the great ssl refactor

salt/telegraf/config.sls

@@ -8,9 +8,6 @@
 {%   from 'vars/globals.map.jinja' import GLOBALS %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-include:
-  - ssl
-
 # add Telegraf to monitor all the things
 tgraflogdir:
   file.directory:

salt/telegraf/enabled.sls

@@ -9,8 +9,9 @@
 {%   from 'docker/docker.map.jinja' import DOCKER %}
 {%   from 'telegraf/map.jinja' import TELEGRAFMERGED %}
 
-
 include:
+  - ca
+  - telegraf.ssl
   - telegraf.config
   - telegraf.sostatus
 
@@ -42,13 +43,9 @@ so-telegraf:
       - /proc:/host/proc:ro
       - /nsm:/host/nsm:ro
       - /etc:/host/etc:ro
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - /etc/pki/ca.crt:/etc/telegraf/ca.crt:ro
-      {% else %}
       - /etc/pki/tls/certs/intca.crt:/etc/telegraf/ca.crt:ro
-      {% endif %}
-      - /etc/pki/influxdb.crt:/etc/telegraf/telegraf.crt:ro
-      - /etc/pki/influxdb.key:/etc/telegraf/telegraf.key:ro
+      - /etc/pki/telegraf.crt:/etc/telegraf/telegraf.crt:ro
+      - /etc/pki/telegraf.key:/etc/telegraf/telegraf.key:ro
       - /opt/so/conf/telegraf/scripts:/scripts:ro
       - /opt/so/log/stenographer:/var/log/stenographer:ro
       - /opt/so/log/suricata:/var/log/suricata:ro
@@ -71,21 +68,20 @@ so-telegraf:
       {% endfor %}
     {% endif %}
     - watch:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
     {% for script in TELEGRAFMERGED.scripts[GLOBALS.role.split('-')[1]] %}
       - file: tgraf_sync_script_{{script}}
     {% endfor %}
-    - require: 
+    - require:
+      - file: trusttheca
+      - x509: telegraf_crt
+      - x509: telegraf_key
       - file: tgrafconf
       - file: node_config
-      {% if GLOBALS.role in ['so-manager', 'so-eval', 'so-managersearch' ] %}
-      - x509: pki_public_ca_crt
-      {% else %}
-      - x509: trusttheca
-      {% endif %}
-      - x509: influxdb_crt
-      - x509: influxdb_key
 
 delete_so-telegraf_so-status.disabled:
   file.uncomment:

salt/telegraf/ssl.sls

@@ -0,0 +1,55 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% from 'allowed_states.map.jinja' import allowed_states %}
+{% if sls.split('.')[0] in allowed_states %}
+{%   from 'vars/globals.map.jinja' import GLOBALS %}
+{%   from 'ca/map.jinja' import CA %}
+
+telegraf_key:
+  x509.private_key_managed:
+    - name: /etc/pki/telegraf.key
+    - keysize: 4096
+    - backup: True
+    - new: True
+    {% if salt['file.file_exists']('/etc/pki/telegraf.key') -%}
+    - prereq:
+      - x509: /etc/pki/telegraf.crt
+    {%- endif %}
+    - retry:
+        attempts: 5
+        interval: 30
+
+# Create a cert for the talking to telegraf
+telegraf_crt:
+  x509.certificate_managed:
+    - name: /etc/pki/telegraf.crt
+    - ca_server: {{ CA.server }}
+    - signing_policy: general
+    - private_key: /etc/pki/telegraf.key
+    - CN: {{ GLOBALS.hostname }}
+    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
+    - days_remaining: 7
+    - days_valid: 820
+    - backup: True
+    - timeout: 30
+    - retry:
+        attempts: 5
+        interval: 30
+
+telegraf_key_perms:
+  file.managed:
+    - replace: False
+    - name: /etc/pki/telegraf.key
+    - mode: 640
+    - group: 939
+
+{% else %}
+
+{{sls}}_state_not_allowed:
+  test.fail_without_changes:
+    - name: {{sls}}_state_not_allowed
+
+{% endif %}