From cd1db36c1332854126aaaeb5ab464d42546c4731 Mon Sep 17 00:00:00 2001
From: m0duspwnens <josh.patterson@securityonionsolutions.com>
Date: Thu, 29 Jun 2023 15:26:16 -0400
Subject: [PATCH] add back unless in ssl state

---
 salt/ssl/init.sls | 50 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)

diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 376900f33..4bb706d63 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -76,6 +76,12 @@ influxdb_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -115,6 +121,12 @@ redis_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -157,6 +169,12 @@ etc_elasticfleet_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -232,6 +250,12 @@ etc_elasticfleetlogstash_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -335,6 +359,12 @@ etc_filebeat_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -406,6 +436,10 @@ registry_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
     - timeout: 30
     - retry:
         attempts: 5
@@ -444,6 +478,12 @@ regkeyperms:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -505,6 +545,12 @@ conf_filebeat_crt:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+{% if grains.role not in ['so-heavynode'] %}
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
+{% endif %}
     - timeout: 30
     - retry:
         attempts: 5
@@ -559,6 +605,10 @@ chownfilebeatp8:
     - days_remaining: 0
     - days_valid: 820
     - backup: True
+    - unless:
+      # https://github.com/saltstack/salt/issues/52167
+      # Will trigger 5 days (432000 sec) from cert expiration
+      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
     - timeout: 30
     - retry:
         attempts: 5