
Merge pull request #29 from salt-formulas/collect-salt-ca

collect salt-ca and set trust [WIP]
Filip Pytloun 7 years ago
8a3fbe9cb5
6 changed files with 201 additions and 23 deletions
  1. +5
    -0
      .kitchen.yml
  2. +69
    -19
      salt/minion/cert.sls
  3. +0
    -2
      salt/minion/init.sls
  4. +23
    -2
      tests/pillar/minion_pki_ca.sls
  5. +59
    -0
      tests/pillar/minion_pki_cert.sls
  6. +45
    -0
      tests/pillar/minion_pki_cert_extended.sls

+ 5
- 0
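--- a/.kitchen.yml
+++ b/.kitchen.yml
 salt_install: bootstrap
 salt_bootstrap_url: https://bootstrap.saltstack.com
 salt_version: latest
+salt_minion_id: salt.ci.local
 require_chef: false
 log_level: error
 formula: salt
 base:
 "*":
 - common
+- minion_pki
 - master_api
 - master_acl
 - master_ssh_key
 - master_ssh_password
 - master_ssh_root
 - master_handler
+- minion_pki_cert
 pillars-from-files:
+minion_pki.sls: tests/pillar/minion_pki_ca.sls
+minion_pki_cert.sls: tests/pillar/minion_pki_cert.sls
 master_api.sls: tests/pillar/master_api.sls
 master_acl.sls: tests/pillar/master_acl.sls
 master_ssh_key.sls: tests/pillar/master_ssh_minion_key.sls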

+ 69
- 19
salt/minion/cert.sls View File

{%- from "salt/map.jinja" import minion with context %} {%- from "salt/map.jinja" import minion with context %}

{%- if minion.enabled %} {%- if minion.enabled %}
{%- if minion.cert is defined %}


{%- for cert_name,cert in minion.get('cert', {}).iteritems() %} {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
{%- set rowloop = loop %} {%- set rowloop = loop %}
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %} {%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %} {%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
{%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %} {%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
{%- if grains.os_family == 'RedHat' %}
{%- set cacerts_dir='/etc/pki/ca-trust/source/anchors' %}
{%- else %}
{%- set cacerts_dir='/usr/local/share/ca-certificates' %}
{%- endif %}


{# Only ensure directories exists, don't touch permissions, etc. #} {# Only ensure directories exists, don't touch permissions, etc. #}
salt_minion_cert_{{ cert_name }}_dirs: salt_minion_cert_{{ cert_name }}_dirs:


{{ cert_file }}: {{ cert_file }}:
x509.certificate_managed: x509.certificate_managed:
- ca_server: {{ cert.host }}
{% if cert.host is defined %}- ca_server: {{ cert.host }}{%- endif %}
{% if cert.authority is defined and cert.signing_policy is defined %}
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }} - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
{%- endif %}
- public_key: {{ key_file }} - public_key: {{ key_file }}
- CN: "{{ cert.common_name }}" - CN: "{{ cert.common_name }}"
{%- if cert.alternative_names is defined %}
{% if cert.state is defined %}- ST: {{ cert.state }}{%- endif %}
{% if cert.country is defined %}- C: {{ cert.country }}{%- endif %}
{% if cert.locality is defined %}- L: {{ cert.locality }}{%- endif %}
{% if cert.organization is defined %}- O: {{ cert.organization }}{%- endif %}
{% if cert.signing_private_key is defined and cert.signing_cert is defined %}
- signing_private_key: "{{ cert.signing_private_key }}"
- signing_cert: "{{ cert.signing_cert }}"
{%- endif %}
{% if cert.alternative_names is defined %}
- subjectAltName: "{{ cert.alternative_names }}" - subjectAltName: "{{ cert.alternative_names }}"
{%- endif %} {%- endif %}
{%- if cert.extended_key_usage is defined %} {%- if cert.extended_key_usage is defined %}
- watch: - watch:
- x509: {{ cert_file }} - x509: {{ cert_file }}


{%- if cert.host is defined %}
{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %} {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}


{%- if '/etc/pki/ca/'+cert.authority in ca_path %} {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
- watch: - watch:
- x509: {{ ca_file }} - x509: {{ ca_file }}


{%- if grains.os_family == 'Debian' %}

salt_ca_certificates_packages_{{ rowloop.index }}:
pkg.installed:
- name: ca-certificates

{{ ca_file }}_{{ rowloop.index }}_debian_symlink:
{{ ca_file }}_{{ rowloop.index }}_local_trusted_symlink:
file.symlink: file.symlink:
- name: "/usr/local/share/ca-certificates/ca-{{ cert.authority }}.crt"
- name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"
- target: {{ ca_file }} - target: {{ ca_file }}
- watch_in: - watch_in:
- cmd: salt_update_certificates_{{ rowloop.index }}
- require:
- pkg: salt_ca_certificates_packages_{{ rowloop.index }}

salt_update_certificates_{{ rowloop.index }}:
cmd.wait:
- name: update-ca-certificates

{%- endif %}
- cmd: salt_update_certificates


{%- endif %} {%- endif %}


{%- endfor %} {%- endfor %}
{%- endif %}


{%- if cert.all_file is defined %} {%- if cert.all_file is defined %}
salt_minion_cert_{{ cert_name }}_all: salt_minion_cert_{{ cert_name }}_all:
{%- endfor %} {%- endfor %}


{%- endif %} {%- endif %}

salt_ca_certificates_packages:
pkg.installed:
{%- if grains.os_family == 'Debian' %}
- name: ca-certificates
{%- elif grains.os_family == 'RedHat' %}
- name: ca-certificates
{%- else %}
- name: []
{%- endif %}

salt_update_certificates:
cmd.wait:
{%- if grains.os_family == 'Debian' %}
- name: "update-ca-certificates{% if minion.get('ca_certificates_cleanup') %} --fresh {% endif %}"
{%- elif grains.os_family == 'RedHat' %}
- name: "update-ca-trust extract"
{%- else %}
- name: true
{%- endif %}
- require:
- pkg: salt_ca_certificates_packages

{%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}
{%- for ca_host, certs in salt['mine.get']('*/ca*', 'x510.get_pem_entries').iteritems() %}
{%- for ca_path, ca_cert in certs.iteritems() %}
{%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}

salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
file.managed:
- name: {{ cacerts_dir }}/{{ cacert_file }}
- contents: |
{{ ca_cert | indent(8) }}
- makedirs: True
- show_changes: True
- follow_symlinks: True
- watch_in:
- cmd: salt_update_certificates

{%- endfor %}
{%- endfor %}
{%- endif %}

{%- endif %}
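Review bot: The CA-trust loop calls `salt['mine.get']('*/ca*', 'x510.get_pem_entries')`, but the mine function used earlier in this same file is `x509.get_pem_entries`, so this lookup returns nothing and no salt CA is ever placed in the trust store; the function name should be corrected. Once it does return data, every PEM entry the matching minions publish in the mine is written into `{{ cacerts_dir }}` as a trusted anchor with no check on `ca_path`, whereas the per-cert loop above restricts itself to `'/etc/pki/ca/'+cert.authority in ca_path`; a guard such as `{%- if ca_path.startswith('/etc/pki/ca/') and ca_path.endswith('/ca.crt') %}` is warranted here, since mine data is minion-supplied and `ca_path.split("/")[4]` also raises on shorter paths. `trust_salt_ca` is read from the same `minion.cert` mapping that the `for cert_name,cert in minion.get('cert', {}).iteritems()` loop iterates, so a pillar setting of `trust_salt_ca: false` would be treated as a certificate entry and fail at `cert.host`; moving the flag to `minion.trust_salt_ca`, or skipping non-mapping entries in that loop, avoids this. The fallback `cmd.wait` uses `- name: true`, which YAML parses as a boolean rather than a command string; write `- name: "true"`.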


+ 0
- 2
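--- a/salt/minion/init.sls
+++ b/salt/minion/init.sls
 {%- if pillar.salt.minion.ca is defined %}
 - salt.minion.ca
 {%- endif %}
-{%- if pillar.salt.minion.cert is defined %}
 - salt.minion.cert
-{%- endif %}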

+ 23
- 2
tests/pillar/minion_pki_ca.sls View File

minion: minion:
enabled: true enabled: true
ca: ca:
vagrant:
common_name: Test CA
salt-ca-default:
common_name: Test CA Default
country: Czech country: Czech
state: Prague state: Prague
locality: Zizkov locality: Zizkov
ca_intermediate: ca_intermediate:
type: v3_intermediate_ca type: v3_intermediate_ca
minions: '*' minions: '*'
salt-ca-test:
common_name: Test CA Testing
country: Czech
state: Prague
locality: Karlin
days_valid:
authority: 3650
certificate: 90
signing_policy:
cert_server:
type: v3_edge_cert_server
minions: '*'
cert_client:
type: v3_edge_cert_client
minions: '*'
ca_edge:
type: v3_edge_ca
minions: '*'
ca_intermediate:
type: v3_intermediate_ca
minions: '*'

+ 59
- 0
tests/pillar/minion_pki_cert.sls View File

salt:
#master:
# enabled: true
# accept_policy:
# open_mode
# peer:
# '.*':
# - x509.sign_remote_certificate
minion:
enabled: true
cert:
ceph_cert:
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:ceph.ci.local,DNS:radosgw.ci.local,DNS:swift.ci.local
cert_file:
/srv/salt/pki/ci/ceph.ci.local.crt
common_name:
ceph_mon.ci.local
key_file:
/srv/salt/pki/ci/ceph.ci.local.key
country: CZ
state: Prague
locality: Karlin
signing_cert:
/etc/pki/ca/salt-ca-test/ca.crt
signing_private_key:
/etc/pki/ca/salt-ca-test/ca.key
# Kitchen-Salt CI trigger `salt-call --local`, below attributes
# can't be used as there is no required SaltMaster connectivity
authority:
salt-ca-test
#host:
# salt.ci.local
#signing_policy:
# cert_server
proxy_cert:
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:proxy.ci.local
cert_file:
/srv/salt/pki/ci/prx.ci.local.crt
common_name:
prx.ci.local
key_file:
/srv/salt/pki/ci/prx.ci.local.key
country: CZ
state: Prague
locality: Zizkov
signing_cert:
/etc/pki/ca/salt-ca-default/ca.crt
signing_private_key:
/etc/pki/ca/salt-ca-default/ca.key
# Kitchen-Salt CI trigger `salt-call --local`, below attributes
# can't be used as there is no required SaltMaster connectivity
authority:
salt-ca-default
#host:
# salt.ci.local
#signing_policy:
# cert_server

+ 45
- 0
tests/pillar/minion_pki_cert_extended.sls View File

salt:
#master:
# enabled: true
# accept_policy:
# open_mode
# peer:
# .*:
# - x509.sign_remote_certificate
minion:
enabled: true
cert:
ceph_cert:
all_file:
/srv/salt/pki/ci/ceph-with-key.ci.local.pem
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:ceph.ci.local,DNS:radosgw.ci.local,DNS:swift.ci.local
cert_file:
/srv/salt/pki/ci/ceph.ci.local.crt
common_name:
ceph_mon.ci.local
key_file:
/srv/salt/pki/ci/ceph.ci.local.key
authority:
salt-ca-test
host:
salt.ci.local
signing_policy:
cert_server
proxy_cert:
all_file:
/srv/salt/pki/ci/prx-with-key.ci.local.pem
alternative_names:
IP:127.0.0.1,DNS:salt.ci.local,DNS:proxy.ci.local
cert_file:
/srv/salt/pki/ci/prx.ci.local.crt
common_name:
prx.ci.local
key_file:
/srv/salt/pki/ci/prx.ci.local.key
authority:
salt-ca-default
host:
salt.ci.local
signing_policy:
cert_server
