salt, build: add certs renewal orchestrate

This orchestrate will be called by the reactor when it will receive an event for an expired certificates. It will run `sls` defined under `certs_renewal` pillar entry for each expired certificate. Refs: #1887
scality · Nov 3, 2020 · 6d59b36 · 6d59b36
1 parent f2e1b52
commit 6d59b36
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 0 deletions.
diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
@@ -573,6 +573,8 @@ def _get_parts(self) -> Iterator[str]:
     Path('salt/metalk8s/orchestrate/bootstrap/pre-downgrade.sls'),
     Path('salt/metalk8s/orchestrate/bootstrap/pre-upgrade.sls'),
 
+    Path('salt/metalk8s/orchestrate/certs/renew.sls'),
+
     Path('salt/metalk8s/orchestrate/downgrade/init.sls'),
     Path('salt/metalk8s/orchestrate/downgrade/precheck.sls'),
     Path('salt/metalk8s/orchestrate/downgrade/pre.sls'),

diff --git a/salt/metalk8s/orchestrate/certs/renew.sls b/salt/metalk8s/orchestrate/certs/renew.sls
@@ -0,0 +1,15 @@
+{%- set target_pillar = salt.saltutil.runner(
+  'pillar.show_pillar', kwarg={'minion': pillar.orchestrate.target}
+) %}
+{%- set sls = [] %}
+
+{%- for cert in target_pillar.certs_renewal %}
+  {%- if cert["name"] in pillar.orchestrate.certificates %}
+    {%- do sls.extend(cert["sls"]) %}
+  {%- endif %}
+{%- endfor %}
+
+Renew expired certificates:
+  salt.state:
+    - tgt: {{ pillar.orchestrate.target }}
+    - sls: {{ sls | unique | json }}