```python
def certificate_managed_wrapper(
    name,
    ca_server,
    signing_policy,
    backend=None,
    backend_args=None,
    private_key_managed=None,
    private_key=None,
    private_key_passphrase=None,
    public_key=None,
    certificate_managed=None,
    test=None,
):
    """
    This function essentially behaves like a sophisticated Jinja macro.
    It is intended to provide a replacement for the ``ssh_pki.certificate_managed``
    state with peer publishing or some backends, which does not work via salt-ssh.
    It performs necessary checks during rendering and returns an appropriate
    highstate structure that does work via salt-ssh (if a certificate needs to be
    reissued, it is done during rendering and the actual state just manages the file).

    Required arguments are ``name``, ``ca_server`` and ``signing_policy``.
    If you want this function to manage a private key, it should be specified
    in ``private_key_managed``, which should contain all arguments to the
    respective state. Note that the private key will not be checked for changes.
    If you want to use a public key as a source, it must exist during state
    rendering and you cannot manage a private key.

    All optional keyword arguments to ``certificate_managed`` can be specified
    in the dict param ``certificate_managed``.
    Key rotation can be activated by including ``new: true`` in the dict for
    ``private_key_managed``.

    As an example, for Jinja templates, you can serialize this function's output
    directly into the state file. Note that you need to pass ``opts.get("test")``
    explicitly for test mode to work reliably!

    .. code-block:: jinja

        {%- set private_key_params = {
            "name": "/root/.ssh/id_foo",
            "algo": "ed25519",
            "new": true
        } %}
        {%- set certificate_params = {
            "ttl_remaining": "7d",
            "ttl": "30d",
            "valid_principals": ["min.ion.example.org"]
        } %}
        {{
            salt["ssh_pki.certificate_managed_wrapper"](
                "/root/.ssh/id_foo.crt",
                ca_server="ca_minion",
                signing_policy="user_cert",
                private_key_managed=private_key_params,
                certificate_managed=certificate_params,
                test=opts.get("test")
            ) | yaml(false)
```
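The render-time pattern the docstring describes (check validity while rendering, sign only when needed, honour `new: true` and test mode, and return a highstate that merely manages files), as an added Python sketch that is not Salt's own implementation. The `sign` callback, the ISO 8601 `existing_valid_before`/`now` parameters and the particular states emitted (`ssh_pki.private_key_managed`, `file.exists`, `test.succeed_with_changes`, `file.managed`) are assumptions of this illustration.

```python
from datetime import datetime, timedelta, timezone


def parse_ttl(spec):
    """Parse a duration such as '7d', '12h' or '30m' into a timedelta."""
    units = {"d": 86400, "h": 3600, "m": 60, "s": 1}
    return timedelta(seconds=int(spec[:-1]) * units[spec[-1]])


def _as_dt(value):
    """Accept an ISO 8601 string or a datetime; None means 'no certificate yet'."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def needs_reissue(valid_before, ttl_remaining, now):
    """Reissue when no certificate exists or less than ttl_remaining is left."""
    valid_before = _as_dt(valid_before)
    return valid_before is None or valid_before - _as_dt(now) < parse_ttl(ttl_remaining)


def certificate_managed_wrapper(name, ca_server, signing_policy, sign,
                                private_key_managed=None, certificate_managed=None,
                                existing_valid_before=None, now=None, test=None):
    """Build a highstate dict (state id -> {'mod.fun': [{arg: value}, ...]}) whose
    states only manage files. `sign(ca_server, signing_policy, **cert_args)` is a
    hypothetical stand-in for the render-time request to the CA minion."""
    now = now or datetime.now(timezone.utc).isoformat()
    cert_args = dict(certificate_managed or {})
    ttl_remaining = cert_args.pop("ttl_remaining", "7d")  # consumed at render time only
    highstate = {}
    rotate = False
    if private_key_managed:
        key_args = dict(private_key_managed)
        rotate = bool(key_args.pop("new", False))  # 'new: true' forces a fresh cert
        highstate[key_args["name"]] = {
            "ssh_pki.private_key_managed": [{k: v} for k, v in key_args.items()]
        }
    if not (rotate or needs_reissue(existing_valid_before, ttl_remaining, now)):
        # still valid long enough: nothing is signed, the existing file is kept
        highstate[name] = {"file.exists": [{"name": name}]}
    elif test:
        # test mode must not contact the CA; report the pending change instead
        highstate[name] = {"test.succeed_with_changes": [
            {"name": name}, {"comment": f"certificate would be reissued by {ca_server}"}]}
    else:
        cert = sign(ca_server, signing_policy, **cert_args)  # happens during rendering
        highstate[name] = {"file.managed": [{"name": name}, {"contents": cert}, {"mode": "0644"}]}
    return highstate
```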
nothing calls this directly
no test coverage detected