diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 07cb75f31..ca5223d39 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -42,6 +42,9 @@ pki_private_key:
 - replace: False
 - require:
 - file: /etc/pki
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 x509_pem_entries:
 module.run:
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index d6c06d6fd..f12e5ebcb 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -67,6 +67,9 @@ removeesp12dir:
 - prereq:
 - x509: /etc/pki/influxdb.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Create a cert for the talking to influxdb
 /etc/pki/influxdb.crt:
@@ -82,6 +85,9 @@ removeesp12dir:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 influxkeyperms:
 file.managed:
@@ -104,6 +110,9 @@ influxkeyperms:
 - prereq:
 - x509: /etc/pki/redis.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 /etc/pki/redis.crt:
 x509.certificate_managed:
@@ -118,6 +127,9 @@ influxkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 rediskeyperms:
 file.managed:
@@ -140,6 +152,9 @@ rediskeyperms:
 - prereq:
 - x509: /etc/pki/filebeat.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
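Review bot: `- retry: 5` with a sibling `- interval: 30` is not the shape Salt documents for the `retry` state argument, which takes a mapping with `attempts`, `until`, `interval` and `splay`. As far as I know a non-mapping value makes Salt fall back to its retry defaults, so the intended five attempts would not happen and `interval` would be handed to the state function as an ordinary argument. In the `pki_private_key` hunk of salt/ca/init.sls the lines would become `- retry:` with `attempts: 5` and `interval: 30` nested under it, and the same applies to every hunk of salt/ssl/init.sls, which adds the identical three lines. These states produce the keys and certificates the services use for TLS, so a retry policy that is quietly ignored leaves a failed signing request unretried and the old or missing certificate in place. The state bodies start outside the hunks, so it is also worth confirming that each state function there actually accepts `timeout: 60`.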
@@ -159,6 +174,9 @@ rediskeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 cmd.run:
 - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
 - onchanges:
@@ -213,6 +231,9 @@ fbcrtlink:
 - prereq:
 - x509: /etc/pki/registry.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Create a cert for the docker registry
 /etc/pki/registry.crt:
@@ -228,6 +249,9 @@ fbcrtlink:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 regkeyperms:
 file.managed:
@@ -248,6 +272,9 @@ regkeyperms:
 - prereq:
 - x509: /etc/pki/minio.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Create a cert for minio
 /etc/pki/minio.crt:
@@ -263,6 +290,9 @@ regkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 miniokeyperms:
 file.managed:
@@ -284,6 +314,9 @@ miniokeyperms:
 - prereq:
 - x509: /etc/pki/elasticsearch.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 /etc/pki/elasticsearch.crt:
 x509.certificate_managed:
@@ -298,6 +331,9 @@ miniokeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 cmd.run:
 - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
 - onchanges:
@@ -329,6 +365,9 @@ elasticp12perms:
 - prereq:
 - x509: /etc/pki/managerssl.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
@@ -345,6 +384,9 @@ elasticp12perms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 msslkeyperms:
 file.managed:
@@ -366,6 +408,9 @@ msslkeyperms:
 - prereq:
 - x509: /etc/pki/fleet.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 /etc/pki/fleet.crt:
 x509.certificate_managed:
@@ -379,6 +424,9 @@ msslkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 fleetkeyperms:
 file.managed:
@@ -407,6 +455,9 @@ fbcertdir:
 - prereq:
 - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Request a cert and drop it where it needs to go to be distributed
 /opt/so/conf/filebeat/etc/pki/filebeat.crt:
@@ -426,6 +477,9 @@ fbcertdir:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Convert the key to pkcs#8 so logstash will work correctly.
 filebeatpkcs:
@@ -465,6 +519,9 @@ chownfilebeatp8:
 - prereq:
 - x509: /etc/pki/managerssl.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
@@ -481,6 +538,9 @@ chownfilebeatp8:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 msslkeyperms:
 file.managed:
@@ -502,6 +562,9 @@ msslkeyperms:
 - prereq:
 - x509: /etc/pki/fleet.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 /etc/pki/fleet.crt:
 x509.certificate_managed:
@@ -515,6 +578,9 @@ msslkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 fleetkeyperms:
 file.managed:
@@ -539,6 +605,9 @@ fleetkeyperms:
 - prereq:
 - x509: /etc/pki/elasticsearch.crt
 {%- endif %}
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 /etc/pki/elasticsearch.crt:
 x509.certificate_managed:
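Review bot: The retry policy is spelled out literally in every hunk, and the hunks from `-465,6 +519,9` through `-539,6 +605,9` repeat it for `/etc/pki/managerssl.crt`, `/etc/pki/fleet.crt` and `/etc/pki/elasticsearch.crt`, which already received it in earlier hunks (presumably a second role branch of the same file). Defining the values once near the top of salt/ssl/init.sls, for example `{% set cert_retry = {'attempts': 5, 'interval': 30} %}`, and referencing that from each state would keep the certificate states from drifting apart when the policy is tuned. A short comment next to that definition saying why certificate states are retried would help the next maintainer; the hunks themselves do not state the reason.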
@@ -553,6 +622,9 @@ fleetkeyperms:
 # https://github.com/saltstack/salt/issues/52167
 # Will trigger 5 days (432000 sec) from cert expiration
 - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+ - timeout: 60
+ - retry: 5
+ - interval: 30
 cmd.run:
 - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
 - onchanges: