Reusable certificates
- store cert under /srv/salt/pki
- isolate certs per cluster name
- reclass overrides (openstack, wildcard)
diff --git a/salt/minion/cert/ceph/init.yml b/salt/minion/cert/ceph/init.yml
new file mode 100644
index 0000000..8b2e61c
--- /dev/null
+++ b/salt/minion/cert/ceph/init.yml
@@ -0,0 +1,12 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ ceph:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
+
diff --git a/salt/minion/cert/ceph/openstack.yml b/salt/minion/cert/ceph/openstack.yml
new file mode 100644
index 0000000..664352d
--- /dev/null
+++ b/salt/minion/cert/ceph/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.ceph
+parameters:
+ _param:
+ salt_pki_ceph_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ ceph:
+ common_name: ceph
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_ceph_alt_names}
diff --git a/salt/minion/cert/ceph/pki.yml b/salt/minion/cert/ceph/pki.yml
new file mode 100644
index 0000000..259fc38
--- /dev/null
+++ b/salt/minion/cert/ceph/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ ceph:
+ key_file: /srv/salt/pki/${_param:cluster_name}/ceph.${_param:cluster_public_host}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/ceph.${_param:cluster_public_host}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/ceph-with-key.${_param:cluster_public_host}.pem
diff --git a/salt/minion/cert/pki.yml b/salt/minion/cert/pki.yml
deleted file mode 100644
index 6e4026b..0000000
--- a/salt/minion/cert/pki.yml
+++ /dev/null
@@ -1,3 +0,0 @@
-classes:
-- system.salt.minion.cert.wildcard
-- system.salt.minion.cert.proxy
diff --git a/salt/minion/cert/proxy.yml b/salt/minion/cert/proxy.yml
deleted file mode 100644
index 847e287..0000000
--- a/salt/minion/cert/proxy.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-parameters:
- _param:
- salt_minion_ca_authority: salt_master_ca
- salt:
- minion:
- cert:
- proxy:
- host: ${_param:salt_minion_ca_host}
- signing_policy: cert_server
- authority: ${_param:salt_minion_ca_authority}
- common_name: ${_param:cluster_public_host}
- alternative_names: IP:127.0.0.1,IP:${_param:openstack_proxy_address},IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:${_param:cluster_domain}
- key_file: /srv/salt/env/${_param:salt_master_base_environment}/prx.${_param:cluster_public_host}.key
- cert_file: /srv/salt/env/${_param:salt_master_base_environment}/prx.${_param:cluster_public_host}.crt
- all_file: /srv/salt/env/${_param:salt_master_base_environment}/prx-with-key.${_param:cluster_public_host}.pem
diff --git a/salt/minion/cert/proxy/init.yml b/salt/minion/cert/proxy/init.yml
new file mode 100644
index 0000000..fac9aa5
--- /dev/null
+++ b/salt/minion/cert/proxy/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/salt/minion/cert/proxy/openstack.yml b/salt/minion/cert/proxy/openstack.yml
new file mode 100644
index 0000000..627d96b
--- /dev/null
+++ b/salt/minion/cert/proxy/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.proxy
+parameters:
+ _param:
+ salt_pki_proxy_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:proxy.${_param:cluster_public_host},DNS:horizon.${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ proxy:
+ common_name: proxy
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_proxy_alt_names}
diff --git a/salt/minion/cert/proxy/pki.yml b/salt/minion/cert/proxy/pki.yml
new file mode 100644
index 0000000..9a93bbf
--- /dev/null
+++ b/salt/minion/cert/proxy/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ proxy:
+ key_file: /srv/salt/pki/${_param:cluster_name}/proxy.${_param:cluster_public_host}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/proxy.${_param:cluster_public_host}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/proxy-with-key.${_param:cluster_public_host}.pem
diff --git a/salt/minion/cert/swift/init.yml b/salt/minion/cert/swift/init.yml
new file mode 100644
index 0000000..28859cf
--- /dev/null
+++ b/salt/minion/cert/swift/init.yml
@@ -0,0 +1,11 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt:
+ minion:
+ cert:
+ swift:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: ${_param:cluster_public_host}
diff --git a/salt/minion/cert/swift/openstack.yml b/salt/minion/cert/swift/openstack.yml
new file mode 100644
index 0000000..5560e1b
--- /dev/null
+++ b/salt/minion/cert/swift/openstack.yml
@@ -0,0 +1,11 @@
+classes:
+- system.salt.minion.cert.swift
+parameters:
+ _param:
+ salt_pki_swift_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host}
+ salt:
+ minion:
+ cert:
+ swift:
+ common_name: swift
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_swift_alt_names}
diff --git a/salt/minion/cert/swift/pki.yml b/salt/minion/cert/swift/pki.yml
new file mode 100644
index 0000000..dd24060
--- /dev/null
+++ b/salt/minion/cert/swift/pki.yml
@@ -0,0 +1,8 @@
+parameters:
+ salt:
+ minion:
+ cert:
+ swift:
+ key_file: /srv/salt/pki/${_param:cluster_name}/swift.${_param:cluster_public_host}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/swift.${_param:cluster_public_host}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/swift-with-key.${_param:cluster_public_host}.pem
diff --git a/salt/minion/cert/wildcard.yml b/salt/minion/cert/wildcard.yml
deleted file mode 100644
index a199756..0000000
--- a/salt/minion/cert/wildcard.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-parameters:
- _param:
- salt_minion_ca_authority: salt_master_ca
- salt:
- minion:
- cert:
- wildcard:
- host: ${_param:salt_minion_ca_host}
- signing_policy: cert_server
- authority: ${_param:salt_minion_ca_authority}
- common_name: wildcard.${_param:cluster_public_host}
- alternative_names: IP:127.0.0.1,IP:${_param:openstack_proxy_address},IP:${_param:cluster_public_host},DNS:*.${_param:cluster_public_host},DNS:${_param:cluster_domain},DNS:*.${_param:cluster_domain}
- key_file: /srv/salt/pki/wildcard.${_param:cluster_public_host}.key
- cert_file: /srv/salt/pki/wildcard.${_param:cluster_public_host}.crt
- all_file: /srv/salt/pki/wildcard-with-key.${_param:cluster_public_host}.pem
diff --git a/salt/minion/cert/wildcard/init.yml b/salt/minion/cert/wildcard/init.yml
new file mode 100644
index 0000000..3bc2d52
--- /dev/null
+++ b/salt/minion/cert/wildcard/init.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt_pki_wildcard_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:*.${_param:cluster_public_host},DNS:${_param:cluster_domain},DNS:*.${_param:cluster_domain}
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: wildcard
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_wildcard_alt_names}
+ key_file: /srv/salt/pki/${_param:cluster_name}/wildcard.${_param:cluster_public_host}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/wildcard.${_param:cluster_public_host}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/wildcard-with-key.${_param:cluster_public_host}.pem