diff --git a/README.rst b/README.rst index fd3948a..67e3294 100644 --- a/README.rst +++ b/README.rst @@ -63,6 +63,11 @@ Install gitfs backend dulwich dependencies. Set ``salt:master:gitfs_provider: du Install gitfs backend GitPython dependenciess. Set ``salt:master:gitfs_provider: gitpython`` in your pillar. +``salt.gitfs.keys`` +---------------------- + +Install ssh keys to be used by gitfs + ``salt.gitfs.pygit2`` ---------------------- diff --git a/pillar.example b/pillar.example index ec2c51d..db8fc55 100644 --- a/pillar.example +++ b/pillar.example @@ -115,6 +115,16 @@ salt: user: ubuntu sudo: True priv: /etc/salt/ssh_keys/sshkey.pem + gitfs: + keys: + global: + # key and pub end up being the extension used on the key file. values other than key and pub are possible + key: | + -----BEGIN RSA PRIVATE KEY----- + ........... + -----END RSA PRIVATE KEY----- + pub: | + ........... salt_cloud_certs: aws: diff --git a/salt/files/gitfs_key.jinja b/salt/files/gitfs_key.jinja new file mode 100644 index 0000000..9d11fbb --- /dev/null +++ b/salt/files/gitfs_key.jinja @@ -0,0 +1 @@ +{{ pillar['salt']['gitfs']['keys'][key][type] }} \ No newline at end of file diff --git a/salt/files/master.d/f_defaults.conf b/salt/files/master.d/f_defaults.conf index 0f35b2a..fbec0a9 100644 --- a/salt/files/master.d/f_defaults.conf +++ b/salt/files/master.d/f_defaults.conf 
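Review bot: The new `salt:gitfs:keys` example stores PEM private-key material as plain pillar text, and neither the example nor the README addition says how that material should be protected. A comment above the `key: |` block would help, e.g. `# private key material: keep this pillar under an encrypted renderer (e.g. the gpg renderer) rather than plain YAML`. The comment `# key and pub end up being the extension used on the key file ...` should also say where the file lands (the keys state writes it below `<config_path>/pki/gitfs/<name>.<ext>`), so that the `gitfs_privkey`/`gitfs_pubkey` master settings can be pointed at it.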
@@ -699,9 +699,37 @@ fileserver_backend: # Git File Server Backend Configuration # -# Gitfs can be provided by one of two python modules: GitPython or pygit2. If -# using pygit2, both libgit2 and git must also be installed. -{{ get_config('gitfs_provider', 'gitpython') }} +# Optional parameter used to specify the provider to be used for gitfs. Must +# be one of the following: pygit2, gitpython, or dulwich. If unset, then each +# will be tried in that same order, and the first one with a compatible +# version installed will be the provider that is used. +{{ get_config('gitfs_provider', 'pygit2') }} + +# Along with gitfs_password, is used to authenticate to HTTPS remotes. +{{ get_config('gitfs_user', 'git') }} + +# Along with gitfs_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +{{ get_config('gitfs_password', 'mypassword') }} + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. Enable this at your own risk. +{{ get_config('gitfs_insecure_auth', 'False') }} + +# Along with gitfs_privkey (and optionally gitfs_passphrase), is used to authenticate +# to SSH remotes. This parameter (or its per-remote counterpart) is required for SSH remotes. +{{ get_config('gitfs_pubkey', '/path/to/key.pub') }} + +# Along with gitfs_pubkey (and optionally gitfs_passphrase), is used to authenticate +# to SSH remotes. This parameter (or its per-remote counterpart) is required for SSH remotes. +{{ get_config('gitfs_privkey', '/path/to/key') }} + +# This parameter is optional, required only when the SSH key being used to +# authenticate is protected by a passphrase. +{{ get_config('gitfs_passphrase', 'mypassphrase') }} + +# Along with gitfs_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. 
# When using the git fileserver backend at least one git remote needs to be # defined. The user running the salt master will need read access to the repo. 
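Review bot: The added block ends with an orphaned comment pair (`# Along with gitfs_user, is used to authenticate to HTTPS remotes.` / `# This parameter is not required if the repository does not use authentication.`) that duplicates the gitfs_password comment and is followed by no `get_config` call, so it reads as a copy-paste leftover and should be dropped. The default for gitfs_insecure_auth is the string `'False'`, while the second hunk of this file (git_pillar_insecure_auth, git_pillar_global_lock, and the pillar_merge_lists change) passes bare `False`; the two hunks should agree, and `{{ get_config('gitfs_insecure_auth', False) }}` matches what the other hunk standardises on. The placeholder defaults `'mypassword'` and `'mypassphrase'` presumably only appear in a commented-out line when the pillar key is unset, as get_config is used elsewhere in this file, but that is worth confirming so an unset pillar never renders a live `gitfs_password: mypassword` line.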
@@ -865,8 +893,67 @@ ext_pillar: {{ get_config('pillar_source_merging_strategy', 'smart') }} # Recursively merge lists by aggregating them instead of replacing them. -{{ get_config('pillar_merge_lists', 'False') }} +{{ get_config('pillar_merge_lists', False) }} +# Git External Pillar (git_pillar) Configuration Options +# +# Specify the provider to be used for git_pillar. Must be either pygit2 or +# gitpython. If unset, then both will be tried in that same order, and the +# first one with a compatible version installed will be the provider that +# is used. +{{ get_config('git_pillar_provider', 'pygit2') }} + +# If the desired branch matches this value, and the environment is omitted +# from the git_pillar configuration, then the environment for that git_pillar +# remote will be base. +{{ get_config('git_pillar_base', 'master') }} + +# If the branch is omitted from a git_pillar remote, then this branch will +# be used instead. +{{ get_config('git_pillar_branch', 'master') }} + +# Environment to use for git_pillar remotes. This is normally derived from +# the branch/tag (or from a per-remote env parameter), but if set this will +# override the process of deriving the env from the branch/tag name. +{{ get_config('git_pillar_env', '') }} + +# Path relative to the root of the repository where the git_pillar top file +# and SLS files are located. +{{ get_config('git_pillar_root', 'pillar') }} + +# Specifies whether or not to ignore SSL certificate errors when contacting +# the remote repository. +{{ get_config('git_pillar_ssl_verify', True) }} + +# When set to False, if there is an update/checkout lock for a git_pillar +# remote and the pid written to it is not running on the master, the lock +# file will be automatically cleared and a new lock will be obtained. +{{ get_config('git_pillar_global_lock', False) }} + +# Git External Pillar Authentication Options +# +# Along with git_pillar_password, is used to authenticate to HTTPS remotes. 
+{{ get_config('git_pillar_user', '') }} + +# Along with git_pillar_user, is used to authenticate to HTTPS remotes. +# This parameter is not required if the repository does not use authentication. +{{ get_config('git_pillar_password', '') }} + +# By default, Salt will not authenticate to an HTTP (non-HTTPS) remote. +# This parameter enables authentication over HTTP. +{{ get_config('git_pillar_insecure_auth', False) }} + +# Along with git_pillar_privkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +{{ get_config('git_pillar_pubkey', '/path/to/key.pub') }} + +# Along with git_pillar_pubkey (and optionally git_pillar_passphrase), +# is used to authenticate to SSH remotes. +{{ get_config('git_pillar_privkey', '/path/to/key') }} + +# This parameter is optional, required only when the SSH key being used +# to authenticate is protected by a passphrase. +{{ get_config('git_pillar_passphrase', '') }} ##### Syndic settings ##### ########################################## diff --git a/salt/gitfs/keys.sls b/salt/gitfs/keys.sls new file mode 100644 index 0000000..badc467 --- /dev/null +++ b/salt/gitfs/keys.sls @@ -0,0 +1,20 @@ +{%- from "salt/map.jinja" import salt_settings with context %} + +{%- set gitfs_keys=salt['pillar.get']('salt:gitfs:keys') %} + +{%- for key, keyvalues in gitfs_keys.items() %} +{%- for type, keydata in keyvalues.items() %} +gitfs-key-{{ key }}-{{ type }}: + file.managed: + - name: {{ salt_settings.config_path }}/pki/gitfs/{{ key }}.{{ type }} + - source: salt://salt/files/gitfs_key.jinja + - template: jinja + - user: root + - group: root + - mode: 600 + - makedirs: True + - defaults: + key: {{ key }} + type: {{ type }} +{%- endfor %} +{%- endfor %} \ No newline at end of file
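Review bot: `salt['pillar.get']('salt:gitfs:keys')` has no default, so when the pillar key is absent the call returns an empty string and `gitfs_keys.items()` fails while the state renders; pass an empty mapping instead, `{%- set gitfs_keys = salt['pillar.get']('salt:gitfs:keys', {}) %}`. The inner loop binds `keydata` but never uses it, because the content is re-read from pillar inside gitfs_key.jinja through the `key`/`type` defaults; either iterate `for type in keyvalues` or feed the value directly via `contents_pillar: salt:gitfs:keys:{{ key }}:{{ type }}` and retire the one-line template. `mode: 600` is an unquoted YAML integer; Salt documents file modes as quoted strings (`mode: '0600'`) to avoid numeric interpretation, and the same mode is applied to the public key, which is harmless but could be `'0644'`.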