Add deployment of CAs via hieradata

This enables us to pass a map of CAs to deploy the CA certificates
using puppet and hiera instead of the bash script we were using. It
also gives us the feature that we will be able to deploy several CA
certificates on the nodes instead of just one as was the case before.

Change-Id: I9559487874b80aeb093cc2fa2cfa7c0479d5a8b2
Depends-On: I84273b4cd6576a63fa78dc93ad6b077dd2a780c7

4 files changed, 49 insertions, 0 deletions

diff --git a/environments/inject-trust-anchor-hiera.yaml b/environments/inject-trust-anchor-hiera.yaml
new file mode 100644
index 00000000..b4908c1b
--- /dev/null
+++ b/environments/inject-trust-anchor-hiera.yaml
@@ -0,0 +1,8 @@
+parameter_defaults:
+  CAMap:
+    first-ca-name:
+      content: |
+        The content of the CA cert goes here
+    second-ca-name:
+      content: |
+        The content of the CA cert goes here
diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index 817ff2c8..81cc4f89 100644
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -130,6 +130,7 @@ resource_registry:
 
   # services
   OS::TripleO::Services: puppet/services/services.yaml
+  OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
   OS::TripleO::Services::CephMon: OS::Heat::None
   OS::TripleO::Services::CephOSD: OS::Heat::None
   OS::TripleO::Services::CephClient: OS::Heat::None
diff --git a/overcloud.yaml b/overcloud.yaml
index a4f8fee1..92b83f2b 100644
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -109,6 +109,7 @@ parameters:
 
   ControllerServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephMon
       - OS::TripleO::Services::CephExternal
       - OS::TripleO::Services::CinderApi
@@ -179,6 +180,7 @@ parameters:
 
   ComputeServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephClient
       - OS::TripleO::Services::CephExternal
       - OS::TripleO::Services::Timezone
@@ -211,6 +213,7 @@ parameters:
     type: json
   BlockStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CinderVolume
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp
@@ -235,6 +238,7 @@ parameters:
     type: json
   ObjectStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp
       - OS::TripleO::Services::SwiftStorage
@@ -262,6 +266,7 @@ parameters:
     type: json
   CephStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephOSD
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp
diff --git a/puppet/services/ca-certs.yaml b/puppet/services/ca-certs.yaml
new file mode 100644
index 00000000..1a534156
--- /dev/null
+++ b/puppet/services/ca-certs.yaml
@@ -0,0 +1,35 @@
+heat_template_version: 2016-04-08
+
+description: >
+  HAproxy service configured with Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  CAMap:
+    description: >
+      Map containing the CA certs and information needed for deploying them.
+    default: {}
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for injecting CA certificates.
+    value:
+      service_name: ca_certs
+      config_settings:
+        tripleo::trusted_cas::ca_map: {get_param: CAMap}
+      step_config: |
+        include ::tripleo::trusted_cas