-
-
Save anonymous/80aea9eb5a69208015b0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import os | |
| import logging | |
| import salt.utils | |
| log = logging.getLogger(__name__) | |
| def ext_pillar( minion_id, pillar, ca_name, **kwargs ): | |
| alt_names = [] | |
| domain = ".".join(minion_id.split(".")[1:]) | |
| # add VRRP names as alt names | |
| try: | |
| if 'cluster' in pillar and len(pillar['cluster']['dns']) > 0: | |
| cluster_dns = pillar['cluster']['dns'] | |
| alt_names.append("DNS:%s" % minion_id) # CN is ignored when alt_names is present so add minion_id here as well | |
| alt_names.append("DNS:%s" % cluster_dns) | |
| alt_names.append("DNS:%s.%s" % (cluster_dns, domain) ) | |
| except KeyError: | |
| # not a cluster | |
| pass | |
| # add pillar dns:alt as alt names | |
| try: | |
| if 'dns' in pillar and len(pillar['dns']['alt']) > 0: | |
| alt_dns = pillar['dns']['alt'] | |
| alt_names.append("DNS:%s" % minion_id) # CN is ignored when alt_names is present so add minion_id here as well | |
| alt_names.append("DNS:%s" % alt_dns) | |
| # if it's just an extra hostname instead of an FQDN, | |
| # make sure to add it scoped to the local domain as well | |
| if not '.' in alt_dns: | |
| alt_names.append("DNS:%s.%s" % (alt_dns, domain) ) | |
| except KeyError: | |
| # no alt dns name defined for minion | |
| pass | |
| # CN is ignored if subjectAltName is supplied, | |
| # so we need to set it to none if there are no | |
| # alt names | |
| # if no alt names, set to none | |
| if not alt_names: | |
| alt_names = None | |
| ca_pillar = {} | |
| ca_pillar['ca'] = {} | |
| ca_pillar['ca']['certs'] = {} | |
| ca_pillar['ca']['certs'][minion_id] = {} | |
| ca_file = "/etc/pki/%(ca_name)s/%(ca_name)s_ca_cert.crt" % { 'ca_name': ca_name } | |
| pem_file = "/etc/pki/%(ca_name)s/certs/%(minion_id)s.crt" % { 'ca_name': ca_name, 'minion_id': minion_id } | |
| key_file = "/etc/pki/%(ca_name)s/certs/%(minion_id)s.key" % { 'ca_name': ca_name, 'minion_id': minion_id } | |
| # Check if the CA exists | |
| if not os.path.exists(ca_file): | |
| __salt__['tls.create_ca'](ca_name, | |
| days=3650, CN='PRIVATE CA', | |
| C='country', ST='province', L='city', O='company', | |
| OU='organization', emailAddress='email@domain.com') | |
| # Check if we have to create a new certificate for this minion | |
| if not os.path.exists(key_file): # or reissue: | |
| __salt__['tls.create_csr'](ca_name, CN=minion_id, C='country', ST='province', L='city', O='company', OU='organization', emailAddress='email@domain.com', subjectAltName=alt_names) | |
| if not os.path.exists(pem_file): # or reissue: | |
| __salt__['tls.create_ca_signed_cert'](ca_name, minion_id, days=3650) | |
| with salt.utils.fopen(pem_file, "r") as ifile: | |
| ca_pillar['ca']['certs'][minion_id]['pem'] = ifile.read() | |
| with salt.utils.fopen(key_file, "r") as ifile: | |
| ca_pillar['ca']['certs'][minion_id]['key'] = ifile.read() | |
| with salt.utils.fopen(ca_file, "r") as ifile: | |
| ca_pillar['ca']['%s.pem' % ca_name] = ifile.read() | |
| return ca_pillar |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment