ensure /etc/pki is created and simplify ca logic for non manager in ssl state

salt/ca/dirs.sls

@@ -0,0 +1,4 @@
+pki_issued_certs:
+  file.directory:
+    - name: /etc/pki/issued_certs
+    - makedirs: True

salt/ca/init.sls

@@ -1,17 +1,14 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
 
+include:
+  - ca.dirs
+
 {% set manager = salt['grains.get']('master') %}
 /etc/salt/minion.d/signing_policies.conf:
   file.managed:
     - source: salt://ca/files/signing_policies.conf
 
-/etc/pki:
-  file.directory: []
-
-/etc/pki/issued_certs:
-  file.directory: []
-
 pki_private_key:
   x509.private_key_managed:
     - name: /etc/pki/ca.key

salt/ssl/init.sls

@@ -16,20 +16,16 @@
 {% endif %}
 
 {% if grains.id.split('_')|last in ['manager', 'managersearch', 'eval', 'standalone', 'import', 'helixsensor'] %}
-    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
-    {% set ca_server = grains.id %}
 include:
   - ca
+    {% set trusttheca_text = salt['cp.get_file_str']('/etc/pki/ca.crt')|replace('\n', '') %}
+    {% set ca_server = grains.id %}
 {% else %}
-    {% set x509dict = salt['mine.get']('*', 'x509.get_pem_entries') %}
+include:
-    {% for host in x509dict %}
+  - ca.dirs
-      {% if 'manager' in host.split('_')|last or host.split('_')|last == 'standalone' %}
+    {% set x509dict = salt['mine.get'](manager, 'x509.get_pem_entries') %}
-        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
+    {% set trusttheca_text = x509dict[manager].get('/etc/pki/ca.crt')|replace('\n', '') %}
-        {% do global_ca_server.append(host) %}
+    {% set ca_server = manager %}
-      {% endif %}
-    {% endfor %}
-    {% set trusttheca_text = global_ca_text[0] %}
-    {% set ca_server = global_ca_server[0] %}
 {% endif %}
 
 # Trust the CA