salt: x509 Certs Generation Fails

Description of Issue

When using x509.managed_certs with a specified minions attribute the globbing fails to match the minion correctly. It displays an error like:

hostname.net is not permitted to use signing policy signing-policy-name

Solution

https://github.com/oliverisaac/salt/commit/bd5b20ab705f619fbde2b0a734d5e0fd8b060856

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 4
  • Comments: 25 (15 by maintainers)

Most upvoted comments

@oliverisaac We’re facing the same issue here; is there a PR ready to merge for this? @garethgreenaway Any chance to see this fix in 3000.1?

I’m running into the same problem as described in this issue in my Salt 2019.2.2 setup. @oliverisaac’s patch seems to work perfectly!

I can’t easily describe our exact setup because it’s a nesting of a nesting of config/formulas. In short, we are using salt as the CA authority for our db clusters. When we try to generate the cert, we specify that the signing_policy is, for example: mysql-prod-*. Then, when our minion needs a cert, that signing_policy is globbed against the minion’s hostname. However, this happens on the salt master. So when the globbing happens, match.glob is called with a specific hostname.

If you look at the code in my commit linked above ( https://github.com/oliverisaac/salt/commit/bd5b20ab705f619fbde2b0a734d5e0fd8b060856#diff-889b4ad7294d8f45dfd1c3a87b9ba427L286-R314 ) you’ll see that if you call match.glob("mysql-*", minion_id="mysql-prod-01") while running on a minion with a non-matching hostname (e.g. salt01) then the function will fail.

Lines 302 and 307 both copy __opts__ into the local variable opts but then that local opts isn’t passed onto the final matchers function. Instead the original __opts__ is passed.
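The defect described in the last two comments, shown as an added stand-alone illustration (this is not Salt’s code): a minimal glob matcher where the minion_id override is written into a local copy of the master’s opts, but the matcher is then handed the original opts, so the override is lost and the signing-policy check denies a minion that should match. MASTER_OPTS, glob_match, glob_buggy, glob_fixed and check_signing_policy are all constructed names for this example.

```python
import copy
import fnmatch

# Constructed stand-in for the Salt master's __opts__ (the process doing the
# matching is the master, so its own id is the master's hostname).
MASTER_OPTS = {"id": "salt01"}


def glob_match(tgt, opts):
    """Stand-in for the glob matcher: does opts['id'] match the glob tgt?"""
    return fnmatch.fnmatch(opts["id"], tgt)


def glob_buggy(tgt, minion_id=None):
    """Mirrors the defect: minion_id is applied to a local copy 'opts', but the
    matcher is called with the original MASTER_OPTS, so the master's own id
    (salt01) is tested against the policy glob instead of the requesting minion."""
    opts = copy.copy(MASTER_OPTS)
    if minion_id is not None:
        opts["id"] = minion_id
    return glob_match(tgt, MASTER_OPTS)  # bug: should pass the local 'opts'


def glob_fixed(tgt, minion_id=None):
    """Same logic, with the local copy actually forwarded to the matcher."""
    opts = copy.copy(MASTER_OPTS)
    if minion_id is not None:
        opts["id"] = minion_id
    return glob_match(tgt, opts)


def check_signing_policy(matcher, policy_name, policy_minions, requesting_minion):
    """Stand-in for the x509 signing-policy 'minions' check. Returns None when the
    requesting minion matches the policy glob, otherwise an error string shaped
    like the one quoted in the issue."""
    if matcher(policy_minions, minion_id=requesting_minion):
        return None
    return "{} is not permitted to use signing policy {}".format(
        requesting_minion, policy_name
    )


if __name__ == "__main__":
    for name, fn in (("buggy", glob_buggy), ("fixed", glob_fixed)):
        print(name, check_signing_policy(fn, "mysql-prod", "mysql-prod-*", "mysql-prod-01"))
```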