Adding key_size option on the certmonger_certificate function

certmonger_certificate function currently does not support creating certificates with private keys stronger than 2048bits. Adding a key_size option. key_size option were added on puppet_certmonger on the v2.6.0 upstream: https://github.com/saltedsignal/puppet-certmonger/releases/tag/v2.6.0 Change-Id: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b (cherry picked from commit 190aebca60)
2020-10-09 10:52:26 -03:00 · 2020-10-09 10:52:26 -03:00 · 963b473380
commit 963b473380
parent d632847311
22 changed files with 126 additions and 1 deletions
--- a/2
+++ b/2
@ -35,7 +35,7 @@ mod 'fdio',

 mod 'certmonger',
  :git => 'https://github.com/saltedsignal/puppet-certmonger',
-  :ref => 'v1.1.1'
+  :ref => 'v2.6.0'

 mod 'ptp',
  :git => 'https://github.com/redhat-nfvpe/ptp',
--- a/manifests/certmonger/ceph_dashboard.pp
+++ b/manifests/certmonger/ceph_dashboard.pp
@ -39,6 +39,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ceph_dashboard (
  $hostname,
  $service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_dashboard (
  $postsave_cmd = undef,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $principal     = undef,
+  $key_size      = 2048,
 ) {

  ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_dashboard (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ceph_grafana.pp
+++ b/manifests/certmonger/ceph_grafana.pp
@ -39,6 +39,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ceph_grafana (
  $hostname,
  $service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_grafana (
  $postsave_cmd = undef,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $principal     = undef,
+  $key_size      = 2048,
 ) {

  ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_grafana (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ceph_rgw.pp
+++ b/manifests/certmonger/ceph_rgw.pp
@ -42,6 +42,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ceph_rgw (
  $hostname,
  $service_certificate,
@ -50,6 +54,7 @@ class tripleo::certmonger::ceph_rgw (
  $postsave_cmd = undef,
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $principal     = undef,
+  $key_size      = 2048,
 ) {

  ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
@ -68,6 +73,7 @@ class tripleo::certmonger::ceph_rgw (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/etcd.pp
+++ b/manifests/certmonger/etcd.pp
@ -44,6 +44,10 @@
 #   (Optional) The haproxy service principal that is set for etcd in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::etcd (
  $hostname,
  $service_certificate,
@ -52,6 +56,7 @@ class tripleo::certmonger::etcd (
  $dnsnames      = $hostname,
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -70,6 +75,7 @@ class tripleo::certmonger::etcd (
    dnsname      => $dnsnames,
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
+    key_size     => $key_size,
    ca           => $certmonger_ca,
    wait         => true,
    require      => Class['::certmonger'],
--- a/manifests/certmonger/haproxy.pp
+++ b/manifests/certmonger/haproxy.pp
@ -48,6 +48,10 @@
 #   The post-save-command that certmonger will use once it renews the
 #   certificate.
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 define tripleo::certmonger::haproxy (
  $service_pem,
  $service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::haproxy (
  $dnsnames      = undef,
  $principal     = undef,
  $postsave_cmd  = undef,
+  $key_size      = 2048,
 ){
    include certmonger
    include haproxy::params
@ -103,6 +108,7 @@ define tripleo::certmonger::haproxy (
      keyfile      => $service_key,
      postsave_cmd => $postsave_cmd,
      principal    => $principal_real,
+      key_size     => $key_size,
      eku          => ['id-kp-clientAuth', 'id-kp-serverAuth'],
      wait         => true,
      tag          => 'haproxy-cert',
--- a/manifests/certmonger/httpd.pp
+++ b/manifests/certmonger/httpd.pp
@ -44,6 +44,10 @@
 # [*principal*]
 #   The haproxy service principal that is set for HAProxy in kerberos.
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 define tripleo::certmonger::httpd (
  $hostname,
  $service_certificate,
@ -52,6 +56,7 @@ define tripleo::certmonger::httpd (
  $dnsnames      = undef,
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger
  include apache::params
@ -71,6 +76,7 @@ define tripleo::certmonger::httpd (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    tag          => 'apache-cert',
    require      => Class['::certmonger'],
--- a/manifests/certmonger/libvirt.pp
+++ b/manifests/certmonger/libvirt.pp
@ -44,6 +44,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 define tripleo::certmonger::libvirt (
  $hostname,
  $service_certificate,
@ -51,6 +55,7 @@ define tripleo::certmonger::libvirt (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger
  include nova::params
@ -65,6 +70,7 @@ define tripleo::certmonger::libvirt (
    principal    => $principal,
    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    tag          => 'libvirt-cert',
    require      => Class['::certmonger'],
--- a/manifests/certmonger/libvirt_vnc.pp
+++ b/manifests/certmonger/libvirt_vnc.pp
@ -48,6 +48,10 @@
 #   (Optional) Service to reload when certificate is created/renewed
 #   Defaults to $::nova::params::libvirt_service_name
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 define tripleo::certmonger::libvirt_vnc (
  $hostname,
  $service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::libvirt_vnc (
  $principal        = undef,
  $cacertfile       = undef,
  $notify_service   = undef,
+  $key_size      = 2048,
 ) {
  include certmonger
  include nova::params
@ -74,6 +79,7 @@ define tripleo::certmonger::libvirt_vnc (
    principal    => $principal,
    postsave_cmd => $postsave_cmd_real,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    cacertfile   => $cacertfile,
    wait         => true,
    tag          => 'libvirt-cert',
--- a/manifests/certmonger/metrics_qdr.pp
+++ b/manifests/certmonger/metrics_qdr.pp
@ -46,6 +46,10 @@
 #   (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::metrics_qdr (
  $hostname,
  $service_certificate,
@ -53,6 +57,7 @@ class tripleo::certmonger::metrics_qdr (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger
  include qdr::params
@ -73,6 +78,7 @@ class tripleo::certmonger::metrics_qdr (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@ -46,6 +46,10 @@
 #   (Optional) The haproxy service principal that is set for MySQL in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::mysql (
  $hostname,
  $service_certificate,
@ -54,6 +58,7 @@ class tripleo::certmonger::mysql (
  $dnsnames      = $hostname,
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -66,6 +71,7 @@ class tripleo::certmonger::mysql (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/neutron.pp
+++ b/manifests/certmonger/neutron.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::neutron (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -64,6 +69,7 @@ class tripleo::certmonger::neutron (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/neutron_ovn.pp
+++ b/manifests/certmonger/neutron_ovn.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::neutron_ovn (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron_ovn (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -57,6 +62,7 @@ class tripleo::certmonger::neutron_ovn (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/novnc_proxy.pp
+++ b/manifests/certmonger/novnc_proxy.pp
@ -45,6 +45,9 @@
 # [*notify_service*]
 #   (Optional) Service to reload when certificate is created/renewed
 #   Defaults to $::nova::params::libvirt_service_name
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
 #
 class tripleo::certmonger::novnc_proxy (
  $hostname,
@ -53,6 +56,7 @@ class tripleo::certmonger::novnc_proxy (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $notify_service   = undef,
  $postsave_cmd  = undef,
+  $key_size      = 2048,
  $principal     = undef,
 ) {
  include certmonger
@ -76,6 +80,7 @@ class tripleo::certmonger::novnc_proxy (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    tag          => 'novnc-proxy',
    require      => Class['::certmonger'],
--- a/manifests/certmonger/openvswitch.pp
+++ b/manifests/certmonger/openvswitch.pp
@ -39,6 +39,10 @@
 #   (Optional) The haproxy service principal that is set for openvswitch in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::openvswitch (
  $hostname,
  $service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::openvswitch (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = 'systemctl reload openvswitch',
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -58,6 +63,7 @@ class tripleo::certmonger::openvswitch (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ovn_controller.pp
+++ b/manifests/certmonger/ovn_controller.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ovn_controller (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_controller (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_controller (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ovn_dbs.pp
+++ b/manifests/certmonger/ovn_dbs.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ovn_dbs (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_dbs (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_dbs (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ovn_metadata.pp
+++ b/manifests/certmonger/ovn_metadata.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ovn_metadata (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_metadata (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_metadata (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/ovn_octavia.pp
+++ b/manifests/certmonger/ovn_octavia.pp
@ -38,6 +38,10 @@
 #   (Optional) The haproxy service principal that is set for neutron in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::ovn_octavia (
  $hostname,
  $service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_octavia (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_octavia (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/qemu.pp
+++ b/manifests/certmonger/qemu.pp
@ -47,6 +47,10 @@
 #   (Optional) Specifies that path to write the CA cerftificate to.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 define tripleo::certmonger::qemu (
  $hostname,
  $service_certificate,
@ -55,6 +59,7 @@ define tripleo::certmonger::qemu (
  $cacertfile    = undef,
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger
  include nova::params
@ -68,6 +73,7 @@ define tripleo::certmonger::qemu (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    cacertfile   => $cacertfile,
    wait         => true,
    tag          => 'qemu-cert',
--- a/manifests/certmonger/rabbitmq.pp
+++ b/manifests/certmonger/rabbitmq.pp
@ -39,6 +39,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::rabbitmq (
  $hostname,
  $service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::rabbitmq (
  $certmonger_ca = hiera('certmonger_ca', 'local'),
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -65,6 +70,7 @@ class tripleo::certmonger::rabbitmq (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }
--- a/manifests/certmonger/redis.pp
+++ b/manifests/certmonger/redis.pp
@ -45,6 +45,10 @@
 #   (Optional) The service principal that is set for the service in kerberos.
 #   Defaults to undef
 #
+# [*key_size*]
+#   (Optional) Specifies the private key size used when creating the certificate.
+#   Defaults to 2048bits.
+#
 class tripleo::certmonger::redis (
  $hostname,
  $service_certificate,
@ -53,6 +57,7 @@ class tripleo::certmonger::redis (
  $dnsnames      = $hostname,
  $postsave_cmd  = undef,
  $principal     = undef,
+  $key_size      = 2048,
 ) {
  include certmonger

@ -72,6 +77,7 @@ class tripleo::certmonger::redis (
    principal    => $principal,
    postsave_cmd => $postsave_cmd,
    ca           => $certmonger_ca,
+    key_size     => $key_size,
    wait         => true,
    require      => Class['::certmonger'],
  }