33 changes: 33 additions & 0 deletions consul-template/defaults.yaml
Expand Up @@ -13,3 +13,36 @@ consul_template:
template:
source: /etc/consul-template/tmpl-source/example.ctmpl
destination: /etc/consul-template/example
secure_download: true
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
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=LYpS
-----END PGP PUBLIC KEY BLOCK-----
hashicorp_key_id: 51852D87348FFC4C
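Review bot: `hashicorp_key_id: 51852D87348FFC4C` is only read as a string because the value happens to contain letters; a key ID made of digits alone, or digits around an `e`, would be coerced to a number and handed mangled to the `gpg --list-keys` guard in install.sls, so quote it as `hashicorp_key_id: "51852D87348FFC4C"`. A comment above `hashicorp_gpg_key` recording where the armored key was obtained and its full fingerprint would let a reviewer confirm the embedded key is the one HashiCorp publishes, which a 16-hex-digit ID on its own cannot establish. The same `secure_download` / `hashicorp_gpg_key` / `hashicorp_key_id` block is pasted verbatim into consul/defaults.yaml further down this page, so the quoting and the provenance comment belong there as well.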
1 change: 1 addition & 0 deletions consul-template/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
{{ consul_template.hashicorp_gpg_key }}
84 changes: 53 additions & 31 deletions consul-template/install.sls
@@ -1,4 +1,6 @@
{% from "consul-template/map.jinja" import consul_template with context %}
{% from slspath + '/map.jinja' import consul_template with context %}

{% set version = consul_template.version %}

consul-template-config-dir:
file.directory:
Expand All @@ -10,37 +12,57 @@ consul-template-template-dir:
- makedirs: True

# Install template renderer
consul-template-download:
/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS:
file.managed:
- name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- source: https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_linux_amd64.zip
- source_hash: sha256={{ consul_template.hash }}
- unless: test -f /usr/local/bin/consul-template-{{ consul_template.version }}

consul-template-extract:
cmd.wait:
- name: unzip /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip -d /tmp
- watch:
- file: consul-template-download

consul-template-install:
file.rename:
- name: /usr/local/bin/consul-template-{{ consul_template.version }}
- source: /tmp/consul-template
- require:
- file: /usr/local/bin
- watch:
- cmd: consul-template-extract
- source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
- makedirs: true
- skip_verify: true

consul-template-clean:
file.absent:
- name: /tmp/consul_template_{{ consul_template.version }}_linux_amd64.zip
- watch:
- file: consul-template-install
/opt/consul-template/{{ version }}/bin:
archive.extracted:
- source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_linux_amd64.zip
- source_hash: /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS
- enforce_toplevel: false
- require:
- /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS

consul-template-link:
/usr/local/bin/consul-template:
file.symlink:
- target: consul-template-{{ consul_template.version }}
- name: /usr/local/bin/consul-template
- watch:
- file: consul-template-install
- target: /opt/consul-template/{{ version }}/bin/consul-template
- force: true
- require:
- /opt/consul-template/{{ version }}/bin

{% if consul_template.secure_download -%}
/opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig:
file.managed:
- source: https://releases.hashicorp.com/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
- skip_verify: true
- require:
- /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS


/tmp/hashicorp.asc:
file.managed:
- source: salt://{{ slspath }}/files/hashicorp.asc.jinja
- template: jinja
- context:
consul_template:
{{ consul_template | yaml }}

import key:

@nledez could you try to use the gpg state here instead of calling the command line directly?

cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ consul_template.hashicorp_key_id }}
- require:
- /tmp/hashicorp.asc

verify shasums sig:
cmd.run:
- name: gpg --verify /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS

@nledez could you try to use the verify function in the salt GPG module instead of calling a command here directly?

- require:
- /opt/consul-template/{{ version }}/consul-template_{{ version }}_SHA256SUMS.sig
- import key
- prereq:
- /usr/local/bin/consul-template
{%- endif %}
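Review bot: `verify shasums sig` (`gpg --verify …`) exits successfully for a good signature from any key in the invoking user's default keyring, not specifically the key that `import key` adds, so a stray or previously imported key would satisfy the check; pin it by importing into and verifying against a dedicated keyring, e.g. `gpg --no-default-keyring --keyring <keyring path> --import /tmp/hashicorp.asc` with the same two options on the `--verify` line. The `unless: gpg --list-keys {{ consul_template.hashicorp_key_id }}` guard has the same weakness, since a 64-bit key ID is only the tail of the fingerprint and matches any key that shares it. Note also that the verify state gates only the symlink via `prereq`, while `/opt/consul-template/{{ version }}/bin` has already fetched and extracted the archive against the still-unverified SHA256SUMS; adding `- /opt/consul-template/{{ version }}/bin` to the `prereq` list (it currently names only `/usr/local/bin/consul-template`) would keep an unverified archive from being written at all. consul/install.sls carries the identical `import key` and `verify shasums sig` states and needs the same changes.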
33 changes: 33 additions & 0 deletions consul/defaults.yaml
Expand Up @@ -20,3 +20,36 @@ consul:
datacenter: "main"
register: []
scripts: []
secure_download: true
hashicorp_gpg_key: |
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
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=LYpS
-----END PGP PUBLIC KEY BLOCK-----
hashicorp_key_id: 51852D87348FFC4C
1 change: 1 addition & 0 deletions consul/files/hashicorp.asc.jinja
@@ -0,0 +1 @@
{{ consul.hashicorp_gpg_key }}
78 changes: 50 additions & 28 deletions consul/install.sls
@@ -1,5 +1,7 @@
{%- from slspath + '/map.jinja' import consul with context -%}

{% set version = consul.version %}

consul-dep-unzip:
pkg.installed:
- name: unzip
Expand Down Expand Up @@ -42,37 +44,57 @@ consul-data-dir:
- mode: 0750

# Install agent
consul-download:
/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS:
file.managed:
- name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- source: https://{{ consul.download_host }}/consul/{{ consul.version }}/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- source_hash: https://releases.hashicorp.com/consul/{{ consul.version }}/consul_{{ consul.version }}_SHA256SUMS
- unless: test -f /usr/local/bin/consul-{{ consul.version }}
- source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS
- makedirs: true
- skip_verify: true

consul-extract:
cmd.wait:
- name: unzip /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip -d /tmp
- watch:
- file: consul-download
/opt/consul/{{ version }}/bin:
archive.extracted:
- source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_linux_amd64.zip
- source_hash: /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS

@nledez I don't think we need to keep the checksums file around in the filesystem after we use them. You could point it to the upstream directly. However I assume you are explicitly downloading them to enforce the GPG check, right?

- enforce_toplevel: false
- require:
- /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS

consul-install:
file.rename:
- name: /usr/local/bin/consul-{{ consul.version }}
- source: /tmp/consul
/usr/local/bin/consul:
file.symlink:
- target: /opt/consul/{{ version }}/bin/consul
- force: true
- require:
- file: /usr/local/bin
- watch:
- cmd: consul-extract
- /opt/consul/{{ version }}/bin

consul-clean:
file.absent:
- name: /tmp/consul_{{ consul.version }}_linux_{{ consul.arch }}.zip
- watch:
- file: consul-install
{% if consul.secure_download -%}
/opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig:
file.managed:
- source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
- skip_verify: true
- require:
- /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS

consul-link:
file.symlink:
- target: consul-{{ consul.version }}
- name: /usr/local/bin/consul
- watch:
- file: consul-install

/tmp/hashicorp.asc:
file.managed:
- source: salt://{{ slspath }}/files/hashicorp.asc.jinja
- template: jinja
- context:
consul:
{{ consul | yaml }}

import key:

@nledez same comment here regarding importing the GPG key using a salt state instead of running a command directly

cmd.run:
- name: gpg --import /tmp/hashicorp.asc
- unless: gpg --list-keys {{ consul.hashicorp_key_id }}
- require:
- /tmp/hashicorp.asc

verify shasums sig:
cmd.run:
- name: gpg --verify /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS

@nledez same comment here regarding using the Salt module instead of a command.

- require:
- /opt/consul/{{ version }}/consul_{{ version }}_SHA256SUMS.sig
- import key
- prereq:
- /usr/local/bin/consul
{%- endif %}
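Review bot: The new archive source `- source: https://releases.hashicorp.com/consul/{{ version }}/consul_{{ version }}_linux_amd64.zip` hard-codes both the host and `amd64`, whereas the removed line honoured `consul.download_host` and `consul.arch`, so any pillar that configured a mirror or a non-amd64 architecture silently regresses to the upstream amd64 build; the SHA256SUMS and `.sig` sources on the new side are host-fixed in the same way. Keep the variables, `- source: https://{{ consul.download_host }}/consul/{{ version }}/consul_{{ version }}_linux_{{ consul.arch }}.zip`, and apply `consul.download_host` to the SHA256SUMS and `.sig` URLs too; the filename in the SHA256SUMS lookup then also follows the chosen arch. Using a mirror stays safe as long as the checksum file is signature-verified with the keyring pinning raised on consul-template/install.sls.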