diff --git a/salt/elasticsearch/config.sls b/salt/elasticsearch/config.sls
index dcd0283c0..68948e982 100644
--- a/salt/elasticsearch/config.sls
+++ b/salt/elasticsearch/config.sls
@@ -37,26 +37,7 @@ elasticsearch:
     - home: /opt/so/conf/elasticsearch
     - createhome: False
 
-{% if GLOBALS.is_manager %}
-# We have to add the Manager CA to the CA list
-cascriptsync:
-  file.managed:
-    - name: /usr/sbin/so-catrust
-    - source: salt://elasticsearch/tools/sbin_jinja/so-catrust
-    - user: 939
-    - group: 939
-    - mode: 750
-    - template: jinja
-    - defaults:
-      GLOBALS: {{ GLOBALS }}
-# Run the CA magic
-cascriptfun:
-  cmd.run:
-    - name: /usr/sbin/so-catrust
-    - require:
-      - file: cascriptsync
-{% endif %}
 
 elasticsearch_sbin:
   file.recurse:
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index ca23179b7..54f629182 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -35,18 +35,39 @@ include:
 {% set ca_server = global_ca_server[0] %}
 {% endif %}
 
+{% if GLOBALS.is_manager %}
+# We have to add the Manager CA to the CA list
+cascriptsync:
+  file.managed:
+    - name: /usr/sbin/so-catrust
+    - source: salt://ssl/tools/sbin_jinja/so-catrust
+    - user: 939
+    - group: 939
+    - mode: 750
+    - template: jinja
+    - defaults:
+      GLOBALS: {{ GLOBALS }}
+
+# Run the CA magic
+cascriptfun:
+  cmd.run:
+    - name: /usr/sbin/so-catrust
+    - require:
+      - file: cascriptsync
+{% endif %}
+
 {% if grains.role in ['so-manager', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-searchnode'] %}
 cacertz:
   file.managed:
     - name: /opt/so/conf/ca/cacerts
-    - source: salt://common/cacerts
+    - source: salt://ssl/cacerts
     - user: 939
     - group: 939
 
 capemz:
   file.managed:
     - name: /opt/so/conf/ca/tls-ca-bundle.pem
-    - source: salt://common/tls-ca-bundle.pem
+    - source: salt://ssl/tls-ca-bundle.pem
     - user: 939
     - group: 939
 {% endif %}
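Review bot: `cascriptfun` in the salt/ssl/init.sls hunk is a bare `cmd.run` with no `creates`/`unless`, so every highstate on a manager re-executes so-catrust and reports the state as changed even though the script itself exits 0 once the keystore exists; adding `- creates: /opt/so/saltstack/local/salt/ssl/cacerts` under `cmd.run` turns it into a no-op after the first run and keeps the state summary clean. The `cacertz` and `capemz` states further down pull `salt://ssl/cacerts` and `salt://ssl/tls-ca-bundle.pem`, which are the files so-catrust writes, but nothing ties them to `cascriptfun`; on a manager they run after it only by definition order, so an explicit `require` on `cmd: cascriptfun` (under the same `GLOBALS.is_manager` guard, since that state does not exist on other roles) would make the dependency visible. Minor: `- mode: 750` is an unquoted integer that Salt happens to accept; quoting it as `"750"` avoids the octal trap if someone later writes it with a leading zero.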
diff --git a/salt/elasticsearch/tools/sbin_jinja/so-catrust b/salt/ssl/tools/sbin_jinja/so-catrust
similarity index 70%
rename from salt/elasticsearch/tools/sbin_jinja/so-catrust
rename to salt/ssl/tools/sbin_jinja/so-catrust
index aec97deeb..49a3f97f1 100644
--- a/salt/elasticsearch/tools/sbin_jinja/so-catrust
+++ b/salt/ssl/tools/sbin_jinja/so-catrust
@@ -11,14 +11,14 @@ set -e
 
 # Check to see if we have extracted the ca cert.
-if [ ! -f /opt/so/saltstack/local/salt/common/cacerts ]; then
+if [ ! -f /opt/so/saltstack/local/salt/ssl/cacerts ]; then
   docker run -v /etc/pki/ca.crt:/etc/ssl/ca.crt --name so-elasticsearchca --user root --entrypoint jdk/bin/keytool {{ GLOBALS.registry_host }}:5000/{{ GLOBALS.image_repo }}/so-elasticsearch:{{ GLOBALS.so_version }} -keystore /usr/share/elasticsearch/jdk/lib/security/cacerts -alias SOSCA -import -file /etc/ssl/ca.crt -storepass changeit -noprompt
-  docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/common/cacerts
-  docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+  docker cp so-elasticsearchca:/usr/share/elasticsearch/jdk/lib/security/cacerts /opt/so/saltstack/local/salt/ssl/cacerts
+  docker cp so-elasticsearchca:/etc/ssl/certs/ca-certificates.crt /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
   docker rm so-elasticsearchca
-  echo "" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
-  echo "sosca" >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
-  cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/common/tls-ca-bundle.pem
+  echo "" >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
+  echo "sosca" >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
+  cat /etc/pki/ca.crt >> /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem
 else
   exit 0
 fi
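Review bot: The new `docker cp` targets under `/opt/so/saltstack/local/salt/ssl/` assume that directory already exists, and nothing in this hunk creates it; on an upgraded deployment that only has the old `common/` directory the first copy would fail, `set -e` would abort before `docker rm`, and the leftover `so-elasticsearchca` container would then likely block every later run at `docker run --name`. Unless another state is known to create the directory, add `mkdir -p /opt/so/saltstack/local/salt/ssl` before the first `docker cp`. The guard on the changed `if` line also checks only `cacerts`, so a run that copied the keystore but failed before appending to `tls-ca-bundle.pem` is skipped on retry; testing both outputs, `if [ ! -f /opt/so/saltstack/local/salt/ssl/cacerts ] || [ ! -f /opt/so/saltstack/local/salt/ssl/tls-ca-bundle.pem ]; then`, closes that gap.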