Publish CA certificates¶

If you use certificates issued by Certificate Authorities that are not recognized by an operating system, you must publish them.

To publish CA certificates:

1. Open your project Git repository with the Reclass model on the cluster level.

2. Create the /infra/ssl/init.yml file with the following configuration as an example:

   parameters:
     linux:
       system:
         ca_certificates:
           ca-salt_master_ca: |
             -----BEGIN CERTIFICATE-----
             MIIGXzCCBEegAwIBAgIDEUB0MA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
             ...
             YqQO
             -----END CERTIFICATE-----
           ca-salt_master_ca_old: |
             -----BEGIN CERTIFICATE-----
             MIIFgDCCA2igAwIBAgIDET0sMA0GCSqGSIb3DQEBCwUAMFkxEzARBgoJkiaJk/Is
             ...
             WzUuf8H9dBW2DPtk5Jq/+QWtYMs=
             -----END CERTIFICATE-----
   

3. To publish the certificates on all nodes managed by Salt, update /infra/init.yml by adding the newly created class:

   classes:
   - cluster.<cluster_name>.infra.ssl
   

4. To publish the certificates on a specific node, update /infra/config.yml. For example:

   parameters:
     reclass:
       storage:
         node:
           openstack_control_node01:
             classes:
             - cluster.${_param:cluster_name}.openstack.ssl
   

5. Log in to the Salt Master node.

6. Update the Reclass storage:

   salt-call state.sls reclass.storage -l debug
   

7. Apply the linux.system state on all nodes:

   salt \* state.sls linux.system.certificate -l debug