[master] New pem managed state #66322

Conversation


@flajr flajr commented Apr 8, 2024

…l info in the comment

What does this PR do?

Create a new state that handles certificates as files and provides easier management with a few conditions and human-readable info in the comment. Under the hood it uses the standard file.managed state to provide any necessary and already implemented magic.

The reason for this state is easier management of files in PEM format (certificates), which can hold just one certificate or combinations of privkey->certificate->chain.

The requirement is the cryptography package, which is checked. A few more conditions and pieces of information could be added to the output comment later, e.g. if a chain is detected, the right order of the chain could be required by another condition check.

This provides an easy and quick status to any admin dealing with certificate files which they already have at hand.

The name of the module, pem, can certainly be changed if required, but it is relatively appropriate.

Examples

No changes - certificates are the same

----------
          ID: /etc/ssl/postfix/domain.com/domain.com.pem
    Function: pem.managed
      Result: True
     Comment: Existing cert info:
              - Subject: CN=*.domain.com
              - Not valid after: 2024-08-08 23:59:59
              New cert info:
              + Subject: CN=*.domain.com
              + Not valid after: 2024-08-08 23:59:59
              The file /etc/ssl/postfix/domain.com/domain.com.pem is in the correct state
     Started: 11:30:39.960125
    Duration: 167.712 ms
     Changes:

Certificates are not the same - test=true

----------
          ID: /etc/ssl/postfix/domain.com/domain.com.pem
    Function: pem.managed
      Result: None
     Comment: Existing cert info:
              - Subject: CN=*.domain.com
              - Not valid after: 2024-08-08 23:59:59
              New cert info:
              + Subject: CN=*.domain.com
              + Not valid after: 2024-09-09 23:59:59
              The file /etc/ssl/postfix/domain.com/domain.com.pem is set to be changed
              Note: No changes made, actual changes may
              be different due to other states.
     Started: 11:30:39.728193
    Duration: 231.621 ms
     Changes:
              ----------
              diff:
              # normal diff output from file.managed

Certificates do not pass conditions

----------
          ID: /etc/ssl/postfix/domain.com/domain.com.pem
    Function: pem.managed
      Result: False
     Comment: Existing cert info:
              - Subject: CN=*.domain.com
              - Not valid after: 2024-08-08 23:59:59
              New cert info:
              + Subject: CN=*.someother.com
              + Not valid after: 2024-04-04 23:59:59
              New certificate expires sooner than existing one (skip with pillar='{skip_conditions: True}')
              Certificates CN does not match (skip with pillar='{skip_conditions: True}')
     Started: 13:22:26.868966
    Duration: 98.669 ms
     Changes:
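As an added illustration (not code from the PR), a stdlib-only Python model of the decision logic the three examples above show: same cert gives True, a differing cert that passes the conditions gives None in test mode, and a cert failing the expiry or CN condition gives False with the skip hint. The CertInfo values are constructed; the real state would read them from the cryptography package and hand the file write to file.managed.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Hypothetical model of the PR's pem.managed decision logic. The real state
# derives these fields with the cryptography package; here they are constructed.
@dataclass
class CertInfo:
    subject: str              # e.g. "CN=*.domain.com"
    not_valid_after: datetime

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_labels(pem_text):
    """Labels of the PEM blocks in file order, so privkey->cert->chain layout can be checked."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]

def check_conditions(existing, new, skip_conditions=False):
    """Return the failed-condition messages from the PR description (empty when skipped or all pass)."""
    if skip_conditions:
        return []
    hint = " (skip with pillar='{skip_conditions: True}')"
    failed = []
    if new.not_valid_after < existing.not_valid_after:
        failed.append("New certificate expires sooner than existing one" + hint)
    if new.subject != existing.subject:
        failed.append("Certificates CN does not match" + hint)
    return failed

def pem_managed(name, existing, new, test=False, skip_conditions=False):
    """Model of the state return: result True = unchanged, None = test mode, False = conditions failed."""
    lines = ["Existing cert info:",
             f"- Subject: {existing.subject}",
             f"- Not valid after: {existing.not_valid_after:%Y-%m-%d %H:%M:%S}",
             "New cert info:",
             f"+ Subject: {new.subject}",
             f"+ Not valid after: {new.not_valid_after:%Y-%m-%d %H:%M:%S}"]
    if existing == new:  # simplification: the real state compares file content
        lines.append(f"The file {name} is in the correct state")
        return {"name": name, "result": True, "comment": "\n".join(lines), "changes": {}}
    failed = check_conditions(existing, new, skip_conditions)
    if failed:
        return {"name": name, "result": False, "comment": "\n".join(lines + failed), "changes": {}}
    if test:
        lines.append(f"The file {name} is set to be changed")
        return {"name": name, "result": None, "comment": "\n".join(lines), "changes": {}}
    # The real state delegates here to file.managed and returns its diff as changes.
    lines.append(f"The file {name} updated")
    return {"name": name, "result": True, "comment": "\n".join(lines), "changes": {"diff": "(from file.managed)"}}
```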

@flajr flajr requested a review from a team as a code owner April 8, 2024 11:46
@flajr flajr requested review from twangboy and removed request for a team April 8, 2024 11:46

welcome bot commented Apr 8, 2024

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at saltproject@vmware.com. We’re glad you’ve joined our community and look forward to doing awesome things with you!

@salt-project-bot-prod-environment salt-project-bot-prod-environment bot changed the title New pem managed state [master] New pem managed state Apr 8, 2024
twangboy
twangboy previously approved these changes Apr 9, 2024

flajr commented Apr 10, 2024

Can someone point me to how to solve the problems in the pipeline, please?

@twangboy

I think you also need to add it to salt/doc/ref/states/all/index.rst

@twangboy

I think all we need now is a changelog.


flajr commented Apr 16, 2024

It was not working as expected when passing content, and also some errors from the cryptography package were not caught. Now it should be more stable. Thank you for your time spent on this.

@twangboy

We'll be discussing this in our Standup Today. We have moved many modules out of Salt to be supported by the community as Salt Extensions. This may be a candidate for a Salt Extension.


@dwoz dwoz left a comment


I think this contribution would be better made as a salt extension rather than landing in the core Salt codebase.


flajr commented Apr 23, 2024

I am a little bit lost: where should I contribute this code as part of a salt extension? Should a new repository be created, or should I contribute to one of the existing ones at https://github.com/orgs/salt-extensions/repositories ?

@twangboy

I think this would be a new repository in the salt-extensions org. @nicholasmhughes can create it and make you the maintainer
