Merge "Adding key_size option on the certificate creation"

Zuul 2021-01-06 10:22:15 +00:00 committed by Gerrit Code Review
commit b159f8c822
22 changed files with 404 additions and 0 deletions


@ -47,10 +47,21 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ApacheCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
resources:
@ -116,6 +127,11 @@ outputs:
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "pkill -USR1 httpd"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ApacheCertificateKeySize}
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
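Review bot: CertificateKeySize and ApacheCertificateKeySize are declared as unconstrained strings, so a weak or non-numeric value such as '1024' or 'abc' passes Heat validation and is only rejected, if at all, when certmonger tries to generate the key. A `constraints:` entry on both parameters would fail the stack at validation time instead, e.g. `constraints:` / `- allowed_pattern: '^(2048|3072|4096)$'` on CertificateKeySize and `'^(|2048|3072|4096)$'` on the override so the empty default still falls through to CertificateKeySize. The exact set of acceptable sizes depends on what certmonger and the CA accept, which is not visible here, so the pattern should be confirmed before merging. The `parameters:` mapping this hunk extends begins outside the hunk.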


@ -63,9 +63,20 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
GrafanaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
resources:
CephBase:
@ -165,6 +176,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: GrafanaCertificateKeySize}
- {}
metadata_settings:
if:
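Review bot: The description of GrafanaCertificateKeySize does not say that the empty default means "use CertificateKeySize", which is the behaviour the `key_size_override_unset` condition implements, and neither description states the unit. I would document it, e.g. on CertificateKeySize `description: Default RSA private key size, in bits, used when certmonger creates a certificate.` and on the override `description: Per-service override of CertificateKeySize for the Grafana certificate, in bits. Leave empty to use CertificateKeySize.` "RSA" is an assumption from the 2048 default and should be confirmed against the certmonger profile in use.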


@ -49,6 +49,16 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
@ -58,6 +68,7 @@ conditions:
- equals:
- get_param: EnableInternalTLS
- true
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
resources:
CephBase:
@ -157,6 +168,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephCertificateKeySize}
- {}
metadata_settings:
if:
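Review bot: CephCertificateKeySize at L86 only governs the dashboard certificate (the spec keyed on CephDashboardNetwork), but its name reads as a Ceph-wide setting, while the sibling templates in this change use the service-specific names GrafanaCertificateKeySize and CephRgwCertificateKeySize. Renaming it to `CephDashboardCertificateKeySize` (and updating the `key_size_override_unset` condition and the `get_param` accordingly) would make the three overrides consistent and avoid operators assuming it also covers RGW and Grafana. This is cheap now and awkward once the parameter name is in released documentation.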


@ -45,10 +45,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
CephRgwCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
resources:
CephBase:
@ -183,6 +194,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: CephRgwCertificateKeySize}
- {}
metadata_settings:
if:


@ -67,6 +67,16 @@ parameters:
description: Buffer pool size for MySQL database; this needs to be larger
for at-scale deployments
default: ''
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MysqlCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
parameter_groups:
- label: deprecated
@ -86,6 +96,7 @@ conditions:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
- 6
innodb_buffer_pool_size: {not: {equals: [{get_param: MysqlInnodbBufferPoolSize}, '']}}
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
outputs:
role_data:
@ -167,6 +178,11 @@ outputs:
template: "mysql/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MysqlCertificateKeySize}
- {}
-
if:


@ -39,10 +39,21 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RedisCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
resources:
@ -113,6 +124,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RedisCertificateKeySize}
- {}
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS


@ -61,12 +61,23 @@ parameters:
default: false
description: Set to True to enable debugging on all services.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
EtcdCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled:
and:
- {equals: [{get_param: EnableInternalTLS}, true]}
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
resources:
ContainersCommon:
@ -132,6 +143,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: EtcdCertificateKeySize}
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
-


@ -36,6 +36,20 @@ parameters:
HAProxyInternalTLSKeysDirectory:
default: '/etc/pki/tls/private/haproxy'
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
resources:
@ -92,6 +106,11 @@ outputs:
- "%{hiera('fqdn_NETWORK')}"
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
metadata_settings:


@ -41,6 +41,20 @@ parameters:
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
HAProxyCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
outputs:
role_data:
@ -78,6 +92,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: HAProxyCertificateKeySize}
metadata_settings:
- service: haproxy
network: {get_param: [ServiceNetMap, PublicNetwork]}
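Review bot: HAProxyCertificateKeySize is declared here for the public-facing certificate and, with the identical name, in the internal HAProxy template earlier in this change (L267), so one parameter_defaults entry silently sets the key size of both the external cert and every internal per-network cert. If that coupling is intended the description should say so rather than "for this service"; if not, a distinct name such as `HAProxyPublicCertificateKeySize` keeps the two independently tunable, which matters when the public CA and the internal CA have different key-size policies. I cannot tell from the diff which was intended.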


@ -66,6 +66,16 @@ parameters:
default: false
description: Set to True to enable TLS on Memcached service.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
MemcachedCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
@ -79,6 +89,7 @@ conditions:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
- 6
key_size_override_unset: {equals: [{get_param: MemcachedCertificateKeySize}, '']}
resources:
@ -178,6 +189,11 @@ outputs:
params:
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: MemcachedCertificateKeySize}
- {}
service_config_settings:
collectd:


@ -144,11 +144,22 @@ parameters:
default: false
description: Set to true to enable configuration for STF client.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
QdrCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
enable_stf: {equals: [{get_param: EnableSTF}, true]}
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
resources:
@ -249,6 +260,11 @@ outputs:
template: "ROLENAMEMetricsQdrNetwork"
params:
ROLENAME: {get_param: RoleName}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: QdrCertificateKeySize}
tripleo::profile::base::metrics::qdr::ssl_profiles:
list_concat:
- get_param: MetricsQdrSSLProfiles


@ -163,6 +163,16 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
@ -198,6 +208,7 @@ conditions:
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
resources:
@ -404,6 +415,11 @@ outputs:
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronCertificateKeySize}
- {}
service_config_settings:
rsyslog:


@ -147,6 +147,16 @@ parameters:
Enable dhcp-host entry with list of addresses when port has multiple
IPv6 addresses in the same subnet.
type: boolean
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NeutronDhcpCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
@ -160,6 +170,7 @@ conditions:
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
resources:
@ -260,6 +271,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: NeutronDhcpCertificateKeySize}
- {}
- if:
- dhcp_ovs_intergation_bridge_unset


@ -116,6 +116,31 @@ parameters:
default: '/etc/pki/CA/certs/qemu.pem'
type: string
description: Specifies the CA cert to use for qemu.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
LibvirtCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVNCServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuServerCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
QemuClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtCACert:
type: string
default: ''
@ -324,6 +349,11 @@ conditions:
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
resources:
RoleParametersValue:
type: OS::Heat::Value
@ -470,6 +500,11 @@ outputs:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtCertificateKeySize}
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
# is not enabled this allows us to enable it even at a later time without
# restart of instances
@ -499,6 +534,11 @@ outputs:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_server_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuServerCertificateKeySize}
qemu-nbd-client-cert:
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
@ -512,6 +552,11 @@ outputs:
template: "qemu/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_qemu_client_override_unset
- {get_param: CertificateKeySize}
- {get_param: QemuClientCertificateKeySize}
-
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
@ -551,6 +596,11 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtVNCServerCertificateKeySize}
- {}
-
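Review bot: The libvirt certificate spec at L515-L519 tests the wrong condition: it branches on `key_size_libvirtvnc_override_unset` (LibvirtVNCServerCertificateKeySize) but returns LibvirtCertificateKeySize, and the `key_size_libvirt_override_unset` condition defined at L504 is never referenced. As written, setting LibvirtCertificateKeySize alone has no effect, and setting only LibvirtVNCServerCertificateKeySize makes the libvirt cert request an empty key_size. The fix is one line: `- key_size_libvirt_override_unset` in place of `- key_size_libvirtvnc_override_unset` at L517. The qemu and libvirt-vnc specs below use their matching conditions correctly.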
if:


@ -54,6 +54,21 @@ parameters:
default: '/etc/pki/CA/certs/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
NovaVNCCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVNCClientCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
LibvirtVncCACert:
type: string
default: ''
@ -114,6 +129,9 @@ conditions:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
resources:
ContainersCommon:
@ -224,6 +242,11 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
key_size:
if:
- key_size_libvirtvnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: LibvirtVNCClientCertificateKeySize}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
@ -237,6 +260,11 @@ outputs:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
key_size:
if:
- key_size_novavnc_override_unset
- {get_param: CertificateKeySize}
- {get_param: NovaVNCCertificateKeySize}
- {}
service_config_settings:
rabbitmq: {get_attr: [NovaBase, role_data, service_config_settings], rabbitmq}
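Review bot: The condition name `key_size_libvirtvnc_override_unset` at L588 refers to LibvirtVNCClientCertificateKeySize here, while the same condition name in the nova-libvirt template of this change refers to LibvirtVNCServerCertificateKeySize. Heat conditions are per template so there is no functional clash, but a reader comparing the two files will mistake them for the same parameter; naming it `key_size_libvirtvnc_client_override_unset` (and the counterpart `..._server_...` in nova-libvirt) makes the client/server split explicit. Purely a readability point; the branches themselves select the right parameters.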


@ -45,6 +45,16 @@ parameters:
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OctaviaCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
@ -52,6 +62,7 @@ conditions:
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
outputs:
role_data:
@ -86,6 +97,11 @@ outputs:
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OctaviaCertificateKeySize}
- {}
puppet_tags: octavia_ovn_provider_config
provider_driver_labels:


@ -98,10 +98,21 @@ parameters:
OpenvSwitch integration bridge, in seconds.
type: number
default: 60
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ContainerOvnCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
resources:
@ -190,6 +201,11 @@ outputs:
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: ContainerOvnCertificateKeySize}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
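Review bot: The override for the ovn_controller certificate is named ContainerOvnCertificateKeySize at L664, which follows neither the service-based convention of the other overrides in this change (OvnDBSCertificateKeySize, OvnMetadataCertificateKeySize) nor says which OVN component it affects. `OvnControllerCertificateKeySize`, with the condition at L672 and the `get_param` at L682 updated to match, would be self-describing. Worth settling before the name is documented for operators.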


@ -96,6 +96,16 @@ parameters:
in backup mode and connects to the active ovsdb-server for replication
type: number
default: 60000
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnDBSCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
@ -104,6 +114,7 @@ conditions:
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
common_tag_full: {equals: [{get_param: ClusterFullTag}, true]}
use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
resources:
@ -187,6 +198,11 @@ outputs:
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnDBSCertificateKeySize}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS


@ -122,6 +122,16 @@ parameters:
description: Probe interval in ms
type: number
default: 60000
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
OvnMetadataCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
@ -129,6 +139,7 @@ conditions:
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']}
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
resources:
@ -212,6 +223,11 @@ outputs:
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: OvnMetadataCertificateKeySize}
- {}
puppet_config:


@ -93,6 +93,16 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RabbitmqCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
parameter_groups:
- label: deprecated
@ -116,6 +126,7 @@ conditions:
equals:
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
- 6
key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
resources:
@ -224,6 +235,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqCertificateKeySize}
- {}
- rabbitmq::admin_enable: false
rabbitmq::management_enable: true


@ -66,6 +66,16 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RabbitmqMessageCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@ -74,6 +84,7 @@ conditions:
equals:
- {get_param: RabbitCookie}
- ''
key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
resources:
@ -162,6 +173,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RabbitmqMessageCertificateKeySize}
- {}
# BEGIN DOCKER SETTINGS
puppet_config:


@ -67,6 +67,16 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
RpcCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
@ -75,6 +85,7 @@ conditions:
equals:
- {get_param: RabbitCookie}
- ''
key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
resources:
@ -162,6 +173,11 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- {get_param: RpcCertificateKeySize}
- {}
# BEGIN DOCKER SETTINGS
puppet_config:
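Review bot: The three RabbitMQ-family overrides in this change use unrelated naming: RabbitmqCertificateKeySize for the base service, RabbitmqMessageCertificateKeySize for the notify cluster (OsloMessagingNotifyNetwork), and here RpcCertificateKeySize at L845 for the RPC cluster, with nothing in the last name tying it to RabbitMQ. `RabbitmqRpcCertificateKeySize` here and `RabbitmqNotifyCertificateKeySize` for the notify template would line up with the network names the specs already use (L823, L860) and make the three discoverable together. Update the `key_size_override_unset` condition at L856 and the `get_param` at L866 in step.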