From 4559d3b74f6827e6509f04b158cfbeba26041e22 Mon Sep 17 00:00:00 2001
From: Nir Magnezi
Date: Mon, 25 Mar 2019 15:23:47 +0200
Subject: [PATCH] Configure server_certs_key_passphrase for Octavia

A recent change[1] to Octavia added a parameter named server_certs_key_passphrase, which means that TripleO should generate a password for it to avoid using the default value. This patch adds OctaviaServerCertsKeyPassphrase to the list of parameters TripleO configures in Octavia.

Closes-Bug: #1821756
Related-Bug: #1821751

[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2

Depends-On: I9699961faf8b3430e4372e4ff3ae2bf7e7ceea18
Depends-On: Id6c0d156715147c6559dc39098a6eaabf77ac426
Depends-On: I5e60e8fbb7af381b59c6d7b02d5ba8eb47e91720
Change-Id: Icadd090f027af6f958c25af6bfb09195a4019aa8
---
 ci/environments/scenario010-multinode-containers.yaml | 1 +
 ci/environments/scenario010-standalone.yaml | 1 +
 deployment/octavia/octavia-base.yaml | 6 ++++++
 deployment/octavia/octavia-deployment-config.j2.yaml | 11 +++++++++--
 environments/services-baremetal/octavia.yaml | 5 +++--
 environments/services/octavia.yaml | 5 +++--
 ...-server_certs_key_passphrase-229a677df1b7f6e0.yaml | 6 ++++++
 7 files changed, 29 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml

diff --git a/ci/environments/scenario010-multinode-containers.yaml b/ci/environments/scenario010-multinode-containers.yaml
index 0c7783e119..fb3f530eb0 100644
--- a/ci/environments/scenario010-multinode-containers.yaml
+++ b/ci/environments/scenario010-multinode-containers.yaml
@@ -109,6 +109,7 @@ parameter_defaults:
 NeutronEnableForceMetadata: true
 OctaviaManageNovaFlavor: true
 # For now, we hardcode it but soon it'll be generated in tripleo-common
+ OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
 OctaviaCaKeyPassphrase: 'upstreamci'
 OctaviaGenerateCerts: true
 # Remove ContainerCli once this scenario is tested on CentOS8
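Review bot: The CI value `'insecure-key-do-not-use-this-key'` appears to be Octavia's own default for server_certs_key_passphrase — the very default the commit message says TripleO should stop relying on — so neither this scenario nor the scenario010-standalone hunk can show whether the new parameter actually reaches octavia.conf; a deployment that silently dropped it would render the same configuration. Octavia documents this passphrase as needing to be 32 base64url-compatible characters, as far as I recall, so a distinct constructed value of that length such as `'tripleo-ci-only-passphrase-00001'` would make the wiring observable in CI. The new line is also inserted between the `# For now, we hardcode it but soon it'll be generated in tripleo-common` comment and the `OctaviaCaKeyPassphrase` line that comment described, so the comment now reads as if it referred to the new key; either place the new key after `OctaviaCaKeyPassphrase`, or widen the comment to `# For now, both passphrases are hardcoded; soon they'll be generated in tripleo-common`.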
diff --git a/ci/environments/scenario010-standalone.yaml b/ci/environments/scenario010-standalone.yaml
index 8738a7eb06..42d48c7a7f 100644
--- a/ci/environments/scenario010-standalone.yaml
+++ b/ci/environments/scenario010-standalone.yaml
@@ -32,6 +32,7 @@ resource_registry:
 parameter_defaults:
 OctaviaAmphoraSshKeyFile: /home/zuul/.ssh/id_rsa.pub
+ OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
 NodeDataLookup:
 AB4114B1-9C9D-409A-BEFB-D88C151BF2C3: {"foo": "bar"}
 8CF1A7EA-7B4B-4433-AC83-17675514B1B8: {"foo2": "bar2"}
diff --git a/deployment/octavia/octavia-base.yaml b/deployment/octavia/octavia-base.yaml
index b629f862ad..c3d0a84ceb 100644
--- a/deployment/octavia/octavia-base.yaml
+++ b/deployment/octavia/octavia-base.yaml
@@ -101,6 +101,11 @@ parameters:
 If provided, this will create or update a file on the host with the path provided in OctaviaCaKeyFile with the key data.
+ OctaviaServerCertsKeyPassphrase:
+ description: Passphrase for encrypting Amphora Certificates and
+ Private Keys.
+ type: string
+ hidden: true
 OctaviaCaKeyPassphrase:
 description: CA private key passphrase.
 type: string
@@ -196,6 +201,7 @@ outputs:
 octavia::service_auth::auth_type: 'password'
 octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
 octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
+ octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
 octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
 octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
 octavia::controller::amp_flavor_id: {get_param: OctaviaFlavorId}
diff --git a/deployment/octavia/octavia-deployment-config.j2.yaml b/deployment/octavia/octavia-deployment-config.j2.yaml
index eeefb9dd34..ef1880f80b 100644
--- a/deployment/octavia/octavia-deployment-config.j2.yaml
+++ b/deployment/octavia/octavia-deployment-config.j2.yaml
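Review bot: The new `OctaviaServerCertsKeyPassphrase` parameter in octavia-base.yaml carries no `default`, so the template only deploys once the tripleo-common change named in Depends-On generates the value, yet nothing in the description tells an operator who sets it by hand what Octavia will accept or that it is generated when unset. Octavia documents this passphrase as needing to be 32 base64url-compatible characters, as far as I recall, so the description should say so and note the auto-generation; the same applies to the identical parameter block added to octavia-deployment-config.j2.yaml. Separately, if Octavia persists amphora certificates or keys encrypted with this passphrase (not verified here), moving an existing deployment from the hard-coded default to a generated value at upgrade would make that data unreadable; the release note says nothing about upgrade behaviour, which is worth confirming before merge.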
@@ -124,6 +124,11 @@ parameters:
 type: string
 default: '/etc/octavia/certs/private/cakey.pem'
 description: Octavia CA private key file path.
+ OctaviaServerCertsKeyPassphrase:
+ description: Passphrase for encrypting Amphora Certificates and
+ Private Keys.
+ type: string
+ hidden: true
 OctaviaCaKeyPassphrase:
 description: CA private key passphrase.
 type: string
@@ -138,8 +143,9 @@ parameters:
 description: Enable internal generation of certificates for secure communication with amphorae for isolated private clouds or systems where security is not a concern. Otherwise, use
- OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
- OctaviaClientCert to configure Octavia.
+ OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+ OctaviaClientCert and OctaviaServerCertsKeyPassphrase
+ to configure Octavia.
 OctaviaMgmtPortDevName:
 type: string
 default: "o-hm0"
@@ -213,6 +219,7 @@ resources:
 lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
 ca_cert_path: { get_param: OctaviaCaCertFile }
 ca_private_key_path: { get_param: OctaviaCaKeyFile }
+ server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
 ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
 client_cert_path: { get_param: OctaviaClientCertFile }
 generate_certs: { get_param: OctaviaGenerateCerts }
diff --git a/environments/services-baremetal/octavia.yaml b/environments/services-baremetal/octavia.yaml
index c62008ab4a..c7b2594101 100644
--- a/environments/services-baremetal/octavia.yaml
+++ b/environments/services-baremetal/octavia.yaml
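Review bot: The reworded `OctaviaGenerateCerts` description still points operators at parameters that do not exist under those names — the resource wiring two hunks below reads `OctaviaCaCertFile`, `OctaviaCaKeyFile` and `OctaviaClientCertFile`, not `OctaviaCaCert`, `OctaviaCaKey` and `OctaviaClientCert` — so someone following it to replace the internally generated certificates with production ones would set keys the template never reads. Since the commit rewrites these three lines anyway, they should read `OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaCaKeyPassphrase,` / `OctaviaClientCertFile and OctaviaServerCertsKeyPassphrase` / `to configure Octavia.` The description's first lines sit in context and are unchanged by the hunk.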
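Review bot: The added `server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}` is the only entry in this mapping written without the inner spaces every neighbouring line uses, which is a style nit but makes the new line stand out in a block that is otherwise uniform; `server_certs_key_passphrase: { get_param: OctaviaServerCertsKeyPassphrase }` matches the surrounding form. The enclosing resource definition starts and ends outside the hunk.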
@@ -9,7 +9,8 @@ parameter_defaults:
 NeutronEnableForceMetadata: true
 # This flag enables internal generation of certificates for communication
- # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
- # and OctaviaClient cert to configure secure production environments.
+ # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+ # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
+ # secure production environments.
 OctaviaGenerateCerts: true
diff --git a/environments/services/octavia.yaml b/environments/services/octavia.yaml
index 223ba4f16d..c7b2594101 100644
--- a/environments/services/octavia.yaml
+++ b/environments/services/octavia.yaml
@@ -9,7 +9,8 @@ parameter_defaults:
 NeutronEnableForceMetadata: true
 # This flag enables internal generation of certificates for communication
- # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
- # and OctaviaClientCert to configure secure production environments.
+ # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+ # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
+ # secure production environments.
 OctaviaGenerateCerts: true
diff --git a/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml b/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml
new file mode 100644
index 0000000000..e358f9b3b5
--- /dev/null
+++ b/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - The passphrase for config option 'server_certs_key_passphrase', that was
+ recently added to Octavia, and will now be auto-generated by TripleO by
+ adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO
+ configures in Octavia.
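Review bot: The rewritten comment now reads `OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure`, which wraps the new parameter inside the existing "OctaviaClient ... cert" typo and leaves a sentence that no longer parses; in the environments/services/octavia.yaml hunk this is a regression, since that file previously said `OctaviaClientCert` correctly. Both comments also name `OctaviaCaCert` and `OctaviaCaKey`, whereas the parameters the templates actually read (visible in the octavia-base.yaml and j2 hunks) are `OctaviaCaCertFile`, `OctaviaCaKeyFile` and `OctaviaClientCertFile`, so an operator disabling OctaviaGenerateCerts for a production deployment would be sent to the wrong keys. Suggested wording for both files: `# with amphorae. Use OctaviaCaCertFile, OctaviaCaKeyFile, OctaviaCaKeyPassphrase,` / `# OctaviaClientCertFile and OctaviaServerCertsKeyPassphrase to configure` / `# secure production environments.`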