fix salt retries - https://github.com/Security-Onion-Solutions/securityonion/issues/3948

2025-12-06 17:22:49 +01:00 · 2021-04-22 08:35:50 -04:00
parent 81581711da
commit 1d8e065902
2 changed files with 75 additions and 50 deletions
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -43,8 +43,9 @@ pki_private_key:
    - require:
      - file: /etc/pki
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 x509_pem_entries:
  module.run:
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -68,8 +68,9 @@ removeesp12dir:
      - x509: /etc/pki/influxdb.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Create a cert for the talking to influxdb
 /etc/pki/influxdb.crt:
@@ -86,8 +87,9 @@ removeesp12dir:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 influxkeyperms:
  file.managed:
@@ -111,8 +113,9 @@ influxkeyperms:
      - x509: /etc/pki/redis.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 /etc/pki/redis.crt:
  x509.certificate_managed:
@@ -128,8 +131,9 @@ influxkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 rediskeyperms:
  file.managed:
@@ -153,8 +157,9 @@ rediskeyperms:
      - x509: /etc/pki/filebeat.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
@@ -175,8 +180,9 @@ rediskeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
  cmd.run:
    - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
    - onchanges:
@@ -232,8 +238,9 @@ fbcrtlink:
      - x509: /etc/pki/registry.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Create a cert for the docker registry
 /etc/pki/registry.crt:
@@ -250,8 +257,9 @@ fbcrtlink:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 regkeyperms:
  file.managed:
@@ -273,8 +281,9 @@ regkeyperms:
      - x509: /etc/pki/minio.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Create a cert for minio
 /etc/pki/minio.crt:
@@ -291,8 +300,9 @@ regkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 miniokeyperms:
  file.managed:
@@ -315,8 +325,9 @@ miniokeyperms:
      - x509: /etc/pki/elasticsearch.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 /etc/pki/elasticsearch.crt:
  x509.certificate_managed:
@@ -332,8 +343,9 @@ miniokeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
  cmd.run:
    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
    - onchanges:
@@ -366,8 +378,9 @@ elasticp12perms:
      - x509: /etc/pki/managerssl.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
@@ -385,8 +398,9 @@ elasticp12perms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 msslkeyperms:
  file.managed:
@@ -409,8 +423,9 @@ msslkeyperms:
      - x509: /etc/pki/fleet.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 /etc/pki/fleet.crt:
  x509.certificate_managed:
@@ -425,8 +440,9 @@ msslkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 fleetkeyperms:
  file.managed:
@@ -456,8 +472,9 @@ fbcertdir:
      - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Request a cert and drop it where it needs to go to be distributed
 /opt/so/conf/filebeat/etc/pki/filebeat.crt:
@@ -478,8 +495,9 @@ fbcertdir:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Convert the key to pkcs#8 so logstash will work correctly.
 filebeatpkcs:
@@ -520,8 +538,9 @@ chownfilebeatp8:
      - x509: /etc/pki/managerssl.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
@@ -539,8 +558,9 @@ chownfilebeatp8:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 msslkeyperms:
  file.managed:
@@ -563,8 +583,9 @@ msslkeyperms:
      - x509: /etc/pki/fleet.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 /etc/pki/fleet.crt:
  x509.certificate_managed:
@@ -579,8 +600,9 @@ msslkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 fleetkeyperms:
  file.managed:
@@ -606,8 +628,9 @@ fleetkeyperms:
      - x509: /etc/pki/elasticsearch.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
 /etc/pki/elasticsearch.crt:
  x509.certificate_managed:
@@ -623,8 +646,9 @@ fleetkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
+    - retry:
-    - interval: 30
+        attempts: 5
        interval: 30
  cmd.run:
    - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:"
    - onchanges: