Currently, accepting the salt key for provisioned hosts doesn’t work for all operating systems:
- autosign_file is no longer possible because Foreman needs to write the autosign_file, but salt-master since v2018 ignores the file content if the access permissions are “too open”.
- The before_provision hook in Foreman only works if the request is exactly timed. For some operating systems (e.g. SLES) this doesn’t work in an acceptable way.
- Remove autosign_file and use autosign_grains instead: https://docs.saltstack.com/en/latest/topics/tutorials/autoaccept_grains.html#tutorial-autoaccept-grains
- smart_proxy_salt could write an autosign_grains/fqdn entry for each host, which will be cleaned up later once the host is available in salt-key. Cleanup can be done in e.g. foreman-node.
It would be great to have the opinions of other Salt users and discuss possible solutions.
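A sketch of the write-then-clean-up flow proposed above, as an added example that is not code from smart_proxy_salt or foreman-node. It assumes the master's `autosign_grains_dir` points at the grains directory, minions send the `fqdn` grain via `autosign_grains`, the minion id equals the FQDN, and accepted keys are stored one file per minion id; the function names are hypothetical.

```python
import os
import re
import tempfile
from pathlib import Path


def _read_entries(grain_file: Path) -> list[str]:
    """Return the non-empty, non-comment values listed in a grain file."""
    if not grain_file.exists():
        return []
    lines = (ln.strip() for ln in grain_file.read_text().splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def _write_entries(grain_file: Path, entries: list[str]) -> None:
    """Atomically rewrite the grain file, owner read/write only (our choice)."""
    grain_file.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=grain_file.parent)
    with os.fdopen(fd, "w") as fh:
        fh.write("".join(e + "\n" for e in entries))
    os.chmod(tmp, 0o600)
    os.replace(tmp, grain_file)


def allow_host(grains_dir: Path, fqdn: str) -> None:
    """Provisioning step: list the host's FQDN so its key is auto-accepted."""
    # Reject anything that could add extra lines or a comment marker.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", fqdn):
        raise ValueError(f"unexpected characters in FQDN: {fqdn!r}")
    grain_file = grains_dir / "fqdn"
    entries = _read_entries(grain_file)
    if fqdn not in entries:
        _write_entries(grain_file, entries + [fqdn])


def cleanup(grains_dir: Path, accepted_dir: Path) -> list[str]:
    """Drop entries whose key is already accepted; return what was removed.

    Grain values are reported by the minion itself, so an entry should only
    be honoured during the provisioning window and removed right after.
    """
    grain_file = grains_dir / "fqdn"
    entries = _read_entries(grain_file)
    accepted = {p.name for p in accepted_dir.iterdir()} if accepted_dir.is_dir() else set()
    removed = [e for e in entries if e in accepted]
    if removed:
        _write_entries(grain_file, [e for e in entries if e not in accepted])
    return removed
```

On a default Salt master the two directories would typically be `/etc/salt/autosign_grains` and `/etc/salt/pki/master/minions`; adjust them to the local configuration.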