Fix octavia deployment tasks for FIPS environment

Under FIPS, creating an md5 hash using ssh-keygen will fail.
As nova does not yet provide fingerprints other than md5, download
and compute the fingerprint locally instead.

Also fix genrsa, which is deprecated and will likewise fail under FIPS.

Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: Ida652c946f8414b2f6ad35baf6e26d0e068da991
Jiri Podivin 2021-09-15 13:47:43 +02:00 committed by Ade Lee
parent f25924ce8c
commit 1e87f235b1
2 changed files with 8 additions and 6 deletions


@ -35,8 +35,8 @@
- name: Generating certificate authority private key
become: true
shell: |
openssl genrsa -passout env:CA_PASSPHRASE -aes256 \
-out {{ openssl_temp_dir }}/private/cakey.pem 2048
openssl genpkey -algorithm RSA -pass env:CA_PASSPHRASE -aes-256-cbc \
-out {{ openssl_temp_dir }}/private/cakey.pem
environment:
CA_PASSPHRASE: "{{ ca_passphrase }}"
when:
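Review bot: The new genpkey invocation in the `shell:` block drops the explicit 2048-bit key size that the removed genrsa line carried, so the CA key length now rests on OpenSSL's built-in default for RSA. Keeping the size explicit makes it visible in review and lets a later increase be a deliberate change rather than a side effect of an OpenSSL upgrade: `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -pass env:CA_PASSPHRASE -aes-256-cbc \`. genpkey also writes the private key in PKCS#8 form rather than the traditional PEM that genrsa produced; OpenSSL's own commands read both, but any consumer of cakey.pem that inspects the PEM header is worth checking. The task continues past the hunk, so I cannot see whether a `no_log` accompanies the `CA_PASSPHRASE` environment entry the way the fingerprint tasks in this change set one; if it is absent, adding it would keep the passphrase out of verbose task output.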


@ -70,16 +70,18 @@
when:
- amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
- name: get the desired public key fingerprint
- name: get the desired sha-256 public key fingerprint
shell: |
set -o pipefail
ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5-
ssh-keygen -E sha256 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }'
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
register: ssh_keygen_results
- name: get existing public key fingerprint
- name: get existing public key sha-256 fingerprint
shell: |
openstack keypair show -f value -c fingerprint {{ amp_ssh_key_name }}
set -o pipefail
openstack keypair show --public-key {{ amp_ssh_key_name }} | \
ssh-keygen -E sha256 -lf - | awk '{ print $2 }'
ignore_errors: true
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
environment: