
Adding key_size option on the certificate creation
Adding the ability to specify the private key size used when creating
the certificate. The default value is kept at the previous size,
2048 bits. The key_size value can also be overridden per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
Raildo committed Dec 17, 2020
1 parent 666091c commit 9760977
Showing 22 changed files with 404 additions and 0 deletions.
16 changes: 16 additions & 0 deletions deployment/apache/apache-baremetal-puppet.j2.yaml
Expand Up @@ -47,10 +47,21 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ApacheCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -116,6 +127,11 @@ outputs:
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "pkill -USR1 httpd"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
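Review bot: CertificateKeySize and ApacheCertificateKeySize in the parameters hunk accept any string, so a weak size such as '1024' or a typo is passed straight through to certmonger's key_size in the outputs hunk with no validation. Heat can reject that at stack-validation time: add `constraints:` / `  - allowed_values: ['2048', '3072', '4096']` under CertificateKeySize, and the same list with `''` prepended under ApacheCertificateKeySize, since the empty string is the unset sentinel that key_size_override_unset tests. Whether certmonger needs the value as an integer rather than the quoted string used here is not visible in this template; worth confirming against the Depends-on change.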
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-grafana.yaml
Expand Up @@ -63,9 +63,20 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
GrafanaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -165,6 +176,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
metadata_settings:
if:
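Review bot: The description of GrafanaCertificateKeySize never says that the empty default means "fall back to CertificateKeySize", which is the only contract the key_size selection in the outputs hunk relies on. Operators reading the parameter list would otherwise have to find the key_size_override_unset condition to learn it. Suggest `description: Override the private key size used when creating the certificate for this service. An empty string (the default) uses CertificateKeySize.` and, for the same reason, a `constraints:` / `  - allowed_values: ['', '2048', '3072', '4096']` block so an unexpected value is rejected at validation time rather than at certificate request time.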
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-mgr.yaml
Expand Up @@ -49,6 +49,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
Expand All @@ -58,6 +68,7 @@ conditions:
- equals:
- get_param: EnableInternalTLS
- true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -157,6 +168,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
metadata_settings:
if:
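Review bot: CephCertificateKeySize is named as if it governed every Ceph certificate, but in this template it only feeds the dashboard certificate spec (the CephDashboardNetwork entry with certmonger-dashboard-refresh.sh), while Grafana and RGW have their own GrafanaCertificateKeySize and CephRgwCertificateKeySize parameters elsewhere in this commit. Once shipped the name is part of the operator interface, so this is the moment to either rename it `CephDashboardCertificateKeySize` or at least make the description precise: `Override the private key size used when creating the Ceph dashboard certificate.` As with the other templates, an `allowed_values` constraint would keep sub-2048 sizes from reaching certmonger unchecked.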
16 changes: 16 additions & 0 deletions deployment/ceph-ansible/ceph-rgw.yaml
Expand Up @@ -45,10 +45,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephRgwCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}

resources:
CephBase:
Expand Down Expand Up @@ -183,6 +194,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:
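Review bot: CephRgwCertificateKeySize and CertificateKeySize have no constraints, so the RGW certificate spec in the outputs hunk will accept whatever string an operator sets, including a size below the 2048-bit default the commit message calls out as the floor. A two-line `constraints:` / `  - allowed_values: ['', '2048', '3072', '4096']` on the override (and the list without `''` on CertificateKeySize) makes Heat fail the deployment early instead of leaving certmonger to reject or, worse, honour a weak size. The enclosing `if:` that guards this certificate spec begins outside the hunk, so I have not checked which condition it is nested under.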
16 changes: 16 additions & 0 deletions deployment/database/mysql-base.yaml
Expand Up @@ -67,6 +67,16 @@ parameters:
description: Buffer pool size for MySQL database; this needs to be larger
for at-scale deployments
default: ''
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MysqlCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

parameter_groups:
- label: deprecated
Expand All @@ -86,6 +96,7 @@ conditions:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
- 6
innodb_buffer_pool_size: {not: {equals: [{get_param: MysqlInnodbBufferPoolSize}, '']}}
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}

outputs:
role_data:
Expand Down Expand Up @@ -167,6 +178,11 @@ outputs:
template: "mysql/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
- {}
-
if:
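Review bot: The descriptions of CertificateKeySize and MysqlCertificateKeySize omit the unit; the commit message is explicit that the default is 2048 bits, and an operator seeing "private key size" with a value of '2048' could plausibly read it as bytes. Suggest `description: Private key size, in bits, used when creating the certificate.` and the matching wording on the override, which should also state that the empty default defers to CertificateKeySize. The key algorithm is not visible in this template, so I have not claimed RSA in the wording, though that is presumably what certmonger generates here.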
16 changes: 16 additions & 0 deletions deployment/database/redis-container-puppet.yaml
Expand Up @@ -39,10 +39,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RedisCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -113,6 +124,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
- {}
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
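Review bot: key_size_override_unset treats only the exact empty string as "unset", so a RedisCertificateKeySize of `' '` or `'0'` is forwarded to certmonger as the key size rather than falling back to CertificateKeySize. Rather than widening the condition, the cleaner fix is to forbid such values at the parameter: `constraints:` / `  - allowed_values: ['', '2048', '3072', '4096']` on the override and the same list without `''` on CertificateKeySize. That also documents the supported sizes in the template itself, which the free-form `type: string` currently does not.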
16 changes: 16 additions & 0 deletions deployment/etcd/etcd-container-puppet.yaml
Expand Up @@ -61,12 +61,23 @@ parameters:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled:
and:
- {equals: [{get_param: EnableInternalTLS}, true]}
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}

resources:
ContainersCommon:
Expand Down Expand Up @@ -132,6 +143,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: EtcdCertificateKeySize}
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-
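Review bot: The etcd certificate is also the one used for peer communication (the same spec feeds etcd::trusted_ca_file and etcd::peer_trusted_ca_file just below key_size), so an unvalidated EtcdCertificateKeySize affects both client and cluster-internal TLS. Neither parameter carries a constraint, so add `constraints:` / `  - allowed_values: ['', '2048', '3072', '4096']` on the override and the list without `''` on CertificateKeySize. Note that internal_tls_enabled here requires both EnableInternalTLS and EnableEtcdInternalTLS while key_size_override_unset is unconditional; that is fine, but the override description should say the value only takes effect when etcd TLS is enabled.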
19 changes: 19 additions & 0 deletions deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
Expand Up @@ -36,6 +36,20 @@ parameters:
HAProxyInternalTLSKeysDirectory:
default: '/etc/pki/tls/private/haproxy'
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -92,6 +106,11 @@ outputs:
- "%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
metadata_settings:
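Review bot: HAProxyCertificateKeySize is declared here and again, with the same name, in haproxy-public-tls-certmonger.yaml in this commit, so a single override governs both the internal per-network HAProxy certificates requested in the for_each below and the public-endpoint certificate. An operator who wants a larger key only on the externally exposed endpoint cannot express that. If sharing one value is intended, say so in the description: `Override the private key size used when creating the HAProxy certificates (applies to both internal and public endpoints).`; otherwise split this into an internal-specific name before the interface ships.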
19 changes: 19 additions & 0 deletions deployment/haproxy/haproxy-public-tls-certmonger.yaml
Expand Up @@ -41,6 +41,20 @@ parameters:
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:

key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}

outputs:
role_data:
Expand Down Expand Up @@ -78,6 +92,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
metadata_settings:
- service: haproxy
network: {get_param: [ServiceNetMap, PublicNetwork]}
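Review bot: This is the public-facing certificate (PublicNetwork, `certmonger-haproxy-refresh.sh reload external`), which makes it the one place where an unchecked key size matters most, yet CertificateKeySize and HAProxyCertificateKeySize are plain strings with no constraint. Add `constraints:` / `  - allowed_values: ['2048', '3072', '4096']` on CertificateKeySize and the same with `''` prepended on the override so Heat refuses a weak or malformed size before a request reaches the CA. Unlike the internal template there is no internal_tls_enabled condition here, so the key_size entry is always rendered; the description could note that it applies whenever the public TLS certmonger service is enabled.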
16 changes: 16 additions & 0 deletions deployment/memcached/memcached-container-puppet.yaml
Expand Up @@ -66,6 +66,16 @@ parameters:
default: false
description: Set to True to enable TLS on Memcached service.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MemcachedCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
Expand All @@ -79,6 +89,7 @@ conditions:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
- 6
key_size_override_unset: {equals: [{get_param: MemcachedCertificateKeySize}, '']}

resources:

Expand Down Expand Up @@ -178,6 +189,11 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MemcachedCertificateKeySize}
- {}
service_config_settings:
collectd:
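Review bot: MemcachedCertificateKeySize and CertificateKeySize are free-form strings, so the value reaching certmonger's key_size in the outputs hunk is whatever the operator typed, with the only check being the equality with `''` in key_size_override_unset. A `constraints:` / `  - allowed_values: ['', '2048', '3072', '4096']` block on the override (without `''` on CertificateKeySize) turns a bad value into a validation error rather than a failed or weak certificate request. The override description should also state that the empty default defers to CertificateKeySize, which is otherwise only discoverable from the condition.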
16 changes: 16 additions & 0 deletions deployment/metrics/qdr-container-puppet.yaml
Expand Up @@ -144,11 +144,22 @@ parameters:
default: false
description: Set to true to enable configuration for STF client.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
QdrCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service

conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
enable_stf: {equals: [{get_param: EnableSTF}, true]}
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}


resources:
Expand Down Expand Up @@ -249,6 +260,11 @@ outputs:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
tripleo::profile::base::metrics::qdr::ssl_profiles:
list_concat:
- get_param: MetricsQdrSSLProfiles
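Review bot: The key_size added under the ROLENAMEMetricsQdrNetwork certificate spec takes QdrCertificateKeySize or CertificateKeySize verbatim, and neither parameter has a constraint, so nothing stops a value below the 2048-bit default from being requested for the QDR listener certificate. Suggest `constraints:` / `  - allowed_values: ['2048', '3072', '4096']` on CertificateKeySize and the list with `''` prepended on QdrCertificateKeySize, matching the empty-string sentinel used by key_size_override_unset. The override description should also say that the empty default falls back to CertificateKeySize.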