
How to set up dynamic pillar data available to minions in a SaltStack deployment?


I want to set up the Salt pillar to make key-value pairs available to a particular instance in a dynamic way. It appears that ext_pillar (which can be used to generate key pairs dynamically) cannot restrict access to particular minions. In my scenario, minions can be destroyed and new ones can join automatically.

In this situation, one solution for my problem (which seems quite tedious and inefficient) is:

  1. When a new minion is accepted on the Salt Master, via a script, generate the private data for that minion, and create a YAML file with this information as key-value pairs in the salt pillar directory.
  2. Use a script to automatically edit the pillar top file to allow this minion access to the private data generated in the previous step.
  3. Refresh the pillar data on that minion.
  4. Access the private data on the minion.

I am hoping there is a better way to do the same thing. Any ideas?


Solution

  • ext_pillar allows you to return any data that you want. It is provided with the minion ID as well as the minion grains and other info. That allows you to decide what info to return from the ext_pillar. So you can, indeed, restrict access to data to particular minions.
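
An added example (not from the original answer or the Salt project) of an external pillar module that generates and returns private data per minion, so no top-file edits are needed when minions join. The module name `per_minion_secret`, the `store_dir` option and path, and the `private`/`api_token` keys are assumptions; it keys on `minion_id`, which the master ties to the accepted key, rather than on grains, which the minion reports itself.

```python
# Hypothetical module: <extension_modules>/pillar/per_minion_secret.py
# Enabled in the master config (constructed example):
#   ext_pillar:
#     - per_minion_secret:
#         store_dir: /srv/salt-private
import json
import os
import re
import secrets

# Conservative allow-list for ids used as file names (assumption of this example).
_SAFE_ID = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def _read(path):
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def _load_or_create(store_dir, minion_id):
    """Return this minion's private data, generating it on first request."""
    path = os.path.join(store_dir, minion_id + ".json")
    if os.path.exists(path):
        return _read(path)
    data = {"api_token": secrets.token_urlsafe(32)}
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    try:
        # O_EXCL: never overwrite an existing secret; 0600: master user only.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # A concurrent pillar compile created it first; use that copy.
        return _read(path)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    return data


def ext_pillar(minion_id, pillar, store_dir="/srv/salt-private"):
    """Salt calls this while compiling the pillar for one minion.

    The returned dict is merged into the pillar of minion_id only, so
    another minion never receives this minion's data.
    """
    if not _SAFE_ID.fullmatch(minion_id):
        return {}  # refuse ids that could escape store_dir
    return {"private": _load_or_create(store_dir, minion_id)}
```

After a pillar refresh, the minion reads its value with `pillar.get private:api_token`; removing a destroyed minion's file from `store_dir` retires its secret.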