feat(update): integrate certificates on supported systems

The update of system wide certificate bundle is only supported on Debian family for now. The split of the update to a dedicated `.sls` file permits to only use `onchanges` requisite.
saltstack-formulas · May 6, 2021 · 5c9e680 · 5c9e680
1 parent 4c2d8da
commit 5c9e680
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 18 deletions.
diff --git a/cert/deployed/files.sls b/cert/deployed/files.sls
@@ -9,13 +9,8 @@
 # Deploy certificates
 # Place all files in a files_roots/cert, e.g. /srv/salt/files/cert/
 
-# Make sure we only run update-ca-certificates if certificates were managed
-{% set vals = { 'managed_certs': False } %}
-
 {% for name, data in mapdata.get('certlist', {}).items() %}
 
-  {% do vals.update({'managed_certs': True}) %}
-
   {% set cert = data.get('cert', False) %}
   {% set key = data.get('key', False) %}
   {% set cert_ext = data.get('cert_ext', mapdata.cert_ext) %}
@@ -48,10 +43,6 @@
     - group: {{ cert_group }}
     - mode: {{ cert_mode }}
   {% endif %}
-  {% if grains['os_family']=="Debian" %}
-    - onchanges_in:
-      - cmd: update-ca-certificates
-  {% endif %}
 
   {% if key %}
 {{ key_dir }}/{{ name }}{{ key_ext }}:
@@ -71,11 +62,3 @@
   {% endif %}
 
 {% endfor %}
-
-# We only want to run the update-ca-certificates if a cert was added or removed.
-{% if grains['os_family']=="Debian" and vals['managed_certs'] %}
-update-ca-certificates:
-  cmd.run:
-    - runas: root
-    - name: update-ca-certificates --fresh
-{% endif %} # / grains['os_family']=="Debian"
diff --git a/cert/init.sls b/cert/init.sls
@@ -4,4 +4,4 @@
 include:
   - .package
   - .deployed
-
+  - .updated
diff --git a/cert/parameters/defaults.yaml b/cert/parameters/defaults.yaml
@@ -17,5 +17,6 @@ values:
   cert_mode: 644
   key_mode: 600
   remove: false
+  certs_update_cmd: ""
   certlist: {}
 ...
diff --git a/cert/parameters/os_family/Debian.yaml b/cert/parameters/os_family/Debian.yaml
@@ -13,6 +13,7 @@
 ---
 values:
   cert_dir: "/usr/local/share/ca-certificates"
+  certs_update_cmd: "update-ca-certificates --fresh"
   key_group: "ssl-cert"
   key_mode: 640
   pkgs:

diff --git a/cert/updated/init.sls b/cert/updated/init.sls
@@ -0,0 +1,5 @@
+# -*- mode: salt; coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+  - .system
diff --git a/cert/updated/system.sls b/cert/updated/system.sls
@@ -0,0 +1,19 @@
+# -*- mode: salt; coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_deployed_files = tplroot ~ '.deployed.files' %}
+{%- from tplroot ~ "/map.jinja" import mapdata without context %}
+
+include:
+  - {{ sls_deployed_files }}
+
+{%- if mapdata.certs_update_cmd %}
+cert-updated-system-cmd.run:
+  cmd.run:
+    - name: {{ mapdata.certs_update_cmd }}
+    - runas: root
+    - onchanges:
+        - sls: {{ sls_deployed_files }}
+{%- endif %}
diff --git a/docs/README.rst b/docs/README.rst
@@ -67,6 +67,11 @@ This state will install the required packages to manage certificates.
 
 This state will write the certificates and there matching keys, if any, are store on disk and integrated in the system.
 
+``cert.updated``
+^^^^^^^^^^^^^^^^
+
+This state will run the ``certs_update_cmd`` command to integrate the deployed certificates on supported systems.
+
 
 Available modules
 -----------------