-{% set curr_tpldir = tpldir %}
-{% set tpldir = 'arvados' %}
-{% from "arvados/map.jinja" import arvados with context %}
-{% set tpldir = curr_tpldir %}
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
snake_oil_certs:
pkg.installed:
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
-
[dn]
C = CC
ST = SomeState
OU = R&D
CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
-
[v3_req]
subjectAltName = @alt_names
-
[alt_names]
{%- for entry in grains.get('ipv4') %}
- IP.{{ loop.index }} = {{entry }}
+ IP.{{ loop.index }} = {{ entry }}
{%- endfor %}
{%- for entry in [
'keep',
mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
- -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \
+ chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+ chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key
- unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
- require:
- pkg: openssl
+
+{%- if grains.get('os_family') == 'Debian' %}
+ssl_certs:
+ pkg.installed:
+ - name: ssl-cert
+ - require_in:
+ - sls: postgres
+
+snake_oil_certs_permissions:
+ cmd.run:
+ - name: |
+ chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+ - require:
+ - pkg: ssl_certs
+{%- endif %}
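Review bot: The new `snake_oil_certs_permissions` state in the Debian block is a bare `cmd.run` with no `unless`/`onlyif` and no requisite on `snake_oil_certs`, so it reports a change on every highstate and, on a fresh minion, relies only on Salt's default file ordering for the key to exist before `chown` runs. Declaring the ownership with `file.managed` (`create: False`, `replace: False`) makes it idempotent and lets it require the generating state explicitly; the mode belongs there too, quoted so YAML does not read it as an octal integer. Note also that the `chmod 0640` added to the generating command only becomes useful together with the Debian-only `ssl-cert` group: on other OS families the key stays `root:root` 0640, which presumably locks out any non-root service user unless something outside this file adjusts it. The `snake_oil_certs` cmd.run whose script the hunk edits begins before the hunk.
```yaml
snake_oil_certs_permissions:
  file.managed:
    - name: /etc/ssl/private/ssl-cert-snakeoil.key
    - user: root
    - group: ssl-cert
    - mode: "0640"
    - replace: False
    - create: False
    - require:
      - pkg: ssl_certs
      - cmd: snake_oil_certs
```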