Don't send CA keys to mine
Exposing CA keys in a mine is a security flaw and should be
avoided.
This change removes the code responsible for putting the CA key into
and retrieving it from a mine, and changes the ca.sls state to allow
configuring where the CA cert and its key are generated, as well as their owners.
Fixes PROD-13439
Change-Id: I6d78b13dcb3754c51606edd7e2d8158e128244a4
diff --git a/tests/pillar/minion_pki_cert.sls b/tests/pillar/minion_pki_cert.sls
index 745f3c4..9e6fef5 100644
--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -59,3 +59,23 @@
# salt.ci.local
#signing_policy:
# cert_server
+ test_cert:
+ alternative_names:
+ IP:127.0.0.1,DNS:salt.ci.local,DNS:test.ci.local
+ cert_file:
+ /srv/salt/pki/ci/test.ci.local.crt
+ common_name:
+ test.ci.local
+ key_file:
+ /srv/salt/pki/ci/test.ci.local.key
+ country: CZ
+ state: Prague
+ locality: Cesky Krumlov
+ signing_cert:
+ /etc/test/ca.crt
+ signing_private_key:
+ /etc/test/ca.key
+ # Kitchen-Salt CI trigger `salt-call --local`, below attributes
+ # can't be used as there is no required SaltMaster connectivity
+ authority:
+ salt-ca-alt
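Review bot: The comment added at the end of the `test_cert` entry says the attributes below it cannot be used under `salt-call --local`, yet `authority: salt-ca-alt` is left active directly beneath it, while the preceding entry (visible in the context lines) keeps `signing_policy` commented out. Either comment the key out in the same way (`#authority:` / `# salt-ca-alt`) or reword the comment to explain why it stays enabled. With `signing_cert` and `signing_private_key` pointing at local files and an authority also set, it is not obvious which signing path this fixture exercises. Since the commit's goal is to keep the CA key out of the mine, a short comment such as `# signed locally with the CA key on disk; nothing is fetched from the mine` above `signing_cert` would make the intent explicit. The configurable key owner mentioned in the commit message is not exercised here, and presumably belongs in the CA test pillar, which is outside this hunk.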