
Howto create a Concatenation/Combined CA file using salt? #58571

Open
ghost opened this issue Sep 28, 2020 · 3 comments
Labels: Bug (broken, incorrect, or confusing behavior), severity-medium (3rd level, incorrect or bad functionality, confusing and lacks a work around)
Comments


ghost commented Sep 28, 2020

I would like to have the following a bit cleaner: I'm trying to create a concatenated CA file using Salt.
To accomplish this I first have to collect all glusterfs.pem files from all my minions into the salt-master minion cache and then output all glusterfs.pem into a single CA file (glusterfs.ca) on the salt-master, to later on enroll them again on all minions.
Actually my solution is working, but it's simply out of the salt context and looks crappy to me. I'm new to salt, I never worked with reactors or so, and I was hoping to find some help (preferably with an example if possible) around here.

This is my current situation only using states:

glusterfs/init.sls (only runs on minions)

```yaml
# Each minion generates its own key and a self-signed CA certificate,
# then installs the combined CA bundle that the master builds.
/etc/ssl/glusterfs.key:
  x509.private_key_managed:
    - order: 9
    - bits: 2048
    - name: /etc/ssl/glusterfs.key

/etc/ssl/glusterfs.pem:
  x509.certificate_managed:
    - order: 10
    - signing_private_key: /etc/ssl/glusterfs.key   # signed with its own key: self-signed
    - CN: {{ grains.id }}
    - C: UA
    - ST: Unavailable
    - L: Unavailable
    - basicConstraints: "critical CA:true"
    - keyUsage: "critical cRLSign, keyCertSign"
    - subjectKeyIdentifier: hash
    - authorityKeyIdentifier: keyid,issuer:always
    - days_valid: 3650
    - days_remaining: 0

# The bundle is served from the master's file_roots (/srv/salt/glusterfs/).
/etc/ssl/glusterfs.ca:
  file:
    - order: 11
    - managed
    - source: salt://glusterfs/glusterfs.ca
```

ca.sls (only runs on salt-master):

```yaml
# Pull every minion's glusterfs.pem into the master cache
# (/var/cache/salt/master/minions/<id>/files/etc/ssl/glusterfs.pem).
# cp.push must be enabled (file_recv: True) in the master config.
collect_glusterfs_certs:
  cmd.run:
    - order: 1
    - name: salt -C 'not salt' cp.push /etc/ssl/glusterfs.pem

# Concatenate everything found in the cache into the bundle served by file_roots.
# Note: the onlyif uses brace expansion ({master*,worker*}), which needs bash
# rather than /bin/sh, and `test ! -e` only accepts a single path.
concatenation_glusterfs_certs:
  cmd.run:
    - order: 2
    - onlyif: 'test ! -e /var/cache/salt/master/minions/{master*,worker*}/files/etc/ssl/glusterfs.pem && test ! -e /srv/salt/glusterfs/glusterfs.ca'
    - name: 'cat /var/cache/salt/master/minions/*/files/etc/ssl/glusterfs.pem > /srv/salt/glusterfs/glusterfs.ca'
```

So I basically first pull all glusterfs.pem to the local salt-master minion cache and afterwards create the concatenated glusterfs.ca file, which I then later on deploy onto all minions I previously collected the glusterfs.pem file from ...
Is there maybe a better way to get this done? Currently I also have the problem that my very first enrolment fails, as
/etc/ssl/glusterfs.pem might not be present at that moment.

Thanks in advance
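An added example (not from the issue or from Salt itself) of what the `cat` step in ca.sls could do instead, run on the master over the cp.push cache: each pushed file must be exactly one PEM CERTIFICATE block, an identical certificate pushed by two ids goes into the bundle once, and minions whose file is missing or invalid (the first-enrolment case above) are reported rather than silently producing a short bundle. The cache layout and file name are the ones from the issue; the minion ids and certificate bodies are constructed placeholders.

```python
import base64
import re
import tempfile
from pathlib import Path

# cp.push leaves each minion's file under <cachedir>/minions/<minion-id>/ (path from the issue)
PUSHED_REL_PATH = Path("files/etc/ssl/glusterfs.pem")
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+?)\n-----END CERTIFICATE-----")

def extract_cert(text):
    """Single CERTIFICATE block re-wrapped at 64 cols, or None if empty, not PEM, several blocks or bad base64."""
    blocks = PEM_CERT_RE.findall(text)
    if len(blocks) != 1:
        return None
    body = "".join(blocks[0].split())
    try:
        base64.b64decode(body, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def build_ca_bundle(cache_root, expected_minions):
    """One cert per expected minion, in id order -> (bundle_text, included_ids, {id: "missing"|"invalid"})."""
    included, problems, seen, parts = [], {}, set(), []
    for minion_id in sorted(expected_minions):
        pem = Path(cache_root) / minion_id / PUSHED_REL_PATH
        if not pem.is_file():               # not pushed yet, e.g. the very first enrolment
            problems[minion_id] = "missing"
        elif (cert := extract_cert(pem.read_text())) is None:
            problems[minion_id] = "invalid"
        elif cert not in seen:              # the same cert pushed by two ids goes in once
            seen.add(cert)
            parts.append(cert)
            included.append(minion_id)
    return "".join(parts), included, problems

def run_demo():
    """Constructed cache tree (placeholder bodies, not real certs): 2 good, 1 duplicate, 1 key, 1 never pushed."""
    def fake_cert(seed):
        return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(seed.encode() * 20).decode()
    files = {"master1": fake_cert("master1"), "worker1": fake_cert("worker1"),
             "worker2": fake_cert("worker1"),  # same cert as worker1
             "worker3": "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"}
    with tempfile.TemporaryDirectory() as root:
        for minion_id, content in files.items():
            path = Path(root) / minion_id / PUSHED_REL_PATH
            path.parent.mkdir(parents=True)
            path.write_text(content)
        return build_ca_bundle(root, list(files) + ["worker4"])
```

On a real master the expected minion list would come from the accepted keys (for example `salt-key -L`) and the result would be written to /srv/salt/glusterfs/glusterfs.ca only when `problems` is empty.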


welcome bot commented Sep 28, 2020

Hi there! Welcome to the Salt Community! Thank you for making your first contribution. We have a lengthy process for issues and PRs. Someone from the Core Team will follow up as soon as possible. In the meantime, here’s some information that may help as you continue your Salt journey.
Please be sure to review our Code of Conduct. Also, check out some of our community resources including:

There are lots of ways to get involved in our community. Every month, there are around a dozen opportunities to meet with other contributors and the Salt Core team and collaborate in real time. The best way to keep track is by subscribing to the Salt Community Events Calendar.
If you have additional questions, email us at [email protected] or reach out directly to the Community Manager, Cassandra Faris via Slack. We’re glad you’ve joined our community and look forward to doing awesome things with you!

sagetherage added the labels Question (The issue is more of a question rather than a bug or a feature request) and needs-triage on Sep 28, 2020

OrangeDog (Contributor) commented:

I think it's broken: #58481

@sagetherage sagetherage assigned dwoz and unassigned DmitryKuzmenko Oct 1, 2020
sagetherage added the labels Bug (broken, incorrect, or confusing behavior) and severity-medium (3rd level, incorrect or bad functionality, confusing and lacks a work around) and removed Question (The issue is more of a question rather than a bug or a feature request) and needs-triage on Nov 12, 2020

sagetherage (Contributor) commented:

Might be related and this bug may need more for the combination #58482

@sagetherage sagetherage added this to the Approved milestone Nov 12, 2020