diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index 774721fc47..f78640d4ff 100644 --- a/deployment/apache/apache-baremetal-puppet.j2.yaml +++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -47,10 +47,21 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ApacheCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']} resources: @@ -116,6 +127,11 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" postsave_cmd: "pkill -USR1 httpd" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} for_each: NETWORK: {get_attr: [ApacheNetworks, value]} - {} diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml index 0ae21c03f3..c2e9736abd 100644 --- a/deployment/ceph-ansible/ceph-grafana.yaml +++ b/deployment/ceph-ansible/ceph-grafana.yaml 
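Review bot: `CertificateKeySize` (and the `ApacheCertificateKeySize` override) is accepted as an arbitrary string and is passed straight into the certmonger `key_size` spec with no validation, so a typo or a deliberately small value such as `'1024'` would weaken the service's private key without any error at deploy time. A Heat constraint on the parameter rejects that during stack validation, for example `constraints:` / `- allowed_values: ['2048', '3072', '4096']` (an example list; the override parameter must additionally admit `''` because that is its default and what `key_size_override_unset` tests for). The same unconstrained parameter pair is added by the parameter hunk of every other template in this commit (ceph-grafana, ceph-mgr, ceph-rgw, mysql-base, redis, etcd, both haproxy templates, qdr, neutron-api, neutron-dhcp, nova-libvirt, nova-vnc-proxy, octavia ovn-provider, the three ovn templates and the three rabbitmq templates), so whichever constraint is chosen should be applied uniformly. The `parameters:` section continues outside the hunk.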
@@ -63,9 +63,20 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + GrafanaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']} resources: CephBase: @@ -165,6 +176,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml index 87f089787e..1a06fdec24 100644 --- a/deployment/ceph-ansible/ceph-mgr.yaml +++ b/deployment/ceph-ansible/ceph-mgr.yaml @@ -49,6 +49,16 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} @@ -58,6 +68,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: 
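Review bot: The override parameter added to ceph-mgr in the `@@ -49,6 +49,16 @@` hunk is named `CephCertificateKeySize`, yet the only certificate it reaches is the dashboard one (its `key_size` sits under the spec whose `postsave_cmd` is `/usr/bin/certmonger-dashboard-refresh.sh`), and next to `CephRgwCertificateKeySize` and `GrafanaCertificateKeySize` a deployer will read it as a Ceph-wide override. Naming it `CephDashboardCertificateKeySize`, or at least having its description say `Override the private key size used when creating the Ceph dashboard certificate.` instead of "this service", removes that ambiguity. The naming pattern also slips in `ContainerOvnCertificateKeySize` (ovn-controller, beside `OvnDBSCertificateKeySize` and `OvnMetadataCertificateKeySize`) and in `RpcCertificateKeySize` (rabbitmq-messaging-rpc, beside `RabbitmqMessageCertificateKeySize`), where the service prefix used everywhere else is missing or differs. Since these parameters are new in this commit, renaming them now costs nothing, whereas it becomes a compatibility concern once deployments set them.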
@@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 4b01fbf14e..194c0c2c23 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml +++ b/deployment/ceph-ansible/ceph-rgw.yaml @@ -45,10 +45,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephRgwCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: @@ -183,6 +194,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index 10d4fdee3f..f2ae14bd39 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml 
@@ -62,6 +62,16 @@ parameters: default: false description: Enable IPv6 in MySQL type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MysqlCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -80,6 +90,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']} outputs: role_data: @@ -161,6 +172,11 @@ outputs: template: "mysql/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} - {} step_config: | include tripleo::profile::base::database::mysql diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index defa885964..712677135a 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml @@ -39,10 +39,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RedisCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']} resources: 
@@ -113,6 +124,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} - {} service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index 0a7954284a..513c0417b7 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml @@ -61,12 +61,23 @@ parameters: default: false description: Set to True to enable debugging on all services. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + EtcdCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: and: - {equals: [{get_param: EnableInternalTLS}, true]} - {equals: [{get_param: EnableEtcdInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']} resources: ContainersCommon: @@ -132,6 +143,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh' + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: EtcdCertificateKeySize} etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} - diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml index dd45631118..e9259cfcd1 100644 --- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml +++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml 
@@ -36,6 +36,20 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} resources: @@ -92,6 +106,11 @@ outputs: - "%{hiera('fqdn_NETWORK')}" principal: "haproxy/%{hiera('fqdn_NETWORK')}" postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} for_each: NETWORK: {get_attr: [HAProxyNetworks, value]} metadata_settings: diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml index f7184475c7..0abcbf7977 100644 --- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml +++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml @@ -41,6 +41,20 @@ parameters: description: > The filepath of the certificate as it will be stored in the controller. type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} outputs: role_data: 
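Review bot: Both HAProxy templates declare the same override parameter, `HAProxyCertificateKeySize`, so if same-named parameters receive a single deployment-wide value, as the shared `CertificateKeySize` suggests, the internal-network and the public-facing HAProxy certificates cannot be sized independently. If that coupling is intended, the description should say so rather than "this service"; otherwise the public template wants its own name, e.g. `HAProxyPublicCertificateKeySize`, with the condition in `haproxy-public-tls-certmonger.yaml` changed to match. The new `conditions:` sections in both files also separate the section key from its only entry with a blank line, which none of the other templates in this commit do; `conditions:` immediately followed by `key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}` matches the rest.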
@@ -78,6 +92,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 5a66b0c7d1..d2022565ef 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml @@ -144,11 +144,22 @@ parameters: default: false description: Set to true to enable configuration for STF client. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + QdrCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]} enable_stf: {equals: [{get_param: EnableSTF}, true]} + key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']} resources: @@ -249,6 +260,11 @@ outputs: template: "ROLENAMEMetricsQdrNetwork" params: ROLENAME: {get_param: RoleName} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} tripleo::profile::base::metrics::qdr::ssl_profiles: list_concat: - get_param: MetricsQdrSSLProfiles diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 9907cff1c9..d9c6f7a6c8 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml 
@@ -163,6 +163,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: @@ -198,6 +208,7 @@ conditions: omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']} resources: @@ -405,6 +416,11 @@ outputs: template: "neutron_ovn/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index a35c629eb2..9b8fbeaa22 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml 
@@ -147,6 +147,16 @@ parameters: Enable dhcp-host entry with list of addresses when port has multiple IPv6 addresses in the same subnet. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronDhcpCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -160,6 +170,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} + key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']} resources: @@ -260,6 +271,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} - {} - if: - dhcp_ovs_intergation_bridge_unset diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index a2995a8f8b..7f8aa705ee 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml 
@@ -116,6 +116,31 @@ parameters: default: '/etc/pki/CA/certs/qemu.pem' type: string description: Specifies the CA cert to use for qemu. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + LibvirtCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtCACert: type: string default: '' @@ -325,6 +350,11 @@ conditions: - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']} + key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']} + key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']} + resources: RoleParametersValue: type: OS::Heat::Value 
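Review bot: The four override parameters added in this hunk (`LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize`, `QemuServerCertificateKeySize`, `QemuClientCertificateKeySize`) carry the identical description "Override the private key size used when creating the certificate for this service", which does not tell a deployer which of the libvirt, libvirt-vnc, qemu server and qemu-nbd client certificates each one governs. Each description should name its certificate, e.g. for the last one `description: Override the private key size used when creating the qemu-nbd client certificate.`, since that is the spec (`/etc/pki/libvirt-nbd/client-cert.pem`) it is wired to in the outputs hunks below. The same copy-pasted wording is used for `NovaVNCCertificateKeySize` and `LibvirtVNCClientCertificateKeySize` in `nova-vnc-proxy-container-puppet.yaml`, where the two certificates are likewise only distinguishable by reading the outputs. The `parameters:` section continues on both sides of the hunk.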
@@ -472,6 +502,11 @@ outputs: template: "libvirt/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtCertificateKeySize} # create the qemu and qemu_ndb dirs and certs also when when tls for nbd # is not enabled this allows us to enable it even at a later time without # restart of instances @@ -501,6 +536,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_server_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuServerCertificateKeySize} qemu-nbd-client-cert: service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' service_key: '/etc/pki/libvirt-nbd/client-key.pem' @@ -514,6 +554,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_client_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuClientCertificateKeySize} - nova::migration::libvirt::live_migration_inbound_addr: str_replace: @@ -553,6 +598,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCServerCertificateKeySize} - {} - if: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index 2efad0cbff..a78d85e49b 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml 
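Review bot: In the `@@ -472,6 +502,11 @@` hunk the libvirt server certificate's `key_size` tests `key_size_libvirtvnc_override_unset` but falls back to `LibvirtCertificateKeySize`, so the condition and the parameter it is meant to guard disagree. As written, setting only `LibvirtCertificateKeySize` is ignored, while setting only `LibvirtVNCServerCertificateKeySize` makes this certificate's `key_size` resolve to the empty default of `LibvirtCertificateKeySize`, which would presumably reach certmonger as an empty key size. The condition line should read `- key_size_libvirt_override_unset`, which the conditions hunk above defines and which nothing else in the diff uses. The other three specs in this file (qemu server, qemu-nbd client, libvirt-vnc) pair condition and parameter correctly; the enclosing certificate-specs mapping starts and ends outside the hunk.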
@@ -54,6 +54,21 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NovaVNCCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtVncCACert: type: string default: '' @@ -109,6 +124,9 @@ conditions: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] + key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']} + resources: ContainersCommon: @@ -202,6 +220,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCClientCertificateKeySize} novnc_proxy_certificates_specs: service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' service_key: '/etc/pki/tls/private/novnc_proxy.key' @@ -215,6 +238,11 @@ outputs: template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + key_size: + if: + - key_size_novavnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: NovaVNCCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index b4dad6f361..c0d7e0dce4 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml 
+++ b/deployment/octavia/providers/ovn-provider-config.yaml @@ -45,6 +45,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OctaviaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -52,6 +62,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: @@ -86,6 +97,11 @@ outputs: template: "ovn_octavia/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OctaviaCertificateKeySize} - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 918a2d9ea5..f9caea9b01 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml 
@@ -98,10 +98,21 @@ parameters: OpenvSwitch integration bridge, in seconds. type: number default: 60 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ContainerOvnCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} resources: @@ -174,6 +185,11 @@ outputs: template: "ovn_controller/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index d1a8c24836..5f4512b06a 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml @@ -90,6 +90,16 @@ parameters: in backup mode and connects to the active ovsdb-server for replication type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnDBSCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: puppet_debug_enabled: {get_param: ConfigDebug} 
@@ -97,6 +107,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]} use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]} + key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']} resources: @@ -177,6 +188,11 @@ outputs: template: "ovn_dbs/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index a8d62e25ee..bbb2fbfd8a 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -122,6 +122,16 @@ parameters: description: Probe interval in ms type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnMetadataCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} @@ -129,6 +139,7 @@ conditions: service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']} + key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']} resources: 
@@ -212,6 +223,11 @@ outputs: template: "ovn_metadata/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} - {} puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index e351e59d0d..cb432addde 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -89,6 +89,16 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -107,6 +117,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} resources: @@ -215,6 +226,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} - {} - rabbitmq::admin_enable: false rabbitmq::management_enable: true diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 7944dc7f88..75434cfe6a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml 
@@ -66,9 +66,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqMessageCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index ee6ad51a29..703e4d44ef 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml @@ -67,9 +67,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RpcCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']} resources: 
@@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: