Adding key_size option on the certificate creation
Adding the ability to specify the private key size used when creating the certificate. The default value is the same as before, 2048 bits. The key_size value can also be overridden per service. Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
This commit is contained in:
parent
666091c949
commit
9760977529
|
@ -47,10 +47,21 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ApacheCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
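Review bot: `CertificateKeySize` and `ApacheCertificateKeySize` are free-form strings with no `constraints:`, so a typo or a weak value such as `1024` is accepted at stack validation and handed straight to the `key_size` of the certificate spec. Heat parameters support an `allowed_values` constraint; `constraints: [{allowed_values: ['2048', '3072', '4096']}]` on the default and `constraints: [{allowed_values: ['', '2048', '3072', '4096']}]` on the override (keeping `''` so "unset" remains valid) would reject unsupported sizes before anything is deployed. The description could also state the unit, e.g. `description: Specifies the private key size, in bits, used when creating the certificate.` The same unconstrained parameter pair is repeated in every other file section of this commit, so the fix applies there as well.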
||||
|
@ -116,6 +127,11 @@ outputs:
|
|||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "pkill -USR1 httpd"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- {}
|
||||
|
|
|
@ -63,9 +63,20 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
GrafanaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -165,6 +176,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -49,6 +49,16 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
|
@ -58,6 +68,7 @@ conditions:
|
|||
- equals:
|
||||
- get_param: EnableInternalTLS
|
||||
- true
|
||||
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -157,6 +168,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -45,10 +45,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephRgwCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -183,6 +194,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -67,6 +67,16 @@ parameters:
|
|||
description: Buffer pool size for MySQL database; this needs to be larger
|
||||
for at-scale deployments
|
||||
default: ''
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
MysqlCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
|
@ -86,6 +96,7 @@ conditions:
|
|||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
|
||||
- 6
|
||||
innodb_buffer_pool_size: {not: {equals: [{get_param: MysqlInnodbBufferPoolSize}, '']}}
|
||||
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -167,6 +178,11 @@ outputs:
|
|||
template: "mysql/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -39,10 +39,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RedisCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -113,6 +124,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -61,12 +61,23 @@ parameters:
|
|||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
EtcdCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled:
|
||||
and:
|
||||
- {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
|
@ -132,6 +143,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: EtcdCertificateKeySize}
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
|
|
|
@ -36,6 +36,20 @@ parameters:
|
|||
HAProxyInternalTLSKeysDirectory:
|
||||
default: '/etc/pki/tls/private/haproxy'
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -92,6 +106,11 @@ outputs:
|
|||
- "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
metadata_settings:
|
||||
|
|
|
@ -41,6 +41,20 @@ parameters:
|
|||
description: >
|
||||
The filepath of the certificate as it will be stored in the controller.
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
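Review bot: `HAProxyCertificateKeySize` is declared here with the same name as the override added in the internal HAProxy section, so presumably one value sizes both the internal certificates and the public-facing one; that may be intended, but it means the public certificate cannot be given a different key size from the internal ones. If a separate knob is wanted, a distinct name such as `HAProxyPublicCertificateKeySize` with its own `key_size_override_unset` condition would keep the two independent. Either way the shared behaviour is worth stating, e.g. `description: Override the private key size used for both the internal and public HAProxy certificates`.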
|
||||
|
@ -78,6 +92,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
metadata_settings:
|
||||
- service: haproxy
|
||||
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
|
|
|
@ -66,6 +66,16 @@ parameters:
|
|||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
MemcachedCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
|
@ -79,6 +89,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
|
||||
- 6
|
||||
key_size_override_unset: {equals: [{get_param: MemcachedCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -178,6 +189,11 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MemcachedCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
collectd:
|
||||
|
|
|
@ -144,11 +144,22 @@ parameters:
|
|||
default: false
|
||||
description: Set to true to enable configuration for STF client.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
QdrCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
|
||||
enable_stf: {equals: [{get_param: EnableSTF}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
|
||||
|
||||
|
||||
resources:
|
||||
|
@ -249,6 +260,11 @@ outputs:
|
|||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
tripleo::profile::base::metrics::qdr::ssl_profiles:
|
||||
list_concat:
|
||||
- get_param: MetricsQdrSSLProfiles
|
||||
|
|
|
@ -163,6 +163,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
# DEPRECATED: the following options are deprecated and are currently maintained
|
||||
# for backwards compatibility. They will be removed in the Ocata cycle.
|
||||
NeutronL3HA:
|
||||
|
@ -198,6 +208,7 @@ conditions:
|
|||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -404,6 +415,11 @@ outputs:
|
|||
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
|
@ -147,6 +147,16 @@ parameters:
|
|||
Enable dhcp-host entry with list of addresses when port has multiple
|
||||
IPv6 addresses in the same subnet.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronDhcpCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -160,6 +170,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
|
||||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -260,6 +271,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
- {}
|
||||
- if:
|
||||
- dhcp_ovs_intergation_bridge_unset
|
||||
|
|
|
@ -116,6 +116,31 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/qemu.pem'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for qemu.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
LibvirtCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtCACert:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -319,6 +344,11 @@ conditions:
|
|||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
|
||||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
|
||||
|
||||
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
||||
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
||||
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
RoleParametersValue:
|
||||
type: OS::Heat::Value
|
||||
|
@ -464,6 +494,11 @@ outputs:
|
|||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
||||
# is not enabled this allows us to enable it even at a later time without
|
||||
# restart of instances
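Review bot: The libvirt certificate's `key_size` selects its branch on `key_size_libvirtvnc_override_unset` although the value it falls through to is `LibvirtCertificateKeySize`, so setting `LibvirtCertificateKeySize` alone is ignored and setting only `LibvirtVNCServerCertificateKeySize` makes this certificate request an empty key size. The condition defined for this case, `key_size_libvirt_override_unset`, is never referenced anywhere in the commit. The fix is `- key_size_libvirt_override_unset` in place of the first list item under this `if:`. The enclosing certificate spec starts outside the hunk.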
|
||||
|
@ -493,6 +528,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_server_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuServerCertificateKeySize}
|
||||
qemu-nbd-client-cert:
|
||||
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
||||
|
@ -506,6 +546,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_client_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuClientCertificateKeySize}
|
||||
-
|
||||
nova::migration::libvirt::live_migration_inbound_addr:
|
||||
str_replace:
|
||||
|
@ -545,6 +590,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCServerCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -54,6 +54,21 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NovaVNCCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVncCACert:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -114,6 +129,9 @@ conditions:
|
|||
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
||||
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
||||
|
||||
key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
ContainersCommon:
|
||||
|
@ -224,6 +242,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCClientCertificateKeySize}
|
||||
novnc_proxy_certificates_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
||||
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
||||
|
@ -237,6 +260,11 @@ outputs:
|
|||
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_novavnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
|
||||
|
|
|
@ -45,6 +45,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OctaviaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -52,6 +62,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -86,6 +97,11 @@ outputs:
|
|||
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OctaviaCertificateKeySize}
|
||||
- {}
|
||||
puppet_tags: octavia_ovn_provider_config
|
||||
provider_driver_labels:
|
||||
|
|
|
@ -98,10 +98,21 @@ parameters:
|
|||
OpenvSwitch integration bridge, in seconds.
|
||||
type: number
|
||||
default: 60
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ContainerOvnCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -190,6 +201,11 @@ outputs:
|
|||
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -96,6 +96,16 @@ parameters:
|
|||
in backup mode and connects to the active ovsdb-server for replication
|
||||
type: number
|
||||
default: 60000
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnDBSCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
|
@ -104,6 +114,7 @@ conditions:
|
|||
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
|
||||
common_tag_full: {equals: [{get_param: ClusterFullTag}, true]}
|
||||
use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
|
||||
key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -187,6 +198,11 @@ outputs:
|
|||
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -122,6 +122,16 @@ parameters:
|
|||
description: Probe interval in ms
|
||||
type: number
|
||||
default: 60000
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnMetadataCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
||||
|
@ -129,6 +139,7 @@ conditions:
|
|||
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -212,6 +223,11 @@ outputs:
|
|||
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
- {}
|
||||
|
||||
puppet_config:
|
||||
|
|
|
@ -93,6 +93,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
|
@ -116,6 +126,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
|
||||
- 6
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -224,6 +235,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
- {}
|
||||
- rabbitmq::admin_enable: false
|
||||
rabbitmq::management_enable: true
|
||||
|
|
|
@ -66,6 +66,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqMessageCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
@ -74,6 +84,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: RabbitCookie}
|
||||
- ''
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -162,6 +173,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -67,6 +67,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RpcCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
@ -75,6 +85,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: RabbitCookie}
|
||||
- ''
|
||||
key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -162,6 +173,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|