[FEATURE REQUEST] x509_v2 SSH wrappers #67412
lkubb started this conversation in Feature Requests
Replies: 0 comments
Is your feature request related to a problem? Please describe.
I would like to manage X.509 certificates with Salt-SSH while still using remote signing via peer publishing.
Describe the solution you'd like
The wanted solution is twofold:
1. SSH wrappers for x509_v2.create_certificate and x509_v2.get_signing_policy (when ca_server is specified).
2. x509_v2.certificate_managed during rendering (where we still have access to the event bus) and that can be called like a Jinja macro (returning the necessary highstate structure only).
Describe alternatives you've considered
Nothing really. Signing locally on the minion is out of the question for security reasons and the x509_v2.certificate_managed state currently does not work with different backends (one could imagine it e.g. pulling certificates from Vault or somewhere else instead).
Additional context
This has been asked for before, but what the author assumed would add the feature is only a necessary prerequisite: #40943
Point 2. is a workaround for state modules being run on the target without a communication channel back to the master. I have already written the implementation and verified that it works reasonably well. Essentially, it
- publish wrapper to get the public key signed
- (opts["test"] should be passed in to avoid unnecessary issuance, but in the worst case the signed certificate and private key will be discarded by the target)
When using the default jinja|yaml renderer, it should be used like:
But it should work with any renderer as long as it can call wrappers.
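The following is an added sketch of the rendering-time flow that point 2 describes; it is not lkubb's implementation and does not reproduce Salt's actual SSH wrapper module API. It assumes a `publish` callable with the shape `publish(target, function, kwargs) -> {minion_id: result}` (injected so the flow runs offline), that the CSR has already been generated during rendering, that the CA minion exposes `x509.sign_remote_certificate` via peer publishing, and a constructed response shape of `{"data": pem}` or `{"errors": [...]}`. The `test` flag plays the role of `opts["test"]`: a dry run publishes nothing, so no certificate is issued only to be thrown away by the target.

```python
"""Sketch of the rendering-time flow from point 2: a Salt-SSH wrapper-style
function that gets a CSR signed by the CA minion through peer publishing and
returns only the highstate structure the target has to apply.

Hypothetical code: it does not reproduce Salt's wrapper module API or the
exact return shape of publish.publish. `publish` is injected so the flow
can be exercised without a master."""

from typing import Any, Callable, Dict

# Assumed call shape of the publish wrapper: publish(target, function, kwargs)
# returns {minion_id: result}; an empty dict means nobody answered.
PublishFn = Callable[[str, str, Dict[str, Any]], Dict[str, Any]]


class RemoteSigningError(Exception):
    """The CA minion did not return a usable certificate."""


def request_signed_certificate(
    csr_pem: str, ca_server: str, signing_policy: str, publish: PublishFn
) -> str:
    """Ask `ca_server` to sign `csr_pem` under `signing_policy`; return the PEM."""
    responses = publish(
        ca_server,
        "x509.sign_remote_certificate",  # peer-callable signing function (assumed name)
        {"csr": csr_pem, "signing_policy": signing_policy},
    )
    if not responses:
        raise RemoteSigningError(f"{ca_server!r} did not answer the publish")
    if len(responses) != 1:
        # A target matching several minions is ambiguous: refuse rather than pick one.
        raise RemoteSigningError(f"expected one CA response, got {sorted(responses)}")
    result = next(iter(responses.values()))
    # Constructed response shape: {"data": "<pem>"} on success, {"errors": [...]} otherwise.
    if not isinstance(result, dict) or result.get("errors"):
        raise RemoteSigningError(f"CA refused to sign: {result!r}")
    cert_pem = result.get("data")
    if not isinstance(cert_pem, str) or "BEGIN CERTIFICATE" not in cert_pem:
        raise RemoteSigningError("CA returned no certificate")
    return cert_pem


def certificate_managed_ssh(
    name: str,
    csr_pem: str,
    ca_server: str,
    signing_policy: str,
    publish: PublishFn,
    test: bool = False,
    mode: str = "0644",
) -> Dict[str, Any]:
    """Return the highstate fragment a Jinja macro would emit for `name`.

    `test` mirrors opts["test"]: in a dry run nothing is published, so no
    certificate is issued only to be discarded by the target.
    """
    if test:
        # Report a pending change without contacting the CA
        # (test.succeed_with_changes is Salt's no-op state that records a change).
        return {name: {"test.succeed_with_changes": []}}
    cert_pem = request_signed_certificate(csr_pem, ca_server, signing_policy, publish)
    # The signing already happened on the CA minion; the target only applies the result.
    return {name: {"file.managed": [{"contents": cert_pem}, {"mode": mode}]}}


# Constructed stand-in for the publish wrapper and a CA minion called "ca":
# the returned PEM body is a placeholder, not a real certificate.
FAKE_CERT_PEM = (
    "-----BEGIN CERTIFICATE-----\nAAAAconstructedplaceholder\n-----END CERTIFICATE-----\n"
)


def fake_publish(target: str, fun: str, kwargs: Dict[str, Any]) -> Dict[str, Any]:
    if target != "ca" or fun != "x509.sign_remote_certificate":
        return {}  # nobody matched the target: the wrapper must treat this as failure
    if kwargs.get("signing_policy") != "www":
        return {"ca": {"errors": [f"unknown signing policy {kwargs.get('signing_policy')!r}"]}}
    return {"ca": {"data": FAKE_CERT_PEM}}


if __name__ == "__main__":
    csr = "-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n-----END CERTIFICATE REQUEST-----\n"
    print(certificate_managed_ssh("/etc/ssl/www.crt", csr, "ca", "www", fake_publish))
    print(certificate_managed_ssh("/etc/ssl/www.crt", csr, "ca", "www", fake_publish, test=True))
```

The two failure branches (no answer from `ca_server`, or an error from the CA) raise instead of returning a half-built state, so a rendering error surfaces on the master rather than a broken file landing on the target; the dry-run branch never touches the CA at all.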