Reusable certificates
- store cert under /srv/salt/pki
- isolate certs per cluster name
- reclass overrides (openstack, wildcard)
diff --git a/salt/minion/cert/wildcard/init.yml b/salt/minion/cert/wildcard/init.yml
new file mode 100644
index 0000000..3bc2d52
--- /dev/null
+++ b/salt/minion/cert/wildcard/init.yml
@@ -0,0 +1,16 @@
+parameters:
+ _param:
+ salt_minion_ca_authority: salt_master_ca
+ salt_pki_wildcard_alt_names: IP:${_param:cluster_public_host},DNS:${_param:cluster_public_host},DNS:*.${_param:cluster_public_host},DNS:${_param:cluster_domain},DNS:*.${_param:cluster_domain}
+ salt:
+ minion:
+ cert:
+ proxy:
+ host: ${_param:salt_minion_ca_host}
+ signing_policy: cert_server
+ authority: ${_param:salt_minion_ca_authority}
+ common_name: wildcard
+ alternative_names: IP:127.0.0.1,${_param:salt_pki_wildcard_alt_names}
+ key_file: /srv/salt/pki/${_param:cluster_name}/wildcard.${_param:cluster_public_host}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/wildcard.${_param:cluster_public_host}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/wildcard-with-key.${_param:cluster_public_host}.pem