diff --git a/salt/ca/dirs.sls b/salt/ca/dirs.sls
new file mode 100644
index 000000000..36f37b760
--- /dev/null
+++ b/salt/ca/dirs.sls
@@ -0,0 +1,4 @@
+pki_issued_certs:
+  file.directory:
+    - name: /etc/pki/issued_certs
+    - makedirs: True
diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index 9c30b5c5e..a69c779a7 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -1,17 +1,14 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+include:
+  - ca.dirs
+
 {% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
   file.managed:
     - source: salt://ca/files/signing_policies.conf
-/etc/pki:
-  file.directory: []
-
-/etc/pki/issued_certs:
-  file.directory: []
-
 pki_private_key:
   x509.private_key_managed:
     - name: /etc/pki/ca.key
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 93eb6a27d..1bd218d8f 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
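Review bot: `pki_issued_certs` in the new salt/ca/dirs.sls sets no `user`, `group` or `mode`, so the permissions of /etc/pki/issued_certs — and of the parent /etc/pki that `makedirs: True` now creates, which per the ca/init.sls hunk also holds ca.key — are whatever the minion's umask yields at creation time. The removed `/etc/pki` state in ca/init.sls had the same gap, but now that this file is the only place these directories are declared it is the right place to pin them. Adding `- user: root`, `- group: root` and `- mode: 755` under `file.directory` makes the intended ownership explicit and keeps a stray umask from leaving the CA's directory tree group- or world-writable.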
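Review bot: `pki_private_key` now depends on /etc/pki existing only through the included ca.dirs state, since the in-file `/etc/pki` file.directory state is removed in this hunk and nothing declares the dependency. Salt orders included states ahead of the including file's states by default, but an explicit `order:` elsewhere or a failure inside ca.dirs could still let x509.private_key_managed run before its directory exists and fail, or run before the directory has been given its intended permissions. Adding `- require:` / `  - file: pki_issued_certs` under `pki_private_key` pins the ordering to the state that actually creates the tree. The option list of pki_private_key continues outside the hunk.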
@@ -16,20 +16,16 @@
 {% endif %}
 {% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %}
-  {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
-  {% set ca_server = grains.id %}
 include:
   - ca
+  {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
+  {% set ca_server = grains.id %}
 {% else %}
-  {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
-  {% for host in x509dict %}
-    {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
-      {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
-      {% do global_ca_server.append(host) %}
-    {% endif %}
-  {% endfor %}
-  {% set trusttheca_text = global_ca_text[0] %}
-  {% set ca_server = global_ca_server[0] %}
+include:
+  - ca.dirs
+  {% set x509dict = salt['mine.get'](manager, 'x509.get_pem_entries') %}
+  {% set trusttheca_text = x509dict[manager].get('/etc/pki/ca.crt')|replace('\n', '') %}
+  {% set ca_server = manager %}
 {% endif %}
 # Trust the CA
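Review bot: The else branch indexes `x509dict[manager]` without checking that the mine returned an entry for that id, so a minion whose mine data is not yet populated (first highstate, or `mine.update` not yet run on the manager) fails the render with a bare Jinja lookup error rather than a message naming the cause. Wrapping the two `set` lines in `{% if manager in x509dict %}` with an else branch that fails with a message such as "no CA certificate found in mine for <manager id>" keeps the failure explicit; the old loop had the same hole at `global_ca_text[0]`, but a single pinned key makes the guard cheap. `manager` is not set inside this hunk — it is presumably defined earlier in the file; worth confirming it is a plain minion id, since `mine.get` targets by glob by default while the dict lookup that follows needs an exact key. A one-line comment above the lookup, `# Only the configured master's mine entry is trusted as the source of the CA cert`, would record why the host-name pattern match was dropped.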