Add support for providing Octavia cert data

This patch adds heat parameters for configuring the contents
of the Octavia CA and cert files.

Depends-On: I8d46bad372b8c24b290500ee6040207cb808ba23
Change-Id: I8595d85b7c9be703f9a247e07b677da0cfdb932c

puppet/services/octavia-base.yaml

@@ -78,10 +78,23 @@ parameters:
     type: string
     default: '/etc/octavia/certs/ca_01.pem'
     description: Octavia CA certificate file path.
+  OctaviaCaCert:
+    type: string
+    default: ''
+    description: Octavia CA certificate data. If provided, this will create
+                 or update a file on the host with the path provided in
+                 OctaviaCaCertFile with the certificate data.
   OctaviaCaKeyFile:
     type: string
     default: '/etc/octavia/certs/private/cakey.pem'
     description: Octavia CA private key file path.
+  OctaviaCaKey:
+    type: string
+    default: ''
+    description: The private key for the certificate provided in OctaviaCaCert.
+                 If provided, this will create or update a file on the host
+                 with the path provided in OctaviaCaKeyFile with the key
+                 data.
   OctaviaCaKeyPassphrase:
     description: CA private key passphrase.
     type: string
@@ -89,6 +102,8 @@ parameters:
 
 conditions:
   service_debug_unset: {equals : [{get_param: OctaviaDebug}, '']}
+  octavia_ca_cert_unset: {equals: [{get_param: OctaviaCaCert}, '']}
+  octavia_ca_key_unset: {equals: [{get_param: OctaviaCaKey}, '']}
 
 outputs:
   role_data:
@@ -96,24 +111,35 @@ outputs:
     value:
        service_name: octavia_base
        config_settings:
-         octavia::debug:
-          if:
-          - service_debug_unset
-          - {get_param: Debug }
-          - {get_param: OctaviaDebug }
-         octavia::purge_config: {get_param: EnableConfigPurge}
-         octavia::notification_driver: {get_param: NotificationDriver}
-         octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
-         octavia::rabbit_userid: {get_param: RabbitUserName}
-         octavia::rabbit_password: {get_param: RabbitPassword}
-         octavia::rabbit_port: {get_param: RabbitClientPort}
-         octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
-         octavia::service_auth::auth_type: 'password'
-         octavia::service_auth::username: 'octavia'
-         octavia::service_auth::password: {get_param: OctaviaPassword}
-         octavia::service_auth::project_name: 'service'
-         octavia::service_auth::project_domain_name: 'Default'
-         octavia::service_auth::user_domain_name: 'Default'
-         octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
-         octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
-         octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
+         map_merge:
+           - octavia::debug:
+              if:
+              - service_debug_unset
+              - {get_param: Debug }
+              - {get_param: OctaviaDebug }
+             octavia::purge_config: {get_param: EnableConfigPurge}
+             octavia::notification_driver: {get_param: NotificationDriver}
+             octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+             octavia::rabbit_userid: {get_param: RabbitUserName}
+             octavia::rabbit_password: {get_param: RabbitPassword}
+             octavia::rabbit_port: {get_param: RabbitClientPort}
+             octavia::service_auth::auth_url: {get_param: [EndpointMap, KeystonePublic, uri_no_suffix]}
+             octavia::service_auth::auth_type: 'password'
+             octavia::service_auth::username: 'octavia'
+             octavia::service_auth::password: {get_param: OctaviaPassword}
+             octavia::service_auth::project_name: 'service'
+             octavia::service_auth::project_domain_name: 'Default'
+             octavia::service_auth::user_domain_name: 'Default'
+             octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
+             octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
+             octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
+           -
+             if:
+               - octavia_ca_cert_unset
+               - {}
+               - octavia::certificates::ca_certificate_data: {get_param: OctaviaCaCert}
+           -
+             if:
+               - octavia_ca_key_unset
+               - {}
+               - octavia::certificates::ca_private_key_data: {get_param: OctaviaCaKey}

puppet/services/octavia-worker.yaml

@@ -67,9 +67,16 @@ parameters:
     default: '/etc/octavia/certs/client.pem'
     description: client certificate for amphoras
     type: string
+  OctaviaClientCert:
+    default: ''
+    description: Client certificate data. If provided, this will create or update
+                 a file on the host with the path provided in OctaviaClientCertFile
+                 with the certificate data.
+    type: string
 
 conditions:
   octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
+  octavia_client_cert_unset: {equals: [{get_param: OctaviaClientCert}, ""]}
 
 resources:
 
@@ -106,6 +113,12 @@ outputs:
             - octavia_topology_unset
             - {}
             - octavia::worker::loadbalancer_topology: {get_param: OctaviaLoadBalancerTopology}
+          -
+            if:
+            - octavia_client_cert_unset
+            - {}
+            - octavia::certificates::client_cert_data: {get_param: OctaviaClientCert}
+
       step_config: |
         include tripleo::profile::base::octavia::worker
 

releasenotes/notes/add-octavia-cert-key-variables-48133267832ee196.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    Added support for providing Octavia certificate data through heat parameters.