Browse Source
[salt.minion.cert] Improve certificates management
1. Remove implicit creation of "local_trusted_symlink".
To install a system-wide certificates the linux.system.cert
state or 'trusted_ca_minion' option must be used.
2. A ca-cert file may exist on a file-system and
not be pulled from mine. So, in this case
the following state be incorrect:
- watch:
- x509: ca_file
To support this case, we need to replace `watch` statement
with `watch_in`.
Change-Id: If41d050b56913d72da1ef7981f30780fec5d6d95
pull/54/head
Kirill Bespalov
7 years ago
1 changed files with 16 additions and 14 deletions
+ 16
- 14
salt/minion/cert.sls
View File
| @@ -35,8 +35,12 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| {{ key_file }}: | |||
| x509.private_key_managed: | |||
| - bits: {{ cert.get('bits', 4096) }} | |||
| require: | |||
| - file: salt_minion_cert_{{ cert_name }}_dirs | |||
| - require: | |||
| - file: salt_minion_cert_{{ cert_name }}_dirs | |||
| {%- if cert.all_file is defined %} | |||
| - watch_in: | |||
| - cmd: salt_minion_cert_{{ cert_name }}_all | |||
| {%- endif %} | |||
| {{ key_file }}_key_permissions: | |||
| file.managed: | |||
| @@ -81,6 +85,10 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| - backup: True | |||
| - watch: | |||
| - x509: {{ key_file }} | |||
| {%- if cert.all_file is defined %} | |||
| - watch_in: | |||
| - cmd: salt_minion_cert_{{ cert_name }}_all | |||
| {%- endif %} | |||
| {{ cert_file }}_cert_permissions: | |||
| file.managed: | |||
| @@ -107,6 +115,11 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| - text: {{ ca_cert|replace('\n', '') }} | |||
| - watch: | |||
| - x509: {{ cert_file }} | |||
| {%- if cert.all_file is defined %} | |||
| - watch_in: | |||
| - cmd: salt_minion_cert_{{ cert_name }}_all | |||
| {%- endif %} | |||
| {{ ca_file }}_cert_permissions: | |||
| file.managed: | |||
| @@ -115,13 +128,6 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| - watch: | |||
| - x509: {{ ca_file }} | |||
| {{ ca_file }}_local_trusted_symlink: | |||
| file.symlink: | |||
| - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt" | |||
| - target: {{ ca_file }} | |||
| - watch_in: | |||
| - cmd: salt_update_certificates | |||
| {%- endif %} | |||
| {%- endfor %} | |||
| @@ -129,13 +135,10 @@ salt_minion_cert_{{ cert_name }}_dirs: | |||
| {%- endif %} | |||
| {%- if cert.all_file is defined %} | |||
| salt_minion_cert_{{ cert_name }}_all: | |||
| cmd.wait: | |||
| - name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }} | |||
| - watch: | |||
| - x509: {{ key_file }} | |||
| - x509: {{ cert_file }} | |||
| - x509: {{ ca_file }} | |||
| {{ cert.all_file }}_cert_permissions: | |||
| file.managed: | |||
| @@ -205,4 +208,3 @@ salt_cert_{{ cacerts_dir }}/{{ cacert_file }}: | |||
| {%- endif %} | |||
| {%- endif %} | |||
Loading…