Explicit set qemu certificate group ownership

While the certificates get requested with the appropriate group
root:qemu [1] and copied to /etc/pki/qemu/ with -a it has seen
that the group ownership is not correct on the target certificate
files. Lets set explicit group ownership via the run_after
script.

Closes-Bug: #1933330

[1] https://github.com/openstack/tripleo-heat-templates/blob/master/deployment/nova/nova-libvirt-container-puppet.yaml#L777-L779

Change-Id: I67698dafb3ade4239d8cee868c0333c5ec89472c

deployment/nova/nova-libvirt-container-puppet.yaml

@@ -796,6 +796,7 @@ outputs:
                                 chmod 644 /etc/pki/qemu/ca-cert.pem
                                 cp -a /etc/pki/tls/certs/qemu-server-cert.crt /etc/pki/qemu/server-cert.pem
                                 cp -a /etc/pki/tls/private/qemu-server-cert.key /etc/pki/qemu/server-key.pem
+                                chgrp qemu /etc/pki/qemu/server-*
                                 chmod 0640 /etc/pki/qemu/server-cert.pem
                                 chmod 0640 /etc/pki/qemu/server-key.pem
                                 systemctl reload tripleo_nova_libvirt
@@ -828,6 +829,7 @@ outputs:
                             # Copy cert and key to qemu dir
                             cp -a /etc/pki/tls/certs/qemu-client-cert.crt /etc/pki/qemu/client-cert.pem
                             cp -a /etc/pki/tls/private/qemu-client-cert.key /etc/pki/qemu/client-key.pem
+                            chgrp qemu /etc/pki/qemu/client-*
                             chmod 0640 /etc/pki/qemu/client-cert.pem
                             chmod 0640 /etc/pki/qemu/client-key.pem
                             systemctl reload tripleo_nova_libvirt