Salt Stack - salt-key-accepter
During my adventures with Salt Stack, I wanted to accept keys automatically on the master. However, I wanted to do this more intelligently than just accepting all of them.
To solve this, I threw together a quick script that would accept keys of salt-minions that were in an approved subnet. I use incrontab to watch the minions_pre directory for new keys to be created. It then fires off the salt-key-accepter script.
Here is the logical flow of the script:
- Accept the key temporarily.
- Tell the minion to sync its grains.
- Pull the IPv4 info from the grains.
- Check if any of the IPs are in the allowed_ip_cidrs list.
- If allowed: trigger state.highstate.
- If denied: move the key to the rejected list.
To get a key off the rejected list and into the approved list, you need to use the bash mv command, because salt-key won't move keys between accepted and rejected. Keys are stored in the pki_dir.
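The flow above, including the mv workaround for the rejected list, written out as an added example in Python. This is not the original salt-key-accepter script; it assumes the salt and salt-key CLIs are on the master's PATH, that the pki_dir is /etc/salt/pki/master, and uses constructed placeholder subnets for allowed_ip_cidrs.

```python
import ipaddress
import json
import os
import subprocess
import sys

# Allowed subnets and pki_dir are constructed placeholders; adjust for your master.
ALLOWED_IP_CIDRS = ["10.20.0.0/16", "192.168.50.0/24"]
PKI_DIR = "/etc/salt/pki/master"

def minion_is_allowed(ipv4_addrs, allowed_cidrs=ALLOWED_IP_CIDRS):
    """True if any reported IPv4 address lies inside an allowed CIDR.
    Loopback is skipped because every minion reports 127.0.0.1."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    for addr in ipv4_addrs:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed grain value, ignore it
        if not ip.is_loopback and any(ip in n for n in nets):
            return True
    return False

def run_cli(args):
    """Run a command on the master and return its stdout (raises on failure)."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout

def process_key(minion_id, run=run_cli, pki_dir=PKI_DIR):
    """Accept, inspect, then keep or reject one pending minion key.
    Returns 'accepted' or 'rejected'; `run` is injectable for testing."""
    # the id arrives from incron as a file name, so refuse anything path-like
    if not minion_id or os.sep in minion_id or minion_id in (".", ".."):
        raise ValueError("refusing to handle key file name: %r" % minion_id)
    run(["salt-key", "-y", "-a", minion_id])            # accept temporarily
    run(["salt", minion_id, "saltutil.sync_grains"])    # tell the minion to sync grains
    out = run(["salt", "--out=json", "--static", minion_id, "grains.item", "ipv4"])
    ipv4 = json.loads(out).get(minion_id, {}).get("ipv4", [])
    # grains are self-reported by the minion, so this is a sanity filter,
    # not a substitute for network-level controls on who can reach the master
    if minion_is_allowed(ipv4):
        run(["salt", minion_id, "state.highstate"])
        return "accepted"
    # salt-key will not move an accepted key to rejected, so move the file itself
    run(["mv", os.path.join(pki_dir, "minions", minion_id),
         os.path.join(pki_dir, "minions_rejected", minion_id)])
    return "rejected"

if __name__ == "__main__":
    print(process_key(sys.argv[1]))
```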
If you want to know how to use it, check out the readme.
If you have issues with it, please use the issue tracker.
General questions and comments can be made here and I’ll get to them as I can.
Tested on: Debian Squeeze