Adding key_size option on the certificate creation
Adding the ability to specify the private key size
used when creating the certificate. The default value
is the same as before: 2048 bits.
The key_size value can also be overridden
per service.
Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
(cherry picked from commit 9760977529
)
parent
63a2f24cdf
commit
9410d79e69
|
@ -47,10 +47,21 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ApacheCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -116,6 +127,11 @@ outputs:
|
|||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "pkill -USR1 httpd"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- {}
|
||||
|
|
|
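Review bot: CertificateKeySize and ApacheCertificateKeySize are plain `type: string` parameters with no `constraints`, so a non-numeric value or a key size well below current guidance passes stack validation and only surfaces, if at all, when the certificate spec is acted on at deploy time on the node. A Heat constraint rejects it up front, e.g. on CertificateKeySize `constraints:` / `- allowed_values: ['2048', '3072', '4096']`, with `''` added to the list on the per-service override so its default stays valid; since every template in this change redeclares the same CertificateKeySize parameter, the constraint has to be identical in all of them. The descriptions would also read better with the unit spelled out: `description: Specifies the private key size, in bits, used when creating the certificate.` The override descriptions end without a period while the CertificateKeySize one has it; make them consistent.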
@ -59,9 +59,20 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
GrafanaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -151,6 +162,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
- {}
|
||||
- tripleo::ceph_grafana::firewall_rules:
|
||||
'123 ceph_dashboard':
|
||||
|
|
|
@ -45,6 +45,16 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
|
@ -54,6 +64,7 @@ conditions:
|
|||
- equals:
|
||||
- get_param: EnableInternalTLS
|
||||
- true
|
||||
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -144,6 +155,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
- {}
|
||||
- tripleo::ceph_mgr::firewall_rules:
|
||||
'113 ceph_mgr':
|
||||
|
|
|
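Review bot: `CephCertificateKeySize` is a generic name for a parameter the outputs hunk wires only to the dashboard certificate (`CephDashboardNetwork`, `certmonger-dashboard-refresh.sh`), while the sibling templates use service-specific names (`GrafanaCertificateKeySize`, `CephRgwCertificateKeySize`). A name such as `CephDashboardCertificateKeySize` would follow the existing `CephDashboardNetwork` naming and avoid the reading that it overrides every Ceph certificate; the `key_size_override_unset` condition and the `get_param` in the `if` would change with it.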
@ -45,10 +45,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephRgwCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -184,6 +195,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -62,11 +62,22 @@ parameters:
|
|||
default: false
|
||||
description: Enable IPv6 in MySQL
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
MysqlCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -157,6 +168,11 @@ outputs:
|
|||
template: "mysql/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
- {}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::database::mysql
|
||||
|
|
|
@ -39,10 +39,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RedisCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -113,6 +124,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -61,12 +61,23 @@ parameters:
|
|||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
EtcdCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled:
|
||||
and:
|
||||
- {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
|
@ -132,6 +143,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: EtcdCertificateKeySize}
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
|
|
|
@ -36,6 +36,20 @@ parameters:
|
|||
HAProxyInternalTLSKeysDirectory:
|
||||
default: '/etc/pki/tls/private/haproxy'
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -92,6 +106,11 @@ outputs:
|
|||
- "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
metadata_settings:
|
||||
|
|
|
@ -41,6 +41,20 @@ parameters:
|
|||
description: >
|
||||
The filepath of the certificate as it will be stored in the controller.
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -78,6 +92,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
metadata_settings:
|
||||
- service: haproxy
|
||||
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
|
|
|
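Review bot: This template declares `HAProxyCertificateKeySize` under the same name as the internal-TLS haproxy template earlier in this change, and if, as with the other parameters in these templates, a same-named parameter receives one value everywhere it is declared, the public-facing haproxy certificate and the internal one share a single override and cannot be sized independently. If that is intended, the description should say so, e.g. `description: Override the private key size used when creating the public and internal haproxy certificates`; otherwise a distinct name such as `HAProxyPublicCertificateKeySize` with its own `key_size_override_unset` condition keeps the two separable.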
@ -142,11 +142,22 @@ parameters:
|
|||
default: false
|
||||
description: Set to true to enable configuration for STF client.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
QdrCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
|
||||
enable_stf: {equals: [{get_param: EnableSTF}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
|
||||
|
||||
|
||||
resources:
|
||||
|
@ -249,6 +260,11 @@ outputs:
|
|||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
tripleo::profile::base::metrics::qdr::ssl_profiles:
|
||||
list_concat:
|
||||
- get_param: MetricsQdrSSLProfiles
|
||||
|
|
|
@ -158,6 +158,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
# DEPRECATED: the following options are deprecated and are currently maintained
|
||||
# for backwards compatibility. They will be removed in the Ocata cycle.
|
||||
NeutronL3HA:
|
||||
|
@ -193,6 +203,7 @@ conditions:
|
|||
az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']}
|
||||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -387,6 +398,11 @@ outputs:
|
|||
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
|
@ -147,6 +147,16 @@ parameters:
|
|||
Enable dhcp-host entry with list of addresses when port has multiple
|
||||
IPv6 addresses in the same subnet.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronDhcpCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -160,6 +170,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
|
||||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -260,6 +271,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
- {}
|
||||
- if:
|
||||
- dhcp_ovs_intergation_bridge_unset
|
||||
|
|
|
@ -116,6 +116,31 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/qemu.pem'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for qemu.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
LibvirtCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtCACert:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -325,6 +350,11 @@ conditions:
|
|||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
|
||||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
|
||||
|
||||
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
||||
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
||||
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
RoleParametersValue:
|
||||
type: OS::Heat::Value
|
||||
|
@ -475,6 +505,11 @@ outputs:
|
|||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
||||
# is not enabled this allows us to enable it even at a later time without
|
||||
# restart of instances
|
||||
|
@ -504,6 +539,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_server_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuServerCertificateKeySize}
|
||||
qemu-nbd-client-cert:
|
||||
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
||||
|
@ -517,6 +557,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_client_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuClientCertificateKeySize}
|
||||
-
|
||||
nova::migration::libvirt::live_migration_inbound_addr:
|
||||
str_replace:
|
||||
|
@ -556,6 +601,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCServerCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
|
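Review bot: The `key_size` added under the `libvirt/%{hiera('fqdn_NETWORK')}` certificate spec tests `key_size_libvirtvnc_override_unset` but falls through to `LibvirtCertificateKeySize`, so setting only LibvirtCertificateKeySize is silently ignored, and setting only LibvirtVNCServerCertificateKeySize hands the libvirt certificate an empty key_size. The condition this spec needs, `key_size_libvirt_override_unset`, is defined in the conditions hunk of this file and is otherwise unused; the fix is `- key_size_libvirt_override_unset` as the first item of that `if` list. The libvirt-vnc spec later in the file correctly pairs `key_size_libvirtvnc_override_unset` with LibvirtVNCServerCertificateKeySize. The enclosing outputs block starts and ends outside the hunk.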
@ -54,6 +54,21 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NovaVNCCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVncCACert:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -94,6 +109,9 @@ conditions:
|
|||
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
||||
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
||||
|
||||
key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
ContainersCommon:
|
||||
|
@ -185,6 +203,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCClientCertificateKeySize}
|
||||
novnc_proxy_certificates_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
||||
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
||||
|
@ -198,6 +221,11 @@ outputs:
|
|||
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_novavnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
|
@ -45,6 +45,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OctaviaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -52,6 +62,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -86,6 +97,11 @@ outputs:
|
|||
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OctaviaCertificateKeySize}
|
||||
- {}
|
||||
puppet_tags: octavia_ovn_provider_config
|
||||
provider_driver_labels:
|
||||
|
|
|
@ -104,11 +104,22 @@ parameters:
|
|||
The value can be multiple addresses separated by commas.
|
||||
type: comma_delimited_list
|
||||
default: []
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ContainerOvnCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
|
||||
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -181,6 +192,11 @@ outputs:
|
|||
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -84,7 +84,16 @@ parameters:
|
|||
description: timeout for monitor of ovn dbs resource in seconds
|
||||
type: number
|
||||
default: 60
|
||||
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnDBSCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
|
@ -92,6 +101,7 @@ conditions:
|
|||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
|
||||
use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
|
||||
key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -170,6 +180,11 @@ outputs:
|
|||
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -112,6 +112,16 @@ parameters:
|
|||
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
|
||||
into containers that launch other containers)
|
||||
type: comma_delimited_list
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnMetadataCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
||||
|
@ -119,6 +129,7 @@ conditions:
|
|||
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -201,6 +212,11 @@ outputs:
|
|||
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
- {}
|
||||
|
||||
puppet_config:
|
||||
|
|
|
@ -93,10 +93,21 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -205,6 +216,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
- {}
|
||||
- rabbitmq::admin_enable: false
|
||||
rabbitmq::management_enable: true
|
||||
|
|
|
@ -66,9 +66,20 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqMessageCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -157,6 +168,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -67,9 +67,20 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RpcCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -157,6 +168,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|