Add deployment of CAs via hieradata

This enables us to pass a map of CAs to deploy the CA certificates
using puppet and hiera instead of the bash script we were using. It
also gives us the feature that we will be able to deploy several CA
certificates on the nodes instead of just one as was the case before.

Change-Id: I9559487874b80aeb093cc2fa2cfa7c0479d5a8b2
Depends-On: I84273b4cd6576a63fa78dc93ad6b077dd2a780c7

diff --git a/environments/inject-trust-anchor-hiera.yaml b/environments/inject-trust-anchor-hiera.yaml
new file mode 100644 (file)
index 0000000..b4908c1
--- /dev/null
+++ b/environments/inject-trust-anchor-hiera.yaml
@@ -0,0 +1,8 @@
+parameter_defaults:
+  CAMap:
+    first-ca-name:
+      content: |
+        The content of the CA cert goes here
+    second-ca-name:
+      content: |
+        The content of the CA cert goes here

diff --git a/overcloud-resource-registry-puppet.yaml b/overcloud-resource-registry-puppet.yaml
index 817ff2c..81cc4f8 100644 (file)
--- a/overcloud-resource-registry-puppet.yaml
+++ b/overcloud-resource-registry-puppet.yaml
@@ -130,6 +130,7 @@ resource_registry:
 
   # services
   OS::TripleO::Services: puppet/services/services.yaml
+  OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml
   OS::TripleO::Services::CephMon: OS::Heat::None
   OS::TripleO::Services::CephOSD: OS::Heat::None
   OS::TripleO::Services::CephClient: OS::Heat::None

diff --git a/overcloud.yaml b/overcloud.yaml
index a4f8fee..92b83f2 100644 (file)
--- a/overcloud.yaml
+++ b/overcloud.yaml
@@ -109,6 +109,7 @@ parameters:
 
   ControllerServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephMon
       - OS::TripleO::Services::CephExternal
       - OS::TripleO::Services::CinderApi
@@ -179,6 +180,7 @@ parameters:
 
   ComputeServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephClient
       - OS::TripleO::Services::CephExternal
       - OS::TripleO::Services::Timezone
@@ -211,6 +213,7 @@ parameters:
     type: json
   BlockStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CinderVolume
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp
@@ -235,6 +238,7 @@ parameters:
     type: json
   ObjectStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp
       - OS::TripleO::Services::SwiftStorage
@@ -262,6 +266,7 @@ parameters:
     type: json
   CephStorageServices:
     default:
+      - OS::TripleO::Services::CACerts
       - OS::TripleO::Services::CephOSD
       - OS::TripleO::Services::Kernel
       - OS::TripleO::Services::Ntp

diff --git a/puppet/services/ca-certs.yaml b/puppet/services/ca-certs.yaml
new file mode 100644 (file)
index 0000000..1a53415
--- /dev/null
+++ b/puppet/services/ca-certs.yaml
@@ -0,0 +1,35 @@
+heat_template_version: 2016-04-08
+
+description: >
+  HAproxy service configured with Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  CAMap:
+    description: >
+      Map containing the CA certs and information needed for deploying them.
+    default: {}
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for injecting CA certificates.
+    value:
+      service_name: ca_certs
+      config_settings:
+        tripleo::trusted_cas::ca_map: {get_param: CAMap}
+      step_config: |
+        include ::tripleo::trusted_cas