From 6d59b3699e6a8d43bf556e9bde033696b4ce7a97 Mon Sep 17 00:00:00 2001
From: Alexandre Allard
Date: Tue, 3 Nov 2020 16:01:03 +0100
Subject: [PATCH] salt, build: add certs renewal orchestrate

This orchestrate will be called by the reactor when it will receive an event for an expired certificates. It will run `sls` defined under `certs_renewal` pillar entry for each expired certificate.

Refs: #1887
---
 buildchain/buildchain/salt_tree.py | 2 ++
 salt/metalk8s/orchestrate/certs/renew.sls | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 salt/metalk8s/orchestrate/certs/renew.sls

diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
index cb80e36c94..ff3213eaed 100644
--- a/buildchain/buildchain/salt_tree.py
+++ b/buildchain/buildchain/salt_tree.py
@@ -573,6 +573,8 @@ def _get_parts(self) -> Iterator[str]:
         Path('salt/metalk8s/orchestrate/bootstrap/pre-downgrade.sls'),
         Path('salt/metalk8s/orchestrate/bootstrap/pre-upgrade.sls'),
+        Path('salt/metalk8s/orchestrate/certs/renew.sls'),
+
 
         Path('salt/metalk8s/orchestrate/downgrade/init.sls'),
         Path('salt/metalk8s/orchestrate/downgrade/precheck.sls'),
         Path('salt/metalk8s/orchestrate/downgrade/pre.sls'),
diff --git a/salt/metalk8s/orchestrate/certs/renew.sls b/salt/metalk8s/orchestrate/certs/renew.sls
new file mode 100644
index 0000000000..7f8662e40f
--- /dev/null
+++ b/salt/metalk8s/orchestrate/certs/renew.sls
@@ -0,0 +1,15 @@
+{%- set target_pillar = salt.saltutil.runner(
+    'pillar.show_pillar', kwarg={'minion': pillar.orchestrate.target}
+) %}
+{%- set sls = [] %}
+
+{%- for cert in target_pillar.certs_renewal %}
+  {%- if cert["name"] in pillar.orchestrate.certificates %}
+    {%- do sls.extend(cert["sls"]) %}
+  {%- endif %}
+{%- endfor %}
+
+Renew expired certificates:
+  salt.state:
+    - tgt: {{ pillar.orchestrate.target }}
+    - sls: {{ sls | unique | json }}
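Review bot: `target_pillar.certs_renewal` on the `for` line of renew.sls is an unguarded attribute access, so when the target minion's pillar has no `certs_renewal` entry (or the `pillar.show_pillar` runner returns something other than the pillar dict) the orchestrate fails at render time with an undefined-variable error instead of a clear message. `{%- for cert in target_pillar.get('certs_renewal', []) %}` avoids that, and a check that `sls` is non-empty before the `Renew expired certificates` state is needed so that an event naming certificates with no matching `certs_renewal` entry does not hand `salt.state` an empty `sls` list (how it behaves with one is not visible here). A short header comment documenting the inputs the reactor must supply — `orchestrate.target` (the minion id) and `orchestrate.certificates` (names matched against `certs_renewal[].name`) — would make the contract explicit, since nothing in the file states it. The event can only select among the sls the target's own `certs_renewal` pillar already declares, which is the right place to keep that allow-list; the comment should say so.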