salt, build: Add reactor for certs renewal

This reactor will be called when an expired certificate event will be received. It will then launch an orchestrate `orchestrate.certs.renew`, passing the list of expired certificates, to renew them. Refs: #1887
scality · Dec 11, 2020 · 3db8c10 · 3db8c10
1 parent f93281c
commit 3db8c10
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
@@ -602,6 +602,18 @@ def _get_parts(self) -> Iterator[str]:
 
     Path('salt/metalk8s/service-configuration/deployed/init.sls'),
 
+    targets.TemplateFile(
+        task_name='salt/metalk8s/reactor/certs/renew.sls',
+        source=constants.ROOT.joinpath(
+            'salt', 'metalk8s', 'reactor', 'certs', 'renew.sls.in'
+        ),
+        destination=constants.ISO_ROOT.joinpath(
+            'salt', 'metalk8s', 'reactor', 'certs', 'renew.sls'
+        ),
+        context={'VERSION': versions.VERSION},
+        file_dep=[versions.VERSION_FILE],
+    ),
+
     Path('salt/metalk8s/repo/configured.sls'),
     Path('salt/metalk8s/repo/deployed.sls'),
     Path('salt/metalk8s/repo/files/apt.sources.list.j2'),

diff --git a/salt/metalk8s/reactor/certs/renew.sls.in b/salt/metalk8s/reactor/certs/renew.sls.in
@@ -0,0 +1,17 @@
+{%- set target = data["id"] %}
+{%- set certificates = data["certificates"] |
+                       map(attribute="cert_path") | list %}
+
+# workaround for https://github.com/saltstack/salt/issues/50827,
+# saltenv is not passed to the reactor
+{%- set saltenv = "metalk8s-@@VERSION" %}
+
+Renew expired certificates:
+  runner.state.orchestrate:
+    - args:
+      - mods: metalk8s.orchestrate.certs.renew
+      - saltenv: {{ saltenv }}
+      - pillar:
+          orchestrate:
+            target: {{ target }}
+            certificates: {{ certificates | json }}