
  1. #
  2. # SSL Certificates
  3. #
  4. openssl:
  5. pkg.installed:
  6. - name: openssl
  7. c_rehash:
  8. cmd.wait:
  9. - name: /usr/bin/c_rehash >/dev/null 2>/dev/null
  10. - watch: []
  11. # FFHO internal CA
  12. /etc/ssl/certs/ffho-cacert.pem:
  13. file.managed:
  14. - source: salt://certs/ffho-cacert.pem
  15. - user: root
  16. - group: root
  17. - mode: 644
  18. - watch_in:
  19. - cmd: c_rehash
  20. # StartSSL Class1intermediate CA certificate
  21. /etc/ssl/certs/StartSSL_Class1_CA.pem:
  22. file.managed:
  23. - source: salt://certs/StartSSL_Class1_CA.pem
  24. - user: root
  25. - group: root
  26. - mode: 644
  27. - watch_in:
  28. - cmd: c_rehash
  29. # StartSSL Class2 intermediate CA certificate
  30. /etc/ssl/certs/StartSSL_Class2_CA.pem:
  31. file.managed:
  32. - source: salt://certs/StartSSL_Class2_CA.pem
  33. - user: root
  34. - group: root
  35. - mode: 644
  36. - watch_in:
  37. - cmd: c_rehash
  38. {% set certs = {} %}
  39. # Are there any certificates defined or referenced in the node pillar?
  40. {% set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
  41. {% for cn, cert_config in node_config.get ('certs', {}).items () %}
  42. {% set pillar_name = None %}
  43. {# "cert" and "privkey" provided in node config? #}
  44. {% if 'cert' in cert_config and 'privkey' in cert_config %}
  45. {% set pillar_name = 'nodes:' ~ grains['id'] ~ ':certs:' ~ cn %}
  46. {# <cn> only referenced in node config and cert/privkey stored in "cert" pillar? #}
  47. {% elif cert_config.get ('install', False) == True %}
  48. {% set pillar_name = 'cert:' ~ cn %}
  49. {% endif %}
  50. {% if pillar_name != None %}
  51. {% do certs.update ({ cn : pillar_name }) %}
  52. {% endif %}
  53. {% endfor %}
  54. # Are there any cert defined or referenced for this node or roles of this node?
  55. {% set node_roles = node_config.get ('roles', []) %}
  56. {% for cn, cert_config in salt['pillar.get']('cert', {}).items () %}
  57. {% for role in cert_config.get ('apply', {}).get ('roles', []) %}
  58. {% if role in node_roles %}
  59. {% do certs.update ({ cn : 'cert:' ~ cn }) %}
  60. {% endif %}
  61. {% endfor %}
  62. {% endfor %}
  63. # Install found certificates
  64. {% for cn, pillar_name in certs.items () %}
  65. /etc/ssl/certs/{{ cn }}.cert.pem:
  66. file.managed:
  67. {% if salt['pillar.get'](pillar_name ~ ':cert') == "file" %}
  68. - source: salt://certs/certs/{{ cn }}.cert.pem
  69. {% else %}
  70. - contents_pillar: {{ pillar_name }}:cert
  71. {% endif %}
  72. - user: root
  73. - group: root
  74. - mode: 644
  75. /etc/ssl/private/{{ cn }}.key.pem:
  76. file.managed:
  77. - contents_pillar: {{ pillar_name }}:privkey
  78. - user: root
  79. - group: ssl-cert
  80. - mode: 440
  81. {% endfor %}