From 9410d79e6910b3324df4b73e57e39bb15fedbb83 Mon Sep 17 00:00:00 2001 From: Raildo Date: Thu, 26 Nov 2020 09:50:35 -0300 Subject: [PATCH] Adding key_size option on the certificate creation Adding the ability to specifies the private key size used when creating the certificate. We have defined the default value the same as we have before 2048 bits. Also, it'll be able to override the key_size value per service. Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65 (cherry picked from commit 97609775297417620ede0436c80156456a6c41da) --- .../apache/apache-baremetal-puppet.j2.yaml | 16 ++++++ deployment/ceph-ansible/ceph-grafana.yaml | 16 ++++++ deployment/ceph-ansible/ceph-mgr.yaml | 16 ++++++ deployment/ceph-ansible/ceph-rgw.yaml | 16 ++++++ deployment/database/mysql-base.yaml | 16 ++++++ .../database/redis-container-puppet.yaml | 16 ++++++ deployment/etcd/etcd-container-puppet.yaml | 16 ++++++ .../haproxy-internal-tls-certmonger.j2.yaml | 19 +++++++ .../haproxy-public-tls-certmonger.yaml | 19 +++++++ deployment/metrics/qdr-container-puppet.yaml | 16 ++++++ .../neutron/neutron-api-container-puppet.yaml | 16 ++++++ .../neutron-dhcp-container-puppet.yaml | 16 ++++++ .../nova/nova-libvirt-container-puppet.yaml | 50 +++++++++++++++++++ .../nova/nova-vnc-proxy-container-puppet.yaml | 28 +++++++++++ .../providers/ovn-provider-config.yaml | 16 ++++++ .../ovn/ovn-controller-container-puppet.yaml | 16 ++++++ deployment/ovn/ovn-dbs-pacemaker-puppet.yaml | 17 ++++++- .../ovn/ovn-metadata-container-puppet.yaml | 16 ++++++ .../rabbitmq/rabbitmq-container-puppet.yaml | 16 ++++++ ...tmq-messaging-notify-container-puppet.yaml | 16 ++++++ ...bbitmq-messaging-rpc-container-puppet.yaml | 16 ++++++ 21 files changed, 388 insertions(+), 1 deletion(-) diff --git a/deployment/apache/apache-baremetal-puppet.j2.yaml b/deployment/apache/apache-baremetal-puppet.j2.yaml index d8f78a124a..538ba51474 100644 
--- a/deployment/apache/apache-baremetal-puppet.j2.yaml +++ b/deployment/apache/apache-baremetal-puppet.j2.yaml @@ -47,10 +47,21 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ApacheCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']} resources: @@ -116,6 +127,11 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" postsave_cmd: "pkill -USR1 httpd" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ApacheCertificateKeySize} for_each: NETWORK: {get_attr: [ApacheNetworks, value]} - {} diff --git a/deployment/ceph-ansible/ceph-grafana.yaml b/deployment/ceph-ansible/ceph-grafana.yaml index ecc67e3970..0e00515cd1 100644 --- a/deployment/ceph-ansible/ceph-grafana.yaml +++ b/deployment/ceph-ansible/ceph-grafana.yaml @@ -59,9 +59,20 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + GrafanaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']} resources: CephBase: 
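Review bot: `CertificateKeySize` and `ApacheCertificateKeySize` are free-form strings with no `constraints`, so a typo or a value below the 2048-bit default the commit message relies on passes stack validation and only fails, or silently yields a weak key, when certmonger acts on the request. Adding `constraints: [{allowed_values: ['2048', '3072', '4096']}]` under `CertificateKeySize`, and the same list with `''` prepended under the per-service override, rejects such values at stack-create time. The same gap exists for every `*CertificateKeySize` parameter added in the other twenty files of this change. The override description also ends without a period, unlike the `CertificateKeySize` description directly above it; `certificate for this service.` keeps the two consistent.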
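Review bot: The `key_size` added to the certificate spec presumably takes effect only when certmonger first creates the request, so raising `CertificateKeySize` on an already-deployed stack would not re-key certificates it already tracks; if that is the case the parameter description should say so, e.g. `description: Specifies the private key size, in bits, used when creating the certificate. Changing it does not re-key existing certificates.`. The same caveat applies to the matching `key_size:` hunks in every other file of this change. The enclosing `outputs:` mapping starts and ends outside the hunk.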
@@ -151,6 +162,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]} postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: GrafanaCertificateKeySize} - {} - tripleo::ceph_grafana::firewall_rules: '123 ceph_dashboard': diff --git a/deployment/ceph-ansible/ceph-mgr.yaml b/deployment/ceph-ansible/ceph-mgr.yaml index a5a10c2894..50fa303500 100644 --- a/deployment/ceph-ansible/ceph-mgr.yaml +++ b/deployment/ceph-ansible/ceph-mgr.yaml @@ -45,6 +45,16 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} @@ -54,6 +64,7 @@ conditions: - equals: - get_param: EnableInternalTLS - true + key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']} resources: CephBase: @@ -144,6 +155,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]} postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephCertificateKeySize} - {} - tripleo::ceph_mgr::firewall_rules: '113 ceph_mgr': diff --git a/deployment/ceph-ansible/ceph-rgw.yaml b/deployment/ceph-ansible/ceph-rgw.yaml index 49b081a3fa..ceb080daf3 100644 --- a/deployment/ceph-ansible/ceph-rgw.yaml +++ b/deployment/ceph-ansible/ceph-rgw.yaml 
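Review bot: The per-service override in ceph-mgr.yaml is named `CephCertificateKeySize`, which reads as a Ceph-wide setting but only affects the ceph-mgr dashboard certificate, while the sibling templates use `GrafanaCertificateKeySize` and `CephRgwCertificateKeySize`; as these become the deployer-facing interface and are hard to rename later, `CephMgrCertificateKeySize:` (with the `key_size_override_unset` and `key_size:` references in this file updated to match) would be clearer. The same naming drift appears in the OVN and RabbitMQ files, where `ContainerOvnCertificateKeySize`, `OvnDBSCertificateKeySize`, `OvnMetadataCertificateKeySize`, `RabbitmqMessageCertificateKeySize` and `RpcCertificateKeySize` follow no single pattern. A consistent `<Service>CertificateKeySize` convention, as the apache, redis and etcd files already use, makes the override discoverable.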
@@ -45,10 +45,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + CephRgwCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']} resources: CephBase: @@ -184,6 +195,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]} postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: CephRgwCertificateKeySize} - {} metadata_settings: if: diff --git a/deployment/database/mysql-base.yaml b/deployment/database/mysql-base.yaml index cc04b26ac2..e0b000b7d9 100644 --- a/deployment/database/mysql-base.yaml +++ b/deployment/database/mysql-base.yaml @@ -62,11 +62,22 @@ parameters: default: false description: Enable IPv6 in MySQL type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + MysqlCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']} outputs: role_data: 
@@ -157,6 +168,11 @@ outputs: template: "mysql/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: MysqlCertificateKeySize} - {} step_config: | include ::tripleo::profile::base::database::mysql diff --git a/deployment/database/redis-container-puppet.yaml b/deployment/database/redis-container-puppet.yaml index b9bbb5f4c8..5f8e241f5e 100644 --- a/deployment/database/redis-container-puppet.yaml +++ b/deployment/database/redis-container-puppet.yaml @@ -39,10 +39,21 @@ parameters: EnableInternalTLS: type: boolean default: false + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RedisCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']} resources: @@ -113,6 +124,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RedisNetwork]} postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RedisCertificateKeySize} - {} service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS diff --git a/deployment/etcd/etcd-container-puppet.yaml b/deployment/etcd/etcd-container-puppet.yaml index aba8b04b64..459c563cec 100644 --- a/deployment/etcd/etcd-container-puppet.yaml +++ b/deployment/etcd/etcd-container-puppet.yaml 
@@ -61,12 +61,23 @@ parameters: default: false description: Set to True to enable debugging on all services. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + EtcdCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: and: - {equals: [{get_param: EnableInternalTLS}, true]} - {equals: [{get_param: EnableEtcdInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']} resources: ContainersCommon: @@ -132,6 +143,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]} postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh' + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: EtcdCertificateKeySize} etcd::trusted_ca_file: {get_param: InternalTLSCAFile} etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile} - diff --git a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml index dd45631118..e9259cfcd1 100644 --- a/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml +++ b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml @@ -36,6 +36,20 @@ parameters: HAProxyInternalTLSKeysDirectory: default: '/etc/pki/tls/private/haproxy' type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} resources: 
@@ -92,6 +106,11 @@ outputs: - "%{hiera('fqdn_NETWORK')}" principal: "haproxy/%{hiera('fqdn_NETWORK')}" postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} for_each: NETWORK: {get_attr: [HAProxyNetworks, value]} metadata_settings: diff --git a/deployment/haproxy/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml index f7184475c7..0abcbf7977 100644 --- a/deployment/haproxy/haproxy-public-tls-certmonger.yaml +++ b/deployment/haproxy/haproxy-public-tls-certmonger.yaml @@ -41,6 +41,20 @@ parameters: description: > The filepath of the certificate as it will be stored in the controller. type: string + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + HAProxyCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + +conditions: + + key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']} outputs: role_data: @@ -78,6 +92,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, PublicNetwork]} postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: HAProxyCertificateKeySize} metadata_settings: - service: haproxy network: {get_param: [ServiceNetMap, PublicNetwork]} diff --git a/deployment/metrics/qdr-container-puppet.yaml b/deployment/metrics/qdr-container-puppet.yaml index 3bf9432b77..4f7b44a9db 100644 --- a/deployment/metrics/qdr-container-puppet.yaml +++ b/deployment/metrics/qdr-container-puppet.yaml 
@@ -142,11 +142,22 @@ parameters: default: false description: Set to true to enable configuration for STF client. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + QdrCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]} enable_stf: {equals: [{get_param: EnableSTF}, true]} + key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']} resources: @@ -249,6 +260,11 @@ outputs: template: "ROLENAMEMetricsQdrNetwork" params: ROLENAME: {get_param: RoleName} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: QdrCertificateKeySize} tripleo::profile::base::metrics::qdr::ssl_profiles: list_concat: - get_param: MetricsQdrSSLProfiles diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml index 3f51a03faf..04dc45c7de 100644 --- a/deployment/neutron/neutron-api-container-puppet.yaml +++ b/deployment/neutron/neutron-api-container-puppet.yaml @@ -158,6 +158,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service # DEPRECATED: the following options are deprecated and are currently maintained # for backwards compatibility. They will be removed in the Ocata cycle. NeutronL3HA: 
@@ -193,6 +203,7 @@ conditions: az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} + key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']} resources: @@ -387,6 +398,11 @@ outputs: template: "neutron_ovn/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/neutron/neutron-dhcp-container-puppet.yaml b/deployment/neutron/neutron-dhcp-container-puppet.yaml index e94cc32fda..4d6aae466f 100644 --- a/deployment/neutron/neutron-dhcp-container-puppet.yaml +++ b/deployment/neutron/neutron-dhcp-container-puppet.yaml @@ -147,6 +147,16 @@ parameters: Enable dhcp-host entry with list of addresses when port has multiple IPv6 addresses in the same subnet. type: boolean + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NeutronDhcpCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -160,6 +170,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']} omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]} + key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']} resources: 
@@ -260,6 +271,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: NeutronDhcpCertificateKeySize} - {} - if: - dhcp_ovs_intergation_bridge_unset diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml index 8a76e8436e..b0d255d7b1 100644 --- a/deployment/nova/nova-libvirt-container-puppet.yaml +++ b/deployment/nova/nova-libvirt-container-puppet.yaml @@ -116,6 +116,31 @@ parameters: default: '/etc/pki/CA/certs/qemu.pem' type: string description: Specifies the CA cert to use for qemu. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + LibvirtCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuServerCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + QemuClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtCACert: type: string default: '' 
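Review bot: The four override parameters added here (`LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize`, `QemuServerCertificateKeySize`, `QemuClientCertificateKeySize`) all carry the identical description `Override the private key size used when creating the certificate for this service`, which gives a deployer no way to tell which certificate each one controls; judging by the templates in the later hunks these are the libvirt, libvirt-vnc, qemu server and qemu-nbd client certificates. Each description should name its certificate, e.g. `description: Override the private key size used when creating the libvirt server certificate.`, and likewise for the other three. The same applies to `NovaVNCCertificateKeySize` and `LibvirtVNCClientCertificateKeySize` in nova-vnc-proxy-container-puppet.yaml. The `parameters:` mapping starts and ends outside the hunk.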
@@ -325,6 +350,11 @@ conditions: - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, ''] - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true] + key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']} + key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']} + key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']} + resources: RoleParametersValue: type: OS::Heat::Value @@ -475,6 +505,11 @@ outputs: template: "libvirt/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtCertificateKeySize} # create the qemu and qemu_ndb dirs and certs also when when tls for nbd # is not enabled this allows us to enable it even at a later time without # restart of instances @@ -504,6 +539,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_server_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuServerCertificateKeySize} qemu-nbd-client-cert: service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem' service_key: '/etc/pki/libvirt-nbd/client-key.pem' @@ -517,6 +557,11 @@ outputs: template: "qemu/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_qemu_client_override_unset + - {get_param: CertificateKeySize} + - {get_param: QemuClientCertificateKeySize} - nova::migration::libvirt::live_migration_inbound_addr: str_replace: 
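Review bot: The `key_size` added to the libvirt certificate spec (template `libvirt/%{hiera('fqdn_NETWORK')}`) tests `key_size_libvirtvnc_override_unset` but selects `LibvirtCertificateKeySize`, so the libvirt override is only honoured when `LibvirtVNCServerCertificateKeySize` is also set, and setting only the VNC override hands the libvirt certificate an empty `key_size`. The condition `key_size_libvirt_override_unset` defined in the hunk above is never referenced, which points to a copy-paste slip; the first list item should be `- key_size_libvirt_override_unset`. The `@@ -556` hunk, which pairs `key_size_libvirtvnc_override_unset` with `LibvirtVNCServerCertificateKeySize`, is the correct pairing for comparison. The enclosing certificate spec starts before this hunk.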
@@ -556,6 +601,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCServerCertificateKeySize} - {} - if: diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml index 54a8f1a457..c2bac58421 100644 --- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml +++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml @@ -54,6 +54,21 @@ parameters: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + NovaVNCCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service + LibvirtVNCClientCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service LibvirtVncCACert: type: string default: '' @@ -94,6 +109,9 @@ conditions: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] + key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']} + key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']} + resources: ContainersCommon: 
@@ -185,6 +203,11 @@ outputs: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]} + key_size: + if: + - key_size_libvirtvnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: LibvirtVNCClientCertificateKeySize} novnc_proxy_certificates_specs: service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt' service_key: '/etc/pki/tls/private/novnc_proxy.key' @@ -198,6 +221,11 @@ outputs: template: "novnc-proxy/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + key_size: + if: + - key_size_novavnc_override_unset + - {get_param: CertificateKeySize} + - {get_param: NovaVNCCertificateKeySize} - {} service_config_settings: rsyslog: diff --git a/deployment/octavia/providers/ovn-provider-config.yaml b/deployment/octavia/providers/ovn-provider-config.yaml index b4dad6f361..c0d7e0dce4 100644 --- a/deployment/octavia/providers/ovn-provider-config.yaml +++ b/deployment/octavia/providers/ovn-provider-config.yaml @@ -45,6 +45,16 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OctaviaCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: @@ -52,6 +62,7 @@ conditions: is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]} ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]} octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']} + key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']} outputs: role_data: 
@@ -86,6 +97,11 @@ outputs: template: "ovn_octavia/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OctaviaCertificateKeySize} - {} puppet_tags: octavia_ovn_provider_config provider_driver_labels: diff --git a/deployment/ovn/ovn-controller-container-puppet.yaml b/deployment/ovn/ovn-controller-container-puppet.yaml index ca3b86b90d..3edb47a85d 100644 --- a/deployment/ovn/ovn-controller-container-puppet.yaml +++ b/deployment/ovn/ovn-controller-container-puppet.yaml @@ -104,11 +104,22 @@ parameters: The value can be multiple addresses separated by commas. type: comma_delimited_list default: [] + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + ContainerOvnCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]} + key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']} resources: @@ -181,6 +192,11 @@ outputs: template: "ovn_controller/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: ContainerOvnCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml index 539b7e31ec..f8960c3278 100644 --- a/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml +++ b/deployment/ovn/ovn-dbs-pacemaker-puppet.yaml 
@@ -84,7 +84,16 @@ parameters: description: timeout for monitor of ovn dbs resource in seconds type: number default: 60 - + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnDBSCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: puppet_debug_enabled: {get_param: ConfigDebug} @@ -92,6 +101,7 @@ conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]} use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]} + key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']} resources: @@ -170,6 +180,11 @@ outputs: template: "ovn_dbs/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnDBSCertificateKeySize} - {} service_config_settings: {} # BEGIN DOCKER SETTINGS diff --git a/deployment/ovn/ovn-metadata-container-puppet.yaml b/deployment/ovn/ovn-metadata-container-puppet.yaml index 896a860067..9883451f0c 100644 --- a/deployment/ovn/ovn-metadata-container-puppet.yaml +++ b/deployment/ovn/ovn-metadata-container-puppet.yaml @@ -112,6 +112,16 @@ parameters: description: Additional domain sockets for the docker daemon to bind to (useful for mounting into containers that launch other containers) type: comma_delimited_list + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + OvnMetadataCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]} 
@@ -119,6 +129,7 @@ conditions: service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} + key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']} resources: @@ -201,6 +212,11 @@ outputs: template: "ovn_metadata/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]} + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: OvnMetadataCertificateKeySize} - {} puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-container-puppet.yaml index a9d05701b9..e48c30e58c 100644 --- a/deployment/rabbitmq/rabbitmq-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-container-puppet.yaml @@ -93,10 +93,21 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']} resources: @@ -205,6 +216,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqCertificateKeySize} - {} - rabbitmq::admin_enable: false rabbitmq::management_enable: true 
diff --git a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml index 926f770551..c5196f8e28 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml @@ -66,9 +66,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RabbitmqMessageCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RabbitmqMessageCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: diff --git a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml index da23c17a5f..5e2ebf898a 100644 --- a/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml +++ b/deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml 
@@ -67,9 +67,20 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. + CertificateKeySize: + type: string + default: '2048' + description: Specifies the private key size used when creating the + certificate. + RpcCertificateKeySize: + type: string + default: '' + description: Override the private key size used when creating the + certificate for this service conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']} resources: @@ -157,6 +168,11 @@ outputs: params: NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]} postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh" + key_size: + if: + - key_size_override_unset + - {get_param: CertificateKeySize} + - {get_param: RpcCertificateKeySize} - {} # BEGIN DOCKER SETTINGS puppet_config: