Configure server_certs_key_passphrase for Octavia
A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.
This patch adds OctaviaServerCertsKeyPassphrase to the list
of parameters TripleO configures in Octavia.
Conflicts:
ci/environments/scenario010-standalone.yaml
deployment/octavia/octavia-base.yaml
environments/services/octavia.yaml
Note that octavia-base.yaml exists under puppet/services since
https://review.opendev.org/#/c/638762 was merged into
stable/stein.
Closes-Bug: #1821756
Related-Bug: #1821751
[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
Depends-On: I9699961faf8b3430e4372e4ff3ae2bf7e7ceea18
Depends-On: Id6c0d156715147c6559dc39098a6eaabf77ac426
Depends-On: I5e60e8fbb7af381b59c6d7b02d5ba8eb47e91720
Change-Id: Icadd090f027af6f958c25af6bfb09195a4019aa8
(cherry picked from commit 4559d3b74f
)
parent
d6184b8330
commit
de16ec8b02
|
@ -69,6 +69,7 @@ parameter_defaults:
|
|||
NeutronEnableForceMetadata: true
|
||||
OctaviaManageNovaFlavor: true
|
||||
# For now, we hardcode it but soon it'll be generated in tripleo-common
|
||||
OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
|
||||
OctaviaCaKeyPassphrase: 'upstreamci'
|
||||
OctaviaGenerateCerts: true
|
||||
|
||||
|
|
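Review bot: The added `OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'` is a hard-coded passphrase in a CI environment file; the value is clearly labelled as unsafe, which is appropriate for a scenario file, but the comment above it only says the hard-coding is temporary without naming what replaces it. Suggest `# TODO: drop once tripleo-common generates this passphrase (see the Depends-On changes in the commit message)` so the placeholder does not outlive the follow-up. The new 99-line environment file in the next section sets the same literal at its own `OctaviaServerCertsKeyPassphrase:` line with no such comment; the two should carry the same note. The enclosing `parameter_defaults:` mapping starts outside the hunk.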
|
@ -0,0 +1,99 @@
|
|||
resource_registry:
|
||||
OS::TripleO::Services::CephMgr: ../../deployment/ceph-ansible/ceph-mgr.yaml
|
||||
OS::TripleO::Services::CephMon: ../../deployment/ceph-ansible/ceph-mon.yaml
|
||||
OS::TripleO::Services::CephOSD: ../../deployment/ceph-ansible/ceph-osd.yaml
|
||||
OS::TripleO::Services::CephClient: ../../deployment/ceph-ansible/ceph-client.yaml
|
||||
OS::TripleO::Services::Keepalived: OS::Heat::None
|
||||
OS::TripleO::Services::OsloMessagingRpc: ../../deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
|
||||
OS::TripleO::Services::OsloMessagingNotify: ../../deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml
|
||||
# NOTE(mmagr): We need to disable Sensu client deployment for now as the container health check is based
|
||||
# on successful RabbitMQ connection, which does not happen in this case. We can enable it again when we
|
||||
# will implement default connection to overcloud RabbitMQ instance,
|
||||
#OS::TripleO::Services::SensuClient: ../../deployment/deprecated/monitoring/sensu-client-container-puppet.yaml
|
||||
# Some infra instances don't pass the ping test but are otherwise working.
|
||||
# Since the OVB jobs also test this functionality we can shut it off here.
|
||||
OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml
|
||||
OS::TripleO::Services::OctaviaApi: ../../deployment/octavia/octavia-api-container-puppet.yaml
|
||||
OS::TripleO::Services::OctaviaHousekeeping: ../../deployment/octavia/octavia-housekeeping-container-puppet.yaml
|
||||
OS::TripleO::Services::OctaviaHealthManager: ../../deployment/octavia/octavia-health-manager-container-puppet.yaml
|
||||
OS::TripleO::Services::OctaviaWorker: ../../deployment/octavia/octavia-worker-container-puppet.yaml
|
||||
OS::TripleO::Services::OctaviaDeploymentConfig: ../../deployment/octavia/octavia-deployment-config.yaml
|
||||
OS::TripleO::Services::CinderApi: OS::Heat::None
|
||||
OS::TripleO::Services::CinderBackup: OS::Heat::None
|
||||
OS::TripleO::Services::CinderScheduler: OS::Heat::None
|
||||
OS::TripleO::Services::CinderVolume: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftProxy: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftDispersion: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftStorage: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None
|
||||
OS::TripleO::Services::SwiftStorage: OS::Heat::None
|
||||
OS::TripleO::Services::Horizon: OS::Heat::None
|
||||
|
||||
parameter_defaults:
|
||||
OctaviaAmphoraSshKeyFile: /home/zuul/.ssh/id_rsa.pub
|
||||
OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
|
||||
NodeDataLookup:
|
||||
AB4114B1-9C9D-409A-BEFB-D88C151BF2C3: {"foo": "bar"}
|
||||
8CF1A7EA-7B4B-4433-AC83-17675514B1B8: {"foo2": "bar2"}
|
||||
Debug: true
|
||||
# fetch dir needed for standalone
|
||||
LocalCephAnsibleFetchDirectoryBackup: /var/lib/ceph_ansible_fetch
|
||||
CephAnsibleDisksConfig:
|
||||
osd_objectstore: bluestore
|
||||
osd_scenario: lvm
|
||||
lvm_volumes:
|
||||
- data: ceph_lv_data
|
||||
data_vg: ceph_vg
|
||||
db: ceph_lv_db
|
||||
db_vg: ceph_vg
|
||||
wal: ceph_lv_wal
|
||||
wal_vg: ceph_vg
|
||||
CephPoolDefaultPgNum: 32
|
||||
CephPoolDefaultSize: 1
|
||||
CephAnsibleExtraConfig:
|
||||
centos_package_dependencies: []
|
||||
ceph_osd_docker_memory_limit: '1g'
|
||||
ceph_mds_docker_memory_limit: '1g'
|
||||
#NOTE: These ID's and keys should be regenerated for
|
||||
# a production deployment. What is here is suitable for
|
||||
# developer and CI testing only.
|
||||
CephClusterFSID: '4b5c8c0a-ff60-454b-a1b4-9747aa737d19'
|
||||
CephMonKey: 'AQC+Ox1VmEr3BxAALZejqeHj50Nj6wJDvs96OQ=='
|
||||
CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
|
||||
CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
|
||||
CephAnsiblePlaybookVerbosity: 1
|
||||
CephAnsibleEnvironmentVariables:
|
||||
ANSIBLE_SSH_RETRIES: '4'
|
||||
DEFAULT_FORKS: '3'
|
||||
NovaEnableRbdBackend: true
|
||||
CinderEnableRbdBackend: true
|
||||
CinderBackupBackend: ceph
|
||||
GlanceBackend: rbd
|
||||
CinderEnableIscsiBackend: false
|
||||
BannerText: |
|
||||
******************************************************************
|
||||
* This system is for the use of authorized users only. Usage of *
|
||||
* this system may be monitored and recorded by system personnel. *
|
||||
* Anyone using this system expressly consents to such monitoring *
|
||||
* and is advised that if such monitoring reveals possible *
|
||||
* evidence of criminal activity, system personnel may provide *
|
||||
* the evidence from such monitoring to law enforcement officials.*
|
||||
******************************************************************
|
||||
CollectdExtraPlugins:
|
||||
- rrdtool
|
||||
LoggingServers:
|
||||
- host: 127.0.0.1
|
||||
port: 24224
|
||||
MonitoringRabbitHost: 127.0.0.1
|
||||
MonitoringRabbitPort: 5676
|
||||
MonitoringRabbitPassword: sensu
|
||||
TtyValues:
|
||||
- console
|
||||
- tty1
|
||||
- tty2
|
||||
- tty3
|
||||
- tty4
|
||||
- tty5
|
||||
- tty6
|
||||
ContainerCli: podman
|
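Review bot: The new file's `resource_registry` mapping repeats two keys: `OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None` and `OS::TripleO::Services::SwiftStorage: OS::Heat::None` each appear twice. Duplicate keys are invalid under YAML 1.2 and most loaders silently keep the last occurrence, so the second pair should be removed; yamllint's key-duplicates rule would flag this. Separately, the Ceph keys and `OctaviaServerCertsKeyPassphrase` are hard-coded in this file; the existing `#NOTE:` above the Ceph keys already states they are for CI only, and a matching one-line comment above the passphrase, such as `# CI-only placeholder; production deployments must supply their own value`, would make the same intent explicit for it.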
|
@ -112,6 +112,11 @@ parameters:
|
|||
type: string
|
||||
default: '/etc/octavia/certs/private/cakey.pem'
|
||||
description: Octavia CA private key file path.
|
||||
OctaviaServerCertsKeyPassphrase:
|
||||
description: Passphrase for encrypting Amphora Certificates and
|
||||
Private Keys.
|
||||
type: string
|
||||
hidden: true
|
||||
OctaviaCaKeyPassphrase:
|
||||
description: CA private key passphrase.
|
||||
type: string
|
||||
|
@ -126,8 +131,9 @@ parameters:
|
|||
description: Enable internal generation of certificates for secure
|
||||
communication with amphorae for isolated private clouds or
|
||||
systems where security is not a concern. Otherwise, use
|
||||
OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
|
||||
OctaviaClientCert to configure Octavia.
|
||||
OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
|
||||
OctaviaClientCert and OctaviaServerCertsKeyPassphrase
|
||||
to configure Octavia.
|
||||
OctaviaMgmtPortDevName:
|
||||
type: string
|
||||
default: "o-hm0"
|
||||
|
@ -182,6 +188,7 @@ resources:
|
|||
lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
|
||||
ca_cert_path: { get_param: OctaviaCaCertFile }
|
||||
ca_private_key_path: { get_param: OctaviaCaKeyFile }
|
||||
server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
|
||||
ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
|
||||
client_cert_path: { get_param: OctaviaClientCertFile }
|
||||
generate_certs: { get_param: OctaviaGenerateCerts }
|
||||
|
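Review bot: The new `server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}` line in the `@ -182,6 +188,7 @@` hunk drops the spaces inside the braces that every neighbouring line uses; write it as `server_certs_key_passphrase: { get_param: OctaviaServerCertsKeyPassphrase }` to match. In the `@ -112,6 +112,11 @@` hunk the new `OctaviaServerCertsKeyPassphrase` parameter is correctly `hidden: true` and deliberately has no `default:`, so a deployment that does not supply it will be rejected by Heat; presumably one of the Depends-On changes makes tripleo-common generate it, and a sentence in the description saying that TripleO generates this value by default would tell operators where it comes from. The same parameter definition and a matching `octavia::certificates::server_certs_key_passphrase` line appear in the later `@ -103,6 +103,11 @@` and `@ -153,6 +158,7 @@` hunks, where the brace spacing already matches its neighbours. The enclosing `parameters:` and `resources:` blocks start and end outside these hunks.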
|
|
@ -9,7 +9,8 @@ parameter_defaults:
|
|||
NeutronEnableForceMetadata: true
|
||||
|
||||
# This flag enables internal generation of certificates for communication
|
||||
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
|
||||
# and OctaviaClient cert to configure secure production environments.
|
||||
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
|
||||
# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
|
||||
# secure production environments.
|
||||
OctaviaGenerateCerts: true
|
||||
|
||||
|
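Review bot: The rewritten comment line `# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure` detaches `cert` from `OctaviaClient`, whereas the replaced line read `OctaviaClient cert`. Suggest `# OctaviaClient cert and OctaviaServerCertsKeyPassphrase to configure` so the line names the client certificate and the passphrase as separate inputs. The identical `@ -9,7 +9,8 @@` hunk in the following section carries the same wording and should get the same fix.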
|
|
@ -9,7 +9,8 @@ parameter_defaults:
|
|||
NeutronEnableForceMetadata: true
|
||||
|
||||
# This flag enables internal generation of certificates for communication
|
||||
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
|
||||
# and OctaviaClient cert to configure secure production environments.
|
||||
# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
|
||||
# OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
|
||||
# secure production environments.
|
||||
OctaviaGenerateCerts: true
|
||||
|
||||
|
|
|
@ -103,6 +103,11 @@ parameters:
|
|||
If provided, this will create or update a file on the host
|
||||
with the path provided in OctaviaCaKeyFile with the key
|
||||
data.
|
||||
OctaviaServerCertsKeyPassphrase:
|
||||
description: Passphrase for encrypting Amphora Certificates and
|
||||
Private Keys.
|
||||
type: string
|
||||
hidden: true
|
||||
OctaviaCaKeyPassphrase:
|
||||
description: CA private key passphrase.
|
||||
type: string
|
||||
|
@ -153,6 +158,7 @@ outputs:
|
|||
octavia::service_auth::auth_type: 'password'
|
||||
octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
|
||||
octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
|
||||
octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
|
||||
octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
features:
|
||||
- The passphrase for config option 'server_certs_key_passphrase', that was
|
||||
recently added to Octavia, and will now be auto-generated by TripleO by
|
||||
adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO
|
||||
configures in Octavia.
|