If you use certificates issued by Certificate Authorities that are not recognized by an operating system, you must publish them.
To publish CA certificates:
Open your project Git repository with the Reclass model on the cluster level.
Create the /infra/ssl/init.yml file with the following configuration as an example:

    parameters:
      linux:
        system:
          ca_certificates:
            ca-salt_master_ca: |
              -----BEGIN CERTIFICATE-----
              MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
              ...
              YqQO
              -----END CERTIFICATE-----
            ca-salt_master_ca_old: |
              -----BEGIN CERTIFICATE-----
              MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
              ...
              WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
              -----END CERTIFICATE-----
To publish the certificates on all nodes managed by Salt, update /infra/init.yml by adding the newly created class:

    classes:
    - cluster.<cluster_name>.infra.ssl
To publish the certificates on a specific node only, update /infra/config.yml. For example:

    parameters:
      reclass:
        storage:
          node:
            openstack_control_node01:
              classes:
              - cluster.${_param:cluster_name}.openstack.ssl
Log in to the Salt Master node.
Update the Reclass storage:

    salt-call state.sls reclass.storage -l debug

Apply the linux.system.certificate state on all nodes:

    salt \* state.sls linux.system.certificate -l debug
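As an added example (not Mirantis or Salt code), a small Python check that can run before the ssl class is committed: it verifies that each ca_certificates entry is a single, well-framed PEM certificate whose name is safe to use as a file name, and returns the SHA-256 fingerprint of the DER body so it can be compared with what ends up on the nodes. The assumption that each key becomes a <name>.crt file, and the sample certificate body, are constructed here because the page's own certificates are truncated.

```python
"""Pre-commit check for a Reclass linux.system.ca_certificates map.

Assumption (not stated on the page): each key becomes a <name>.crt file in the
system CA directory on the nodes, so the key must be a safe file name and the
value must be exactly one PEM-framed certificate.
"""
import base64
import hashlib
import re
import ssl

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed sample: a minimal ASN.1 SEQUENCE stands in for a real CA
# certificate body (SEQUENCE { INTEGER 1 }); the page's examples are truncated.
_FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(_FAKE_DER).decode()
              + "-----END CERTIFICATE-----\n")

SAMPLE_CA_CERTIFICATES = {
    "ca-salt_master_ca": SAMPLE_PEM,
    "ca-salt_master_ca_old": SAMPLE_PEM,
}


def check_entry(name, pem):
    """Return (ok, detail). On success, detail is the colon-separated SHA-256
    fingerprint of the DER body, comparable with the output of
    `openssl x509 -noout -fingerprint -sha256` on a node after the state run."""
    if not NAME_RE.match(name):
        return False, "unsafe certificate name"
    if len(PEM_RE.findall(pem)) != 1:
        return False, "expected exactly one PEM CERTIFICATE block"
    try:
        der = ssl.PEM_cert_to_DER_cert(pem.strip())  # checks framing + base64
    except ValueError as exc:
        return False, "bad PEM framing or base64: %s" % exc
    if not der or der[0] != 0x30:
        return False, "DER body is not an ASN.1 SEQUENCE"
    digest = hashlib.sha256(der).hexdigest().upper()
    return True, ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_all(ca_certificates):
    """Map every entry name to its (ok, detail) result."""
    return {n: check_entry(n, p) for n, p in ca_certificates.items()}
```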