authorBen Nemec <bnemec@redhat.com>2017-05-16 16:06:41 -0500
committerBen Nemec <bnemec@redhat.com>2017-06-12 15:02:50 -0500
commit204a5820995dd694fcd58d61fc6cf34a8955da92 (patch)
tree5eab4d0af9aeed49453d3c9fbd714ede882ed296 /sample-env-generator/ssl.yaml
parent8d086b171099f0a968f1fdd1b39706ec64a52f56 (diff)
Add nested sample environments for inject-trust-anchor
Fix a bug that prevented these from working. A unit test and documentation for the nested environment functionality are also included. Change-Id: I2d4aeb584eb624178d601cfd6bc0a6473cb5289f
Diffstat (limited to 'sample-env-generator/ssl.yaml')
-rw-r--r--sample-env-generator/ssl.yaml33
1 files changed, 33 insertions, 0 deletions
diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml
index 2f379f30..6963e842 100644
--- a/sample-env-generator/ssl.yaml
+++ b/sample-env-generator/ssl.yaml
@@ -22,6 +22,39 @@ environments:
The contents of the private key go here
resource_registry:
OS::TripleO::NodeTLSData: ../../puppet/extraconfig/tls/tls-cert-inject.yaml
+ - name: ssl/inject-trust-anchor
+ title: Inject SSL Trust Anchor on Overcloud Nodes
+ description: |
+ When using an SSL certificate signed by a CA that is not in the default
+ list of CAs, this environment allows adding a custom CA certificate to
+ the overcloud nodes.
+ files:
+ puppet/extraconfig/tls/ca-inject.yaml:
+ parameters:
+ - SSLRootCertificate
+ sample_values:
+ SSLRootCertificate: |-
+ |
+ The contents of your certificate go here
+ resource_registry:
+ OS::TripleO::NodeTLSCAData: ../../puppet/extraconfig/tls/ca-inject.yaml
+ children:
+ - name: ssl/inject-trust-anchor-hiera
+ files:
+ puppet/services/ca-certs.yaml:
+ parameters:
+ - CAMap
+ # Need to clear this so we don't inherit the parent registry
+ resource_registry: {}
+ sample_values:
+ CAMap: |-2
+
+ first-ca-name:
+ content: |
+ The content of the CA cert goes here
+ second-ca-name:
+ content: |
+ The content of the CA cert goes here
-
name: ssl/tls-endpoints-public-ip
title: Deploy Public SSL Endpoints as IP Addresses
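Review bot: The description added for `ssl/inject-trust-anchor` does not say that whatever is placed in `SSLRootCertificate`, or in each `content` entry of `CAMap`, becomes a trust anchor on the overcloud nodes, and the sample text "The contents of your certificate go here" leaves open which certificate is meant. I would add a sentence to the description such as `Supply only the CA's public certificate, never a private key; every certificate added here is trusted by the overcloud nodes.` The child `ssl/inject-trust-anchor-hiera` sets no `title` or `description` of its own, so it presumably inherits the parent's text, which speaks of a single certificate while `CAMap` takes several named CAs; a short description of its own would make that difference visible in the generated sample. Indentation is not preserved on this page, so the nesting under `children` and the `|-2` block scalar could not be checked here.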