
Merge "Configure server_certs_key_passphrase for Octavia"

changes/10/661710/4
Zuul 3 years ago
committed by Gerrit Code Review
parent
commit
1ce6d43d1b
  1. 1
      ci/environments/scenario010-multinode-containers.yaml
  2. 1
      ci/environments/scenario010-standalone.yaml
  3. 6
      deployment/octavia/octavia-base.yaml
  4. 11
      deployment/octavia/octavia-deployment-config.j2.yaml
  5. 5
      environments/services-baremetal/octavia.yaml
  6. 5
      environments/services/octavia.yaml
  7. 6
      releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml

1
ci/environments/scenario010-multinode-containers.yaml

@ -109,6 +109,7 @@ parameter_defaults:
NeutronEnableForceMetadata: true
OctaviaManageNovaFlavor: true
# For now, we hardcode it but soon it'll be generated in tripleo-common
OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
OctaviaCaKeyPassphrase: 'upstreamci'
OctaviaGenerateCerts: true
# Remove ContainerCli once this scenario is tested on CentOS8
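Review bot: `OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'` commits a fixed, publicly known passphrase that, per the parameter description added in deployment/octavia/octavia-base.yaml, encrypts the amphora certificates and private keys; that is acceptable for a CI scenario, but the value should be recognisable as CI-only everywhere it appears. The same literal is added to ci/environments/scenario010-standalone.yaml without the accompanying comment, so I would copy the comment there as well, or move the value into a shared CI environment file so the two scenarios cannot drift apart. The comment says generation in tripleo-common is coming "soon" while the release note in this same commit says the value is already auto-generated by TripleO; one of the two should be reworded so a reader knows which is the case today.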

1
ci/environments/scenario010-standalone.yaml

@ -32,6 +32,7 @@ resource_registry:
parameter_defaults:
OctaviaAmphoraSshKeyFile: /home/zuul/.ssh/id_rsa.pub
OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
NodeDataLookup:
AB4114B1-9C9D-409A-BEFB-D88C151BF2C3: {"foo": "bar"}
8CF1A7EA-7B4B-4433-AC83-17675514B1B8: {"foo2": "bar2"}

6
deployment/octavia/octavia-base.yaml

@ -101,6 +101,11 @@ parameters:
If provided, this will create or update a file on the host
with the path provided in OctaviaCaKeyFile with the key
data.
OctaviaServerCertsKeyPassphrase:
description: Passphrase for encrypting Amphora Certificates and
Private Keys.
type: string
hidden: true
OctaviaCaKeyPassphrase:
description: CA private key passphrase.
type: string
@ -196,6 +201,7 @@ outputs:
octavia::service_auth::auth_type: 'password'
octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
octavia::controller::amp_flavor_id: {get_param: OctaviaFlavorId}
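Review bot: The new `OctaviaServerCertsKeyPassphrase` parameter carries no length constraint, although Octavia uses server_certs_key_passphrase as a Fernet key and, as far as I recall, rejects anything other than exactly 32 url-safe base64 characters; the CI value chosen in this commit is exactly 32 characters long, which is consistent with that requirement. A wrong-length value would only surface when the octavia service starts rather than at stack validation, so I would add a Heat constraint under the parameter and state the requirement in the description: `constraints:` / `  - length: {min: 32, max: 32}` and `description: Passphrase for encrypting Amphora Certificates and Private Keys; must be exactly 32 url-safe base64 characters.` The same parameter block is duplicated in deployment/octavia/octavia-deployment-config.j2.yaml and needs the same constraint. `hidden: true` is right for a secret, but with no `default:` the parameter is mandatory for every deployment, so the description should also say whether TripleO generates it when the operator does not set one.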

11
deployment/octavia/octavia-deployment-config.j2.yaml

@ -124,6 +124,11 @@ parameters:
type: string
default: '/etc/octavia/certs/private/cakey.pem'
description: Octavia CA private key file path.
OctaviaServerCertsKeyPassphrase:
description: Passphrase for encrypting Amphora Certificates and
Private Keys.
type: string
hidden: true
OctaviaCaKeyPassphrase:
description: CA private key passphrase.
type: string
@ -138,8 +143,9 @@ parameters:
description: Enable internal generation of certificates for secure
communication with amphorae for isolated private clouds or
systems where security is not a concern. Otherwise, use
OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
OctaviaClientCert to configure Octavia.
OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
OctaviaClientCert and OctaviaServerCertsKeyPassphrase
to configure Octavia.
OctaviaMgmtPortDevName:
type: string
default: "o-hm0"
@ -213,6 +219,7 @@ resources:
lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
ca_cert_path: { get_param: OctaviaCaCertFile }
ca_private_key_path: { get_param: OctaviaCaKeyFile }
server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
client_cert_path: { get_param: OctaviaClientCertFile }
generate_certs: { get_param: OctaviaGenerateCerts }

5
environments/services-baremetal/octavia.yaml

@ -9,7 +9,8 @@ parameter_defaults:
NeutronEnableForceMetadata: true
# This flag enables internal generation of certificates for communication
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
# and OctaviaClient cert to configure secure production environments.
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
# secure production environments.
OctaviaGenerateCerts: true
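Review bot: The rewritten comment names a parameter that does not exist: `# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure` splits OctaviaClientCert into `OctaviaClient` plus a stray `cert`, and the corresponding line in environments/services/octavia.yaml has the same wording even though its old text spelled OctaviaClientCert correctly. I would change the two lines in both files to `# OctaviaClientCert and OctaviaServerCertsKeyPassphrase to configure` / `# secure production environments.`. Neither environment sets OctaviaServerCertsKeyPassphrase, and the parameter is defined without a default in deployment/octavia/octavia-base.yaml, so operators using these files depend on TripleO generating the value; the comment should say so rather than only listing the parameter among those to configure.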

5
environments/services/octavia.yaml

@ -9,7 +9,8 @@ parameter_defaults:
NeutronEnableForceMetadata: true
# This flag enables internal generation of certificates for communication
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
# and OctaviaClientCert to configure secure production environments.
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
# secure production environments.
OctaviaGenerateCerts: true

6
releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml

@ -0,0 +1,6 @@
---
features:
- The passphrase for config option 'server_certs_key_passphrase', that was
recently added to Octavia, and will now be auto-generated by TripleO by
adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO
configures in Octavia.