Fix octavia deployment tasks for FIPS environment

Under FIPS, creating an md5 hash using ssh-keygen will fail.
As nova does not yet provide fingerprints other than md5, download
and compute the fingerprint locally insted.

Also fix genrsa, which is deprecated, and will also fail under FIPS

Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: Ida652c946f8414b2f6ad35baf6e26d0e068da991
(cherry picked from commit 1e87f235b1)

tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml

@@ -35,8 +35,8 @@
 - name: Generating certificate authority private key
   become: true
   shell: |
-    openssl genrsa -passout env:CA_PASSPHRASE -aes256 \
-        -out {{ openssl_temp_dir }}/private/cakey.pem 2048
+    openssl genpkey -algorithm RSA -pass env:CA_PASSPHRASE -aes-256-cbc \
+        -out {{ openssl_temp_dir }}/private/cakey.pem
   environment:
     CA_PASSPHRASE: "{{ ca_passphrase }}"
   when:

tripleo_ansible/roles/octavia_undercloud/tasks/main.yml

@@ -70,16 +70,18 @@
   when:
     - amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
 
-- name: get the desired public key fingerprint
+- name: get the desired sha-256 public key fingerprint
   shell: |
     set -o pipefail
-    ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5-
+    ssh-keygen -E sha256 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }'
   no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
   register: ssh_keygen_results
 
-- name: get existing public key fingerprint
+- name: get existing public key sha-256 fingerprint
   shell: |
-    openstack keypair show -f value -c fingerprint {{ amp_ssh_key_name }}
+    set -o pipefail
+    openstack keypair show --public-key {{ amp_ssh_key_name }} | \
+    ssh-keygen -E sha256 -lf - | awk '{ print $2 }'
   ignore_errors: true
   no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
   environment: