From fcd1225ae6c2d4ca546a71a63c7cc0eadb2a3a1f Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Tue, 16 Aug 2022 16:28:02 +0900
Subject: [PATCH] Support customizing ssh key type
This change introduces a few new parameters to customize type of the ssh key automatically generated. This is required especially in recent operating systems like CentOS 9 which no longer allow RSA key by default.
Closes-Bug: #1986651
Change-Id: I73f8b584ac228a0ba65b531c2e8d9f6495d63ad2
---
 manifests/worker.pp | 17 +++++--
 .../notes/ssh_key_type-08bccff227a885e2.yaml | 9 ++++
 spec/classes/octavia_worker_spec.rb | 48 ++++++++++++++++++-
 3 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/ssh_key_type-08bccff227a885e2.yaml
diff --git a/manifests/worker.pp b/manifests/worker.pp
index 6eb41ca9..da227b58 100644
--- a/manifests/worker.pp
+++ b/manifests/worker.pp
@@ -35,9 +35,18 @@
 # Defaults to '/etc/octavia/.ssh/octavia_ssh_key'
 #
 # [*manage_keygen*]
-# (optional) Whether or not create OpenStack keypair for communicating with amphora
+# (optional) Whether or not create OpenStack keypair for communicating with
+# amphora.
 # Defaults to false
 #
+# [*ssh_key_type*]
+# (optional) Type of ssh key to create.
+# Defaults to 'rsa'
+#
+# [*ssh_key_bits*]
+# (optional) Number of bits in ssh key.
+# Defaults to 2048
+#
 # [*amp_project_name*]
 # (optional) Set the project to be used for creating load balancer instances.
 # Defaults to 'services'
@@ -51,6 +60,8 @@ class octavia::worker (
 $nova_flavor_config = {},
 $key_path = '/etc/octavia/.ssh/octavia_ssh_key',
 $manage_keygen = false,
+ $ssh_key_type = 'rsa',
+ $ssh_key_bits = 2048,
 $amp_project_name = 'services',
 ) inherits octavia::params {
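Review bot: `$ssh_key_bits` keeps the RSA-sized default of 2048 whatever `$ssh_key_type` is set to, so overriding only `ssh_key_type => 'ecdsa'` pairs that type with a size it cannot use; the `ssh_keygen` resource in the `@@ -136,8 +147,8 @@` hunk passes both values straight through with no check. ssh-keygen accepts only 256, 384 or 521 bits for ECDSA and ignores the size for Ed25519, so the mismatch would presumably surface only when the key is generated at apply time. The parameter doc in the `@@ -35,9 +35,18 @@` hunk should state the dependency, for example `#   (optional) Number of bits in ssh key. Must be a size valid for ssh_key_type (ecdsa: 256, 384 or 521).`, and list the supported type values. The defaults also leave every deployment on RSA 2048 unless the operator overrides both parameters, which is worth saying in the doc given the reason stated in the commit message. The class body continues outside these hunks.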
@@ -136,8 +147,8 @@ class octavia::worker (
 ssh_keygen { $::octavia::controller::amp_ssh_key_name:
 user => $::octavia::params::user,
- type => 'rsa',
- bits => 2048,
+ type => $ssh_key_type,
+ bits => $ssh_key_bits,
 filename => "${key_path}/${::octavia::controller::amp_ssh_key_name}",
 comment => 'Used for Octavia Service VM'
 }
diff --git a/releasenotes/notes/ssh_key_type-08bccff227a885e2.yaml b/releasenotes/notes/ssh_key_type-08bccff227a885e2.yaml
new file mode 100644
index 00000000..6f8d43d2
--- /dev/null
+++ b/releasenotes/notes/ssh_key_type-08bccff227a885e2.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ The following parameters have been added the ``octavia::worker`` class, to
+ support customizing type of the ssh key generated when
+ the ``manage_keygen`` parameter is ``True``.
+
+ - ``ssh_key_type``
+ - ``ssh_key_bits``
diff --git a/spec/classes/octavia_worker_spec.rb b/spec/classes/octavia_worker_spec.rb
index e434e79f..44e125a8 100644
--- a/spec/classes/octavia_worker_spec.rb
+++ b/spec/classes/octavia_worker_spec.rb
@@ -121,11 +121,12 @@ describe 'octavia::worker' do
 end
 end
- context 'with enabled sshkey gen' do
+ context 'with enabled sshkey gen(rsa)' do
 before do
 params.merge!({
 :manage_keygen => true,
- :key_path => '/etc/octavia/.ssh/octavia_ssh_key'})
+ :key_path => '/etc/octavia/.ssh/octavia_ssh_key'
+ })
 end
 it 'configures ssh_keygen and directory' do
@@ -142,6 +143,49 @@ describe 'octavia::worker' do
 :group => 'octavia',
 :owner => 'octavia'
 )
+
+ is_expected.to contain_ssh_keygen('octavia-ssh-key').with(
+ :user => 'octavia',
+ :type => 'rsa',
+ :bits => 2048,
+ :filename => '/etc/octavia/.ssh/octavia_ssh_key/octavia-ssh-key',
+ :comment => 'Used for Octavia Service VM',
+ )
+ end
+ end
+
+ context 'with enabled sshkey gen(ecdsa)' do
+ before do
+ params.merge!({
+ :manage_keygen => true,
+ :key_path => '/etc/octavia/.ssh/octavia_ssh_key',
+ :ssh_key_type => 'ecdsa',
+ :ssh_key_bits => 256,
+ })
+ end
+
+ it 'configures ssh_keygen and directory' do
+ is_expected.to contain_exec('create_amp_key_dir').with(
+ :path => ['/bin', '/usr/bin'],
+ :command => 'mkdir -p /etc/octavia/.ssh/octavia_ssh_key',
+ :creates => '/etc/octavia/.ssh/octavia_ssh_key'
+ )
+
+ is_expected.to contain_file('amp_key_dir').with(
+ :ensure => 'directory',
+ :path => '/etc/octavia/.ssh/octavia_ssh_key',
+ :mode => '0700',
+ :group => 'octavia',
+ :owner => 'octavia'
+ )
+
+ is_expected.to contain_ssh_keygen('octavia-ssh-key').with(
+ :user => 'octavia',
+ :type => 'ecdsa',
+ :bits => 256,
+ :filename => '/etc/octavia/.ssh/octavia_ssh_key/octavia-ssh-key',
+ :comment => 'Used for Octavia Service VM',
+ )
 end
 end
 end
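Review bot: Neither context covers an override of `:ssh_key_type` alone, so nothing pins which `:bits` value the `ssh_keygen` resource receives when the type changes and `ssh_key_bits` stays at its default of 2048. A third context that sets just `:ssh_key_type => 'ecdsa'` would make that pairing visible in the compiled catalog and document whether it is intended. The ecdsa context also repeats the `create_amp_key_dir` and `amp_key_dir` expectations verbatim from the rsa one; moving them into a `shared_examples` block would keep the two contexts from drifting apart.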