feat(templates): don't get openssh pillars in templates

We pass the pillars via the template engine context, this avoid the
need to load `map.jinja` from the templates themselves and recude the
number of `pillar.get` calls.

* openssh/config.sls (sshd_config): pass `sshd_config` in the
  context.
  (ssh_config): pass `ssh_config` in the context.

* openssh/files/default/ssh_config: remove `map.jinja` import since
  it's now in the context.

* openssh/files/default/sshd_config: ditoo.

* openssh/known_hosts.sls: pass `known_hosts` in the context.

* openssh/files/default/ssh_known_hosts: use `known_hosts` from the
  context instead of calling `pillar.get` several times.

BREAKING CHANGE: Minimum Salt version support is now `2019.2` in line
with official upstream support; also use of the `traverse` Jinja filter.

openssh/config.sls

@@ -16,6 +16,8 @@ sshd_config:
                                     'sshd_config'
               ) }}
     - template: jinja
+    - context:
+        sshd_config: {{ sshd_config }}
     - user: {{ openssh.sshd_config_user }}
     - group: {{ openssh.sshd_config_group }}
     - mode: {{ openssh.sshd_config_mode }}
@@ -37,6 +39,8 @@ ssh_config:
                                     'ssh_config'
               ) }}
     - template: jinja
+    - context:
+        ssh_config: {{ ssh_config }}
     - user: {{ openssh.ssh_config_user }}
     - group: {{ openssh.ssh_config_group }}
     - mode: {{ openssh.ssh_config_mode }}

openssh/files/default/ssh_config

@@ -1,5 +1,3 @@
-{% from "openssh/map.jinja" import ssh_config with context %}
-
 {#- present in ssh_config and known in actual file options -#}
 {%- set processed_options = [] -%}
 {%- set string_or_list_options = ['KexAlgorithms', 'Ciphers', 'MACs'] -%}

openssh/files/default/ssh_known_hosts

@@ -55,20 +55,20 @@
 {%- endmacro -%}
 
 {#- Pre-fetch pillar data #}
-{%- set target = salt['pillar.get']('openssh:known_hosts:target', "*.{}".format(grains['domain'])) -%}
-{%- set tgt_type = salt['pillar.get']('openssh:known_hosts:tgt_type', 'glob') -%}
-{%- set keys_function = salt['pillar.get']('openssh:known_hosts:mine_keys_function', 'public_ssh_host_keys') -%}
-{%- set hostname_function = salt['pillar.get']('openssh:known_hosts:mine_hostname_function', 'public_ssh_hostname') -%}
-{%- set use_hostnames = salt['pillar.get']('openssh:known_hosts:hostnames', False) -%}
+{%- set target = known_hosts | traverse('target', "*.{}".format(grains['domain'])) -%}
+{%- set tgt_type = known_hosts | traverse('tgt_type', 'glob') -%}
+{%- set keys_function = known_hosts | traverse('mine_keys_function', 'public_ssh_host_keys') -%}
+{%- set hostname_function = known_hosts | traverse('mine_hostname_function', 'public_ssh_hostname') -%}
+{%- set use_hostnames = known_hosts | traverse('hostnames', False) -%}
 {%- set hostnames_target_default = '*' if grains['domain'] == '' else "*.{}".format(grains['domain']) -%}
-{%- set hostnames_target = salt['pillar.get']('openssh:known_hosts:hostnames:target', hostnames_target_default) -%}
-{%- set hostnames_tgt_type = salt['pillar.get']('openssh:known_hosts:hostnames:tgt_type', 'glob') -%}
-{%- set include_localhost = salt['pillar.get']('openssh:known_hosts:include_localhost', False) -%}
-{%- set omit_ip_address = salt['pillar.get']('openssh:known_hosts:omit_ip_address', []) -%}
+{%- set hostnames_target = known_hosts | traverse('hostnames:target', hostnames_target_default) -%}
+{%- set hostnames_tgt_type = known_hosts | traverse('hostnames:tgt_type', 'glob') -%}
+{%- set include_localhost = known_hosts | traverse('include_localhost', False) -%}
+{%- set omit_ip_address = known_hosts | traverse('omit_ip_address', []) -%}
 
 {#- Lookup IP of all aliases so that when we have a matching IP, we inject the alias name
     in the SSH known_hosts entry -#}
-{%- set aliases = salt['pillar.get']('openssh:known_hosts:aliases', []) -%}
+{%- set aliases = known_hosts | traverse('aliases', []) -%}
 {%- set aliases_ips = {} -%}
 {%- for alias in aliases -%}
   {%- for ip in salt['dig.A'](alias) + salt['dig.AAAA'](alias) -%}
@@ -81,26 +81,21 @@
 {%- set host_names = salt['mine.get'](target, hostname_function, tgt_type=tgt_type) -%}
 
 {#- Salt SSH (if any) #}
-{%- for minion_id, minion_host_keys in salt['pillar.get'](
-  'openssh:known_hosts:salt_ssh:public_ssh_host_keys',
-  {}
-).items() -%}
+{%- set public_ssh_host_keys = known_hosts | traverse('salt_ssh:public_ssh_host_keys', {}) %}
+{%- for minion_id, minion_host_keys in public_ssh_host_keys.items() -%}
 {%-   if salt["match.{}".format(tgt_type)](target, minion_id=minion_id) -%}
 {%      do host_keys.update({minion_id: minion_host_keys}) %}
 {%-   endif -%}
 {%- endfor -%}
-{%- for minion_id, minion_host_names in salt['pillar.get'](
-  'openssh:known_hosts:salt_ssh:public_ssh_host_names',
-  {}
-).items() -%}
+{%- set public_ssh_host_names = known_hosts | traverse('salt_ssh:public_ssh_host_names', {}) %}
+{%- for minion_id, minion_host_names in public_ssh_host_names.items() -%}
 {%-   if salt["match.{}".format(tgt_type)](target, minion_id=minion_id) -%}
 {%      do host_names.update({minion_id: minion_host_names}) %}
 {%-   endif -%}
 {%- endfor %}
 
 {#- Static Pillar data #}
-{%- do host_keys.update(salt['pillar.get']('openssh:known_hosts:static',
-    {}).items()) -%}
+{%- do host_keys.update(known_hosts | traverse('static', {})) -%}
 
 {#- Loop over targetted minions -#}
 {%- for host, keys in host_keys| dictsort -%}

openssh/files/default/sshd_config

@@ -1,4 +1,3 @@
-{% from "openssh/map.jinja" import sshd_config with context %}
 {#- present in sshd_config and known in actual file options -#}
 {%- set processed_options = [] -%}
 

openssh/known_hosts.sls

@@ -14,6 +14,8 @@ manage ssh_known_hosts file:
                                'manage ssh_known_hosts file'
               ) }}
     - template: jinja
+    - context:
+        known_hosts: {{ openssh | traverse("known_hosts", {}) }}
     - user: root
     - group: {{ openssh.ssh_config_group }}
     - mode: 644