|
|
|
|
|
|
|
|
{%- for cert_name,cert in minion.get('cert', {}).iteritems() %} |
|
|
{%- for cert_name,cert in minion.get('cert', {}).iteritems() %} |
|
|
{%- set rowloop = loop %} |
|
|
{%- set rowloop = loop %} |
|
|
|
|
|
|
|
|
/etc/ssl/private/{{ cert.common_name }}.key: |
|
|
|
|
|
|
|
|
{%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %} |
|
|
|
|
|
{%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %} |
|
|
|
|
|
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %} |
|
|
|
|
|
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %} |
|
|
|
|
|
|
|
|
|
|
|
{# Only ensure directories exists, don't touch permissions, etc. #} |
|
|
|
|
|
salt_minion_cert_{{ cert_name }}_dirs: |
|
|
|
|
|
file.directory: |
|
|
|
|
|
- names: |
|
|
|
|
|
- {{ key_dir }} |
|
|
|
|
|
- {{ cert_dir }} |
|
|
|
|
|
- makedirs: true |
|
|
|
|
|
- replace: false |
|
|
|
|
|
|
|
|
|
|
|
{{ key_file }}: |
|
|
x509.private_key_managed: |
|
|
x509.private_key_managed: |
|
|
- bits: 4096 |
|
|
|
|
|
|
|
|
- bits: {{ cert.get('bits', 4096) }} |
|
|
|
|
|
require: |
|
|
|
|
|
- file: salt_minion_cert_{{ cert_name }}_dirs |
|
|
|
|
|
|
|
|
{{ cert.common_name }}_rights: |
|
|
|
|
|
|
|
|
{{ key_file }}_key_permissions: |
|
|
file.managed: |
|
|
file.managed: |
|
|
- name: /etc/ssl/private/{{ cert.common_name }}.key |
|
|
|
|
|
- mode: 600 |
|
|
|
|
|
- replace: False |
|
|
|
|
|
- require: |
|
|
|
|
|
- x509: /etc/ssl/private/{{ cert.common_name }}.key |
|
|
|
|
|
|
|
|
- name: {{ key_file }} |
|
|
|
|
|
- mode: {{ cert.get("mode", 0600) }} |
|
|
|
|
|
{%- if salt['user.info'](cert.get("user", "root")) %} |
|
|
|
|
|
- user: {{ cert.get("user", "root") }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
{%- if salt['group.info'](cert.get("group", "root")) %} |
|
|
|
|
|
- group: {{ cert.get("group", "root") }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
- replace: false |
|
|
|
|
|
- watch: |
|
|
|
|
|
- x509: {{ key_file }} |
|
|
|
|
|
|
|
|
/etc/ssl/certs/{{ cert.common_name }}.crt: |
|
|
|
|
|
|
|
|
{{ cert_file }}: |
|
|
x509.certificate_managed: |
|
|
x509.certificate_managed: |
|
|
- ca_server: {{ cert.host }} |
|
|
|
|
|
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }} |
|
|
|
|
|
- public_key: /etc/ssl/private/{{ cert.common_name }}.key |
|
|
|
|
|
- CN: {{ cert.common_name }} |
|
|
|
|
|
{%- if cert.alternative_names is defined %} |
|
|
|
|
|
- subjectAltName: {{ cert.alternative_names }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
- days_remaining: 30 |
|
|
|
|
|
- backup: True |
|
|
|
|
|
|
|
|
- ca_server: {{ cert.host }} |
|
|
|
|
|
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }} |
|
|
|
|
|
- public_key: {{ key_file }} |
|
|
|
|
|
- CN: {{ cert.common_name }} |
|
|
|
|
|
{%- if cert.alternative_names is defined %} |
|
|
|
|
|
- subjectAltName: {{ cert.alternative_names }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
- days_remaining: 30 |
|
|
|
|
|
- backup: True |
|
|
|
|
|
- watch: |
|
|
|
|
|
- x509: {{ key_file }} |
|
|
|
|
|
|
|
|
|
|
|
{{ cert_file }}_cert_permissions: |
|
|
|
|
|
file.managed: |
|
|
|
|
|
- name: {{ cert_file }} |
|
|
|
|
|
- mode: {{ cert.get("mode", 0600) }} |
|
|
|
|
|
{%- if salt['user.info'](cert.get("user", "root")) %} |
|
|
|
|
|
- user: {{ cert.get("user", "root") }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
{%- if salt['group.info'](cert.get("group", "root")) %} |
|
|
|
|
|
- group: {{ cert.get("group", "root") }} |
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
- replace: false |
|
|
|
|
|
- watch: |
|
|
|
|
|
- x509: {{ cert_file }} |
|
|
|
|
|
|
|
|
{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %} |
|
|
{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %} |
|
|
|
|
|
|
|
|
{%- if '/etc/pki/ca/'+cert.authority in ca_path %} |
|
|
{%- if '/etc/pki/ca/'+cert.authority in ca_path %} |
|
|
|
|
|
{%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %} |
|
|
|
|
|
|
|
|
ca_cert_{{ cert.authority }}_{{ rowloop.index }}: |
|
|
|
|
|
|
|
|
{{ ca_file }}_{{ rowloop.index }}: |
|
|
x509.pem_managed: |
|
|
x509.pem_managed: |
|
|
- name: /etc/ssl/certs/ca-{{ cert.authority }}.crt |
|
|
|
|
|
- text: {{ ca_cert|replace('\n', '') }} |
|
|
|
|
|
|
|
|
- name: {{ ca_file }} |
|
|
|
|
|
- text: {{ ca_cert|replace('\n', '') }} |
|
|
|
|
|
- watch: |
|
|
|
|
|
- x509: {{ cert_file }} |
|
|
|
|
|
|
|
|
|
|
|
{{ ca_file }}_cert_permissions: |
|
|
|
|
|
file.managed: |
|
|
|
|
|
- name: {{ ca_file }} |
|
|
|
|
|
- mode: 0644 |
|
|
|
|
|
- watch: |
|
|
|
|
|
- x509: {{ ca_file }} |
|
|
|
|
|
|
|
|
{%- endif %} |
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
{%- endfor %} |
|
|
{%- endfor %} |
|
|
|
|
|
|
|
|
{%- endif %} |
|
|
|
|
|
|
|
|
{%- endif %} |