diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index d8f78a124a..538ba51474 100644 --- a/deployment/apache/apache-baremetal-puppet.j2.yaml +++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -47,10 +47,21 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ApacheCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']} resources: @@ -116,6 +127,11 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" postsave_cmd: "pkill -USR1 httpd" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} for_each: NETWORK: {get_attr: [ApacheNetworks, value]} - {} diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml index ecc67e3970..0e00515cd1 100644 --- a/deployment/ceph-ansible/ceph-grafana.yaml +++ b/deployment/ceph-ansible/ceph-grafana.yaml 
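Review bot: `CertificateKeySize` and `ApacheCertificateKeySize` are declared as free-form strings with no `constraints`, so a typo or an undersized value such as `'1024'` passes stack validation and only fails (or silently weakens the key) when certmonger generates the key on the node. A Heat constraint catches it at `openstack overcloud deploy` time: `constraints:` / `- allowed_values: ['2048', '3072', '4096']` (adjust the list to what the deployment's CA accepts). The description should also say whether the size applies only to certificates requested after the change — whether certmonger re-keys an already-tracked certificate when `key_size` changes is not visible here, and it is the first thing an operator will ask when raising the size on a running cloud.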
@@ -59,9 +59,20 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + GrafanaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']} resources: CephBase: @@ -151,6 +162,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} - {} - tripleo::ceph_grafana::firewall_rules: '123 ceph_dashboard': diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml index a5a10c2894..50fa303500 100644 --- a/deployment/ceph-ansible/ceph-mgr.yaml +++ b/deployment/ceph-ansible/ceph-mgr.yaml @@ -45,6 +45,16 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} @@ -54,6 +64,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: 
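Review bot: In the ceph-mgr hunk the override is named `CephCertificateKeySize`, but the certificate it controls is the dashboard certificate (the outputs hunk keys it on `CephDashboardNetwork` with `certmonger-dashboard-refresh.sh`), while the sibling templates use `CephRgwCertificateKeySize` and `GrafanaCertificateKeySize`. The generic name reads as if it covered all Ceph certificates; `CephDashboardCertificateKeySize` would match the siblings and the description `Override the private key size used when creating the Ceph dashboard certificate` would say what it actually scopes.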
@@ -144,6 +155,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} - {} - tripleo::ceph_mgr::firewall_rules: '113 ceph_mgr': diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 49b081a3fa..ceb080daf3 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml +++ b/deployment/ceph-ansible/ceph-rgw.yaml @@ -45,10 +45,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephRgwCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: @@ -184,6 +195,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index cc04b26ac2..e0b000b7d9 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml 
@@ -62,11 +62,22 @@ parameters: default: false description: Enable IPv6 in MySQL type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MysqlCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']} outputs: role_data: @@ -157,6 +168,11 @@ outputs: template: "mysql/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} - {} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index b9bbb5f4c8..5f8e241f5e 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml @@ -39,10 +39,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RedisCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']} resources: 
@@ -113,6 +124,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} - {} service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index aba8b04b64..459c563cec 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml @@ -61,12 +61,23 @@ parameters: default: false description: Set to True to enable debugging on all services. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + EtcdCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: and: - {equals: [{get_param: EnableInternalTLS}, true]} - {equals: [{get_param: EnableEtcdInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']} resources: ContainersCommon: @@ -132,6 +143,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh' + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: EtcdCertificateKeySize} etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} - diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml index dd45631118..e9259cfcd1 100644 --- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml +++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml 
@@ -36,6 +36,20 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} resources: @@ -92,6 +106,11 @@ outputs: - "%{hiera('fqdn_NETWORK')}" principal: "haproxy/%{hiera('fqdn_NETWORK')}" postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} for_each: NETWORK: {get_attr: [HAProxyNetworks, value]} metadata_settings: diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml index f7184475c7..0abcbf7977 100644 --- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml +++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml @@ -41,6 +41,20 @@ parameters: description: > The filepath of the certificate as it will be stored in the controller. type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} outputs: role_data: 
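Review bot: Both haproxy-internal-tls-certmonger.j2.yaml and haproxy-public-tls-certmonger.yaml declare the same override, `HAProxyCertificateKeySize`, so a single value drives the public endpoint certificate and every internal-network certificate at once. The public certificate is the one most likely to be subject to an external CA policy or a different size requirement, and with a shared parameter it cannot be set independently; a separate `HAProxyPublicCertificateKeySize` in the public template (with its own `key_size_override_unset` condition) would keep the two decoupled. If sharing is intended, the description `Override the private key size used when creating the certificate for this service` should say it covers both the public and internal HAProxy certificates.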
@@ -78,6 +92,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 3bf9432b77..4f7b44a9db 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml @@ -142,11 +142,22 @@ parameters: default: false description: Set to true to enable configuration for STF client. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + QdrCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]} enable_stf: {equals: [{get_param: EnableSTF}, true]} + key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']} resources: @@ -249,6 +260,11 @@ outputs: template: "ROLENAMEMetricsQdrNetwork" params: ROLENAME: {get_param: RoleName} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} tripleo::profile::base::metrics::qdr::ssl_profiles: list_concat: - get_param: MetricsQdrSSLProfiles diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 3f51a03faf..04dc45c7de 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml 
@@ -158,6 +158,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: @@ -193,6 +203,7 @@ conditions: az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} + key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']} resources: @@ -387,6 +398,11 @@ outputs: template: "neutron_ovn/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index e94cc32fda..4d6aae466f 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml 
@@ -147,6 +147,16 @@ parameters: Enable dhcp-host entry with list of addresses when port has multiple IPv6 addresses in the same subnet. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronDhcpCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -160,6 +170,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} + key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']} resources: @@ -260,6 +271,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} - {} - if: - dhcp_ovs_intergation_bridge_unset diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 8a76e8436e..b0d255d7b1 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml 
@@ -116,6 +116,31 @@ parameters: default: '/etc/pki/CA/certs/qemu.pem' type: string description: Specifies the CA cert to use for qemu. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + LibvirtCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtCACert: type: string default: '' @@ -325,6 +350,11 @@ conditions: - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']} + key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']} + key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']} + resources: RoleParametersValue: type: OS::Heat::Value 
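Review bot: The four new overrides (`LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize`, `QemuServerCertificateKeySize`, `QemuClientCertificateKeySize`) all carry the identical description `Override the private key size used when creating the certificate for this service`, which gives an operator no way to tell which of the four certificates in this template each one governs. Each description should name its certificate, e.g. `Override the private key size used when creating the libvirt server certificate` and `... the qemu-nbd client certificate`, matching the specs they feed (`libvirt/`, `libvirt-vnc/`, `qemu/` server and `qemu-nbd-client-cert`). Also note that `key_size_libvirt_override_unset` is defined in the conditions hunk but is not referenced by any of the outputs hunks that follow, which is worth checking against the libvirt certificate spec.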
@@ -475,6 +505,11 @@ outputs: template: "libvirt/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtCertificateKeySize} # create the qemu and qemu_ndb dirs and certs also when when tls for nbd # is not enabled this allows us to enable it even at a later time without # restart of instances @@ -504,6 +539,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_server_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuServerCertificateKeySize} qemu-nbd-client-cert: service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' service_key: '/etc/pki/libvirt-nbd/client-key.pem' @@ -517,6 +557,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_client_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuClientCertificateKeySize} - nova::migration::libvirt::live_migration_inbound_addr: str_replace: @@ -556,6 +601,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCServerCertificateKeySize} - {} - if: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index 54a8f1a457..c2bac58421 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml 
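Review bot: The `key_size` added to the `libvirt/` certificate spec tests `key_size_libvirtvnc_override_unset` but falls through to `LibvirtCertificateKeySize`, so the condition and the value belong to different parameters. Setting only `LibvirtCertificateKeySize` is silently ignored (the VNC override is still unset, so `CertificateKeySize` wins), and setting only `LibvirtVNCServerCertificateKeySize` hands certmonger the empty default of `LibvirtCertificateKeySize` as the libvirt key size; how certmonger treats an empty `key_size` is not visible here, but either way the operator's choice does not reach the libvirt server certificate. The condition hunk already defines the right name, so the fix is the one line `- key_size_libvirt_override_unset` in place of `- key_size_libvirtvnc_override_unset` in this spec; the later `libvirt-vnc/` spec correctly pairs the vnc condition with `LibvirtVNCServerCertificateKeySize`.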
@@ -54,6 +54,21 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NovaVNCCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtVncCACert: type: string default: '' @@ -94,6 +109,9 @@ conditions: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] + key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']} + resources: ContainersCommon: @@ -185,6 +203,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCClientCertificateKeySize} novnc_proxy_certificates_specs: service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' service_key: '/etc/pki/tls/private/novnc_proxy.key' @@ -198,6 +221,11 @@ outputs: template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + key_size: + if: + - key_size_novavnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: NovaVNCCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index b4dad6f361..c0d7e0dce4 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml 
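Review bot: `NovaVNCCertificateKeySize` and `LibvirtVNCClientCertificateKeySize` share the same description, `Override the private key size used when creating the certificate for this service`, although one sizes the noVNC proxy server certificate (`novnc-proxy/`, on `NovaApiNetwork`) and the other the libvirt VNC client certificate (`libvirt-vnc/`, on `NovaVncProxyNetwork`). Each description should name its certificate so an operator raising the proxy key size does not reach for the client parameter by mistake. The condition name `key_size_libvirtvnc_override_unset` is also reused in nova-libvirt-container-puppet.yaml for the server-side parameter; the templates are separate so there is no clash, but `key_size_libvirtvnc_client_override_unset` here would make the pairing obvious when reading the two files side by side.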
+++ b/deployment/octavia/providers/ovn-provider-config.yaml @@ -45,6 +45,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OctaviaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -52,6 +62,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: @@ -86,6 +97,11 @@ outputs: template: "ovn_octavia/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OctaviaCertificateKeySize} - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index ca3b86b90d..3edb47a85d 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml 
@@ -104,11 +104,22 @@ parameters: The value can be multiple addresses separated by commas. type: comma_delimited_list default: [] + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ContainerOvnCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]} + key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} resources: @@ -181,6 +192,11 @@ outputs: template: "ovn_controller/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index 539b7e31ec..f8960c3278 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml @@ -84,7 +84,16 @@ parameters: description: timeout for monitor of ovn dbs resource in seconds type: number default: 60 - + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnDBSCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: puppet_debug_enabled: {get_param: ConfigDebug} 
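Review bot: The ovn-controller override is named `ContainerOvnCertificateKeySize`, while the other OVN templates in this change use `OvnDBSCertificateKeySize` and `OvnMetadataCertificateKeySize`; the `Container` prefix does not describe the certificate (`ovn_controller/` on `OvnDbsNetwork`) and breaks the `<Service>CertificateKeySize` pattern every other file follows. `OvnControllerCertificateKeySize` would match the siblings and be discoverable next to them in `parameter_defaults`. If the name is kept for compatibility with an existing environment file, the description should say so.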
@@ -92,6 +101,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]} use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]} + key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']} resources: @@ -170,6 +180,11 @@ outputs: template: "ovn_dbs/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index 896a860067..9883451f0c 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -112,6 +112,16 @@ parameters: description: Additional domain sockets for the docker daemon to bind to (useful for mounting into containers that launch other containers) type: comma_delimited_list + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnMetadataCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} @@ -119,6 +129,7 @@ conditions: service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} + key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']} resources: 
@@ -201,6 +212,11 @@ outputs: template: "ovn_metadata/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} - {} puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index a9d05701b9..e48c30e58c 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -93,10 +93,21 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} resources: @@ -205,6 +216,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} - {} - rabbitmq::admin_enable: false rabbitmq::management_enable: true diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 926f770551..c5196f8e28 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml 
@@ -66,9 +66,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqMessageCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index da23c17a5f..5e2ebf898a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml @@ -67,9 +67,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RpcCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']} resources: 
@@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: