Make x509_v2 the default x509 modules

2025-04-10 14:51:40 +00:00 · 2024-04-17 02:35:24 +02:00 · 2024-04-17 02:35:24 +02:00 · 32ac3cf679
commit 32ac3cf679
parent 352b83aea7
10 changed files with 30 additions and 47 deletions
--- a/changelog/66384.changed.md
+++ b/changelog/66384.changed.md
@ -0,0 +1 @@
+Made x509_v2 the default x509 modules. Until they are removed in the next major release, you can still revert to the old modules by setting `features: {x509_v2: false}` in the configuration
--- a/salt/modules/x509.py
+++ b/salt/modules/x509.py
@ -13,9 +13,9 @@ Manage X509 certificates
    modules. For breaking changes between both versions,
    you can refer to the :ref:`x509_v2 execution module docs <x509-setup>`.

-    They will become the default ``x509`` modules in Salt 3008 (Argon).
-    You can explicitly switch to the new modules before that release
-    by setting ``features: {x509_v2: true}`` in your minion configuration.
+    They have become the default ``x509`` modules in Salt 3008.0 (Argon).
+    Until they are removed, you can still revert to the deprecated modules
+    by setting ``features: {x509_v2: false}`` in your minion configuration.
 """

 import ast
@ -92,7 +92,7 @@ def __virtual__():
    only load this module if m2crypto is available
    """
    # salt.features appears to not be setup when invoked via peer publishing
-    if __opts__.get("features", {}).get("x509_v2"):
+    if __opts__.get("features", {}).get("x509_v2", True):
        return (False, "Superseded, using x509_v2")
    if HAS_M2:
        salt.utils.versions.warn_until(
--- a/salt/modules/x509_v2.py
+++ b/salt/modules/x509_v2.py
@ -9,6 +9,10 @@ Manage X.509 certificates
    This module represents a complete rewrite of the original ``x509`` modules
    and is named ``x509_v2`` since it introduces breaking changes.

+.. versionchanged:: 3008.0
+
+    This module is now the default ``x509`` module and therefore does not need
+    to be enabled explicitly anymore.

 .. note::

@ -19,19 +23,6 @@ Manage X.509 certificates

 Configuration
 -------------
-Explicit activation
-~~~~~~~~~~~~~~~~~~~
-Since this module uses the same virtualname as the previous ``x509`` modules,
-but is incompatible with them, it needs to be explicitly activated on each
-minion by including the following line in the minion configuration:
-
-.. code-block:: yaml
-
-    # /etc/salt/minion.d/x509.conf
-
-    features:
-      x509_v2: true
-
 Peer communication
 ~~~~~~~~~~~~~~~~~~
 To be able to remotely sign certificates, it is required to configure the Salt
@ -163,6 +154,18 @@ Breaking changes versus the previous ``x509`` modules

 Note that when a ``ca_server`` is involved, both peers must use the updated module version.

+Revert to old modules
+~~~~~~~~~~~~~~~~~~~~~
+Until they are removed, you can still revert to the deprecated ``x509`` modules
+by setting the following minion configuration value:
+
+.. code-block:: yaml
+
+    # /etc/salt/minion.d/x509.conf
+
+    features:
+      x509_v2: false
+
 .. _x509-setup:
 """

@ -201,12 +204,8 @@ def __virtual__():
    if not HAS_CRYPTOGRAPHY:
        return (False, "Could not load cryptography")
    # salt.features appears to not be setup when invoked via peer publishing
-    if not __opts__.get("features", {}).get("x509_v2"):
-        return (
-            False,
-            "x509_v2 needs to be explicitly enabled by setting `x509_v2: true` "
-            "in the minion configuration value `features` until Salt 3008 (Argon).",
-        )
+    if not __opts__.get("features", {}).get("x509_v2", True):
+        return (False, "x509_v2 modules were explicitly disabled in `features:x509_v2`")
    return __virtualname__


--- a/salt/states/x509.py
+++ b/salt/states/x509.py
@ -13,9 +13,9 @@ Manage X509 Certificates
    modules. For breaking changes between both versions,
    you can refer to the :ref:`x509_v2 execution module docs <x509-setup>`.

-    They will become the default ``x509`` modules in Salt 3008 (Argon).
-    You can explicitly switch to the new modules before that release
-    by setting ``features: {x509_v2: true}`` in your minion configuration.
+    They have become the default ``x509`` modules in Salt 3008.0 (Argon).
+    Until they are removed, you can still revert to the deprecated modules
+    by setting ``features: {x509_v2: false}`` in your minion configuration.


 This module can enable managing a complete PKI infrastructure including creating private keys, CAs,
@ -204,7 +204,7 @@ def __virtual__():
    """
    only load this module if the corresponding execution module is loaded
    """
-    if __opts__["features"].get("x509_v2"):
+    if __opts__["features"].get("x509_v2", True):
        return (False, "Superseded, using x509_v2")
    if "x509.get_pem_entry" in __salt__:
        salt.utils.versions.warn_until(
--- a/salt/states/x509_v2.py
+++ b/salt/states/x509_v2.py
@ -211,12 +211,8 @@ __virtualname__ = "x509"
 def __virtual__():
    if not HAS_CRYPTOGRAPHY:
        return (False, "Could not load cryptography")
-    if not __opts__["features"].get("x509_v2"):
-        return (
-            False,
-            "x509_v2 needs to be explicitly enabled by setting `x509_v2: true` "
-            "in the minion configuration value `features` until Salt 3008 (Argon).",
-        )
+    if not __opts__["features"].get("x509_v2", True):
+        return (False, "x509_v2 modules were explicitly disabled in `features:x509_v2`")
    return __virtualname__


--- a/tests/integration/states/test_x509.py
+++ b/tests/integration/states/test_x509.py
@ -23,6 +23,7 @@ except ImportError:
 log = logging.getLogger(__name__)


+@pytest.mark.skip(reason="x509 modules are deprecated")
@pytest.mark.usefixtures("salt_sub_minion")
@pytest.mark.skipif(not HAS_M2CRYPTO, reason="Skip when no M2Crypto found")
 class x509Test(ModuleCase, SaltReturnAssertsMixin):
--- a/tests/pytests/functional/modules/test_x509_v2.py
+++ b/tests/pytests/functional/modules/test_x509_v2.py
@ -62,9 +62,6 @@ def minion_config_overrides():
                "X509v3 Basic Constraints": "critical CA:FALSE",
            },
        },
-        "features": {
-            "x509_v2": True,
-        },
    }


--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@ -48,9 +48,6 @@ def minion_config_overrides():
                "CN": "from_signing_policy",
            },
        },
-        "features": {
-            "x509_v2": True,
-        },
    }


--- a/tests/pytests/integration/modules/test_x509_v2.py
+++ b/tests/pytests/integration/modules/test_x509_v2.py
@ -160,9 +160,6 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key, ca_key_enc):
                "X509v3 Basic Constraints": "critical CA:FALSE",
            },
        },
-        "features": {
-            "x509_v2": True,
-        },
    }


@ -188,7 +185,6 @@ def x509_salt_minion(x509_salt_master, x509_minion_id):
        x509_minion_id,
        defaults={
            "open_mode": True,
-            "features": {"x509_v2": True},
            "grains": {"testgrain": "foo"},
        },
    )
--- a/tests/pytests/integration/states/test_x509_v2.py
+++ b/tests/pytests/integration/states/test_x509_v2.py
@ -175,9 +175,6 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key_enc, rsa_privkey, ca_new_ce
                "subjectKeyIdentifier": "hash",
            },
        },
-        "features": {
-            "x509_v2": True,
-        },
    }


@ -203,7 +200,6 @@ def x509_salt_minion(x509_salt_master, x509_minion_id):
        x509_minion_id,
        defaults={
            "open_mode": True,
-            "features": {"x509_v2": True},
            "grains": {"testgrain": "foo"},
        },
    )
				`@ -0,0 +1 @@`
				Made x509_v2 the default x509 modules. Until they are removed in the next major release, you can still revert to the old modules by setting `features: {x509_v2: false}` in the configuration