add lock to ca,ensure acl isnt rotated if no pillar data

Author: JacobCoffee

salt/_extensions/pillar/ca.py

@@ -2,6 +2,7 @@
 
 import binascii
 import datetime
+import fcntl
 import os.path
 
 import salt.loader
@@ -342,10 +343,18 @@ def ext_pillar(minion_id, pillar, base="/etc/ssl", name="PSFCA", cert_opts=None)
             opts["CN"] = certificate
             opts["days"] = config.get("days", 1)
 
-            create_ca_signed_cert(base, name, **opts)
+            # Lock per-CN to prevent concurrent pillar compilations from
+            # racing on the same cert/key files.
+            lockp = os.path.join(base, name, "certs", "{}.lock".format(certificate))
+            lock_fd = open(lockp, "w")
+            try:
+                fcntl.flock(lock_fd, fcntl.LOCK_EX)
+                create_ca_signed_cert(base, name, **opts)
+                cert_data = get_ca_signed_cert(base, name, certificate)
+            finally:
+                fcntl.flock(lock_fd, fcntl.LOCK_UN)
+                lock_fd.close()
 
-            # Add the signed certificates to the pillar data
-            cert_data = get_ca_signed_cert(base, name, certificate)
             data["tls"]["certs"][certificate] = cert_data
 
     # Collect ACME certs (acme.cert) for this minion based on its roles

salt/consul/etc/acl.json.jinja

@@ -1,5 +1,8 @@
+{% set acl_token = salt['pillar.get']("consul:acl:tokens:default") %}
+{% if not acl_token %}
+{# Fail rendering rather than write an empty acl.json, which would break consul #}
+{{ MISSING_CONSUL_ACL_TOKEN }}
+{% endif %}
 {
-    {% if "default" in salt['pillar.get']("consul:acl:tokens", []) %}
-    "acl_token": "{{ pillar['consul']['acl']['tokens']['default'] }}"
-    {% endif %}
+    "acl_token": "{{ acl_token }}"
 }