Merge "Enable and use salt_api proxy by default"
diff --git a/defaults/init.yml b/defaults/init.yml
index b37fbfb..0094ec3 100644
--- a/defaults/init.yml
+++ b/defaults/init.yml
@@ -11,6 +11,7 @@
- system.defaults.backupninja
- system.defaults.git
- system.defaults.glusterfs
+- system.defaults.nginx
- system.defaults.jenkins
- system.defaults.postgresql
- system.defaults.maas
@@ -58,3 +59,7 @@
single_address: '127.0.0.1'
# Cloudwatch api removed from Queens
openstack_heat_cloudwatch_api_enabled: True
+
+ salt_master_host: '127.0.0.1'
+ infra_config_address: '127.0.0.1'
+ reclass_config_master: '127.0.0.1'
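Review bot: The three new loopback defaults are now load-bearing elsewhere in this change — `salt_master_host` ends up in the Jenkins salt-api URL (defaults/jenkins.yml) and, together with `infra_config_address`, in the salt_api certificate SANs — yet nothing marks them as placeholders that a cluster model is expected to override, and `reclass_config_master` is not referenced by anything else in this diff. A comment above them such as `# Loopback placeholders; cluster models override these with real addresses` would make the intent explicit. The existing `salt_master_host` quoting style is consistent with the new lines, which is good.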
diff --git a/defaults/jenkins.yml b/defaults/jenkins.yml
index eddf216..d01bf4e 100644
--- a/defaults/jenkins.yml
+++ b/defaults/jenkins.yml
@@ -3,4 +3,4 @@
jenkins_master_port: 8081
jenkins_master_protocol: http
jenkins_pipelines_branch: "master"
- jenkins_salt_api_url: "http://${_param:salt_master_host}:${_param:salt_master_api_port}"
+ jenkins_salt_api_url: "https://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"
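Review bot: The new URL hardcodes the `https://` scheme while taking the port from `nginx_proxy_salt_api_site_port`; the companion `nginx_proxy_salt_api_site_protocol` parameter that defaults/nginx.yml introduces should drive the scheme as well, otherwise overriding the site protocol leaves Jenkins on the wrong one: `jenkins_salt_api_url: "${_param:nginx_proxy_salt_api_site_protocol}://${_param:salt_master_host}:${_param:nginx_proxy_salt_api_site_port}"`. Since the proxy site is named `${_param:infra_config_hostname}.${_param:cluster_domain}` but this URL uses `salt_master_host`, certificate hostname verification from Jenkins depends on `salt_master_host` being present in the salt_api certificate's SANs, which salt/minion/cert/salt_api.yml in this change does add.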
diff --git a/defaults/nginx.yml b/defaults/nginx.yml
new file mode 100644
index 0000000..dd47452
--- /dev/null
+++ b/defaults/nginx.yml
@@ -0,0 +1,5 @@
+parameters:
+ _param:
+ nginx_proxy_salt_api_proxy_protocol: 'http'
+ nginx_proxy_salt_api_site_port: 8969
+ nginx_proxy_salt_api_site_protocol: 'https'
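Review bot: The two protocol parameters point in opposite directions — `nginx_proxy_salt_api_proxy_protocol` is the scheme nginx uses towards the salt-api backend (plaintext `'http'`), `nginx_proxy_salt_api_site_protocol` is the client-facing scheme — but the names alone do not convey that, and a reader could override the wrong one when trying to harden the endpoint. A one-line comment on each would settle it, e.g. `# scheme used by nginx towards the salt-api backend` above the first and `# scheme offered to clients by the nginx site` above the third. The port `8969` is a real integer here and is used as a port elsewhere in the change, so leaving it unquoted is correct.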
diff --git a/defaults/salt/init.yml b/defaults/salt/init.yml
index a720189..0b80c35 100644
--- a/defaults/salt/init.yml
+++ b/defaults/salt/init.yml
@@ -57,3 +57,4 @@
- '@jobs' # to allow access to the jobs runner and/or wheel mo
salt_minion_ca_authority: salt_master_ca
+ salt_master_api_bind_address: 0.0.0.0
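Review bot: Defaulting `salt_master_api_bind_address` to `0.0.0.0` keeps the plaintext salt-api listener reachable on every interface right next to the new HTTPS site, so the proxy adds a TLS endpoint without removing the unencrypted one; nginx/server/proxy/salt_api.yml also sends upstream traffic to `${_param:infra_config_hostname}.${_param:cluster_domain}` over `http`, which is a non-loopback address unless that name resolves locally. Tightening this to `'127.0.0.1'` would only be safe together with pointing the upstream `proxy.host` at loopback, so if the wide bind is deliberate a comment stating that the plaintext port is expected to be restricted by other means would help the next reader. Style-wise, the sibling address defaults in defaults/init.yml are quoted (`'127.0.0.1'`), so `'0.0.0.0'` would match that convention.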
diff --git a/docker/swarm/stack/jenkins/slave01.yml b/docker/swarm/stack/jenkins/slave01.yml
index 4791fe3..73e8140 100644
--- a/docker/swarm/stack/jenkins/slave01.yml
+++ b/docker/swarm/stack/jenkins/slave01.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave01_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
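Review bot: Mounting the host's whole `/etc/ssl/certs/` over the container's directory replaces the image's CA bundle wholesale rather than only the Java truststore, so the slave now trusts exactly what the host trusts and nothing the image shipped; the same change appears in slave02.yml and slave03.yml. The JVM in the container presumably still reads `/etc/ssl/certs/java/cacerts` (that is the path the old mount provided), so the host must ship that file with the salt CA imported, which this diff does not show. A comment on the volume line, `# host CA store incl. the salt CA, needed for the https salt-api proxy`, would record why the mount was widened.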
diff --git a/docker/swarm/stack/jenkins/slave02.yml b/docker/swarm/stack/jenkins/slave02.yml
index 58b5a23..ee198cb 100644
--- a/docker/swarm/stack/jenkins/slave02.yml
+++ b/docker/swarm/stack/jenkins/slave02.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave02_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
diff --git a/docker/swarm/stack/jenkins/slave03.yml b/docker/swarm/stack/jenkins/slave03.yml
index cc2acbd..b04ea2a 100644
--- a/docker/swarm/stack/jenkins/slave03.yml
+++ b/docker/swarm/stack/jenkins/slave03.yml
@@ -27,7 +27,7 @@
- "node.hostname == ${_param:jenkins_slave03_node_name}"
image: ${_param:docker_image_jenkins_slave}
volumes:
- - /etc/ssl/certs/java/cacerts:/etc/ssl/certs/java/cacerts:ro
+ - /etc/ssl/certs/:/etc/ssl/certs/:ro
- /dev/urandom:/dev/random:ro
- /var/run/docker.sock:/var/run/docker.sock
- /usr/bin/docker:/usr/bin/docker:ro
diff --git a/nginx/server/proxy/salt_api.yml b/nginx/server/proxy/salt_api.yml
new file mode 100644
index 0000000..f559ef4
--- /dev/null
+++ b/nginx/server/proxy/salt_api.yml
@@ -0,0 +1,28 @@
+parameters:
+ _param:
+ nginx_proxy_salt_api_proxy_port: ${_param:salt_master_api_port}
+ nginx_proxy_ssl:
+ enabled: true
+ authority: ${_param:salt_minion_ca_authority}
+ engine: salt
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+ ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
+ nginx:
+ server:
+ enabled: true
+ site:
+ nginx_proxy_salt_api:
+ enabled: true
+ type: nginx_proxy
+ name: salt_api
+ proxy:
+ host: ${_param:infra_config_hostname}.${_param:cluster_domain}
+ port: ${_param:nginx_proxy_salt_api_proxy_port}
+ protocol: ${_param:nginx_proxy_salt_api_proxy_protocol}
+ host:
+ name: ${_param:infra_config_hostname}.${_param:cluster_domain}
+ port: ${_param:nginx_proxy_salt_api_site_port}
+ protocol: ${_param:nginx_proxy_salt_api_site_protocol}
+ ssl: ${_param:nginx_proxy_ssl}
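Review bot: The four PKI paths under `nginx_proxy_ssl` are copied verbatim from salt/minion/cert/salt_api.yml in this same change, so the two files will drift the first time one of them is edited; since this file already interpolates `${salt:minion:cert:salt_api:common_name}`, the same reference mechanism can pull the paths from the certificate definition instead. The upstream `proxy.host` is the node's FQDN contacted over `${_param:nginx_proxy_salt_api_proxy_protocol}` (plaintext `http` by default), which is worth a comment so nobody assumes the hop is encrypted.
```yaml
nginx_proxy_ssl:
  enabled: true
  authority: ${_param:salt_minion_ca_authority}
  engine: salt
  # paths come from the salt_api certificate definition; keep them single-sourced
  key_file: ${salt:minion:cert:salt_api:key_file}
  cert_file: ${salt:minion:cert:salt_api:cert_file}
  all_file: ${salt:minion:cert:salt_api:all_file}
  ca_file: ${salt:minion:cert:salt_api:ca_file}
# … unchanged: nginx server/site definition …
```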
diff --git a/salt/master/api.yml b/salt/master/api.yml
index f0fa081..50a9d3e 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,9 +1,15 @@
+classes:
+# Enabled ssl api by default
+- system.salt.minion.cert.salt_api
+- system.nginx.server.single
+- system.nginx.server.proxy.ssl
+- system.nginx.server.proxy.salt_api
parameters:
salt:
api:
enabled: true
bind:
- address: 0.0.0.0
+ address: ${_param:salt_master_api_bind_address}
port: ${_param:salt_master_api_port}
master:
command_timeout: 600
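Review bot: The new `classes:` list turns `system.salt.master.api` into something that also installs an nginx server and issues a certificate on every node that includes it, and the only note is `# Enabled ssl api by default`, which reads as past tense and sits at the wrong indentation for a list comment. Replacing it with `# Enable the TLS-terminating nginx proxy in front of salt-api by default (pulls in nginx + the salt_api minion cert)` states the actual side effects for anyone who only wanted the bare API. The `master:` mapping continues outside this hunk.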
diff --git a/salt/minion/cert/salt_api.yml b/salt/minion/cert/salt_api.yml
index acd9bba..71441b1 100644
--- a/salt/minion/cert/salt_api.yml
+++ b/salt/minion/cert/salt_api.yml
@@ -3,9 +3,20 @@
minion:
cert:
salt_api:
+ common_name: salt_api
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
- common_name: salt_api
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+ ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
signing_policy: cert_server
- alternative_names: IP:${_param:salt_master_host},IP:127.0.0.1,DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
+ alternative_names: >
+ IP:${_param:salt_master_host},
+ IP:127.0.0.1,
+ IP:${_param:infra_config_address},
+ DNS:${_param:salt_master_host},
+ DNS:127.0.0.1,
+ DNS:${_param:infra_config_address},
+ DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
mode: '0644'
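Review bot: `alternative_names: >` folds the entries into one string with a space after every comma and a trailing newline, so the rendered value no longer matches the previous single-line form byte for byte; unless the x509 backend is known to strip that whitespace, `>-` at least drops the newline, and a single-quoted one-line value would keep the exact previous bytes. `DNS:127.0.0.1` and `DNS:${_param:infra_config_address}` place IP literals into dNSName entries, which standards-following clients do not match against an IP in the URL; if they exist for one specific client's matching behaviour, a comment naming it would stop a later cleanup from removing them. With the loopback defaults added to defaults/init.yml, the IP and DNS lists also collapse to repeated `127.0.0.1` entries by default, which some signing tooling may reject or dedupe — worth a check against the CA state.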