diff --git a/ci/environments/scenario010-standalone.yaml b/ci/environments/scenario010-standalone.yaml
new file mode 100644
index 0000000000..42d48c7a7f
--- /dev/null
+++ b/ci/environments/scenario010-standalone.yaml
@@ -0,0 +1,99 @@
+resource_registry:
+ OS::TripleO::Services::CephMgr: ../../deployment/ceph-ansible/ceph-mgr.yaml
+ OS::TripleO::Services::CephMon: ../../deployment/ceph-ansible/ceph-mon.yaml
+ OS::TripleO::Services::CephOSD: ../../deployment/ceph-ansible/ceph-osd.yaml
+ OS::TripleO::Services::CephClient: ../../deployment/ceph-ansible/ceph-client.yaml
+ OS::TripleO::Services::Keepalived: OS::Heat::None
+ OS::TripleO::Services::OsloMessagingRpc: ../../deployment/rabbitmq/rabbitmq-messaging-rpc-container-puppet.yaml
+ OS::TripleO::Services::OsloMessagingNotify: ../../deployment/rabbitmq/rabbitmq-messaging-notify-shared-puppet.yaml
+ # NOTE(mmagr): We need to disable Sensu client deployment for now as the container health check is based
+ # on successful RabbitMQ connection, which does not happen in this case. We can enable it again when we
+ # will implement default connection to overcloud RabbitMQ instance,
+ #OS::TripleO::Services::SensuClient: ../../deployment/deprecated/monitoring/sensu-client-container-puppet.yaml
+ # Some infra instances don't pass the ping test but are otherwise working.
+ # Since the OVB jobs also test this functionality we can shut it off here.
+ OS::TripleO::AllNodes::Validation: ../common/all-nodes-validation-disabled.yaml
+ OS::TripleO::Services::OctaviaApi: ../../deployment/octavia/octavia-api-container-puppet.yaml
+ OS::TripleO::Services::OctaviaHousekeeping: ../../deployment/octavia/octavia-housekeeping-container-puppet.yaml
+ OS::TripleO::Services::OctaviaHealthManager: ../../deployment/octavia/octavia-health-manager-container-puppet.yaml
+ OS::TripleO::Services::OctaviaWorker: ../../deployment/octavia/octavia-worker-container-puppet.yaml
+ OS::TripleO::Services::OctaviaDeploymentConfig: ../../deployment/octavia/octavia-deployment-config.yaml
+ OS::TripleO::Services::CinderApi: OS::Heat::None
+ OS::TripleO::Services::CinderBackup: OS::Heat::None
+ OS::TripleO::Services::CinderScheduler: OS::Heat::None
+ OS::TripleO::Services::CinderVolume: OS::Heat::None
+ OS::TripleO::Services::SwiftProxy: OS::Heat::None
+ OS::TripleO::Services::SwiftDispersion: OS::Heat::None
+ OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None
+ OS::TripleO::Services::SwiftStorage: OS::Heat::None
+ OS::TripleO::Services::SwiftRingBuilder: OS::Heat::None
+ OS::TripleO::Services::SwiftStorage: OS::Heat::None
+ OS::TripleO::Services::Horizon: OS::Heat::None
+
+parameter_defaults:
+ OctaviaAmphoraSshKeyFile: /home/zuul/.ssh/id_rsa.pub
+ OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
+ NodeDataLookup:
+ AB4114B1-9C9D-409A-BEFB-D88C151BF2C3: {"foo": "bar"}
+ 8CF1A7EA-7B4B-4433-AC83-17675514B1B8: {"foo2": "bar2"}
+ Debug: true
+ # fetch dir needed for standalone
+ LocalCephAnsibleFetchDirectoryBackup: /var/lib/ceph_ansible_fetch
+ CephAnsibleDisksConfig:
+ osd_objectstore: bluestore
+ osd_scenario: lvm
+ lvm_volumes:
+ - data: ceph_lv_data
+ data_vg: ceph_vg
+ db: ceph_lv_db
+ db_vg: ceph_vg
+ wal: ceph_lv_wal
+ wal_vg: ceph_vg
+ CephPoolDefaultPgNum: 32
+ CephPoolDefaultSize: 1
+ CephAnsibleExtraConfig:
+ centos_package_dependencies: []
+ ceph_osd_docker_memory_limit: '1g'
+ ceph_mds_docker_memory_limit: '1g'
+ #NOTE: These ID's and keys should be regenerated for
+ # a production deployment. What is here is suitable for
+ # developer and CI testing only.
+ CephClusterFSID: '4b5c8c0a-ff60-454b-a1b4-9747aa737d19'
+ CephMonKey: 'AQC+Ox1VmEr3BxAALZejqeHj50Nj6wJDvs96OQ=='
+ CephAdminKey: 'AQDLOh1VgEp6FRAAFzT7Zw+Y9V6JJExQAsRnRQ=='
+ CephClientKey: 'AQC+vYNXgDAgAhAAc8UoYt+OTz5uhV7ItLdwUw=='
+ CephAnsiblePlaybookVerbosity: 1
+ CephAnsibleEnvironmentVariables:
+ ANSIBLE_SSH_RETRIES: '4'
+ DEFAULT_FORKS: '3'
+ NovaEnableRbdBackend: true
+ CinderEnableRbdBackend: true
+ CinderBackupBackend: ceph
+ GlanceBackend: rbd
+ CinderEnableIscsiBackend: false
+ BannerText: |
+ ******************************************************************
+ * This system is for the use of authorized users only. Usage of *
+ * this system may be monitored and recorded by system personnel. *
+ * Anyone using this system expressly consents to such monitoring *
+ * and is advised that if such monitoring reveals possible *
+ * evidence of criminal activity, system personnel may provide *
+ * the evidence from such monitoring to law enforcement officials.*
+ ******************************************************************
+ CollectdExtraPlugins:
+ - rrdtool
+ LoggingServers:
+ - host: 127.0.0.1
+ port: 24224
+ MonitoringRabbitHost: 127.0.0.1
+ MonitoringRabbitPort: 5676
+ MonitoringRabbitPassword: sensu
+ TtyValues:
+ - console
+ - tty1
+ - tty2
+ - tty3
+ - tty4
+ - tty5
+ - tty6
+ ContainerCli: podman
diff --git a/docker/services/octavia/octavia-deployment-config.yaml b/docker/services/octavia/octavia-deployment-config.yaml
index a67e7c7d0c..bc726686f9 100644
--- a/docker/services/octavia/octavia-deployment-config.yaml
+++ b/docker/services/octavia/octavia-deployment-config.yaml
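Review bot: `resource_registry` in the new scenario010 file declares `OS::TripleO::Services::SwiftRingBuilder` and `OS::TripleO::Services::SwiftStorage` twice; duplicate mapping keys are invalid in YAML 1.2 and most loaders silently keep the last occurrence, so the second `SwiftRingBuilder`/`SwiftStorage` pair should be removed. The CI-only value `OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'` sits near the top of `parameter_defaults`, well away from the `#NOTE: These ID's and keys should be regenerated` comment that marks the Ceph keys as test fixtures; either move it under that note or add `# CI-only value; do not reuse outside this scenario` above it so the "regenerate for production" caveat clearly covers it too.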
@@ -110,6 +110,11 @@ parameters: type: string default: '/etc/octavia/certs/private/cakey.pem' description: Octavia CA private key file path. + OctaviaServerCertsKeyPassphrase: + description: Passphrase for encrypting Amphora Certificates and + Private Keys. + type: string + hidden: true OctaviaCaKeyPassphrase: description: CA private key passphrase. type: string @@ -124,8 +129,9 @@ parameters: description: Enable internal generation of certificates for secure communication with amphorae for isolated private clouds or systems where security is not a concern. Otherwise, use - OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and - OctaviaClientCert to configure Octavia. + OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase, + OctaviaClientCert and OctaviaServerCertsKeyPassphrase + to configure Octavia. OctaviaMgmtPortDevName: type: string default: "o-hm0" diff --git a/environments/services-baremetal/octavia.yaml b/environments/services-baremetal/octavia.yaml index b592bf8e43..017ebd7b26 100644 --- a/environments/services-baremetal/octavia.yaml +++ b/environments/services-baremetal/octavia.yaml @@ -9,7 +9,8 @@ parameter_defaults: NeutronEnableForceMetadata: true # This flag enables internal generation of certificates for communication - # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase - # and OctaviaClient cert to configure secure production environments. + # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase, + # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure + # secure production environments. OctaviaGenerateCerts: true diff --git a/environments/services/octavia.yaml b/environments/services/octavia.yaml index 96372dd90d..b2385cf2b7 100644 --- a/environments/services/octavia.yaml +++ b/environments/services/octavia.yaml 
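Review bot: The new `OctaviaServerCertsKeyPassphrase` parameter is declared with `hidden: true` but no `default`, so a stack that does not receive a value for it will fail Heat parameter validation unless the deploy tooling injects a generated value, as the release note in this commit says it will; the description should also state the format Octavia requires for `server_certs_key_passphrase`, which Octavia documents as a 32-character, base64(url)-compatible string (the CI value added in scenario010 is exactly 32 characters). A Heat constraint would reject a wrong-length value at validation time rather than at Octavia start, e.g. `constraints:` / `- length: {min: 32, max: 32}` under the parameter. The same declaration is added to puppet/services/octavia-base.yaml in its `@@ -103,6 +103,11 @@` hunk and should carry the same description text and constraint.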
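Review bot: The rewritten comment in environments/services-baremetal/octavia.yaml now reads `OctaviaClient and OctaviaServerCertsKeyPassphrase cert`, which detaches "cert" from `OctaviaClient` and attaches it to a passphrase; the parameter the description in octavia-deployment-config.yaml names is `OctaviaClientCert`. Suggest `# with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,` / `# OctaviaClientCert and OctaviaServerCertsKeyPassphrase to configure secure` / `# production environments.`. The identical comment is added in environments/services/octavia.yaml (`@@ -9,7 +9,8 @@`) and needs the same wording fix.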
@@ -9,7 +9,8 @@ parameter_defaults: NeutronEnableForceMetadata: true # This flag enables internal generation of certificates for communication - # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase - # and OctaviaClient cert to configure secure production environments. + # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase, + # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure + # secure production environments. OctaviaGenerateCerts: true diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml index bffb142dc6..738960a398 100644 --- a/puppet/services/octavia-base.yaml +++ b/puppet/services/octavia-base.yaml @@ -103,6 +103,11 @@ parameters: If provided, this will create or update a file on the host with the path provided in OctaviaCaKeyFile with the key data. + OctaviaServerCertsKeyPassphrase: + description: Passphrase for encrypting Amphora Certificates and + Private Keys. + type: string + hidden: true OctaviaCaKeyPassphrase: description: CA private key passphrase. type: string @@ -151,6 +156,7 @@ outputs: octavia::service_auth::auth_type: 'password' octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile} octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile} + octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase} octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase} - if: diff --git a/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml b/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml new file mode 100644 index 0000000000..e358f9b3b5 --- /dev/null +++ b/releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml 
@@ -0,0 +1,6 @@
+---
+features:
+ - The passphrase for config option 'server_certs_key_passphrase', that was
+ recently added to Octavia, and will now be auto-generated by TripleO by
+ adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO
+ configures in Octavia.