Fix octavia deployment tasks for FIPS environment
Under FIPS, creating an md5 hash using ssh-keygen will fail. As nova does not yet provide fingerprints other than md5, download the public key and compute the fingerprint locally instead. Also fix genrsa, which is deprecated and will also fail under FIPS. Signed-off-by: Jiri Podivin <jpodivin@redhat.com> Change-Id: Ida652c946f8414b2f6ad35baf6e26d0e068da991
parent
f25924ce8c
commit
1e87f235b1
|
@ -35,8 +35,8 @@
|
|||
- name: Generating certificate authority private key
|
||||
become: true
|
||||
shell: |
|
||||
openssl genrsa -passout env:CA_PASSPHRASE -aes256 \
|
||||
-out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
||||
openssl genpkey -algorithm RSA -pass env:CA_PASSPHRASE -aes-256-cbc \
|
||||
-out {{ openssl_temp_dir }}/private/cakey.pem
|
||||
environment:
|
||||
CA_PASSPHRASE: "{{ ca_passphrase }}"
|
||||
when:
|
||||
|
|
|
@ -70,16 +70,18 @@
|
|||
when:
|
||||
- amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
|
||||
|
||||
- name: get the desired public key fingerprint
|
||||
- name: get the desired sha-256 public key fingerprint
|
||||
shell: |
|
||||
set -o pipefail
|
||||
ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5-
|
||||
ssh-keygen -E sha256 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }'
|
||||
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
|
||||
register: ssh_keygen_results
|
||||
|
||||
- name: get existing public key fingerprint
|
||||
- name: get existing public key sha-256 fingerprint
|
||||
shell: |
|
||||
openstack keypair show -f value -c fingerprint {{ amp_ssh_key_name }}
|
||||
set -o pipefail
|
||||
openstack keypair show --public-key {{ amp_ssh_key_name }} | \
|
||||
ssh-keygen -E sha256 -lf - | awk '{ print $2 }'
|
||||
ignore_errors: true
|
||||
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
|
||||
environment:
|
||||
|
|
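Review bot: The new `openssl genpkey` command in the first hunk (the "Generating certificate authority private key" task) no longer states a key size. The old `genrsa` line ended in `2048`, but the replacement has no `-pkeyopt rsa_keygen_bits:` option, so the CA key length now depends on the default of whichever OpenSSL build runs the task. Pin it explicitly so the CA key strength is visible and reproducible, e.g. `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass env:CA_PASSPHRASE -aes-256-cbc \`, or a larger size if the deployment's crypto policy requires one. The task's `when:` conditions continue outside the hunk.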