Add the Zanata server CRT into the Java keystore

Java does not like to make connections to untrusted HTTPS hosts, and
makes it rather difficult to not verify the certificate and its CA
chain, like our Python scripts are currently doing. To that end, drag
down the CRT for the configured Zanata server, and inject it into the
default Java keystore -- since passing a non-default keystore would
also require changes to Zanata.

Change-Id: If6aaf4d560acc25e626027d82ed103dd46328802
Depends-On: I32ef72eba436c338052be2eb83ce39e4400d047c

manifests/client.pp

@@ -26,6 +26,7 @@ class zanata::client(
 ) {
 
   $server_id = parse_server_id($server_url)
+  $server_name = regsubst($server_id, '_', '.', 'G')
 
   file { '/opt/zanata':
     ensure  => directory,
@@ -50,6 +51,36 @@ class zanata::client(
     require => Exec['get_zanata_client_dist_tarball'],
   }
 
+  exec { 'get_zanata_server_certificate':
+    command => "openssl s_client -connect ${server_name}:443 -prexit 2>/dev/null | openssl x509 -in /dev/stdin -out /opt/zanata/${server_id}.crt",
+    path    => '/bin:/usr/bin',
+    creates => "/opt/zanata/${server_id}.crt",
+    require => File['/opt/zanata'],
+  }
+
+  file { "/opt/zanata/${server_id}.crt":
+    ensure  => present,
+    owner   => $user,
+    group   => $group,
+    mode    => '0644',
+    require => Exec['get_zanata_server_certificate'],
+  }
+
+  java_ks { 'zanata_server:keystore':
+    ensure       => latest,
+    certificate  => "/opt/zanata/${server_id}.crt",
+    target       => '/etc/ssl/certs/java/cacerts',
+    password     => 'changeit',
+    require      => File["/opt/zanata/${server_id}.crt"],
+  }
+
+  file { '/etc/ssl/certs/java/cacerts':
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    require => Java_ks['zanata_server:keystore']
+  }
+
   exec { 'unpack_zanata_client_dist_tarball':
     command => "tar zxf zanata-cli-${version}-dist.tar.gz",
     path    => '/bin:/usr/bin',