tempest/enable-fips.yaml at 96af1d0e40bc3d42a18c565ebeab857e5fe9078c - tempest - OpenDev: Free Software Needs Free Tools

openstack/tempest

Ade Lee 6ded070b51 Add support for ecdsa keys

In FIPS mode, using RSA keys for ssh is fine as long as SHA-1 is
not used for the signature algorithm.  Unfortunately, the version
of cirros used in OpenStack CI does not have a version of dropbear
that supports SHA-2 signatures.  So, any connections from a FIPS
enabled machine will fail as the cirros instance will only support
ssh-rsa (SHA-1 signatures).

To get around this, we add a new option to specify the key type
(validation.ssh_key_type).  This will allow the addition of other
key types in future if needed.

Tempest now supports 'rsa' and 'ecdsa' key types.

We also add a fips job to the experimental queue to test the usage
of the new key type.

Change-Id: Ib59eb8432fa1a2813b3047955157d1b3d24a55f8

2022-01-18 15:25:38 +00:00

5 lines

68 B

YAML

Raw Blame History

 - hosts: all
   tasks:
     - include_role:
         name: enable-fips