Elastic Fleet Certs Refactor

2026-04-24 13:42:05 +02:00 · 2023-07-07 16:44:16 -04:00
parent 35e7659904
commit ff3bb11fbb
6 changed files with 169 additions and 110 deletions
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -7,6 +7,7 @@
 {% if sls in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}

+{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}

 {% set global_ca_text = [] %}
 {% set global_ca_server = [] %}
@@ -141,15 +142,16 @@ rediskeyperms:
 {% endif %}

 {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode', 'so-fleet', 'so-receiver'] %}
-# Create cert for Elastic Fleet Host

+{% if grains['role'] not in [ 'so-heavynode', 'so-receiver'] %}
+# Start -- Elastic Fleet Host Cert
 etc_elasticfleet_key:
  x509.private_key_managed:
-    - name: /etc/pki/elasticfleet.key
+    - name: /etc/pki/elasticfleet-server.key
    - keysize: 4096
    - backup: True
    - new: True
-    {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%}
+    {% if salt['file.file_exists']('/etc/pki/elasticfleet-server.key') -%}
    - prereq:
      - x509: etc_elasticfleet_crt
    {%- endif %}
@@ -157,44 +159,33 @@ etc_elasticfleet_key:
        attempts: 5
        interval: 30

-# Request a cert and drop it where it needs to go to be distributed
 etc_elasticfleet_crt:
  x509.certificate_managed:
-    - name: /etc/pki/elasticfleet.crt
+    - name: /etc/pki/elasticfleet-server.crt
    - ca_server: {{ ca_server }}
    - signing_policy: elasticfleet
-    - private_key: /etc/pki/elasticfleet.key
+    - private_key: /etc/pki/elasticfleet-server.key
    - CN: {{ GLOBALS.hostname }}
-    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
+    - subjectAltName: IP:{{ GLOBALS.node_ip }} {% if CUSTOMFQDN != "" %},DNS:{{ CUSTOMFQDN }}{% endif %}