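# Minion-side certificate authorities.
# For every CA defined under minion.ca (salt/map.jinja) this state file
# creates the CA directories, a 4096-bit private key and a self-signed CA
# certificate, enforces ownership/permissions on both files, collects the
# certificate under all_ca_certs_dir and finally publishes the collected
# PEM entries to the Salt mine.
{%- from "salt/map.jinja" import minion with context %}
{%- if minion.enabled %}

include:
  - salt.minion.service

# Directory into which every CA certificate is copied; its contents are
# what salt_system_ca_mine_send_ca publishes to the mine.
{%- set all_ca_certs_dir = '/etc/pki/all_cas' %}

# .items() rather than .iteritems(): the latter is Python 2 only and breaks
# rendering on Python 3 based minions.
{%- for ca_name, ca in minion.ca.items() %}
{%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
{%- set ca_key_file = ca.get('ca_key_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.key') %}
{%- set ca_key_usage = ca.get('key_usage', "critical,cRLSign,keyCertSign") %}
{%- set ca_owner = ca.get("user", "root") %}
{%- set ca_group = ca.get("group", "root") %}
{%- set ca_dir = salt['file.dirname'](ca_file) %}
{%- set ca_key_dir = salt['file.dirname'](ca_key_file) %}
{%- set ca_certs_dir = ca_dir ~ '/certs' %}

salt_minion_cert_{{ ca_name }}_dirs:
  file.directory:
    - names:
      - {{ ca_dir }}
      - {{ ca_key_dir }}
      - {{ ca_certs_dir }}
    - makedirs: true

{{ ca_key_file }}:
  x509.private_key_managed:
    - bits: 4096
    - backup: true
    - require:
      - file: {{ ca_certs_dir }}

# TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
# Until then the key is written by the x509 state above and its owner/mode are
# only enforced by this second state, i.e. in a separate step.
# The mode is quoted on purpose: an unquoted 0600 is read by YAML as the octal
# integer 384, which Salt would then apply as a different mode. Give the pillar
# value as a string as well ("0600"), otherwise the same conversion happens there.
{{ ca_name }}_key_permissions:
  file.managed:
    - name: {{ ca_key_file }}
    - mode: "{{ ca.get('mode', '0600') }}"
{%- if salt['user.info'](ca_owner) %}
    - user: {{ ca_owner }}
{%- endif %}
{%- if salt['group.info'](ca_group) %}
    - group: {{ ca_group }}
{%- endif %}
    - replace: false
    - require:
      - x509: {{ ca_key_file }}

# Subject fields are quoted so a value containing ': ' or ' #' cannot break
# the YAML produced by the template.
{{ ca_file }}:
  x509.certificate_managed:
    - signing_private_key: {{ ca_key_file }}
    - CN: "{{ ca.common_name }}"
{%- if ca.country is defined %}
    - C: "{{ ca.country }}"
{%- endif %}
{%- if ca.state is defined %}
    - ST: "{{ ca.state }}"
{%- endif %}
{%- if ca.locality is defined %}
    - L: "{{ ca.locality }}"
{%- endif %}
{%- if ca.organization is defined %}
    - O: "{{ ca.organization }}"
{%- endif %}
{%- if ca.organization_unit is defined %}
    - OU: "{{ ca.organization_unit }}"
{%- endif %}
    - basicConstraints: "critical,CA:TRUE"
    - keyUsage: "{{ ca_key_usage }}"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: "keyid,issuer:always"
    - days_valid: {{ ca.days_valid.authority }}
    # 0 means the certificate is never regenerated because expiry is
    # approaching; days_valid alone defines its lifetime.
    - days_remaining: 0
    - backup: true
    - require:
      - x509: {{ ca_key_file }}
{%- if grains['saltversioninfo'][0] >= 2017 %}
    - retry:
        attempts: 5
        until: true
        interval: 60
{%- endif %}

# TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
# The certificate is public; 0644 is intended and quoted for the same reason
# as the key mode above.
{{ ca_name }}_cert_permissions:
  file.managed:
    - name: {{ ca_file }}
    - mode: "0644"
{%- if salt['user.info'](ca_owner) %}
    - user: {{ ca_owner }}
{%- endif %}
{%- if salt['group.info'](ca_group) %}
    - group: {{ ca_group }}
{%- endif %}
    - require:
      - x509: {{ ca_file }}

# Keep a copy of every CA certificate in the shared directory; the copy is
# refreshed only when `diff -q` reports that it differs from ca_file.
copy_to_{{ all_ca_certs_dir }}/{{ ca_name }}:
  file.copy:
    - name: {{ all_ca_certs_dir }}/{{ ca_name }}.crt
    - source: {{ ca_file }}
    - makedirs: true
    - force: true
    - unless:
      - diff -q {{ ca_file }} {{ all_ca_certs_dir }}/{{ ca_name }}.crt
    - require:
      - x509: {{ ca_file }}
{%- endfor %}

# Publish the PEM entries of all collected CA certificates to the mine.
salt_system_ca_mine_send_ca:
  module.run:
    - name: mine.send
    - func: x509.get_pem_entries
    - kwargs:
        mine_function: x509.get_pem_entries
        glob_path: {{ all_ca_certs_dir }}/*
{%- endif %}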