Ecosyste.ms: Awesome


https://github.com/lkubb/salt-private-ca-formula

Manage a private Certificate Authority with Salt.

certificate-authority devops homelab saltstack saltstack-formula x509


README


.. _readme:

Private CA Formula
==================

|img_sr| |img_pc|

.. |img_sr| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
   :alt: Semantic Release
   :scale: 100%
   :target: https://github.com/semantic-release/semantic-release
.. |img_pc| image:: https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white
   :alt: pre-commit
   :scale: 100%
   :target: https://github.com/pre-commit/pre-commit

Manage a private Certificate Authority with Salt.

Note that this formula ships rewritten ``x509`` modules, which will become
available by default in Salt v3006. See `#63099 `_.

.. contents:: **Table of Contents**
   :depth: 1

General notes
-------------

See the full `SaltStack Formulas installation and usage instructions
`_.

If you are interested in writing or contributing to formulas, please pay attention to the `Writing Formula Section
`_.

If you want to use this formula, please pay attention to the ``FORMULA`` file and/or the ``git tag``,
which contain the currently released version. This formula is versioned according to `Semantic Versioning `_.

See `Formula Versioning Section `_ for more details.

If you need (non-default) configuration, please refer to:

- `how to configure the formula with map.jinja `_
- the ``pillar.example`` file
- the `Special notes`_ section

Special notes
-------------
* One parameter is required: ``pca:ca:minion_id``, the ID of the minion that acts as the CA.
* To make full use of your private CA, allow peer communication in your Salt master configuration so that minions can ask the CA minion to sign their certificates:

  .. code-block:: yaml

      peer:
        # keys are regular expressions matched against the ID of the
        # requesting minion; ``.*`` lets every minion request a signature,
        # so narrow it to the minions that actually need certificates
        .*:
          - x509.sign_remote_certificate

* You will also need to define ``x509_signing_policies`` in your CA minion config/pillar. See the `state module documentation `_ for further details. The peer setting only decides which minions may call the function; the signing policy decides what the CA will actually sign (which minion IDs may use it via ``minions``, and the fixed subject and extension values that override whatever the requester asks for), so keep the policies as narrow as the peer setting.
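
As an added end-to-end example (not part of the formula's own files), these are the pieces that have to agree for remote signing to work: the master's ``peer`` setting narrowed to the requesting minions, a signing policy on the CA minion, the one required pillar key, and a state on a client minion that requests a certificate through the policy. The minion IDs ``ca`` and ``web01``, the policy name ``web``, the hostname and all file paths are assumptions chosen for the illustration.

```yaml
# --- /etc/salt/master.d/peer.conf (on the master) ---
# Keys are regular expressions matched against the ID of the minion making
# the request. Anchor them: 'web.*' would also match 'webmaster'.
peer:
  '^web[0-9]+$':
    - x509.sign_remote_certificate

# --- /etc/salt/minion.d/x509.conf on the CA minion (or its pillar) ---
# The policy, not the peer setting, bounds what gets issued: only the listed
# minion IDs may use it, and its values override what the requester sends.
x509_signing_policies:
  web:
    - minions: 'web*'
    - signing_private_key: /etc/pki/ca/ca.key      # assumed path
    - signing_cert: /etc/pki/ca/ca.crt             # assumed path
    - basicConstraints: 'critical, CA:false'       # never issue intermediates here
    - keyUsage: 'critical, digitalSignature, keyEncipherment'
    - extendedKeyUsage: 'serverAuth'
    - days_valid: 90

# --- pillar for every minion that applies this formula ---
pca:
  ca:
    minion_id: ca

# --- /srv/salt/web/cert.sls, applied on web01 ---
# certificate_managed publishes x509.sign_remote_certificate to ca_server,
# which is what the peer setting above permits.
web01_key:
  x509.private_key_managed:
    - name: /etc/pki/web01.key
    - bits: 4096
    - mode: '0600'

web01_cert:
  x509.certificate_managed:
    - name: /etc/pki/web01.crt
    - ca_server: ca
    - signing_policy: web
    - private_key: /etc/pki/web01.key
    - CN: web01.example.internal
    - days_remaining: 30
    - require:
      - x509: web01_key
```

The private key never leaves ``web01``: the state sends only a signing request to the CA minion, and the CA returns the certificate. If the request comes from a minion whose ID does not match both the peer regex and the policy's ``minions`` pattern, it is rejected before anything is signed.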

Configuration
-------------
An example pillar is provided, please see ``pillar.example``. Note that you do not need to specify everything by pillar. Often, it's much easier and less resource-heavy to use the ``parameters//.yaml`` files for non-sensitive settings; secrets such as the CA's private key belong in pillar, which is rendered only for the minion it targets. The underlying logic is explained in ``map.jinja``.

Available states
----------------

The following states are found in this formula:

.. contents::
   :local:

``pca``
^^^^^^^
Always ensures the Salt CA is present in the system's CA bundle
and thus trusted.

If the configured CA minion's ID matches this minion's ID,
includes `pca.ca`_ as well.

``pca.base``
^^^^^^^^^^^^
Ensures an existing Salt CA is trusted by this minion.
Pulls the root certificate to trust from the mine, where `pca.ca`_ publishes it.

Should work for Linux/BSD and macOS. For the latter,
this requires the `macprofile module `_,
which will install the necessary profile interactively.

``pca.ca``
^^^^^^^^^^
Configures a certificate authority:

* creates a self-signed root certificate, or only a CSR if ``ca:self_signed`` is false
* if ``ca:self_signed`` is false, saves the configured (externally signed) root certificate
* publishes the root certificate to the mine, from where `pca.base`_ picks it up

``pca.clean``
^^^^^^^^^^^^^
Does nothing currently.

Contributing to this repo
-------------------------

Commit messages
^^^^^^^^^^^^^^^

**Commit message formatting is significant!**

Please see `How to contribute `_ for more details.

pre-commit
^^^^^^^^^^

`pre-commit `_ is configured for this formula, which you may optionally use to ease the steps involved in submitting your changes.
First install the ``pre-commit`` package manager using the appropriate `method `_, then run ``bin/install-hooks`` and
now ``pre-commit`` will run automatically on each ``git commit``. ::

    $ bin/install-hooks
    pre-commit installed at .git/hooks/pre-commit
    pre-commit installed at .git/hooks/commit-msg

State documentation
~~~~~~~~~~~~~~~~~~~
There is a script that semi-automatically documents the available states: ``bin/slsdoc``.

If a ``.sls`` file begins with a Jinja comment, the script dumps that comment into the docs. Its behaviour can be configured per formula; currently, see the script source code for details.

This means if you feel a state should be documented, make sure to write a comment explaining it.

Testing
-------

Linux testing is done with ``kitchen-salt``.

Requirements
^^^^^^^^^^^^

* Ruby
* Docker

.. code-block:: bash

    $ gem install bundler
    $ bundle install
    $ bin/kitchen test [platform]

Where ``[platform]`` is the platform name defined in ``kitchen.yml``,
e.g. ``debian-9-2019-2-py3``.

``bin/kitchen converge``
^^^^^^^^^^^^^^^^^^^^^^^^

Creates the Docker instance and runs the ``pca`` main state, ready for testing.

``bin/kitchen verify``
^^^^^^^^^^^^^^^^^^^^^^

Runs the ``inspec`` tests on the actual instance.

``bin/kitchen destroy``
^^^^^^^^^^^^^^^^^^^^^^^

Removes the Docker instance.

``bin/kitchen test``
^^^^^^^^^^^^^^^^^^^^

Runs all of the stages above in one go: i.e. ``destroy`` + ``converge`` + ``verify`` + ``destroy``.

``bin/kitchen login``
^^^^^^^^^^^^^^^^^^^^^

Gives you SSH access to the instance for manual testing.