On 05/10/2023 15:54, Laura Smith via linux-fai wrote:
It's been a while since I worked with Salt, but IIRC it sounds like what is not 
"clicking" is that you need to fix the TOFU problem.

Actually there are 2 distinct problems:
- pass the pubkey from the minion to FAI during the install (possibly in an authenticated way)
- authorize that key in Salt from FAI

Looking back through my notes, it seems 
https://docs.saltproject.io/en/latest/topics/tutorials/multimaster_pki.html
might be worth a read.

I don't understand. In my scenario, FAI is not a Salt master. And I don't see how making it one could help. It would only double the burden.

In particular, maybe "master_sign_pubkey: True" on the Salt master, 
"verify_master_pubkey_sign: True" on the minion, and the master pubkeys put in 
"/etc/salt/pki/minion/" on the minions.
Then on Salt master all you have to do is approve the new connections as they 
come online.

I'd have to approve on *both* masters. :(

--
Diego Zuccato
DIFA - Dip. di Fisica e Astronomia
Servizi Informatici
Alma Mater Studiorum - Università di Bologna
V.le Berti-Pichat 6/2 - 40127 Bologna - Italy
tel.: +39 051 20 95786
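The two problems listed above (get the minion's key out of the install, then authorize exactly that key on the master) can both be closed without blind TOFU acceptance if FAI records the minion's key fingerprint and the master compares it before approving. The script below is an added example written for this thread, not code from the thread, from FAI or from the Salt project. It assumes the FAI install step ran `salt-call --local key.finger` on the new minion and wrote `<minion_id> <fingerprint>` lines to a file (the path `/var/lib/fai/minion-fingerprints` is hypothetical), and that `salt-key` is available where the script runs. Only `accept_if_matching` touches Salt; the helpers work on plain text so they can be checked with constructed `salt-key -f` output.

```shell
#!/bin/sh
# Added example, not from the thread or the Salt project: accept a minion key
# only when the fingerprint the master sees matches what FAI recorded during
# the install, instead of approving whatever key shows up (TOFU).
# Assumptions: FAI stored "<minion_id> <fingerprint>" lines (from
# `salt-call --local key.finger` on the minion) in EXPECTED_FILE, a
# hypothetical path; `salt-key` is on PATH here.
set -eu

EXPECTED_FILE="${EXPECTED_FILE:-/var/lib/fai/minion-fingerprints}"  # hypothetical path

# Normalise a fingerprint: lower-case hex, no surrounding whitespace.
norm_fp() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | tr -d ' \t\r\n'
}

# Extract the fingerprint for one minion id from `salt-key -f <id>` output on
# stdin. Lines look like "  minion1:  aa:bb:...", under a "... Keys:" header.
fp_from_saltkey_output() {
    awk -v id="$1" '$1 == (id ":") { print $NF; exit }'
}

# Look up the fingerprint FAI recorded for this minion id.
expected_fp() {
    awk -v id="$1" '$1 == id { print $2; exit }' "$EXPECTED_FILE"
}

# Return 0 when both fingerprints are non-empty and equal, 1 otherwise.
# An empty expected value means FAI never recorded the host, so refuse.
fp_matches() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Compare the key the master sees with the one FAI recorded; accept on match.
accept_if_matching() {
    id="$1"
    seen=$(salt-key -f "$id" | fp_from_saltkey_output "$id")
    want=$(expected_fp "$id")
    if fp_matches "$want" "$seen"; then
        salt-key -a "$id" -y
    else
        echo "fingerprint mismatch for $id: expected '$want', saw '$seen'" >&2
        return 1
    fi
}

# Usage (on the master, after FAI has written the record): accept_if_matching minion1
```

With two masters the same record can be checked on each, so the approval is still done twice but no longer depends on trusting the first key that connects.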
