- orchestrate:
- master:
- priority: 60
- minion:
- priority: 70
- control:
- priority: 400
- require:
- - salt: salt.master
-
- minion:
- {%- if pillar.get('salt', {}).get('minion', {}).get('ca') %}
- pki:
- {%- from "salt/map.jinja" import minion with context %}
- x509_signing_policies:
- {%- for ca_name,ca in minion.ca.items() %}
- {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
- {{ ca_name }}_{{ signing_policy_name }}:
- - minions: '{{ signing_policy.minions }}'
- - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
- - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
- {%- if ca.country is defined %}
- - C: {{ ca.country }}
- {%- endif %}
- {%- if ca.state is defined %}
- - ST: {{ ca.state }}
- {%- endif %}
- {%- if ca.locality is defined %}
- - L: {{ ca.locality }}
- {%- endif %}
- {%- if ca.organization is defined %}
- - O: {{ ca.organization }}
- {%- endif %}
- {%- if ca.organization_unit is defined %}
- - OU: {{ ca.organization_unit }}
- {%- endif %}
- {%- if signing_policy.type == 'v3_edge_cert_client' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical clientAuth"
- {%- elif signing_policy.type == 'v3_edge_cert_server' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical,serverAuth"
- {%- elif signing_policy.type == 'v3_intermediate_ca' %}
- - basicConstraints: "CA:TRUE"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- elif signing_policy.type == 'v3_edge_ca' %}
- - basicConstraints: "CA:TRUE,pathlen:0"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- elif signing_policy.type == 'v3_edge_cert_open' %}
- - basicConstraints: "CA:FALSE"
- {%- endif %}
- - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: {{ ca.days_valid.certificate }}
- - copypath: /etc/pki/ca/{{ ca_name }}/certs/
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
-
- {%- if pillar.salt.control is defined and pillar.salt.control.virt_enabled is defined %}
- virt:
- {% from "salt/map.jinja" import control with context %}
- {%- if control.net_profile is defined or control.disk_profile is defined %}
- virt:
- {%- if control.net_profile is defined %}
- nic:
- {%- for item_name, item in control.net_profile.iteritems() %}
- {{ item_name }}:
- {%- for iface_name, iface in item.iteritems() %}
- {{ iface_name }}:
- {%- if iface.bridge is defined %}
- bridge: {{ iface.bridge }}
- {%- endif %}
- {%- if iface.network is defined %}
- network: {{ iface.network }}
- {%- endif %}
- {%- if iface.model is defined %}
- model: {{ iface.model }}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
- {%- if control.disk_profile is defined %}
- disk:
- {%- for item_name, item in control.disk_profile.iteritems() %}
- {{ item_name }}:
- {%- for disk_name, disk in item.iteritems() %}
- - {{ disk }}:
- {%- if disk.size is defined %}
- size: {{ disk.size }}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
- {%- endif %}
- virt.images: /var/lib/libvirt/images
- {%- endif %}
-
- {#-
- vim: syntax=jinja
- -#}