Skip to content

[master] Acme fixes#65721

Closed
jeffclay wants to merge 7 commits intosaltstack:masterfrom
jeffclay:acme-fixes
Closed

[master] Acme fixes#65721
jeffclay wants to merge 7 commits intosaltstack:masterfrom
jeffclay:acme-fixes

Conversation

@jeffclay
Copy link

@jeffclay jeffclay commented Dec 17, 2023

What does this PR do?

Acme State

Added dns_plugin_propogate_seconds option to cert().
Added option to replace an existing staging/test certificate with a production cert.

Acme Module

Added dns_plugin_propogate_seconds option to cert(). This was previously in the doc string but not actually coded anywhere.
Added revoke() with optional reason.
Added delete().

What issues does this PR fix or reference?

Fixes:
#63700
#64686

Previous Behavior

  1. dns_plugin_propogate_seconds only existed in doc strings.
  2. After creating a certificate using test_cert flag then removing the flag, the result was nothing happening due to:
    1. Acme state does check to see if cert exists and if it does it just checks if it needs renewed. No consideration for replacing a staging certificate.

      salt/salt/states/acme.py

      Line 104 in 75269c4

      if not __salt__["acme.has"](certname):
    2. Acme module did not have capability to revoke or delete a certificate.

New Behavior

  1. dns_plugin_propogate_seconds exists in Acme state and module
  2. Acme state has new bool option replace_staging that will revoke and delete a staging certificate as long as "STAGING" is in the cert issuer dictionary and test_cert is no longer requested.
  3. Acme module has new revoke capability which will delete a cert after revocation due to the --non-interactive cmd switch.
  4. Acme module has new delete capability which deletes certificates. (No need to call this after revoke in sls state or Acme state, just seemed like a natural thing to add along with revoke.)

Merge requirements satisfied?

[NOTICE] Bug fixes or features added to Salt require tests.

Commits signed with GPG?

Yes

Please review Salt's Contributing Guide for best practices.

See GitHub's page on GPG signing for more information about signing commits with GPG.

@jeffclay jeffclay requested a review from a team as a code owner December 17, 2023 06:00
@jeffclay jeffclay requested review from twangboy and removed request for a team December 17, 2023 06:00
@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title Acme fixes [master] Acme fixes Dec 17, 2023
@jeffclay
Copy link
Author

jeffclay commented Dec 17, 2023

This is a retry for PR #64685 since I mangled the re-base.

@dwoz dwoz modified the milestones: Argon v3008.0, Chlorine v3007.0 Dec 18, 2023
@jeffclay @dwoz
Add propagation delay and stage certificate replacement options
24fac5b 
Two new parameters were added to the ACME salt state to enhance configuration flexibility. The first, 'dns_plugin_propagate_seconds', allows specifying a delay for DNS propagation. The second, 'replace_staging', enables replacement of a same-name staging (test) certificate with a production one.
@jeffclay @dwoz
Add revoke and delete functions in acme module
2e86f28 
This commit introduces two new functions, "revoke" and "delete", to the ACME module, empowering users with the ability to revoke and delete certificates. An additional optional argument, "propagation_seconds", is also added for the Cloudflare DNS plugin which affects certificate renewal process.
@jeffclay @dwoz
Add changelogs for PR
02395d0
@jeffclay @dwoz
Document version addition in 'revoke' and 'delete' functions
1b3d513 
Added `versionadded` directive to the `revoke` and `delete` functions in the acme module
@jeffclay @dwoz
Fixing ci/cd error:
dc483fd 
/home/runner/work/salt/salt/salt/modules/acme.py:docstring of salt.modules.acme.delete:2: WARNING: Explicit markup ends without a blank line; unexpected unindent.
/home/runner/work/salt/salt/salt/modules/acme.py:docstring of salt.modules.acme.revoke:2: WARNING: Explicit markup ends without a blank line; unexpected unindent.
@jeffclay @dwoz
Add return statements in acme.py
7d42ba6 
The return statements have been added to the `delete` and `revocation` functions in the acme.py module. This ensures that each function will return a value of True upon successful completion
@jeffclay @dwoz
Refactor acme module unit tests
bf381f6 
The tests for the acme module have been simplified and streamlined for certificate revocation and deletion. The changes replace verbose setup dictionaries with more direct MagicMock patches and assertions, making the test cases more readable and maintainable. The code also better covers edge cases through more specific field checks in the assertion stage.
@jeffclay
Copy link
Author

jeffclay commented Dec 28, 2023

@dwoz Do I need to do anything here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@twangboy twangboy twangboy approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

Argon v3008.0

Development

Successfully merging this pull request may close these issues.

3 participants

@jeffclay @twangboy @dwoz