瀏覽代碼

Merge pull request #1 from tcpcloud/cert

Enhance minion.cert
tags/0.4
mceloud 8 年之前
父節點
當前提交
9faaed29fd
共有 1 個檔案被更改,包括 70 行新增22 行删除
  1. +70
    -22
      salt/minion/cert.sls

+ 70
- 22
salt/minion/cert.sls 查看文件

{%- for cert_name,cert in minion.get('cert', {}).iteritems() %} {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
{%- set rowloop = loop %} {%- set rowloop = loop %}


/etc/ssl/private/{{ cert.common_name }}.key:
{%- set key_file = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
{%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}

{# Only ensure directories exists, don't touch permissions, etc. #}
salt_minion_cert_{{ cert_name }}_dirs:
file.directory:
- names:
- {{ key_dir }}
- {{ cert_dir }}
- makedirs: true
- replace: false

{{ key_file }}:
x509.private_key_managed: x509.private_key_managed:
- bits: 4096
- bits: {{ cert.get('bits', 4096) }}
require:
- file: salt_minion_cert_{{ cert_name }}_dirs


{{ cert.common_name }}_rights:
{{ key_file }}_key_permissions:
file.managed: file.managed:
- name: /etc/ssl/private/{{ cert.common_name }}.key
- mode: 600
- replace: False
- require:
- x509: /etc/ssl/private/{{ cert.common_name }}.key
- name: {{ key_file }}
- mode: {{ cert.get("mode", 0600) }}
{%- if salt['user.info'](cert.get("user", "root")) %}
- user: {{ cert.get("user", "root") }}
{%- endif %}
{%- if salt['group.info'](cert.get("group", "root")) %}
- group: {{ cert.get("group", "root") }}
{%- endif %}
- replace: false
- watch:
- x509: {{ key_file }}


/etc/ssl/certs/{{ cert.common_name }}.crt:
{{ cert_file }}:
x509.certificate_managed: x509.certificate_managed:
- ca_server: {{ cert.host }}
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
- public_key: /etc/ssl/private/{{ cert.common_name }}.key
- CN: {{ cert.common_name }}
{%- if cert.alternative_names is defined %}
- subjectAltName: {{ cert.alternative_names }}
{%- endif %}
- days_remaining: 30
- backup: True
- ca_server: {{ cert.host }}
- signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
- public_key: {{ key_file }}
- CN: {{ cert.common_name }}
{%- if cert.alternative_names is defined %}
- subjectAltName: {{ cert.alternative_names }}
{%- endif %}
- days_remaining: 30
- backup: True
- watch:
- x509: {{ key_file }}

{{ cert_file }}_cert_permissions:
file.managed:
- name: {{ cert_file }}
- mode: {{ cert.get("mode", 0600) }}
{%- if salt['user.info'](cert.get("user", "root")) %}
- user: {{ cert.get("user", "root") }}
{%- endif %}
{%- if salt['group.info'](cert.get("group", "root")) %}
- group: {{ cert.get("group", "root") }}
{%- endif %}
- replace: false
- watch:
- x509: {{ cert_file }}


{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %} {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %}


{%- if '/etc/pki/ca/'+cert.authority in ca_path %} {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
{%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}


ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
{{ ca_file }}_{{ rowloop.index }}:
x509.pem_managed: x509.pem_managed:
- name: /etc/ssl/certs/ca-{{ cert.authority }}.crt
- text: {{ ca_cert|replace('\n', '') }}
- name: {{ ca_file }}
- text: {{ ca_cert|replace('\n', '') }}
- watch:
- x509: {{ cert_file }}

{{ ca_file }}_cert_permissions:
file.managed:
- name: {{ ca_file }}
- mode: 0644
- watch:
- x509: {{ ca_file }}


{%- endif %} {%- endif %}




{%- endfor %} {%- endfor %}


{%- endif %}
{%- endif %}

Loading…
取消
儲存