Function certificate_managed_wrapper

Repository: github.com/saltstack/salt
Source: salt/client/ssh/wrapper/ssh_pki.py:296–650

This function essentially behaves like a sophisticated Jinja macro. It is intended to provide a replacement for the ``ssh_pki.certificate_managed`` state with peer publishing or some backends, which does not work via salt-ssh. It performs the necessary checks during rendering and returns an appropriate highstate structure that does work via salt-ssh.

Signature

certificate_managed_wrapper(
    name,
    ca_server,
    signing_policy,
    backend=None,
    backend_args=None,
    private_key_managed=None,
    private_key=None,
    private_key_passphrase=None,
    public_key=None,
    certificate_managed=None,
    test=None,
)

Source
def certificate_managed_wrapper(
    name,
    ca_server,
    signing_policy,
    backend=None,
    backend_args=None,
    private_key_managed=None,
    private_key=None,
    private_key_passphrase=None,
    public_key=None,
    certificate_managed=None,
    test=None,
):
    """
    This function essentially behaves like a sophisticated Jinja macro.
    It is intended to provide a replacement for the ``ssh_pki.certificate_managed``
    state with peer publishing or some backends, which does not work via salt-ssh.
    It performs necessary checks during rendering and returns an appropriate
    highstate structure that does work via salt-ssh (if a certificate needs to be
    reissued, it is done during rendering and the actual state just manages the file).

    Required arguments are ``name``, ``ca_server`` and ``signing_policy``.
    If you want this function to manage a private key, it should be specified
    in ``private_key_managed``, which should contain all arguments to the
    respective state. Note that the private key will not be checked for changes.
    If you want to use a public key as a source, it must exist during state
    rendering and you cannot manage a private key.

    All optional keyword arguments to ``certificate_managed`` can be specified
    in the dict param ``certificate_managed``.
    Key rotation can be activated by including ``new: true`` in the dict for
    ``private_key_managed``.

    As an example, for Jinja templates, you can serialize this function's output
    directly into the state file. Note that you need to pass ``opts.get("test")``
    explicitly for test mode to work reliably!

    .. code-block:: jinja

        {%- set private_key_params = {
                "name": "/root/.ssh/id_foo",
                "algo": "ed25519",
                "new": true
            } %}
        {%- set certificate_params = {
                "ttl_remaining": "7d",
                "ttl": "30d",
                "valid_principals": ["min.ion.example.org"]
            } %}
        {{
            salt["ssh_pki.certificate_managed_wrapper"](
                "/root/.ssh/id_foo.crt",
                ca_server="ca_minion",
                signing_policy="user_cert",
                private_key_managed=private_key_params,
                certificate_managed=certificate_params,
                test=opts.get("test")
            ) | yaml(false)
        }}

Callers

nothing calls this directly

Calls (9)

SaltInvocationError (class) · 0.90
_load_privkey (function) · 0.70
get (method) · 0.45
items (method) · 0.45
extend (method) · 0.45
append (method) · 0.45
error (method) · 0.45

Tested by

no test coverage detected