At the moment, wmf-reimage relies on having a local salt master to add the key of a specific server to the salt ring of trust. This isn't possible anymore now that the salt master is on a different server from the puppet master.
I have had a few ideas:
- Create a simple script running on neodymium that just looks at the unaccepted keys locally, checks the puppet master for accepted certs with the same name, and, if there is one, signs the salt key
- Use some keyholder mechanism to allow wmf-reimage to connect to neodymium (but this is highly suboptimal)
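
A sketch of the matching logic in the first idea, as an added example that is not part of the original task or of wmf-reimage. It assumes the pending keys come from `salt-key --list=unaccepted --out=json` and that a `puppet cert list --all` listing from the puppet master is already available on the salt master (how it gets there is not specified here); the host names and fingerprints are constructed.

```python
import json
import re

# Constructed sample inputs (not taken from any real host).
SALT_KEY_JSON = '{"minions_pre": ["db1001.example.org", "mw1002.example.org", "../evil"]}'
PUPPET_CERT_LIST = '''\
+ "db1001.example.org" (SHA256) AA:BB:CC
  "mw1002.example.org" (SHA256) DD:EE:FF
- "old1003.example.org" (SHA256) 11:22:33 (certificate revoked)
'''

# Only plain lower-case FQDNs are ever considered; anything else is ignored.
FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
# Assumed listing format: "+" = signed, no prefix = pending request, "-" = revoked.
CERT_LINE = re.compile(r'^(?P<state>[+-]?)\s*"(?P<name>[^"]+)"')


def pending_salt_keys(salt_json):
    """Minion ids whose salt keys are waiting for acceptance."""
    return set(json.loads(salt_json).get("minions_pre", []))


def signed_puppet_certs(listing):
    """Names with a signed (not pending, not revoked) puppet certificate."""
    signed = set()
    for line in listing.splitlines():
        m = CERT_LINE.match(line)
        if m and m.group("state") == "+":
            signed.add(m.group("name"))
    return signed


def keys_to_accept(salt_json, listing):
    """Pending salt keys whose exact name also has a signed puppet cert."""
    signed = signed_puppet_certs(listing)
    pending = pending_salt_keys(salt_json)
    return sorted(n for n in pending if FQDN.match(n) and n in signed)


def accept_commands(names):
    """argv lists (no shell) that would accept each key on the salt master."""
    return [["salt-key", "--yes", "--accept", n] for n in names]


if __name__ == "__main__":
    for cmd in accept_commands(keys_to_accept(SALT_KEY_JSON, PUPPET_CERT_LIST)):
        print(" ".join(cmd))  # dry run: print instead of executing
```

The match is on the name only, so it does not by itself show that the salt key and the puppet certificate belong to the same machine.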