diff --git a/Puppetfile_extras b/Puppetfile_extras index 8553ce4b1..1dbd1c739 100644 --- a/Puppetfile_extras +++ b/Puppetfile_extras @@ -41,7 +41,7 @@ mod 'fluentd', mod 'certmonger', :git => 'https://github.com/saltedsignal/puppet-certmonger', - :ref => 'v1.1.1' + :ref => 'v2.6.0' mod 'ptp', :git => 'https://github.com/redhat-nfvpe/ptp', diff --git a/manifests/certmonger/ceph_dashboard.pp b/manifests/certmonger/ceph_dashboard.pp index a9d83a9f4..2f701b2b1 100644 --- a/manifests/certmonger/ceph_dashboard.pp +++ b/manifests/certmonger/ceph_dashboard.pp @@ -39,6 +39,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ceph_dashboard ( $hostname, $service_certificate, @@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_dashboard ( $postsave_cmd = undef, $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, + $key_size = 2048, ) { ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', { @@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_dashboard ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ceph_grafana.pp b/manifests/certmonger/ceph_grafana.pp index acc232721..f4d611611 100644 --- a/manifests/certmonger/ceph_grafana.pp +++ b/manifests/certmonger/ceph_grafana.pp @@ -39,6 +39,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ceph_grafana ( $hostname, $service_certificate, 
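Review bot: The `[*key_size*]` doc block added to manifests/certmonger/ceph_dashboard.pp (hunk `@@ -39,6 +43,10 @@`) runs the unit into the number ("2048bits") and does not say what happens to a certificate that is already being tracked. The same text is repeated in every other manifest in this commit. I would word it as `# (Optional) Size in bits of the private key used when creating the certificate.` followed by `# Defaults to 2048.`, plus one line stating whether changing the value re-keys an existing certificate or only affects new requests. That behaviour depends on the certmonger module pinned in Puppetfile_extras and is not visible in this diff, so it should be confirmed before it is documented.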
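Review bot: `$key_size = 2048,` in the parameter list of tripleo::certmonger::ceph_dashboard (hunk `@@ -46,6 +50,7 @@`) is untyped and unchecked, so a string or a size below 2048 supplied through hiera is passed unchanged to the certificate resource in the following hunk. If these requests are always RSA and the module's minimum Puppet version allows data types, `Integer[2048] $key_size = 2048,` would reject weak or malformed sizes at catalog compilation; the existing parameters are untyped, so this would be the first typed one. The same unchecked parameter is added to every other class and define under manifests/certmonger/ in this commit. The class body continues outside the hunk, so any validation done elsewhere is not visible here.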
@@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_grafana ( $postsave_cmd = undef, $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, + $key_size = 2048, ) { ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', { @@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_grafana ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ceph_rgw.pp b/manifests/certmonger/ceph_rgw.pp index b0b7aa8fd..07049a712 100644 --- a/manifests/certmonger/ceph_rgw.pp +++ b/manifests/certmonger/ceph_rgw.pp @@ -42,6 +42,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ceph_rgw ( $hostname, $service_certificate, @@ -50,6 +54,7 @@ class tripleo::certmonger::ceph_rgw ( $postsave_cmd = undef, $certmonger_ca = hiera('certmonger_ca', 'local'), $principal = undef, + $key_size = 2048, ) { ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', { @@ -68,6 +73,7 @@ class tripleo::certmonger::ceph_rgw ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/etcd.pp b/manifests/certmonger/etcd.pp index b0b123261..652c68acc 100644 --- a/manifests/certmonger/etcd.pp +++ b/manifests/certmonger/etcd.pp @@ -44,6 +44,10 @@ # (Optional) The haproxy service principal that is set for etcd in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::etcd ( $hostname, $service_certificate, 
@@ -52,6 +56,7 @@ class tripleo::certmonger::etcd ( $dnsnames = $hostname, $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -70,6 +75,7 @@ class tripleo::certmonger::etcd ( dnsname => $dnsnames, principal => $principal, postsave_cmd => $postsave_cmd, + key_size => $key_size, ca => $certmonger_ca, wait => true, require => Class['::certmonger'], diff --git a/manifests/certmonger/haproxy.pp b/manifests/certmonger/haproxy.pp index 455fb391f..d623b63c3 100644 --- a/manifests/certmonger/haproxy.pp +++ b/manifests/certmonger/haproxy.pp @@ -48,6 +48,10 @@ # The post-save-command that certmonger will use once it renews the # certificate. # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# define tripleo::certmonger::haproxy ( $service_pem, $service_certificate, @@ -57,6 +61,7 @@ define tripleo::certmonger::haproxy ( $dnsnames = undef, $principal = undef, $postsave_cmd = undef, + $key_size = 2048, ){ include ::certmonger include ::haproxy::params @@ -103,6 +108,7 @@ define tripleo::certmonger::haproxy ( keyfile => $service_key, postsave_cmd => $postsave_cmd, principal => $principal_real, + key_size => $key_size, eku => ['id-kp-clientAuth', 'id-kp-serverAuth'], wait => true, tag => 'haproxy-cert', diff --git a/manifests/certmonger/httpd.pp b/manifests/certmonger/httpd.pp index 18c2de2e6..ba8bca0b5 100644 --- a/manifests/certmonger/httpd.pp +++ b/manifests/certmonger/httpd.pp @@ -44,6 +44,10 @@ # [*principal*] # The haproxy service principal that is set for HAProxy in kerberos. # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# define tripleo::certmonger::httpd ( $hostname, $service_certificate, @@ -52,6 +56,7 @@ define tripleo::certmonger::httpd ( $dnsnames = undef, $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger include ::apache::params 
@@ -71,6 +76,7 @@ define tripleo::certmonger::httpd ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, tag => 'apache-cert', require => Class['::certmonger'], diff --git a/manifests/certmonger/libvirt.pp b/manifests/certmonger/libvirt.pp index 8ce003778..0eb69df2f 100644 --- a/manifests/certmonger/libvirt.pp +++ b/manifests/certmonger/libvirt.pp @@ -44,6 +44,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# define tripleo::certmonger::libvirt ( $hostname, $service_certificate, @@ -51,6 +55,7 @@ define tripleo::certmonger::libvirt ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger include ::nova::params @@ -65,6 +70,7 @@ define tripleo::certmonger::libvirt ( principal => $principal, postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, + key_size => $key_size, wait => true, tag => 'libvirt-cert', require => Class['::certmonger'], diff --git a/manifests/certmonger/libvirt_vnc.pp b/manifests/certmonger/libvirt_vnc.pp index dcdd1aa04..5397a4c2f 100644 --- a/manifests/certmonger/libvirt_vnc.pp +++ b/manifests/certmonger/libvirt_vnc.pp @@ -48,6 +48,10 @@ # (Optional) Service to reload when certificate is created/renewed # Defaults to $::nova::params::libvirt_service_name # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# define tripleo::certmonger::libvirt_vnc ( $hostname, $service_certificate, @@ -57,6 +61,7 @@ define tripleo::certmonger::libvirt_vnc ( $principal = undef, $cacertfile = undef, $notify_service = undef, + $key_size = 2048, ) { include ::certmonger include ::nova::params 
@@ -74,6 +79,7 @@ define tripleo::certmonger::libvirt_vnc ( principal => $principal, postsave_cmd => $postsave_cmd_real, ca => $certmonger_ca, + key_size => $key_size, cacertfile => $cacertfile, wait => true, tag => 'libvirt-cert', diff --git a/manifests/certmonger/metrics_qdr.pp b/manifests/certmonger/metrics_qdr.pp index d266e716f..7e2abc5c6 100644 --- a/manifests/certmonger/metrics_qdr.pp +++ b/manifests/certmonger/metrics_qdr.pp @@ -46,6 +46,10 @@ # (Optional) The haproxy service principal that is set for metrics_qdr in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::metrics_qdr ( $hostname, $service_certificate, @@ -53,6 +57,7 @@ class tripleo::certmonger::metrics_qdr ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger include ::qdr::params @@ -73,6 +78,7 @@ class tripleo::certmonger::metrics_qdr ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index cadcf455b..48bae0e2e 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -46,6 +46,10 @@ # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::mysql ( $hostname, $service_certificate, @@ -54,6 +58,7 @@ class tripleo::certmonger::mysql ( $dnsnames = $hostname, $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger 
@@ -66,6 +71,7 @@ class tripleo::certmonger::mysql ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/neutron.pp b/manifests/certmonger/neutron.pp index 4260318c6..a5a167f9a 100644 --- a/manifests/certmonger/neutron.pp +++ b/manifests/certmonger/neutron.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::neutron ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::neutron ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -64,6 +69,7 @@ class tripleo::certmonger::neutron ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/neutron_ovn.pp b/manifests/certmonger/neutron_ovn.pp index f86479a3c..50cb9276d 100644 --- a/manifests/certmonger/neutron_ovn.pp +++ b/manifests/certmonger/neutron_ovn.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::neutron_ovn ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::neutron_ovn ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger 
@@ -57,6 +62,7 @@ class tripleo::certmonger::neutron_ovn ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/novnc_proxy.pp b/manifests/certmonger/novnc_proxy.pp index 037adf670..30362c278 100644 --- a/manifests/certmonger/novnc_proxy.pp +++ b/manifests/certmonger/novnc_proxy.pp @@ -45,6 +45,9 @@ # [*notify_service*] # (Optional) Service to reload when certificate is created/renewed # Defaults to $::nova::params::libvirt_service_name +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. # class tripleo::certmonger::novnc_proxy ( $hostname, @@ -53,6 +56,7 @@ class tripleo::certmonger::novnc_proxy ( $certmonger_ca = hiera('certmonger_ca', 'local'), $notify_service = undef, $postsave_cmd = undef, + $key_size = 2048, $principal = undef, ) { include ::certmonger @@ -76,6 +80,7 @@ class tripleo::certmonger::novnc_proxy ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, tag => 'novnc-proxy', require => Class['::certmonger'], diff --git a/manifests/certmonger/openvswitch.pp b/manifests/certmonger/openvswitch.pp index 4cf42c58e..67a9cff41 100644 --- a/manifests/certmonger/openvswitch.pp +++ b/manifests/certmonger/openvswitch.pp @@ -39,6 +39,10 @@ # (Optional) The haproxy service principal that is set for openvswitch in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::openvswitch ( $hostname, $service_certificate, @@ -46,6 +50,7 @@ class tripleo::certmonger::openvswitch ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = 'systemctl reload openvswitch', $principal = undef, + $key_size = 2048, ) { include ::certmonger 
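Review bot: In manifests/certmonger/novnc_proxy.pp the new doc block (hunk `@@ -45,6 +45,9 @@`) starts directly after the `notify_service` text without the empty `#` separator line that the other manifests in this commit put before `[*key_size*]`. The parameter hunk `@@ -53,6 +56,7 @@` also places `$key_size = 2048,` ahead of `$principal = undef,`, while every other manifest appends it last. Neither changes behaviour, since class parameters are passed by name, but adding a `#` line before `# [*key_size*]` and moving `$key_size` after `$principal` would keep this file consistent with its siblings.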
@@ -58,6 +63,7 @@ class tripleo::certmonger::openvswitch ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ovn_controller.pp b/manifests/certmonger/ovn_controller.pp index c2ad9d3fc..65c911595 100644 --- a/manifests/certmonger/ovn_controller.pp +++ b/manifests/certmonger/ovn_controller.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ovn_controller ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_controller ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_controller ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ovn_dbs.pp b/manifests/certmonger/ovn_dbs.pp index 7d9d2a4b7..aba33cdb3 100644 --- a/manifests/certmonger/ovn_dbs.pp +++ b/manifests/certmonger/ovn_dbs.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ovn_dbs ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_dbs ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger 
@@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_dbs ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ovn_metadata.pp b/manifests/certmonger/ovn_metadata.pp index 93476dc14..1c5f1b748 100644 --- a/manifests/certmonger/ovn_metadata.pp +++ b/manifests/certmonger/ovn_metadata.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ovn_metadata ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_metadata ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_metadata ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/ovn_octavia.pp b/manifests/certmonger/ovn_octavia.pp index 4c062f98b..22ed8c3eb 100644 --- a/manifests/certmonger/ovn_octavia.pp +++ b/manifests/certmonger/ovn_octavia.pp @@ -38,6 +38,10 @@ # (Optional) The haproxy service principal that is set for neutron in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::ovn_octavia ( $hostname, $service_certificate, @@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_octavia ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger 
@@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_octavia ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } diff --git a/manifests/certmonger/qemu.pp b/manifests/certmonger/qemu.pp index 67e0418ee..e4e3471fa 100644 --- a/manifests/certmonger/qemu.pp +++ b/manifests/certmonger/qemu.pp @@ -47,6 +47,10 @@ # (Optional) Specifies that path to write the CA cerftificate to. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# define tripleo::certmonger::qemu ( $hostname, $service_certificate, @@ -55,6 +59,7 @@ define tripleo::certmonger::qemu ( $cacertfile = undef, $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger include ::nova::params @@ -68,6 +73,7 @@ define tripleo::certmonger::qemu ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, cacertfile => $cacertfile, wait => true, tag => 'qemu-cert', diff --git a/manifests/certmonger/rabbitmq.pp b/manifests/certmonger/rabbitmq.pp index 3a2e40204..2851c585d 100644 --- a/manifests/certmonger/rabbitmq.pp +++ b/manifests/certmonger/rabbitmq.pp @@ -39,6 +39,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::rabbitmq ( $hostname, $service_certificate, @@ -46,6 +50,7 @@ class tripleo::certmonger::rabbitmq ( $certmonger_ca = hiera('certmonger_ca', 'local'), $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -65,6 +70,7 @@ class tripleo::certmonger::rabbitmq ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], } 
diff --git a/manifests/certmonger/redis.pp b/manifests/certmonger/redis.pp index 449aa41e6..d986700f4 100644 --- a/manifests/certmonger/redis.pp +++ b/manifests/certmonger/redis.pp @@ -45,6 +45,10 @@ # (Optional) The service principal that is set for the service in kerberos. # Defaults to undef # +# [*key_size*] +# (Optional) Specifies the private key size used when creating the certificate. +# Defaults to 2048bits. +# class tripleo::certmonger::redis ( $hostname, $service_certificate, @@ -53,6 +57,7 @@ class tripleo::certmonger::redis ( $dnsnames = $hostname, $postsave_cmd = undef, $principal = undef, + $key_size = 2048, ) { include ::certmonger @@ -72,6 +77,7 @@ class tripleo::certmonger::redis ( principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, + key_size => $key_size, wait => true, require => Class['::certmonger'], }