Merge branch 'main' into copy-fail

Author: JacobCoffee

.github/CODEOWNERS

@@ -1,2 +1,7 @@
-# Notify @EWDurbin for all opened Issues and Pull Requests
+# Notify @JacobCoffee for all opened Issues and Pull Requests
 * @JacobCoffee
+
+# Additionally, notify Stan for docs things
+.github/workflows/docs-redirects.yml  @StanFromIreland @JacobCoffee
+salt/docs/*                           @StanFromIreland @JacobCoffee
+tests/docs-redirects/*                @StanFromIreland @JacobCoffee

pillar/base/users/antoine.sls

@@ -1,14 +1,6 @@
 users:
   barry:
     access:
-      docs:
-        allowed: true
-        groups:
-        - docs
-      downloads:
-        allowed: true
-        groups:
-        - downloads
       gnumailman:
         allowed: true
         sudo: true

pillar/base/users/barry.sls

@@ -0,0 +1,12 @@
+users:
+  stan:
+    access:
+      docs:
+        allowed: true
+        groups:
+        - docs
+        - docsbuild
+        sudo: true
+    fullname: Stan Ulbrych
+    ssh_keys:
+    - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtjkM3s7q8kLYuQ0GkcLKXO+kFdJIBEVZ1Cg2IbkCrR

pillar/base/users/gbrandl.sls

@@ -2,6 +2,7 @@
 
 import binascii
 import datetime
+import fcntl
 import os.path
 
 import salt.loader
@@ -342,10 +343,18 @@ def ext_pillar(minion_id, pillar, base="/etc/ssl", name="PSFCA", cert_opts=None)
             opts["CN"] = certificate
             opts["days"] = config.get("days", 1)
 
-            create_ca_signed_cert(base, name, **opts)
+            # Lock per-CN to prevent concurrent pillar compilations from
+            # racing on the same cert/key files.
+            lockp = os.path.join(base, name, "certs", "{}.lock".format(certificate))
+            lock_fd = open(lockp, "w")
+            try:
+                fcntl.flock(lock_fd, fcntl.LOCK_EX)
+                create_ca_signed_cert(base, name, **opts)
+                cert_data = get_ca_signed_cert(base, name, certificate)
+            finally:
+                fcntl.flock(lock_fd, fcntl.LOCK_UN)
+                lock_fd.close()
 
-            # Add the signed certificates to the pillar data
-            cert_data = get_ca_signed_cert(base, name, certificate)
             data["tls"]["certs"][certificate] = cert_data
 
     # Collect ACME certs (acme.cert) for this minion based on its roles

pillar/base/users/larry.sls

@@ -48,6 +48,6 @@ server {
       proxy_http_version 1.1;
       proxy_set_header Upgrade $http_upgrade;
       proxy_set_header Connection "Upgrade";
-      proxy_pass http://localhost:9010/ws;
+      proxy_pass http://127.0.0.1:9010/ws;
   }
 }

pillar/base/users/loewis.sls

@@ -1,5 +1,8 @@
+{% set acl_token = salt['pillar.get']("consul:acl:tokens:default") %}
+{% if not acl_token %}
+{# Fail rendering rather than write an empty acl.json, which would break consul #}
+{{ MISSING_CONSUL_ACL_TOKEN }}
+{% endif %}
 {
-    {% if "default" in salt['pillar.get']("consul:acl:tokens", []) %}
-    "acl_token": "{{ pillar['consul']['acl']['tokens']['default'] }}"
-    {% endif %}
+    "acl_token": "{{ acl_token }}"
 }