diff --git a/consul-template/defaults.yaml b/consul-template/defaults.yaml
index c541ced7..0ff6e939 100644
--- a/consul-template/defaults.yaml
+++ b/consul-template/defaults.yaml
@@ -13,3 +13,36 @@ consul_template: template: source: /etc/consul-template/tmpl-source/example.ctmpl destination: /etc/consul-template/example + secure_download: true + hashicorp_gpg_key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v1 + + mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f + W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq + fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA + 3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca + KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k + SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1 + cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG + CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n + Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i + SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi + psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w + sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO + klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW + WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9 + wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j + 2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM + skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo + mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y + 0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA + CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc + z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP + 0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG + unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ + EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ + oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C + =LYpS + -----END PGP PUBLIC KEY BLOCK----- + hashicorp_key_id: 51852D87348FFC4C 
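Review bot: The three new keys `secure_download`, `hashicorp_gpg_key` and `hashicorp_key_id` arrive without a comment saying what they control or where the key comes from, even though `secure_download: false` is the switch that turns the signature check off entirely. Suggest a comment above them such as `# Verify the release SHA256SUMS signature against hashicorp_gpg_key before linking the binary; set to false to skip the check.` and, above the key block, `# HashiCorp release-signing public key; check the fingerprint against HashiCorp's published key before replacing it.` The same armored key and key id are repeated verbatim in consul/defaults.yaml, so a key rotation has to be applied in two places; one shared file that both formulas read would stop the copies from drifting. `hashicorp_key_id` is a 16-hex-digit long key ID that only gates `gpg --import` via `unless`, which is fine for that purpose, but a full fingerprint would be the unambiguous identifier if it is ever used for anything more.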
diff --git a/consul-template/files/hashicorp.asc.jinja b/consul-template/files/hashicorp.asc.jinja
new file mode 100644
index 00000000..e8f34d17
--- /dev/null
+++ b/consul-template/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
+{{ consul_template.hashicorp_gpg_key }}
diff --git a/consul-template/install.sls b/consul-template/install.sls
index 2185847b..b58cbacc 100644
--- a/consul-template/install.sls
+++ b/consul-template/install.sls
@@ -1,4 +1,6 @@
-{% from "consul-template/map.jinja" import consul_template with context %}
+{% from slspath + '/map.jinja' import consul_template with context %}
+
+{% set version = consul_template.version %}
 consul-template-config-dir:
 file.directory:
@@ -10,37 +12,57 @@ consul-template-template-dir:
 - makedirs: True
 # Install template renderer
-consul-template-download:
+/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS:
 file.managed:
- - name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- - source: https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_linux_amd64.zip
- - source_hash: sha256={{ consul_template.hash }}
- - unless: test -f /usr/local/bin/consul-template-{{ consul_template.version }}
-
-consul-template-extract:
- cmd.wait:
- - name: unzip /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip -d /tmp
- - watch:
- - file: consul-template-download
-
-consul-template-install:
- file.rename:
- - name: /usr/local/bin/consul-template-{{ consul_template.version }}
- - source: /tmp/consul-template
- - require:
- - file: /usr/local/bin
- - watch:
- - cmd: consul-template-extract
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - makedirs: true
+ - skip_verify: true
-consul-template-clean:
- file.absent:
- - name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- - watch:
- - file: consul-template-install
+/opt/consul-template/{{ version }}/bin:
+ archive.extracted:
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_linux_amd64.zip
+ - source_hash: /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - enforce_toplevel: false
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
-consul-template-link:
+/usr/local/bin/consul-template:
 file.symlink:
- - target: consul-template-{{ consul_template.version }}
- - name: /usr/local/bin/consul-template
- - watch:
- - file: consul-template-install
+ - target: /opt/consul-template/{{ version }}/bin/consul-template
+ - force: true
+ - require:
+ - /opt/consul-template/{{ version }}/bin
+
+{% if consul_template.secure_download -%}
+/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig:
+ file.managed:
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
+ - skip_verify: true
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+
+
+/tmp/hashicorp.asc:
+ file.managed:
+ - source: salt://{{ slspath }}/files/hashicorp.asc.jinja
+ - template: jinja
+ - context:
+ consul_template:
+ {{ consul_template | yaml }}
+
+import key:
+ cmd.run:
+ - name: gpg --import /tmp/hashicorp.asc
+ - unless: gpg --list-keys {{ consul_template.hashicorp_key_id }}
+ - require:
+ - /tmp/hashicorp.asc
+
+verify shasums sig:
+ cmd.run:
+ - name: gpg --verify /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
+ - import key
+ - prereq:
+ - /usr/local/bin/consul-template
+{%- endif %}
diff --git a/consul/defaults.yaml b/consul/defaults.yaml
index cad462c9..fb989388 100644
--- a/consul/defaults.yaml
+++ b/consul/defaults.yaml
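Review bot: `verify shasums sig` is only a `prereq` of the `/usr/local/bin/consul-template` symlink, so the zip is downloaded, checked against the still-unauthenticated SHA256SUMS file and extracted into `/opt/consul-template/{{ version }}/bin` before the signature on that file is ever verified; only the symlink is gated. Making the verification a prereq of the extraction instead, `- prereq:` / `- /opt/consul-template/{{ version }}/bin`, keeps an unverified binary from landing on disk at all, and the symlink is still covered because it requires the bin directory. The key is written to `/tmp/hashicorp.asc` and imported into root's default keyring, where `gpg --verify` will also accept a good signature from any other key that happens to be present; using a dedicated keyring for both states, e.g. `gpg --no-default-keyring --keyring /opt/consul-template/hashicorp.gpg --import ...` and the same two flags on the `--verify` line, with the .asc kept under `/opt/consul-template` rather than `/tmp`, limits trust to the embedded key and avoids staging key material in a world-writable directory. Nothing in this hunk installs gnupg, so `import key` fails on a minimal image unless the package is provided elsewhere; a `pkg.installed` that `import key` requires would mirror how `consul-dep-unzip` handles unzip in the consul formula. All of these points apply equally to the matching hunk in consul/install.sls.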
@@ -20,3 +20,36 @@ consul: datacenter: "main" register: [] scripts: [] + secure_download: true + hashicorp_gpg_key: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v1 + + mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f + W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq + fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA + 3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca + KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k + SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1 + cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG + CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n + Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i + SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi + psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w + sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO + klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW + WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9 + wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j + 2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM + skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo + mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y + 0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA + CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc + z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP + 0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG + unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ + EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ + oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C + =LYpS + -----END PGP PUBLIC KEY BLOCK----- + hashicorp_key_id: 51852D87348FFC4C 
diff --git a/consul/files/hashicorp.asc.jinja b/consul/files/hashicorp.asc.jinja
new file mode 100644
index 00000000..fa299df1
--- /dev/null
+++ b/consul/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
+{{ consul.hashicorp_gpg_key }}
diff --git a/consul/install.sls b/consul/install.sls
index 047c4477..ef4ff721 100644
--- a/consul/install.sls
+++ b/consul/install.sls
@@ -1,5 +1,7 @@
 {%- from slspath + '/map.jinja' import consul with context -%}
+{% set version = consul.version %}
+
 consul-dep-unzip:
 pkg.installed:
 - name: unzip
@@ -42,37 +44,57 @@ consul-data-dir:
 - mode: 0750
 # Install agent
-consul-download:
+/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS:
 file.managed:
- - name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - source: https://{{ consul.download_host }}/consul/{{ consul.version }}/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - source_hash: https://releases.hashicorp.com/consul/{{ consul.version }}/consul_{{ consul.version }}_SHA256SUMS
- - unless: test -f /usr/local/bin/consul-{{ consul.version }}
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - makedirs: true
+ - skip_verify: true
-consul-extract:
- cmd.wait:
- - name: unzip /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip -d /tmp
- - watch:
- - file: consul-download
+/opt/consul/{{ version }}/bin:
+ archive.extracted:
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_linux_amd64.zip
+ - source_hash: /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - enforce_toplevel: false
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
-consul-install:
- file.rename:
- - name: /usr/local/bin/consul-{{ consul.version }}
- - source: /tmp/consul
+/usr/local/bin/consul:
+ file.symlink:
+ - target: /opt/consul/{{ version }}/bin/consul
+ - force: true
 - require:
- - file: /usr/local/bin
- - watch:
- - cmd: consul-extract
+ - /opt/consul/{{ version }}/bin
-consul-clean:
- file.absent:
- - name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - watch:
- - file: consul-install
+{% if consul.secure_download -%}
+/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig:
+ file.managed:
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
+ - skip_verify: true
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
-consul-link:
- file.symlink:
- - target: consul-{{ consul.version }}
- - name: /usr/local/bin/consul
- - watch:
- - file: consul-install
+
+/tmp/hashicorp.asc:
+ file.managed:
+ - source: salt://{{ slspath }}/files/hashicorp.asc.jinja
+ - template: jinja
+ - context:
+ consul:
+ {{ consul | yaml }}
+
+import key:
+ cmd.run:
+ - name: gpg --import /tmp/hashicorp.asc
+ - unless: gpg --list-keys {{ consul.hashicorp_key_id }}
+ - require:
+ - /tmp/hashicorp.asc
+
+verify shasums sig:
+ cmd.run:
+ - name: gpg --verify /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
+ - import key
+ - prereq:
+ - /usr/local/bin/consul
+{%- endif %}
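Review bot: The new `archive.extracted` source hard-codes `releases.hashicorp.com` and `linux_amd64`, whereas the removed `consul-download` state built the zip URL from `{{ consul.download_host }}` and `{{ consul.arch }}`; if those keys are still defined in defaults.yaml or map.jinja they are now silently ignored, and mirror setups and non-amd64 hosts stop working without any error. Restore them on the source line, `- source: https://{{ consul.download_host }}/consul/{{ version }}/consul_{{ version }}_linux_{{ consul.arch }}.zip`, keeping the SHA256SUMS and .sig on `releases.hashicorp.com` as the old `source_hash` already did, or remove the two keys so the behaviour change is visible to users. The verification-ordering, keyring and gnupg-dependency points raised on the consul-template/install.sls hunk apply here unchanged.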