
Merge "Adding key_size option on the certificate creation" into stable/ussuri
Zuul authored and openstack-gerrit committed Jan 9, 2021
2 parents a8e519c + 977fc27 commit 47829ff
Showing 21 changed files with 388 additions and 0 deletions.
16 changes: 16 additions & 0 deletions deployment/apache/apache-baremetal-puppet.j2.yaml
Expand Up @@ -47,10 +47,21 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ApacheCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -116,6 +127,11 @@ outputs:
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "pkill -USR1 httpd"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
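Review bot: `CertificateKeySize` and `ApacheCertificateKeySize` are free-form strings with no Heat constraint, so a typo or a deliberately small value such as `'1024'` passes stack validation and only fails, or silently produces a weak key, when certmonger handles the request. Pinning the accepted sizes at the parameter would reject bad input before any certificate is issued, e.g. `constraints: [{allowed_pattern: '^(2048|3072|4096)$'}]` on `CertificateKeySize` and `constraints: [{allowed_pattern: '^(2048|3072|4096)?$'}]` on the override so its empty default still validates. The same gap exists in every sibling template touched by this commit. The description should also name the unit, e.g. `Specifies the private key size, in bits, used when creating the certificate.`; the value appears to be passed to certmonger unchanged, so whether it is interpreted as an RSA modulus size should be confirmed against the certmonger profile in use.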
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-grafana.yaml
Expand Up @@ -63,9 +63,20 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
GrafanaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -165,6 +176,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
metadata_settings:
if:
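Review bot: The `GrafanaCertificateKeySize` description says it overrides the key size but never states what its default `''` does, even though the `key_size_override_unset` condition makes the empty string mean "inherit `CertificateKeySize`". An operator reading only the parameter list cannot tell whether an empty value disables the setting or falls back. Suggest `description: Override the private key size used when creating the certificate for this service. Leave empty to inherit CertificateKeySize.` The other per-service override parameters added in this commit have the same wording gap.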
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-mgr.yaml
Expand Up @@ -49,6 +49,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
Expand All @@ -58,6 +68,7 @@ conditions:
- equals:
- get_param: EnableInternalTLS
- true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -157,6 +168,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
metadata_settings:
if:
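Review bot: The override here is named `CephCertificateKeySize`, but the `key_size` it feeds is only the certificate spec for `CephDashboardNetwork` refreshed by `certmonger-dashboard-refresh.sh`, while the RGW and Grafana certificates get their own `CephRgwCertificateKeySize` and `GrafanaCertificateKeySize`. The generic name reads as if it governed every Ceph certificate, which it does not. If the name is already fixed by the master change this backports, keep it but narrow the description, e.g. `description: Override the private key size used when creating the Ceph dashboard (mgr) certificate.`; otherwise `CephMgrCertificateKeySize` would match the naming used by the other Ceph templates.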
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-rgw.yaml
Expand Up @@ -45,10 +45,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephRgwCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -183,6 +194,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:
16 changes: 16 additions & 0 deletions deployment/database/mysql-base.yaml
Expand Up @@ -62,6 +62,16 @@ parameters:
default: false
description: Enable IPv6 in MySQL
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MysqlCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

parameter_groups:
- label: deprecated
Expand All @@ -80,6 +90,7 @@ conditions:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
- 6
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}

outputs:
role_data:
Expand Down Expand Up @@ -161,6 +172,11 @@ outputs:
template: "mysql/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
- {}
step_config: |
include tripleo::profile::base::database::mysql
16 changes: 16 additions & 0 deletions deployment/database/redis-container-puppet.yaml
Expand Up @@ -39,10 +39,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RedisCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -113,6 +124,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
- {}
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
16 changes: 16 additions & 0 deletions deployment/etcd/etcd-container-puppet.yaml
Expand Up @@ -61,12 +61,23 @@ parameters:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled:
and:
- {equals: [{get_param: EnableInternalTLS}, true]}
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}

resources:
ContainersCommon:
Expand Down Expand Up @@ -132,6 +143,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: EtcdCertificateKeySize}
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
19 changes: 19 additions & 0 deletions deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
Expand Up @@ -36,6 +36,20 @@ parameters:
HAProxyInternalTLSKeysDirectory:
default: '/etc/pki/tls/private/haproxy'
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -92,6 +106,11 @@ outputs:
- "%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
metadata_settings:
19 changes: 19 additions & 0 deletions deployment/haproxy/haproxy-public-tls-certmonger.yaml
Expand Up @@ -41,6 +41,20 @@ parameters:
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}

outputs:
role_data:
Expand Down Expand Up @@ -78,6 +92,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
metadata_settings:
- service: haproxy
network: {get_param: [ServiceNetMap, PublicNetwork]}
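Review bot: `HAProxyCertificateKeySize` is declared here and again, with the same `''` default, in haproxy-internal-tls-certmonger.j2.yaml, so a single override sets the key size for both the externally reachable certificate on `PublicNetwork` and every internal per-network HAProxy certificate. An operator who wants a larger key only on the public endpoint, where the certificate is exposed to untrusted clients, has no way to express that. If the coupling is intended, say so in the description, e.g. `description: Override the private key size for the HAProxy certificates (public and internal).`; if not, a distinct `HAProxyPublicCertificateKeySize` in this template would decouple them.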
16 changes: 16 additions & 0 deletions deployment/metrics/qdr-container-puppet.yaml
Expand Up @@ -144,11 +144,22 @@ parameters:
default: false
description: Set to true to enable configuration for STF client.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
QdrCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
enable_stf: {equals: [{get_param: EnableSTF}, true]}
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}


resources:
Expand Down Expand Up @@ -249,6 +260,11 @@ outputs:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
tripleo::profile::base::metrics::qdr::ssl_profiles:
list_concat:
- get_param: MetricsQdrSSLProfiles
16 changes: 16 additions & 0 deletions deployment/neutron/neutron-api-container-puppet.yaml
Expand Up @@ -163,6 +163,16 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
Expand Down Expand Up @@ -198,6 +208,7 @@ conditions:
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -405,6 +416,11 @@ outputs:
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronCertificateKeySize}
- {}
service_config_settings:
rsyslog:
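Review bot: `NeutronCertificateKeySize` is described as the override "for this service", but the `key_size` added here lives only in the `neutron_ovn/%{hiera('fqdn_NETWORK')}` certificate spec, presumably the certificate Neutron uses towards OVN; the certificate fronting the Neutron API over httpd comes from the Apache template and is governed by `ApacheCertificateKeySize`, which this same commit adds. Someone setting `NeutronCertificateKeySize` may therefore expect the API endpoint's key to change when it will not. Suggest `description: Override the private key size used when creating the Neutron OVN certificate. The httpd certificate serving the API is controlled by ApacheCertificateKeySize.` The `if`/`- {}` structure enclosing this spec starts above the hunk, so the governing condition is not visible here.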