From 34eafabccfee8ae10b083a80e78b7410381e20c0 Mon Sep 17 00:00:00 2001
From: Nicolas Ledez
Date: Sun, 4 Nov 2018 16:41:14 +0100
Subject: [PATCH 1/2] consul*/install.sls refactoring (use /opt & checksum check. Come from https://github.com/saltstack-formulas/vault-formula.git)

---
consul-template/defaults.yaml | 34 +++++++++
consul-template/files/hashicorp.asc.jinja | 1 +
consul-template/install.sls | 89 +++++++++++++++--------
consul/defaults.yaml | 34 +++++++++
consul/files/hashicorp.asc.jinja | 1 +
consul/install.sls | 87 ++++++++++++++--------
6 files changed, 185 insertions(+), 61 deletions(-)
create mode 100644 consul-template/files/hashicorp.asc.jinja
create mode 100644 consul/files/hashicorp.asc.jinja

diff --git a/consul-template/defaults.yaml b/consul-template/defaults.yaml
index c541ced7..3df66f10 100644
--- a/consul-template/defaults.yaml
+++ b/consul-template/defaults.yaml
@@ -13,3 +13,37 @@ consul_template:
template:
source: /etc/consul-template/tmpl-source/example.ctmpl
destination: /etc/consul-template/example
+ secure_download: true
+ gpg_pkg: gnupg
+ hashicorp_gpg_key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+ W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+ fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+ 3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+ KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+ SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+ cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+ CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+ Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+ SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+ psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+ sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+ klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+ WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+ wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+ 2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+ skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+ mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+ 0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+ CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+ z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+ 0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+ unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+ EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+ oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+ =LYpS
+ -----END PGP PUBLIC KEY BLOCK-----
+ hashicorp_key_id: 51852D87348FFC4C
diff --git a/consul-template/files/hashicorp.asc.jinja b/consul-template/files/hashicorp.asc.jinja
new file mode 100644
index 00000000..e8f34d17
--- /dev/null
+++ b/consul-template/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
+{{ consul_template.hashicorp_gpg_key }}
diff --git a/consul-template/install.sls b/consul-template/install.sls
index 2185847b..2fe3b685 100644
--- a/consul-template/install.sls
+++ b/consul-template/install.sls
@@ -1,4 +1,6 @@
-{% from "consul-template/map.jinja" import consul_template with context %}
+{% from slspath + '/map.jinja' import consul_template with context %}
+
+{% set version = consul_template.version %}

consul-template-config-dir:
file.directory:
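Review bot: The new `secure_download`, `hashicorp_gpg_key` and `hashicorp_key_id` defaults carry no explanation of how they relate, and a wrong pairing fails quietly: `hashicorp_key_id` is consulted only by the `unless: gpg --list-keys` guard of the import step in install.sls, so an ID that does not belong to the embedded key just makes the import re-run on every highstate while `gpg --verify` still accepts a good signature from any key already in root's keyring. I would add above `secure_download: true` the comment `# when true, the SHA256SUMS file is checked against HashiCorp's detached .sig before the binary is put into use` and above `hashicorp_key_id` the comment `# long key ID of hashicorp_gpg_key; used only to skip re-importing it`. The same block is duplicated verbatim in the consul/defaults.yaml hunk, so both copies have to move together when the key rotates.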
@@ -10,37 +12,62 @@ consul-template-template-dir:
- makedirs: True

# Install template renderer
-consul-template-download:
+/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS:
file.managed:
- - name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- - source: https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_linux_amd64.zip
- - source_hash: sha256={{ consul_template.hash }}
- - unless: test -f /usr/local/bin/consul-template-{{ consul_template.version }}
-
-consul-template-extract:
- cmd.wait:
- - name: unzip /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip -d /tmp
- - watch:
- - file: consul-template-download
-
-consul-template-install:
- file.rename:
- - name: /usr/local/bin/consul-template-{{ consul_template.version }}
- - source: /tmp/consul-template
- - require:
- - file: /usr/local/bin
- - watch:
- - cmd: consul-template-extract
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - makedirs: true
+ - skip_verify: true

-consul-template-clean:
- file.absent:
- - name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- - watch:
- - file: consul-template-install
+/opt/consul-template/{{ version }}/bin:
+ archive.extracted:
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_linux_amd64.zip
+ - source_hash: /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - enforce_toplevel: false
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS

-consul-template-link:
+/usr/local/bin/consul-template:
file.symlink:
- - target: consul-template-{{ consul_template.version }}
- - name: /usr/local/bin/consul-template
- - watch:
- - file: consul-template-install
+ - target: /opt/consul-template/{{ version }}/bin/consul-template
+ - force: true
+ - require:
+ - /opt/consul-template/{{ version }}/bin
+
+{% if consul_template.secure_download -%}
+/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig:
+ file.managed:
+ - source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
+ - skip_verify: true
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+
+
+/tmp/hashicorp.asc:
+ file.managed:
+ - source: salt://{{ slspath }}/files/hashicorp.asc.jinja
+ - template: jinja
+ - context:
+ consul_template:
+ {{ consul_template | yaml }}
+
+consul_gpg_pkg:
+ pkg.installed:
+ - name: {{ consul_template.gpg_pkg }}
+
+import key:
+ cmd.run:
+ - name: gpg --import /tmp/hashicorp.asc
+ - unless: gpg --list-keys {{ consul_template.hashicorp_key_id }}
+ - require:
+ - /tmp/hashicorp.asc
+ - consul_gpg_pkg
+
+verify shasums sig:
+ cmd.run:
+ - name: gpg --verify /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
+ - require:
+ - /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
+ - import key
+ - prereq:
+ - /usr/local/bin/consul-template
+{%- endif %}
diff --git a/consul/defaults.yaml b/consul/defaults.yaml
index cad462c9..672f2140 100644
--- a/consul/defaults.yaml
+++ b/consul/defaults.yaml
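Review bot: The archive is unpacked before the signature is checked: `/opt/consul-template/{{ version }}/bin` requires only the SHA256SUMS file, which is fetched with `skip_verify: true`, and `verify shasums sig` is a prereq of the symlink alone, so on first run the zip is downloaded, matched against an as-yet-unverified checksum list and extracted into /opt, and a failed `gpg --verify` only withholds the symlink while the unverified binary stays on disk. Pointing the prereq at the extraction state instead, `- prereq:` / `- /opt/consul-template/{{ version }}/bin`, keeps the unpack from happening until the checksum list has passed verification. Two smaller points in the same hunk: `/tmp/hashicorp.asc` is written into a world-writable directory and read back by a separate state, so a path under `/opt/consul-template/{{ version }}` would be safer, and `gpg --verify` accepts a good signature from any key in root's keyring, so on hosts where that keyring is shared it is worth checking the signing fingerprint via `--status-fd` output against `hashicorp_key_id`. The consul/install.sls hunk of this patch has the same ordering.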
@@ -20,3 +20,37 @@ consul:
datacenter: "main"
register: []
scripts: []
+ secure_download: true
+ gpg_pkg: gnupg
+ hashicorp_gpg_key: |
+ -----BEGIN PGP PUBLIC KEY BLOCK-----
+ Version: GnuPG v1
+
+ mQENBFMORM0BCADBRyKO1MhCirazOSVwcfTr1xUxjPvfxD3hjUwHtjsOy/bT6p9f
+ W2mRPfwnq2JB5As+paL3UGDsSRDnK9KAxQb0NNF4+eVhr/EJ18s3wwXXDMjpIifq
+ fIm2WyH3G+aRLTLPIpscUNKDyxFOUbsmgXAmJ46Re1fn8uKxKRHbfa39aeuEYWFA
+ 3drdL1WoUngvED7f+RnKBK2G6ZEpO+LDovQk19xGjiMTtPJrjMjZJ3QXqPvx5wca
+ KSZLr4lMTuoTI/ZXyZy5bD4tShiZz6KcyX27cD70q2iRcEZ0poLKHyEIDAi3TM5k
+ SwbbWBFd5RNPOR0qzrb/0p9ksKK48IIfH2FvABEBAAG0K0hhc2hpQ29ycCBTZWN1
+ cml0eSA8c2VjdXJpdHlAaGFzaGljb3JwLmNvbT6JATgEEwECACIFAlMORM0CGwMG
+ CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEFGFLYc0j/xMyWIIAIPhcVqiQ59n
+ Jc07gjUX0SWBJAxEG1lKxfzS4Xp+57h2xxTpdotGQ1fZwsihaIqow337YHQI3q0i
+ SqV534Ms+j/tU7X8sq11xFJIeEVG8PASRCwmryUwghFKPlHETQ8jJ+Y8+1asRydi
+ psP3B/5Mjhqv/uOK+Vy3zAyIpyDOMtIpOVfjSpCplVRdtSTFWBu9Em7j5I2HMn1w
+ sJZnJgXKpybpibGiiTtmnFLOwibmprSu04rsnP4ncdC2XRD4wIjoyA+4PKgX3sCO
+ klEzKryWYBmLkJOMDdo52LttP3279s7XrkLEE7ia0fXa2c12EQ0f0DQ1tGUvyVEW
+ WmJVccm5bq25AQ0EUw5EzQEIANaPUY04/g7AmYkOMjaCZ6iTp9hB5Rsj/4ee/ln9
+ wArzRO9+3eejLWh53FoN1rO+su7tiXJA5YAzVy6tuolrqjM8DBztPxdLBbEi4V+j
+ 2tK0dATdBQBHEh3OJApO2UBtcjaZBT31zrG9K55D+CrcgIVEHAKY8Cb4kLBkb5wM
+ skn+DrASKU0BNIV1qRsxfiUdQHZfSqtp004nrql1lbFMLFEuiY8FZrkkQ9qduixo
+ mTT6f34/oiY+Jam3zCK7RDN/OjuWheIPGj/Qbx9JuNiwgX6yRj7OE1tjUx6d8g9y
+ 0H1fmLJbb3WZZbuuGFnK6qrE3bGeY8+AWaJAZ37wpWh1p0cAEQEAAYkBHwQYAQIA
+ CQUCUw5EzQIbDAAKCRBRhS2HNI/8TJntCAClU7TOO/X053eKF1jqNW4A1qpxctVc
+ z8eTcY8Om5O4f6a/rfxfNFKn9Qyja/OG1xWNobETy7MiMXYjaa8uUx5iFy6kMVaP
+ 0BXJ59NLZjMARGw6lVTYDTIvzqqqwLxgliSDfSnqUhubGwvykANPO+93BBx89MRG
+ unNoYGXtPlhNFrAsB1VR8+EyKLv2HQtGCPSFBhrjuzH3gxGibNDDdFQLxxuJWepJ
+ EK1UbTS4ms0NgZ2Uknqn1WRU1Ki7rE4sTy68iZtWpKQXZEJa0IGnuI2sSINGcXCJ
+ oEIgXTMyCILo34Fa/C6VCm2WBgz9zZO8/rHIiQm1J5zqz0DrDwKBUM9C
+ =LYpS
+ -----END PGP PUBLIC KEY BLOCK-----
+ hashicorp_key_id: 51852D87348FFC4C
diff --git a/consul/files/hashicorp.asc.jinja b/consul/files/hashicorp.asc.jinja
new file mode 100644
index 00000000..fa299df1
--- /dev/null
+++ b/consul/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
+{{ consul.hashicorp_gpg_key }}
diff --git a/consul/install.sls b/consul/install.sls
index 047c4477..cd1c5234 100644
--- a/consul/install.sls
+++ b/consul/install.sls
@@ -1,5 +1,7 @@
{%- from slspath + '/map.jinja' import consul with context -%}
+{% set version = consul.version %}
+

consul-dep-unzip:
pkg.installed:
- name: unzip
@@ -42,37 +44,62 @@ consul-data-dir:
- mode: 0750

# Install agent
-consul-download:
+/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS:
file.managed:
- - name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - source: https://{{ consul.download_host }}/consul/{{ consul.version }}/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - source_hash: https://releases.hashicorp.com/consul/{{ consul.version }}/consul_{{ consul.version }}_SHA256SUMS
- - unless: test -f /usr/local/bin/consul-{{ consul.version }}
-
-consul-extract:
- cmd.wait:
- - name: unzip /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip -d /tmp
- - watch:
- - file: consul-download
-
-consul-install:
- file.rename:
- - name: /usr/local/bin/consul-{{ consul.version }}
- - source: /tmp/consul
- - require:
- - file: /usr/local/bin
- - watch:
- - cmd: consul-extract
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - makedirs: true
+ - skip_verify: true

-consul-clean:
- file.absent:
- - name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- - watch:
- - file: consul-install
+/opt/consul/{{ version }}/bin:
+ archive.extracted:
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_linux_amd64.zip
+ - source_hash: /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - enforce_toplevel: false
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS

-consul-link:
+/usr/local/bin/consul:
file.symlink:
- - target: consul-{{ consul.version }}
- - name: /usr/local/bin/consul
- - watch:
- - file: consul-install
+ - target: /opt/consul/{{ version }}/bin/consul
+ - force: true
+ - require:
+ - /opt/consul/{{ version }}/bin
+
+{% if consul.secure_download -%}
+/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig:
+ file.managed:
+ - source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
+ - skip_verify: true
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+
+
+/tmp/hashicorp.asc:
+ file.managed:
+ - source: salt://{{ slspath }}/files/hashicorp.asc.jinja
+ - template: jinja
+ - context:
+ consul:
+ {{ consul | yaml }}
+
+consul_gpg_pkg:
+ pkg.installed:
+ - name: {{ consul.gpg_pkg }}
+
+import key:
+ cmd.run:
+ - name: gpg --import /tmp/hashicorp.asc
+ - unless: gpg --list-keys {{ consul.hashicorp_key_id }}
+ - require:
+ - /tmp/hashicorp.asc
+ - consul_gpg_pkg
+
+verify shasums sig:
+ cmd.run:
+ - name: gpg --verify /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
+ - require:
+ - /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
+ - import key
+ - prereq:
+ - /usr/local/bin/consul
+{%- endif %}

From e560367bead86fad9ede7997cc96fe20131e9f76 Mon Sep 17 00:00:00 2001
From: Nicolas Ledez
Date: Sun, 4 Nov 2018 17:37:26 +0100
Subject: [PATCH 2/2] Fix consul_gpg_pkg error

---
consul-template/defaults.yaml | 1 -
consul-template/install.sls | 5 -----
consul/defaults.yaml | 1 -
consul/install.sls | 5 -----
4 files changed, 12 deletions(-)

diff --git a/consul-template/defaults.yaml b/consul-template/defaults.yaml
index 3df66f10..0ff6e939 100644
--- a/consul-template/defaults.yaml
+++ b/consul-template/defaults.yaml
@@ -14,7 +14,6 @@ consul_template:
source: /etc/consul-template/tmpl-source/example.ctmpl
destination: /etc/consul-template/example
secure_download: true
- gpg_pkg: gnupg
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
diff --git a/consul-template/install.sls b/consul-template/install.sls
index 2fe3b685..b58cbacc 100644
--- a/consul-template/install.sls
+++ b/consul-template/install.sls
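Review bot: The new `archive.extracted` source on the `/opt/consul/{{ version }}/bin` state hardcodes `releases.hashicorp.com` and `linux_amd64`, whereas the removed `consul-download` state built the URL from `consul.download_host` and `consul.arch`; hosts on another architecture or pulling from an internal mirror now get the wrong archive or none at all, and those two pillar keys silently stop having any effect. Restoring them is one line, `- source: https://{{ consul.download_host }}/consul/{{ version }}/consul_{{ version }}_linux_{{ consul.arch }}.zip`, and `source_hash` can stay as it is since the SHA256SUMS list covers every platform zip of a release. Separately, the state IDs `/tmp/hashicorp.asc`, `consul_gpg_pkg`, `import key` and `verify shasums sig` are identical to the ones added in consul-template/install.sls, so including both formulas in one highstate would make Salt refuse it with a conflicting-IDs error; a `consul-` prefix on each ID in this file would avoid that.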
@@ -50,17 +50,12 @@ consul-template-template-dir:
consul_template:
{{ consul_template | yaml }}

-consul_gpg_pkg:
- pkg.installed:
- - name: {{ consul_template.gpg_pkg }}
-
import key:
cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ consul_template.hashicorp_key_id }}
- require:
- /tmp/hashicorp.asc
- - consul_gpg_pkg

verify shasums sig:
cmd.run:
diff --git a/consul/defaults.yaml b/consul/defaults.yaml
index 672f2140..fb989388 100644
--- a/consul/defaults.yaml
+++ b/consul/defaults.yaml
@@ -21,7 +21,6 @@ consul:
register: []
scripts: []
secure_download: true
- gpg_pkg: gnupg
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
diff --git a/consul/install.sls b/consul/install.sls
index cd1c5234..ef4ff721 100644
--- a/consul/install.sls
+++ b/consul/install.sls
@@ -82,17 +82,12 @@ consul-data-dir:
consul:
{{ consul | yaml }}

-consul_gpg_pkg:
- pkg.installed:
- - name: {{ consul.gpg_pkg }}
-
import key:
cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ consul.hashicorp_key_id }}
- require:
- /tmp/hashicorp.asc
- - consul_gpg_pkg

verify shasums sig:
cmd.run:
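Review bot: Dropping `consul_gpg_pkg` removes the only state that ensured gnupg is present, so on a minimal image `import key` now fails at `gpg --import` with a missing command rather than with a verification result, and `secure_download: true` becomes an undocumented dependency on the base image. If the error being fixed was the ID clash between consul/install.sls and consul-template/install.sls (both patch-1 hunks define the same `consul_gpg_pkg`, which is my inference from the visible lines), renaming keeps the guarantee: `consul-template-gpg-pkg:` / `  pkg.installed:` / `    - name: gnupg`, with the `require` of `import key` pointing at the new ID. The consul/install.sls hunk of this patch has the same removal, and `/tmp/hashicorp.asc`, `import key` and `verify shasums sig` still share their IDs across the two formulas after this patch.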