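{% import 'globals.jinja' as globals -%}
# Salt x509 signing policies for the deployment CA. Both policies sign with
# the same CA key and certificate and keep a copy of every issued
# certificate under copypath.
# Comments in this file deliberately avoid Jinja delimiters, because the
# template engine renders the file before YAML comments are recognised.
x509_signing_policies:
  # Client certificates (extendedKeyUsage clientAuth only).
  # NOTE(review): this policy has no minions matcher, unlike
  # deployment_server below. Confirm that every minion able to reach the
  # signing host is meant to obtain a clientAuth certificate from this CA;
  # if not, add a matcher here.
  deployment_client:
    - signing_private_key: /data/admin/pki/deployment/ca.key
    - signing_cert: /data/admin/pki/deployment/ca.crt
    - copypath: /data/admin/pki/deployment/issued_certs
    - prepend_cn: true
    - days_valid: 90
    # Leaf certificates only: this policy must never issue a CA.
    - basicConstraints: "critical CA:false"
    # digitalSignature added. A TLS client proves possession of its key by
    # signing the handshake, and TLS 1.3 requires this bit whenever keyUsage
    # is present. keyEncipherment is kept for RSA key transport.
    - keyUsage: "critical digitalSignature, keyEncipherment"
    - extendedKeyUsage: "clientAuth"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    # Extra subject attributes come from pillar. Each value goes through the
    # json filter so that it reaches the YAML parser as a typed, quoted
    # scalar: a bare country code such as NO would otherwise load as a
    # boolean, and a value containing a colon-space or space-hash would
    # break or truncate the entry.
    # NOTE(review): an attribute name that repeats a key above appears twice
    # in the list; which entry wins depends on the signing module, so keep
    # this pillar key limited to subject fields.
    {%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
    - {{ attr }}: {{ value | json }}
    {%- endfor %}
  # Server certificates (serverAuth plus clientAuth), restricted to the
  # admin hosts listed in globals.jinja.
  deployment_server:
    # NOTE(review): rendered unquoted. An empty admin_hosts list yields a
    # null matcher; confirm the signing side rejects that instead of
    # treating it as unrestricted.
    - minions: {{ ','.join(globals.admin_hosts) }}
    - signing_private_key: /data/admin/pki/deployment/ca.key
    - signing_cert: /data/admin/pki/deployment/ca.crt
    - copypath: /data/admin/pki/deployment/issued_certs
    - prepend_cn: true
    - days_valid: 90
    - basicConstraints: "critical CA:false"
    # digitalSignature added: (EC)DHE cipher suites and TLS 1.3 need it on
    # the server certificate. With keyEncipherment alone, strict TLS stacks
    # can only use RSA key transport, which has no forward secrecy.
    - keyUsage: "critical digitalSignature, keyEncipherment"
    - extendedKeyUsage: "serverAuth,clientAuth"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    # Same pillar-driven subject attributes as deployment_client, emitted
    # through the json filter for the same reason.
    {%- for attr, value in pillar['global']['certificate_attributes']['deployment'].items() %}
    - {{ attr }}: {{ value | json }}
    {%- endfor %}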