Fix octavia deployment tasks for FIPS environment
Under FIPS, creating an md5 hash using ssh-keygen will fail.
As nova does not yet provide fingerprints other than md5, download
and compute the fingerprint locally instead.
Also fix genrsa, which is deprecated, and will also fail under FIPS
Signed-off-by: Jiri Podivin <jpodivin@redhat.com>
Change-Id: Ida652c946f8414b2f6ad35baf6e26d0e068da991
(cherry picked from commit 1e87f235b1
)
parent
7866c5e1a8
commit
c668da793a
@ -35,8 +35,8 @@
|
||||
- name: Generating certificate authority private key
|
||||
become: true
|
||||
shell: |
|
||||
openssl genrsa -passout env:CA_PASSPHRASE -aes256 \
|
||||
-out {{ openssl_temp_dir }}/private/cakey.pem 2048
|
||||
openssl genpkey -algorithm RSA -pass env:CA_PASSPHRASE -aes-256-cbc \
|
||||
-out {{ openssl_temp_dir }}/private/cakey.pem
|
||||
environment:
|
||||
CA_PASSPHRASE: "{{ ca_passphrase }}"
|
||||
when:
|
||||
|
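Review bot: The replacement `openssl genpkey` call no longer states a key size, whereas the removed `genrsa` line fixed it at 2048 bits. The CA key length now follows whatever default the installed OpenSSL uses for RSA, and that default has differed between releases. Pinning it keeps the CA key strength explicit and reproducible: add `-pkeyopt rsa_keygen_bits:2048` (or a larger value if policy requires it) before `-out`. The task's `when:` list continues outside the hunk.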
@ -70,16 +70,18 @@
|
||||
when:
|
||||
- amp_ssh_key_path is not defined or ((amp_ssh_key_path | length) < 1)
|
||||
|
||||
- name: get the desired public key fingerprint
|
||||
- name: get the desired sha-256 public key fingerprint
|
||||
shell: |
|
||||
set -o pipefail
|
||||
ssh-keygen -E md5 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }' | cut -c 5-
|
||||
ssh-keygen -E sha256 -lf {{ amp_ssh_key_path_final }} | awk '{ print $2 }'
|
||||
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
|
||||
register: ssh_keygen_results
|
||||
|
||||
- name: get existing public key fingerprint
|
||||
- name: get existing public key sha-256 fingerprint
|
||||
shell: |
|
||||
openstack keypair show -f value -c fingerprint {{ amp_ssh_key_name }}
|
||||
set -o pipefail
|
||||
openstack keypair show --public-key {{ amp_ssh_key_name }} | \
|
||||
ssh-keygen -E sha256 -lf - | awk '{ print $2 }'
|
||||
ignore_errors: true
|
||||
no_log: "{{ octavia_undercloud_config_hide_sensitive_logs | bool }}"
|
||||
environment:
|
||||
|
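Review bot: With `ignore_errors: true` on the rewritten "get existing public key sha-256 fingerprint" task, the new pipeline cannot tell a missing keypair apart from an API or authentication error, or from an `ssh-keygen` that does not accept `-lf -`. In each case the task output is simply empty. The task's remaining keys and the comparison that consumes its result lie outside this hunk, so presumably any such failure is handled like a fingerprint mismatch. That is worth confirming, and narrowing with a `failed_when` that tolerates only the expected not-found case. The templated values are also interpolated unquoted into the shell on the new lines; `{{ amp_ssh_key_path_final | quote }}` and `{{ amp_ssh_key_name | quote }}` would keep a path or name containing spaces or shell metacharacters from being split or interpreted.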