
[master] Add x509_v2 SSH wrapper, emulate x509.certificate_managed during state.apply #65654

Closed
lkubb wants to merge 9 commits into saltstack:master from lkubb:x509v2-ssh-wrapper

Conversation

lkubb (Contributor) commented Nov 30, 2023

What does this PR do?

  • Adds wrapper functions for x509.create_certificate and x509.get_signing_policy
  • Introduces a workaround for state modules not having wrappers for certificate_managed (essentially a very sophisticated Jinja macro) - certificates can now be managed via salt-ssh state.apply even when they are issued on a remote (this should also work for other salt-ssh minions from the roster as the CA, but it's hard to write tests for)
  • Fixes a bug that meant passing encoding to file.managed via the x509_v2 state module was impossible (I don't think anyone uses this though)

What issues does this PR fix or reference?

Fixes: #65728
Fixes: #40943 (actually fixes the author's issue - the title asks for a different thing than is necessary)

Previous Behavior

  • The x509_v2 modules could not request remotely signed certificates when run via salt-ssh

New Behavior

  • Certificates on SSH minions can be managed, even when a different minion issues them and even statefully

Merge requirements satisfied?

  • Docs
  • Changelog
  • Tests written/updated

Commits signed with GPG?

Yes

salt-project-bot-prod-environment (bot) changed the title from "Add x509_v2 SSH wrapper, emulate x509.certificate_managed during state.apply" to "[master] Add x509_v2 SSH wrapper, emulate x509.certificate_managed during state.apply" on Nov 30, 2023
lkubb force-pushed the x509v2-ssh-wrapper branch 2 times, most recently from e171d03 to a832a20, on November 30, 2023 18:07
lkubb force-pushed the x509v2-ssh-wrapper branch from a832a20 to 540ad4d on November 30, 2023 19:24
lkubb force-pushed the x509v2-ssh-wrapper branch 2 times, most recently from 639ae1e to 83ea4eb, on November 30, 2023 23:20
lkubb added 9 commits January 28, 2026 19:15
to be able to use them in a wrapper module
Also fixes an issue where ``encoding`` could not be passed to
``file.managed`` states.
`x509_v2` requires 3.1 because of PKCS7 import
This is only an issue on Debian 10 and Ubuntu 20.04.
lkubb (Contributor, Author) commented Jan 30, 2026

Since #64708 is merged now, which is based on this PR, everything here has been merged already. Closing. Thanks! :)

lkubb closed this Jan 30, 2026

Labels

test:full Run the full test suite

4 participants