Don't send CA keys to mine

Exposing CA keys in a mine is a security flaw and should be
avoided.
This change removes code responsible for putting and retrieving
CA key from a mine and changes the ca.sls state to allow configuring
where CA cert and its key would be generated as well as their owners.

Fixes PROD-13439

Change-Id: I6d78b13dcb3754c51606edd7e2d8158e128244a4
diff --git a/tests/pillar/minion_pki_ca.sls b/tests/pillar/minion_pki_ca.sls
index 935014b..d11adbf 100644
--- a/tests/pillar/minion_pki_ca.sls
+++ b/tests/pillar/minion_pki_ca.sls
@@ -44,3 +44,28 @@
           ca_intermediate:
             type: v3_intermediate_ca
             minions: '*'
+      salt-ca-alt:
+        common_name: Alt CA Testing
+        country: Czech
+        state: Prague
+        locality: Cesky Krumlov
+        days_valid:
+          authority: 3650
+          certificate: 90
+        signing_policy:
+          cert_server:
+            type: v3_edge_cert_server
+            minions: '*'
+          cert_client:
+            type: v3_edge_cert_client
+            minions: '*'
+          ca_edge:
+            type: v3_edge_ca
+            minions: '*'
+          ca_intermediate:
+            type: v3_intermediate_ca
+            minions: '*'
+        ca_file: '/etc/test/ca.crt'
+        ca_key_file: '/etc/test/ca.key'
+        user: test
+        group: test
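Review bot: The `salt-ca-alt` entry sets `user: test` and `group: test` beside `ca_key_file: '/etc/test/ca.key'`, but nothing in this fixture states or checks the file mode the private key ends up with. The state that consumes these keys is not part of this hunk and may already enforce a mode; if it does not, a key written under a configurable owner could be readable by the group or by everyone, which would undercut keeping it out of the mine. I would document the expectation above the new keys, for example `# CA key stays on this host only; expected owner test:test, mode 0600`, and have the test verify the resulting permissions. Separately, `country: Czech` differs from the `country: CZ` used by the certificate fixture in tests/pillar/minion_pki_cert.sls, and the two-letter code is the conventional value for the X.509 country attribute.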
diff --git a/tests/pillar/minion_pki_cert.sls b/tests/pillar/minion_pki_cert.sls
index 745f3c4..9e6fef5 100644
--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -59,3 +59,23 @@
           #   salt.ci.local
           #signing_policy:
           #   cert_server
+      test_cert:
+          alternative_names:
+              IP:127.0.0.1,DNS:salt.ci.local,DNS:test.ci.local
+          cert_file:
+              /srv/salt/pki/ci/test.ci.local.crt
+          common_name:
+              test.ci.local
+          key_file:
+              /srv/salt/pki/ci/test.ci.local.key
+          country: CZ
+          state: Prague
+          locality: Cesky Krumlov
+          signing_cert:
+              /etc/test/ca.crt
+          signing_private_key:
+              /etc/test/ca.key
+          # Kitchen-Salt CI trigger `salt-call --local`, below attributes
+          # can't be used as there is no required SaltMaster connectivity
+          authority:
+             salt-ca-alt
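Review bot: The comment above `authority:` says the attributes below it cannot be used without SaltMaster connectivity, yet `authority: salt-ca-alt` is left active, while the older example in the context lines keeps `#signing_policy:` commented out. If `authority` is meant to be active here, the comment should say what is actually omitted and why, for example `# signing_policy is left unset: kitchen-salt runs salt-call --local, so there is no master to sign through`. Because `signing_private_key` points at `/etc/test/ca.key`, this certificate can only be issued on the host that holds the CA key, and a one-line comment saying so would make that constraint clear to anyone copying the fixture. The value under `authority:` is also indented three spaces where the other wrapped values in this entry use four.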