.. literalinclude:: tests/pillar/minion_graph.sls | .. literalinclude:: tests/pillar/minion_graph.sls | ||||
:language: yaml | :language: yaml | ||||
Salt minion with PKI CA | |||||
.. literalinclude:: tests/pillar/minion_pki_ca.sls | |||||
:language: yaml | |||||
Salt minion with PKI certificate | |||||
.. literalinclude:: tests/pillar/minion_pki_cert.sls | |||||
:language: yaml | |||||
Salt control (cloud/kvm/docker) | Salt control (cloud/kvm/docker) | ||||
------------------------------- | ------------------------------- |
parameters: | parameters: | ||||
salt: | salt: | ||||
_orchestrate: | |||||
priority: 20 | |||||
_support: | _support: | ||||
collectd: | collectd: | ||||
enabled: false | enabled: false |
{%- from "salt/map.jinja" import minion with context %} | |||||
x509_signing_policies: | |||||
{%- for ca_name,ca in minion.ca.items() %} | |||||
{{ ca_name }}: | |||||
- minions: '*' | |||||
- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key | |||||
- signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt | |||||
- C: {{ ca.country }} | |||||
- ST: {{ ca.state }} | |||||
- L: {{ ca.locality }} | |||||
- basicConstraints: "critical CA:false" | |||||
- keyUsage: "critical cRLSign, keyCertSign" | |||||
- subjectKeyIdentifier: hash | |||||
- authorityKeyIdentifier: keyid,issuer:always | |||||
- days_valid: {{ ca.days_valid.certificate }} | |||||
- copypath: /etc/pki/ca/{{ ca_name }}/certs/ | |||||
{%- endfor %} |
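Review bot: Every generated signing policy matches all minions (`- minions: '*'`), so any minion that can reach the CA minion can obtain a certificate under any of these CAs with a subject of its own choosing, since the policy fixes only `C`/`ST`/`L` and no `CN`. Restrict the matcher to the minions that should be allowed to request from each CA, for instance a per-CA pillar value (a proposed key such as `ca.minions`, not one the pillar currently defines) with `'*'` only as an explicit opt-in. The extensions stamped on the issued leaf certificates are also contradictory: `basicConstraints: "critical CA:false"` next to `keyUsage: "critical cRLSign, keyCertSign"` gives an end-entity certificate CA-only key usages; end-entity policies normally carry `- keyUsage: "critical digitalSignature, keyEncipherment"` and an `extendedKeyUsage` matching the service (`serverAuth`/`clientAuth`). `days_valid` is taken from `ca.days_valid.certificate`, which is the one value here that does distinguish leaf from CA lifetime.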
{%- endif %} | {%- endif %} | ||||
{%- if minion.sentry is defined %} | {%- if minion.sentry is defined %} | ||||
sentry_handler: | sentry_handler: | ||||
{% for server in minion.sentry.servers %} | {% for server in minion.sentry.servers %} |
{%- from "salt/map.jinja" import master with context %} | |||||
{%- if master.enabled %} | |||||
{{ formula_dict }} | |||||
{%- for environment_name, environment in master.get('environment', {}).iteritems() %} | |||||
{%- if master.base_environment == environment_name %} | |||||
{%- set formula_dict = environment.get('formula', {}) %} | |||||
{%- set new_formula_dict = {} %} | |||||
{%- for formula_name, formula in formula_dict.iteritems() %} | |||||
{%- set _tmp = new_formula_dict.update({formula_name: formula.get('orchestrate_order', 100)}) %} | |||||
{%- endfor %} | |||||
{%- set sorted_formula_list = new_formula_dict|dictsort(false, 'value') %} | |||||
{%- for formula in sorted_formula_list %} | |||||
{%- if salt['file.file_exists']('/srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') %} | |||||
{{ salt['cmd.run']('cat /srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') }} | |||||
{%- else %} | |||||
{{ formula.0 }}: | |||||
salt.state: | |||||
- tgt: 'services:{{ formula.0 }}' | |||||
- tgt_type: grain | |||||
- sls: {{ formula.0 }} | |||||
{%- endif %} | |||||
{%- endfor %} | |||||
{%- endif %} | |||||
{%- endfor %} | |||||
{%- endif %} |
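Review bot: The `salt['cmd.run']('cat /srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls')` line runs a shell command assembled by concatenating environment and formula names taken from the master configuration, so any shell metacharacter in those names is executed on the master; a file read does not need a shell at all. Use `{{ salt['file.read']('/srv/salt/env/'+environment_name+'/'+formula.0+'/orchestrate.sls') }}` (or a Jinja `include`) instead, which also removes the dependency on `cat`. The bare `{{ formula_dict }}` near the top is emitted before this template sets any `formula_dict`, so whatever the `defaults` of the managing state pass in is printed as a loose line at the start of the rendered orchestration file; if it is a debug leftover it should go. `iteritems()` is Python 2 only, whereas the signing-policy template in the same change already uses `.items()`.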
{%- from "salt/map.jinja" import master with context %} | |||||
{%- if master.enabled %} | |||||
{%- if pillar.django_pki is defined %} | |||||
{%- if pillar.django_pki.server.enabled %} | |||||
include: | |||||
- salt.master.service | |||||
{# | |||||
{%- for environment_name, environment in master.environment.iteritems() %} | |||||
/srv/salt/env/{{ environment_name }}/pki: | |||||
file.symlink: | |||||
- target: /srv/django_pki/site/pki | |||||
{%- endfor %} | |||||
#} | |||||
{%- endif %} | |||||
{%- endif %} | |||||
{%- endif %} |
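Review bot: The guard `{%- if pillar.django_pki is defined %}` is immediately followed by `pillar.django_pki.server.enabled`, so a pillar that defines `django_pki` without a `server` key makes the state fail to render rather than skip; `{%- if pillar.django_pki.get('server', {}).get('enabled') %}` covers both cases in one test. With the symlink loop commented out, the only effective content of this file is `include: - salt.master.service`, which is worth a one-line comment so readers do not assume the CA wiring is already in place.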
- salt.master.env | - salt.master.env | ||||
- salt.master.pillar | - salt.master.pillar | ||||
- salt.master.minion | - salt.master.minion | ||||
{%- if pillar.salt.master.windows_repo is defined %} | |||||
- salt.master.win_repo | - salt.master.win_repo | ||||
- salt.master.ca | |||||
{%- endif %} | |||||
{# | |||||
- salt.master.orchestrate | |||||
#} |
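Review bot: `- salt.master.ca` is added inside the `{%- if pillar.salt.master.windows_repo is defined %}` block, so the master CA state is only included when a Windows repository is configured, which looks unrelated to CA handling. Move it out of that conditional under a guard matching what the CA state itself keys on; if that state is the `django_pki` one in this change, `{%- if pillar.django_pki is defined %}` / `- salt.master.ca` / `{%- endif %}`. The include list starts before this hunk.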
{%- from "salt/map.jinja" import master with context %} | |||||
{%- if master.enabled %} | |||||
{%- for environment_name, environment in master.get('environment', {}).iteritems() %} | |||||
{%- if master.base_environment == environment_name %} | |||||
{%- set formula_dict = {} %} | |||||
{%- for formula_name, formula in formula_dict.iteritems() %} | |||||
{%- if salt['file.file_exists']('salt://'+formula_name+'/meta/salt.yml') %} | |||||
{%- set grains_fragment_file = formula_name+'/meta/salt.yml' %} | |||||
{%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %} | |||||
{%- set grains_yaml = load_grains_file()|load_yaml %} | |||||
{% _dummy = formula_dict.update{formula_name: grains_yaml.orchestrate }} | |||||
{%- else %} | |||||
{%- endif %} | |||||
{%- endfor %} | |||||
/srv/salt/env/{{ environment_name}}/orchestrate.sls: | |||||
file.managed: | |||||
- source: salt://salt/files/orchestrate.sls | |||||
- user: root | |||||
- template: jinja | |||||
- defaults: | |||||
formula_dict: {{ formula_dict|yaml }} | |||||
{%- endif %} | |||||
{%- endfor %} | |||||
{%- endif %} |
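Review bot: `{% _dummy = formula_dict.update{formula_name: grains_yaml.orchestrate }}` is not valid Jinja (no `set`, and braces where a call is needed), and Jinja parses the whole template before rendering, so this state fails to render even though the loop it sits in never executes — the loop iterates over the `formula_dict` that was set to `{}` two lines earlier, so nothing is ever collected and the managed `orchestrate.sls` always receives an empty `formula_dict`. Presumably the intent is to walk the environment's formulas (the orchestrate template in this change reads them from `environment.get('formula', {})`) and collect each one's `orchestrate` metadata; the empty `{%- else %}` branch can go. `salt['file.file_exists']('salt://'+…)` tests a literal `salt://` path on the local filesystem, so it is likely always false; confirm whether a filesystem path under `/srv/salt/env/<env>/` or a `cp`-based lookup was meant.
```yaml
    {%- set formula_dict = {} %}
    {%- for formula_name, formula in environment.get('formula', {}).items() %}
    {%- if salt['file.file_exists']('salt://'+formula_name+'/meta/salt.yml') %}
    {%- set grains_fragment_file = formula_name+'/meta/salt.yml' %}
    {%- macro load_grains_file() %}{% include grains_fragment_file %}{% endmacro %}
    {%- set grains_yaml = load_grains_file()|load_yaml %}
    {%- set _dummy = formula_dict.update({formula_name: grains_yaml.orchestrate}) %}
    {%- endif %}
    {%- endfor %}
    # … unchanged: /srv/salt/env/{{ environment_name }}/orchestrate.sls file.managed …
```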
orchestrate: | |||||
master: | |||||
priority: 10 | |||||
minion: | |||||
priority: 20 | |||||
syndic: | |||||
priority: 200 | |||||
control: | |||||
priority: 400 |
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
salt_minion_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.pkgs }} | |||||
salt_minion_grains_dir: | |||||
file.directory: | |||||
- name: /etc/salt/grains.d | |||||
- mode: 700 | |||||
- makedirs: true | |||||
- user: root | |||||
salt_minion_grains_placeholder: | |||||
file.touch: | |||||
- name: /etc/salt/grains.d/placeholder | |||||
- require: | |||||
- file: salt_minion_grains_dir | |||||
salt_minion_grains_file: | |||||
cmd.run: | |||||
- name: cat /etc/salt/grains.d/* > /etc/salt/grains | |||||
- require: | |||||
- file: salt_minion_grains_placeholder | |||||
/etc/salt/minion.d/minion.conf: | |||||
file.managed: | |||||
- source: salt://salt/files/minion.conf | |||||
- user: root | |||||
- group: root | |||||
- template: jinja | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
- file: salt_minion_grains_dir | |||||
- watch_in: | |||||
- service: salt_minion_service | |||||
salt_minion_service: | |||||
service.running: | |||||
- name: {{ minion.service }} | |||||
- enable: true | |||||
{%- if minion.graph_states %} | |||||
salt_graph_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.graph_pkgs }} | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
salt_graph_states_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.graph_states_pkgs }} | |||||
/root/salt-state-graph.py: | |||||
file.managed: | |||||
- source: salt://salt/files/salt-state-graph.py | |||||
- require: | |||||
- pkg: salt_graph_packages | |||||
/root/salt-state-graph.sh: | |||||
file.managed: | |||||
- source: salt://salt/files/salt-state-graph.sh | |||||
- require: | |||||
- pkg: salt_graph_packages | |||||
{%- endif %} | |||||
{%- endif %} |
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
include: | |||||
- salt.minion.service | |||||
/etc/salt/minion.d/_signing_policies.conf: | |||||
file.managed: | |||||
- source: salt://salt/files/_signing_policies.conf | |||||
- template: jinja | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
- watch_in: | |||||
- service: salt_minion_service | |||||
{%- for ca_name,ca in minion.ca.iteritems() %} | |||||
/etc/pki/ca/{{ ca_name }}/certs: | |||||
file.directory: | |||||
- makedirs: true | |||||
/etc/pki/ca/{{ ca_name }}/ca.key: | |||||
x509.private_key_managed: | |||||
- bits: 4096 | |||||
- backup: True | |||||
- require: | |||||
- file: /etc/pki/ca/{{ ca_name }}/certs | |||||
/etc/pki/ca/{{ ca_name }}/ca.crt: | |||||
x509.certificate_managed: | |||||
- signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key | |||||
- CN: {{ ca.common_name }} | |||||
- C: {{ ca.country }} | |||||
- ST: {{ ca.state }} | |||||
- L: {{ ca.locality }} | |||||
- basicConstraints: "critical CA:true" | |||||
- keyUsage: "critical cRLSign, keyCertSign" | |||||
- subjectKeyIdentifier: hash | |||||
- authorityKeyIdentifier: keyid,issuer:always | |||||
- days_valid: {{ ca.days_valid.authority }} | |||||
- days_remaining: 0 | |||||
- backup: True | |||||
- require: | |||||
- x509: /etc/pki/ca/{{ ca_name }}/ca.key | |||||
mine.send: | |||||
module.run: | |||||
- func: x509.get_pem_entries | |||||
- kwargs: | |||||
glob_path: /etc/pki/ca/{{ ca_name }}/ca.crt | |||||
- onchanges: | |||||
- x509: /etc/pki/ca/{{ ca_name }}/ca.crt | |||||
{%- endfor %} | |||||
{%- endif %} |
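Review bot: The state ID `mine.send:` is emitted once per iteration of the `minion.ca` loop, so with more than one CA the rendered file contains duplicate IDs and the whole state file is rejected; give it a per-CA name such as `salt_minion_ca_{{ ca_name }}_mine_send:`. The CA signing key managed by `x509.private_key_managed` sets neither `mode` nor `user`/`group`; unless the module's default is already restrictive for the Salt version in use (confirm), add `- mode: 600` next to `- user: root` so the key is not readable by other local accounts, and the same applies to the `certs` directory that receives `copypath` output. `days_remaining: 0` on the CA certificate means it is never renewed ahead of expiry, which may be intended for a root but deserves a comment. `iteritems()` is Python 2 only while the signing-policy template uses `.items()`.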
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
include: | |||||
- salt.minion.service | |||||
{%- for cert_name,cert in minion.cert.iteritems() %} | |||||
/etc/pki/cert/{{ cert.authority }}: | |||||
file.directory: | |||||
- makedirs: true | |||||
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key: | |||||
x509.private_key_managed: | |||||
- bits: 4096 | |||||
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt: | |||||
x509.certificate_managed: | |||||
- ca_server: wst01.newt.cz | |||||
- signing_policy: {{ cert.authority }} | |||||
- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key | |||||
- CN: {{ cert.common_name }} | |||||
- days_remaining: 30 | |||||
- backup: True | |||||
{%- endfor %} | |||||
{# | |||||
/usr/local/share/ca-certificates: | |||||
file.directory: [] | |||||
{%- for ca_path,ca in salt['mine.get']('ca', 'x509.get_pem_entries')['ca'].iteritems() %} | |||||
/usr/local/share/ca-certificates/{{ ca }}.crt: | |||||
x509.pem_managed: | |||||
- text: {{ salt['mine.get']('ca', 'x509.get_pem_entries')['ca']['/etc/pki/ca.crt']|replace('\n', '') }} | |||||
{%- endfor %} | |||||
#} | |||||
{%- endif %} |
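Review bot: `- ca_server: wst01.newt.cz` hard-codes the CA minion's ID into the formula, so every deployment signs against that one host and the target cannot be chosen per certificate or per environment; take it from pillar (for example a per-cert value read as `{{ cert.ca_server }}`, a proposed key the pillar does not yet define). The generated private key has no `mode`/`user`, and the `.crt` state carries no `require` on the `.key` state, so the ordering relies on file order in the rendered YAML rather than an explicit requisite; `- require:` / `- x509: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key` makes it explicit. The commented-out block at the end still reads `/etc/pki/ca.crt` from the mine, which no longer matches the per-CA layout `/etc/pki/ca/<name>/ca.crt` used by the CA state, so update or drop it before it is revived.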
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
include: | |||||
- salt.minion.service | |||||
salt_minion_grains_dir: | |||||
file.directory: | |||||
- name: /etc/salt/grains.d | |||||
- mode: 700 | |||||
- makedirs: true | |||||
- user: root | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
salt_minion_grains_placeholder: | |||||
file.touch: | |||||
- name: /etc/salt/grains.d/placeholder | |||||
- require: | |||||
- file: salt_minion_grains_dir | |||||
salt_minion_grains_file: | |||||
cmd.run: | |||||
- name: cat /etc/salt/grains.d/* > /etc/salt/grains | |||||
- require: | |||||
- file: salt_minion_grains_dir | |||||
- watch_in: | |||||
- service: salt_minion_service | |||||
{%- endif %} |
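Review bot: The `cmd.run` with `cat /etc/salt/grains.d/* > /etc/salt/grains` has no `unless`/`onchanges`, so it reports a change on every run and, through `watch_in: service: salt_minion_service`, restarts the minion on every highstate. Guard it so it only fires when a fragment actually changed — either an `unless` that compares the concatenated fragments with the current `/etc/salt/grains`, or `onchanges` requisites from the states that write the fragment files. `/etc/salt/grains.d` is `mode: 700` but the aggregate `/etc/salt/grains` is written with the shell's umask, so it may end up more permissive than the fragments it is built from; confirm what the minion expects there.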
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
salt_graph_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.graph_pkgs }} | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
salt_graph_states_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.graph_states_pkgs }} | |||||
/root/salt-state-graph.py: | |||||
file.managed: | |||||
- source: salt://salt/files/salt-state-graph.py | |||||
- require: | |||||
- pkg: salt_graph_packages | |||||
/root/salt-state-graph.sh: | |||||
file.managed: | |||||
- source: salt://salt/files/salt-state-graph.sh | |||||
- require: | |||||
- pkg: salt_graph_packages | |||||
{%- endif %} |
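Review bot: `salt_graph_packages` requires `pkg: salt_minion_packages`, which is defined in `salt.minion.service`, but unlike the `ca`, `cert` and `grains` states this file has no `include:` / `- salt.minion.service`, so `salt.minion.graph` applied on its own fails with an unresolved requisite and only works via `salt.minion.init`, which happens to include the service state first. Add the same include header as the sibling files. The two scripts dropped into `/root` are written without `mode`/`user`; `- user: root` plus an explicit `mode` (executable for the `.sh`) makes their permissions independent of the master-side file mode.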
include: | |||||
- salt.minion.service | |||||
- salt.minion.grains | |||||
{%- if pillar.salt.minion.graph_states %} | |||||
- salt.minion.graph | |||||
{%- endif %} | |||||
{%- if pillar.salt.minion.ca is defined %} | |||||
- salt.minion.ca | |||||
{%- endif %} | |||||
{%- if pillar.salt.minion.cert is defined %} | |||||
- salt.minion.cert | |||||
{%- endif %} |
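Review bot: This file reads `pillar.salt.minion.*` directly while every sibling state imports `minion` from `salt/map.jinja`, so any default the map applies (for example for `graph_states`) is bypassed here, and a pillar without a `salt:minion` key fails on `pillar.salt.minion.graph_states` instead of falling through. Import the map the same way — `{%- from "salt/map.jinja" import minion with context %}` — and test `minion.graph_states`, `minion.ca is defined` and `minion.cert is defined`, which is what the included states themselves consult.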
{%- from "salt/map.jinja" import minion with context %} | |||||
{%- if minion.enabled %} | |||||
salt_minion_packages: | |||||
pkg.latest: | |||||
- names: {{ minion.pkgs }} | |||||
/etc/salt/minion.d/minion.conf: | |||||
file.managed: | |||||
- source: salt://salt/files/minion.conf | |||||
- user: root | |||||
- group: root | |||||
- template: jinja | |||||
- require: | |||||
- pkg: salt_minion_packages | |||||
- watch_in: | |||||
- service: salt_minion_service | |||||
salt_minion_service: | |||||
service.running: | |||||
- name: {{ minion.service }} | |||||
- enable: true | |||||
{%- endif %} |
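Review bot: `pkg.latest` for `salt_minion_packages` means every highstate may upgrade the agent in place, and the `watch_in` then restarts a freshly upgraded minion in the middle of the run; if unattended agent upgrades are not the intent, `pkg.installed` keeps the version that is there and leaves upgrades to a deliberate step. `/etc/salt/minion.d/minion.conf` sets `user`/`group` but no `mode`; since the template this change adds renders a sentry handler section into it, the file can carry endpoint details, so `- mode: 640` is a reasonable floor.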
salt: | salt: | ||||
minion: | minion: | ||||
enabled: true | enabled: true | ||||
master: | |||||
host: config01.dc01.domain.com | |||||
control: | control: | ||||
enabled: true | enabled: true | ||||
virt_enabled: true | virt_enabled: true | ||||
small: | small: | ||||
cpu: 1 | cpu: 1 | ||||
ram: 1 | ram: 1 | ||||
hdd: 10 | |||||
medium: | medium: | ||||
cpu: 2 | cpu: 2 | ||||
ram: 4 | ram: 4 | ||||
hdd: 20 | |||||
large: | large: | ||||
cpu: 4 | cpu: 4 | ||||
ram: 8 | ram: 8 | ||||
hdd: 70 | |||||
cluster: | cluster: | ||||
vpc20_infra: | vpc20_infra: | ||||
domain: neco.virt.domain.com | domain: neco.virt.domain.com | ||||
node: | node: | ||||
ubuntu1: | ubuntu1: | ||||
provider: node01.domain.com | provider: node01.domain.com | ||||
image: "salt://ubuntu.qcow" | |||||
image: ubuntu.qcow | |||||
size: medium | size: medium | ||||
ubuntu2: | ubuntu2: | ||||
provider: node02.domain.com | provider: node02.domain.com | ||||
image: "http://ubuntu.com" | |||||
size: small | |||||
image: bubuntu.qcomw | |||||
size: small |
salt: | |||||
minion: | |||||
enabled: true | |||||
ca: | |||||
vagrant: | |||||
common_name: Test CA | |||||
country: Czech | |||||
state: Prague | |||||
locality: Zizkov | |||||
days_valid: | |||||
authority: 3650 | |||||
certificate: 90 |
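Review bot: `country: Czech` is rendered into the `C:` field of the CA certificate, and X.509 `countryName` is constrained to a two-letter ISO 3166 code, so certificate creation with this pillar is likely to be rejected by the underlying library; use `country: CZ`. `state`/`locality` are free-form and fine. The CA is keyed `vagrant` here while the certificate test pillar in this change names its `authority` `Company CA`; the two fixtures are independent, but a reader will expect the names to line up, so a comment saying they are not meant to be used together would help.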
salt: | |||||
minion: | |||||
enabled: true | |||||
cert: | |||||
test_service: | |||||
authority: Company CA | |||||
common_name: test.service.domain.tld |