Ensure pki dir is in correct state and change modes for consul certs

4 years ago · 94b401406c
parent 1d8915b636
commit 94b401406c
3 changed files with 16 additions and 7 deletions
--- a/app/consul/ca.sls
+++ b/app/consul/ca.sls
@ -6,13 +6,13 @@
  file.directory:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - dir_mode: 0700
-    - file_mode: 0700
+    - dir_mode: 0660
+    - file_mode: 0660
    - makedirs: true

 {{ ca_path | path_join("certificate.pem") }}:
  file.managed:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - mode: 0700
+    - mode: 0660
    - contents_pillar: "consul:tls:ca:certificate"
--- a/app/consul/tls.sls
+++ b/app/consul/tls.sls
@ -19,14 +19,14 @@ include:
  file.managed:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - mode: 0700
+    - mode: 0660
    - contents_pillar: "consul:tls:client:certificate"

 {{ consul_key_file }}:
  file.managed:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - mode: 0700
+    - mode: 0660
    - contents_pillar: "consul:tls:client:key"

 {% elif "consul_server" in grains["roles"] -%}
@ -35,14 +35,14 @@ include:
  file.managed:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - mode: 0700
+    - mode: 0660
    - contents_pillar: "consul:tls:server:certificate"

 {{ consul_key_file }}:
  file.managed:
    - user: {{ salt.pillar.get("consul:user", "root") }}
    - group: {{ salt.pillar.get("consul:group", "root") }}
-    - mode: 0700
+    - mode: 0660
    - contents_pillar: "consul:tls:server:key"

 {% endif %}
--- a/base/files.sls
+++ b/base/files.sls
@ -7,6 +7,15 @@
    - group: root
    - mode: 0744

+# /etc/pki is a directory that any application should be able to store their sensitive
+# PKI things in, which means any user should be able to read the basedir contents, but
+# not necessarily the inner contents beyond that.
+/etc/pki:
+  file.directory:
+    - user: root
+    - group: root
+    - mode: 0644
+
 logdna root tls certificate:
  file.managed:
    - name: /etc/ld-root-ca.crt