Allow setting ca_certificate option for metadata api

This allows os-collect-config to pass a ca_certificate when making
requests to an SSL metadata server.

Change-Id: I06056c0d3a4f26f7483980305898e4e2b1e08c6e

elements/os-collect-config/README.md

@@ -21,6 +21,7 @@ Heat Metadata can be used to configure os-collect-config:
         access_key_id: abcdefghijklmnop091234
         secret_access_key: fffeeeeddddccccaaaa99999
         path: ThisResource.Metadata
+        ca_certificate: /etc/ssl/ca.crt
       ec2:
         metadata_url: http://169.254.169.254/latest/meta-data
       heat_local:
@@ -30,7 +31,8 @@ Note that `metadata_url` is optional, as it should be determined by the
 file `heat_metadata_hint` refers to. This file is injected by Heat via
 cloud-init at first boot. Those two parameters are the only optional
 parameters. All of the others are required for the cfn data source
-to function.
+to function. Note that `ca_certificate` is also optional but required
+in many cases where the metadata api is behind ssl.
 
 `ec2` and `heat_local` do not require any configuration to work.
 
@@ -54,6 +56,7 @@ template:
                 - SecretAccessKey
               stack_name:
                 Ref: AWS::StackName
+              ca_certificate: /etc/ssl/ca.crt
 
 The EC2 collector takes this metadata, passes it to os-apply-config
 which in turn writes it out to /etc/os-collect-config.conf.

elements/os-collect-config/os-apply-config/etc/os-collect-config.conf

@@ -25,6 +25,9 @@ stack_name = {{stack_name}}
 secret_access_key = {{secret_access_key}}
 access_key_id = {{access_key_id}}
 path = {{path}}
+{{#ca_certificate}}
+ca_certificate = {{.}}
+{{/ca_certificate}}
 {{/cfn}}
 
 {{#heat}}