Enable trust anchor injection

This commit enables the injection of a trust anchor or root
certificate into every node in the overcloud. This is in case that the
TLS certificates for the controllers are signed with a self-signed CA
or if the deployer would like to inject a relevant root certificate
for other purposes. In this case the other nodes might need to have
the root certificate in their trust chain in order to do proper
validation

Change-Id: Ia45180fe0bb979cf12d19f039dbfd22e26fb4856

1 files changed, 9 insertions, 1 deletions

diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml
index 19a7c7a3..b1746dcb 100644
--- a/puppet/swift-storage.yaml
+++ b/puppet/swift-storage.yaml
@@ -218,10 +218,17 @@ resources:
         enable_package_upgrade: {get_attr: [UpdateDeployment, update_managed_packages]}
         swift_management_network: {get_attr: [NetIpMap, net_ip_map, {get_param: [ServiceNetMap, SwiftMgmtNetwork]}]}
 
+  # Resource for site-specific injection of root certificate
+  NodeTLSCAData:
+    depends_on: SwiftStorageHieraDeploy
+    type: OS::TripleO::NodeTLSCAData
+    properties:
+      server: {get_resource: SwiftStorage}
+
   # Hook for site-specific additional pre-deployment config,
   # applying to all nodes, e.g node registration/unregistration
   NodeExtraConfig:
-    depends_on: SwiftStorageHieraDeploy
+    depends_on: NodeTLSCAData
     type: OS::TripleO::NodeExtraConfig
     properties:
         server: {get_resource: SwiftStorage}
@@ -272,4 +279,5 @@ outputs:
       list_join:
         - ','
         - - {get_attr: [SwiftStorageHieraDeploy, deploy_stdout]}
+          - {get_attr: [NodeTLSCAData, deploy_stdout]}
           - {get_param: UpdateIdentifier}