ssl: Add support for a CA Certificate

Add SSLCACertificate to the overcloud yaml.

This allows a CA certificate to be specified in cases where the Cert
does not come from a CA in the system bundle.

Partially implements: blueprint tripleo-ssl-overcloud

Full set of blueprint changes:

https://review.openstack.org/#/c/85098
https://review.openstack.org/#/c/85099
https://review.openstack.org/#/c/85100

Change-Id: I67d7c1362df323762023be5c74fbe75b1583570c

2 files changed, 7 insertions, 0 deletions

diff --git a/overcloud-source.yaml b/overcloud-source.yaml
index cf1eecda..f3bf1540 100644
--- a/overcloud-source.yaml
+++ b/overcloud-source.yaml
@@ -587,6 +587,7 @@ Resources:
       input_values:
         ssl_certificate: {Ref: SSLCertificate}
         ssl_key: {Ref: SSLKey}
+        ssl_ca_certificate: {Ref: SSLCACertificate}
   controller0Passthrough:
     Type: OS::Heat::StructuredDeployment
     Properties:
diff --git a/ssl-source.yaml b/ssl-source.yaml
index c3edbe75..1d6ac246 100644
--- a/ssl-source.yaml
+++ b/ssl-source.yaml
@@ -10,6 +10,10 @@ Parameters:
     Description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
     Type: String
     NoEcho: true
+  SSLCACertificate:
+    Default: ''
+    Description: If set, the contents of an SSL certificate authority file.
+    Type: String
 Resources:
   SSLConfig:
     Type: OS::Heat::StructuredConfig
@@ -21,6 +25,8 @@ Resources:
             get_input: ssl_certificate
           key:
             get_input: ssl_key
+          cacert:
+            get_input: ssl_ca_certificate
           ports:
            - name: 'ec2'
              accept: 13773