SaltStack - managing combined CA file


V O

Sep 25, 2020, 1:48:19 PM
to Salt-users

I would like to create a combined .ca file using SaltStack.
I have the following state.sls (see below) and basically just want to make this tutorial work in Salt: https://www.cyberciti.biz/faq/how-to-enable-tlsssl-encryption-with-glusterfs-storage-cluster-on-linux/

my_state.sls:

    glusterfs_key:
      x509.private_key_managed:
        - name: /etc/ssl/glusterfs.key

    glusterfs_cert:
      x509.certificate_managed:
        - name: /etc/ssl/glusterfs.pem
        - signing_private_key: /etc/ssl/glusterfs.key
        - require:
          - x509: glusterfs_key

    glusterfs_ca_combined: # Does not work at all, but that's the idea
      x509.certificate_managed:
        - name: /etc/ssl/glusterfs.ca
        - append_certs:
          - /etc/ssl/glusterfs.pem
        - require:
          - x509: glusterfs_cert

The only part that fails and I'm not able to finish is to combine all /etc/ssl/glusterfs.pem files from all minions into one file and place this on all minions again under the path /etc/ssl/glusterfs.ca. Any idea how this can be accomplished?

Thanks in advance

jeremy....@gmail.com

Sep 27, 2020, 11:20:20 PM
to Salt-users
Use mines.

The minions will "mine" their certs to advertise them to each other.

You can call these from states:

First, provide a custom module function to output the cert file.
Second, apply the states to generate the certs, then use mine.send to trigger the custom function.
Then add a template-driven file.managed state to write the /etc/ssl/glusterfs.ca file from the collected mine.get results.
Then add a reactor on the "dirty cert" event (fired when mines are updated) which applies the state that writes /etc/ssl/glusterfs.ca from the mines of all the minions' certs automatically.

V O

Sep 28, 2020, 4:46:00 AM
to Salt-users
Hello,

Thanks for your quick reply. Can you provide some more details at this point?
I simply don't understand how I can use the mine to collect the glusterfs.pem files from my minions, as I currently do something like this:


    collect_glusterfs_certs:
      cmd.run:
        - order: 1
        - name: salt -C 'not salt' cp.push /etc/ssl/glusterfs.pem

    concatenation_glusterfs_certs:
      cmd.run:
        - order: 2
        - onlyif: 'test ! -e /var/cache/salt/master/minions/{master*,worker*}/files/etc/ssl/glusterfs.pem && test ! -e /srv/salt/glusterfs/glusterfs.ca'
        - name: 'cat /var/cache/salt/master/minions/*/files/etc/ssl/glusterfs.pem > /srv/salt/glusterfs/glusterfs.ca'

jeremy....@gmail.com

Sep 28, 2020, 6:15:46 PM
to Salt-users
You need to write a custom execution module.

put it, for example, in /srv/salt/base/_modules/gluster.py

# e.g. something like
def get_cert():
    """Return this minion's certificate text so the mine can publish it."""
    # the cert written by x509.certificate_managed in the state above
    with open('/etc/ssl/glusterfs.pem') as cert:
        return cert.read()



The Salt mine calls functions like this one and publishes their return values for other minions to look up with mine.get.
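
A worked version of the module sketched above, covering both the step list in the earlier reply (mine function, then a state that assembles the bundle from mine.get) and the get_cert() sketch. This is an added example, not code from the thread or from the SaltStack project: the module name `gluster`, the function `ca_bundle`, and the sample mine data `SAMPLE_MINE` are assumptions made here. It adds two things a practitioner would want before trusting the bundle: only well-formed CERTIFICATE blocks from the mine are kept (a private key or garbage returned by a misbehaving minion is dropped), and the output is de-duplicated and ordered by minion id so file.managed writes identical content on every run instead of reporting a change each time mine.get returns the dict in a different order.

```python
"""gluster.py: custom Salt execution module (added example, not from the thread).

Place it under _modules/ in file_roots (e.g. /srv/salt/_modules/gluster.py) and
run `salt '*' saltutil.sync_modules`. The module name and function names are
choices made for this example, not Salt built-ins.
"""
import os
import re

# Path the per-minion certificate is written to in the state from the question.
CERT_PATH = "/etc/ssl/glusterfs.pem"

# Matches one PEM CERTIFICATE block. Keys, CSRs and other text are ignored, so a
# stray or malicious mine entry cannot push a key or junk into everyone's bundle.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END CERTIFICATE-----",
    re.S,
)


def _extract_certs(pem_text):
    """Return the CERTIFICATE blocks found in pem_text, normalized to 64-column base64."""
    certs = []
    for match in _CERT_BLOCK.finditer(pem_text):
        body = re.sub(r"\s+", "", match.group(1))  # drop all line breaks/whitespace
        # Re-wrap at 64 columns so the same cert compares equal whatever its source formatting.
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append(
            "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
        )
    return certs


def get_cert(path=CERT_PATH):
    """Mine function: return this minion's certificate PEM, or '' if it does not exist yet.

    Returning '' instead of raising keeps a minion whose cert state has not run
    yet from producing an error; ca_bundle() simply skips empty entries.
    """
    if not os.path.isfile(path):
        return ""
    with open(path) as fh:
        return fh.read()


def ca_bundle(mine_data):
    """Build the combined CA file from a mine.get result ({minion_id: pem_text}).

    Keeps only valid CERTIFICATE blocks, de-duplicates them, and orders them by
    minion id so the generated file is byte-identical across runs. Each cert is
    preceded by a '# <minion_id>' line; OpenSSL's PEM reader skips text outside
    BEGIN/END markers, so the file stays loadable as a CA bundle.
    """
    bundle = []
    seen = set()
    for minion_id in sorted(mine_data):
        for cert in _extract_certs(mine_data[minion_id] or ""):
            if cert not in seen:
                seen.add(cert)
                bundle.append("# %s\n%s" % (minion_id, cert))
    return "".join(bundle)


# Constructed sample of what mine.get('*', 'gluster.get_cert') might return:
# two minions with certs (one of them also leaking a key block, which must be
# dropped) and one minion whose cert state has not run yet. Bodies are fake base64.
SAMPLE_MINE = {
    "worker2": "-----BEGIN CERTIFICATE-----\nQUJDREVG\n-----END CERTIFICATE-----\n",
    "worker1": (
        "-----BEGIN PRIVATE KEY-----\nc2VjcmV0\n-----END PRIVATE KEY-----\n"
        "-----BEGIN CERTIFICATE-----\nR0hJSktM\n-----END CERTIFICATE-----\n"
    ),
    "master": "",
}

if __name__ == "__main__":
    print(ca_bundle(SAMPLE_MINE))
```

To wire it up: set `mine_functions: {gluster.get_cert: []}` in the minion config or pillar so each minion publishes its cert, and have the bundle state use `file.managed` with `template: jinja` and a source template containing `{{ salt['gluster.ca_bundle'](salt['mine.get']('*', 'gluster.get_cert')) }}`; both the Jinja rendering and the mine.get call happen on the minion. Note that this only filters malformed input: any minion accepted by the master can publish a cert that every peer will then trust, which is inherent in the self-signed-per-node design of the linked tutorial.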