During my adventures with Salt Stack, I wanted to accept keys automatically on the master. However, I wanted to do this more intelligently than just accepting all of them.
To solve this, I threw together a quick script that would accept keys of salt-minions that were in an approved subnet. I use incrontab to watch the minions_pre directory for new keys to be created. It then fires off the
Here is the logical flow of the script:
- Accept the key temporarily.
- Tell the minion to sync its grains.
- Pull the IPv4 info from grains.
- Check if any of the IPs are in the allowed
- If allowed: trigger
- If denied: move key to rejected list.

Bear in mind that the ipv4 grain is reported by the minion itself, so this filter keeps honest hosts on the wrong network out; it does not stop a host that lies about its address, and the minion is fully trusted during the window between the temporary accept and the reject.
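As an added example (not the author's script, whose source lives in the linked repo), here is the flow above written in Python so the subnet check can be tested without a running master. It assumes the salt-key -y and -a flags, saltutil.sync_grains, grains.get ipv4 with --out=json, the default pki_dir /etc/salt/pki/master, and an ALLOWED_SUBNETS list chosen for illustration; the minion id argument is the file name incron would hand the script.

```python
#!/usr/bin/env python3
"""Subnet-gated acceptance of pending salt-minion keys.

Added example, not the post's own script. Assumes the salt-key -y/-a flags,
saltutil.sync_grains, `grains.get ipv4 --out=json`, the default pki_dir
/etc/salt/pki/master, and an ALLOWED_SUBNETS list chosen for illustration.
"""
import ipaddress
import json
import os
import subprocess
import sys

# Assumed allow-list: replace with the subnets you actually trust.
ALLOWED_SUBNETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]
# Assumed default master pki_dir; accepted, pending and rejected keys live in
# the minions, minions_pre and minions_rejected directories beneath it.
PKI_DIR = "/etc/salt/pki/master"


def run(cmd):
    """Run one CLI command and return its stdout; raise on non-zero exit."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_ipv4_grains(json_text, minion_id):
    """Parse `salt <id> grains.get ipv4 --out=json`, whose output looks like
    {"<id>": ["127.0.0.1", "10.1.2.3"]}. Anything that is not a valid IPv4
    address string is dropped rather than matched."""
    raw = json.loads(json_text).get(minion_id) or []
    if isinstance(raw, str):        # a single-address grain is a bare string
        raw = [raw]
    ips = []
    for value in raw:
        if not isinstance(value, str):
            continue
        try:
            ips.append(ipaddress.IPv4Address(value))
        except ValueError:          # covers AddressValueError too
            continue
    return ips


def in_allowed_subnet(ips, allowed=ALLOWED_SUBNETS):
    """True if any reported address falls inside any allowed network.
    127.0.0.1 only matches if you deliberately allow 127.0.0.0/8."""
    return any(ip in net for ip in ips for net in allowed)


def decide(minion_id, json_text, allowed=ALLOWED_SUBNETS):
    """Return 'accept' or 'reject' for a minion from its raw grains JSON."""
    ips = parse_ipv4_grains(json_text, minion_id)
    return "accept" if in_allowed_subnet(ips, allowed) else "reject"


def reject_accepted_key(minion_id, pki_dir=PKI_DIR):
    """Move an already-accepted key into minions_rejected. salt-key does not
    move keys between accepted and rejected, so this is a plain file move."""
    src = os.path.join(pki_dir, "minions", minion_id)
    dst = os.path.join(pki_dir, "minions_rejected", minion_id)
    os.replace(src, dst)
    return dst


def process_key(minion_id, runner=run, reject=reject_accepted_key,
                allowed=ALLOWED_SUBNETS):
    """The post's flow: accept temporarily, sync grains, read ipv4, then keep
    or reject. Returns the decision so the caller (or a test) can check it."""
    runner(["salt-key", "-y", "-a", minion_id])
    runner(["salt", minion_id, "saltutil.sync_grains"])
    out = runner(["salt", minion_id, "grains.get", "ipv4", "--out=json"])
    verdict = decide(minion_id, out, allowed)
    if verdict == "reject":
        reject(minion_id)
    return verdict


if __name__ == "__main__":
    # incron hands the script the new file's name, which is the minion id.
    print(process_key(sys.argv[1]))
```

The command runner and the reject step are passed in as callables so the decision logic can be exercised with canned grains output and a throwaway directory; the real run uses subprocess and a file move under pki_dir. Anything the grain returns that is not a parseable IPv4 string is ignored rather than matched, so a malformed or empty grain falls through to reject.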
To get a key off the rejected list and onto the accepted list, move the file with mv from the shell, because salt-key won't move keys between accepted and rejected. Keys are stored under the master's pki_dir (by default /etc/salt/pki/master), with accepted, pending and rejected keys in its minions, minions_pre and minions_rejected subdirectories, each file named after its minion id.
If you want to know how to use it, check out the readme.
If you have issues with it, please use the issue tracker.
General questions and comments can be made here and I’ll get to them as I can.
Tested on: Debian Squeeze