Merge "Repair multi-ca generating states"
diff --git a/salt/minion/ca.sls b/salt/minion/ca.sls
index fdad603..41a58a5 100644
--- a/salt/minion/ca.sls
+++ b/salt/minion/ca.sls
@@ -4,6 +4,8 @@
include:
- salt.minion.service
+{%- set all_ca_certs_dir = '/etc/pki/all_cas' %}
+
{%- for ca_name,ca in minion.ca.iteritems() %}
{%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
@@ -87,15 +89,25 @@
- require:
- x509: {{ ca_file }}
-salt_system_ca_mine_send_ca_{{ ca_name }}:
- module.run:
- - name: mine.send
- - func: x509.get_pem_entries
- - kwargs:
- glob_path: {{ ca_file }}
+copy_to_{{all_ca_certs_dir}}/{{ ca_name }}:
+ file.copy:
+ - name: {{ all_ca_certs_dir }}/{{ ca_name }}.crt
+ - source: {{ ca_file }}
+ - makedirs: True
+ - force: True
+ - unless:
+ - diff -q {{ ca_file }} {{ all_ca_certs_dir }}/{{ ca_name }}.crt
- require:
- x509: {{ ca_file }}
{%- endfor %}
+salt_system_ca_mine_send_ca:
+ module.run:
+ - name: mine.send
+ - func: x509.get_pem_entries
+ - kwargs:
+ mine_function: x509.get_pem_entries
+ glob_path: {{ all_ca_certs_dir }}/*
+
{%- endif %}
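Review bot: The flat file names introduced by the `file.copy` state (`{{ all_ca_certs_dir }}/{{ ca_name }}.crt`) are not what the consumer in cert.sls filters on: its third hunk still keeps the context line `{%- if ca_path.endswith('ca.crt') %}` before the changed `split`, so with the new layout only authorities whose name happens to end in `ca` pass that check and trust states for the others would silently not be generated; `{%- if ca_path.startswith('/etc/pki/all_cas/') and ca_path.endswith('.crt') %}` would match every published CA. Publishing `{{ all_ca_certs_dir }}/*` also means a CA removed from pillar keeps being served through the mine, since nothing prunes the directory; a `file.directory` with `clean: True` (with the copy states as `require_in`) or at least a comment on the state saying the directory is never cleaned would make that explicit. The new `salt_system_ca_mine_send_ca` state has no requisite on the `copy_to_*` states, so a failed copy still publishes whatever is on disk; a `- require:` listing `- file: copy_to_{{ all_ca_certs_dir }}/{{ ca_name }}` for each CA pins the order. Minor: `copy_to_{{all_ca_certs_dir}}` lacks the spaces inside the braces used everywhere else, and the `unless` shell command would be safer with the two paths quoted.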
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index 720a695..4d1296a 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -110,7 +110,7 @@
{%- if cert.host is defined and ca_file not in created_ca_files %}
{%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
-{%- if '/etc/pki/ca/'+cert.authority in ca_path %}
+{%- if '/etc/pki/all_cas/'+cert.authority in ca_path %}
{{ ca_file }}:
x509.pem_managed:
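Review bot: `'/etc/pki/all_cas/'+cert.authority in ca_path` is a substring test, so an authority named `foo` also matches `/etc/pki/all_cas/foobar.crt` and could import the wrong CA; with one flat file per CA an exact comparison is now possible: `{%- if ca_path == '/etc/pki/all_cas/' ~ cert.authority ~ '.crt' %}`. The directory is also hard-coded here while ca.sls defines it as `all_ca_certs_dir`; sourcing both from the same pillar value would keep producer and consumer from drifting. The enclosing `{%- if cert.host is defined ... %}` block continues outside the hunk.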
@@ -123,7 +123,6 @@
- cmd: salt_minion_cert_{{ cert_name }}_all
{%- endif %}
-
# TODO: Squash this with the previous state after switch to Salt version >= 2016.11.2
{{ ca_file }}_cert_permissions:
file.managed:
@@ -194,7 +193,7 @@
{%- if ca_path.endswith('ca.crt') %}
{# authority name can be obtained only from a cacert path in case of mine.get #}
-{%- set ca_authority = ca_path.split("/")[-2] %}
+{%- set ca_authority = ca_path.split("/")[-1].split(".")[0] %}
{%- set cacert_file="%s/ca-%s.crt" % (cacerts_dir,ca_authority) %}
salt_trust_ca_{{ cacert_file }}: