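salt_pki:
  # list of packages required for x509 to work
  crypto_pkgs:
    - python-m2crypto
  # all PKI files will be stored under that path
  base_dir: /etc/pki
  # NB! root_ca and intermediate_ca pillar data must be available to all minions; the formula requires this data
  # to correctly install root and intermediate certificates into the OS even on minions which do not
  # issue any certificates at all
  root_ca:
    # relative to base_dir
    dir: root_ca
    key: root_ca.key
    cert: root_ca.crt
    # minion which will serve as Root CA
    # minion id expected here, not DNS name (if it differs from minion id), not IP address if DNS not present
    # the root CA private key lives on this minion, so restrict access to it as tightly as possible
    ca_server: saltpki.domain.tld
    # where to save signed certificates, relative to 'dir' above
    copypath: issued_certs
    # additional arguments for the x509.certificate_managed state
    # subject properties can be defined here, like CN, C, OU, etc.
    # X509v3 extensions can also be defined, like basicConstraints, crlDistributionPoints, subjectAltName, etc.
    # for details check
    # https://docs.saltstack.com/en/latest/ref/states/all/salt.states.x509.html#salt.states.x509.certificate_managed
    # https://docs.saltstack.com/en/latest/ref/modules/all/salt.modules.x509.html#salt.modules.x509.create_certificate
    kwargs:
      CN: Salt Root CA
      C: RU
      ST: Moscow
      L: Moscow
      O: MyCompany
      OU: SaltStack PKI
      crlDistributionPoints: "URI:http://saltpki.domain.tld/root.crl"
    # signing policies must be defined in the file 'signing_policies/root.jinja'
    # with the dictionary below it is possible to allow minions to use a specific policy
    # by default the Root CA signs only Intermediate CA certificates, then the Intermediate CA
    # will sign regular server or client certificates
    signing_policies:
      # policy name from 'signing_policies/root.jinja'
      intermediate:
        # minions allowed to use this policy
        # string type, match.glob is used by default; if '@' is found in the string then match.compound is used
        # keep this as narrow as possible: any matching minion can obtain an Intermediate CA certificate
        minions: saltpki.domain.tld
        # force subject properties for the certificate via the signing policy
        # those properties will be added to all certificates which match this policy
        subject_properties:
          C: RU
          ST: Moscow
          L: Moscow
          O: MyCompany
          OU: SaltStack PKI
  # there can be multiple intermediate CAs
  intermediate_ca:
    # all keys are mandatory
    - name: intermediate_ca
      # relative to base_dir
      dir: intermediate_ca
      key: intermediate_ca.key
      cert: intermediate_ca.crt
      # minion which will serve as Intermediate CA
      # minion id expected here, not DNS name (if it differs from minion id), not IP address if DNS not present
      ca_server: saltpki.domain.tld
      # where to save signed certificates, relative to 'dir' above
      copypath: issued_certs
      # additional arguments for the x509.certificate_managed state
      # parameters defined in the policy will override parameters from pillars
      kwargs:
        CN: Salt Intermediate CA
        crlDistributionPoints: "URI:http://saltpki.domain.tld/intermediate.crl"
      signing_policies:
        http_server:
          # string type, match.glob is used by default; if '@' is found in the string then match.compound is used
          # "*" lets every minion request a certificate under this policy; narrow it to the hosts that need one
          minions: "*"
          # force subject properties for the certificate via the signing policy
          # those properties will be added to all certificates which match this policy
          # NB you can not override those in certificate properties, so don't set i.e. CN here
          subject_properties:
            C: RU
            ST: Moscow
            L: Moscow
            O: MyCompany
            OU: SaltStack PKI
  ca_certs:
    # commands to add certificates into the system CA store
    # only add new certificates, fast
    cmd_add: update-ca-certificates
    # add and remove broken (non existent) certificates, slower
    cmd_rebuild: update-ca-certificates -f
    # directory where to store certificates
    dir: /usr/local/share/ca-certificates
    # additional certificates which need to be deployed into the system CA store
    # every certificate listed here becomes trusted system-wide; review additions carefully
    certs:
      # filename of certificate
      # source file will be looked up in salt://{{ tpldir }}/ca_certs/
      - name: company_root_ca.crt
        # present / absent, if not defined assume 'present'
        ensure: present
      - name: vault_intermediate_ca.crt
        ensure: present
  # those settings are used for each certificate if not overridden by pillar data
  # they are supposed to be used in defaults.yaml but can be overridden by pillar data too
  issue_defaults:
    # NB the signing policy can override cert parameters
    key:
      name: "{{ grains.id }}.key"
      bits: 2048
      new: true
      # private keys are readable by the owner only
      mode: "0600"
      makedirs: true
    cert:
      name: "{{ grains.id }}.crt"
      mode: "0600"
      makedirs: true
      # how long the certificate is valid
      days_valid: 30
      # if the certificate has fewer than 'days_remaining' days left it is reissued, but only when the
      # relevant state is run; nothing reissues it automatically
      days_remaining: 10
      CN: "{{ grains.id }}"
  issue:
    myservice:
      # restart or reload some service after certificates have been issued
      service:
        # optional name of service; if not provided the branch name will be used ('myservice' in this example)
        name: my_service_name
        # use reload instead of restart, not all services support reload
        reload: true
      # include some local state / formula which will be called after certificates are issued
      # i.e. this state can deploy certs to another location with different permissions
      # and restart or reload the related service
      # the provided string will be used directly in an 'include' statement
      #
      # include: myservice.tls
      # will become
      #
      # include:
      #   - myservice.tls
      include: myservice.tls
      key:
        # path where to save the private key, relative to 'base_dir'
        name: api/myservice.key
        bits: 4096
      cert:
        # path where to save the signed certificate, relative to 'base_dir'
        name: api/myservice.crt
        # which server to use for signing
        # minion id expected here, not DNS name (if it differs from minion id), not IP address if DNS not present
        ca_server: saltpki.domain.tld
        # which policy to use for signing, it must be present on the signing server
        signing_policy: http_server
        # any other parameter supported by 'x509.certificate_managed'
        subjectAltName: "DNS:myservice.domain.tld"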