From 2ac8a85f91b60ebe5fb337bfcbeb09836842ed85 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Javier=20B=C3=A9rtoli?=
Date: Sat, 21 Nov 2020 12:11:12 -0300
Subject: [PATCH] test(dispatcher): cert needs to match each hostname
---
 .../example_add_snakeoil_certs/init.sls | 59 +++++++++++++------
 .../init.sls | 13 ++--
 2 files changed, 50 insertions(+), 22 deletions(-)
 rename test/salt/states/{hosts_entries => example_single_host_host_entries}/init.sls (59%)
diff --git a/test/salt/states/example_add_snakeoil_certs/init.sls b/test/salt/states/example_add_snakeoil_certs/init.sls
index e004128..278ccd0 100644
--- a/test/salt/states/example_add_snakeoil_certs/init.sls
+++ b/test/salt/states/example_add_snakeoil_certs/init.sls
@@ -1,24 +1,51 @@ +{% set curr_tpldir = tpldir %} +{% set tpldir = 'arvados' %} +{% from "arvados/map.jinja" import arvados with context %} +{% set tpldir = curr_tpldir %} + snake_oil_certs: -{%- if grains.os_family in ('RedHat',) %} pkg.installed: - name: openssl cmd.run: - name: | cat > /tmp/openssl.cnf <<-CNF - RANDFILE = /dev/urandom - [ req ] - default_bits = 2048 - default_keyfile = privkey.pem - distinguished_name = req_distinguished_name - prompt = no - policy = policy_anything - req_extensions = v3_req - x509_extensions = v3_req - [ req_distinguished_name ] - commonName = {{ grains.fqdn }} - [ v3_req ] - basicConstraints = CA:FALSE + [req] + default_bits = 2048 + prompt = no + default_md = sha256 + x509_extensions = v3_req + distinguished_name = dn + + [dn] + C = CC + ST = SomeState + L = SomeLocation + O = ArvadosFormula + OU = R&D + CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + + [v3_req] + subjectAltName = @alt_names + + [alt_names] + {%- for entry in grains.get('ipv4') %} + IP.{{ loop.index }} = {{entry }} + {%- endfor %} + {%- for entry in [ + 'keep', + 'keep0', + 'collections', + 'download', + 'ws', + 'workbench', + 'workbench2', + ] + %} + DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + {%- endfor %} CNF + mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \ openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \ -out /etc/ssl/certs/ssl-cert-snakeoil.pem \ @@ -26,7 +53,3 @@ snake_oil_certs: - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key - require: - pkg: openssl -{%- else %} - pkg.installed: - - name: ssl-cert -{%- endif %} 
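Review bot: The `[alt_names]` section never lists the cluster's own name: `{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}` appears only as `CN`, and clients that follow RFC 6125 ignore the CN once a subjectAltName is present, so TLS to that bare name would fail verification and invite people to switch verification off. Adding `DNS.0 = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}` ahead of the service loop would cover it; the suffix only has to be unique, and `loop.index` starts at 1. The new `[v3_req]` also drops the old `basicConstraints = CA:FALSE`, and I would keep that line so a certificate generated with `-nodes` is explicitly marked as not a CA. The `openssl req` command continues past the end of this hunk.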
diff --git a/test/salt/states/hosts_entries/init.sls b/test/salt/states/example_single_host_host_entries/init.sls similarity index 59% rename from test/salt/states/hosts_entries/init.sls rename to test/salt/states/example_single_host_host_entries/init.sls index 378571e..a043333 100644 --- a/test/salt/states/hosts_entries/init.sls +++ b/test/salt/states/example_single_host_host_entries/init.sls @@ -1,8 +1,15 @@ +{% set curr_tpldir = tpldir %} +{% set tpldir = 'arvados' %} +{% from "arvados/map.jinja" import arvados with context %} +{% set tpldir = curr_tpldir %} + arvados_hosts_entries: host.present: - ip: {{ grains.get('ipv4')[0] }} - names: - - {{ grains.get('fqdn') }} + - {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + # FIXME! This just works for our testings. + # Won't work if the cluster name != host name {%- for entry in [ 'keep', 'keep0', @@ -14,7 +21,5 @@ arvados_hosts_entries: ] %} - {{ entry }} - # FIXME! This just works for our testings. - # Won't work if the cluster name != host name - - {{ entry }}.{{ grains.get('host') }}.{{ grains.get('domain') }} + - {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} {%- endfor %} -- 2.30.2
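Review bot: The relocated FIXME (`Won't work if the cluster name != host name`) appears stale after this change, since the names are now built from `arvados.cluster.name` and `arvados.cluster.domain` rather than the `host` and `domain` grains. What still holds is that every name is pinned to `grains.get('ipv4')[0]`, which depends on the order of that grain and may be a loopback address on some minions. I would reword the comment to something like `# NOTE: single-host only: all service names resolve to this minion's first IPv4 address.` The same comment is removed from its old position in the second hunk of this file.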