1 # Copyright (C) The Arvados Authors. All rights reserved.
3 # SPDX-License-Identifier: Apache-2.0
# Template inputs.
# - orig_cert_dir: directory the certificates and keys are copied from; read
#   from the 'extra_custom_certs_dir' pillar key, default '/srv/salt/certs'.
# - dest_cert_dir: fixed destination directory, '/etc/nginx/ssl'.
# - certs: list of certificate names from the 'extra_custom_certs' pillar
#   key; defaults to an empty list.
# NOTE(review): both pillar values are rendered further down into state IDs,
# file paths and shell command lines without any validation visible here, so
# they must come from a trusted pillar source. Consider rejecting names that
# contain whitespace, '/' or shell metacharacters.
5 {%- set orig_cert_dir = salt['pillar.get']('extra_custom_certs_dir', '/srv/salt/certs') %}
6 {%- set dest_cert_dir = '/etc/nginx/ssl' %}
7 {%- set certs = salt['pillar.get']('extra_custom_certs', []) %}
# State for the directory that receives the copied certificates and keys.
# The path is written as a literal; it is the same value dest_cert_dir is set
# to, so the two have to be kept in sync by hand.
# NOTE(review): the state function and any user/group/mode arguments are not
# visible in this excerpt. Private keys are copied into this directory, so
# confirm it is owned by root and not readable by other users.
10 extra_custom_certs_file_directory_certs_dir:
12 - name: /etc/nginx/ssl
# One iteration per entry in certs. For each name the file names are built by
# plain concatenation: 'arvados-<cert>.pem' for the certificate and
# 'arvados-<cert>.key' for the private key.
# NOTE(review): no check of the name is visible here. A name containing '/'
# would point outside the intended directories, and one containing spaces or
# shell metacharacters would alter the shell commands built from these file
# names below. Confirm names are validated where the pillar is defined.
24 {%- for cert in certs %}
25 {%- set cert_file = 'arvados-' ~ cert ~ '.pem' %}
26 {%- set key_file = 'arvados-' ~ cert ~ '.key' %}
# Copies the certificate for this entry from orig_cert_dir to dest_cert_dir.
# - unless: cmp exits 0 when both files are byte-identical, so the copy is
#   skipped when the destination already matches the source.
# - the trailing 'file:' entry references the certificate directory state;
#   presumably it sits under a require requisite (keyword not visible in this
#   excerpt; confirm).
# NOTE(review): both paths are rendered unquoted into the cmp command line;
# quoting them would keep a path with spaces from being split into several
# arguments.
27 extra_custom_certs_{{ cert }}_cert_file_copy:
29 - name: {{ dest_cert_dir }}/{{ cert_file }}
30 - source: {{ orig_cert_dir }}/{{ cert_file }}
35 - unless: cmp {{ dest_cert_dir }}/{{ cert_file }} {{ orig_cert_dir }}/{{ cert_file }}
37 - file: extra_custom_certs_file_directory_certs_dir
# Copies the private key for this entry from orig_cert_dir to dest_cert_dir.
# - unless: cmp exits 0 when both files are byte-identical, so the copy is
#   skipped when the destination already matches the source.
# - the trailing 'file:' entry references the certificate directory state;
#   presumably it sits under a require requisite (keyword not visible in this
#   excerpt; confirm).
# NOTE(review): this file is private key material. The user/group/mode
# arguments are not visible in this excerpt; confirm the copy is owned by
# root and not group- or world-readable beyond what nginx needs, and that the
# source directory on the minion is protected the same way.
# NOTE(review): both paths are rendered unquoted into the cmp command line.
39 extra_custom_certs_{{ cert }}_key_file_copy:
41 - name: {{ dest_cert_dir }}/{{ key_file }}
42 - source: {{ orig_cert_dir }}/{{ key_file }}
47 - unless: cmp {{ dest_cert_dir }}/{{ key_file }} {{ orig_cert_dir }}/{{ key_file }}
49 - file: extra_custom_certs_file_directory_certs_dir
# Reloads nginx for this entry's certificate/key pair.
# - name: the command run is 'systemctl reload nginx'.
# - the two pairs of 'file:' entries reference the certificate and key copy
#   states; presumably one pair is a require and the other an onchanges
#   requisite (keywords not visible in this excerpt; confirm).
# - the final entry is a shell test that compares the modulus printed by
#   'openssl rsa' for the key with the one printed by 'openssl x509' for the
#   certificate, i.e. it checks that key and certificate belong together;
#   presumably it is an onlyif guard (keyword not visible; confirm).
# NOTE(review): the command substitutions are unquoted. If both openssl calls
# print nothing, the command collapses to 'test ==', which succeeds, so the
# guard would pass without having compared anything. Quoting both sides and
# using the POSIX operator avoids this:
#   test "$(openssl rsa ...)" = "$(openssl x509 ...)"
# NOTE(review): 'openssl rsa' only reads RSA keys, so a non-RSA key (for
# example EC) would never satisfy this check; confirm that is intended.
51 extra_nginx_service_reload_on_{{ cert }}_certs_changes:
53 - name: systemctl reload nginx
55 - file: extra_custom_certs_{{ cert }}_cert_file_copy
56 - file: extra_custom_certs_{{ cert }}_key_file_copy
58 - file: extra_custom_certs_{{ cert }}_cert_file_copy
59 - file: extra_custom_certs_{{ cert }}_key_file_copy
61 - test $(openssl rsa -modulus -noout -in {{ dest_cert_dir }}/{{ key_file }}) == $(openssl x509 -modulus -noout -in {{ dest_cert_dir }}/{{ cert_file }})