From 977fc27fae120779da5e191b2a1cc49a74446d0d Mon Sep 17 00:00:00 2001 From: Raildo Date: Thu, 26 Nov 2020 09:50:35 -0300 Subject: [PATCH] Adding key_size option on the certificate creation Adding the ability to specify the private key size used when creating the certificate. The default value is the same as before, 2048 bits. The key_size value can also be overridden per service. Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65 (cherry picked from commit 97609775297417620ede0436c80156456a6c41da) --- .../apache/apache-baremetal-puppet.j2.yaml | 16 ++++++ deployment/ceph-ansible/ceph-grafana.yaml | 16 ++++++ deployment/ceph-ansible/ceph-mgr.yaml | 16 ++++++ deployment/ceph-ansible/ceph-rgw.yaml | 16 ++++++ deployment/database/mysql-base.yaml | 16 ++++++ .../database/redis-container-puppet.yaml | 16 ++++++ deployment/etcd/etcd-container-puppet.yaml | 16 ++++++ .../haproxy-internal-tls-certmonger.j2.yaml | 19 +++++++ .../haproxy-public-tls-certmonger.yaml | 19 +++++++ deployment/metrics/qdr-container-puppet.yaml | 16 ++++++ .../neutron/neutron-api-container-puppet.yaml | 16 ++++++ .../neutron-dhcp-container-puppet.yaml | 16 ++++++ .../nova/nova-libvirt-container-puppet.yaml | 50 +++++++++++++++++++ .../nova/nova-vnc-proxy-container-puppet.yaml | 28 +++++++++++ .../providers/ovn-provider-config.yaml | 16 ++++++ .../ovn/ovn-controller-container-puppet.yaml | 16 ++++++ deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 16 ++++++ .../ovn/ovn-metadata-container-puppet.yaml | 16 ++++++ .../rabbitmq/rabbitmq-container-puppet.yaml | 16 ++++++ ...tmq-messaging-notify-container-puppet.yaml | 16 ++++++ ...bbitmq-messaging-rpc-container-puppet.yaml | 16 ++++++ 21 files changed, 388 insertions(+) diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index 774721fc47..f78640d4ff 100644
--- a/deployment/apache/apache-baremetal-puppet.j2.yaml +++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -47,10 +47,21 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ApacheCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']} resources: @@ -116,6 +127,11 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" postsave_cmd: "pkill -USR1 httpd" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} for_each: NETWORK: {get_attr: [ApacheNetworks, value]} - {} diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml index 0ae21c03f3..c2e9736abd 100644 --- a/deployment/ceph-ansible/ceph-grafana.yaml +++ b/deployment/ceph-ansible/ceph-grafana.yaml @@ -63,9 +63,20 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + GrafanaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']} resources: CephBase: 
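Review bot: In the `@@ -47,10 +47,21 @@` hunk, `CertificateKeySize` and `ApacheCertificateKeySize` are free-form strings with no `constraints`, so a typo or a weak size such as `'1024'` passes Heat stack validation and is only rejected (or, worse, honoured) when certmonger actually requests the certificate. Pinning the accepted values on the parameter, e.g. `constraints: [{allowed_values: ['2048', '3072', '4096']}]` on `CertificateKeySize` and the same list plus `''` on the per-service override, fails the deploy at validation time instead. The same pair of parameters is copied verbatim into every template in this patch, so the constraint belongs in each copy. It is also worth stating in the description whether changing the size on an already-deployed stack re-keys existing certmonger requests or only affects new ones; the hunk does not show that, and it should be confirmed against the certmonger profile before the text is written.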
@@ -165,6 +176,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml index 87f089787e..1a06fdec24 100644 --- a/deployment/ceph-ansible/ceph-mgr.yaml +++ b/deployment/ceph-ansible/ceph-mgr.yaml @@ -49,6 +49,16 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} @@ -58,6 +68,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 4b01fbf14e..194c0c2c23 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml +++ b/deployment/ceph-ansible/ceph-rgw.yaml 
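Review bot: In the ceph-mgr `@@ -49,6 +49,16 @@` hunk, `CephCertificateKeySize` reads as a Ceph-wide override, but it only governs the dashboard certificate requested on `CephDashboardNetwork` in this template; the RGW and Grafana certificates have their own `CephRgwCertificateKeySize` and `GrafanaCertificateKeySize`. Either rename it to `CephDashboardCertificateKeySize` and adjust the `key_size_override_unset` condition accordingly, or make the scope explicit in the text: `description: Override the private key size used when creating the Ceph dashboard certificate.`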
@@ -45,10 +45,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephRgwCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: @@ -183,6 +194,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index 10d4fdee3f..f2ae14bd39 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml @@ -62,6 +62,16 @@ parameters: default: false description: Enable IPv6 in MySQL type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MysqlCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -80,6 +90,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']} outputs: role_data: 
@@ -161,6 +172,11 @@ outputs: template: "mysql/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} - {} step_config: | include tripleo::profile::base::database::mysql diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index defa885964..712677135a 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml @@ -39,10 +39,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RedisCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']} resources: @@ -113,6 +124,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} - {} service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index 0a7954284a..513c0417b7 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml 
@@ -61,12 +61,23 @@ parameters: default: false description: Set to True to enable debugging on all services. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + EtcdCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: and: - {equals: [{get_param: EnableInternalTLS}, true]} - {equals: [{get_param: EnableEtcdInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']} resources: ContainersCommon: @@ -132,6 +143,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh' + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: EtcdCertificateKeySize} etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} - diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml index dd45631118..e9259cfcd1 100644 --- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml +++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml @@ -36,6 +36,20 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} resources: 
@@ -92,6 +106,11 @@ outputs: - "%{hiera('fqdn_NETWORK')}" principal: "haproxy/%{hiera('fqdn_NETWORK')}" postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} for_each: NETWORK: {get_attr: [HAProxyNetworks, value]} metadata_settings: diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml index f7184475c7..0abcbf7977 100644 --- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml +++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml @@ -41,6 +41,20 @@ parameters: description: > The filepath of the certificate as it will be stored in the controller. type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} outputs: role_data: @@ -78,6 +92,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index fb3769133f..ddf434dc11 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml 
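Review bot: In the `@@ -41,6 +41,20 @@` hunk of haproxy-public-tls-certmonger.yaml, `HAProxyCertificateKeySize` is declared with the same name as in haproxy-internal-tls-certmonger.j2.yaml, so a single override sizes both the public-facing and the internal HAProxy certificates; parameters of the same name across TripleO service templates are presumably fed from the same `parameter_defaults` value, which should be confirmed. If the intent is to let operators choose a larger key for the external endpoint without touching the internal ones, give this parameter a distinct name such as `HAProxyPublicCertificateKeySize` and update the `key_size_override_unset` condition to match. Otherwise the description should state that the value applies to both the public and internal certificates.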
@@ -144,10 +144,21 @@ parameters: default: false description: Set to true to enable configuration for STF client. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + QdrCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} enable_stf: {equals: [{get_param: EnableSTF}, true]} + key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']} resources: @@ -244,6 +255,11 @@ outputs: template: "ROLENAMEMetricsQdrNetwork" params: ROLENAME: {get_param: RoleName} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} tripleo::profile::base::metrics::qdr::ssl_profiles: list_concat: - get_param: MetricsQdrSSLProfiles diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 9907cff1c9..d9c6f7a6c8 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml @@ -163,6 +163,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: 
@@ -198,6 +208,7 @@ conditions: omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']} resources: @@ -405,6 +416,11 @@ outputs: template: "neutron_ovn/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index a35c629eb2..9b8fbeaa22 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml @@ -147,6 +147,16 @@ parameters: Enable dhcp-host entry with list of addresses when port has multiple IPv6 addresses in the same subnet. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronDhcpCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -160,6 +170,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} + key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']} resources: 
@@ -260,6 +271,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} - {} - if: - dhcp_ovs_intergation_bridge_unset diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index a2995a8f8b..7f8aa705ee 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -116,6 +116,31 @@ parameters: default: '/etc/pki/CA/certs/qemu.pem' type: string description: Specifies the CA cert to use for qemu. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + LibvirtCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtCACert: type: string default: '' 
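Review bot: In the nova-libvirt `@@ -116,6 +116,31 @@` hunk, the four new override parameters all carry the identical description "Override the private key size used when creating the certificate for this service", which does not tell an operator which of the libvirt, libvirt VNC server, qemu server and qemu client certificates each one governs. Name the certificate in each description, e.g. `description: Override the private key size of the qemu server certificate.` for `QemuServerCertificateKeySize`, and correspondingly for `LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize` and `QemuClientCertificateKeySize`.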
@@ -325,6 +350,11 @@ conditions: - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']} + key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']} + key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']} + resources: RoleParametersValue: type: OS::Heat::Value @@ -472,6 +502,11 @@ outputs: template: "libvirt/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtCertificateKeySize} # create the qemu and qemu_ndb dirs and certs also when when tls for nbd # is not enabled this allows us to enable it even at a later time without # restart of instances @@ -501,6 +536,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_server_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuServerCertificateKeySize} qemu-nbd-client-cert: service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' service_key: '/etc/pki/libvirt-nbd/client-key.pem' @@ -514,6 +554,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_client_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuClientCertificateKeySize} - nova::migration::libvirt::live_migration_inbound_addr: str_replace: 
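Review bot: In the `@@ -472,6 +502,11 @@` hunk the `key_size` added under the libvirt server certificate (`template: "libvirt/%{hiera('fqdn_NETWORK')}"`) tests `key_size_libvirtvnc_override_unset` but falls back to `LibvirtCertificateKeySize`, so the override is decided by the wrong parameter: setting only `LibvirtCertificateKeySize` is silently ignored and the 2048-bit default is used, while setting only `LibvirtVNCServerCertificateKeySize` hands certmonger an empty `key_size` for the libvirt certificate. The condition `key_size_libvirt_override_unset` declared in the `@@ -325,6 +350,11 @@` hunk is otherwise unused anywhere in the patch, which points the same way. The first list element should read `- key_size_libvirt_override_unset`. The enclosing `role_data` output starts and ends outside the hunk.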
@@ -553,6 +598,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCServerCertificateKeySize} - {} - if: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index 2efad0cbff..a78d85e49b 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -54,6 +54,21 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NovaVNCCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtVncCACert: type: string default: '' @@ -109,6 +124,9 @@ conditions: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] + key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']} + resources: ContainersCommon: 
@@ -202,6 +220,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCClientCertificateKeySize} novnc_proxy_certificates_specs: service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' service_key: '/etc/pki/tls/private/novnc_proxy.key' @@ -215,6 +238,11 @@ outputs: template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + key_size: + if: + - key_size_novavnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: NovaVNCCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index b4dad6f361..c0d7e0dce4 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml +++ b/deployment/octavia/providers/ovn-provider-config.yaml @@ -45,6 +45,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OctaviaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -52,6 +62,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: 
@@ -86,6 +97,11 @@ outputs: template: "ovn_octavia/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OctaviaCertificateKeySize} - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 918a2d9ea5..f9caea9b01 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml @@ -98,10 +98,21 @@ parameters: OpenvSwitch integration bridge, in seconds. type: number default: 60 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ContainerOvnCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} resources: @@ -174,6 +185,11 @@ outputs: template: "ovn_controller/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index d1a8c24836..5f4512b06a 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml 
@@ -90,6 +90,16 @@ parameters: in backup mode and connects to the active ovsdb-server for replication type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnDBSCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: puppet_debug_enabled: {get_param: ConfigDebug} @@ -97,6 +107,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]} use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]} + key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']} resources: @@ -177,6 +188,11 @@ outputs: template: "ovn_dbs/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index a8d62e25ee..bbb2fbfd8a 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -122,6 +122,16 @@ parameters: description: Probe interval in ms type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnMetadataCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} 
@@ -129,6 +139,7 @@ conditions: service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']} + key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']} resources: @@ -212,6 +223,11 @@ outputs: template: "ovn_metadata/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} - {} puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index e351e59d0d..cb432addde 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -89,6 +89,16 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -107,6 +117,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} resources: @@ -215,6 +226,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} - {} - rabbitmq::admin_enable: false rabbitmq::management_enable: true 
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 7944dc7f88..75434cfe6a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml @@ -66,9 +66,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqMessageCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index ee6ad51a29..703e4d44ef 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml 
@@ -67,9 +67,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RpcCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: