| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141 |
- {% import 'globals.jinja' as globals %}
- include:
- - constant_state
- - generic_packages.m2crypto
- /data/admin/pki/cacerts:
- file.directory:
- - mode: 755
- - require:
- - file: /data/admin/pki
- # Root CA
- /data/admin/pki/root:
- file.directory:
- - mode: 700
- - require:
- - file: /data/admin/pki
- /data/admin/pki/root/issued_certs:
- file.directory:
- - mode: 700
- - require:
- - file: /data/admin/pki/root
- {% if grains['id'] == globals.primary_admin_host %}
- /data/admin/pki/root/ca.key:
- x509.private_key_managed:
- - bits: 4096
- - backup: True
- - require:
- - file: /data/admin/pki/root
- /data/admin/pki/root/ca.crt:
- x509.certificate_managed:
- - signing_private_key: /data/admin/pki/root/ca.key
- - basicConstraints: "critical CA:true"
- - keyUsage: "critical cRLSign, keyCertSign"
- - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: 3650
- - days_remaining: 0
- - backup: True
- {%- for attr, value in pillar['global']['certificate_attributes']['root'].items() %}
- - {{ attr }}: {{ value }}
- {%- endfor %}
- - CN: Root Certificate Authority
- - require:
- - file: /data/admin/pki/cacerts
- - x509: /data/admin/pki/root/ca.key
- /data/admin/pki/cacerts/ca_root.crt:
- file.managed:
- - source: /data/admin/pki/root/ca.crt
- - require:
- - x509: /data/admin/pki/root/ca.crt
- - onchanges_in:
- - module: mine_send_cacerts
- {% endif %}
- # Deployment CA
- /data/admin/pki/deployment:
- file.directory:
- - mode: 700
- - require:
- - file: /data/admin/pki
- /data/admin/pki/deployment/issued_certs:
- file.directory:
- - mode: 700
- - require:
- - file: /data/admin/pki/deployment
- {% if grains['id'] == globals.primary_admin_host %}
- /data/admin/pki/deployment/ca.key:
- x509.private_key_managed:
- - bits: 4096
- - backup: True
- - require:
- - file: /data/admin/pki/deployment
- /data/admin/pki/deployment/ca.crt:
- x509.certificate_managed:
- - signing_cert: /data/admin/pki/root/ca.crt
- - signing_private_key: /data/admin/pki/root/ca.key
- - public_key: /data/admin/pki/deployment/ca.key
- - basicConstraints: "critical CA:true"
- - keyUsage: "critical cRLSign, keyCertSign"
- - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: 3650
- - days_remaining: 0
- - backup: True
- {%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
- - {{ attr }}: {{ value }}
- {%- endfor %}
- - CN: Deployment Certificate Authority
- - require:
- - file: /data/admin/pki/cacerts
- - x509: /data/admin/pki/root/ca.key
- - x509: /data/admin/pki/root/ca.crt
- - x509: /data/admin/pki/deployment/ca.key
- /data/admin/pki/cacerts/ca_deployment.crt:
- file.managed:
- - source: /data/admin/pki/deployment/ca.crt
- - require:
- - x509: /data/admin/pki/deployment/ca.crt
- - onchanges_in:
- - module: mine_send_cacerts
- /etc/salt/minion.d/signing_policies.conf:
- file.managed:
- - source: salt://admin/files/signing_policies.conf
- - template: jinja
- - watch_in:
- - service: salt_minion
- {% else %}
- /etc/salt/minion.d/signing_policies.conf:
- file.absent:
- - watch_in:
- - service: salt_minion
- {% endif %}
- mine_send_cacerts:
- module.run:
- - name: mine.send
- - func: x509.get_pem_entries
- - kwargs:
- glob_path: /data/admin/pki/cacerts/*.crt
- - onchanges:
- - test: constant_state