test(dispatcher): cert needs to match each hostname
[arvados-formula.git] / test / salt / states / example_add_snakeoil_certs / init.sls
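{% set curr_tpldir = tpldir %}
{% set tpldir = 'arvados' %}
{% from "arvados/map.jinja" import arvados with context %}
{% set tpldir = curr_tpldir %}

# Test fixture: generate a self-signed ("snake oil") certificate and key for
# the cluster's service hostnames so the test suite can bring up TLS endpoints.
#
# The key is written unencrypted (-nodes) and the certificate is valid for
# 3650 days and chains to no CA, so this pair must stay confined to test hosts.
snake_oil_certs:
  pkg.installed:
    - name: openssl
  # The script below:
  #   * writes the openssl request config to a mktemp file instead of a fixed
  #     name under /tmp, because the command creates the file in a
  #     world-writable directory where a predictable path can be pre-created
  #     by another local user;
  #   * lists the bare cluster hostname in subjectAltName as well as in CN,
  #     because current TLS clients match hostnames against the SAN list and
  #     ignore CN once a SAN extension is present;
  #   * adds one IP SAN per address in the ipv4 grain.
  # NOTE(review): /tmp/snake_oil_certs.output is still a fixed path under /tmp;
  # it is kept so existing debugging habits work. Dropping the redirect would
  # let Salt capture the output in the state return instead.
  # NOTE(review): the mode of the generated key is left to openssl and the
  # umask in effect; confirm it is not world-readable on the target image.
  cmd.run:
    - name: |
        # Unpredictable temp file for the request config, removed on exit.
        cnf="$(mktemp)" || exit 1
        trap 'rm -f "$cnf"' EXIT

        cat > "$cnf" <<-CNF
        [req]
        default_bits = 2048
        prompt = no
        default_md = sha256
        x509_extensions = v3_req
        distinguished_name = dn

        [dn]
        C   = CC
        ST  = SomeState
        L   = SomeLocation
        O   = ArvadosFormula
        OU  = R&D
        CN  = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}

        [v3_req]
        subjectAltName = @alt_names

        [alt_names]
        {%- for entry in grains.get('ipv4', []) %}
        IP.{{ loop.index }} = {{ entry }}
        {%- endfor %}
        DNS.1 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        {%- for entry in [
            'keep',
            'keep0',
            'collections',
            'download',
            'ws',
            'workbench',
            'workbench2',
          ]
        %}
        DNS.{{ loop.index + 1 }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        {%- endfor %}
        CNF

        mkdir -p /etc/ssl/certs/  /etc/ssl/private/ && \
        openssl req -config "$cnf" -new -x509 -days 3650 -nodes -sha256 \
          -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
          -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
    # Idempotence guard: skip generation once a key is present. An existing
    # key from another source also suppresses this state.
    - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
    - require:
      - pkg: openssl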