Fix salt.minion.cert CA certs generation

In case of trust_salt_ca usage, the salt.minion.cert state
generates broken certs body due to a space replacing:


To fix it the "x509.pem_managed" is used.

If a symlink to CA cert is already exists, then the state is failing.
The force=True (replace) is used now to avoid the issue.

Change-Id: I4a2bd7c882e179560657a3dc7edf18c7e5835492
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index d86ff77..f069374 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -18,9 +18,10 @@
 {%- set key_file  = cert.get('key_file', '/etc/ssl/private/' + cert.common_name + '.key') %}
 {%- set cert_file = cert.get('cert_file', '/etc/ssl/certs/' + cert.common_name + '.crt') %}
 {%- set ca_file = cert.get('ca_file', '/etc/ssl/certs/ca-' + cert.authority + '.crt') %}
-{%- set key_dir = key_file|replace(key_file.split('/')[-1], "") %}
-{%- set cert_dir = cert_file|replace(cert_file.split('/')[-1], "") %}
-{%- set ca_dir = ca_file|replace(ca_file.split('/')[-1], "") %}
+{%- set key_dir = salt['file.dirname'](key_file) %}
+{%- set cert_dir = salt['file.dirname'](cert_file) %}
+{%- set ca_dir = salt['file.dirname'](ca_file) %}
 {# Only ensure directories exists, don't touch permissions, etc. #}
 salt_minion_cert_{{ cert_name }}_dirs:
@@ -119,6 +120,7 @@
     - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"
     - target: {{ ca_file }}
+    - force: True
     - watch_in:
       - cmd: salt_update_certificates
@@ -178,31 +180,34 @@
     - require:
       - pkg: salt_ca_certificates_packages
-{%- if minion.get('cert', {}).get('trust_salt_ca', 'True') %}
+{%- if minion.get('trust_salt_ca', True) %}
 {%- for trusted_ca_minion in minion.get('trusted_ca_minions', []) %}
 {%- for ca_host, certs in salt['mine.get'](trusted_ca_minion+'*', 'x509.get_pem_entries').iteritems() %}
 {%- for ca_path, ca_cert in certs.iteritems() %}
-{%- if not 'ca.crt' in  ca_path %}{% continue %}{% endif %}
+{%- if ca_path.startswith('/etc/pki/ca/') and ca_path.endswith('ca.crt') %}
-{%- set cacert_file="ca-"+ca_path.split("/")[4]+".crt" %}
+{# authority name can be obtained only from a cacert path in case of mine.get #}
+{%- set ca_authority = ca_path.split("/")[4] %}
+{%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}
-salt_cert_{{ cacerts_dir }}/{{ cacert_file }}:
+salt_trust_ca_{{ cacert_file }}:
+  x509.pem_managed:
+    - name: {{ cacert_file }}
+    - text: {{ ca_cert|replace('\n', '') }}
+    - watch_in:
+      - file: salt_trust_ca_{{ cacert_file }}_permissions
+      - cmd: salt_update_certificates
+salt_trust_ca_{{ cacert_file }}_permissions:
-  - name: {{ cacerts_dir }}/{{ cacert_file }}
-  - contents: |
-      {{ ca_cert|replace('  ', '')|indent(6) }}
-  - makedirs: True
-  - show_changes: True
-  - follow_symlinks: True
-  - watch_in:
-    - cmd: salt_update_certificates
+    - name: {{ cacert_file }}
+    - mode: 0444
+{%- endif %}
 {%- endfor %}
 {%- endfor %}
 {%- endfor %}
 {%- endif %}
 {%- endif %}