Commit Graph
64 Commits
Author SHA1 Message Date
Josh Patterson c755c8bc61 Gracefully skip SSL cert states when the CA is unavailable
The *.ssl x509.certificate_managed states hard-failed the state run when
the CA/manager minion was unreachable (ca_server did not respond), and the
paired private_key_managed states then failed on the prereq requisite. The
- timeout: 30 on these states was a no-op (Salt has no per-state timeout
requisite; only retry accepts until/attempts/interval/splay).

Add an onlyif CA-reachability gate to every certificate_managed state so the
state is skipped as a clean success when the CA does not answer a peer
test.ping within 3s and the cert already exists. When the cert is missing
(initial provisioning) the state still runs so the existing retry waits for
the CA. The reachability command is centralized as CA.reachable_cmd in
ca/map.jinja, and the master peer config now permits test.ping. The no-op
- timeout: 30 is removed from all cert states.
2026-07-16 13:46:12 -04:00
Mike Reeves 868cd11874 Add so-postgres Salt states and integration wiring
Phase 1 of the PostgreSQL central data platform:
- Salt states: init, enabled, disabled, config, ssl, auth, sostatus
- TLS via SO CA-signed certs with postgresql.conf template
- Two-tier auth: postgres superuser + so_postgres application user
- Firewall restricts port 5432 to manager-only (HA-ready)
- Wired into top.sls, pillar/top.sls, allowed_states, firewall
  containers map, docker defaults, CA signing policies, and setup
  scripts for all manager-type roles
2026-04-08 10:58:52 -04:00
Mike Reeves afc14ec29d Remove non-Oracle Linux 9 support from salt states
Simplifies salt states, map files, and modules to only support
Oracle Linux 9, removing all Debian/Ubuntu/CentOS/Rocky/AlmaLinux/RHEL
conditional branches.
2026-03-16 16:58:39 -04:00
Josh Patterson 959fd55e32 create dir if nonexistent 2026-01-20 14:30:11 -05:00
Josh Patterson 00fbc1c259 add back individual signing policies 2026-01-12 09:25:15 -05:00
Josh Patterson 702ba2e0a4 only allow ca.remove state to run if so-setup is running 2025-12-17 10:08:00 -05:00
Josh Patterson c0845e1612 restart docker if ca changes. cleanup dirs at key/crt location 2025-12-12 22:19:59 -05:00
Josh Patterson a2196085d5 import allowed_states 2025-12-12 18:50:37 -05:00
Josh Patterson ba62a8c10c need to restart docker service if ca changes 2025-12-12 18:50:22 -05:00
Josh Patterson 38f38e2789 fix allowed states for ca 2025-12-12 18:23:29 -05:00
Josh Patterson b9ff1704b0 the great ssl refactor 2025-12-11 17:30:06 -05:00
Josh Patterson 36a6a59d55 renew certs 7 days before expire 2025-12-01 11:54:10 -05:00
m0duspwnens a2bb220043 fix x509 mine_function 2024-06-18 12:33:33 -04:00
reyesj2 436cbc1f06 Add kafka signing_policy for client/server auth. Add kafka-client cert on manager so manager can interact with kafka using its own cert
Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
2024-04-04 16:21:29 -04:00
Mike ReevesandGitHub 4fb9cce41c Update signing_policies.conf 2023-11-17 16:38:50 -05:00
m0duspwnens e58c1e189c use x509 instead of file for onchanges 2023-10-18 15:10:17 -04:00
m0duspwnens 1c1b23c328 fix mine update for ca 2023-10-18 15:07:18 -04:00
m0duspwnens 138aa9c554 update the mine with the ca when it is created or changed 2023-10-18 13:54:14 -04:00
m0duspwnens 869f60ccaa cipher deprecated for x509_+v2 2023-07-06 10:51:44 -04:00
m0duspwnens 6039a1430e x509 changes for salt 3006 2023-04-04 08:55:10 -04:00
Josh Brower 6945596eee Tweak elastic agent ssl gen 2022-09-14 08:10:42 -04:00
Mike Reeves 2bd9dd80e2 Move In Day 2022-09-07 09:06:25 -04:00
m0duspwnens 2aa19b78da dont remove ca-certificates.crt 2022-01-26 11:27:35 -05:00
m0duspwnens a43fb293fc remove role logic 2022-01-26 10:26:52 -05:00
m0duspwnens 8aa002b82e add states to remove ca and ssl keys and certs and call them during reinstall. 2022-01-26 09:33:19 -05:00
m0duspwnens a46a740170 account for salt 3004 adding new chars to random.get_str 2022-01-14 17:23:29 -05:00
m0duspwnens 2a5b4ef276 add mine function to signing_policies.conf. no longer need to check if mine in ca during manager install 2021-12-28 15:19:06 -05:00
m0duspwnens 2405de4b82 fix require 2021-12-28 11:00:35 -05:00
m0duspwnens f2adcf4ca5 ensure /etc/pki is created and simplify ca logic for non manager in ssl state 2021-12-28 10:41:57 -05:00
m0duspwnens f93c6146f5 docker binds requires 2021-10-21 15:24:55 -04:00
m0duspwnens 1d8e065902 fix salt retries - https://github.com/Security-Onion-Solutions/securityonion/issues/3948 2021-04-22 08:35:50 -04:00
m0duspwnens e6ecd609cc change timeouts to 30s 2021-01-29 13:44:11 -05:00
m0duspwnens 0936dbdb1c add timeouts and retries to ca/ssl states 2021-01-28 11:40:31 -05:00
m0duspwnens b693373d8d change how we allow or disallow states to be run https://github.com/Security-Onion-Solutions/securityonion/issues/2679 2021-01-20 15:09:53 -05:00
m0duspwnens 09cc8ae1fb fail the state if it isnt in top 2020-09-09 16:48:50 -04:00
m0duspwnens a229ae82ce only allow state to run if it is in top for the node 2020-09-02 16:15:52 -04:00
m0duspwnens 1f3ceb50da add replace: False to get rid of warning, eventhough it doesntt. bug report submitted on saltstack gh. 2020-08-10 13:04:19 -04:00
m0duspwnens c00b452f8d change module.run for ca state 2020-07-28 15:10:16 -04:00
m0duspwnens 7606cc0ad0 changes to ssl state for salt 3001 2020-07-27 15:51:31 -04:00
m0duspwnens b2e7a4221c master to manager for ssl signing policy 2020-07-09 17:19:17 -04:00
m0duspwnens 5ca3ecf4bd fix reference to master grain 2020-07-09 15:42:39 -04:00
m0duspwnens 3cf31e2460 https://github.com/Security-Onion-Solutions/securityonion/issues/404 2020-07-09 11:27:06 -04:00
Mike Reeves be5f4b04c6 Fix SSL Perms 2020-07-06 17:21:23 -04:00
Jason Ertel 97d127218a fix: stop updating salt mine - this is an attempt to sort out why the CA intermittently disappears from the mine 2020-06-15 17:40:58 -04:00
m0duspwnens 939ab918b4 update states using module.run - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/106 2019-11-07 17:31:06 -05:00
Mike Reeves 0f5c0373c5 SSL Issue 79 - Remove extensions from filebeat cert 2019-10-23 15:27:31 -04:00
Mike Reeves 3ecb6a7c3f SSL Issue 79 - Add extended type to all certs 2019-10-21 17:55:06 -04:00
Mike Reeves 06261b0b9a SSL Issue 79 - Add extended type to all certs 2019-10-21 17:54:09 -04:00
Mike Reeves 792cc7d4c4 SSL Issue 79 - Reduce valid time 2019-10-21 17:04:18 -04:00
Mike Reeves 53f7fcd07c Fleet Module - SSL additions 2018-12-05 15:54:43 -05:00