Adding key_size option on the certificate creation

Adding the ability to specifies the private key size
used when creating the certificate. We have defined the
default value the same as we have before 2048 bits.
Also, it'll be able to override the key_size value
per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
(cherry picked from commit 9760977529)

deployment/apache/apache-baremetal-puppet.j2.yaml

@@ -47,10 +47,21 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  ApacheCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
 
 resources:
 
@@ -116,6 +127,11 @@ outputs:
                         hostname: "%{hiera('fqdn_NETWORK')}"
                         principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                         postsave_cmd: "pkill -USR1 httpd"
+                        key_size:
+                          if:
+                            - key_size_override_unset
+                            - {get_param: CertificateKeySize}
+                            - {get_param: ApacheCertificateKeySize}
                     for_each:
                       NETWORK: {get_attr: [ApacheNetworks, value]}
             - {}

deployment/ceph-ansible/ceph-grafana.yaml

@@ -59,9 +59,20 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  GrafanaCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -151,6 +162,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: GrafanaCertificateKeySize}
             - {}
           - tripleo::ceph_grafana::firewall_rules:
               '123 ceph_dashboard':

deployment/ceph-ansible/ceph-mgr.yaml

@@ -45,6 +45,16 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  CephCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
@@ -54,6 +64,7 @@ conditions:
       - equals:
           - get_param: EnableInternalTLS
           - true
+  key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -144,6 +155,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: CephCertificateKeySize}
             - {}
           - tripleo::ceph_mgr::firewall_rules:
               '113 ceph_mgr':

deployment/ceph-ansible/ceph-rgw.yaml

@@ -45,10 +45,21 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  CephRgwCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
 
 resources:
   CephBase:
@@ -184,6 +195,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: CephRgwCertificateKeySize}
             - {}
       metadata_settings:
         if:

deployment/database/mysql-base.yaml

@@ -62,11 +62,22 @@ parameters:
     default: false
     description: Enable IPv6 in MySQL
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  MysqlCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
 
 outputs:
   role_data:
@@ -157,6 +168,11 @@ outputs:
                     template: "mysql/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: MysqlCertificateKeySize}
             - {}
       step_config: |
         include ::tripleo::profile::base::database::mysql

deployment/database/redis-container-puppet.yaml

@@ -39,10 +39,21 @@ parameters:
   EnableInternalTLS:
     type: boolean
     default: false
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  RedisCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
 
 resources:
 
@@ -113,6 +124,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: RedisCertificateKeySize}
             - {}
       service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS

deployment/etcd/etcd-container-puppet.yaml

@@ -61,12 +61,23 @@ parameters:
     default: false
     description: Set to True to enable debugging on all services.
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  EtcdCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled:
     and:
       - {equals: [{get_param: EnableInternalTLS}, true]}
       - {equals: [{get_param: EnableEtcdInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
 
 resources:
   ContainersCommon:
@@ -132,6 +143,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
               postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
+              key_size:
+                if:
+                  - key_size_override_unset
+                  - {get_param: CertificateKeySize}
+                  - {get_param: EtcdCertificateKeySize}
             etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
             etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
           -

deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml

@@ -36,6 +36,20 @@ parameters:
   HAProxyInternalTLSKeysDirectory:
     default: '/etc/pki/tls/private/haproxy'
     type: string
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  HAProxyCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+
+conditions:
+
+  key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
 
 resources:
 
@@ -92,6 +106,11 @@ outputs:
                   - "%{hiera('fqdn_NETWORK')}"
                 principal: "haproxy/%{hiera('fqdn_NETWORK')}"
                 postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: HAProxyCertificateKeySize}
             for_each:
               NETWORK: {get_attr: [HAProxyNetworks, value]}
       metadata_settings:

deployment/haproxy/haproxy-public-tls-certmonger.yaml

@@ -41,6 +41,20 @@ parameters:
     description: >
         The filepath of the certificate as it will be stored in the controller.
     type: string
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  HAProxyCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+
+conditions:
+
+  key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
 
 outputs:
   role_data:
@@ -78,6 +92,11 @@ outputs:
               params:
                 NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
           postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
+          key_size:
+            if:
+              - key_size_override_unset
+              - {get_param: CertificateKeySize}
+              - {get_param: HAProxyCertificateKeySize}
       metadata_settings:
         - service: haproxy
           network: {get_param: [ServiceNetMap, PublicNetwork]}

deployment/metrics/qdr-container-puppet.yaml

@@ -142,11 +142,22 @@ parameters:
     default: false
     description: Set to true to enable configuration for STF client.
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  QdrCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
   enable_stf: {equals: [{get_param: EnableSTF}, true]}
+  key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
 
 
 resources:
@@ -249,6 +260,11 @@ outputs:
                               template: "ROLENAMEMetricsQdrNetwork"
                               params:
                                 ROLENAME: {get_param: RoleName}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: QdrCertificateKeySize}
               tripleo::profile::base::metrics::qdr::ssl_profiles:
                 list_concat:
                   - get_param: MetricsQdrSSLProfiles

deployment/neutron/neutron-api-container-puppet.yaml

@@ -158,6 +158,16 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  NeutronCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
   # DEPRECATED: the following options are deprecated and are currently maintained
   # for backwards compatibility. They will be removed in the Ocata cycle.
   NeutronL3HA:
@@ -193,6 +203,7 @@ conditions:
   az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']}
   omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
   ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
+  key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
 
 resources:
 
@@ -387,6 +398,11 @@ outputs:
                     template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: NeutronCertificateKeySize}
             - {}
       service_config_settings:
         rsyslog:

deployment/neutron/neutron-dhcp-container-puppet.yaml

@@ -147,6 +147,16 @@ parameters:
       Enable dhcp-host entry with list of addresses when port has multiple
       IPv6 addresses in the same subnet.
     type: boolean
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  NeutronDhcpCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
@@ -160,6 +170,7 @@ conditions:
   is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
   az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
   omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
+  key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
 
 resources:
 
@@ -260,6 +271,11 @@ outputs:
                       params:
                         NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
                   postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
+                  key_size:
+                    if:
+                      - key_size_override_unset
+                      - {get_param: CertificateKeySize}
+                      - {get_param: NeutronDhcpCertificateKeySize}
               - {}
           - if:
               - dhcp_ovs_intergation_bridge_unset

deployment/nova/nova-libvirt-container-puppet.yaml

@@ -116,6 +116,31 @@ parameters:
     default: '/etc/pki/CA/certs/qemu.pem'
     type: string
     description: Specifies the CA cert to use for qemu.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  LibvirtCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+  LibvirtVNCServerCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+  QemuServerCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+  QemuClientCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
   LibvirtCACert:
     type: string
     default: ''
@@ -325,6 +350,11 @@ conditions:
         - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
       - equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
 
+  key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
+  key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
+  key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
+  key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
+
 resources:
   RoleParametersValue:
     type: OS::Heat::Value
@@ -475,6 +505,11 @@ outputs:
                         template: "libvirt/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    key_size:
+                      if:
+                        - key_size_libvirtvnc_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: LibvirtCertificateKeySize}
                 # create the qemu and qemu_ndb dirs and certs also when when tls for nbd
                 # is not enabled this allows us to enable it even at a later time without
                 # restart of instances
@@ -504,6 +539,11 @@ outputs:
                         template: "qemu/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    key_size:
+                      if:
+                        - key_size_qemu_server_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: QemuServerCertificateKeySize}
                   qemu-nbd-client-cert:
                     service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
                     service_key: '/etc/pki/libvirt-nbd/client-key.pem'
@@ -517,6 +557,11 @@ outputs:
                         template: "qemu/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    key_size:
+                      if:
+                        - key_size_qemu_client_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: QemuClientCertificateKeySize}
               -
                 nova::migration::libvirt::live_migration_inbound_addr:
                   str_replace:
@@ -556,6 +601,11 @@ outputs:
                         template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    key_size:
+                      if:
+                        - key_size_libvirtvnc_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: LibvirtVNCServerCertificateKeySize}
               - {}
           -
             if:

deployment/nova/nova-vnc-proxy-container-puppet.yaml

@@ -54,6 +54,21 @@ parameters:
     default: '/etc/pki/CA/certs/vnc.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  NovaVNCCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
+  LibvirtVNCClientCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
   LibvirtVncCACert:
     type: string
     default: ''
@@ -94,6 +109,9 @@ conditions:
     # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
     equals: [{get_param: StackUpdateType}, 'UPGRADE']
 
+  key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
+  key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
+
 resources:
 
   ContainersCommon:
@@ -185,6 +203,11 @@ outputs:
                         template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
+                    key_size:
+                      if:
+                        - key_size_libvirtvnc_override_unset
+                        - {get_param: CertificateKeySize}
+                        - {get_param: LibvirtVNCClientCertificateKeySize}
                 novnc_proxy_certificates_specs:
                   service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
                   service_key: '/etc/pki/tls/private/novnc_proxy.key'
@@ -198,6 +221,11 @@ outputs:
                       template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
                       params:
                         NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+                  key_size:
+                    if:
+                      - key_size_novavnc_override_unset
+                      - {get_param: CertificateKeySize}
+                      - {get_param: NovaVNCCertificateKeySize}
               - {}
       service_config_settings:
         rsyslog:

deployment/octavia/providers/ovn-provider-config.yaml

@@ -45,6 +45,16 @@ parameters:
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  OctaviaCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
@@ -52,6 +62,7 @@ conditions:
   is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
   ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
   octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
+  key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
 
 outputs:
   role_data:
@@ -86,6 +97,11 @@ outputs:
                       template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
                       params:
                         NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+                  key_size:
+                    if:
+                      - key_size_override_unset
+                      - {get_param: CertificateKeySize}
+                      - {get_param: OctaviaCertificateKeySize}
               - {}
       puppet_tags: octavia_ovn_provider_config
       provider_driver_labels:

deployment/ovn/ovn-controller-container-puppet.yaml

@@ -104,11 +104,22 @@ parameters:
                  The value can be multiple addresses separated by commas.
     type: comma_delimited_list
     default: []
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  ContainerOvnCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   force_config_drive:  {equals: [{get_param: OVNMetadataEnabled}, false]}
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   insecure_registry_is_empty: {equals : [{get_param: DockerInsecureRegistryAddress}, []]}
+  key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
 
 resources:
 
@@ -181,6 +192,11 @@ outputs:
                     template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: ContainerOvnCertificateKeySize}
             - {}
       service_config_settings: {}
       # BEGIN DOCKER SETTINGS

deployment/ovn/ovn-dbs-pacemaker-puppet.yaml

@@ -84,7 +84,16 @@ parameters:
     description: timeout for monitor of ovn dbs resource in seconds
     type: number
     default: 60
-
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  OvnDBSCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   puppet_debug_enabled: {get_param: ConfigDebug}
@@ -92,6 +101,7 @@ conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
   use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
+  key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
 
 resources:
 
@@ -170,6 +180,11 @@ outputs:
                     template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: OvnDBSCertificateKeySize}
             - {}
       service_config_settings: {}
       # BEGIN DOCKER SETTINGS

deployment/ovn/ovn-metadata-container-puppet.yaml

@@ -112,6 +112,16 @@ parameters:
     description: Additional domain sockets for the docker daemon to bind to (useful for mounting
                  into containers that launch other containers)
     type: comma_delimited_list
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  OvnMetadataCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
@@ -119,6 +129,7 @@ conditions:
   service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
   neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
+  key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
 
 resources:
 
@@ -201,6 +212,11 @@ outputs:
                     template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
                     params:
                       NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: OvnMetadataCertificateKeySize}
             - {}
 
       puppet_config:

deployment/rabbitmq/rabbitmq-container-puppet.yaml

@@ -93,10 +93,21 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  RabbitmqCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
 
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
 
 resources:
 
@@ -205,6 +216,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: RabbitmqCertificateKeySize}
             - {}
           - rabbitmq::admin_enable: false
             rabbitmq::management_enable: true

deployment/rabbitmq/rabbitmq-messaging-notify-container-puppet.yaml

@@ -66,9 +66,20 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  RabbitmqMessageCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
 
 resources:
 
@@ -157,6 +168,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: RabbitmqMessageCertificateKeySize}
             - {}
       # BEGIN DOCKER SETTINGS
       puppet_config:

deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml

@@ -67,9 +67,20 @@ parameters:
     description: >
       Setting this to a unique value will re-run any deployment tasks which
       perform configuration on a Heat stack-update.
+  CertificateKeySize:
+    type: string
+    default: '2048'
+    description: Specifies the private key size used when creating the
+                 certificate.
+  RpcCertificateKeySize:
+    type: string
+    default: ''
+    description: Override the private key size used when creating the
+                 certificate for this service
 
 conditions:
   internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+  key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
 
 resources:
 
@@ -157,6 +168,11 @@ outputs:
                     params:
                       NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
                 postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
+                key_size:
+                  if:
+                    - key_size_override_unset
+                    - {get_param: CertificateKeySize}
+                    - {get_param: RpcCertificateKeySize}
             - {}
       # BEGIN DOCKER SETTINGS
       puppet_config: