Fix Salt PKI setup
diff --git a/salt/master/api.yml b/salt/master/api.yml
index 1cfeb42..1c0c3fb 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,6 +1,12 @@
 parameters:
   _param:
     salt_master_api_port: 8000
+    salt_master_api_permissions:
+    - '.*'
+    - '@local'
+    - '@wheel'   # to allow access to all wheel modules
+    - '@runner'  # to allow access to all runner modules
+    - '@jobs'    # to allow access to the jobs runner and/or wheel mo
   salt:
     api:
       enabled: true
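Review bot: The default for `salt_master_api_permissions` still grants the `salt` API user every function on every target (`'.*'`) plus all wheel and runner modules, and as a shared parameter it is now inherited silently by any model that does not override it. I would put a comment above the key such as `# Unrestricted default: override per deployment with the minimal set of functions the API user needs`. The comment on the `'@jobs'` entry is cut off at "wheel mo" and should be completed while the lines are being moved. The same list is what the second hunk interpolates into `salt:api:user:salt:permissions`, so the note applies there as well.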
@@ -11,12 +17,7 @@
       command_timeout: 600
       user:
         salt:
-          permissions:
-          - '.*'
-          - '@local'
-          - '@wheel'   # to allow access to all wheel modules
-          - '@runner'  # to allow access to all runner modules
-          - '@jobs'    # to allow access to the jobs runner and/or wheel mo
+          permissions: ${_param:salt_master_api_permissions}
   linux:
     system:
       user:
diff --git a/salt/minion/ca/salt_master.yml b/salt/minion/ca/salt_master.yml
new file mode 100644
index 0000000..30c9d9b
--- /dev/null
+++ b/salt/minion/ca/salt_master.yml
@@ -0,0 +1,26 @@
+parameters:
+  _param:
+    salt_minion_ca_common_name: Salt Master CA
+    salt_minion_ca_country: cz 
+    salt_minion_ca_locality: Prague
+    salt_minion_ca_organization: Mirantis
+    salt_minion_ca_days_valid_authority: 3650
+    salt_minion_ca_days_valid_certificate: 365
+  salt:
+    minion:
+      ca:
+        salt_master_ca:
+          common_name: ${_param:salt_minion_ca_common_name}
+          country: ${_param:salt_minion_ca_country}
+          locality: ${_param:salt_minion_ca_locality}
+          organization: ${_param:salt_minion_ca_organization}
+          signing_policy:
+            cert_server:
+              type: v3_edge_cert_server
+              minions: '*'
+            cert_client:
+              type: v3_edge_cert_client
+              minions: '*'
+          days_valid:
+            authority: ${_param:salt_minion_ca_days_valid_authority}
+            certificate: ${_param:salt_minion_ca_days_valid_certificate}
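Review bot: Both signing policies use `minions: '*'`, so every minion is allowed to request server and client certificates from this CA; if one minion is compromised it could presumably obtain a certificate for a name it does not own, depending on how the formula enforces the policy. Consider making the matcher a parameter like the other values, e.g. `minions: ${_param:salt_minion_ca_signing_minions}`, with the wide default documented as something to narrow per environment. Separately, `salt_minion_ca_country: cz ` has trailing whitespace and a lowercase code; the certificate country field is conventionally the upper-case ISO 3166 code, so `salt_minion_ca_country: CZ` would be safer. A short comment noting that the authority is valid for 3650 days and how it is meant to be rotated would also help.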
diff --git a/salt/minion/cert/proxy.yml b/salt/minion/cert/proxy.yml
new file mode 100644
index 0000000..fac9aa5
--- /dev/null
+++ b/salt/minion/cert/proxy.yml
@@ -0,0 +1,11 @@
+parameters:
+  _param:
+    salt_minion_ca_authority: salt_master_ca
+  salt:
+    minion:
+      cert:
+        proxy:
+          host: ${_param:salt_minion_ca_host}
+          signing_policy: cert_server
+          authority: ${_param:salt_minion_ca_authority}
+          common_name: ${_param:cluster_public_host}
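Review bot: `${_param:salt_minion_ca_host}` and `${_param:cluster_public_host}` are referenced here but not defined in this class or in the other files of this commit, so the class can only be interpolated when the including model sets both. A header comment would make that contract explicit, for example `# Requires _param: salt_minion_ca_host, cluster_public_host (provided by the cluster model)`. It is also worth stating in that comment that `salt_minion_ca_authority` must match the CA name declared in `salt/minion/ca/salt_master.yml` (`salt_master_ca`), since the two files are only linked by that string.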