From 42cfbbc8bfbaa401d6e774b58cb78f4bbaccc2d9 Mon Sep 17 00:00:00 2001
From: Rabi Mishra
Date: Thu, 14 May 2020 13:03:58 +0530
Subject: [PATCH] Add cacert to clouds.yaml
We need to add the cacert for both undercloud and overclud in clouds.yaml
Closes-Bug: #1878540
Depends-On: https://review.opendev.org/728358
Change-Id: I1f209bcae7707af2c8653ad21f69097f81ec6947
---
 .../keystone/keystone-container-puppet.yaml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/deployment/keystone/keystone-container-puppet.yaml b/deployment/keystone/keystone-container-puppet.yaml
index 1aab101527..192cfe853d 100644
--- a/deployment/keystone/keystone-container-puppet.yaml
+++ b/deployment/keystone/keystone-container-puppet.yaml
@@ -52,6 +52,26 @@ parameters:
 default: 'fernet'
 constraints:
 - allowed_values: ['fernet']
+ SSLCertificate:
+ default: ''
+ description: >
+ The content of the SSL certificate (without Key) in PEM format.
+ type: string
+ PublicSSLCertificateAutogenerated:
+ default: false
+ description: >
+ Whether the public SSL certificate was autogenerated or not.
+ type: boolean
+ EnablePublicTLS:
+ default: true
+ description: >
+ Whether to enable TLS on the public interface or not.
+ type: boolean
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 EnableInternalTLS:
 type: boolean
 default: false
@@ -318,6 +338,17 @@ resources:
 conditions:
+ public_tls_enabled:
+ and:
+ - {get_param: EnablePublicTLS}
+ - or:
+ - not:
+ equals:
+ - {get_param: SSLCertificate}
+ - ""
+ - equals:
+ - {get_param: PublicSSLCertificateAutogenerated}
+ - true
 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 keystone_fernet_tokens: {equals: [{get_param: KeystoneTokenProvider}, "fernet"]}
 keystone_ldap_domain_enabled: {equals: [{get_param: KeystoneLDAPDomainEnable}, True]}
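Review bot: The `description` of `InternalTLSCAFile` is a plain scalar continued onto a second line, unlike the three parameters added just above it, which use a `>` folded block; the plain continuation is folded silently by YAML and is fragile under re-indentation. Write it as `description: >` with the text `Specifies the default CA cert to use if TLS is used for services in the internal network.` on the following indented line so all four new parameters read the same way. Since this parameter is now also consumed for the clouds.yaml `cacert` later in the patch, a short addition to that description noting this use would help operators who override the default path. The `parameters` mapping continues outside this hunk.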
@@ -720,6 +751,11 @@ outputs:
 project_name: admin
 user_domain_name: Default
 username: admin
+ cacert:
+ if:
+ - public_tls_enabled
+ - {get_param: InternalTLSCAFile}
+ ''
 identity_api_version: '3'
 region_name: {get_param: KeystoneRegion}
 - name: Manage Keystone resources
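Review bot: The `cacert` added here selects `InternalTLSCAFile` (default `/etc/ipa/ca.crt`) whenever `public_tls_enabled` holds, but that condition is also true when `SSLCertificate` is operator-supplied and not autogenerated, in which case the public endpoint's certificate is not necessarily issued by the CA in that file and a client using this clouds.yaml would fail verification — or be pushed towards disabling it. Either gate the IPA CA path on `PublicSSLCertificateAutogenerated` alone, or introduce a separate public-CA parameter, and state the assumption in the `InternalTLSCAFile` description with something like `Must also be able to verify the public endpoint certificate when used as cacert in clouds.yaml.` The `''` fallback presumes the consumer treats an empty `cacert` as "use the system trust store"; that is worth confirming against the clouds.yaml consumer rather than assuming, and a comment recording the intended meaning would help the next reader. The enclosing output and the clouds.yaml mapping start outside this hunk.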