The *.ssl x509.certificate_managed states hard-failed the state run when
the CA/manager minion was unreachable (ca_server did not respond), and the
paired private_key_managed states then failed on the prereq requisite. The
- timeout: 30 on these states was a no-op (Salt has no per-state timeout
requisite; only retry accepts until/attempts/interval/splay).
Add an onlyif CA-reachability gate to every certificate_managed state so the
state is skipped as a clean success when the CA does not answer a peer
test.ping within 3s and the cert already exists. When the cert is missing
(initial provisioning) the state still runs so the existing retry waits for
the CA. The reachability command is centralized as CA.reachable_cmd in
ca/map.jinja, and the master peer config now permits test.ping. The no-op
- timeout: 30 is removed from all cert states.
Load component and index templates as throttled background jobs (max 10
concurrent) instead of sequential curl PUTs, matching the bounded-concurrency
+ flock-serialized-output pattern used by the fleet/ILM load scripts. Keeps a
wait barrier between the component phase and the index phase so index
templates never load before their referenced component templates. Failures are
tracked via per-job marker files since counter increments can't escape
background subshells.
A single printf per block was not actually one write() call, so
concurrent jobs still occasionally interleaved their label and response
lines. Hold an flock around just the printf (curl still runs in
parallel) so each policy's block prints intact, keeping live
completion-order streaming.
Run the ~300 ILM policy PUTs concurrently (bounded to 10 in flight via a
throttle gate) instead of one serial curl per policy. Adds a put_policy
helper and waits for all background jobs before exiting. Preserves policy
parity; only the scheduling changes. Drops the dead empty sid cookie arg
(falls back to basic auth from curl.config as before).