From 97609775297417620ede0436c80156456a6c41da Mon Sep 17 00:00:00 2001 From: Raildo Date: Thu, 26 Nov 2020 09:50:35 -0300 Subject: [PATCH] Adding key_size option on the certificate creation Adding the ability to specifies the private key size used when creating the certificate. We have defined the default value the same as we have before 2048 bits. Also, it'll be able to override the key_size value per service. Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65 --- .../apache/apache-baremetal-puppet.j2.yaml | 16 ++++++ deployment/ceph-ansible/ceph-grafana.yaml | 16 ++++++ deployment/ceph-ansible/ceph-mgr.yaml | 16 ++++++ deployment/ceph-ansible/ceph-rgw.yaml | 16 ++++++ deployment/database/mysql-base.yaml | 16 ++++++ .../database/redis-container-puppet.yaml | 16 ++++++ deployment/etcd/etcd-container-puppet.yaml | 16 ++++++ .../haproxy-internal-tls-certmonger.j2.yaml | 19 +++++++ .../haproxy-public-tls-certmonger.yaml | 19 +++++++ .../memcached/memcached-container-puppet.yaml | 16 ++++++ deployment/metrics/qdr-container-puppet.yaml | 16 ++++++ .../neutron/neutron-api-container-puppet.yaml | 16 ++++++ .../neutron-dhcp-container-puppet.yaml | 16 ++++++ .../nova/nova-libvirt-container-puppet.yaml | 50 +++++++++++++++++++ .../nova/nova-vnc-proxy-container-puppet.yaml | 28 +++++++++++ .../providers/ovn-provider-config.yaml | 16 ++++++ .../ovn/ovn-controller-container-puppet.yaml | 16 ++++++ deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 16 ++++++ .../ovn/ovn-metadata-container-puppet.yaml | 16 ++++++ .../rabbitmq/rabbitmq-container-puppet.yaml | 16 ++++++ ...tmq-messaging-notify-container-puppet.yaml | 16 ++++++ ...bbitmq-messaging-rpc-container-puppet.yaml | 16 ++++++ 22 files changed, 404 insertions(+) diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index 774721fc47..f78640d4ff 100644 --- a/deployment/apache/apache-baremetal-puppet.j2.yaml 
+++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -47,10 +47,21 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ApacheCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']} resources: @@ -116,6 +127,11 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" postsave_cmd: "pkill -USR1 httpd" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} for_each: NETWORK: {get_attr: [ApacheNetworks, value]} - {} diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml index 0ae21c03f3..c2e9736abd 100644 --- a/deployment/ceph-ansible/ceph-grafana.yaml +++ b/deployment/ceph-ansible/ceph-grafana.yaml @@ -63,9 +63,20 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + GrafanaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']} resources: CephBase: 
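Review bot: `CertificateKeySize` and `ApacheCertificateKeySize` are free-form strings with no `constraints`, so a typo or a deliberately small value such as `1024` is passed straight through to the certificate request and, if the consumer accepts it, silently weakens the internal TLS endpoint for this service. These are the parameters operators will set in environment files, so validate at the Heat layer rather than trusting the downstream certmonger profile: `constraints: [{allowed_values: ['2048', '3072', '4096']}]` on `CertificateKeySize`, and the same list plus `''` on the per-service override. The exact allowed list is a policy decision; the point is that anything below 2048 bits should be rejected at deploy time rather than discovered in an audit. Every other template in this patch repeats the same unconstrained pair and would want the same check. Whether the puppet-tripleo side referenced by Depends-on validates the value is not visible here.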
@@ -165,6 +176,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml index 87f089787e..1a06fdec24 100644 --- a/deployment/ceph-ansible/ceph-mgr.yaml +++ b/deployment/ceph-ansible/ceph-mgr.yaml @@ -49,6 +49,16 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} @@ -58,6 +68,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 4b01fbf14e..194c0c2c23 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml +++ b/deployment/ceph-ansible/ceph-rgw.yaml 
@@ -45,10 +45,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephRgwCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: @@ -183,6 +194,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index 86c33d70c6..e98216f47c 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml @@ -67,6 +67,16 @@ parameters: description: Buffer pool size for MySQL database; this needs to be larger for at-scale deployments default: '' + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MysqlCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -86,6 +96,7 @@ conditions: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]} - 6 innodb_buffer_pool_size: {not: {equals: [{get_param: MysqlInnodbBufferPoolSize}, '']}} + key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']} outputs: role_data: 
@@ -167,6 +178,11 @@ outputs: template: "mysql/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} - {} - if: diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index f96dfb6176..c2efb41a00 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml @@ -39,10 +39,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RedisCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']} resources: @@ -113,6 +124,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} - {} service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index 0a7954284a..513c0417b7 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml 
@@ -61,12 +61,23 @@ parameters: default: false description: Set to True to enable debugging on all services. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + EtcdCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: and: - {equals: [{get_param: EnableInternalTLS}, true]} - {equals: [{get_param: EnableEtcdInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']} resources: ContainersCommon: @@ -132,6 +143,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh' + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: EtcdCertificateKeySize} etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} - diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml index dd45631118..e9259cfcd1 100644 --- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml +++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml @@ -36,6 +36,20 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} resources: 
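Review bot: Neither the parameter description nor the commit message says what happens when `CertificateKeySize` or `EtcdCertificateKeySize` is changed on an already deployed stack: the certmonger request for `etcd/<fqdn>` will already exist from the previous deploy, and whether the certmonger profile on the puppet side (the Depends-on change, not visible here) re-requests with the new size or leaves the old key in place cannot be determined from this hunk. Operators who raise the size for compliance reasons will assume the keys were rotated, so the description should state explicitly whether an existing tracked certificate is re-requested with the new size or must be rotated manually, e.g. `description: Specifies the private key size used when creating the certificate. See the release note for the effect on certificates that already exist.` The same caveat applies to every template in this patch.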
@@ -92,6 +106,11 @@ outputs: - "%{hiera('fqdn_NETWORK')}" principal: "haproxy/%{hiera('fqdn_NETWORK')}" postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} for_each: NETWORK: {get_attr: [HAProxyNetworks, value]} metadata_settings: diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml index f7184475c7..0abcbf7977 100644 --- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml +++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml @@ -41,6 +41,20 @@ parameters: description: > The filepath of the certificate as it will be stored in the controller. type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} outputs: role_data: @@ -78,6 +92,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} diff --git a/deployment/memcached/memcached-container-puppet.yaml b/deployment/memcached/memcached-container-puppet.yaml index c635db7b6a..233b08369e 100644 --- a/deployment/memcached/memcached-container-puppet.yaml +++ b/deployment/memcached/memcached-container-puppet.yaml 
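Review bot: `HAProxyCertificateKeySize` is declared with the same name in both haproxy-internal-tls-certmonger.j2.yaml and haproxy-public-tls-certmonger.yaml, so a single value overrides both the public endpoint certificate and the per-network internal certificates; an operator who wants a larger key only on the externally reachable VIP cannot express that. A distinct name for the public template, e.g. `HAProxyPublicCertificateKeySize`, would keep the two surfaces independently tunable. Both files also gain a new top-level `conditions:` key; from the context shown neither had one between `parameters` and `resources`/`outputs`, but if a `conditions` section exists elsewhere in either file the duplicate key will be silently merged or rejected depending on the loader, so that is worth confirming before merge.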
@@ -66,6 +66,16 @@ parameters: default: false description: Set to True to enable TLS on Memcached service. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MemcachedCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]} @@ -79,6 +89,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: MemcachedCertificateKeySize}, '']} resources: @@ -178,6 +189,11 @@ outputs: params: $NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]} postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MemcachedCertificateKeySize} - {} service_config_settings: collectd: diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 5a66b0c7d1..d2022565ef 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml 
@@ -144,11 +144,22 @@ parameters: default: false description: Set to true to enable configuration for STF client. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + QdrCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]} enable_stf: {equals: [{get_param: EnableSTF}, true]} + key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']} resources: @@ -249,6 +260,11 @@ outputs: template: "ROLENAMEMetricsQdrNetwork" params: ROLENAME: {get_param: RoleName} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} tripleo::profile::base::metrics::qdr::ssl_profiles: list_concat: - get_param: MetricsQdrSSLProfiles diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index c6bf67f889..5b8fb44a6e 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml @@ -163,6 +163,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: 
@@ -198,6 +208,7 @@ conditions: omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]} + key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']} resources: @@ -404,6 +415,11 @@ outputs: template: "neutron_ovn/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index a2beb9e666..373815e1a6 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml @@ -147,6 +147,16 @@ parameters: Enable dhcp-host entry with list of addresses when port has multiple IPv6 addresses in the same subnet. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronDhcpCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -160,6 +170,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} + key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']} resources: 
@@ -260,6 +271,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} - {} - if: - dhcp_ovs_intergation_bridge_unset diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 0272d78db3..51b7218888 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -116,6 +116,31 @@ parameters: default: '/etc/pki/CA/certs/qemu.pem' type: string description: Specifies the CA cert to use for qemu. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + LibvirtCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtCACert: type: string default: '' 
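Review bot: The four override parameters added to nova-libvirt-container-puppet.yaml (`LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize`, `QemuServerCertificateKeySize`, `QemuClientCertificateKeySize`) all carry the identical description "Override the private key size used when creating the certificate for this service", which gives an operator no way to tell which of the four certificate requests in this template each one governs. Name the request in each, e.g. `description: Override the private key size for the libvirt server certificate (principal libvirt/<fqdn>)`, `... for the libvirt VNC server certificate (libvirt-vnc/<fqdn>)`, `... for the qemu NBD server certificate (qemu/<fqdn>)` and `... for the qemu NBD client certificate`, matching the `principal`/`service_certificate` values used later in the file. The same generic text is reused in nova-vnc-proxy-container-puppet.yaml for `LibvirtVNCClientCertificateKeySize` and `NovaVNCCertificateKeySize`.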
@@ -319,6 +344,11 @@ conditions: - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']} + key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']} + key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']} + resources: RoleParametersValue: type: OS::Heat::Value @@ -464,6 +494,11 @@ outputs: template: "libvirt/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtCertificateKeySize} # create the qemu and qemu_ndb dirs and certs also when when tls for nbd # is not enabled this allows us to enable it even at a later time without # restart of instances @@ -493,6 +528,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_server_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuServerCertificateKeySize} qemu-nbd-client-cert: service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' service_key: '/etc/pki/libvirt-nbd/client-key.pem' @@ -506,6 +546,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_client_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuClientCertificateKeySize} - nova::migration::libvirt::live_migration_inbound_addr: str_replace: 
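Review bot: In the hunk at `@@ -464,6 +494,11 @@` the libvirt server certificate's `key_size` tests `key_size_libvirtvnc_override_unset` but then selects `LibvirtCertificateKeySize`; the other three requests in this file pair each condition with its own parameter, so this is a copy-paste slip and the condition line should read `- key_size_libvirt_override_unset`. As written, setting only `LibvirtCertificateKeySize` is silently ignored (the libvirt cert stays at `CertificateKeySize`), while setting only `LibvirtVNCServerCertificateKeySize` hands the libvirt request an empty `key_size`; what the certmonger profile does with an empty string is not visible here, but it is not what the operator asked for. The `key_size_libvirt_override_unset` condition defined in the preceding hunk is otherwise unused, which is the tell.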
@@ -545,6 +590,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCServerCertificateKeySize} - {} - if: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index 276d44d2ce..d611801257 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -54,6 +54,21 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NovaVNCCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtVncCACert: type: string default: '' @@ -114,6 +129,9 @@ conditions: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] + key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']} + resources: ContainersCommon: 
@@ -224,6 +242,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCClientCertificateKeySize} novnc_proxy_certificates_specs: service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' service_key: '/etc/pki/tls/private/novnc_proxy.key' @@ -237,6 +260,11 @@ outputs: template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + key_size: + if: + - key_size_novavnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: NovaVNCCertificateKeySize} - {} service_config_settings: rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq} diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index b4dad6f361..c0d7e0dce4 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml +++ b/deployment/octavia/providers/ovn-provider-config.yaml @@ -45,6 +45,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OctaviaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -52,6 +62,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: 
@@ -86,6 +97,11 @@ outputs: template: "ovn_octavia/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OctaviaCertificateKeySize} - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index 3e5cf1ae53..18b2f49a65 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml @@ -98,10 +98,21 @@ parameters: OpenvSwitch integration bridge, in seconds. type: number default: 60 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ContainerOvnCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} resources: @@ -190,6 +201,11 @@ outputs: template: "ovn_controller/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index 381f94c1e8..37b1ee93f5 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml 
@@ -96,6 +96,16 @@ parameters: in backup mode and connects to the active ovsdb-server for replication type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnDBSCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: puppet_debug_enabled: {get_param: ConfigDebug} @@ -104,6 +114,7 @@ conditions: common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]} common_tag_full: {equals: [{get_param: ClusterFullTag}, true]} use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]} + key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']} resources: @@ -187,6 +198,11 @@ outputs: template: "ovn_dbs/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index a8d62e25ee..bbb2fbfd8a 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -122,6 +122,16 @@ parameters: description: Probe interval in ms type: number default: 60000 + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnMetadataCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} 
@@ -129,6 +139,7 @@ conditions: service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']} + key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']} resources: @@ -212,6 +223,11 @@ outputs: template: "ovn_metadata/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} - {} puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index b248d0c0ac..9f3bb1eab3 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -93,6 +93,16 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service parameter_groups: - label: deprecated @@ -116,6 +126,7 @@ conditions: equals: - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]} - 6 + key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} resources: @@ -224,6 +235,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} - {} - rabbitmq::admin_enable: false rabbitmq::management_enable: true 
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 419481605f..e165671b7b 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml @@ -66,6 +66,16 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqMessageCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} @@ -74,6 +84,7 @@ conditions: equals: - {get_param: RabbitCookie} - '' + key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']} resources: @@ -162,6 +173,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index df29b9e493..439e3425e6 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml 
@@ -67,6 +67,16 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RpcCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} @@ -75,6 +85,7 @@ conditions: equals: - {get_param: RabbitCookie} - '' + key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']} resources: @@ -162,6 +173,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config:
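Review bot: `RpcCertificateKeySize` breaks the naming scheme of its sibling templates (`RabbitmqCertificateKeySize` in rabbitmq-container-puppet.yaml, `RabbitmqMessageCertificateKeySize` in the notify template), and the same drift appears with `CephCertificateKeySize` for the ceph-mgr dashboard certificate and `ContainerOvnCertificateKeySize` for ovn-controller next to `OvnDBSCertificateKeySize`/`OvnMetadataCertificateKeySize`. These are operator-facing parameter names that end up in environment files, and renaming them later means a deprecation cycle, so settling on consistent names such as `RabbitmqRpcCertificateKeySize`, `RabbitmqNotifyCertificateKeySize`, `CephMgrCertificateKeySize` and `OvnControllerCertificateKeySize` before merge is far cheaper. `RabbitmqMessageCertificateKeySize` in particular does not say which of the two messaging templates it belongs to.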