@renoirb
Created November 27, 2013 18:36
Separating a secret pillar repository, and spreading SSL certificates among hosts.
```yaml
## in /etc/salt/master.d/pillars.conf
# Two pillar roots: the public one and the private (secret) repository.
# Salt merges both trees, so secret files can stay out of the main pillar repo.
pillar_roots:
  base:
    - /srv/pillar
    - /srv/private/pillar

## In /srv/pillar/top.sls
base:
  'db*':
    - backup
    - rsync.shares
    - rsync.backup
    - monitor.db
    - mysql
  'db1*':
    - mysql.db1  # Each db host has its own file that way

## In /srv/private/pillar/mysql/init.sls
mysql:
  ssl:
    ca-cert.pem: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
    ca-key.pem: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
{% if grains['host'] == 'db8' %}
    # Only the host named db8 receives its server certificate.
    server.pem: |
      -----BEGIN CERTIFICATE-----
      ...
      -----END CERTIFICATE-----
{% endif %}

## In /srv/salt/mysql/certificates.sls:
/etc/mysql/certs:
  file.directory:  # a directory, so file.directory rather than file.managed
    - user: mysql
    - group: mysql
    - mode: '750'

# The PEM blocks span several lines, so contents_pillar is used instead of
# interpolating pillar.get() into "contents", which would produce invalid YAML.
{% if salt['pillar.get']('mysql:ssl:server.pem') %}
/etc/mysql/server.pem:
  file.managed:
    - user: mysql
    - group: mysql
    - mode: '640'
    - contents_pillar: mysql:ssl:server.pem
{% endif %}

/etc/mysql/ca-key.pem:
  file.managed:
    - user: mysql
    - group: mysql
    - mode: '640'
    - contents_pillar: mysql:ssl:ca-key.pem

/etc/mysql/ca-cert.pem:
  file.managed:
    - user: mysql
    - group: mysql
    - mode: '640'
    - contents_pillar: mysql:ssl:ca-cert.pem
```
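The layout above only protects the key material if nothing PEM-shaped ever lands in the public root and the managed key files stay closed to other users. As an added example (not part of the gist), the following Python implements the two checks a pre-commit hook on the public pillar repository could run; the file names, regexes and sample data are constructed for this illustration.

```python
"""Pre-commit style checks for the split-pillar layout above (added example, not from the gist):
no PEM private key may live in the public pillar root, and no key file may be world-readable."""

import os
import re

PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")
TARGET_RE = re.compile(r"^(/\S+):\s*$")  # a state ID that is a filesystem path
MODE_RE = re.compile(r"^\s*-\s*mode:\s*['\"]?(\d{3,4})['\"]?\s*$")


def private_key_hits(files):
    """files: iterable of (name, text). Return sorted (name, line_no) for each private key header."""
    hits = []
    for name, text in files:
        for lineno, line in enumerate(text.splitlines(), 1):
            if PRIVATE_KEY_RE.search(line):
                hits.append((name, lineno))
    return sorted(hits)


def read_tree(root):
    """Yield (relative path, text) for every file under root, e.g. read_tree('/srv/pillar')."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                yield os.path.relpath(path, root), fh.read()


def weak_key_modes(sls_text):
    """Return managed paths whose name contains 'key' and whose mode has any bits set for 'other'."""
    weak, current = [], None
    for line in sls_text.splitlines():
        if m := TARGET_RE.match(line):
            current = m.group(1)
        elif (m := MODE_RE.match(line)) and current and "key" in os.path.basename(current):
            if int(m.group(1)[-1]) != 0:
                weak.append(current)
    return weak


# Constructed sample: a CA key mistakenly placed in the public pillar root, plus a too-open state.
LEAKED_PUBLIC_PILLAR = {
    "top.sls": "base:\n  'db*':\n    - mysql\n",
    "mysql/init.sls": "mysql:\n  ssl:\n    ca-key.pem: |\n      -----BEGIN RSA PRIVATE KEY-----\n      ...\n",
}
OPEN_STATE_SLS = "/etc/mysql/ca-key.pem:\n  file.managed:\n    - user: mysql\n    - mode: 644\n"
```

In a hook you would call `private_key_hits(read_tree('/srv/pillar'))` and fail the commit on any hit; the gist's own mode of 640 for ca-key.pem passes `weak_key_modes`, while 644 is reported.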
renoirb commented Dec 1, 2013

I made a better version here: https://gist.github.com/renoirb/7728455
