diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 6641ff186..7a1bb0c99 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -18,6 +18,8 @@
 {% if grains.id.split('_')|last in ['manager', 'eval', 'standalone', 'import', 'helixsensor'] %}
 {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
 {% set ca_server = grains.id %}
+include:
+  - ca
 {% else %}
 {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
 {% for host in x509dict %}
@@ -30,9 +32,6 @@
 {% set ca_server = global_ca_server[0] %}
 {% endif %}
 
-include:
-  - ca
-
 # Trust the CA
 trusttheca:
   x509.pem_managed:
@@ -70,7 +69,7 @@ removeesp12dir:
 influxdb_key:
   x509.private_key_managed:
     - name: /etc/pki/influxdb.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
     - bits: 4096
     - days_remaining: 0
     - days_valid: 820
@@ -92,8 +91,8 @@ influxdb_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: influxdb
     - public_key: /etc/pki/influxdb.key
-    - CN: {{ manager }}
-    - subjectAltName: DNS:{{ manager }}, IP:{{ managerip }}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -120,7 +119,7 @@ influxkeyperms:
 redis_key:
   x509.private_key_managed:
     - name: /etc/pki/redis.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
     - bits: 4096
     - days_remaining: 0
     - days_valid: 820
@@ -139,9 +138,10 @@ redis_crt:
   x509.certificate_managed:
     - name: /etc/pki/redis.crt
     - ca_server: {{ ca_server }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - signing_policy: registry
     - public_key: /etc/pki/redis.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -190,7 +190,8 @@ etc_filebeat_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
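Review bot: The moved `include: - ca` is now rendered only on the manager-class branch, where `ca_server` is set to `grains.id`, and nothing in the hunk records why the other roles stop including the ca state; a reader meeting a top-level `include:` inside a Jinja conditional will wonder whether it was dropped by accident. I would add a comment directly above it, `# Only the node acting as CA runs the ca state; other roles request certs via ca_server`, which appears to be the intent given the else branch resolves ca_server from the mine. The enclosing if/else block ends outside this hunk.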
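Review bot: Changing CN and adding a subjectAltName on influxdb_crt will not re-issue an already-deployed certificate if this state carries the same expiry-only `unless` guard the removed minio_crt block shows (the openssl enddate check referencing saltstack issue 52167): that guard skips the state whenever the current cert is more than five days from expiry, so existing nodes keep the old CN-only certificate until renewal and clients that match on SAN only will keep failing against them. The `unless` line is outside this hunk, so I am inferring it from the minio block and the identical `days_remaining`/`backup` layout; if it is present, either extend the guard to compare the subject and SAN of the on-disk cert or record the operational step with a comment such as `# NOTE: the unless guard does not regenerate an existing cert; remove it to pick up the new CN/SAN`. The same applies to the redis_crt, etc_filebeat_crt, elasticsearch (both occurrences), managerssl_crt and conf_filebeat_crt hunks, and to fleet_crt, which is self-signed via `signing_private_key`.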
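Review bot: The new `subjectAltName` on redis_crt is inserted between `ca_server` and `signing_policy`, whereas every other certificate_managed state touched by this commit places it directly after `CN`; the order has no effect on the state, but it makes the blocks harder to compare by eye. I would move the line below `- CN: {{ HOSTNAME }}` to match influxdb_crt and etc_filebeat_crt.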
@@ -310,33 +311,6 @@ minio_key:
         attempts: 5
         interval: 30
-# Create a cert for minio
-minio_crt:
-  x509.certificate_managed:
-    - name: /etc/pki/minio.crt
-    - ca_server: {{ ca_server }}
-    - signing_policy: registry
-    - public_key: /etc/pki/minio.key
-    - CN: {{ manager }}
-    - days_remaining: 0
-    - days_valid: 820
-    - backup: True
-    - unless:
-      # https://github.com/saltstack/salt/issues/52167
-      # Will trigger 5 days (432000 sec) from cert expiration
-      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
-    - timeout: 30
-    - retry:
-        attempts: 5
-        interval: 30
-
-miniokeyperms:
-  file.managed:
-    - replace: False
-    - name: /etc/pki/minio.key
-    - mode: 640
-    - group: 939
-
 {% endif %}
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
   x509.private_key_managed:
@@ -360,7 +334,8 @@ miniokeyperms:
     - ca_server: {{ ca_server }}
     - signing_policy: registry
     - public_key: /etc/pki/elasticsearch.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -418,7 +393,7 @@ managerssl_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: managerssl
     - public_key: /etc/pki/managerssl.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
     - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
     - days_remaining: 0
     - days_valid: 820
@@ -443,7 +418,7 @@ msslkeyperms:
 fleet_key:
   x509.private_key_managed:
     - name: /etc/pki/fleet.key
-    - CN: {{ manager }}
+    - CN: {{ HOSTNAME }}
     - bits: 4096
     - days_remaining: 0
     - days_valid: 820
@@ -462,8 +437,8 @@ fleet_crt:
   x509.certificate_managed:
     - name: /etc/pki/fleet.crt
     - signing_private_key: /etc/pki/fleet.key
-    - CN: {{ manager }}
-    - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
+    - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }},IP:{{ MAINIP }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
@@ -516,7 +491,7 @@ conf_filebeat_crt:
     - ca_server: {{ ca_server }}
     - signing_policy: filebeat
     - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - CN: {{ HOSTNAME }}
     - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - days_remaining: 0
     - days_valid: 820
@@ -675,6 +650,7 @@ fleetkeyperms:
     - signing_policy: registry
     - public_key: /etc/pki/elasticsearch.key
     - CN: {{ HOSTNAME }}
+    - subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}
     - days_remaining: 0
     - days_valid: 820
     - backup: True
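Review bot: The fleet_crt subjectAltName is written `DNS:{{ HOSTNAME }},IP:{{ MAINIP }}` with no space after the comma, while every other subjectAltName added or kept in this commit (including the managerssl_crt context line) uses `DNS:{{ HOSTNAME }}, IP:{{ MAINIP }}`; both forms presumably render to an acceptable SAN list, but two spellings of the same value in one file invite a copy-paste mismatch later. Pick one form and use it for all of the states touched here. It is also worth a one-line comment above fleet_crt, such as `# Self-signed: uses signing_private_key, so the CA signing policies do not apply`, since unlike its siblings it does not go through `ca_server`; that is unchanged by this commit but is the kind of difference a reader needs flagged. The fleet_crt state begins outside this hunk.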