From d653e7f158ae1e769e801204bddfe74f97f059f9 Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Fri, 25 Aug 2017 13:26:12 -0700
Subject: [PATCH] Trust infracloud directly using public cert

Rather than needing to manage /usr/local/share/ca-certificates and keep the global cert list up to date with update-ca-certificates just directly trust the appropriate cert when talking to infracloud. This is how we have done it on nodepool and it is a very simple method for managing this setup.

Change-Id: I702e30de81f1ef3211caa113616fef0be51f4821
---
 manifests/site.pp | 16 ++++++++++++++++
 .../templates/puppetmaster/all-clouds.yaml.erb | 12 ++++++------
 .../puppetmaster/ansible-clouds.yaml.erb | 4 ++--
 3 files changed, 24 insertions(+), 8 deletions(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index bfdd9fedaa..bfd578cfa7 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -171,6 +171,22 @@ node 'puppetmaster.openstack.org' {
 mqtt_password => hiera('mqtt_service_user_password'),
 mqtt_ca_cert_contents => hiera('mosquitto_tls_ca_file'),
 }
+ file { '/etc/openstack/infracloud_vanilla_cacert.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => hiera('infracloud_vanilla_ssl_cert_file_contents'),
+ require => Class['::openstack_project::puppetmaster'],
+ }
+ file { '/etc/openstack/infracloud_chocolate_cacert.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0444',
+ content => hiera('infracloud_chocolate_ssl_cert_file_contents'),
+ require => Class['::openstack_project::puppetmaster'],
+ }
 }
 
 # Node-OS: trusty
diff --git a/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb b/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
index 4199ec8e1a..c6a0cd7cf3 100644
--- a/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
+++ b/modules/openstack_project/templates/puppetmaster/all-clouds.yaml.erb
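Review bot: Both new `file` resources use `ensure => present`, which also accepts a pre-existing directory or symlink at that path; for a resource whose `content` is set, `ensure => file,` states the intent and lets Puppet replace anything that is not a regular file. The new paths are consumed by the `cacert` keys in all-clouds.yaml.erb and ansible-clouds.yaml.erb, but nothing in this hunk orders the rendered clouds.yaml after these resources, so on a first run the config could reference a file that does not exist yet — worth a `before`/`require` against the template's file resource unless the class already implies it (that resource is outside this hunk). Since each cloud now trusts a single pinned CA instead of the system bundle, rotating the infracloud CA requires updating the hiera key in lockstep; a comment above each resource such as `# Pinned CA for infracloud vanilla; rotate together with the hiera key.` would help the next operator. The enclosing node block starts and ends outside the hunk.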
@@ -9,7 +9,7 @@ clouds:
 project_domain_name: default
 user_domain_name: default
 identity_api_version: '3'
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_vanilla_cacert.pem
 admin-infracloud-chocolate:
 region_name: RegionOne
 auth:
@@ -20,7 +20,7 @@ clouds:
 project_domain_name: default
 user_domain_name: default
 identity_api_version: '3'
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_chocolate_cacert.pem
 infra-files-ro:
 profile: rackspace
 auth:
@@ -46,7 +46,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_vanilla_cacert.pem
 openstackci-infracloud-chocolate:
 region_name: RegionOne
 auth:
@@ -58,7 +58,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_chocolate_cacert.pem
 openstackci-internap:
 profile: internap
 auth:
@@ -152,7 +152,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_vanilla_cacert.pem
 openstackzuul-infracloud-chocolate:
 region_name: RegionOne
 auth:
@@ -164,7 +164,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_chocolate_cacert.pem
 openstackjenkins-rax:
 regions:
 - DFW
diff --git a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
index 55c5092c48..5de9169b62 100644
--- a/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
+++ b/modules/openstack_project/templates/puppetmaster/ansible-clouds.yaml.erb
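Review bot: The new `cacert` values point at `/etc/openstack/infracloud_vanilla_cacert.pem` and `/etc/openstack/infracloud_chocolate_cacert.pem`, which this change only creates inside the `puppetmaster.openstack.org` node block; if all-clouds.yaml.erb or ansible-clouds.yaml.erb is ever rendered on another host, the path will be absent and TLS verification for those clouds fails closed instead of falling back to the system bundle. The same literal path is repeated in the six hunks of this file and in the two hunks of ansible-clouds.yaml.erb (`@@ -90` and `@@ -102`); assigning it once to an ERB local at the top of each template would make a future rotation or rename a one-line change. Unlike the previous `/etc/ssl/certs/ca-certificates.crt`, each new file is a single trust anchor, so if the hiera key holds the endpoint's leaf certificate rather than the issuing CA, verification breaks at the next renewal; the hunk cannot show which it is, so this is worth confirming before merge.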
@@ -90,7 +90,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_vanilla_cacert.pem
 openstackci-infracloud-chocolate:
 region_name: RegionOne
 auth:
@@ -102,7 +102,7 @@ clouds:
 user_domain_name: default
 identity_api_version: '3'
 floating_ip_source: None
- cacert: /etc/ssl/certs/ca-certificates.crt
+ cacert: /etc/openstack/infracloud_chocolate_cacert.pem
 openstackci-citycloud:
 regions:
 - Lon1