feat: starttls #558
feat: starttls #558
Conversation
|
in e655530 pebble is running but hitting: tried with |
bugs->bugs cert $host->$host cert loadbalancer->all certs
salt/tls/init.sls
Outdated
| {% if salt["match.compound"](pillar["roles"]["salt-master"]["pattern"]) %} | ||
| # HTTP-validated domains | ||
| {% for domain in [ | ||
| 'pypa.io', |
There was a problem hiding this comment.
Lists like these are always a good sign that something should be in pillar rather than a state.
I'd suggest moving this list into a subkey of
Line 4 in 7fcd4a3
Maybe acme_certs.
Something like:
tls:
acme_certs:
example.com:
validation: http
roles:
- loadbalancer
- example
additional_sans:
- www.example.com
This would also simplify the logic in your pillar extension to allow us to determine where certs are validated (once dns is supported) and distributed.
salt/_extensions/pillar/ca.py
Outdated
| print(f"Processing ACME certificates for minion: {minion_id}") | ||
| all_acme_certs = _find_acme_certs() | ||
|
|
||
| # Check if this is a loadbalancer (gets all certs) |
There was a problem hiding this comment.
This is all a lot of work, when we could theoretically just assign certs explicitly to roles, see other comment.
salt/_extensions/pillar/ca.py
Outdated
| for domain, domain_config in acme_certs.items(): | ||
| cert_roles = domain_config.get("roles", []) | ||
| if any(role in minion_roles for role in cert_roles): | ||
| data["tls"]["acme_certs"][domain] = domain_config |
There was a problem hiding this comment.
i'd have thought that this would be populating the actual certificate data into pillar so the minion can use it.
pillar/base/tls.sls
Outdated
| @@ -61,3 +61,77 @@ tls: | |||
| svn.psf.io: | |||
| roles: | |||
| - hg | |||
|
|
|||
| acme_certs: | |||
| bugs.python.org: | |||
There was a problem hiding this comment.
I don't see a reason to have a separate instance here just for bugs.python.org. The same cert can be used for the load balancer and the roundup box.
Description
Closes