Enhance minion.cert

- allow defining custom key/cert paths
- ensure key/cert directories exist
- set key/cert permissions from metadata
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index d4e990c..594d686 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -4,38 +4,86 @@
 {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
 {%- set rowloop = loop %}
 
-/etc/ssl/private/{{ cert.common_name }}.key:
+{%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
+{%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
+{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
+{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
+
+{# Only ensure directories exists, don't touch permissions, etc. #}
+salt_minion_cert_{{ cert_name }}_dirs:
+  file.directory:
+    - names:
+      - {{ key_dir }}
+      - {{ cert_dir }}
+    - makedirs: true
+    - replace: false
+
+{{ key_file }}:
   x509.private_key_managed:
-  - bits: 4096
+    - bits: {{ cert.get('bits', 4096) }}
+  require:
+    - file: salt_minion_cert_{{ cert_name }}_dirs
 
-{{ cert.common_name }}_rights:
+{{ key_file }}_key_permissions:
   file.managed:
-  - name: /etc/ssl/private/{{ cert.common_name }}.key
-  - mode: 600
-  - replace: False
-  - require:
-    - x509: /etc/ssl/private/{{ cert.common_name }}.key
+    - name: {{ key_file }}
+    - mode: {{ cert.get("mode", 0600) }}
+    {%- if salt['user.info'](cert.get("user", "root")) %}
+    - user: {{ cert.get("user", "root") }}
+    {%- endif %}
+    {%- if salt['group.info'](cert.get("group", "root")) %}
+    - group: {{ cert.get("group", "root") }}
+    {%- endif %}
+    - replace: false
+    - watch:
+      - x509: {{ key_file }}
 
-/etc/ssl/certs/{{ cert.common_name }}.crt:
+{{ cert_file }}:
   x509.certificate_managed:
-  - ca_server: {{ cert.host }}
-  - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
-  - public_key: /etc/ssl/private/{{ cert.common_name }}.key
-  - CN: {{ cert.common_name }}
-  {%- if cert.alternative_names is defined %}
-  - subjectAltName: {{ cert.alternative_names }}
-  {%- endif %}
-  - days_remaining: 30
-  - backup: True
+    - ca_server: {{ cert.host }}
+    - signing_policy: {{ cert.authority }}_{{ cert.signing_policy }}
+    - public_key: {{ key_file }}
+    - CN: {{ cert.common_name }}
+    {%- if cert.alternative_names is defined %}
+    - subjectAltName: {{ cert.alternative_names }}
+    {%- endif %}
+    - days_remaining: 30
+    - backup: True
+    - watch:
+      - x509: {{ key_file }}
+
+{{ cert_file }}_cert_permissions:
+  file.managed:
+    - name: {{ cert_file }}
+    - mode: {{ cert.get("mode", 0600) }}
+    {%- if salt['user.info'](cert.get("user", "root")) %}
+    - user: {{ cert.get("user", "root") }}
+    {%- endif %}
+    {%- if salt['group.info'](cert.get("group", "root")) %}
+    - group: {{ cert.get("group", "root") }}
+    {%- endif %}
+    - replace: false
+    - watch:
+      - x509: {{ cert_file }}
 
 {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries')[cert.host].iteritems() %}
 
 {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
+{%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
 
-ca_cert_{{ cert.authority }}_{{ rowloop.index }}:
+{{ ca_file }}_{{ rowloop.index }}:
   x509.pem_managed:
-  - name: /etc/ssl/certs/ca-{{ cert.authority }}.crt
-  - text: {{ ca_cert|replace('\n', '') }}
+    - name: {{ ca_file }}
+    - text: {{ ca_cert|replace('\n', '') }}
+    - watch:
+      - x509: {{ cert_file }}
+
+{{ ca_file }}_cert_permissions:
+  file.managed:
+    - name: {{ ca_file }}
+    - mode: 0644
+    - watch:
+      - x509: {{ ca_file }}
 
 {%- endif %}
 
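Review bot: The `require:` under the `{{ key_file }}` state (the two lines after `- bits:`) sits at the same indentation as `x509.private_key_managed:` instead of inside its argument list, so Salt will most likely treat `require` as a state module name rather than a requisite and fail to compile the state; indent it as `    - require:` / `      - file: salt_minion_cert_{{ cert_name }}_dirs`. `replace: false` under `file.directory` is not a documented argument of that state and is at best ignored, so drop it. The mode defaults are written as the Jinja literal `0600`, which Jinja has no octal syntax for and renders as `600`, and an unquoted pillar value such as `mode: 0644` arrives as the decimal 420, so use string defaults like `cert.get("mode", "0600")` in all three `file.managed` states and note in the formula docs that pillar modes must be quoted. `key_file|replace(key_file.split('/')[-1], "")` strips every occurrence of the basename from the path, not just the last component, so a path whose directory name contains the basename is mangled; `key_file.rsplit('/', 1)[0]` is the safe form for both `key_dir` and `cert_dir`. Between `x509.private_key_managed` writing the key and the `_key_permissions` state running, the file carries whatever permissions the x509 module created it with, so if the Salt version in use accepts file.managed kwargs on `private_key_managed`, passing `mode`/`user`/`group` there directly closes that window.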
@@ -43,4 +91,4 @@
 
 {%- endfor %}
 
-{%- endif %}
\ No newline at end of file
+{%- endif %}