From 5c9e680e69999e0278210739f7cb0de3896d4a68 Mon Sep 17 00:00:00 2001
From: Daniel Dehennin
Date: Thu, 6 May 2021 10:05:08 +0200
Subject: [PATCH] feat(update): integrate certificates on supported systems
The update of system wide certificate bundle is only supported on Debian family for now. The split of the update to a dedicated `.sls` file permits to only use `onchanges` requisite.
---
 cert/deployed/files.sls | 17 -----------------
 cert/init.sls | 2 +-
 cert/parameters/defaults.yaml | 1 +
 cert/parameters/os_family/Debian.yaml | 1 +
 cert/updated/init.sls | 5 +++++
 cert/updated/system.sls | 19 +++++++++++++++++++
 docs/README.rst | 5 +++++
 7 files changed, 32 insertions(+), 18 deletions(-)
 create mode 100644 cert/updated/init.sls
 create mode 100644 cert/updated/system.sls
diff --git a/cert/deployed/files.sls b/cert/deployed/files.sls
index b68d273..65b4b95 100644
--- a/cert/deployed/files.sls
+++ b/cert/deployed/files.sls
@@ -9,13 +9,8 @@
 # Deploy certificates
 # Place all files in a files_roots/cert, e.g. /srv/salt/files/cert/
-# Make sure we only run update-ca-certificates if certificates were managed
-{% set vals = { 'managed_certs': False } %}
-
 {% for name, data in mapdata.get('certlist', {}).items() %}
- {% do vals.update({'managed_certs': True}) %}
-
 {% set cert = data.get('cert', False) %}
 {% set key = data.get('key', False) %}
 {% set cert_ext = data.get('cert_ext', mapdata.cert_ext) %}
@@ -48,10 +43,6 @@
 - group: {{ cert_group }}
 - mode: {{ cert_mode }}
 {% endif %}
- {% if grains['os_family']=="Debian" %}
- - onchanges_in:
- - cmd: update-ca-certificates
- {% endif %}
 {% if key %}
 {{ key_dir }}/{{ name }}{{ key_ext }}:
@@ -71,11 +62,3 @@
 {% endif %}
 {% endfor %}
-
-# We only want to run the update-ca-certificates if a cert was added or removed.
-{% if grains['os_family']=="Debian" and vals['managed_certs'] %}
-update-ca-certificates:
- cmd.run:
- - runas: root
- - name: update-ca-certificates --fresh
-{% endif %} # / grains['os_family']=="Debian"
diff --git a/cert/init.sls b/cert/init.sls
index d670ca9..06f7d8e 100644
--- a/cert/init.sls
+++ b/cert/init.sls
@@ -4,4 +4,4 @@
 include:
 - .package
 - .deployed
-
+ - .updated
diff --git a/cert/parameters/defaults.yaml b/cert/parameters/defaults.yaml
index 1890823..abddad4 100644
--- a/cert/parameters/defaults.yaml
+++ b/cert/parameters/defaults.yaml
@@ -17,5 +17,6 @@ values:
 cert_mode: 644
 key_mode: 600
 remove: false
+ certs_update_cmd: ""
 certlist: {}
 ...
diff --git a/cert/parameters/os_family/Debian.yaml b/cert/parameters/os_family/Debian.yaml
index 768a196..b5232d2 100644
--- a/cert/parameters/os_family/Debian.yaml
+++ b/cert/parameters/os_family/Debian.yaml
@@ -13,6 +13,7 @@
 ---
 values:
 cert_dir: "/usr/local/share/ca-certificates"
+ certs_update_cmd: "update-ca-certificates --fresh"
 key_group: "ssl-cert"
 key_mode: 640
 pkgs:
diff --git a/cert/updated/init.sls b/cert/updated/init.sls
new file mode 100644
index 0000000..e36f80a
--- /dev/null
+++ b/cert/updated/init.sls
@@ -0,0 +1,5 @@
+# -*- mode: salt; coding: utf-8 -*-
+# vim: ft=sls
+
+include:
+ - .system
diff --git a/cert/updated/system.sls b/cert/updated/system.sls
new file mode 100644
index 0000000..e7ad9b2
--- /dev/null
+++ b/cert/updated/system.sls
@@ -0,0 +1,19 @@
+# -*- mode: salt; coding: utf-8 -*-
+# vim: ft=sls
+
+{#- Get the `tplroot` from `tpldir` #}
+{%- set tplroot = tpldir.split('/')[0] %}
+{%- set sls_deployed_files = tplroot ~ '.deployed.files' %}
+{%- from tplroot ~ "/map.jinja" import mapdata without context %}
+
+include:
+ - {{ sls_deployed_files }}
+
+{%- if mapdata.certs_update_cmd %}
+cert-updated-system-cmd.run:
+ cmd.run:
+ - name: {{ mapdata.certs_update_cmd }}
+ - runas: root
+ - onchanges:
+ - sls: {{ sls_deployed_files }}
+{%- endif %}
diff --git a/docs/README.rst b/docs/README.rst
index c803fd6..2a23a2e 100644
--- a/docs/README.rst
+++ b/docs/README.rst
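Review bot: The new `certs_update_cmd: ""` default in cert/parameters/defaults.yaml carries no comment saying that the empty string is what switches the `cert.updated` step off on OS families without an override, so a reader cannot tell whether `""` is a placeholder still to be filled or a deliberate off switch. A one-line comment above the key would settle it, e.g. `# Command run as root after deployed certificates change; empty string disables the cert.updated state`. Because cert/updated/system.sls executes this value verbatim through `cmd.run`, the same comment is the right place to state that the key is privileged configuration.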
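Review bot: Setting `certs_update_cmd` to `update-ca-certificates --fresh` while `cert_dir` is `/usr/local/share/ca-certificates` means every certificate this formula deploys on Debian — including server certificates whose private key cert.deployed.files writes alongside them — becomes a system-wide trust anchor, and `--fresh` additionally rebuilds `/etc/ssl/certs` from scratch, discarding any symlinks placed there outside the ca-certificates configuration. Neither consequence is stated in this hunk or in the README paragraph the commit adds; a comment above the key such as `# Everything under cert_dir is added to the system trust store by this command; --fresh also drops unmanaged symlinks in /etc/ssl/certs` would make the trust impact explicit to whoever fills `certlist`. Note that update-ca-certificates only picks up files ending in `.crt` under that directory, so an override of `cert_ext` to another extension (its default is set elsewhere in the map and not visible here) would make the command run successfully but integrate nothing — worth a second comment line or a README sentence.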
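Review bot: `- name: {{ mapdata.certs_update_cmd }}` in cert/updated/system.sls renders a map/pillar string into the YAML unquoted and then executes it as root, so a value containing `: ` or ` #` breaks the state render, and whoever can set that key on the master gets arbitrary root command execution on every targeted minion. Rendering it as `- name: {{ mapdata.certs_update_cmd | yaml_encode }}` fixes the quoting, and a `{#- ... #}` comment above the state should say the value is trusted, master-controlled input run with root privileges — the `runas: root` line is presumably a no-op on a minion that already runs as root (confirm), so it must not be read as a privilege boundary. Separately, the old `vals['managed_certs']` guard is gone: when `certlist` is empty, `cert.deployed.files` renders no states, and an `onchanges: - sls:` requisite that matches nothing is, as far as I recall, reported as a missing requisite and fails this state; guarding with `{%- if mapdata.certs_update_cmd and mapdata.certlist %}` would restore the previous behaviour and is worth verifying on a host with no certificates configured.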
@@ -67,6 +67,11 @@ This state will install the required packages to manage certificates.
 This state will write the certificates and there matching keys, if any, are store on disk and integrated in the system.
+``cert.updated``
+^^^^^^^^^^^^^^^^
+
+This state will run the ``certs_update_cmd`` command to integrate the deployed certificates on supported systems.
+
 Available modules
 -----------------