Update ro excludes

When container-puppet.sh (or docker-puppet.sh) runs, we always bind
mount in certain directories and files. However if these files change
while we're running the puppet execution externally on the host, they
end up being copied to our puppet-generated path. This path is copied
into the container when kolla starts up. Because we re-mount these same
paths in the end container as read-only, kolla will try and update the
read-only mount which errors. This change updates our rsync excludes to
include:

 * /etc/pki/ca-trust/extracted
 * /etc/pki/ca-trust/source/anchors
 * /etc/pki/tls/certs/ca-bundle.crt
 * /etc/pki/tls/certs/ca-bundle.trust.crt
 * /etc/pki/tls/cert.pem
 * /etc/hosts
 * /etc/localtime

Conflicts:
        common/container-puppet.sh

Change-Id: I858a7b8745688c6271b01795460ab4adbf3f2be5
Closes-Bug: #1860607
(cherry picked from commit 36ea0148e8)

common/container-puppet.py

@@ -355,7 +355,10 @@ if not os.path.exists(sh_script):
 
             # Exclude read-only mounted directories/files which we do not want
             # to copy or delete.
-            ro_files="/etc/puppetlabs/ /opt/puppetlabs/"
+            ro_files="/etc/puppetlabs/ /opt/puppetlabs/ /etc/pki/ca-trust/extracted "
+            ro_files+="/etc/pki/ca-trust/source/anchors /etc/pki/tls/certs/ca-bundle.crt "
+            ro_files+="/etc/pki/tls/certs/ca-bundle.trust.crt /etc/pki/tls/cert.pem "
+            ro_files+="/etc/hosts /etc/localtime"
             for ro in $ro_files; do
                 if [ -e "$ro" ]; then
                     exclude_files+=" --exclude=$ro"