Enable trust anchor injection

This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856

9 files changed, 136 insertions, 6 deletions

diff --git a/environments/inject-trust-anchor.yaml b/environments/inject-trust-anchor.yaml
new file mode 100644
index 00000000..3ecb0d27
--- /dev/null
+++ b/environments/inject-trust-anchor.yaml
@@ -0,0 +1,6 @@
+parameter_defaults:
+  SSLRootCertificate: |
+    The contents of your root CA certificate go here
+
+resource_registry:
+  OS::TripleO::NodeTLSCAData: ../puppet/extraconfig/tls/ca-inject.yaml
diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index bf1cc25c..18824ace 100644
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -33,6 +33,7 @@ resource_registry:
   # NodeExtraConfig == All nodes configuration pre service deployment
   # NodeExtraConfigPost == All nodes configuration post service deployment
   OS::TripleO::NodeUserData: firstboot/userdata_default.yaml
+  OS::TripleO::NodeTLSCAData: puppet/extraconfig/tls/no-ca.yaml
   OS::TripleO::NodeTLSData: puppet/extraconfig/tls/no-tls.yaml
   OS::TripleO::ControllerExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
   OS::TripleO::ComputeExtraConfigPre: puppet/extraconfig/pre_deploy/default.yaml
diff --git a/puppet/ceph-storage.yaml b/puppet/ceph-storage.yaml
index 0bf0fde4..7d36b46c 100644
--- a/puppet/ceph-storage.yaml
+++ b/puppet/ceph-storage.yaml
@@ -176,6 +176,13 @@ resources:
                 ceph::profile::params::cluster_network: {get_input: ceph_cluster_network}
                 ceph::profile::params::public_network: {get_input: ceph_public_network}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: CephStorageDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: CephStorage}
+
   # Hook for site-specific additional pre-deployment config, e.g extra hieradata
   CephStorageExtraConfigPre:
     depends_on: CephStorageDeployment
@@ -186,7 +193,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: CephStorageExtraConfigPre
+    depends_on: [CephStorageExtraConfigPre, NodeTLSCAData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: CephStorage}
@@ -227,5 +234,6 @@ outputs:
       list_join:
       - ','
       - - {get_attr: [CephStorageDeployment, deploy_stdout]}
+        - {get_attr: [NodeTLSCAData, deploy_stdout]}
         - {get_attr: [CephStorageExtraConfigPre, deploy_stdout]}
         - {get_param: UpdateIdentifier}
diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml
index b500e43b..19d5bb51 100644
--- a/puppet/cinder-storage.yaml
+++ b/puppet/cinder-storage.yaml
@@ -257,10 +257,17 @@ resources:
                 snmpd_readonly_user_name: {get_input: snmpd_readonly_user_name}
                 snmpd_readonly_user_password: {get_input: snmpd_readonly_user_password}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: BlockStorageDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: BlockStorage}
+
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: BlockStorageDeployment
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: BlockStorage}
@@ -304,4 +311,5 @@ outputs:
       list_join:
         - ''
         - - {get_attr: [BlockStorageDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_param: UpdateIdentifier}
diff --git a/puppet/compute.yaml b/puppet/compute.yaml
index 6ae39132..1d16a254 100644
--- a/puppet/compute.yaml
+++ b/puppet/compute.yaml
@@ -540,6 +540,13 @@ resources:
         enable_package_install: {get_param: EnablePackageInstall}
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NovaComputeDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: NovaCompute}
+
   # Hook for site-specific additional pre-deployment config, e.g extra hieradata
   ComputeExtraConfigPre:
     depends_on: NovaComputeDeployment
@@ -550,7 +557,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ComputeExtraConfigPre
+    depends_on: [ComputeExtraConfigPre, NodeTLSCAData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: NovaCompute}
@@ -602,5 +609,6 @@ outputs:
       list_join:
       - ','
       - - {get_attr: [NovaComputeDeployment, deploy_stdout]}
+        - {get_attr: [NodeTLSCAData, deploy_stdout]}
         - {get_attr: [ComputeExtraConfigPre, deploy_stdout]}
         - {get_param: UpdateIdentifier}
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index e6289219..81fa6c11 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -701,9 +701,16 @@ resources:
         bridge_name: br-ex
         interface_name: {get_param: NeutronPublicInterface}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: NetworkDeployment
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: Controller}
+
   # Hook for site-specific passing of private keys/certificates
   NodeTLSData:
-    depends_on: NetworkDeployment
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeTLSData
     properties:
       server: {get_resource: Controller}
@@ -1305,7 +1312,7 @@ resources:
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: ControllerExtraConfigPre
+    depends_on: [ControllerExtraConfigPre, NodeTLSData]
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: Controller}
@@ -1385,6 +1392,7 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [ControllerDeployment, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_attr: [NodeTLSData, deploy_stdout]}
           - {get_attr: [ControllerExtraConfigPre, deploy_stdout]}
           - {get_param: UpdateIdentifier}
diff --git a/puppet/extraconfig/tls/ca-inject.yaml b/puppet/extraconfig/tls/ca-inject.yaml
new file mode 100644
index 00000000..7e34f071
--- /dev/null
+++ b/puppet/extraconfig/tls/ca-inject.yaml
@@ -0,0 +1,66 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a template which will inject the trusted anchor.
+
+parameters:
+  # Can be overriden via parameter_defaults in the environment
+  SSLRootCertificate:
+    description: >
+      The content of a CA's SSL certificate file in PEM format.
+      This is evaluated on the client side.
+    type: string
+  SSLRootCertificatePath:
+    default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
+    description: >
+      The filepath of the root certificate as it will be stored in the nodes.
+      Note that the path has to be one that can be picked up by the update
+      trust anchor command. e.g. in RHEL it would be
+      /etc/pki/ca-trust/source/anchors/ca.crt.pem
+    type: string
+  UpdateTrustAnchorsCommand:
+    default: update-ca-trust extract
+    description: >
+        command that will be executed to update the trust anchors.
+    type: string
+
+  # Passed in by controller.yaml
+  server:
+    description: ID of the node to apply this config to
+    type: string
+
+resources:
+  CAConfig:
+    type: OS::Heat::SoftwareConfig
+    properties:
+      group: script
+      inputs:
+        - name: cacert_path
+        - name: cacert_content
+        - name: update_anchor_command
+      outputs:
+        - name: root_cert_md5sum
+      config: |
+        #!/bin/sh
+        cat > ${cacert_path} << EOF
+        ${cacert_content}
+        EOF
+        chmod 0440 ${cacert_path}
+        chown root:root ${cacert_path}
+        ${update_anchor_command}
+        md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum
+
+  CADeployment:
+    type: OS::Heat::SoftwareDeployment
+    properties:
+      config: {get_resource: CAConfig}
+      server: {get_param: server}
+      input_values:
+        cacert_path: {get_param: SSLRootCertificatePath}
+        cacert_content: {get_param: SSLRootCertificate}
+        update_anchor_command: {get_param: UpdateTrustAnchorsCommand}
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference
+    value: {get_attr: [CADeployment, root_cert_md5sum]}
diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template which can be passed to the
+  OS::Nova::Server resources. This template can be replaced with
+  a different implementation via the resource registry, such that
+  deployers may customize their configuration.
+
+parameters:
+  server:    # Here for compatibility with controller.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'Root CA cert injection not enabled.'
diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml
index 19a7c7a3..b1746dcb 100644
--- a/puppet/swift-storage.yaml
+++ b/puppet/swift-storage.yaml
@@ -218,10 +218,17 @@ resources:
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
         swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: SwiftStorageHieraDeploy
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: SwiftStorage}
+
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: SwiftStorageHieraDeploy
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: SwiftStorage}
@@ -272,4 +279,5 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_param: UpdateIdentifier}