openstack
/
puppet-tripleo
Code Issues Proposed changes

Adding key_size option on the certmonger_certificate function 

certmonger_certificate function currently does not support
creating certificates with private keys stronger than 2048bits.
Adding a key_size option.

key_size option were added on puppet_certmonger on the v2.6.0
upstream: https://github.com/saltedsignal/puppet-certmonger/releases/tag/v2.6.0

Change-Id: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
This commit is contained in:
Raildo 2020-10-09 10:52:26 -03:00 committed by Raildo Mascena de Sousa Filho
parent eaca38aa67
commit 190aebca60
23 changed files with 132 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Puppetfile_extras
View File

@ -35,7 +35,7 @@ mod 'fdio',
mod 'certmonger',
:git => 'https://github.com/saltedsignal/puppet-certmonger',
:ref => 'v1.1.1'
:ref => 'v2.6.0'
mod 'ptp',
:git => 'https://github.com/redhat-nfvpe/ptp',

6
manifests/certmonger/ceph_dashboard.pp
View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_dashboard (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_dashboard (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_dashboard (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ceph_grafana.pp
View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_grafana (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_grafana (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_grafana (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ceph_rgw.pp
View File

@ -42,6 +42,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_rgw (
$hostname,
$service_certificate,
@ -50,6 +54,7 @@ class tripleo::certmonger::ceph_rgw (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
@ -68,6 +73,7 @@ class tripleo::certmonger::ceph_rgw (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/etcd.pp
View File

@ -44,6 +44,10 @@
# (Optional) The haproxy service principal that is set for etcd in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::etcd (
$hostname,
$service_certificate,
@ -52,6 +56,7 @@ class tripleo::certmonger::etcd (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -70,6 +75,7 @@ class tripleo::certmonger::etcd (
dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
key_size => $key_size,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],

6
manifests/certmonger/haproxy.pp
View File

@ -48,6 +48,10 @@
# The post-save-command that certmonger will use once it renews the
# certificate.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::haproxy (
$service_pem,
$service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::haproxy (
$dnsnames = undef,
$principal = undef,
$postsave_cmd = undef,
$key_size = 2048,
){
include certmonger
include haproxy::params
@ -103,6 +108,7 @@ define tripleo::certmonger::haproxy (
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
principal => $principal_real,
key_size => $key_size,
eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
wait => true,
tag => 'haproxy-cert',

6
manifests/certmonger/httpd.pp
View File

@ -44,6 +44,10 @@
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::httpd (
$hostname,
$service_certificate,
@ -52,6 +56,7 @@ define tripleo::certmonger::httpd (
$dnsnames = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include apache::params
@ -71,6 +76,7 @@ define tripleo::certmonger::httpd (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'apache-cert',
require => Class['::certmonger'],

6
manifests/certmonger/libvirt.pp
View File

@ -40,6 +40,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt (
$hostname,
$service_certificate,
@ -47,6 +51,7 @@ define tripleo::certmonger::libvirt (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -61,6 +66,7 @@ define tripleo::certmonger::libvirt (
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'libvirt-cert',
require => Class['::certmonger'],

6
manifests/certmonger/libvirt_vnc.pp
View File

@ -48,6 +48,10 @@
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt_vnc (
$hostname,
$service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::libvirt_vnc (
$principal = undef,
$cacertfile = undef,
$notify_service = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -74,6 +79,7 @@ define tripleo::certmonger::libvirt_vnc (
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'libvirt-cert',

6
manifests/certmonger/memcached.pp
View File

@ -40,6 +40,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::memcached (
$hostname,
$service_certificate,
@ -47,6 +51,7 @@ class tripleo::certmonger::memcached (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = '/usr/bin/certmonger-memcached-refresh.sh',
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -66,6 +71,7 @@ class tripleo::certmonger::memcached (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/metrics_qdr.pp
View File

@ -40,6 +40,10 @@
# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::metrics_qdr (
$hostname,
$service_certificate,
@ -47,6 +51,7 @@ class tripleo::certmonger::metrics_qdr (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include qdr::params
@ -67,6 +72,7 @@ class tripleo::certmonger::metrics_qdr (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/mysql.pp
View File

@ -46,6 +46,10 @@
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::mysql (
$hostname,
$service_certificate,
@ -54,6 +58,7 @@ class tripleo::certmonger::mysql (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -66,6 +71,7 @@ class tripleo::certmonger::mysql (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/neutron.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -64,6 +69,7 @@ class tripleo::certmonger::neutron (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/neutron_ovn.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron_ovn (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron_ovn (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::neutron_ovn (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

5
manifests/certmonger/novnc_proxy.pp
View File

@ -42,6 +42,9 @@
# [*notify_service*]
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::novnc_proxy (
$hostname,
@ -50,6 +53,7 @@ class tripleo::certmonger::novnc_proxy (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$notify_service = undef,
$postsave_cmd = undef,
$key_size = 2048,
$principal = undef,
) {
include certmonger
@ -73,6 +77,7 @@ class tripleo::certmonger::novnc_proxy (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'novnc-proxy',
require => Class['::certmonger'],

6
manifests/certmonger/openvswitch.pp
View File

@ -39,6 +39,10 @@
# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::openvswitch (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::openvswitch (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = 'systemctl reload openvswitch',
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -58,6 +63,7 @@ class tripleo::certmonger::openvswitch (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ovn_controller.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_controller (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_controller (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_controller (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ovn_dbs.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_dbs (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_dbs (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_dbs (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ovn_metadata.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_metadata (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_metadata (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_metadata (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/ovn_octavia.pp
View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_octavia (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_octavia (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_octavia (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/qemu.pp
View File

@ -43,6 +43,10 @@
# (Optional) Specifies that path to write the CA cerftificate to.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::qemu (
$hostname,
$service_certificate,
@ -51,6 +55,7 @@ define tripleo::certmonger::qemu (
$cacertfile = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -64,6 +69,7 @@ define tripleo::certmonger::qemu (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'qemu-cert',

6
manifests/certmonger/rabbitmq.pp
View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::rabbitmq (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::rabbitmq (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -65,6 +70,7 @@ class tripleo::certmonger::rabbitmq (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

6
manifests/certmonger/redis.pp
View File

@ -45,6 +45,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::redis (
$hostname,
$service_certificate,
@ -53,6 +57,7 @@ class tripleo::certmonger::redis (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -72,6 +77,7 @@ class tripleo::certmonger::redis (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}