From c0845e161226e6725d23319d61fed0b29f3a09e2 Mon Sep 17 00:00:00 2001
From: Josh Patterson
Date: Fri, 12 Dec 2025 22:19:59 -0500
Subject: [PATCH] restart docker if ca changes. cleanup dirs at key/crt location

---
 salt/ca/trustca.sls   |  3 ++-
 salt/registry/ssl.sls | 30 ++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 5 deletions(-)

diff --git a/salt/ca/trustca.sls b/salt/ca/trustca.sls
index 3914a1f43..e43cd7ae0 100644
--- a/salt/ca/trustca.sls
+++ b/salt/ca/trustca.sls
@@ -18,8 +18,9 @@ trusttheca:
   file.managed:
     - name: /etc/pki/tls/certs/intca.crt
     - source: salt://ca/files/ca.crt
-    - listen_in:
+    - watch_in:
       - service: docker_running
+    - show_changes: False
 
 {% if GLOBALS.os_family == 'Debian' %}
 symlinkca:
diff --git a/salt/registry/ssl.sls b/salt/registry/ssl.sls
index 8d53b4214..2bb116f29 100644
--- a/salt/registry/ssl.sls
+++ b/salt/registry/ssl.sls
@@ -8,19 +8,38 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'ca/map.jinja' import CA %}
 
+include:
+  - ca
+
+# Delete directory if it exists at the key path
+registry_key_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.key
+    - onlyif:
+      - test -d /etc/pki/registry.key
 registry_key:
   x509.private_key_managed:
     - name: /etc/pki/registry.key
     - keysize: 4096
     - backup: True
     - new: True
+    - require:
+      - file: registry_key_cleanup
 {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
     - prereq:
       - x509: /etc/pki/registry.crt
 {%- endif %}
     - retry:
-      attempts: 5
-      interval: 30
+      attempts: 15
+      interval: 10
+
+# Delete directory if it exists at the crt path
+registry_crt_cleanup:
+  file.absent:
+    - name: /etc/pki/registry.crt
+    - onlyif:
+      - test -d /etc/pki/registry.crt
 
 # Create a cert for the docker registry
 registry_crt:
@@ -34,10 +53,13 @@ registry_crt:
     - days_remaining: 7
     - days_valid: 820
     - backup: True
+    - require:
+      - file: registry_crt_cleanup
     - timeout: 30
     - retry:
-      attempts: 5
-      interval: 30
+      attempts: 15
+      interval: 10
+
 
 regkeyperms:
   file.managed:
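Review bot: `show_changes: False` on the trusted-CA file hides from the state output which certificate was written to /etc/pki/tls/certs/intca.crt, and a change to a host's trust store is exactly what a reader of highstate logs or an incident responder wants to be able to see; the file is a public certificate, so there is no secret to keep out of the output. If the intent is only to keep a long PEM diff out of the job return, say so above the option, e.g. `# show_changes off only to keep the PEM diff out of the output; the state still reports changed`, otherwise I would drop it. The move from `listen_in` to `watch_in` also shifts the docker restart from the end of the run to right after this state, which matches the commit title, but states ordered after it in the same run that rely on running containers will now observe that restart. The trusttheca state begins outside the hunk.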
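Review bot: The comment above `registry_key_cleanup` restates what the state does but not why a directory can turn up at /etc/pki/registry.key, and that is what a maintainer needs before trusting a recursive `file.absent` at a private-key path; I would expand it to something like `# A directory can be left at the key path (presumably by a bind mount created before the key existed - confirm); file.absent removes it recursively, while a regular file here is never touched because of the onlyif`. Worth one more word: `test -d` is also true for a symlink to a directory, in which case file.absent removes only the link, which is acceptable but should be stated. The same comment wording applies to `registry_crt_cleanup` later in this hunk.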
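Review bot: The new `require` on `registry_crt_cleanup` only covers the case where a directory sat at the crt path; the case where the key was just regenerated because its own path had been a directory (so the render-time `file_exists` guard in the previous hunk skipped the prereq) while a still-valid registry.crt remains is not visibly handled. Unless this certificate_managed state detects that the existing certificate no longer matches its signing key, which I cannot confirm because the signing options sit above the hunk, the registry would be left with a key/cert mismatch. If it does not, a second `file.absent` on /etc/pki/registry.crt with `onchanges: - file: registry_key_cleanup`, added to this state's `require` list, would force re-issuance in exactly that case. The retry change to 15 attempts at 10 s keeps the same 150 s ceiling as before; the registry_crt state starts outside the hunk.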