Home Explore Help
Register Sign In
nee2c
/
salt
mirror of https://github.com/nee2c/salt.git
1
0
Fork 0
Files Issues 0 Wiki
Branch: master
Branches Tags
salt
/
doc
/
topics
/
venafi
/
index.rst

index.rst 4.4 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151 
  1. =====================
    2. 

  2. Venafi Tools for Salt
    3. 

  3. =====================
    4. 

  4. 

  5. Introduction
    6. 

  6. ~~~~~~~~~~~~
    7. 

  7. 

  8. First, you need to configure the ``master`` file. This is because
    9. 

  9. all module functions require either a configured ``api_key`` (for Cloud) or
    10. 

  10. ``a ttp_user`` with a ``tpp_password`` and a ``base_url`` (for Trust Platform).
    11. 

  11. 

  12. For Venafi Cloud:
    13. 

  13. 

  14. .. code-block:: yaml
    15. 

  15. 

  16.     venafi:
    17. 

  17.       api_key: abcdef01-2345-6789-abcd-ef0123456789
    18. 

  18.       base_url: "https://cloud.venafi.example.com/"    (optional)
    19. 

  19. 

  20. If you don't have a Venafi Cloud account, you can sign up for one on the `enrollment page`_.
    21. 

  21. 

  22. .. _enrollment page: https://www.venafi.com/platform/cloud/devops
    23. 

  23. 

  24. For Venafi Platform:
    25. 

  25. 

  26. .. code-block:: yaml
    27. 

  27. 

  28.     venafi:
    29. 

  29.       base_url: "https://tpp.example.com/"
    30. 

  30.       tpp_user: admin
    31. 

  31.       tpp_password: "Str0ngPa$$w0rd"
    32. 

  32.       trust_bundle: "/opt/venafi/bundle.pem"
    33. 

  33. 

  34. *It is not common for the Venafi Platform's REST API (WebSDK) to be secured using a certificate issued by a publicly trusted CA, therefore establishing trust for that server certificate is a critical part of your configuration. Ideally this is done by obtaining the root CA certificate in the issuing chain in PEM format and copying that file to your Salt Master (e.g. /opt/venafi/bundle.pem). You then reference that file using the 'trust_bundle' parameter as shown above.*
    35. 

  35. 

  36. For the Venafi module to create keys and certificates it is necessary to enable external pillars. This is done by adding the following to the ``/etc/salt/master`` file:
    37. 

  37. 

  38. .. code-block:: yaml
    39. 

  39. 

  40.     ext_pillar:
    41. 

  41.       - venafi: True
    42. 

  42. 

  43. 

  44. Runner Functions
    45. 

  45. ~~~~~~~~~~~~~~~~
    46. 

  46. 

  47. request
    48. 

  48. -------
    49. 

  49. This command is used to enroll a certificate from Venafi Cloud or Venafi Platform.
    50. 

  50. 

  51. ``minion_id``
    52. 

  52.     ID of the minion for which the certificate is being issued. Required.
    53. 

  53. 

  54. ``dns_name``
    55. 

  55.     DNS subject name for the certificate. Required if ``csr_path`` is not specified.
    56. 

  56. 

  57. ``csr_path``
    58. 

  58.     Full path name of certificate signing request file to enroll. Required if ``dns_name`` is not specified.
    59. 

  59. 

  60. ``zone``
    61. 

  61.     Venafi Cloud zone ID or Venafi Platform folder that specify key and certificate policy. Defaults to "Default". For Venafi Cloud, the Zone ID can be found in the Zone page for your Venafi Cloud project.
    62. 

  62. 

  63. ``org_unit``
    64. 

  64.     Business Unit, Department, etc. Do not specify if it does not apply.
    65. 

  65. 

  66. ``org``
    67. 

  67.     Exact legal name of your organization. Do not abbreviate.
    68. 

  68. 

  69. ``loc``
    70. 

  70.     City/locality where your organization is legally located.
    71. 

  71. 

  72. ``state``
    73. 

  73.     State or province where your organization is legally located. Must not be abbreviated.
    74. 

  74. 

  75. ``country``
    76. 

  76.     Country where your organization is legally located; two-letter ISO code.
    77. 

  77. 

  78. ``key_password``
    79. 

  79.     Password for encrypting the private key.
    80. 

  80. 

  81. The syntax for requesting a new certificate with private key generation looks like this:
    82. 

  82. 

  83. .. code-block:: bash
    84. 

  84. 

  85.     salt-run venafi.request minion.example.com dns_name=www.example.com \
    86. 

  86.     country=US state=California loc=Sacramento org="Company Name" org_unit=DevOps \
    87. 

  87.     zone=Internet key_password=SecretSauce
    88. 

  88. 

  89. And the syntax for requesting a new certificate using a previously generated CSR looks like this:
    90. 

  90. 

  91. .. code-block:: bash
    92. 

  92. 

  93.     salt-run venafi.request minion.example.com csr_path=/tmp/minion.req zone=Internet
    94. 

  94. 

  95. 

  96. show_cert
    97. 

  97. ---------
    98. 

  98. This command is used to show last issued certificate for domain.
    99. 

  99. 

  100. ``dns_name``
    101. 

  101.     DNS subject name of the certificate to look up.
    102. 

  102. 

  103. .. code-block:: bash
    104. 

  104. 

  105.   salt-run venafi.show_cert www.example.com
    106. 

  106. 

  107. 

  108. list_domain_cache
    109. 

  109. -----------------
    110. 

  110. This command lists domains that have been cached on this Salt Master.
    111. 

  111. 

  112. .. code-block:: bash
    113. 

  113. 

  114.   salt-run venafi.list_domain_cache
    115. 

  115. 

  116. 

  117. del_cached_domain
    118. 

  118. -----------------
    119. 

  119. This command deletes a domain from the Salt Master's cache.
    120. 

  120. 

  121. ``domains``
    122. 

  122.     A domain name, or a comma-separated list of domain names, to delete from this master's cache.
    123. 

  123. 

  124. .. code-block:: bash
    125. 

  125. 

  126.   salt-run venafi.del_cached_domain www.example.com
    127. 

  127. 

  128. 

  129. Transfer certificate to a minion
    130. 

  130. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    131. 

  131. 

  132. To transfer a cached certificate to a minion, you can use Venafi pillar.
    133. 

  133. 

  134. Example state (SLS) file:
    135. 

  135. 

  136. .. code-block:: yaml
    137. 

  137. 

  138.     /etc/ssl/cert/www.example.com.crt:
    139. 

  139.       file.managed:
    140. 

  140.           - contents_pillar: venafi:www.example.com:cert
    141. 

  141.           - replace: True
    142. 

  142. 

  143.     /etc/ssl/cert/www.example.com.key:
    144. 

  144.       file.managed:
    145. 

  145.           - contents_pillar: venafi:www.example.com:pkey
    146. 

  146.           - replace: True
    147. 

  147. 

  148.     /etc/ssl/cert/www.example.com-chain.pem:
    149. 

  149.       file.managed:
    150. 

  150.           - contents_pillar: venafi:www.example.com:chain
    151. 

  151.           - replace: True
    152.