
[master] Add `x509_v2` SSH wrapper, emulate `x509.certificate_managed` during `state.apply`

Open lkubb opened this issue 2 years ago • 1 comments

What does this PR do?

  • Adds wrapper functions for x509.create_certificate and x509.get_signing_policy
  • Introduces a workaround for state modules not having wrappers for certificate_managed (essentially a very sophisticated Jinja macro) - certificates can now be managed via salt-ssh state.apply even when they are issued on a remote (this should also work for other salt-ssh minions from the roster as the CA, but it's hard to write tests for)
  • Fixes a bug that meant passing encoding to file.managed via the x509_v2 state module was impossible (I don't think anyone uses this though)

What issues does this PR fix or reference?

Fixes: https://github.com/saltstack/salt/issues/65728

Fixes: https://github.com/saltstack/salt/issues/40943 (actually fixes the author's issue - the title asks for a different thing than is necessary)

Previous Behavior

  • The x509_v2 modules could not request remotely signed certificates when run via salt-ssh

New Behavior

  • Certificates on SSH minions can be managed, even when a different minion issues them and even statefully

Merge requirements satisfied?

  • [x] Docs
  • [x] Changelog
  • [x] Tests written/updated

Commits signed with GPG?

Yes

lkubb, Nov 30 '23 17:11

~~If this is going to be merged, I would advise to wait until https://github.com/saltstack/salt/pull/65838 has found its way into master and this has been rebased to avoid the maintainers having to deal with merge conflicts.~~

Rebased.

lkubb, Mar 07 '24 11:03