Automating Salt-Minion Installation

I have to setup a new salt configuration. For minion setup I want to devise an approach. I came up with this.

Make entry of the new minion in /etc/salt/roster file so that I can use salt-ssh.
Run a salt formula to install salt-minion on this new minion.
Generate minion fingerprint with salt-call key.finger --local on the minion and somehow(still figuring) get it to master and maintain it in some file till the minion actually tries to connect.
When the minion actually tries to connect to the master, master makes sure about the minion identity with the stored fingerprint and then accepts the key.

Once this is done salt state can then bring the minion up to its desired state.

The manual chores associated with this:

I'll have to do manual entries viz. minion-id, IP and user in the /etc/salt/roster file for every new minion that I want up.

Other than this I can't figure any drawbacks.

My questions are:

Is this approach feasible?
Are there any security risks?
Is a better approach already out there ?

P.S. Master and minions may or may not be on public network.

Solution

There is salt-cloud to provision new nodes. This includes among others a provider saltify that will use SSH for the provisioning. See here for the online documentation. It will do the following all in one step:

create a new set of keys for the minion
register the minion's key with the master
connect to the minion using SSH and bootstrap the minion with salt and the minion's keys

If you want the minions to verify the master's key once they connect, you can publish a certificate to the minions and sign the master's key with the certificate like described here. Please double-check if saltify already supports this.

Some time ago I have prepared a salt-cloud setup that works both with DigitalOcean and with Vagrant on my Github account. The Vagrant provisioning uses salt-cloud with saltify. Have a look at the included cheatsheet.adoc for the Vagrant commands.