Salt Stack - salt-key-accepter

2013, Sep 21

During my adventures with Salt Stack, I wanted to accept keys automatically on the master. However, I wanted to do this more intelligently than just accepting all of them.

To solve this, I threw together a quick script that would accept keys of salt-minions that were in an approved subnet. I use incrontab to watch the minions_pre directory for new keys to be created. It then fires off the salt-key-accepter script.

Here is the logical flow of the script:

  • Accept the key temporarily.
  • Tell the minion to sync its grains.
  • Pull the IPv4 info from grains.
  • Check if any of the IPs are in the allowed_ip_cidrs list.
  • If allowed: trigger state.highstate.
  • If denied: move the key to the rejected list.
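The decision step of the flow above (IPv4 grains checked against allowed_ip_cidrs), as an added example that is not the original salt-key-accepter script; the salt-key and highstate calls around it are assumed to wrap the `decide` function, and the CIDRs and grains shown are constructed samples.

```python
"""Decide whether a newly seen minion key should be accepted, based on the
IPv4 addresses the minion reports in its grains (added example, not the
post's own script). Only the decision step is shown; the salt-key accept /
reject and state.highstate calls are assumed to surround it.
"""
import ipaddress

# Constructed sample config: subnets from which minions may auto-enrol.
ALLOWED_IP_CIDRS = ["10.20.0.0/16", "192.168.50.0/24"]


def allowed_networks(cidrs):
    """Parse the CIDR list once; strict=False tolerates host bits being set."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_allowed(ipv4_grain, cidrs):
    """True if any minion-reported IPv4 address lies inside an allowed CIDR.

    Loopback and unparsable entries are skipped: every minion reports
    127.0.0.1, so it must never count as a match even if 127.0.0.0/8 is
    accidentally listed.
    """
    nets = allowed_networks(cidrs)
    for raw in ipv4_grain or []:
        try:
            addr = ipaddress.IPv4Address(raw)
        except (ipaddress.AddressValueError, ValueError):
            continue  # malformed grain value, ignore it
        if addr.is_loopback:
            continue
        if any(addr in net for net in nets):
            return True
    return False


def decide(minion_id, grains, cidrs=ALLOWED_IP_CIDRS):
    """Map the minion's grains to the two outcomes in the post's flow.

    Returns (minion_id, "highstate") when allowed, (minion_id, "reject")
    otherwise. Grains are reported by the minion itself, so this is an
    enrolment convenience filter, not a check of who holds the key.
    """
    ipv4 = grains.get("ipv4", []) if isinstance(grains, dict) else []
    return (minion_id, "highstate" if is_allowed(ipv4, cidrs) else "reject")


if __name__ == "__main__":
    # Constructed sample grains, shaped like the `ipv4` grain Salt returns.
    sample = {"ipv4": ["127.0.0.1", "10.20.3.7"]}
    print(decide("web01", sample))  # ('web01', 'highstate')
```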

To move a key from the rejected list back into the accepted list, you need to use the mv command, because salt-key won't move keys between accepted and rejected. Keys are stored in the pki_dir.

If you want to know how to use it, check out the readme.

If you have issues with it, please use the issue tracker.

General questions and comments can be made here and I’ll get to them as I can.

Tested on: Debian Squeeze