Ensure pki dir is in correct state and change modes for consul certs

master
Sean Johnson 4 years ago
parent 1d8915b636
commit 94b401406c
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS.
GPG Key ID: 9FA15B87469EA850
  1. 6
      app/consul/ca.sls
  2. 8
      app/consul/tls.sls
  3. 9
      base/files.sls

@ -6,13 +6,13 @@
file.directory:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- dir_mode: 0700
- file_mode: 0700
- dir_mode: 0660
- file_mode: 0660
- makedirs: true
{{ ca_path | path_join("certificate.pem") }}:
file.managed:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- mode: 0700
- mode: 0660
- contents_pillar: "consul:tls:ca:certificate"
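Review bot: `dir_mode: 0660` on the `file.directory` state leaves the directory without the search (execute) bit, so a non-root `consul:user` could not open `certificate.pem` inside it; this assumes the second line of each printed pair is the new side, which the page does not mark. A directory mode of `'0750'` (or `'0700'`) with `file_mode: '0640'` keeps the files non-executable while still letting the owner traverse the directory. The CA certificate is public material, so `- mode: '0644'` would be enough for it. The modes should also be quoted, since Salt's documentation asks for leading-zero modes to be wrapped in quotes so that YAML does not read them as integers. The ID line of the `file.directory` state sits above the hunk.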

@ -19,14 +19,14 @@ include:
file.managed:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- mode: 0700
- mode: 0660
- contents_pillar: "consul:tls:client:certificate"
{{ consul_key_file }}:
file.managed:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- mode: 0700
- mode: 0660
- contents_pillar: "consul:tls:client:key"
{% elif "consul_server" in grains["roles"] -%}
@ -35,14 +35,14 @@ include:
file.managed:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- mode: 0700
- mode: 0660
- contents_pillar: "consul:tls:server:certificate"
{{ consul_key_file }}:
file.managed:
- user: {{ salt.pillar.get("consul:user", "root") }}
- group: {{ salt.pillar.get("consul:group", "root") }}
- mode: 0700
- mode: 0660
- contents_pillar: "consul:tls:server:key"
{% endif %}
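Review bot: The two `{{ consul_key_file }}` states (client and server branches) set the private key to `mode: 0660`, which grants the group write access to the key, assuming the second line of each printed pair is the new side. A private key normally needs only owner read, so `- mode: '0600'` (or `'0640'` if a group member has to read it) is the tighter choice; the certificates can stay group-readable. The first state in each hunk starts above the visible lines, and the `{% if %}` that opens the branch is outside the hunks as well.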

@ -7,6 +7,15 @@
- group: root
- mode: 0744
# /etc/pki is a directory that any application should be able to store their sensitive
# PKI things in, which means any user should be able to read the basedir contents, but
# not necessarily the inner contents beyond that.
/etc/pki:
file.directory:
- user: root
- group: root
- mode: 0644
logdna root tls certificate:
file.managed:
- name: /etc/ld-root-ca.crt
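Review bot: `mode: 0644` on the new `/etc/pki` `file.directory` state omits the search (execute) bit, so non-root users cannot traverse into `/etc/pki`, and any service running as a non-root user would be unable to reach its certificates below it. That contradicts the comment above the state, which wants the base directory readable by any user; `- mode: '0755'` provides that, with the per-application subdirectories carrying the restrictive modes. Quoting the value also avoids YAML reading the leading-zero mode as an integer.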
