From 7606cc0ad09b24994f562ed51130b857e6c25c21 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 27 Jul 2020 15:51:31 -0400
Subject: [PATCH] changes to ssl state for salt 3001
---
 salt/ca/init.sls | 28 ++++-----
 salt/ssl/init.sls | 155 ++++++++++++++++++++++++++++++++++++----------
 2 files changed, 136 insertions(+), 47 deletions(-)
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index da442cc2a..0f7a9cbee 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -10,12 +10,16 @@ file.directory: []
 pki_private_key:
- x509.private_key_managed:
- - name: /etc/pki/ca.key
- - bits: 4096
- - passphrase:
- - cipher: aes_256_cbc
- - backup: True
+ x509.private_key_managed:
+ - name: /etc/pki/ca.key
+ - bits: 4096
+ - passphrase:
+ - cipher: aes_256_cbc
+ - backup: True
+ {% if salt['file.file_exists']('/etc/pki/ca.key') -%}
+ - prereq:
+ - x509: /etc/pki/ca.crt
+ {%- endif %}
 /etc/pki/ca.crt:
 x509.certificate_managed:
@@ -32,22 +36,18 @@ pki_private_key:
 - days_valid: 3650
 - days_remaining: 0
 - backup: True
- - managed_private_key:
- name: /etc/pki/ca.key
- bits: 4096
- backup: True
 - require:
 - file: /etc/pki
-send_x509_pem_entries_to_mine:
+x509_pem_entries:
 module.run:
 - mine.send:
- - func: x509.get_pem_entries
- - glob_path: /etc/pki/ca.crt
+ name: x509.get_pem_entries
+ glob_path: /etc/pki/ca.crt
 cakeyperms:
 file.managed:
 - replace: False
 - name: /etc/pki/ca.key
 - mode: 640
- - group: 939
+ - group: 939
\ No newline at end of file
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index efa3032dc..d76ebcb57 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
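Review bot: The conditional `prereq` on `/etc/pki/ca.crt` added to `pki_private_key` in the first hunk of salt/ca/init.sls has no visible effect on its own: the state is not given `new: True`, so when `/etc/pki/ca.key` already exists it is left in place whether or not the CA certificate is about to change (as far as I can tell from the 3001 semantics of `new`; the leaf-key states in salt/ssl/init.sls in this same commit do pair `prereq` with `new: True`). Rotating the CA key would invalidate every certificate it has signed, so keeping it stable is the safer reading; if that is the intent, drop the `{% if %}`/`prereq` lines so the difference from the leaf keys is explicit rather than accidental.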
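Review bot: `/etc/pki/ca.crt` in the second hunk keeps `days_remaining: 0` under Salt's own change detection, while every leaf certificate in salt/ssl/init.sls in this commit gets an `unless` guard citing saltstack/salt#52167. If that issue also makes the CA certificate state report changes on every run, each highstate would re-issue the CA and invalidate every certificate signed by it, which is far worse than the leaf case. Please confirm the CA state is unaffected now that `managed_private_key` is removed from it, or give it the same guard with `-in /etc/pki/ca.crt`.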
@@ -37,6 +37,19 @@ m2cryptopkgs:
 - python-m2crypto
 {% endif %}
+/etc/pki/influxdb.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
+ - prereq:
+ - x509: /etc/pki/influxdb.crt
+ {%- endif %}
+
 # Create a cert for the talking to influxdb
 /etc/pki/influxdb.crt:
 x509.certificate_managed:
@@ -47,10 +60,10 @@ m2cryptopkgs:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/influxdb.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 influxkeyperms:
 file.managed:
@@ -61,6 +74,19 @@ influxkeyperms:
 {% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone'] %}
+/etc/pki/filebeat.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+ - prereq:
+ - x509: /etc/pki/filebeat.crt
+ {%- endif %}
+
 # Request a cert and drop it where it needs to go to be distributed
 /etc/pki/filebeat.crt:
 x509.certificate_managed:
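Review bot: `CN`, `days_remaining` and `days_valid` on the new `/etc/pki/influxdb.key` `x509.private_key_managed` state are certificate parameters, not key parameters; they look copied from the certificate state below and are presumably passed through and ignored by the key state (confirm against the 3001 module). Dropping those three lines leaves the key state with `bits`, `backup`, `new` and the conditional `prereq`, and makes it clear that the subject comes from the certificate. The same three lines are repeated in the key states added by the hunks at +74, +140, +175, +253 and +309 in this file.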
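Review bot: The `unless` guard added to `/etc/pki/influxdb.crt` at +60 replaces Salt's own comparison of the managed certificate, so while the current file is more than five days from expiry any change to the state's CN, SANs or signing parameters is silently not applied, and the only ways to re-issue are to remove the file or wait for the window. That is a reasonable trade for the loop described in saltstack/salt#52167, but it should be stated next to the guard, e.g. `# NOTE: while this guard holds, changes to the CN/SAN/CA below are NOT applied; delete the .crt to force a re-issue`. The same guard is added for filebeat, registry, managerssl and fleet in the later hunks of this file and deserves the same note.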
@@ -75,13 +101,14 @@ influxkeyperms:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/filebeat.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 cmd.run:
 - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
+
 fbperms:
 file.managed:
 - replace: False
@@ -113,6 +140,19 @@ fbcrtlink:
 - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
 - target: /etc/pki/filebeat.crt
+/etc/pki/registry.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
+ - prereq:
+ - x509: /etc/pki/registry.crt
+ {%- endif %}
+
 # Create a cert for the docker registry
 /etc/pki/registry.crt:
 x509.certificate_managed:
@@ -123,10 +163,10 @@ fbcrtlink:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/registry.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 regkeyperms:
 file.managed:
@@ -135,6 +175,19 @@ regkeyperms:
 - mode: 640
 - group: 939
+/etc/pki/managerssl.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+ - prereq:
+ - x509: /etc/pki/managerssl.crt
+ {%- endif %}
+
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
 x509.certificate_managed:
@@ -146,10 +199,10 @@ regkeyperms:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/managerssl.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 msslkeyperms:
 file.managed:
@@ -166,6 +219,11 @@ msslkeyperms:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/fleet.key') -%}
+ - prereq:
+ - x509: /etc/pki/fleet.crt
+ {%- endif %}
 /etc/pki/fleet.crt:
 x509.certificate_managed:
@@ -175,10 +233,10 @@ msslkeyperms:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/fleet.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 fleetkeyperms:
 file.managed:
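Review bot: The `unless` command added to `/etc/pki/fleet.crt` at +233 inspects `/etc/pki/managerssl.crt` rather than the certificate this state manages, so the Fleet certificate is renewed on the reverse-proxy certificate's schedule: it can run past its own expiry without being re-issued, and it is re-issued needlessly whenever managerssl.crt approaches its window. Change `-in /etc/pki/managerssl.crt` to `-in /etc/pki/fleet.crt` in that command. The same copy-paste is in the fleet.crt hunk at +367 in the so-fleet block and needs the same fix.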
@@ -195,6 +253,19 @@ fbcertdir:
 - name: /opt/so/conf/filebeat/etc/pki
 - makedirs: True
+/etc/pki/filebeat.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
+ - prereq:
+ - x509: /etc/pki/filebeat.crt
+ {%- endif %}
+
 # Request a cert and drop it where it needs to go to be distributed
 /opt/so/conf/filebeat/etc/pki/filebeat.crt:
 x509.certificate_managed:
@@ -209,10 +280,10 @@ fbcertdir:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 # Convert the key to pkcs#8 so logstash will work correctly.
 filebeatpkcs:
@@ -238,6 +309,19 @@ chownfilebeatp8:
 {% if grains['role'] == 'so-fleet' %}
+/etc/pki/managerssl.key:
+ x509.private_key_managed:
+ - CN: {{ manager }}
+ - bits: 4096
+ - days_remaining: 0
+ - days_valid: 820
+ - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
+ - prereq:
+ - x509: /etc/pki/managerssl.crt
+ {%- endif %}
+
 # Create a cert for the reverse proxy
 /etc/pki/managerssl.crt:
 x509.certificate_managed:
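Review bot: The key state added at +253 is named `/etc/pki/filebeat.key` and its `prereq` targets the state ID `/etc/pki/filebeat.crt`, but in this block the certificate state is `/opt/so/conf/filebeat/etc/pki/filebeat.crt` and the key it previously managed was `/opt/so/conf/filebeat/etc/pki/filebeat.key` (the removed `managed_private_key` at +280). If the role that renders this block does not also render the manager block, the requisite will not resolve and the run fails; if it does, the ID collides with the `/etc/pki/filebeat.key` state at +74. I would expect `/opt/so/conf/filebeat/etc/pki/filebeat.key:` as the state ID with `- x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt` as the prereq, matching whatever `private_key` the certificate state uses outside the hunk — please confirm which path the rest of the block expects.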
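Review bot: The `unless` command added at +280 for `/opt/so/conf/filebeat/etc/pki/filebeat.crt` reads `/etc/pki/filebeat.crt` instead of the managed path. On hosts where `/etc/pki/filebeat.crt` is absent the guard never holds and the state falls back to Salt's own comparison on every run, which is the behaviour the guard exists to avoid; where it is present, renewal follows the wrong file. Use `-in /opt/so/conf/filebeat/etc/pki/filebeat.crt` in that command.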
@@ -249,10 +333,10 @@ chownfilebeatp8:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/managerssl.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 msslkeyperms:
 file.managed:
@@ -264,11 +348,16 @@ msslkeyperms:
 # Create a private key and cert for Fleet
 /etc/pki/fleet.key:
 x509.private_key_managed:
- - CN: {{ HOSTNAME }}
+ - CN: {{ manager }}
 - bits: 4096
 - days_remaining: 0
 - days_valid: 820
 - backup: True
+ - new: True
+ {% if salt['file.file_exists']('/etc/pki/fleet.key') -%}
+ - prereq:
+ - x509: /etc/pki/fleet.crt
+ {%- endif %}
 /etc/pki/fleet.crt:
 x509.certificate_managed:
@@ -278,10 +367,10 @@ msslkeyperms:
 - days_remaining: 0
 - days_valid: 820
 - backup: True
- - managed_private_key:
- name: /etc/pki/fleet.key
- bits: 4096
- backup: True
+ - unless:
+ # https://github.com/saltstack/salt/issues/52167
+ # Will trigger 5 days (432000 sec) from cert expiration
+ - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
 fleetkeyperms:
 file.managed: