Configure server_certs_key_passphrase for Octavia

A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.

Closes-Bug: #1821751

[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2

Change-Id: Id6c0d156715147c6559dc39098a6eaabf77ac426

manifests/certificates.pp

@@ -28,6 +28,11 @@
 #   (Optional) Path for private key used to sign certificates
 #   Defaults to $::os_service_default
 #
+# [*server_certs_key_passphrase*]
+#   (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
+#   Defaults to $::os_service_default
+#
+#
 # [*ca_private_key_passphrase*]
 #   (Optional) CA password used to sign certificates
 #   Defaults to $::os_service_default
@@ -69,21 +74,22 @@
 #   Defaults to 'octavia'
 #
 class octavia::certificates (
-  $cert_generator            = $::os_service_default,
+  $cert_generator              = $::os_service_default,
-  $cert_manager              = $::os_service_default,
+  $cert_manager                = $::os_service_default,
-  $region_name               = $::os_service_default,
+  $region_name                 = $::os_service_default,
-  $endpoint_type             = $::os_service_default,
+  $endpoint_type               = $::os_service_default,
-  $ca_certificate            = $::os_service_default,
+  $ca_certificate              = $::os_service_default,
-  $ca_private_key            = $::os_service_default,
+  $ca_private_key              = $::os_service_default,
-  $ca_private_key_passphrase = $::os_service_default,
+  $server_certs_key_passphrase = $::os_service_default,
-  $client_ca                 = undef,
+  $ca_private_key_passphrase   = $::os_service_default,
-  $client_cert               = $::os_service_default,
+  $client_ca                   = undef,
-  $ca_certificate_data       = undef,
+  $client_cert                 = $::os_service_default,
-  $ca_private_key_data       = undef,
+  $ca_certificate_data         = undef,
-  $client_ca_data            = undef,
+  $ca_private_key_data         = undef,
-  $client_cert_data          = undef,
+  $client_ca_data              = undef,
-  $file_permission_owner     = 'octavia',
+  $client_cert_data            = undef,
-  $file_permission_group     = 'octavia'
+  $file_permission_owner       = 'octavia',
+  $file_permission_group       = 'octavia'
 ) {
 
   include ::octavia::deps
@@ -91,16 +97,17 @@ class octavia::certificates (
   $client_ca_real = pick($client_ca, $ca_certificate)
 
   octavia_config {
-    'certificates/cert_generator'            : value => $cert_generator;
+    'certificates/cert_generator'              : value => $cert_generator;
-    'certificates/cert_manager'              : value => $cert_manager;
+    'certificates/cert_manager'                : value => $cert_manager;
-    'certificates/region_name'               : value => $region_name;
+    'certificates/region_name'                 : value => $region_name;
-    'certificates/endpoint_type'             : value => $endpoint_type;
+    'certificates/endpoint_type'               : value => $endpoint_type;
-    'certificates/ca_certificate'            : value => $ca_certificate;
+    'certificates/ca_certificate'              : value => $ca_certificate;
-    'certificates/ca_private_key'            : value => $ca_private_key;
+    'certificates/ca_private_key'              : value => $ca_private_key;
-    'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
+    'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
-    'controller_worker/client_ca'            : value => $client_ca_real;
+    'certificates/ca_private_key_passphrase'   : value => $ca_private_key_passphrase;
-    'haproxy_amphora/client_cert'            : value => $client_cert;
+    'controller_worker/client_ca'              : value => $client_ca_real;
-    'haproxy_amphora/server_ca'              : value => $ca_certificate;
+    'haproxy_amphora/client_cert'              : value => $client_cert;
+    'haproxy_amphora/server_ca'                : value => $ca_certificate;
   }
 
   # The file creation will create the parent directory for each file if necessary, but

releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml

@@ -0,0 +1,4 @@
+---
+features:
+  - The passphrase for config option 'server_certs_key_passphrase', that was
+    recently added to Octavia, will now be auto-generated.

spec/classes/octavia_certificates_spec.rb

@@ -11,6 +11,7 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
       end
 
@@ -23,14 +24,15 @@ describe 'octavia::certificates' do
 
     context 'when certificates are configured' do
       let :params do
-        { :cert_generator            => 'local_cert_generator',
+        { :cert_generator              => 'local_cert_generator',
-          :cert_manager              => 'barbican_cert_manager',
+          :cert_manager                => 'barbican_cert_manager',
-          :region_name               => 'RegionOne',
+          :region_name                 => 'RegionOne',
-          :endpoint_type             => 'internalURL',
+          :endpoint_type               => 'internalURL',
-          :ca_certificate            => '/etc/octavia/ca.pem',
+          :ca_certificate              => '/etc/octavia/ca.pem',
-          :ca_private_key            => '/etc/octavia/key.pem',
+          :ca_private_key              => '/etc/octavia/key.pem',
-          :ca_private_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'secure123',
-          :client_cert               => '/etc/octavia/client.pem'
+          :ca_private_key_passphrase   => 'secure123',
+          :client_cert                 => '/etc/octavia/client.pem'
         }
       end
 
@@ -41,6 +43,7 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -53,19 +56,21 @@ describe 'octavia::certificates' do
 
     context 'when certificates are configured with data provided' do
       let :params do
-        { :ca_certificate            => '/etc/octavia/ca.pem',
+        { :ca_certificate              => '/etc/octavia/ca.pem',
-          :ca_private_key            => '/etc/octavia/key.pem',
+          :ca_private_key              => '/etc/octavia/key.pem',
-          :ca_private_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'secure123',
-          :client_cert               => '/etc/octavia/client.pem',
+          :ca_private_key_passphrase   => 'secure123',
-          :ca_certificate_data       => 'on_my_authority_this_is_a_certificate',
+          :client_cert                 => '/etc/octavia/client.pem',
-          :ca_private_key_data       => 'this_is_my_private_key_woot_woot',
+          :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
-          :client_cert_data          => 'certainly_for_the_client',
+          :ca_private_key_data         => 'this_is_my_private_key_woot_woot',
+          :client_cert_data            => 'certainly_for_the_client',
         }
       end
 
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -118,19 +123,21 @@ describe 'octavia::certificates' do
 
     context 'when certificates are configured with data provided but different paths' do
       let :params do
-        { :ca_certificate            => '/etc/octavia/ca.pem',
+        { :ca_certificate              => '/etc/octavia/ca.pem',
-          :ca_private_key            => '/etc/octavia1/key.pem',
+          :ca_private_key              => '/etc/octavia1/key.pem',
-          :ca_private_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'secure123',
-          :client_cert               => '/etc/octavia2/client.pem',
+          :ca_private_key_passphrase   => 'secure123',
-          :ca_certificate_data       => 'on_my_authority_this_is_a_certificate',
+          :client_cert                 => '/etc/octavia2/client.pem',
-          :ca_private_key_data       => 'this_is_my_private_key_woot_woot',
+          :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
-          :client_cert_data          => 'certainly_for_the_client',
+          :ca_private_key_data         => 'this_is_my_private_key_woot_woot',
+          :client_cert_data            => 'certainly_for_the_client',
         }
       end
 
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end