[salt.minion.cert] Improve certificates management
1. Remove implicit creation of "local_trusted_symlink".
To install system-wide certificates, the linux.system.cert
state or the 'trusted_ca_minion' option must be used.
2. A ca-cert file may exist on the file system and
not be pulled from mine. So, in this case
the following state would be incorrect:
- watch:
- x509: ca_file
To support this case, we need to replace `watch` statement
with `watch_in`.
Change-Id: If41d050b56913d72da1ef7981f30780fec5d6d95
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index d86ff77..0999127 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -35,8 +35,12 @@
{{ key_file }}:
x509.private_key_managed:
- bits: {{ cert.get('bits', 4096) }}
- require:
- - file: salt_minion_cert_{{ cert_name }}_dirs
+ - require:
+ - file: salt_minion_cert_{{ cert_name }}_dirs
+ {%- if cert.all_file is defined %}
+ - watch_in:
+ - cmd: salt_minion_cert_{{ cert_name }}_all
+ {%- endif %}
{{ key_file }}_key_permissions:
file.managed:
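Review bot: The `{%- if cert.all_file is defined %}` / `- watch_in:` / `- cmd: salt_minion_cert_{{ cert_name }}_all` / `{%- endif %}` stanza added here is repeated verbatim for `{{ cert_file }}` and `{{ ca_file }}` in the next two hunks; holding it in one Jinja variable (or a small macro) would keep the three triggers from drifting apart if the target state is ever renamed. The `- require:` pair is removed and re-added with no visible textual difference, presumably an indentation fix that the whitespace-collapsed rendering hides. A one-line comment above the stanza would make its purpose obvious to the next reader, e.g. `{#- regenerate the combined key+cert+ca file whenever this key is rewritten #}`.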
@@ -81,6 +85,10 @@
- backup: True
- watch:
- x509: {{ key_file }}
+ {%- if cert.all_file is defined %}
+ - watch_in:
+ - cmd: salt_minion_cert_{{ cert_name }}_all
+ {%- endif %}
{{ cert_file }}_cert_permissions:
file.managed:
@@ -107,6 +115,11 @@
- text: {{ ca_cert|replace('\n', '') }}
- watch:
- x509: {{ cert_file }}
+ {%- if cert.all_file is defined %}
+ - watch_in:
+ - cmd: salt_minion_cert_{{ cert_name }}_all
+ {%- endif %}
+
{{ ca_file }}_cert_permissions:
file.managed:
@@ -115,13 +128,6 @@
- watch:
- x509: {{ ca_file }}
-{{ ca_file }}_local_trusted_symlink:
- file.symlink:
- - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"
- - target: {{ ca_file }}
- - watch_in:
- - cmd: salt_update_certificates
-
{%- endif %}
{%- endfor %}
@@ -129,13 +135,10 @@
{%- endif %}
{%- if cert.all_file is defined %}
+
salt_minion_cert_{{ cert_name }}_all:
cmd.wait:
- name: cat {{ key_file }} {{ cert_file }} {{ ca_file }} > {{ cert.all_file }}
- - watch:
- - x509: {{ key_file }}
- - x509: {{ cert_file }}
- - x509: {{ ca_file }}
{{ cert.all_file }}_cert_permissions:
file.managed:
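Review bot: With its own `watch` list removed, `salt_minion_cert_{{ cert_name }}_all` now runs only when one of the `watch_in` sources in the key, cert and CA x509 states changes; if the CA file is present on disk but not x509-managed (the case the commit message describes), a change to that file never re-runs the `cat`, which matches the stated intent but deserves a comment on the state, e.g. `{#- rebuilt only when a managed key/cert/ca changes; an on-disk CA is not watched #}`. Separately, the `cat … > {{ cert.all_file }}` redirect writes the combined file, private key included, under the running process's umask before `{{ cert.all_file }}_cert_permissions` tightens its mode, so consider adding `- umask: "077"` to the `cmd.wait` to close that window. The `file.managed` body of the permissions state continues outside the hunk.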
@@ -205,4 +208,3 @@
{%- endif %}
{%- endif %}
-