Enable and use salt_api proxy by default
* Use nginx as proxy
* Misc: define defaults for
salt_master_host
infra_config_address
reclass_config_master
jenkins_salt_api_url
* Pass certs dir for jenkins docker slaves
Related: PROD-27641(PROD:27641)
Related: PROD-30528(PROD:30528)
Change-Id: I5fac90101131a8d8d4fa7857982f18c855e0771c
diff --git a/salt/master/api.yml b/salt/master/api.yml
index f0fa081..50a9d3e 100644
--- a/salt/master/api.yml
+++ b/salt/master/api.yml
@@ -1,9 +1,15 @@
+classes:
+# Enabled ssl api by default
+- system.salt.minion.cert.salt_api
+- system.nginx.server.single
+- system.nginx.server.proxy.ssl
+- system.nginx.server.proxy.salt_api
parameters:
salt:
api:
enabled: true
bind:
- address: 0.0.0.0
+ address: ${_param:salt_master_api_bind_address}
port: ${_param:salt_master_api_port}
master:
command_timeout: 600
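Review bot: The new `address: ${_param:salt_master_api_bind_address}` line references a parameter that this file does not define, and the commit message's list of new defaults (salt_master_host, infra_config_address, reclass_config_master, jenkins_salt_api_url) does not name it, so a model that includes this class without setting it would presumably fail interpolation. Because the class now also pulls in `system.nginx.server.proxy.ssl` and `system.nginx.server.proxy.salt_api`, a loopback default would keep the un-proxied API reachable only through nginx, for example `salt_master_api_bind_address: 127.0.0.1` under `_param`. The default may already live in another file of this change; if so, a comment next to `address:` naming where it is set and what value is expected behind the proxy would help.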
diff --git a/salt/minion/cert/salt_api.yml b/salt/minion/cert/salt_api.yml
index acd9bba..71441b1 100644
--- a/salt/minion/cert/salt_api.yml
+++ b/salt/minion/cert/salt_api.yml
@@ -3,9 +3,20 @@
minion:
cert:
salt_api:
+ common_name: salt_api
host: ${_param:salt_minion_ca_host}
authority: ${_param:salt_minion_ca_authority}
- common_name: salt_api
+ key_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.key
+ cert_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}.crt
+ all_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-chain-with-key.pem
+ ca_file: /srv/salt/pki/${_param:cluster_name}/${salt:minion:cert:salt_api:common_name}-ca.pem
signing_policy: cert_server
- alternative_names: IP:${_param:salt_master_host},IP:127.0.0.1,DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
+ alternative_names: >
+ IP:${_param:salt_master_host},
+ IP:127.0.0.1,
+ IP:${_param:infra_config_address},
+ DNS:${_param:salt_master_host},
+ DNS:127.0.0.1,
+ DNS:${_param:infra_config_address},
+ DNS:${_param:infra_config_hostname}.${_param:cluster_domain}
mode: '0644'
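Review bot: The added `key_file` and `all_file` entries place private-key material (`.key` and `-chain-with-key.pem`) under `/srv/salt/pki/${_param:cluster_name}/` while the unchanged `mode: '0644'` stays on the same mapping; if the formula applies that mode to every generated file, the key and the key-bearing bundle end up world-readable. It is worth confirming how the formula sets the key's mode, and that this directory is not exposed more widely than intended, since the commit message mentions passing the certs dir to Jenkins docker slaves. Separately, `DNS:127.0.0.1`, `DNS:${_param:infra_config_address}` and `DNS:${_param:salt_master_host}` put what look like IP literals into DNS SANs; if they exist for clients that ignore IP SANs, a comment such as `# DNS:<ip> entries kept for clients that do not check IP SANs` would record that. The folded scalar `>` also joins the lines with a space after each comma and keeps a trailing newline, so `alternative_names: >-` is the safer header if the consumer does not trim the value.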