Exposing CA keys in a mine creates a security flaw, thus such
should be avoided.
This change removes code responsible for putting and retrieving
CA key from a mine and changes the ca.sls state to allow configuring
where CA cert and its key would be generated as well as their owners.
Fixes PROD-13439
Change-Id: I6d78b13dcb3754c51606edd7e2d8158e128244a4
Issues:
* cmd.wait doesn't work correctly with bg=True
* cmd.wait will be deprecated in next releases [1]
* watch/watch_in work differently than onchanges/onchanges_in as some
* module override mod_watch()
This patch does:
* Replaces cmd.wait to cmd.run with onchanges.
* On any config file changes salt_minion_service_restart will be
triggered so salt master will get state immediately because of bg=True
* salt_minion_service is used only for service enablement
[1] https://docs.saltstack.com/en/latest/ref/states/all/salt.states.cmd.html
Change-Id: I7b87b3614708b861e1767566426c7a67c337ba01
Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
In cases when a service whants to generate and sign a certificate
it requires a CA key along with a CA cert itself.
For example, Octavia needs it for signing a certificate it generates
for a newly spawned amphora.
This change add sending a CA key to the mine from where it can be
extracted in the cert.sls state.
Also allow managing permissions for a CA cert and key retrieved
from the mine.
Related PROD: PROD-11933
Change-Id: I911effb4a63ae048e348ed04b7aca33998e359aa
In case of trust_salt_ca usage, the salt.minion.cert state
generates broken certs body due to a space replacing.
Change-Id: Id49e42807ddbc2addaf59a4c4541b720bbf87527
This is useful when using proxies. The default Tornado backend does not
utilize proxy environment variables and isn't able to set no_proxy variable.
Change-Id: I4a51c6fc9abe65d46ed4f3adeb30f7a25337857e
Currently the CI job fails with module not found errror.
AttributeError: 'module' object has no attribute 'check_refresh
The reason is new version of salt tries to call
salt.utils.pkg.check_refresh which is not available in 2016.11.3 but is
available in 2016.11.6.
Reference:
1. https://github.com/saltstack/salt/blob/v2016.11.3/salt/states/pkg.py
2. https://github.com/saltstack/salt/blob/v2016.11.6/salt/states/pkg.py#L1819
The fix proposed here is to use pkg.installed instead of pkg.latest.
It's not a good idea to always update salt whenever the salt state is
run, this may introduce failures unknown to the user. There is a pipeline
to update packages which should be used for updating to latest.
pkg.latest generally isn't a good way to write idempotent formulas. See
official salt docs: "Generally it is better for the installed function
to be used, as latest will update the package whenever a new package is
available."
Change-Id: I8da5c36c1613e54768993080f2514afc920c49f8
1. Remove implicit creation of "local_trusted_symlink".
To install a system-wide certificates the linux.system.cert
state or 'trusted_ca_minion' option must be used.
2. A ca-cert file may exist on a file-system and
not be pulled from mine. So, in this case
the following state be incorrect:
- watch:
- x509: ca_file
To support this case, we need to replace `watch` statement
with `watch_in`.
Change-Id: If41d050b56913d72da1ef7981f30780fec5d6d95
1:
In case of trust_salt_ca usage, the salt.minion.cert state
generates broken certs body due to a space replacing:
-----BEGINCERTIFICATE-----
MIIFzzCCA7egAwIBAgIITiyuuFgl1S4wDQYJKoZIhvcNAQELBQAwSjELMAkGA1UE
BhMCY3oxFzAVBgNVBAMMDlNhbHQgT
....
To fix it the "x509.pem_managed" is used.
2:
If a symlink to CA cert is already exists, then the state is failing.
The force=True (replace) is used now to avoid the issue.
Change-Id: I4a2bd7c882e179560657a3dc7edf18c7e5835492