Configure server_certs_key_passphrase for Octavia

A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.

Closes-Bug: #1821751

[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2

Change-Id: Id6c0d156715147c6559dc39098a6eaabf77ac426

manifests/certificates.pp

@@ -28,6 +28,11 @@
 #   (Optional) Path for private key used to sign certificates
 #   Defaults to $::os_service_default
 #
+# [*server_certs_key_passphrase*]
+#   (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
+#   Defaults to $::os_service_default
+#
+#
 # [*ca_private_key_passphrase*]
 #   (Optional) CA password used to sign certificates
 #   Defaults to $::os_service_default
@@ -75,6 +80,7 @@ class octavia::certificates (
   $endpoint_type               = $::os_service_default,
   $ca_certificate              = $::os_service_default,
   $ca_private_key              = $::os_service_default,
+  $server_certs_key_passphrase = $::os_service_default,
   $ca_private_key_passphrase   = $::os_service_default,
   $client_ca                   = undef,
   $client_cert                 = $::os_service_default,
@@ -97,6 +103,7 @@ class octavia::certificates (
     'certificates/endpoint_type'               : value => $endpoint_type;
     'certificates/ca_certificate'              : value => $ca_certificate;
     'certificates/ca_private_key'              : value => $ca_private_key;
+    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
     'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase;
     'controller_worker/client_ca'              : value => $client_ca_real;
     'haproxy_amphora/client_cert'              : value => $client_cert;

releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - The passphrase for config option 'server_certs_key_passphrase', that was
+    recently added to Octavia, will now be auto-generated.

spec/classes/octavia_certificates_spec.rb

@@ -11,6 +11,7 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
       end
 
@@ -29,6 +30,7 @@ describe 'octavia::certificates' do
           :endpoint_type               => 'internalURL',
           :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia/key.pem',
+          :server_certs_key_passphrase => 'secure123',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia/client.pem'
         }
@@ -41,6 +43,7 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -55,6 +58,7 @@ describe 'octavia::certificates' do
       let :params do
         { :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia/key.pem',
+          :server_certs_key_passphrase => 'secure123',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia/client.pem',
           :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@@ -66,6 +70,7 @@ describe 'octavia::certificates' do
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -120,6 +125,7 @@ describe 'octavia::certificates' do
       let :params do
         { :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia1/key.pem',
+          :server_certs_key_passphrase => 'secure123',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia2/client.pem',
           :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@@ -131,6 +137,7 @@ describe 'octavia::certificates' do
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end