Revert "Remove salt"

This reverts commit b149b2e5d7.

enroll/ansible_renderer/roles/managed_files.py

@@ -29,8 +29,8 @@ from ..yamlutil import _merge_mappings_overwrite, _yaml_load_mapping
 class AnsibleManagedFileRoleSpec:
     """Declarative managed-file singleton role rendering spec.
 
-    Puppet collects these singleton snapshots in a simple loop and feeds
-    each one through the same managed-content renderer. Ansible has more
+    Puppet and Salt collect these singleton snapshots in a simple loop and feed
+    each one through the same managed-content renderer.  Ansible has more
     layout concerns (defaults vs host_vars, optional JinjaTurtle templates,
     handlers), but the resource intent is the same, so keep the per-role
     differences in data rather than spelling out one branch per role.
@@ -246,7 +246,7 @@ def _render_managed_file_roles(
     manifest_plan: AnsibleManifestPlan,
     roles: Dict[str, Any],
 ) -> None:
-    """Render file-centric singleton roles in the same loop style as Puppet."""
+    """Render file-centric singleton roles in the same loop style as Puppet/Salt."""
 
     for spec in MANAGED_FILE_ROLE_SPECS:
         snapshot = roles.get(spec.key, {})

enroll/ansible_renderer/tasks.py

@@ -104,8 +104,8 @@ def _render_generic_files_tasks(
 def _render_install_packages_tasks(role: str, var_prefix: str) -> str:
     """Render package installation through Ansible's generic package provider.
 
-    Puppet uses provider-backed package resources instead of selecting
-    apt/dnf/yum in the generated manifest. Ansible's package module is the
+    Puppet and Salt use provider-backed package resources instead of selecting
+    apt/dnf/yum in the generated manifest.  Ansible's package module is the
     equivalent abstraction: it proxies to the target host's detected package
     manager and keeps generated roles provider-neutral.
     """

enroll/cli.py

@@ -310,13 +310,13 @@ def _encrypt_harvest_dir_to_sops(
 def _add_common_manifest_args(p: argparse.ArgumentParser) -> None:
     p.add_argument(
         "--target",
-        choices=["ansible", "puppet"],
+        choices=["ansible", "puppet", "salt"],
         default="ansible",
         help="Manifest target to generate (default: ansible).",
     )
     p.add_argument(
         "--fqdn",
-        help="Host FQDN/name for site-mode output (creates target-specific host inventory/data such as Ansible host_vars or Puppet Hiera).",
+        help="Host FQDN/name for site-mode output (creates target-specific host inventory/data such as Ansible host_vars, Puppet Hiera, or Salt pillar).",
     )
     p.add_argument(
         "--no-common-roles",

enroll/cm.py

@@ -12,7 +12,7 @@ class CMModule:
     """Renderer-neutral configuration-management resource group.
 
     A CMModule is intentionally small: it captures the resources that a target
-    renderer can turn into Ansible tasks, Puppet resources, etc.
+    renderer can turn into Ansible tasks, Puppet resources, Salt states, etc.
     The renderer may still decide how to name/include/order the group.
     """
 
@@ -249,8 +249,8 @@ def _drop_duplicate_mapping_items(
 def resolve_catalog_conflicts(modules: Iterable[CMModule]) -> None:
     """Resolve global catalog conflicts before renderer output.
 
-    Puppet compiles a single resource catalog. Ansible can tolerate the same
-    package, service, or parent directory appearing in more than one role;
+    Puppet and Salt compile a single resource catalog. Ansible can tolerate the
+    same package, service, or parent directory appearing in more than one role;
     catalog targets cannot. Resolve those conflicts in the shared model rather
     than deleting renderer output after the fact.
     """

enroll/manifest.py

@@ -9,6 +9,7 @@ from typing import List, Optional
 
 from .ansible import manifest_from_bundle_dir as manifest_ansible_from_bundle_dir
 from .puppet import manifest_from_bundle_dir as manifest_puppet_from_bundle_dir
+from .salt import manifest_from_bundle_dir as manifest_salt_from_bundle_dir
 from .remote import _safe_extract_tar
 from .sopsutil import (
     decrypt_file_binary_to,
@@ -190,7 +191,7 @@ def manifest(
       - In plain mode: None
     """
     target = (target or "ansible").strip().lower()
-    if target not in {"ansible", "puppet"}:
+    if target not in {"ansible", "puppet", "salt"}:
         raise ValueError(f"unsupported manifest target: {target!r}")
 
     sops_mode = bool(sops_fingerprints)
@@ -210,6 +211,13 @@ def manifest(
                     fqdn=fqdn,
                     no_common_roles=no_common_roles,
                 )
+            elif target == "salt":
+                manifest_salt_from_bundle_dir(
+                    resolved_bundle_dir,
+                    out,
+                    fqdn=fqdn,
+                    no_common_roles=no_common_roles,
+                )
             else:
                 manifest_ansible_from_bundle_dir(
                     resolved_bundle_dir,
@@ -238,6 +246,13 @@ def manifest(
                 fqdn=fqdn,
                 no_common_roles=no_common_roles,
             )
+        elif target == "salt":
+            manifest_salt_from_bundle_dir(
+                resolved_bundle_dir,
+                str(tmp_out),
+                fqdn=fqdn,
+                no_common_roles=no_common_roles,
+            )
         else:
             manifest_ansible_from_bundle_dir(
                 resolved_bundle_dir,