|
- {%- set service_grains = {'salt': {'graph': []}} %}
- {%- for service_name, service in pillar.items() %}
- {%- set grains_fragment_file = service_name+'/meta/meta.yml' %}
- {%- macro load_grains_file() %}{% include grains_fragment_file ignore missing %}{% endmacro %}
- {%- set grains_yaml = load_grains_file()|load_yaml %}
- {%- if grains_yaml is mapping %}
- {%- for node in grains_yaml.graph if grains_yaml.graph %}
- {%- do service_grains.salt.graph.append(node) %}
- {%- endfor %}
- {%- endif %}
- {%- endfor %}
- grain:
- salt:
- {{ service_grains|yaml(False)|indent(4) }}
- orchestrate:
- master:
- priority: 60
- minion:
- priority: 70
- control:
- priority: 400
- require:
- - salt: salt.master
- minion:
- {%- if pillar.get('salt', {}).get('minion', {}).get('ca') %}
- pki:
- {%- from "salt/map.jinja" import minion with context %}
- x509_signing_policies:
- {%- for ca_name,ca in minion.ca.items() %}
-
- {%- set ca_file = ca.get('ca_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.crt') %}
- {%- set ca_key_file = ca.get('ca_key_file', '/etc/pki/ca/' ~ ca_name ~ '/ca.key') %}
- {%- set ca_certs_dir = salt['file.dirname'](ca_file) ~ '/certs/' %}
-
- {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
- {{ ca_name }}_{{ signing_policy_name }}:
- - minions: '{{ signing_policy.minions }}'
- - signing_private_key: {{ ca_key_file }}
- - signing_cert: {{ ca_file }}
- {%- if ca.country is defined %}
- - C: {{ ca.country }}
- {%- endif %}
- {%- if ca.state is defined %}
- - ST: {{ ca.state }}
- {%- endif %}
- {%- if ca.locality is defined %}
- - L: {{ ca.locality }}
- {%- endif %}
- {%- if ca.organization is defined %}
- - O: {{ ca.organization }}
- {%- endif %}
- {%- if ca.organization_unit is defined %}
- - OU: {{ ca.organization_unit }}
- {%- endif %}
- {%- if signing_policy.type == 'v3_edge_cert_client' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical clientAuth"
- {%- elif signing_policy.type == 'v3_edge_cert_server' %}
- - basicConstraints: "CA:FALSE"
- - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
- - extendedKeyUsage: "critical,serverAuth"
- {%- elif signing_policy.type == 'v3_intermediate_ca' %}
- - basicConstraints: "CA:TRUE"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- elif signing_policy.type == 'v3_edge_ca' %}
- - basicConstraints: "CA:TRUE,pathlen:0"
- - keyUsage: "critical cRLSign,keyCertSign"
- {%- elif signing_policy.type == 'v3_edge_cert_open' %}
- - basicConstraints: "CA:FALSE"
- {%- endif %}
- - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
- - days_valid: {{ ca.days_valid.certificate }}
- - copypath: {{ ca_certs_dir }}
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
-
- {%- if pillar.salt.control is defined and pillar.salt.control.virt_enabled is defined %}
- virt:
- {% from "salt/map.jinja" import control with context %}
- {%- if control.net_profile is defined or control.disk_profile is defined %}
- virt:
- {%- if control.net_profile is defined %}
- nic:
- {%- for item_name, item in control.net_profile.iteritems() %}
- {{ item_name }}:
- {%- for iface_name, iface in item.iteritems() %}
- {{ iface_name }}:
- {%- if iface.bridge is defined %}
- bridge: {{ iface.bridge }}
- {%- endif %}
- {%- if iface.network is defined %}
- network: {{ iface.network }}
- {%- endif %}
- {%- if iface.model is defined %}
- model: {{ iface.model }}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
- {%- if control.disk_profile is defined %}
- disk:
- {%- for item_name, item in control.disk_profile.iteritems() %}
- {{ item_name }}:
- {%- for disk_name, disk in item.iteritems() %}
- - {{ disk }}:
- {%- if disk.size is defined %}
- size: {{ disk.size }}
- {%- endif %}
- {%- endfor %}
- {%- endfor %}
- {%- endif %}
- {%- endif %}
- virt.images: /var/lib/libvirt/images
- {%- endif %}
-
- {#-
- vim: syntax=jinja
- -#}
|