Enable trust anchor injection

This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856

1 files changed, 17 insertions, 0 deletions

diff --git a/puppet/extraconfig/tls/no-ca.yaml b/puppet/extraconfig/tls/no-ca.yaml
new file mode 100644
index 00000000..5862a85c
--- /dev/null
+++ b/puppet/extraconfig/tls/no-ca.yaml
@@ -0,0 +1,17 @@
+heat_template_version: 2015-04-30
+
+description: >
+  This is a default no-op template which can be passed to the
+  OS::Nova::Server resources. This template can be replaced with
+  a different implementation via the resource registry, such that
+  deployers may customize their configuration.
+
+parameters:
+  server:    # Here for compatibility with controller.yaml
+    description: ID of the controller node to apply this config to
+    type: string
+
+outputs:
+  deploy_stdout:
+    description: Deployment reference, used to trigger puppet apply on changes
+    value: 'Root CA cert injection not enabled.'