Make default pki directory configurable

The files in /etc/salt/pki are not configuration files in the sense
of the FHS ("local file used to control the operation of a program").
Debian wants to change the default location to /var/lib/salt/pki (to
properly follow FHS and to allow setting StateDirectory in the salt
master systemd configuration).

Therefore introduce a STATE_DIR syspaths variable which defaults to
CONFIG_DIR, but can be individually customized.

fixes saltstack#3396
Bug-Debian: https://bugs.debian.org/698898
Forwarded: saltstack#46277
Signed-off-by: Benjamin Drung <benjamin.drung@cloud.ionos.com>

salt/config/__init__.py

@@ -972,7 +972,7 @@ def _gather_buffer_space():
         "syndic_finger": "",
         "user": salt.utils.user.get_user(),
         "root_dir": salt.syspaths.ROOT_DIR,
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "minion"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "minion"),
         "id": "",
         "id_function": {},
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "minion"),
@@ -1262,7 +1262,7 @@ def _gather_buffer_space():
         "keep_jobs": 24,
         "archive_jobs": False,
         "root_dir": salt.syspaths.ROOT_DIR,
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "master"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "master"),
         "key_cache": "",
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "master"),
         "file_roots": {
@@ -1609,7 +1609,7 @@ def _gather_buffer_space():
         "proxy_always_alive": True,
         "proxy_keep_alive": True,  # by default will try to keep alive the connection
         "proxy_keep_alive_interval": 1,  # frequency of the proxy keepalive in minutes
-        "pki_dir": os.path.join(salt.syspaths.CONFIG_DIR, "pki", "proxy"),
+        "pki_dir": os.path.join(salt.syspaths.STATE_DIR, "pki", "proxy"),
         "cachedir": os.path.join(salt.syspaths.CACHE_DIR, "proxy"),
         "sock_dir": os.path.join(salt.syspaths.SOCK_DIR, "proxy"),
     }

salt/syspaths.py

@@ -42,6 +42,7 @@
     "SPM_PILLAR_PATH",
     "SPM_REACTOR_PATH",
     "SHARE_DIR",
+    "STATE_DIR",
 )
 
 try:
@@ -133,6 +134,10 @@
 if SRV_ROOT_DIR is None:
     SRV_ROOT_DIR = os.path.join(ROOT_DIR, "srv")
 
+STATE_DIR = __generated_syspaths.STATE_DIR
+if STATE_DIR is None:
+    STATE_DIR = CONFIG_DIR
+
 BASE_FILE_ROOTS_DIR = __generated_syspaths.BASE_FILE_ROOTS_DIR
 if BASE_FILE_ROOTS_DIR is None:
     BASE_FILE_ROOTS_DIR = os.path.join(SRV_ROOT_DIR, "salt")

setup.py

@@ -353,6 +353,7 @@ def run(self):
                 cache_dir=self.distribution.salt_cache_dir,
                 sock_dir=self.distribution.salt_sock_dir,
                 srv_root_dir=self.distribution.salt_srv_root_dir,
+                state_dir=self.distribution.salt_state_dir,
                 base_file_roots_dir=self.distribution.salt_base_file_roots_dir,
                 base_pillar_roots_dir=self.distribution.salt_base_pillar_roots_dir,
                 base_master_roots_dir=self.distribution.salt_base_master_roots_dir,
@@ -748,6 +749,7 @@ def finalize_options(self):
 CACHE_DIR = {cache_dir!r}
 SOCK_DIR = {sock_dir!r}
 SRV_ROOT_DIR= {srv_root_dir!r}
+STATE_DIR = {state_dir!r}
 BASE_FILE_ROOTS_DIR = {base_file_roots_dir!r}
 BASE_PILLAR_ROOTS_DIR = {base_pillar_roots_dir!r}
 BASE_MASTER_ROOTS_DIR = {base_master_roots_dir!r}
@@ -947,6 +949,11 @@ class SaltDistribution(distutils.dist.Distribution):
             ("salt-cache-dir=", None, "Salt's pre-configured cache directory"),
             ("salt-sock-dir=", None, "Salt's pre-configured socket directory"),
             ("salt-srv-root-dir=", None, "Salt's pre-configured service directory"),
+            (
+                "salt-state-dir=",
+                None,
+                "Salt's pre-configured variable state directory (used for storing pki data)",
+            ),
             (
                 "salt-base-file-roots-dir=",
                 None,
@@ -996,6 +1003,7 @@ def __init__(self, attrs=None):
         self.salt_cache_dir = None
         self.salt_sock_dir = None
         self.salt_srv_root_dir = None
+        self.salt_state_dir = None
         self.salt_base_file_roots_dir = None
         self.salt_base_thorium_roots_dir = None
         self.salt_base_pillar_roots_dir = None