action #58676
closed
[tools] manage certificates by salt (pillars)
Description
Currently the key, certificate and CSR are all deployed manually to OSD. For now I'd like to start out with only storing the certificate in a pillar. Next up would be the CSR. For the key I'd highly recommend looking into https://docs.saltstack.com/en/latest/topics/pillar/#pillar-encryption first.
Updated by nicksinger about 5 years ago
- Copied from action #37644: [tools] osd SSL certificate is only valid for openqa.suse.de, not for openqa.nue.suse.com added
Updated by nicksinger almost 5 years ago
- Status changed from New to Feedback
Together with @okurz we came up with a possible solution. See:
- https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/277
- https://gitlab.suse.de/openqa/salt-pillars-openqa/-/merge_requests/227
Tests might fail since states need the updated pillars. On a local test run these changes looked promising and could work :)
Updated by okurz almost 5 years ago
pillars MR was merged. Created https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/278 as a replacement for https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/277 which also fixes tests. Have created a backup of certificates on osd, will merge and monitor on osd.
EDIT: https://gitlab.suse.de/openqa/salt-states-openqa/-/jobs/175786 shows
Detected conflicting IDs, SLS IDs need to be globally unique.
The conflicting ID is 'salt-master' and is found in SLS 'base:salt.master' and SLS 'base:openqa.server'
Weird that this never happened before. Fixed in https://gitlab.suse.de/openqa/salt-states-openqa/-/commit/bfeec97896afc425541c1dbd309c136e83e7e156 .
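Added example (not part of the ticket or of the salt-states-openqa repository): a pre-merge check for the "conflicting IDs" failure quoted above, reporting state IDs declared in more than one SLS file. The SLS contents are constructed sample data, and the scan is a heuristic over raw text before Jinja rendering that assumes all listed SLS files end up on the same minion.

```python
import re
from collections import defaultdict

# Unindented "key:" lines in an SLS file are state IDs, except these
# reserved top-level declarations.
RESERVED = {"include", "extend", "exclude"}
TOP_LEVEL_KEY = re.compile(r"""^(['"]?)([^\s#{'"][^'"]*?)\1\s*:\s*(?:#.*)?$""")

def state_ids(sls_text):
    """Return the state IDs declared at top level in one SLS file."""
    ids = set()
    for line in sls_text.splitlines():
        m = TOP_LEVEL_KEY.match(line)
        # IDs built from Jinja expressions cannot be resolved statically.
        if m and m.group(2) not in RESERVED and "{{" not in line:
            ids.add(m.group(2))
    return ids

def conflicting_ids(tree):
    """Map each state ID found in more than one SLS to those SLS names."""
    seen = defaultdict(list)
    for sls_name in sorted(tree):
        for state_id in state_ids(tree[sls_name]):
            seen[state_id].append(sls_name)
    return {i: names for i, names in seen.items() if len(names) > 1}

# Constructed sample: SLS name -> file content (not the real repository).
SAMPLE_TREE = {
    "salt.master": (
        "salt-master:\n"
        "  pkg.installed: []\n"
        "/etc/salt/master:\n"
        "  file.managed:\n"
        "    - source: salt://salt/master.conf\n"
    ),
    "openqa.server": (
        "include:\n"
        "  - salt.master\n"
        "salt-master:  # same ID as in salt.master\n"
        "  service.running:\n"
        "    - watch:\n"
        "      - file: /etc/salt/master\n"
    ),
}

if __name__ == "__main__":
    for state_id, names in conflicting_ids(SAMPLE_TREE).items():
        print(f"conflicting ID {state_id!r} in: {', '.join(names)}")
```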
Updated by okurz almost 5 years ago
- Status changed from Feedback to Resolved
Applied salt.master to update /etc/salt/master, restarted salt-master with systemctl restart salt-master and applied salt --no-color openqa.suse.de state.apply openqa.server. This seems to have worked and also no failed states remain.