Publish CA certificates

If you use certificates issued by Certificate Authorities (CAs) that the operating system does not recognize in its trust store, you must publish the CA certificates to the nodes.

To publish CA certificates:

  1. Open your project Git repository with the Reclass model on the cluster level.

  2. Create the /infra/ssl/init.yml file. The following configuration is an example:

    parameters:
      linux:
        system:
          ca_certificates:
            ca-salt_master_ca: |
              -----BEGIN CERTIFICATE-----
              MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
              ...
              YqQO
              -----END CERTIFICATE-----
            ca-salt_master_ca_old: |
              -----BEGIN CERTIFICATE-----
              MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
              ...
              WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
              -----END CERTIFICATE-----
    
  3. To publish the certificates on all nodes managed by Salt, update /infra/init.yml by adding the newly created class:

    classes:
    - cluster.<cluster_name>.infra.ssl
    
  4. To publish the certificates on a specific node, update /infra/config.yml. For example:

    parameters:
      reclass:
        storage:
          node:
            openstack_control_node01:
              classes:
              - cluster.${_param:cluster_name}.openstack.ssl
    
  5. Log in to the Salt Master node.

  6. Update the Reclass storage:

    salt-call state.sls reclass.storage -l debug
    
  7. Apply the linux.system state on all nodes:

    salt \* state.sls linux.system.certificate -l debug
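A CA published this way becomes trusted on every node that applies the class, so it is worth checking what you paste into step 2 before committing it. The following Python script is an added example, not part of the MCP documentation or of the linux formula: it extracts each PEM block from the step 2 layout, checks that it decodes to DER, and compares its SHA-256 fingerprint with a value you obtained out of band. The sample model, its placeholder certificate bytes and the expected-fingerprint dictionary are constructed for illustration.

```python
# Added example (not MCP or salt-formula-linux code): audit the CA certificates
# declared in /infra/ssl/init.yml before committing them. Each PEM must decode
# to DER, and its SHA-256 fingerprint must match one obtained out of band.
import base64, hashlib, re

# "key: |" block scalar followed by lines indented deeper than the key itself.
BLOCK_SCALAR_RE = re.compile(r"^( *)([A-Za-z0-9_.-]+): \|[ \t]*\n((?:\1 +.*\n)+)", re.M)
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample in the step 2 layout; "MAMCAQE=" is a 5-byte DER
# SEQUENCE placeholder, not a real certificate.
SAMPLE_MODEL = """\
parameters:
  linux:
    system:
      ca_certificates:
        ca-salt_master_ca: |
          -----BEGIN CERTIFICATE-----
          MAMCAQE=
          -----END CERTIFICATE-----
"""

def extract_ca_certificates(yaml_text):
    """Return {name: pem} for every block scalar holding a complete PEM block."""
    certs = {}
    for _indent, name, body in BLOCK_SCALAR_RE.findall(yaml_text):
        if PEM_RE.search(body):
            certs[name] = "\n".join(line.strip() for line in body.splitlines()) + "\n"
    return certs

def pem_to_der(pem):
    """Decode one PEM body; reject data that is not even a DER SEQUENCE."""
    der = base64.b64decode("".join(PEM_RE.search(pem).group(1).split()), validate=True)
    if not der.startswith(b"\x30"):  # an X.509 Certificate is a DER SEQUENCE
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der

def sha256_fingerprint(der):  # same form as `openssl x509 -noout -fingerprint -sha256`
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def audit(yaml_text, expected):
    """Map each name to (fingerprint, verdict): ok, MISMATCH, UNEXPECTED or ERROR."""
    report = {}
    for name, pem in extract_ca_certificates(yaml_text).items():
        try:
            fp = sha256_fingerprint(pem_to_der(pem))
        except ValueError as exc:  # binascii.Error (bad base64) is a ValueError subclass
            report[name] = (None, f"ERROR: {exc}")
            continue
        want = expected.get(name)
        report[name] = (fp, "ok" if want == fp else "UNEXPECTED" if want is None else "MISMATCH")
    return report
```

The fingerprint has the same form as the output of `openssl x509 -in <file> -noout -fingerprint -sha256`, so the same value can be compared against the certificate installed on a node after step 7.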