New version of salt-formula from Saltstack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

104 lines
3.6KB

  1. orchestrate:
  2. master:
  3. priority: 60
  4. minion:
  5. priority: 70
  6. control:
  7. priority: 400
  8. require:
  9. - salt: salt.master
  10. minion:
  11. {%- if pillar.get('salt', {}).get('minion', {}).get('ca') %}
  12. pki:
  13. {%- from "salt/map.jinja" import minion with context %}
  14. x509_signing_policies:
  15. {%- for ca_name,ca in minion.ca.items() %}
  16. {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
  17. {{ ca_name }}_{{ signing_policy_name }}:
  18. - minions: '{{ signing_policy.minions }}'
  19. - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
  20. - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
  21. {%- if ca.country is defined %}
  22. - C: {{ ca.country }}
  23. {%- endif %}
  24. {%- if ca.state is defined %}
  25. - ST: {{ ca.state }}
  26. {%- endif %}
  27. {%- if ca.locality is defined %}
  28. - L: {{ ca.locality }}
  29. {%- endif %}
  30. {%- if ca.organization is defined %}
  31. - O: {{ ca.organization }}
  32. {%- endif %}
  33. {%- if ca.organization_unit is defined %}
  34. - OU: {{ ca.organization_unit }}
  35. {%- endif %}
  36. {%- if signing_policy.type == 'v3_edge_cert_client' %}
  37. - basicConstraints: "CA:FALSE"
  38. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  39. - extendedKeyUsage: "critical clientAuth"
  40. {%- elif signing_policy.type == 'v3_edge_cert_server' %}
  41. - basicConstraints: "CA:FALSE"
  42. - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
  43. - extendedKeyUsage: "critical,serverAuth"
  44. {%- elif signing_policy.type == 'v3_intermediate_ca' %}
  45. - basicConstraints: "CA:TRUE"
  46. - keyUsage: "critical cRLSign,keyCertSign"
  47. {%- elif signing_policy.type == 'v3_edge_ca' %}
  48. - basicConstraints: "CA:TRUE,pathlen:0"
  49. - keyUsage: "critical cRLSign,keyCertSign"
  50. {%- elif signing_policy.type == 'v3_edge_cert_open' %}
  51. - basicConstraints: "CA:FALSE"
  52. {%- endif %}
  53. - subjectKeyIdentifier: hash
  54. - authorityKeyIdentifier: keyid,issuer:always
  55. - days_valid: {{ ca.days_valid.certificate }}
  56. - copypath: /etc/pki/ca/{{ ca_name }}/certs/
  57. {%- endfor %}
  58. {%- endfor %}
  59. {%- endif %}
  60. {%- if pillar.salt.control is defined and pillar.salt.control.virt_enabled is defined %}
  61. virt:
  62. {% from "salt/map.jinja" import control with context %}
  63. {%- if control.net_profile is defined or control.disk_profile is defined %}
  64. virt:
  65. {%- if control.net_profile is defined %}
  66. nic:
  67. {%- for item_name, item in control.net_profile.iteritems() %}
  68. {{ item_name }}:
  69. {%- for iface_name, iface in item.iteritems() %}
  70. {{ iface_name }}:
  71. {%- if iface.bridge is defined %}
  72. bridge: {{ iface.bridge }}
  73. {%- endif %}
  74. {%- if iface.network is defined %}
  75. network: {{ iface.network }}
  76. {%- endif %}
  77. {%- if iface.model is defined %}
  78. model: {{ iface.model }}
  79. {%- endif %}
  80. {%- endfor %}
  81. {%- endfor %}
  82. {%- endif %}
  83. {%- if control.disk_profile is defined %}
  84. disk:
  85. {%- for item_name, item in control.disk_profile.iteritems() %}
  86. {{ item_name }}:
  87. {%- for disk_name, disk in item.iteritems() %}
  88. - {{ disk }}:
  89. {%- if disk.size is defined %}
  90. size: {{ disk.size }}
  91. {%- endif %}
  92. {%- endfor %}
  93. {%- endfor %}
  94. {%- endif %}
  95. {%- endif %}
  96. virt.images: /var/lib/libvirt/images
  97. {%- endif %}
  98. {#-
  99. vim: syntax=jinja
  100. -#}