Browse Source

Adding key_size option on the certificate creation

Adding the ability to specifies the private key size
used when creating the certificate. We have defined the
default value the same as we have before 2048 bits.
Also, it'll be able to override the key_size value
per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
(cherry picked from commit 9760977529)
changes/13/769513/4
Raildo 8 months ago
committed by Alex Schultz
parent
commit
9410d79e69
  1. 16
      deployment/apache/apache-baremetal-puppet.j2.yaml
  2. 16
      deployment/ceph-ansible/ceph-grafana.yaml
  3. 16
      deployment/ceph-ansible/ceph-mgr.yaml
  4. 16
      deployment/ceph-ansible/ceph-rgw.yaml
  5. 16
      deployment/database/mysql-base.yaml
  6. 16
      deployment/database/redis-container-puppet.yaml
  7. 16
      deployment/etcd/etcd-container-puppet.yaml
  8. 19
      deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml
  9. 19
      deployment/haproxy/haproxy-public-tls-certmonger.yaml
  10. 16
      deployment/metrics/qdr-container-puppet.yaml
  11. 16
      deployment/neutron/neutron-api-container-puppet.yaml
  12. 16
      deployment/neutron/neutron-dhcp-container-puppet.yaml
  13. 50
      deployment/nova/nova-libvirt-container-puppet.yaml
  14. 28
      deployment/nova/nova-vnc-proxy-container-puppet.yaml
  15. 16
      deployment/octavia/providers/ovn-provider-config.yaml
  16. 16
      deployment/ovn/ovn-controller-container-puppet.yaml
  17. 17
      deployment/ovn/ovn-dbs-pacemaker-puppet.yaml
  18. 16
      deployment/ovn/ovn-metadata-container-puppet.yaml
  19. 16
      deployment/rabbitmq/rabbitmq-container-puppet.yaml
  20. 16
      deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml
  21. 16
      deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml

16
deployment/apache/apache-baremetal-puppet.j2.yaml

@ -47,10 +47,21 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ApacheCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
resources:
@ -116,6 +127,11 @@ outputs:
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "pkill -USR1 httpd"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}

16
deployment/ceph-ansible/ceph-grafana.yaml

@ -59,9 +59,20 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
GrafanaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
resources:
CephBase:
@ -151,6 +162,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
- tripleo::ceph_grafana::firewall_rules:
'123 ceph_dashboard':

16
deployment/ceph-ansible/ceph-mgr.yaml

@ -45,6 +45,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
@ -54,6 +64,7 @@ conditions:
- equals:
- get_param: EnableInternalTLS
- true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources:
CephBase:
@ -144,6 +155,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
- tripleo::ceph_mgr::firewall_rules:
'113 ceph_mgr':

16
deployment/ceph-ansible/ceph-rgw.yaml

@ -45,10 +45,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephRgwCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
resources:
CephBase:
@ -184,6 +195,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:

16
deployment/database/mysql-base.yaml

@ -62,11 +62,22 @@ parameters:
default: false
description: Enable IPv6 in MySQL
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MysqlCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
outputs:
role_data:
@ -157,6 +168,11 @@ outputs:
template: "mysql/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
- {}
step_config: |
include ::tripleo::profile::base::database::mysql

16
deployment/database/redis-container-puppet.yaml

@ -39,10 +39,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RedisCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
resources:
@ -113,6 +124,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
- {}
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS

16
deployment/etcd/etcd-container-puppet.yaml

@ -61,12 +61,23 @@ parameters:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled:
and:
- {equals: [{get_param: EnableInternalTLS}, true]}
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
resources:
ContainersCommon:
@ -132,6 +143,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: EtcdCertificateKeySize}
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-

19
deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml

@ -36,6 +36,20 @@ parameters:
HAProxyInternalTLSKeysDirectory:
default: '/etc/pki/tls/private/haproxy'
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
resources:
@ -92,6 +106,11 @@ outputs:
- "%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
metadata_settings:

19
deployment/haproxy/haproxy-public-tls-certmonger.yaml

@ -41,6 +41,20 @@ parameters:
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
outputs:
role_data:
@ -78,6 +92,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
metadata_settings:
- service: haproxy
network: {get_param: [ServiceNetMap, PublicNetwork]}

16
deployment/metrics/qdr-container-puppet.yaml

@ -142,11 +142,22 @@ parameters:
default: false
description: Set to true to enable configuration for STF client.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
QdrCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
enable_stf: {equals: [{get_param: EnableSTF}, true]}
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
resources:
@ -249,6 +260,11 @@ outputs:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
tripleo::profile::base::metrics::qdr::ssl_profiles:
list_concat:
- get_param: MetricsQdrSSLProfiles

16
deployment/neutron/neutron-api-container-puppet.yaml

@ -158,6 +158,16 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
@ -193,6 +203,7 @@ conditions:
az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']}
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
resources:
@ -387,6 +398,11 @@ outputs:
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronCertificateKeySize}
- {}
service_config_settings:
rsyslog:

16
deployment/neutron/neutron-dhcp-container-puppet.yaml

@ -147,6 +147,16 @@ parameters:
Enable dhcp-host entry with list of addresses when port has multiple
IPv6 addresses in the same subnet.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronDhcpCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
@ -160,6 +170,7 @@ conditions:
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
resources:
@ -260,6 +271,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
- {}
- if:
- dhcp_ovs_intergation_bridge_unset

50
deployment/nova/nova-libvirt-container-puppet.yaml

@ -116,6 +116,31 @@ parameters:
default: '/etc/pki/CA/certs/qemu.pem'
type: string
description: Specifies the CA cert to use for qemu.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
LibvirtCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVNCServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtCACert:
type: string
default: ''
@ -325,6 +350,11 @@ conditions:
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
resources:
RoleParametersValue:
type: OS::Heat::Value
@ -475,6 +505,11 @@ outputs:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtCertificateKeySize}
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
# is not enabled this allows us to enable it even at a later time without
# restart of instances
@ -504,6 +539,11 @@ outputs:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_server_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuServerCertificateKeySize}
qemu-nbd-client-cert:
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
@ -517,6 +557,11 @@ outputs:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_client_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuClientCertificateKeySize}
-
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
@ -556,6 +601,11 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtVNCServerCertificateKeySize}
- {}
-
if:

28
deployment/nova/nova-vnc-proxy-container-puppet.yaml

@ -54,6 +54,21 @@ parameters:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NovaVNCCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVNCClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVncCACert:
type: string
default: ''
@ -94,6 +109,9 @@ conditions:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
resources:
ContainersCommon:
@ -185,6 +203,11 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtVNCClientCertificateKeySize}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
@ -198,6 +221,11 @@ outputs:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
key_size:
if:
- key_size_novavnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: NovaVNCCertificateKeySize}
- {}
service_config_settings:
rsyslog:

16
deployment/octavia/providers/ovn-provider-config.yaml

@ -45,6 +45,16 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OctaviaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
@ -52,6 +62,7 @@ conditions:
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
outputs:
role_data:
@ -86,6 +97,11 @@ outputs:
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OctaviaCertificateKeySize}
- {}
puppet_tags: octavia_ovn_provider_config
provider_driver_labels:

16
deployment/ovn/ovn-controller-container-puppet.yaml

@ -104,11 +104,22 @@ parameters:
The value can be multiple addresses separated by commas.
type: comma_delimited_list
default: []
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ContainerOvnCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
resources:
@ -181,6 +192,11 @@ outputs:
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS

17
deployment/ovn/ovn-dbs-pacemaker-puppet.yaml

@ -84,7 +84,16 @@ parameters:
description: timeout for monitor of ovn dbs resource in seconds
type: number
default: 60
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnDBSCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
@ -92,6 +101,7 @@ conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
resources:
@ -170,6 +180,11 @@ outputs:
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS

16
deployment/ovn/ovn-metadata-container-puppet.yaml

@ -112,6 +112,16 @@ parameters:
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
into containers that launch other containers)
type: comma_delimited_list
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnMetadataCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
@ -119,6 +129,7 @@ conditions:
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
resources:
@ -201,6 +212,11 @@ outputs:
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
- {}
puppet_config:

16
deployment/rabbitmq/rabbitmq-container-puppet.yaml

@ -93,10 +93,21 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RabbitmqCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
resources:
@ -205,6 +216,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
- {}
- rabbitmq::admin_enable: false
rabbitmq::management_enable: true

16
deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml

@ -66,9 +66,20 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RabbitmqMessageCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
resources:
@ -157,6 +168,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
- {}
# BEGIN DOCKER SETTINGS
puppet_config:

16
deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml

@ -67,9 +67,20 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RpcCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
resources:
@ -157,6 +168,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RpcCertificateKeySize}
- {}
# BEGIN DOCKER SETTINGS
puppet_config:

Loading…
Cancel
Save