ssl: Add support for a CA Certificate
authorStuart McLaren <stuart.mclaren@hp.com>
Thu, 3 Apr 2014 16:30:24 +0000 (16:30 +0000)
committerStuart McLaren <stuart.mclaren@hp.com>
Tue, 20 May 2014 16:03:17 +0000 (16:03 +0000)
Add SSLCACertificate to the overcloud yaml.

This allows a CA certificate to be specified in cases where the SSL
certificate was not issued by a CA in the system bundle.

Partially implements: blueprint tripleo-ssl-overcloud

Full set of blueprint changes:

https://review.openstack.org/#/c/85098
https://review.openstack.org/#/c/85099
https://review.openstack.org/#/c/85100

Change-Id: I67d7c1362df323762023be5c74fbe75b1583570c

overcloud-source.yaml
ssl-source.yaml

index cf1eecd..f3bf154 100644 (file)
@@ -587,6 +587,7 @@ Resources:
       input_values:
         ssl_certificate: {Ref: SSLCertificate}
         ssl_key: {Ref: SSLKey}
+        ssl_ca_certificate: {Ref: SSLCACertificate}
   controller0Passthrough:
     Type: OS::Heat::StructuredDeployment
     Properties:
index c3edbe7..1d6ac24 100644 (file)
@@ -10,6 +10,10 @@ Parameters:
     Description: If set, the contents of an SSL certificate .key file for encrypting SSL endpoints.
     Type: String
     NoEcho: true
+  SSLCACertificate:
+    Default: ''
+    Description: If set, the contents of an SSL certificate authority file.
+    Type: String
 Resources:
   SSLConfig:
     Type: OS::Heat::StructuredConfig
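Review bot: The new `SSLCACertificate` description does not say what the value is used for, and unlike `SSLKey` just above it the parameter carries no `NoEcho`, with nothing explaining why. Suggest wording it after the commit message, e.g. `Description: If set, the contents of the CA certificate file for SSLCertificate, for use when that certificate is not signed by a CA in the system bundle.` A comment such as `# CA certificates are public, so NoEcho is intentionally omitted` would keep the omission from being mistaken for an oversight later. The Parameters block starts outside the hunk.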
@@ -21,6 +25,8 @@ Resources:
             get_input: ssl_certificate
           key:
             get_input: ssl_key
+          cacert:
+            get_input: ssl_ca_certificate
           ports:
            - name: 'ec2'
              accept: 13773
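Review bot: With `Default: ''` on `SSLCACertificate`, `cacert` here receives an empty string whenever no CA certificate is supplied, and nothing in this hunk shows how the consumer of this config treats that. If the consuming element writes the value to a file or passes it to the TLS terminator unconditionally, an empty CA file could break the endpoint or alter the chain that is served; that code is not visible here, so this should be confirmed. A comment above the key, e.g. `# empty string means no CA certificate is configured; consumers must skip it`, would record the contract. The enclosing config mapping starts before the hunk and continues past it.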