Salt PKI fixes
diff --git a/salt/files/_acl.conf b/salt/files/_acl.conf
new file mode 100644
index 0000000..c9b2eb6
--- /dev/null
+++ b/salt/files/_acl.conf
@@ -0,0 +1,4 @@
+
+peer:
+ .*:
+ - x509.sign_remote_certificate
\ No newline at end of file
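Review bot: The `.*` key grants every minion the right to call `x509.sign_remote_certificate` on every other minion, so any compromised minion can ask the CA minion to sign a request under whatever `signing_policy` name it chooses; the only remaining control is the `minions:` whitelist inside each signing policy, which this diff does not show. Peer keys are regexes matched against the calling minion's ID, so replace `.*` with a pattern that matches only the minion IDs that legitimately request certificates, and keep the wildcard out of a committed default. I also don't see this file installed anywhere in the diff (service.sls deploys `_peer.conf`, not `_acl.conf`), so either wire it into a state or drop it to avoid a stale, overly permissive ACL lingering in the repo. While here, use two-space indentation and end the file with a newline so yamllint and the Salt loader agree on it.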
diff --git a/salt/files/_peer.conf b/salt/files/_peer.conf
new file mode 100644
index 0000000..be3f8a7
--- /dev/null
+++ b/salt/files/_peer.conf
@@ -0,0 +1,6 @@
+{% from "salt/map.jinja" import master with context %}
+
+peer:
+{%- for peer_name,peer_rules in master.peer.items() %}
+ {{ peer_name }}: {{ peer_rules }}
+{%- endfor %}
\ No newline at end of file
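Review bot: `{{ peer_name }}` is emitted as a bare YAML key and `{{ peer_rules }}` as a bare Python repr, so a peer regex that starts with `[`, `*` or a quote (common in minion-ID patterns) or a non-list rules value yields a malformed or silently misparsed peer section, and a broken `master.d` file can stop the master from loading its config. Quote the key and serialise the value explicitly, e.g. `  '{{ peer_name }}': {{ peer_rules | json }}` (or the `yaml` filter if the target Salt version provides it; I can't confirm filter availability from here). Since every rendered entry is an authorization grant — the regex selects the calling minion, the list is what it may run on any other minion — a header comment in the template stating that the values come from the `master:peer` pillar and that `.*` means every minion would help the next operator read the file on a box.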
diff --git a/salt/files/_signing_policies.conf b/salt/files/_pki.conf
similarity index 100%
rename from salt/files/_signing_policies.conf
rename to salt/files/_pki.conf
diff --git a/salt/master/service.sls b/salt/master/service.sls
index 4fd05aa..76f3ca2 100644
--- a/salt/master/service.sls
+++ b/salt/master/service.sls
@@ -15,6 +15,20 @@
- watch_in:
- service: salt_master_service
+{%- if master.peer is defined %}
+
+/etc/salt/master.d/_peer.conf:
+ file.managed:
+ - source: salt://salt/files/_peer.conf
+ - user: root
+ - template: jinja
+ - require:
+ - pkg: salt_master_packages
+ - watch_in:
+ - service: salt_master_service
+
+{%- endif %}
+
salt_master_service:
service.running:
- name: {{ master.service }}
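Review bot: The new `_peer.conf` state exists only inside `{%- if master.peer is defined %}`, so removing the `peer` key from pillar later leaves the previously rendered grants in `/etc/salt/master.d/_peer.conf` active on the master — peer permissions cannot be revoked through pillar alone. Add an `{%- else %}` branch that removes the file and restarts the service so that absence of config means absence of grants. The `file.managed` also lacks `group`/`mode`; `- group: root` and `- mode: 644` keep the authorization file from being writable by anyone but root regardless of the master's umask.
```yaml
{%- if master.peer is defined %}
# … unchanged: /etc/salt/master.d/_peer.conf file.managed …
{%- else %}

/etc/salt/master.d/_peer.conf:
  file.absent:
    - watch_in:
      - service: salt_master_service

{%- endif %}
```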
@@ -26,4 +40,4 @@
- mode: 755
- makedirs: true
-{%- endif %}
+{%- endif %}
\ No newline at end of file
diff --git a/salt/minion/ca.sls b/salt/minion/ca.sls
index e3027bb..ca8aa75 100644
--- a/salt/minion/ca.sls
+++ b/salt/minion/ca.sls
@@ -4,9 +4,9 @@
include:
- salt.minion.service
-/etc/salt/minion.d/_signing_policies.conf:
+/etc/salt/minion.d/_pki.conf:
file.managed:
- - source: salt://salt/files/_signing_policies.conf
+ - source: salt://salt/files/_pki.conf
- template: jinja
- require:
- pkg: salt_minion_packages
diff --git a/salt/minion/cert.sls b/salt/minion/cert.sls
index 419ca5a..3330524 100644
--- a/salt/minion/cert.sls
+++ b/salt/minion/cert.sls
@@ -16,7 +16,7 @@
/etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.crt:
x509.certificate_managed:
- - ca_server: wst01.newt.cz
+ - ca_server: {{ cert.host }}
- signing_policy: {{ cert.authority }}
- public_key: /etc/pki/cert/{{ cert.authority }}/{{ cert.common_name }}.key
- CN: {{ cert.common_name }}
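Review bot: `{{ cert.host }}` is used without a guard, so a cert entry that omits `host` renders `ca_server:` as null instead of failing; the state then no longer goes through the remote CA at all, and the resulting failure (or a local-signing attempt) is hard to trace back to the missing pillar key. Make the omission loud in the template — e.g. fail the render with `{% if cert.host is not defined %}{{ raise('cert.host (CA minion ID) is required') }}{% endif %}` if the target Salt version has `raise`, otherwise fall back to `{{ cert.host }}` with a quoted value `- ca_server: '{{ cert.host }}'` — and document in the pillar example that `host` is the CA minion's ID (what `publish.publish` targets), not a DNS name, which the test value `minion.with.ca` leaves ambiguous. Note that the requester picks the `signing_policy` by name here, so the CA-side policy's `minions:` whitelist is what actually limits who can obtain a cert under `Company CA`; that policy is outside this diff. The `x509.certificate_managed` state continues past the end of the hunk.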
diff --git a/tests/pillar/minion_pki_cert.sls b/tests/pillar/minion_pki_cert.sls
index 13f7515..76a9fcb 100644
--- a/tests/pillar/minion_pki_cert.sls
+++ b/tests/pillar/minion_pki_cert.sls
@@ -3,5 +3,6 @@
enabled: true
cert:
test_service:
+ host: minion.with.ca
authority: Company CA
- common_name: test.service.domain.tld
\ No newline at end of file
+ common_name: test.service.domain.tld