From 00fbc1c259460a35a9cdda9e46ebe7b0b2500f9e Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Mon, 12 Jan 2026 09:25:15 -0500
Subject: [PATCH] add back individual signing policies
---
salt/ca/files/signing_policies.conf | 71 ++++++++++++++++++++++++++++-
salt/elasticfleet/ssl.sls | 6 +--
salt/elasticsearch/ssl.sls | 2 +-
salt/influxdb/ssl.sls | 2 +-
salt/kafka/ssl.sls | 6 +--
salt/logstash/ssl.sls | 8 ++--
salt/nginx/ssl.sls | 2 +-
salt/redis/ssl.sls | 2 +-
salt/registry/ssl.sls | 2 +-
salt/telegraf/ssl.sls | 2 +-
10 files changed, 86 insertions(+), 17 deletions(-)
diff --git a/salt/ca/files/signing_policies.conf b/salt/ca/files/signing_policies.conf
index b6e4c8e17..4fc04aacc 100644
--- a/salt/ca/files/signing_policies.conf
+++ b/salt/ca/files/signing_policies.conf
@@ -1,5 +1,5 @@
x509_signing_policies:
- general:
+ filebeat:
- minions: '*'
- signing_private_key: /etc/pki/ca.key
- signing_cert: /etc/pki/ca.crt
@@ -12,3 +12,72 @@ x509_signing_policies:
- authorityKeyIdentifier: keyid,issuer:always
- days_valid: 820
- copypath: /etc/pki/issued_certs/
+ registry:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "critical keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - extendedKeyUsage: serverAuth
+ - days_valid: 820
+ - copypath: /etc/pki/issued_certs/
+ managerssl:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "critical keyEncipherment digitalSignature"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - extendedKeyUsage: serverAuth
+ - days_valid: 820
+ - copypath: /etc/pki/issued_certs/
+ influxdb:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "critical keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - extendedKeyUsage: serverAuth
+ - days_valid: 820
+ - copypath: /etc/pki/issued_certs/
+ elasticfleet:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "digitalSignature, nonRepudiation"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - days_valid: 820
+ - copypath: /etc/pki/issued_certs/
+ kafka:
+ - minions: '*'
+ - signing_private_key: /etc/pki/ca.key
+ - signing_cert: /etc/pki/ca.crt
+ - C: US
+ - ST: Utah
+ - L: Salt Lake City
+ - basicConstraints: "critical CA:false"
+ - keyUsage: "digitalSignature, keyEncipherment"
+ - subjectKeyIdentifier: hash
+ - authorityKeyIdentifier: keyid,issuer:always
+ - extendedKeyUsage: "serverAuth, clientAuth"
+ - days_valid: 820
+ - copypath: /etc/pki/issued_certs/
diff --git a/salt/elasticfleet/ssl.sls b/salt/elasticfleet/ssl.sls
index c294d08ea..8d19ea68c 100644
--- a/salt/elasticfleet/ssl.sls
+++ b/salt/elasticfleet/ssl.sls
@@ -31,7 +31,7 @@ etc_elasticfleet_crt:
x509.certificate_managed:
- name: /etc/pki/elasticfleet-server.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-server.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
@@ -88,7 +88,7 @@ etc_elasticfleet_agent_crt:
x509.certificate_managed:
- name: /etc/pki/elasticfleet-agent.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-agent.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 7
@@ -148,7 +148,7 @@ elasticfleet_kafka_crt:
x509.certificate_managed:
- name: /etc/pki/elasticfleet-kafka.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: kafka
- private_key: /etc/pki/elasticfleet-kafka.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
diff --git a/salt/elasticsearch/ssl.sls b/salt/elasticsearch/ssl.sls
index 6b71072fc..a2d327830 100644
--- a/salt/elasticsearch/ssl.sls
+++ b/salt/elasticsearch/ssl.sls
@@ -27,7 +27,7 @@ elasticsearch_crt:
x509.certificate_managed:
- name: /etc/pki/elasticsearch.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: registry
- private_key: /etc/pki/elasticsearch.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
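Review bot: Every policy added in this hunk keeps `minions: '*'`, so any minion may request a certificate under any policy — including `managerssl` and `registry`, which only the manager should need — and since none of the policies pins `CN` or `subjectAltName`, the requesting minion supplies those too; as written the per-service split is a naming convenience rather than an authorization boundary. Scoping `minions` in each policy to the role(s) that legitimately use it would make the CA refuse, for example, a `managerssl` request from a non-manager minion, which is the least-privilege control these policies are well placed to provide. Separately, `registry` and `influxdb` are byte-identical and both set `keyUsage: "critical keyEncipherment"` without `digitalSignature`; a server presenting such a certificate cannot sign ECDHE/TLS 1.3 handshakes where key usage is enforced, leaving it with RSA key exchange or a failed handshake, so `keyUsage: "critical keyEncipherment digitalSignature"` as in `managerssl` is the safer value for both. Since `general` no longer exists after the first hunk, any state outside this patch that still passes `signing_policy: general` will now fail to sign.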
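Review bot: `elasticsearch_crt` is now signed under the `registry` policy, whose `extendedKeyUsage: serverAuth` omits `clientAuth`; if elasticsearch.crt is also presented as a client certificate (mutual TLS between nodes, or any peer that enforces EKU the way the `kafka` policy's `"serverAuth, clientAuth"` anticipates), verification will reject it — confirm how this certificate is used before reusing a policy named for a different service. The same reuse appears for redis (`registry`) and telegraf (`influxdb`) later in the patch; a dedicated `elasticsearch` policy, or at least a comment in signing_policies.conf naming which certificates each policy covers, would stop the policy names from misleading the next reader. `elasticsearch_crt` continues outside the hunk.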
diff --git a/salt/influxdb/ssl.sls b/salt/influxdb/ssl.sls
index 25dd35258..930879c75 100644
--- a/salt/influxdb/ssl.sls
+++ b/salt/influxdb/ssl.sls
@@ -27,7 +27,7 @@ influxdb_crt:
x509.certificate_managed:
- name: /etc/pki/influxdb.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: influxdb
- private_key: /etc/pki/influxdb.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
diff --git a/salt/kafka/ssl.sls b/salt/kafka/ssl.sls
index fc49fb09b..910c5b024 100644
--- a/salt/kafka/ssl.sls
+++ b/salt/kafka/ssl.sls
@@ -34,7 +34,7 @@ kafka_client_crt:
- name: /etc/pki/kafka-client.crt
- ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - signing_policy: general
+ - signing_policy: kafka
- private_key: /etc/pki/kafka-client.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 7
@@ -82,7 +82,7 @@ kafka_crt:
- name: /etc/pki/kafka.crt
- ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - signing_policy: general
+ - signing_policy: kafka
- private_key: /etc/pki/kafka.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 7
@@ -144,7 +144,7 @@ kafka_logstash_crt:
- name: /etc/pki/kafka-logstash.crt
- ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - signing_policy: general
+ - signing_policy: kafka
- private_key: /etc/pki/kafka-logstash.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 7
diff --git a/salt/logstash/ssl.sls b/salt/logstash/ssl.sls
index c5865d00d..cb987221a 100644
--- a/salt/logstash/ssl.sls
+++ b/salt/logstash/ssl.sls
@@ -31,7 +31,7 @@ etc_elasticfleet_logstash_crt:
x509.certificate_managed:
- name: /etc/pki/elasticfleet-logstash.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-logstash.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }},DNS:{{ GLOBALS.url_base }},IP:{{ GLOBALS.node_ip }}{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %},DNS:{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(',DNS:') }}{% endif %}
@@ -92,7 +92,7 @@ etc_elasticfleetlumberjack_crt:
x509.certificate_managed:
- name: /etc/pki/elasticfleet-lumberjack.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: elasticfleet
- private_key: /etc/pki/elasticfleet-lumberjack.key
- CN: {{ GLOBALS.node_ip }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}
@@ -161,7 +161,7 @@ etc_filebeat_crt:
x509.certificate_managed:
- name: /etc/pki/filebeat.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: filebeat
- private_key: /etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
@@ -242,7 +242,7 @@ conf_filebeat_crt:
x509.certificate_managed:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: filebeat
- private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
diff --git a/salt/nginx/ssl.sls b/salt/nginx/ssl.sls
index 1c77dc28b..c699e1be3 100644
--- a/salt/nginx/ssl.sls
+++ b/salt/nginx/ssl.sls
@@ -53,7 +53,7 @@ managerssl_crt:
x509.certificate_managed:
- name: /etc/pki/managerssl.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: managerssl
- private_key: /etc/pki/managerssl.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: "DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}, DNS:{{ GLOBALS.url_base }}"
diff --git a/salt/redis/ssl.sls b/salt/redis/ssl.sls
index 58af6486d..cd68d900f 100644
--- a/salt/redis/ssl.sls
+++ b/salt/redis/ssl.sls
@@ -27,7 +27,7 @@ redis_crt:
- name: /etc/pki/redis.crt
- ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
- - signing_policy: general
+ - signing_policy: registry
- private_key: /etc/pki/redis.key
- CN: {{ GLOBALS.hostname }}
- days_remaining: 7
diff --git a/salt/registry/ssl.sls b/salt/registry/ssl.sls
index 2bb116f29..b739e9cc4 100644
--- a/salt/registry/ssl.sls
+++ b/salt/registry/ssl.sls
@@ -47,7 +47,7 @@ registry_crt:
- name: /etc/pki/registry.crt
- ca_server: {{ CA.server }}
- subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }}
- - signing_policy: general
+ - signing_policy: registry
- private_key: /etc/pki/registry.key
- CN: {{ GLOBALS.manager }}
- days_remaining: 7
diff --git a/salt/telegraf/ssl.sls b/salt/telegraf/ssl.sls
index fc9c00927..cd02cfe2b 100644
--- a/salt/telegraf/ssl.sls
+++ b/salt/telegraf/ssl.sls
@@ -27,7 +27,7 @@ telegraf_crt:
x509.certificate_managed:
- name: /etc/pki/telegraf.crt
- ca_server: {{ CA.server }}
- - signing_policy: general
+ - signing_policy: influxdb
- private_key: /etc/pki/telegraf.key
- CN: {{ GLOBALS.hostname }}
- subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}