Use forward dependency for ca_file instead of reverse one

We can have this failing because of bad mine data:
salt['mine.get'](cert.host, 'x509.get_pem_entries')

Without this change, dependency between salt_minion_cert_*_all and
ca_file is just ignored and salt_minion_cert_*_all state fails because
it can't find appropriate file.

Change-Id: I2a5dd12e08159bf110ff0d9879ebf0ad5d9d97c1

salt/minion/cert.sls

 
 {%- if minion.cert is defined %}
 
+{%- set created_ca_files = [] %}
+
 {%- for cert_name,cert in minion.get('cert', {}).iteritems() %}
 {%- set rowloop = loop %}
 
     - watch:
       - x509: {{ cert_file }}
 
-{%- if cert.host is defined %}
+{%- if cert.host is defined and ca_file not in created_ca_files %}
 {%- for ca_path,ca_cert in salt['mine.get'](cert.host, 'x509.get_pem_entries').get(cert.host, {}).iteritems() %}
 
 {%- if '/etc/pki/ca/'+cert.authority in ca_path %}
 
-{{ ca_file }}_{{ rowloop.index }}:
+{{ ca_file }}:
   x509.pem_managed:
     - name: {{ ca_file }}
     - text: {{ ca_cert|replace('\n', '') }}
     - watch:
       - x509: {{ cert_file }}
-    {%- if cert.all_file is defined %}
-    - watch_in:
-      - cmd: salt_minion_cert_{{ cert_name }}_all
-    {%- endif %}
 
-{{ ca_file }}_cert_permissions_{{ rowloop.index }}:
+{{ ca_file }}_cert_permissions:
   file.managed:
     - name: {{ ca_file }}
     - mode: 0644
     - watch:
       - x509: {{ ca_file }}
 
-{{ ca_file }}_{{ rowloop.index }}_local_trusted_symlink:
+{{ ca_file }}_local_trusted_symlink:
   file.symlink:
     - name: "{{ cacerts_dir }}/ca-{{ cert.authority }}.crt"
     - target: {{ ca_file }}
 {%- endif %}
 
 {%- endfor %}
+{%- do created_ca_files.append(ca_file) %}
 {%- endif %}
 
 {%- if cert.all_file is defined %}
     - watch:
       - x509: {{ key_file }}
       - x509: {{ cert_file }}
+      - x509: {{ ca_file }}
 
 {{ cert.all_file }}_cert_permissions:
   file.managed: