Merge "added chain file for salt api ssl"
diff --git a/salt/api.sls b/salt/api.sls
index 61e5687..2d7ac5a 100644
--- a/salt/api.sls
+++ b/salt/api.sls
@@ -15,6 +15,20 @@
- watch_in:
- service: salt_api_service
+{%- if api.get('ssl', {}).authority is defined %}
+
+{%- set cert_file = "/etc/ssl/certs/" + api.ssl.get('name', grains.id) + ".crt" %}
+{%- set ca_file = "/etc/ssl/certs/ca-" + api.ssl.authority + ".crt" %}
+
+salt_api_init_tls:
+ cmd.run:
+ - name: "cat {{ cert_file }} {{ ca_file }} > /etc/ssl/certs/{{ api.ssl.get('name', grains.id) }}-chain.crt"
+ - creates: /etc/ssl/certs/{{ api.ssl.get('name', grains.id) }}-chain.crt
+ - watch_in:
+ - service: salt_api_service
+
+{%- endif %}
+
salt_api_service:
service.running:
- name: salt-api
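Review bot: `creates:` on `salt_api_init_tls` means the chain file is assembled once and never rebuilt, so after `{{ cert_file }}` is reissued the API keeps serving a `-chain.crt` that no longer matches `ssl_crt`; worse, the shell opens the redirect target before `cat` reads its inputs, so a run where the cert or CA file is not yet present leaves an empty or partial chain file that `creates` then treats as done on every later run. The state also fires whenever `authority` is defined regardless of `api.ssl.engine`, while the `_api.conf` hunk (`@@ -9,8 +9,11 @@`) only emits `ssl_chain` in the `engine == 'salt'` branch, so with another engine plus an authority the state tries to concatenate `/etc/ssl/certs/<name>.crt`, which may not exist, and fails the run — unless the guard is meant to cover other engines, add `and api.ssl.get('engine') == 'salt'` to the `{%- if` at the top of the hunk. Below, the chain is written through a temporary file and rebuilt whenever either input is newer (assuming a shell whose `test` supports `-nt`, as dash and bash do); the pillar-supplied `name` is still interpolated unquoted into a shell command, which is acceptable only if that pillar value is trusted.
```yaml
{%- set chain_file = "/etc/ssl/certs/" + api.ssl.get('name', grains.id) + "-chain.crt" %}

salt_api_init_tls:
  cmd.run:
    - name: "cat {{ cert_file }} {{ ca_file }} > {{ chain_file }}.tmp && mv {{ chain_file }}.tmp {{ chain_file }}"
    - unless: test {{ chain_file }} -nt {{ cert_file }} -a {{ chain_file }} -nt {{ ca_file }}
    # … unchanged: watch_in on salt_api_service …
```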
@@ -23,4 +37,4 @@
- watch:
- file: /etc/salt/master.d/_api.conf
-{%- endif %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/files/_api.conf b/salt/files/_api.conf
index a1e2368..26856f8 100644
--- a/salt/files/_api.conf
+++ b/salt/files/_api.conf
@@ -9,8 +9,11 @@
ssl_crt: /etc/letsencrypt/live/{{ api.ssl.name }}/cert.pem
ssl_key: /etc/letsencrypt/live/{{ api.ssl.name }}/privkey.pem
{%- elif api.ssl.engine == 'salt' %}
- ssl_crt: /etc/ssl/certs/{{ system.name }}.{{ system.domain }}.crt
- ssl_key: /etc/ssl/private/{{ system.name }}.{{ system.domain }}.key
+ ssl_crt: /etc/ssl/certs/{{ api.ssl.get('name', grains.id) }}.crt
+ ssl_key: /etc/ssl/private/{{ api.ssl.get('name', grains.id) }}.key
+ {%- if api.ssl.authority is defined %}
+ ssl_chain: /etc/ssl/certs/{{ api.ssl.get('name', grains.id) }}-chain.crt
+ {%- endif %}
{%- else %}
ssl_crt: {{ api.ssl.get('cert_file')|default("/etc/ssl/certs/"+grains.get('fqdn')+".crt") }}
ssl_key: {{ api.ssl.get('key_file')|default("/etc/ssl/private/"+grains.get('fqdn')+".key") }}
@@ -25,3 +28,4 @@
{#-
vim: syntax=jinja
-#}
+