Manage minion.d using support metadata

Change-Id: I6f1292779858c45f9cf6f4caf3657ee000b2cf06

salt/control/virt.sls

   pkg.installed:
     - names: {{ control.virt_pkgs }}
 
+{% if grains.oscodename == 'trusty' %}
+{#- This tool is not available in newer releases #}
 update-guestfs-appliance:
   cmd.wait:
     - watch:
       - pkg: salt_control_virt_packages
-
-{#
-{%- for package in control.virt_pips %}
-
-{{ package }}:
-  pip.installed:
-  - require:
-    - pkg: salt_control_virt_packages
-
-{%- endfor %}
-#}
-
-/etc/salt/minion.d/_virt.conf:
-  file.managed:
-  - source: salt://salt/files/_virt.conf
-  - user: root
-  - group: root
-  - template: jinja
-  - require:
-    - pkg: salt_control_virt_packages
-  {%- if not grains.get('noservices', False) %}
-  - watch_in:
-    - service: salt_minion_service
-  {%- endif %}
+{%- endif %}
 
 {%- for cluster_name, cluster in control.cluster.iteritems() %}
 

salt/files/_pki.conf

-{%- from "salt/map.jinja" import minion with context %}
-
-x509_signing_policies:
-{%- for ca_name,ca in minion.ca.items() %}
-{%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
-  {{ ca_name }}_{{ signing_policy_name }}:
-    - minions: '{{ signing_policy.minions }}'
-    - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
-    - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
-    {%- if ca.country is defined %}
-    - C: {{ ca.country }}
-    {%- endif %}
-    {%- if ca.state is defined %}
-    - ST: {{ ca.state }}
-    {%- endif %}
-    {%- if ca.locality is defined %}
-    - L: {{ ca.locality }}
-    {%- endif %}
-    {%- if ca.organization is defined %}
-    - O: {{ ca.organization }}
-    {%- endif %}
-    {%- if ca.organization_unit is defined %}
-    - OU: {{ ca.organization_unit }}
-    {%- endif %}
-    {%- if signing_policy.type == 'v3_edge_cert_client' %}
-    - basicConstraints: "CA:FALSE"
-    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
-    - extendedKeyUsage: "critical clientAuth"
-    {%- elif signing_policy.type == 'v3_edge_cert_server' %}
-    - basicConstraints: "CA:FALSE"
-    - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
-    - extendedKeyUsage: "critical,serverAuth"
-    {%- elif signing_policy.type == 'v3_intermediate_ca' %}
-    - basicConstraints: "CA:TRUE"
-    - keyUsage: "critical cRLSign,keyCertSign"
-    {%- elif signing_policy.type == 'v3_edge_ca' %}
-    - basicConstraints: "CA:TRUE,pathlen:0"
-    - keyUsage: "critical cRLSign,keyCertSign"
-    {%- elif signing_policy.type == 'v3_edge_cert_open' %}
-    - basicConstraints: "CA:FALSE"
-    {%- endif %}
-    - subjectKeyIdentifier: hash
-    - authorityKeyIdentifier: keyid,issuer:always
-    - days_valid: {{ ca.days_valid.certificate }}
-    - copypath: /etc/pki/ca/{{ ca_name }}/certs/
-{%- endfor %}
-{%- endfor %}

salt/files/_virt.conf

-{% from "salt/map.jinja" import control with context %}
-
-{%- if control.net_profile is defined or control.disk_profile is defined %}
-virt:
-  {%- if control.net_profile is defined %}
-  nic:
-    {%- for item_name, item in control.net_profile.iteritems() %}
-    {{ item_name }}:
-      {%- for iface_name, iface in item.iteritems() %}
-      {{ iface_name }}:
-        {%- if iface.bridge is defined %}
-        bridge: {{ iface.bridge }}
-        {%- endif %}
-        {%- if iface.network is defined %}
-        network: {{ iface.network }}
-        {%- endif %}
-        {%- if iface.model is defined %}
-        model: {{ iface.model }}
-        {%- endif %}
-      {%- endfor %}
-    {%- endfor %}
-  {%- endif %}
-  {%- if control.disk_profile is defined %}
-  disk:
-    {%- for item_name, item in control.disk_profile.iteritems() %}
-    {{ item_name }}:
-      {%- for disk_name, disk in item.iteritems() %}
-      - {{ disk }}:
-          {%- if disk.size is defined %}
-          size: {{ disk.size }}
-          {%- endif %}
-      {%- endfor %} 
-    {%- endfor %} 
-  {%- endif %}
-{%- endif %}
-
-virt.images: /var/lib/libvirt/images

salt/map.jinja

 Arch:
   pkgs:
   - salt-zmq
-  grains_validity_pkgs:
-  - python-yaml
 Debian:
   pkgs:
   - salt-minion
   - python-m2crypto
   - python-psutil
-  grains_validity_pkgs:
   - python-yaml
 Gentoo:
   pkgs:
   - salt-minion
   - m2crypto
   - psutils
-  grains_validity_pkgs:
   - PyYAML
 {%- endload %}
 

salt/meta/salt.yml

 orchestrate:
   master:
     priority: 60
-  minion: 
+  minion:
     priority: 70
-  control: 
+  control:
     priority: 400
     require:
     - salt: salt.master
 
+minion:
+  {%- if pillar.salt.minion is defined and pillar.salt.minion.ca is defined %}
+  pki:
+    {%- from "salt/map.jinja" import minion with context %}
+    x509_signing_policies:
+    {%- for ca_name,ca in minion.ca.items() %}
+    {%- for signing_policy_name, signing_policy in ca.signing_policy.iteritems() %}
+      {{ ca_name }}_{{ signing_policy_name }}:
+        - minions: '{{ signing_policy.minions }}'
+        - signing_private_key: /etc/pki/ca/{{ ca_name }}/ca.key
+        - signing_cert: /etc/pki/ca/{{ ca_name }}/ca.crt
+        {%- if ca.country is defined %}
+        - C: {{ ca.country }}
+        {%- endif %}
+        {%- if ca.state is defined %}
+        - ST: {{ ca.state }}
+        {%- endif %}
+        {%- if ca.locality is defined %}
+        - L: {{ ca.locality }}
+        {%- endif %}
+        {%- if ca.organization is defined %}
+        - O: {{ ca.organization }}
+        {%- endif %}
+        {%- if ca.organization_unit is defined %}
+        - OU: {{ ca.organization_unit }}
+        {%- endif %}
+        {%- if signing_policy.type == 'v3_edge_cert_client' %}
+        - basicConstraints: "CA:FALSE"
+        - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+        - extendedKeyUsage: "critical clientAuth"
+        {%- elif signing_policy.type == 'v3_edge_cert_server' %}
+        - basicConstraints: "CA:FALSE"
+        - keyUsage: "critical digitalSignature,nonRepudiation,keyEncipherment"
+        - extendedKeyUsage: "critical,serverAuth"
+        {%- elif signing_policy.type == 'v3_intermediate_ca' %}
+        - basicConstraints: "CA:TRUE"
+        - keyUsage: "critical cRLSign,keyCertSign"
+        {%- elif signing_policy.type == 'v3_edge_ca' %}
+        - basicConstraints: "CA:TRUE,pathlen:0"
+        - keyUsage: "critical cRLSign,keyCertSign"
+        {%- elif signing_policy.type == 'v3_edge_cert_open' %}
+        - basicConstraints: "CA:FALSE"
+        {%- endif %}
+        - subjectKeyIdentifier: hash
+        - authorityKeyIdentifier: keyid,issuer:always
+        - days_valid: {{ ca.days_valid.certificate }}
+        - copypath: /etc/pki/ca/{{ ca_name }}/certs/
+    {%- endfor %}
+    {%- endfor %}
+  {%- endif %}
+
+  {%- if pillar.salt.control is defined and pillar.salt.control.virt_enabled is defined %}
+  virt:
+    {% from "salt/map.jinja" import control with context %}
+    {%- if control.net_profile is defined or control.disk_profile is defined %}
+    virt:
+      {%- if control.net_profile is defined %}
+      nic:
+        {%- for item_name, item in control.net_profile.iteritems() %}
+        {{ item_name }}:
+          {%- for iface_name, iface in item.iteritems() %}
+          {{ iface_name }}:
+            {%- if iface.bridge is defined %}
+            bridge: {{ iface.bridge }}
+            {%- endif %}
+            {%- if iface.network is defined %}
+            network: {{ iface.network }}
+            {%- endif %}
+            {%- if iface.model is defined %}
+            model: {{ iface.model }}
+            {%- endif %}
+          {%- endfor %}
+        {%- endfor %}
+      {%- endif %}
+      {%- if control.disk_profile is defined %}
+      disk:
+        {%- for item_name, item in control.disk_profile.iteritems() %}
+        {{ item_name }}:
+          {%- for disk_name, disk in item.iteritems() %}
+          - {{ disk }}:
+              {%- if disk.size is defined %}
+              size: {{ disk.size }}
+              {%- endif %}
+          {%- endfor %}
+        {%- endfor %}
+      {%- endif %}
+    {%- endif %}
+    virt.images: /var/lib/libvirt/images
+  {%- endif %}
+
+{#-
+  vim: syntax=jinja
+-#}

salt/minion/ca.sls

 include:
 - salt.minion.service
 
-/etc/salt/minion.d/_pki.conf:
-  file.managed:
-  - source: salt://salt/files/_pki.conf
-  - template: jinja
-  - require:
-    - {{ minion.install_state }}
-  {%- if not grains.get('noservices', False) %}
-  - watch_in:
-    - service: salt_minion_service
-  {%- endif %}
-
 {%- for ca_name,ca in minion.ca.iteritems() %}
 
 /etc/pki/ca/{{ ca_name }}/certs:

salt/minion/grains.sls

   - require:
     - file: salt_minion_grains_dir
 
-salt_minion_grains_pkg_validity_check:
-  pkg.installed:
-  - pkgs: {{ minion.grains_validity_pkgs }}
-
 {%- for service_name, service in pillar.items() %}
   {%- set support_fragment_file = service_name+'/meta/salt.yml' %}
   {%- macro load_support_file() %}{% include support_fragment_file ignore missing %}{% endmacro %}
   {%- set support_yaml = load_support_file()|load_yaml %}
 
-  {%- if support_yaml %}
+  {%- if support_yaml and support_yaml.get('grain', {}) %}
     {%- for name, grain in support_yaml.get('grain', {}).iteritems() %}
 salt_minion_grain_{{ service_name }}_{{ name }}:
   file.managed:
 salt_minion_grain_{{ service_name }}_{{ name }}_validity_check:
   cmd.wait:
     - name: python -c "import yaml; stream = file('/etc/salt/grains.d/{{ name }}', 'r'); yaml.load(stream); stream.close()"
-    - require:
-      - pkg: salt_minion_grains_pkg_validity_check
     - watch:
       - file: salt_minion_grain_{{ service_name }}_{{ name }}
     - watch_in:

salt/minion/service.sls

     - service: salt_minion_service
   {%- endif %}
 
+{%- for service_name, service in pillar.items() %}
+    {%- set support_fragment_file = service_name+'/meta/salt.yml' %}
+    {%- macro load_support_file() %}{% include support_fragment_file ignore missing %}{% endmacro %}
+    {%- set support_yaml = load_support_file()|load_yaml %}
+
+    {%- if support_yaml and support_yaml.get('minion', {}) %}
+      {%- for name, conf in support_yaml.get('minion', {}).iteritems() %}
+salt_minion_config_{{ service_name }}_{{ name }}:
+  file.managed:
+    - name: /etc/salt/minion.d/_{{ name }}.conf
+    - contents: |
+        {{ conf|yaml(False)|indent(8) }}
+    - require:
+      - {{ minion.install_state }}
+
+salt_minion_config_{{ service_name }}_{{ name }}_validity_check:
+  cmd.wait:
+    - name: python -c "import yaml; stream = file('/etc/salt/minion.d/_{{ name }}.conf', 'r'); yaml.load(stream); stream.close()"
+    - watch:
+      - file: salt_minion_config_{{ service_name }}_{{ name }}
+        {%- if not grains.get('noservices', False) %}
+    - watch_in:
+      - service: salt_minion_service
+        {%- endif %}
+      {%- endfor %}
+    {%- endif %}
+{%- endfor %}
+
 {%- if not grains.get('noservices', False) %}
 salt_minion_service:
   service.running: