salt.master: configure publisher_acl

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2023-01-22 15:33:30 +01:00 · 2023-01-22 15:33:30 +01:00 · 5668bcc4e4
commit 5668bcc4e4
parent 4f633d8d4e
2 changed files with 13 additions and 0 deletions
--- a/pillar/role/salt/master.sls
+++ b/pillar/role/salt/master.sls
@ -60,3 +60,4 @@ salt:
    syndic_user: ${'secret_salt:master:syndic_user'}
    cache.redis.unix_socket_path: ${'secret_salt:master:cache.redis.unix_socket_path'}
    cache.redis.password: ${'secret_salt:master:cache.redis.password'}
+    publisher_acl: ${'secret_salt:master:publisher_acl'}
--- a/salt/profile/salt/master.sls
+++ b/salt/profile/salt/master.sls
@ -101,3 +101,15 @@ salt_redis_service_start:
      - pkg: redis
    - watch:
      - file: {{ redis_config }}
+
+{%- if pillar['secret_salt'] is defined %}
+admin_salt_membership:
+  group.present:
+    - name: salt
+    - addusers:
+      {%- for user in pillar['secret_salt']['master']['publisher_acl'] %}
+      - {{ user }}
+      {%- endfor %}
+    - require:
+      - pkg: salt-master
+{%- endif %}