Added Salt PKI setup, orchestration skeleton

README.rst

@@ -120,6 +120,15 @@ Salt minion with graphing dependencies
 .. literalinclude:: tests/pillar/minion_graph.sls
    :language: yaml
 
+Salt minion with PKI CA
+
+.. literalinclude:: tests/pillar/minion_pki_ca.sls
+   :language: yaml
+
+Salt minion with PKI certificate
+
+.. literalinclude:: tests/pillar/minion_pki_cert.sls
+   :language: yaml
 
 Salt control (cloud/kvm/docker)
 -------------------------------

metadata/service/support.yml

@@ -1,5 +1,7 @@
 parameters:
   salt:
+    _orchestrate:
+      priority: 20
     _support:
       collectd:
         enabled: false

salt/files/_signing_policies.conf

@@ -0,0 +1,18 @@
+{%- from "salt/map.jinja" import minion with context %}
+
+x509_signing_policies:
+{%- for ca_name,ca in minion.ca.items() %}
+  {{ ca_name }}:
+    - minions: '*'
+    - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
+    - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
+    - C: {{ ca.country }}
+    - ST: {{ ca.state }}
+    - L: {{ ca.locality }}
+    - basicConstraints: "critical CA:false"
+    - keyUsage: "critical cRLSign, keyCertSign"
+    - subjectKeyIdentifier: hash
+    - authorityKeyIdentifier: keyid,issuer:always
+    - days_valid: {{ ca.days_valid.certificate }}
+    - copypath: /etc/pki/ca/{{ ca_name }}/certs/
+{%- endfor %}

salt/files/minion.conf

@@ -57,7 +57,6 @@ mine_interval: {{ minion.mine.get('interval', 30) }}
 
 {%- endif %}
 
-
 {%- if minion.sentry is defined %}
 sentry_handler:
 {% for server in minion.sentry.servers %}

salt/files/orchestrate.sls

@@ -0,0 +1,43 @@
+{%- from "salt/map.jinja" import master with context %}
+{%- if master.enabled %}
+
+{{ formula_dict }}
+
+{%- for environment_name, environment in master.get('environment', {}).iteritems() %}
+
+{%- if master.base_environment == environment_name %}
+
+{%- set formula_dict = environment.get('formula', {}) %}
+{%- set new_formula_dict = {} %}
+
+{%- for formula_name, formula in formula_dict.iteritems() %}
+
+{%- set _tmp = new_formula_dict.update({formula_name: formula.get('orchestrate_order', 100)}) %}
+
+{%- endfor %}
+
+{%- set sorted_formula_list = new_formula_dict|dictsort(false, 'value') %}
+	
+{%- for formula in sorted_formula_list %}
+
+{%- if salt['file.file_exists']('/srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') %}
+
+{{ salt['cmd.run']('cat /srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') }}
+
+{%- else %}
+
+{{ formula.0 }}:
+  salt.state:
+    - tgt: 'services:{{ formula.0 }}'
+    - tgt_type: grain
+    - sls: {{ formula.0 }}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}

salt/master/ca.sls

@@ -1,23 +0,0 @@
-{%- from "salt/map.jinja" import master with context %}
-{%- if master.enabled %}
-
-{%- if pillar.django_pki is defined %}
-{%- if pillar.django_pki.server.enabled %}
-
-include:
-- salt.master.service
-
-{#
-{%- for environment_name, environment in master.environment.iteritems() %}
-
-/srv/salt/env/{{ environment_name }}/pki:
-  file.symlink:
-  - target: /srv/django_pki/site/pki
-
-{%- endfor %}
-#}
-
-{%- endif %}
-{%- endif %}
-
-{%- endif %}

salt/master/init.sls

@@ -3,5 +3,9 @@ include:
 - salt.master.env
 - salt.master.pillar
 - salt.master.minion
+{%- if pillar.salt.master.windows_repo is defined %}
 - salt.master.win_repo
-- salt.master.ca
+{%- endif %}
+{#
+- salt.master.orchestrate
+#}

salt/master/orchestrate.sls

@@ -0,0 +1,32 @@
+{%- from "salt/map.jinja" import master with context %}
+{%- if master.enabled %}
+
+{%- for environment_name, environment in master.get('environment', {}).iteritems() %}
+
+{%- if master.base_environment == environment_name %}
+
+{%- set formula_dict = {} %}
+{%- for formula_name, formula in formula_dict.iteritems() %}
+
+{%- if salt['file.file_exists']('salt://'+formula_name+'/meta/salt.yml') %}
+{%- set grains_fragment_file = formula_name+'/meta/salt.yml' %}
+{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
+{%- set grains_yaml = load_grains_file()|load_yaml %}
+{% _dummy = formula_dict.update{formula_name: grains_yaml.orchestrate }}
+{%- else %}
+{%- endif %}
+{%- endfor %}
+
+/srv/salt/env/{{ environment_name}}/orchestrate.sls:
+  file.managed:
+  - source: salt://salt/files/orchestrate.sls
+  - user: root
+  - template: jinja
+  - defaults:
+      formula_dict: {{ formula_dict|yaml }}
+
+{%- endif %}
+
+{%- endfor %}
+
+{%- endif %}

salt/meta/salt.yml

@@ -0,0 +1,9 @@
+orchestrate:
+  master:
+    priority: 10
+  minion:
+    priority: 20
+  syndic:
+    priority: 200
+  control:
+    priority: 400

salt/minion.sls

@@ -1,70 +0,0 @@
-{%- from "salt/map.jinja" import minion with context %}
-{%- if minion.enabled %}
-
-salt_minion_packages:
-  pkg.latest:
-  - names: {{ minion.pkgs }}
-
-salt_minion_grains_dir:
-  file.directory:
-  - name: /etc/salt/grains.d
-  - mode: 700
-  - makedirs: true
-  - user: root
-
-salt_minion_grains_placeholder:
-  file.touch:
-  - name: /etc/salt/grains.d/placeholder
-  - require:
-    - file: salt_minion_grains_dir
-
-salt_minion_grains_file:
-  cmd.run:
-  - name: cat /etc/salt/grains.d/* > /etc/salt/grains
-  - require:
-    - file: salt_minion_grains_placeholder
-
-/etc/salt/minion.d/minion.conf:
-  file.managed:
-  - source: salt://salt/files/minion.conf
-  - user: root
-  - group: root
-  - template: jinja
-  - require:
-    - pkg: salt_minion_packages
-    - file: salt_minion_grains_dir
-  - watch_in:
-    - service: salt_minion_service
-
-salt_minion_service:
-  service.running:
-  - name: {{ minion.service }}
-  - enable: true
-
-{%- if minion.graph_states %}
-
-salt_graph_packages:
-  pkg.latest:
-  - names: {{ minion.graph_pkgs }}
-  - require:
-    - pkg: salt_minion_packages
-
-salt_graph_states_packages:
-  pkg.latest:
-  - names: {{ minion.graph_states_pkgs }}
-
-/root/salt-state-graph.py:
-  file.managed:
-  - source: salt://salt/files/salt-state-graph.py
-  - require:
-    - pkg: salt_graph_packages
-
-/root/salt-state-graph.sh:
-  file.managed:
-  - source: salt://salt/files/salt-state-graph.sh
-  - require:
-    - pkg: salt_graph_packages
-
-{%- endif %}
-
-{%- endif %}

salt/minion/ca.sls

@@ -0,0 +1,56 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+/etc/salt/minion.d/_signing_policies.conf:
+  file.managed:
+  - source: salt://salt/files/_signing_policies.conf
+  - template: jinja
+  - require:
+    - pkg: salt_minion_packages
+  - watch_in:
+    - service: salt_minion_service
+
+{%- for ca_name,ca in minion.ca.iteritems() %}
+
+/etc/pki/ca/{{ ca_name }}/certs:
+  file.directory:
+  - makedirs: true
+
+/etc/pki/ca/{{ ca_name }}/ca.key:
+  x509.private_key_managed:
+  - bits: 4096
+  - backup: True
+  - require:
+    - file: /etc/pki/ca/{{ ca_name }}/certs
+
+/etc/pki/ca/{{ ca_name }}/ca.crt:
+  x509.certificate_managed:
+  - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
+  - CN: {{ ca.common_name }}
+  - C: {{ ca.country }}
+  - ST: {{ ca.state }}
+  - L: {{ ca.locality }}
+  - basicConstraints: "critical CA:true"
+  - keyUsage: "critical cRLSign, keyCertSign"
+  - subjectKeyIdentifier: hash
+  - authorityKeyIdentifier: keyid,issuer:always
+  - days_valid: {{ ca.days_valid.authority }}
+  - days_remaining: 0
+  - backup: True
+  - require:
+    - x509: /etc/pki/ca/{{ ca_name }}/ca.key
+
+mine.send:
+  module.run:
+  - func: x509.get_pem_entries
+  - kwargs:
+      glob_path: /etc/pki/ca/{{ ca_name }}/ca.crt
+  - onchanges:
+    - x509: /etc/pki/ca/{{ ca_name }}/ca.crt
+
+{%- endfor %}
+
+{%- endif %}

salt/minion/cert.sls

@@ -0,0 +1,41 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+{%- for cert_name,cert in minion.cert.iteritems() %}
+
+/etc/pki/cert/{{ cert.authority }}:
+  file.directory:
+  - makedirs: true
+
+/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key:
+  x509.private_key_managed:
+  - bits: 4096
+
+/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
+  x509.certificate_managed:
+  - ca_server: wst01.newt.cz
+  - signing_policy: {{ cert.authority }}
+  - public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
+  - CN: {{ cert.common_name }}
+  - days_remaining: 30
+  - backup: True
+
+{%- endfor %}
+
+{#
+/usr/local/share/ca-certificates:
+  file.directory: []
+
+{%- for ca_path,ca in salt['mine.get']('ca', 'x509.get_pem_entries')['ca'].iteritems() %}
+
+/usr/local/share/ca-certificates/{{ ca }}.crt:
+  x509.pem_managed:
+  - text: {{ salt['mine.get']('ca', 'x509.get_pem_entries')['ca']['/etc/pki/ca.crt']|replace('\n', '') }}
+
+{%- endfor %}
+#}
+
+{%- endif %}

salt/minion/grains.sls

@@ -0,0 +1,30 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+include:
+- salt.minion.service
+
+salt_minion_grains_dir:
+  file.directory:
+  - name: /etc/salt/grains.d
+  - mode: 700
+  - makedirs: true
+  - user: root
+  - require:
+    - pkg: salt_minion_packages
+
+salt_minion_grains_placeholder:
+  file.touch:
+  - name: /etc/salt/grains.d/placeholder
+  - require:
+    - file: salt_minion_grains_dir
+
+salt_minion_grains_file:
+  cmd.run:
+  - name: cat /etc/salt/grains.d/* > /etc/salt/grains
+  - require:
+    - file: salt_minion_grains_dir
+  - watch_in:
+    - service: salt_minion_service
+
+{%- endif %}

salt/minion/graph.sls

@@ -0,0 +1,26 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+salt_graph_packages:
+  pkg.latest:
+  - names: {{ minion.graph_pkgs }}
+  - require:
+    - pkg: salt_minion_packages
+
+salt_graph_states_packages:
+  pkg.latest:
+  - names: {{ minion.graph_states_pkgs }}
+
+/root/salt-state-graph.py:
+  file.managed:
+  - source: salt://salt/files/salt-state-graph.py
+  - require:
+    - pkg: salt_graph_packages
+
+/root/salt-state-graph.sh:
+  file.managed:
+  - source: salt://salt/files/salt-state-graph.sh
+  - require:
+    - pkg: salt_graph_packages
+
+{%- endif %}

salt/minion/init.sls

@@ -0,0 +1,12 @@
+include:
+- salt.minion.service
+- salt.minion.grains
+{%- if pillar.salt.minion.graph_states %}
+- salt.minion.graph
+{%- endif %}
+{%- if pillar.salt.minion.ca is defined %}
+- salt.minion.ca
+{%- endif %}
+{%- if pillar.salt.minion.cert is defined %}
+- salt.minion.cert
+{%- endif %}

salt/minion/service.sls

@@ -0,0 +1,24 @@
+{%- from "salt/map.jinja" import minion with context %}
+{%- if minion.enabled %}
+
+salt_minion_packages:
+  pkg.latest:
+  - names: {{ minion.pkgs }}
+
+/etc/salt/minion.d/minion.conf:
+  file.managed:
+  - source: salt://salt/files/minion.conf
+  - user: root
+  - group: root
+  - template: jinja
+  - require:
+    - pkg: salt_minion_packages
+  - watch_in:
+    - service: salt_minion_service
+
+salt_minion_service:
+  service.running:
+  - name: {{ minion.service }}
+  - enable: true
+
+{%- endif %}

tests/pillar/control_virt.sls

@@ -1,6 +1,8 @@
 salt:
   minion:
     enabled: true
+    master:
+      host: config01.dc01.domain.com
   control:
     enabled: true
     virt_enabled: true
@@ -8,15 +10,12 @@ salt:
       small:
         cpu: 1
         ram: 1
-        hdd: 10
       medium:
         cpu: 2
         ram: 4
-        hdd: 20
       large:
         cpu: 4
         ram: 8
-        hdd: 70
     cluster:
       vpc20_infra:
         domain: neco.virt.domain.com
@@ -27,9 +26,9 @@ salt:
         node:
           ubuntu1:
             provider: node01.domain.com
-            image: "salt://ubuntu.qcow"
+            image: ubuntu.qcow
             size: medium
           ubuntu2:
             provider: node02.domain.com
-            image: "http://ubuntu.com"
-            size: small
+            image: bubuntu.qcomw
+            size: small

tests/pillar/minion_pki_ca.sls

@@ -0,0 +1,12 @@
+salt:
+  minion:
+    enabled: true
+    ca:
+      vagrant:
+        common_name: Test CA
+        country: Czech
+        state: Prague
+        locality: Zizkov
+        days_valid:
+          authority: 3650
+          certificate: 90

tests/pillar/minion_pki_cert.sls

@@ -0,0 +1,7 @@
+salt:
+  minion:
+    enabled: true
+    cert:
+      test_service:
+        authority: Company CA
+        common_name: test.service.domain.tld