tripleo-heat-templates/puppet/extraconfig/tls/ca-inject.yaml

heat_template_version: rocky

description: >
  This is a template which will inject the trusted anchor.  

parameters:
  # Can be overridden via parameter_defaults in the environment
  SSLRootCertificate:
    description: >
      The content of a CA's SSL certificate file in PEM format.
      This is evaluated on the client side.      
    type: string
  SSLRootCertificatePath:
    default: '/etc/pki/ca-trust/source/anchors/ca.crt.pem'
    description: >
      The filepath of the root certificate as it will be stored in the nodes.
      Note that the path has to be one that can be picked up by the update
      trust anchor command. e.g. in RHEL it would be
      /etc/pki/ca-trust/source/anchors/ca.crt.pem      
    type: string
  UpdateTrustAnchorsCommand:
    default: update-ca-trust extract
    description: >
        command that will be executed to update the trust anchors.        
    type: string

  # Passed in by controller.yaml
  server:
    description: ID of the node to apply this config to
    type: string

resources:
  CAConfig:
    type: OS::Heat::SoftwareConfig
    properties:
      group: script
      inputs:
        - name: cacert_path
        - name: cacert_content
        - name: update_anchor_command
      outputs:
        - name: root_cert_md5sum
      config: |
        #!/bin/sh
        cat > ${cacert_path} << EOF
        ${cacert_content}
        EOF
        chmod 0444 ${cacert_path}
        chown root:root ${cacert_path}
        ${update_anchor_command}
        md5sum ${cacert_path} > ${heat_outputs_path}.root_cert_md5sum        

  CADeployment:
    type: OS::Heat::SoftwareDeployment
    properties:
      name: CADeployment
      config: {get_resource: CAConfig}
      server: {get_param: server}
      input_values:
        cacert_path: {get_param: SSLRootCertificatePath}
        cacert_content: {get_param: SSLRootCertificate}
        update_anchor_command: {get_param: UpdateTrustAnchorsCommand}