X-Git-Url: https://git.arvados.org/arvados-formula.git/blobdiff_plain/2ac8a85f91b60ebe5fb337bfcbeb09836842ed85..6c52de7c70c90784df58e6dbc6c43a71b9cc7e7c:/test/salt/states/example_add_snakeoil_certs/init.sls diff --git a/test/salt/states/example_add_snakeoil_certs/init.sls b/test/salt/states/example_add_snakeoil_certs/init.sls index 278ccd0..158abcc 100644 --- a/test/salt/states/example_add_snakeoil_certs/init.sls +++ b/test/salt/states/example_add_snakeoil_certs/init.sls @@ -1,7 +1,7 @@ -{% set curr_tpldir = tpldir %} -{% set tpldir = 'arvados' %} -{% from "arvados/map.jinja" import arvados with context %} -{% set tpldir = curr_tpldir %} +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- from "arvados/map.jinja" import arvados with context %} +{%- set tpldir = curr_tpldir %} snake_oil_certs: pkg.installed: @@ -15,7 +15,6 @@ snake_oil_certs: default_md = sha256 x509_extensions = v3_req distinguished_name = dn - [dn] C = CC ST = SomeState @@ -24,13 +23,11 @@ snake_oil_certs: OU = R&D CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} - [v3_req] subjectAltName = @alt_names - [alt_names] {%- for entry in grains.get('ipv4') %} - IP.{{ loop.index }} = {{entry }} + IP.{{ loop.index }} = {{ entry }} {%- endfor %} {%- for entry in [ 'keep', 
@@ -49,7 +46,24 @@ snake_oil_certs:
 mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
 openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
 -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
- -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \
+ chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+ chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key
 - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
 - require:
 - pkg: openssl
+
+{%- if grains.get('os_family') == 'Debian' %}
+ssl_certs:
+ pkg.installed:
+ - name: ssl-cert
+ - require_in:
+ - sls: postgres
+
+snake_oil_certs_permissions:
+ cmd.run:
+ - name: |
+ chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+ - require:
+ - pkg: ssl_certs
+{%- endif %}
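Review bot: The added `chmod 0644` / `chmod 0640` run only inside the command guarded by `unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key`, so a host that already has the key keeps whatever mode it was created with. `snake_oil_certs_permissions` has the opposite problem: it has no guard and requires only `pkg: ssl_certs`, so the `chown` re-runs on every apply and is not tied to the key having been generated. A single `file.managed` state with `replace: False` would enforce owner, group and mode on every run, for new and existing keys alike, and report a change only when something drifted. The sketch below assumes the generation command is a `cmd.run` under the `snake_oil_certs` ID, whose definition starts outside this hunk. It has to stay inside the Debian branch, because the `ssl-cert` group is only provided there.

```yaml
# … unchanged: {%- if grains.get('os_family') == 'Debian' %} and the ssl_certs pkg.installed state …
snake_oil_certs_permissions:
  file.managed:
    - name: /etc/ssl/private/ssl-cert-snakeoil.key
    - replace: False
    - user: root
    - group: ssl-cert
    - mode: '0640'
    - require:
      - pkg: ssl_certs
      - cmd: snake_oil_certs
```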