From e65fc34af694041e7f5e5a06fd50c026b2c9509b Mon Sep 17 00:00:00 2001
From: Paul Belanger <pabelanger@redhat.com>
Date: Tue, 17 Oct 2017 10:59:20 -0400
Subject: [PATCH] Add /etc/ssl/certs to trusted_ro_paths for zuul-executors

If we download things over HTTPs inside bwrap, we'll need access to
/etc/ssl/certs to validate certs.

Change-Id: Ib662afbc0e3375a2d461ef7fc6e7e4f8741a700c
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
---
 manifests/site.pp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/manifests/site.pp b/manifests/site.pp
index 7abc361219..e9b3703f1c 100644
--- a/manifests/site.pp
+++ b/manifests/site.pp
@@ -1196,7 +1196,7 @@ node /^ze\d+\.openstack\.org$/ {
     gearman_ssl_ca           => hiera('gearman_ssl_ca'),
     #TODO(pabelanger): Add openafs role for zuul-jobs to setup /etc/openafs
     # properly. We need to revisting this post Queens PTG.
-    trusted_ro_paths         => ['/etc/openafs', '/var/lib/zuul/ssh'],
+    trusted_ro_paths         => ['/etc/openafs', '/etc/ssl/certs', '/var/lib/zuul/ssh'],
     trusted_rw_paths         => ['/afs'],
     disk_limit_per_job       => 5000,  # Megabytes
     site_variables_yaml_file => $::project_config::zuul_site_variables_yaml,