Browse Source

Merge pull request #39 from salt-formulas/pr/fix_salt_ca_trust

fix, ca crt rollout for trusted_ca_minions
pr/fix/tests_minion_pki_cert
Filip Pytloun 7 years ago
parent
commit
5eb6f12d45
2 changed files with 16 additions and 6 deletions
  1. +14
    -6
      salt/minion/cert.sls
  2. +2
    -0
      tests/pillar/minion_pki_cert.sls

+ 14
- 6
salt/minion/cert.sls View File

@@ -1,6 +1,13 @@
{%- from "salt/map.jinja" import minion with context %}

{%- if minion.enabled %}

{%- if grains.os_family == 'RedHat' %}
{%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
{%- else %}
{%- set cacerts_dir='/usr/local/share/ca-certificates' %}
{%- endif %}

{%- if minion.cert is defined %}

{%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
@@ -12,11 +19,6 @@
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
{%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
{%- if grains.os_family == 'RedHat' %}
{%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
{%- else %}
{%- set cacerts_dir='/usr/local/share/ca-certificates' %}
{%- endif %}

{# Only ensure directories exists, don't touch permissions, etc. #}
salt_minion_cert_{{ cert_name }}_dirs:
@@ -177,8 +179,13 @@ salt_update_certificates:
- pkg: salt_ca_certificates_packages

{%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}
{%- for ca_host, certs in salt['mine.get']('*/ca*', 'x510.get_pem_entries').iteritems() %}

{%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
{%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}

{%- for ca_path, ca_cert in certs.iteritems() %}
{%- if not 'ca.crt' in ca_path %}{% continue %}{% endif %}

{%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}

salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
@@ -192,6 +199,7 @@ salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
- watch_in:
- cmd: salt_update_certificates

{%- endfor %}
{%- endfor %}
{%- endfor %}
{%- endif %}

+ 2
- 0
tests/pillar/minion_pki_cert.sls View File

@@ -9,6 +9,8 @@ salt:
minion:
enabled: true
cert:
trusted_ca_minions:
- cfg01
ceph_cert:
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:ceph.ci.local,DNS:radosgw.ci.local,DNS:swift.ci.local

Loading…
Cancel
Save