca_{{ ca_name }}: | |||
| module.run: | |||
| - name: mine.send | |||
| - func: x509.get_pem_entries | |||
| - kwargs: | |||
| glob_path: {{ ca_file }} | |||
| copy_to_{{all_ca_certs_dir}}/{{ ca_name }}: | |||
| file.copy: | |||
| - name: {{ all_ca_certs_dir }}/{{ ca_name }}.crt | |||
| - source: {{ ca_file }} | |||
| - makedirs: True | |||
| - force: True | |||
| - unless: | |||
| - diff -q {{ ca_file }} {{ all_ca_certs_dir }}/{{ ca_name }}.crt | |||
| - require: | |||
| - x509: {{ ca_file }} | |||
| {%- endfor %} | |||
| salt_system_ca_mine_send_ca: | |||
| module.run: | |||
| - name: mine.send | |||
| - func: x509.get_pem_entries | |||
| - kwargs: | |||
| mine_function: x509.get_pem_entries | |||
| glob_path: {{ all_ca_certs_dir }}/* | |||
| {%- endif %} | |||
+ 2
- 3
salt/minion/cert.sls
View File
| @@ -110,7 +110,7 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| {%- if cert.host is defined and ca_file not in created_ca_files %} | |||
| {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %} | |||
| {%- if '/etc/pki/ca/'+cert.authority in ca_path %} | |||
| {%- if '/etc/pki/all_cas/'+cert.authority in ca_path %} | |||
| {{ ca_file }}: | |||
| x509.pem_managed: | |||
| @@ -123,7 +123,6 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| - cmd: salt_minion_cert_{{ cert_name }}_all | |||
| {%- endif %} | |||
| # TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2 | |||
| {{ ca_file }}_cert_permissions: | |||
| file.managed: | |||
| @@ -194,7 +193,7 @@ salt_update_certificates: | |||
| {%- if ca_path.endswith('ca.crt') %} | |||
| {# authority name can be obtained only from a cacert path in case of mine.get #} | |||
| {%- set ca_authority = ca_path.split("/")[-2] %} | |||
| {%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %} | |||
| {%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %} | |||
| salt_trust_ca_{{ cacert_file }}: | |||
Loading…