certmonger_certificate function currently does not support
creating certificates with private keys stronger than 2048 bits.
Adding a key_size option.
The key_size option was added to puppet-certmonger in v2.6.0
upstream: https://github.com/saltedsignal/puppet-certmonger/releases/tag/v2.6.0
Change-Id: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
(cherry picked from commit 190aebca609e8ec68586cfa4ced9f2efa65758d1)

https://review.opendev.org/#/c/677082/ merged today and moved puppet-rabbitmq to 9.1.0
which is breaking our spec tests:
https://zuul.opendev.org/t/openstack/build/e767db93fe214514bebc065a64288548/log/job-output.txt
So we error out with things like:
2019-08-19 07:19:37.527187 | centos-7 | 1) tripleo::certmonger::rabbitmq on redhat-7-x86_64 behaves like tripleo::certmonger::rabbitmq should include the base for using certmonger
2019-08-19 07:19:37.527435 | centos-7 | Failure/Error: include ::rabbitmq::params
2019-08-19 07:19:37.527713 | centos-7 | Puppet::PreformattedError:
2019-08-19 07:19:37.528769 | centos-7 | Evaluation Error: Error while evaluating a Function Call, Could not find class ::rabbitmq::params for centos-7-rax-ord-0010255916 (file: /home/zuul/workspace/spec/fixtures/modules/tripleo/manifests/certmonger/rabbitmq.pp, line: 51, column: 3) on node centos-7-rax-ord-0010255916
Let's remove any reference to rabbitmq::params and also the following
two notifies:
File[$service_certificate] ~> Service<| title == $::rabbitmq::service_name |>
File[$service_key] ~> Service<| title == $::rabbitmq::service_name |>
They do nothing in a containerized deployment anyway.
Tested as follows:
- Full downstream OSP15 HA deploy
Change-Id: Ib7c373c10ff7bcd8ec33cb912a8a0a4a32a196e2
Closes-Bug: #1840641

The default command didn't work, so we need to fix that.
The script additionally copies the certificates in the right place
and instead of restarting RabbitMQ, it triggers a pem cache reload.
Related-Bug: #1811401
Needed-By: I3e564f9a5abdbf11d0580c4ff801092f32bcc678
Change-Id: Id06633a1adaafe1fef1d3d7f6b2af3ef5ffc9d4a

We no longer have the rabbitmq user as part of the overcloud
hosts. We rely instead on kolla setting the right permissions in
the container.
Change-Id: Iaa159fcfe78d16be59e2d9baf51a65119f50c427
Closes-Bug: #1771752

We need to make it configurable since these commands don't apply for
containerized environments. This way we can restart containers or
disable restarting and rely on other means.
This stems from the issue that some services get accidentally started by
certmonger on containerized environments, which makes the container
initialization fail.
bp tls-via-certmonger-containers
Change-Id: I62ff89362cfcc80e6e62fad09110918c36802813

This parameter was used at some point in the implementation but ended up
not being needed in favor of getting this information from the puppet
manifest. So it's removed as the parameter doesn't actually exist.
Change-Id: I09f4091ee7a2221b26249959ea2927090d36ba0f

This optionally enables TLS for RabbitMQ in the internal network. Note
that this leaves enable_internal_tls as undef instead of using the
regular default. This is because we don't want to enable this just now,
since we first want to pass the necessary hieradata via t-h-t. This will
be cleaned in further commits.
bp tls-via-certmonger
Depends-On: I4f37e77ae12e9582fab7d326ebd4c70127c5445f
Depends-On: Ic32b2cb253fa0dc43aad7226b24919b7e588faa9
Change-Id: Ic2a7f877745a0a490ddc9315123bd1180b03c514