docs(examples): better organization and naming
[arvados-formula.git] / test / salt / states / examples / single_host / snakeoil_certs.sls
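# Test-only state: generates a self-signed ("snakeoil") certificate and an
# unencrypted private key for the single-host example. Nothing here chains to
# a trusted CA and the certificate is valid for 3650 days, so it is not meant
# for production hosts.
{%- set curr_tpldir = tpldir %}
{%- set tpldir = 'arvados' %}
{%- from "arvados/map.jinja" import arvados with context %}
{%- set tpldir = curr_tpldir %}

# The openssl package provides the `openssl req` command used below.
arvados_test_salt_states_examples_single_host_snakeoil_certs_openssl_pkg_installed:
  pkg.installed:
    - name: openssl

# Writes a throwaway OpenSSL request config and creates the certificate and
# key from it. Skipped once the private key exists (see `unless`).
#
# Hardening relative to a fixed /tmp path:
#   * The config lives in a directory made by `mktemp -d`, so a local user
#     cannot pre-create or symlink a predictable file that root then writes.
#   * The heredoc delimiter is quoted, so the shell copies the Jinja-rendered
#     config verbatim instead of expanding `$` or backticks found in values.
#   * openssl runs under umask 077 because `-nodes` leaves the key
#     unencrypted; the final modes are then set explicitly with chmod.
#   * openssl output is not redirected to a file under /tmp; Salt records the
#     command's stdout/stderr in the state result.
#
# NOTE(review): the CN host (cluster name + domain) is not listed under
# [alt_names]; clients that ignore CN when a subjectAltName is present will
# not accept the certificate for that name. Confirm whether this is intended.
arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run:
  cmd.run:
    - name: |
        # Private scratch directory, removed when the shell exits.
        workdir="$(mktemp -d)" || exit 1
        trap 'rm -rf "${workdir}"' EXIT
        cat > "${workdir}/openssl.cnf" <<-'CNF'
        [req]
        default_bits = 2048
        prompt = no
        default_md = sha256
        x509_extensions = v3_req
        distinguished_name = dn
        [dn]
        C   = CC
        ST  = SomeState
        L   = SomeLocation
        O   = ArvadosFormula
        OU  = R&D
        CN  = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        [v3_req]
        subjectAltName = @alt_names
        [alt_names]
        {%- for entry in grains.get('ipv4', []) %}
        IP.{{ loop.index }} = {{ entry }}
        {%- endfor %}
        {%- for entry in [
            'keep',
            'collections',
            'download',
            'ws',
            'workbench',
            'workbench2',
          ]
        %}
        DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
        {%- endfor %}
        CNF

        mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
        ( umask 077 && \
          openssl req -config "${workdir}/openssl.cnf" -new -x509 -days 3650 -nodes -sha256 \
            -out /etc/ssl/certs/arvados-snakeoil-cert.pem \
            -keyout /etc/ssl/private/arvados-snakeoil-cert.key ) && \
        chmod 0644 /etc/ssl/certs/arvados-snakeoil-cert.pem && \
        chmod 0640 /etc/ssl/private/arvados-snakeoil-cert.key
    - unless: test -f /etc/ssl/private/arvados-snakeoil-cert.key
    - require:
      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_openssl_pkg_installed

# Debian family only: install ssl-cert before the postgres sls runs and hand
# the key's group to ssl-cert, so members of that group can read the 0640 key.
{%- if grains.get('os_family') == 'Debian' %}
arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
  pkg.installed:
    - name: ssl-cert
    - require_in:
      - sls: postgres

snake_oil_certs_permissions:
  cmd.run:
    - name: |
        chown root:ssl-cert /etc/ssl/private/arvados-snakeoil-cert.key
    # Skip the chown when ownership is already correct, so repeated runs do
    # not report a change every time.
    - unless: >-
        test "$(stat -c '%U:%G' /etc/ssl/private/arvados-snakeoil-cert.key)" = 'root:ssl-cert'
    - require:
      - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
      - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
{%- endif %}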