Adding key_size option on the certmonger_certificate function

certmonger_certificate function currently does not support
creating certificates with private keys stronger than 2048bits.
Adding a key_size option.

key_size option were added on puppet_certmonger on the v2.6.0
upstream: https://github.com/saltedsignal/puppet-certmonger/releases/tag/v2.6.0

Change-Id: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
(cherry picked from commit 190aebca60)
This commit is contained in:
Raildo 2020-10-09 10:52:26 -03:00 committed by Ade Lee
parent d632847311
commit 963b473380
22 changed files with 126 additions and 1 deletions

View File

@ -35,7 +35,7 @@ mod 'fdio',
mod 'certmonger',
:git => 'https://github.com/saltedsignal/puppet-certmonger',
:ref => 'v1.1.1'
:ref => 'v2.6.0'
mod 'ptp',
:git => 'https://github.com/redhat-nfvpe/ptp',

View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_dashboard (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_dashboard (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-dashboard-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_dashboard (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_grafana (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::ceph_grafana (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-grafana-refresh.sh', {
@ -64,6 +69,7 @@ class tripleo::certmonger::ceph_grafana (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -42,6 +42,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ceph_rgw (
$hostname,
$service_certificate,
@ -50,6 +54,7 @@ class tripleo::certmonger::ceph_rgw (
$postsave_cmd = undef,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$principal = undef,
$key_size = 2048,
) {
ensure_resource('file', '/usr/bin/certmonger-rgw-refresh.sh', {
@ -68,6 +73,7 @@ class tripleo::certmonger::ceph_rgw (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -44,6 +44,10 @@
# (Optional) The haproxy service principal that is set for etcd in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::etcd (
$hostname,
$service_certificate,
@ -52,6 +56,7 @@ class tripleo::certmonger::etcd (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -70,6 +75,7 @@ class tripleo::certmonger::etcd (
dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
key_size => $key_size,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],

View File

@ -48,6 +48,10 @@
# The post-save-command that certmonger will use once it renews the
# certificate.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::haproxy (
$service_pem,
$service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::haproxy (
$dnsnames = undef,
$principal = undef,
$postsave_cmd = undef,
$key_size = 2048,
){
include certmonger
include haproxy::params
@ -103,6 +108,7 @@ define tripleo::certmonger::haproxy (
keyfile => $service_key,
postsave_cmd => $postsave_cmd,
principal => $principal_real,
key_size => $key_size,
eku => ['id-kp-clientAuth', 'id-kp-serverAuth'],
wait => true,
tag => 'haproxy-cert',

View File

@ -44,6 +44,10 @@
# [*principal*]
# The haproxy service principal that is set for HAProxy in kerberos.
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::httpd (
$hostname,
$service_certificate,
@ -52,6 +56,7 @@ define tripleo::certmonger::httpd (
$dnsnames = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include apache::params
@ -71,6 +76,7 @@ define tripleo::certmonger::httpd (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'apache-cert',
require => Class['::certmonger'],

View File

@ -44,6 +44,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt (
$hostname,
$service_certificate,
@ -51,6 +55,7 @@ define tripleo::certmonger::libvirt (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -65,6 +70,7 @@ define tripleo::certmonger::libvirt (
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'libvirt-cert',
require => Class['::certmonger'],

View File

@ -48,6 +48,10 @@
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::libvirt_vnc (
$hostname,
$service_certificate,
@ -57,6 +61,7 @@ define tripleo::certmonger::libvirt_vnc (
$principal = undef,
$cacertfile = undef,
$notify_service = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -74,6 +79,7 @@ define tripleo::certmonger::libvirt_vnc (
principal => $principal,
postsave_cmd => $postsave_cmd_real,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'libvirt-cert',

View File

@ -46,6 +46,10 @@
# (Optional) The haproxy service principal that is set for metrics_qdr in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::metrics_qdr (
$hostname,
$service_certificate,
@ -53,6 +57,7 @@ class tripleo::certmonger::metrics_qdr (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include qdr::params
@ -73,6 +78,7 @@ class tripleo::certmonger::metrics_qdr (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -46,6 +46,10 @@
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::mysql (
$hostname,
$service_certificate,
@ -54,6 +58,7 @@ class tripleo::certmonger::mysql (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -66,6 +71,7 @@ class tripleo::certmonger::mysql (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -64,6 +69,7 @@ class tripleo::certmonger::neutron (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::neutron_ovn (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::neutron_ovn (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::neutron_ovn (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -45,6 +45,9 @@
# [*notify_service*]
# (Optional) Service to reload when certificate is created/renewed
# Defaults to $::nova::params::libvirt_service_name
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::novnc_proxy (
$hostname,
@ -53,6 +56,7 @@ class tripleo::certmonger::novnc_proxy (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$notify_service = undef,
$postsave_cmd = undef,
$key_size = 2048,
$principal = undef,
) {
include certmonger
@ -76,6 +80,7 @@ class tripleo::certmonger::novnc_proxy (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
tag => 'novnc-proxy',
require => Class['::certmonger'],

View File

@ -39,6 +39,10 @@
# (Optional) The haproxy service principal that is set for openvswitch in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::openvswitch (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::openvswitch (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = 'systemctl reload openvswitch',
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -58,6 +63,7 @@ class tripleo::certmonger::openvswitch (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_controller (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_controller (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_controller (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_dbs (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_dbs (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_dbs (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_metadata (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_metadata (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_metadata (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -38,6 +38,10 @@
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::ovn_octavia (
$hostname,
$service_certificate,
@ -45,6 +49,7 @@ class tripleo::certmonger::ovn_octavia (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -57,6 +62,7 @@ class tripleo::certmonger::ovn_octavia (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -47,6 +47,10 @@
# (Optional) Specifies that path to write the CA cerftificate to.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
define tripleo::certmonger::qemu (
$hostname,
$service_certificate,
@ -55,6 +59,7 @@ define tripleo::certmonger::qemu (
$cacertfile = undef,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
include nova::params
@ -68,6 +73,7 @@ define tripleo::certmonger::qemu (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
cacertfile => $cacertfile,
wait => true,
tag => 'qemu-cert',

View File

@ -39,6 +39,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::rabbitmq (
$hostname,
$service_certificate,
@ -46,6 +50,7 @@ class tripleo::certmonger::rabbitmq (
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -65,6 +70,7 @@ class tripleo::certmonger::rabbitmq (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}

View File

@ -45,6 +45,10 @@
# (Optional) The service principal that is set for the service in kerberos.
# Defaults to undef
#
# [*key_size*]
# (Optional) Specifies the private key size used when creating the certificate.
# Defaults to 2048bits.
#
class tripleo::certmonger::redis (
$hostname,
$service_certificate,
@ -53,6 +57,7 @@ class tripleo::certmonger::redis (
$dnsnames = $hostname,
$postsave_cmd = undef,
$principal = undef,
$key_size = 2048,
) {
include certmonger
@ -72,6 +77,7 @@ class tripleo::certmonger::redis (
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
key_size => $key_size,
wait => true,
require => Class['::certmonger'],
}