From 32ac3cf679812f078d01efcf73b59d33b3b398b8 Mon Sep 17 00:00:00 2001 From: jeanluc Date: Wed, 17 Apr 2024 02:35:24 +0200 Subject: [PATCH] Make `x509_v2` the default `x509` modules --- changelog/66384.changed.md | 1 + salt/modules/x509.py | 8 ++-- salt/modules/x509_v2.py | 37 +++++++++---------- salt/states/x509.py | 8 ++-- salt/states/x509_v2.py | 8 +--- tests/integration/states/test_x509.py | 1 + .../functional/modules/test_x509_v2.py | 3 -- .../pytests/functional/states/test_x509_v2.py | 3 -- .../integration/modules/test_x509_v2.py | 4 -- .../integration/states/test_x509_v2.py | 4 -- 10 files changed, 30 insertions(+), 47 deletions(-) create mode 100644 changelog/66384.changed.md diff --git a/changelog/66384.changed.md b/changelog/66384.changed.md new file mode 100644 index 00000000000..564b6eaf7c7 --- /dev/null +++ b/changelog/66384.changed.md @@ -0,0 +1 @@ +Made x509_v2 the default x509 modules. Until they are removed in the next major release, you can still revert to the old modules by setting `features: {x509_v2: false}` in the configuration diff --git a/salt/modules/x509.py b/salt/modules/x509.py index 4b50af2548a..3bff5163ebc 100644 --- a/salt/modules/x509.py +++ b/salt/modules/x509.py @@ -13,9 +13,9 @@ Manage X509 certificates modules. For breaking changes between both versions, you can refer to the :ref:`x509_v2 execution module docs `. - They will become the default ``x509`` modules in Salt 3008 (Argon). - You can explicitly switch to the new modules before that release - by setting ``features: {x509_v2: true}`` in your minion configuration. + They have become the default ``x509`` modules in Salt 3008.0 (Argon). + Until they are removed, you can still revert to the deprecated modules + by setting ``features: {x509_v2: false}`` in your minion configuration. """ import ast 
@@ -92,7 +92,7 @@ def __virtual__(): only load this module if m2crypto is available """ # salt.features appears to not be setup when invoked via peer publishing - if __opts__.get("features", {}).get("x509_v2"): + if __opts__.get("features", {}).get("x509_v2", True): return (False, "Superseded, using x509_v2") if HAS_M2: salt.utils.versions.warn_until( diff --git a/salt/modules/x509_v2.py b/salt/modules/x509_v2.py index 2a4383d04f9..67b3641c1a2 100644 --- a/salt/modules/x509_v2.py +++ b/salt/modules/x509_v2.py @@ -9,6 +9,10 @@ Manage X.509 certificates This module represents a complete rewrite of the original ``x509`` modules and is named ``x509_v2`` since it introduces breaking changes. +.. versionchanged:: 3008.0 + + This module is now the default ``x509`` module and therefore does not need + to be enabled explicitly anymore. .. note:: @@ -19,19 +23,6 @@ Manage X.509 certificates Configuration ------------- -Explicit activation -~~~~~~~~~~~~~~~~~~~ -Since this module uses the same virtualname as the previous ``x509`` modules, -but is incompatible with them, it needs to be explicitly activated on each -minion by including the following line in the minion configuration: - -.. code-block:: yaml - - # /etc/salt/minion.d/x509.conf - - features: - x509_v2: true - Peer communication ~~~~~~~~~~~~~~~~~~ To be able to remotely sign certificates, it is required to configure the Salt @@ -163,6 +154,18 @@ Breaking changes versus the previous ``x509`` modules Note that when a ``ca_server`` is involved, both peers must use the updated module version. +Revert to old modules +~~~~~~~~~~~~~~~~~~~~~ +Until they are removed, you can still revert to the deprecated ``x509`` modules +by setting the following minion configuration value: + +.. code-block:: yaml + + # /etc/salt/minion.d/x509.conf + + features: + x509_v2: false + .. _x509-setup: """ 
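Review bot: The feature check in `__virtual__` of salt/modules/x509.py is a truthiness test, so any falsy value, not only an explicit `false`, selects the deprecated modules again. A key that is present with an empty YAML value would load as `None`, and `.get("x509_v2", True)` does not apply its default in that case. Now that the new implementation is the default, the opt-out could be made explicit: `if __opts__.get("features", {}).get("x509_v2") is not False:` here, and the matching `... is False:` in the x509_v2 counterparts. The same pattern is in the `__virtual__` hunks of salt/modules/x509_v2.py, salt/states/x509.py and salt/states/x509_v2.py. The function body continues outside the hunk.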
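Review bot: The new "Revert to old modules" section in the salt/modules/x509_v2.py docstring does not repeat the constraint stated in the context line just above it, that with a `ca_server` both peers must use the same module version. By that statement, reverting a single minion would presumably break remote signing against peers left on the default. I would add one sentence to the section, for example `When a ca_server is involved, set this value on both peers.`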
@@ -201,12 +204,8 @@ def __virtual__(): if not HAS_CRYPTOGRAPHY: return (False, "Could not load cryptography") # salt.features appears to not be setup when invoked via peer publishing - if not __opts__.get("features", {}).get("x509_v2"): - return ( - False, - "x509_v2 needs to be explicitly enabled by setting `x509_v2: true` " - "in the minion configuration value `features` until Salt 3008 (Argon).", - ) + if not __opts__.get("features", {}).get("x509_v2", True): + return (False, "x509_v2 modules were explicitly disabled in `features:x509_v2`") return __virtualname__ diff --git a/salt/states/x509.py b/salt/states/x509.py index a487b89ca63..24f7abe93c6 100644 --- a/salt/states/x509.py +++ b/salt/states/x509.py @@ -13,9 +13,9 @@ Manage X509 Certificates modules. For breaking changes between both versions, you can refer to the :ref:`x509_v2 execution module docs `. - They will become the default ``x509`` modules in Salt 3008 (Argon). - You can explicitly switch to the new modules before that release - by setting ``features: {x509_v2: true}`` in your minion configuration. + They have become the default ``x509`` modules in Salt 3008.0 (Argon). + Until they are removed, you can still revert to the deprecated modules + by setting ``features: {x509_v2: false}`` in your minion configuration. This module can enable managing a complete PKI infrastructure including creating private keys, CAs, @@ -204,7 +204,7 @@ def __virtual__(): """ only load this module if the corresponding execution module is loaded """ - if __opts__["features"].get("x509_v2"): + if __opts__["features"].get("x509_v2", True): return (False, "Superseded, using x509_v2") if "x509.get_pem_entry" in __salt__: salt.utils.versions.warn_until( diff --git a/salt/states/x509_v2.py b/salt/states/x509_v2.py index 773006b6694..24fc3748cf4 100644 --- a/salt/states/x509_v2.py +++ b/salt/states/x509_v2.py 
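Review bot: In `__virtual__` of salt/modules/x509_v2.py the `HAS_CRYPTOGRAPHY` check still returns before the feature check, and with the default flipped the old module now declines to load unless `x509_v2` is set to false. A minion where the `cryptography` import fails would therefore end up with no `x509` module at all, while the old module's reason still reads "Superseded, using x509_v2". A short comment above the first check would record this, e.g. `# No fallback: the deprecated x509 modules defer to this one by default.` Saying the same in the returned reason string would help whoever reads the loader log.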
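Review bot: `__opts__["features"]` in `__virtual__` of salt/states/x509.py raises `KeyError` when the key is absent, whereas the execution modules read it with `__opts__.get("features", {})` and carry a comment that salt.features may not be set up under peer publishing. Whether state modules can be loaded with such opts is not visible here, but the defensive form costs nothing now that the lookup supplies a default: `if __opts__.get("features", {}).get("x509_v2", True):`. The `__virtual__` hunk of salt/states/x509_v2.py uses the same subscript. The function body continues outside the hunk.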
@@ -211,12 +211,8 @@ __virtualname__ = "x509" def __virtual__(): if not HAS_CRYPTOGRAPHY: return (False, "Could not load cryptography") - if not __opts__["features"].get("x509_v2"): - return ( - False, - "x509_v2 needs to be explicitly enabled by setting `x509_v2: true` " - "in the minion configuration value `features` until Salt 3008 (Argon).", - ) + if not __opts__["features"].get("x509_v2", True): + return (False, "x509_v2 modules were explicitly disabled in `features:x509_v2`") return __virtualname__ diff --git a/tests/integration/states/test_x509.py b/tests/integration/states/test_x509.py index 228afce78f8..02359bda3a5 100644 --- a/tests/integration/states/test_x509.py +++ b/tests/integration/states/test_x509.py @@ -23,6 +23,7 @@ except ImportError: log = logging.getLogger(__name__) +@pytest.mark.skip(reason="x509 modules are deprecated") @pytest.mark.usefixtures("salt_sub_minion") @pytest.mark.skipif(not HAS_M2CRYPTO, reason="Skip when no M2Crypto found") class x509Test(ModuleCase, SaltReturnAssertsMixin): diff --git a/tests/pytests/functional/modules/test_x509_v2.py b/tests/pytests/functional/modules/test_x509_v2.py index dfb973af108..5b34249d5b3 100644 --- a/tests/pytests/functional/modules/test_x509_v2.py +++ b/tests/pytests/functional/modules/test_x509_v2.py @@ -62,9 +62,6 @@ def minion_config_overrides(): "X509v3 Basic Constraints": "critical CA:FALSE", }, }, - "features": { - "x509_v2": True, - }, } diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py index 01c877fceda..613275bc3d5 100644 --- a/tests/pytests/functional/states/test_x509_v2.py +++ b/tests/pytests/functional/states/test_x509_v2.py @@ -48,9 +48,6 @@ def minion_config_overrides(): "CN": "from_signing_policy", }, }, - "features": { - "x509_v2": True, - }, } diff --git a/tests/pytests/integration/modules/test_x509_v2.py b/tests/pytests/integration/modules/test_x509_v2.py index a6a99d27f30..d0febc10cf1 100644 
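Review bot: The unconditional `@pytest.mark.skip` on `x509Test` in tests/integration/states/test_x509.py removes all integration coverage for the deprecated state module, while the changelog entry in this commit still documents `features: {x509_v2: false}` as a supported way to select it. It also makes the `skipif` on M2Crypto below it dead. If the `salt_sub_minion` fixture can take a config override (not visible in this hunk), running the class with the flag set to false would keep the legacy certificate code tested until removal. Otherwise the reason should say what is lost, e.g. `reason="legacy x509 modules are no longer loaded by default; untested until removal"`.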
--- a/tests/pytests/integration/modules/test_x509_v2.py +++ b/tests/pytests/integration/modules/test_x509_v2.py @@ -160,9 +160,6 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key, ca_key_enc): "X509v3 Basic Constraints": "critical CA:FALSE", }, }, - "features": { - "x509_v2": True, - }, } @@ -188,7 +185,6 @@ def x509_salt_minion(x509_salt_master, x509_minion_id): x509_minion_id, defaults={ "open_mode": True, - "features": {"x509_v2": True}, "grains": {"testgrain": "foo"}, }, ) diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py index f127c183b35..15c9771e709 100644 --- a/tests/pytests/integration/states/test_x509_v2.py +++ b/tests/pytests/integration/states/test_x509_v2.py @@ -175,9 +175,6 @@ def ca_minion_config(x509_minion_id, ca_cert, ca_key_enc, rsa_privkey, ca_new_ce "subjectKeyIdentifier": "hash", }, }, - "features": { - "x509_v2": True, - }, } @@ -203,7 +200,6 @@ def x509_salt_minion(x509_salt_master, x509_minion_id): x509_minion_id, defaults={ "open_mode": True, - "features": {"x509_v2": True}, "grains": {"testgrain": "foo"}, }, )