Adding key_size option on the certificate creation

Adding the ability to specifies the private key size used when creating the certificate. We have defined the default value the same as we have before 2048 bits. Also, it'll be able to override the key_size value per service. Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65 (cherry picked from commit 9760977)
openstack-archive · Jan 6, 2021 · 977fc27 · 977fc27
1 parent ffe4be7
commit 977fc27
Show file tree

Hide file tree

Showing 21 changed files with 388 additions and 0 deletions.
diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml
@@ -47,10 +47,21 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  ApacheCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
 
 resources:
 
@@ -116,6 +127,11 @@ outputs:
                         hostname: "%{hiera('fqdn_NETWORK')}"
                         principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                         postsave_cmd: "pkill -USR1 httpd"
+                        key_size:
+                          if:
+                            - key_size_override_unset
+                            - {get_param: CertificateKeySize}
+                            - {get_param: ApacheCertificateKeySize}
                     for_each:
                       NETWORK: {get_attr: [ApacheNetworks, value]}
             - {}

diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml
@@ -63,9 +63,20 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  GrafanaCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -165,6 +176,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: GrafanaCertificateKeySize}
             - {}
       metadata_settings:
         if:

diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml
@@ -49,6 +49,16 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  CephCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
@@ -58,6 +68,7 @@ conditions:
       - equals:
           - get_param: EnableInternalTLS
           - true
+  key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -157,6 +168,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: CephCertificateKeySize}
             - {}
       metadata_settings:
         if:

diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml
@@ -45,10 +45,21 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  CephRgwCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -183,6 +194,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: CephRgwCertificateKeySize}
             - {}
       metadata_settings:
         if:

diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml
@@ -62,6 +62,16 @@ parameters:
     default: false
     description: Enable IPv6 in MySQL
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  MysqlCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 parameter_groups:
 - label: deprecated
@@ -80,6 +90,7 @@ conditions:
     equals:
       - {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
       - 6
+  key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
 
 outputs:
   role_data:
@@ -161,6 +172,11 @@ outputs:
                     template: "mysql/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: MysqlCertificateKeySize}
             - {}
       step_config: |
         include tripleo::profile::base::database::mysql

diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml
@@ -39,10 +39,21 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  RedisCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
 
 resources:
 
@@ -113,6 +124,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: RedisCertificateKeySize}
             - {}
       service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS

diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml
@@ -61,12 +61,23 @@ parameters:
     default: false
     description: Set to True to enable debugging on all services.
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  EtcdCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled:
     and:
       - {equals: [{get_param: EnableInternalTLS}, true]}
       - {equals: [{get_param: EnableEtcdInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
 
 resources:
   ContainersCommon:
@@ -132,6 +143,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
               postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
+              key_size:
+                if:
+                  - key_size_override_unset
+                  - {get_param: CertificateKeySize}
+                  - {get_param: EtcdCertificateKeySize}
             etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
             etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
           -

diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
@@ -36,6 +36,20 @@ parameters:
   HAProxyInternalTLSKeysDirectory:
     default: '/etc/pki/tls/private/haproxy'
     type: string
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  HAProxyCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+
+conditions:
+
+  key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
 
 resources:
 
@@ -92,6 +106,11 @@ outputs:
                   - "%{hiera('fqdn_NETWORK')}"
                 principal: "haproxy/%{hiera('fqdn_NETWORK')}"
                 postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: HAProxyCertificateKeySize}
             for_each:
               NETWORK: {get_attr: [HAProxyNetworks, value]}
       metadata_settings:

diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml
@@ -41,6 +41,20 @@ parameters:
     description: >
         The filepath of the certificate as it will be stored in the controller.
     type: string
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  HAProxyCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+
+conditions:
+
+  key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
 
 outputs:
   role_data:
@@ -78,6 +92,11 @@ outputs:
               params:
                 NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
           postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
+          key_size:
+            if:
+              - key_size_override_unset
+              - {get_param: CertificateKeySize}
+              - {get_param: HAProxyCertificateKeySize}
       metadata_settings:
         - service: haproxy
           network: {get_param: [ServiceNetMap, PublicNetwork]}

diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml
@@ -144,10 +144,21 @@ parameters:
     default: false
     description: Set to true to enable configuration for STF client.
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  QdrCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   enable_stf: {equals: [{get_param: EnableSTF}, true]}
+  key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
 
 
 resources:
@@ -244,6 +255,11 @@ outputs:
                               template: "ROLENAMEMetricsQdrNetwork"
                               params:
                                 ROLENAME: {get_param: RoleName}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: QdrCertificateKeySize}
               tripleo::profile::base::metrics::qdr::ssl_profiles:
                 list_concat:
                   - get_param: MetricsQdrSSLProfiles

diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -163,6 +163,16 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  NeutronCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
   # DEPRECATED: the following options are deprecated and are currently maintained
   # for backwards compatibility. They will be removed in the Ocata cycle.
   NeutronL3HA:
@@ -198,6 +208,7 @@ conditions:
   omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
   ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
   enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
+  key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
 
 resources:
 
@@ -405,6 +416,11 @@ outputs:
                     template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: NeutronCertificateKeySize}
             - {}
       service_config_settings:
         rsyslog: