Allow setting ca_certificate option for metadata api

This allows os-collect-config to pass a ca_certificate when making requests to an SSL metadata server. Change-Id: I06056c0d3a4f26f7483980305898e4e2b1e08c6e
2014-12-05 11:22:00 +01:00 · 2014-12-05 11:22:00 +01:00 · 71d9a26741
parent 2c52702d71
commit 71d9a26741
2 changed files with 7 additions and 1 deletions
--- a/elements/os-collect-config/README.md
+++ b/elements/os-collect-config/README.md
@ -21,6 +21,7 @@ Heat Metadata can be used to configure os-collect-config:
        access_key_id: abcdefghijklmnop091234
        secret_access_key: fffeeeeddddccccaaaa99999
        path: ThisResource.Metadata
+        ca_certificate: /etc/ssl/ca.crt
      ec2:
        metadata_url: http://169.254.169.254/latest/meta-data
      heat_local:
@ -30,7 +31,8 @@ Note that `metadata_url` is optional, as it should be determined by the
 file `heat_metadata_hint` refers to. This file is injected by Heat via
 cloud-init at first boot. Those two parameters are the only optional
 parameters. All of the others are required for the cfn data source
-to function.
+to function. Note that `ca_certificate` is also optional but required
+in many cases where the metadata api is behind ssl.

 `ec2` and `heat_local` do not require any configuration to work.

@ -54,6 +56,7 @@ template:
                - SecretAccessKey
              stack_name:
                Ref: AWS::StackName
+              ca_certificate: /etc/ssl/ca.crt

 The EC2 collector takes this metadata, passes it to os-apply-config
 which in turn writes it out to /etc/os-collect-config.conf.
--- a/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf
+++ b/elements/os-collect-config/os-apply-config/etc/os-collect-config.conf
@ -25,6 +25,9 @@ stack_name = {{stack_name}}
 secret_access_key = {{secret_access_key}}
 access_key_id = {{access_key_id}}
 path = {{path}}
+{{#ca_certificate}}
+ca_certificate = {{.}}
+{{/ca_certificate}}
 {{/cfn}}

 {{#heat}}