Merge "Adding key_size option on the certificate creation" into stable/victoria
commit
f84212cde7
|
@ -47,10 +47,21 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ApacheCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
||||
|
||||
resources:
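Review bot: `CertificateKeySize` and its per-service override (`ApacheCertificateKeySize` here) are declared as free-form strings with no `constraints:`, so a typo, a non-numeric value or a size below the `'2048'` default passes template validation. This value sets the private-key strength for internal TLS certificates, so it is worth rejecting bad input at stack validation rather than at certificate request time. Consider a Heat parameter constraint on the global parameter, such as an `allowed_values` list of the key sizes the project supports, with `''` added to the list for the override parameters. The same unconstrained pair is added in the parameters hunk of every other template in this commit. The `parameters:` section itself starts outside this hunk.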
|
||||
|
||||
|
@ -116,6 +127,11 @@ outputs:
|
|||
hostname: "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "pkill -USR1 httpd"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- {}
|
||||
|
|
|
@ -63,9 +63,20 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
GrafanaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: GrafanaCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -165,6 +176,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephGrafanaNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-grafana-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: GrafanaCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -49,6 +49,16 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
|
@ -58,6 +68,7 @@ conditions:
|
|||
- equals:
|
||||
- get_param: EnableInternalTLS
|
||||
- true
|
||||
key_size_override_unset: {equals: [{get_param: CephCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -157,6 +168,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephDashboardNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-dashboard-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -45,10 +45,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
CephRgwCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
dashboard_enabled: {equals: [{get_param: CephEnableDashboard}, true]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: CephRgwCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
CephBase:
|
||||
|
@ -183,6 +194,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, CephRgwNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rgw-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: CephRgwCertificateKeySize}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
|
|
|
@ -67,6 +67,16 @@ parameters:
|
|||
description: Buffer pool size for MySQL database; this needs to be larger
|
||||
for at-scale deployments
|
||||
default: ''
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
MysqlCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
|
@ -86,6 +96,7 @@ conditions:
|
|||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MysqlNetwork]}]}
|
||||
- 6
|
||||
innodb_buffer_pool_size: {not: {equals: [{get_param: MysqlInnodbBufferPoolSize}, '']}}
|
||||
key_size_override_unset: {equals: [{get_param: MysqlCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -167,6 +178,11 @@ outputs:
|
|||
template: "mysql/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MysqlCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -39,10 +39,21 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RedisCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: RedisCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -113,6 +124,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RedisNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-redis-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RedisCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -61,12 +61,23 @@ parameters:
|
|||
default: false
|
||||
description: Set to True to enable debugging on all services.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
EtcdCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled:
|
||||
and:
|
||||
- {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
- {equals: [{get_param: EnableEtcdInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: EtcdCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
ContainersCommon:
|
||||
|
@ -132,6 +143,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, EtcdNetwork]}
|
||||
postsave_cmd: '/usr/bin/certmonger-etcd-refresh.sh'
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: EtcdCertificateKeySize}
|
||||
etcd::trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
etcd::peer_trusted_ca_file: {get_param: InternalTLSCAFile}
|
||||
-
|
||||
|
|
|
@ -36,6 +36,20 @@ parameters:
|
|||
HAProxyInternalTLSKeysDirectory:
|
||||
default: '/etc/pki/tls/private/haproxy'
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -92,6 +106,11 @@ outputs:
|
|||
- "%{hiera('fqdn_NETWORK')}"
|
||||
principal: "haproxy/%{hiera('fqdn_NETWORK')}"
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload NETWORK"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
metadata_settings:
|
||||
|
|
|
@ -41,6 +41,20 @@ parameters:
|
|||
description: >
|
||||
The filepath of the certificate as it will be stored in the controller.
|
||||
type: string
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
HAProxyCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -78,6 +92,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
metadata_settings:
|
||||
- service: haproxy
|
||||
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
||||
|
|
|
@ -66,6 +66,16 @@ parameters:
|
|||
default: false
|
||||
description: Set to True to enable TLS on Memcached service.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
MemcachedCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: MemcachedTLS}, true]}
|
||||
|
@ -79,6 +89,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, MemcachedNetwork]}]}
|
||||
- 6
|
||||
key_size_override_unset: {equals: [{get_param: MemcachedCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -178,6 +189,11 @@ outputs:
|
|||
params:
|
||||
$NETWORK: {get_param: [ServiceNetMap, MemcachedNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-memcached-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: MemcachedCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
collectd:
|
||||
|
|
|
@ -144,11 +144,22 @@ parameters:
|
|||
default: false
|
||||
description: Set to true to enable configuration for STF client.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
QdrCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
listener_ssl_enabled: {equals: [{get_param: MetricsQdrUseSSL}, true]}
|
||||
enable_stf: {equals: [{get_param: EnableSTF}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: QdrCertificateKeySize}, '']}
|
||||
|
||||
|
||||
resources:
|
||||
|
@ -249,6 +260,11 @@ outputs:
|
|||
template: "ROLENAMEMetricsQdrNetwork"
|
||||
params:
|
||||
ROLENAME: {get_param: RoleName}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QdrCertificateKeySize}
|
||||
tripleo::profile::base::metrics::qdr::ssl_profiles:
|
||||
list_concat:
|
||||
- get_param: MetricsQdrSSLProfiles
|
||||
|
|
|
@ -163,6 +163,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
# DEPRECATED: the following options are deprecated and are currently maintained
|
||||
# for backwards compatibility. They will be removed in the Ocata cycle.
|
||||
NeutronL3HA:
|
||||
|
@ -198,6 +208,7 @@ conditions:
|
|||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
enable_sqlalchemy_collectd: {equals : [{get_param: EnableSQLAlchemyCollectd}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -404,6 +415,11 @@ outputs:
|
|||
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
|
@ -147,6 +147,16 @@ parameters:
|
|||
Enable dhcp-host entry with list of addresses when port has multiple
|
||||
IPv6 addresses in the same subnet.
|
||||
type: boolean
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NeutronDhcpCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -160,6 +170,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
az_unset: {equals: [{get_param: NeutronDhcpAgentAvailabilityZone}, '']}
|
||||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
key_size_override_unset: {equals: [{get_param: NeutronDhcpCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -260,6 +271,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-neutron-dhcpd-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NeutronDhcpCertificateKeySize}
|
||||
- {}
|
||||
- if:
|
||||
- dhcp_ovs_intergation_bridge_unset
|
||||
|
|
|
@ -116,6 +116,31 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/qemu.pem'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for qemu.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
LibvirtCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuServerCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
QemuClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtCACert:
|
||||
type: string
|
||||
default: ''
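Review bot: The four override parameters added here (`LibvirtCertificateKeySize`, `LibvirtVNCServerCertificateKeySize`, `QemuServerCertificateKeySize`, `QemuClientCertificateKeySize`) all carry the same description ending in "certificate for this service", so an operator cannot tell from the template which certificate each one sizes. Name the certificate in each description, e.g. `description: Override the private key size used when creating the libvirt-vnc server certificate.`, and state that an empty value means `CertificateKeySize` applies. The same generic wording is used for `NovaVNCCertificateKeySize` and `LibvirtVNCClientCertificateKeySize` in the VNC proxy template later in this commit.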
|
||||
|
@ -325,6 +350,11 @@ conditions:
|
|||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, '']
|
||||
- equals: [{get_param: [RoleParameters, NovaNfsEnabled]}, true]
|
||||
|
||||
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
|
||||
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
|
||||
key_size_qemu_server_override_unset: {equals: [{get_param: QemuServerCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
RoleParametersValue:
|
||||
type: OS::Heat::Value
|
||||
|
@ -472,6 +502,11 @@ outputs:
|
|||
template: "libvirt/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtCertificateKeySize}
|
||||
# create the qemu and qemu_ndb dirs and certs also when when tls for nbd
|
||||
# is not enabled this allows us to enable it even at a later time without
|
||||
# restart of instances
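Review bot: The `key_size` added for the `libvirt/%{hiera('fqdn_NETWORK')}` certificate tests `key_size_libvirtvnc_override_unset` but falls back to `LibvirtCertificateKeySize`, so the condition and the parameter do not match. The conditions hunk of this file defines `key_size_libvirt_override_unset` on `LibvirtCertificateKeySize`, and no visible hunk uses it. As written, setting only `LibvirtVNCServerCertificateKeySize` makes this entry pass the empty default of `LibvirtCertificateKeySize` as the key size, while setting only `LibvirtCertificateKeySize` is ignored in favour of `CertificateKeySize`. The first item of the `if:` list should read `- key_size_libvirt_override_unset`. The enclosing certificate spec starts outside the hunk.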
|
||||
|
@ -501,6 +536,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_server_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuServerCertificateKeySize}
|
||||
qemu-nbd-client-cert:
|
||||
service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
|
||||
service_key: '/etc/pki/libvirt-nbd/client-key.pem'
|
||||
|
@ -514,6 +554,11 @@ outputs:
|
|||
template: "qemu/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_qemu_client_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: QemuClientCertificateKeySize}
|
||||
-
|
||||
nova::migration::libvirt::live_migration_inbound_addr:
|
||||
str_replace:
|
||||
|
@ -553,6 +598,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCServerCertificateKeySize}
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
|
|
|
@ -54,6 +54,21 @@ parameters:
|
|||
default: '/etc/pki/CA/certs/vnc.crt'
|
||||
type: string
|
||||
description: Specifies the CA cert to use for VNC TLS.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
NovaVNCCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVNCClientCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
LibvirtVncCACert:
|
||||
type: string
|
||||
default: ''
|
||||
|
@ -114,6 +129,9 @@ conditions:
|
|||
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
||||
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
||||
|
||||
key_size_novavnc_override_unset: {equals: [{get_param: NovaVNCCertificateKeySize}, '']}
|
||||
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCClientCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
ContainersCommon:
|
||||
|
@ -211,6 +229,11 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaVncProxyNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_libvirtvnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: LibvirtVNCClientCertificateKeySize}
|
||||
novnc_proxy_certificates_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
||||
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
||||
|
@ -224,6 +247,11 @@ outputs:
|
|||
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_novavnc_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: NovaVNCCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
|
|
|
@ -45,6 +45,16 @@ parameters:
|
|||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OctaviaCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
|
@ -52,6 +62,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
octavia_provider_ovn_protocol_unset: {equals: [{get_param: OctaviaOvnProviderProtocol}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OctaviaCertificateKeySize}, '']}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
|
@ -86,6 +97,11 @@ outputs:
|
|||
template: "ovn_octavia/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OctaviaCertificateKeySize}
|
||||
- {}
|
||||
puppet_tags: octavia_ovn_provider_config
|
||||
provider_driver_labels:
|
||||
|
|
|
@ -98,10 +98,21 @@ parameters:
|
|||
OpenvSwitch integration bridge, in seconds.
|
||||
type: number
|
||||
default: 60
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
ContainerOvnCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ContainerOvnCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -190,6 +201,11 @@ outputs:
|
|||
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: ContainerOvnCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -96,6 +96,16 @@ parameters:
|
|||
in backup mode and connects to the active ovsdb-server for replication
|
||||
type: number
|
||||
default: 60000
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnDBSCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
|
@ -104,6 +114,7 @@ conditions:
|
|||
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
|
||||
common_tag_full: {equals: [{get_param: ClusterFullTag}, true]}
|
||||
use_external_load_balancer: {equals: [{get_param: EnableLoadBalancer}, false]}
|
||||
key_size_override_unset: {equals: [{get_param: OvnDBSCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -189,6 +200,11 @@ outputs:
|
|||
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnDBSCertificateKeySize}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
|
|
@ -122,6 +122,16 @@ parameters:
|
|||
description: Probe interval in ms
|
||||
type: number
|
||||
default: 60000
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
OvnMetadataCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
haproxy_wrapper_enabled: {equals: [{get_param: OVNEnableHaproxyDockerWrapper}, true]}
|
||||
|
@ -129,6 +139,7 @@ conditions:
|
|||
service_debug_unset: {equals : [{get_param: OVNWrapperDebug}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
neutron_metadata_workers_unset: {equals : [{get_param: NeutronMetadataWorkers}, '']}
|
||||
key_size_override_unset: {equals: [{get_param: OvnMetadataCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -212,6 +223,11 @@ outputs:
|
|||
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: OvnMetadataCertificateKeySize}
|
||||
- {}
|
||||
|
||||
puppet_config:
|
||||
|
|
|
@ -89,6 +89,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
|
@ -112,6 +122,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: [ServiceData, net_ip_version_map, {get_param: [ServiceNetMap, RabbitmqNetwork]}]}
|
||||
- 6
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -220,6 +231,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, RabbitmqNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqCertificateKeySize}
|
||||
- {}
|
||||
- rabbitmq::admin_enable: false
|
||||
rabbitmq::management_enable: true
|
||||
|
|
|
@ -66,6 +66,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RabbitmqMessageCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
@ -74,6 +84,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: RabbitCookie}
|
||||
- ''
|
||||
key_size_override_unset: {equals: [{get_param: RabbitmqMessageCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -162,6 +173,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingNotifyNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RabbitmqMessageCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|
|
@ -67,6 +67,16 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
CertificateKeySize:
|
||||
type: string
|
||||
default: '2048'
|
||||
description: Specifies the private key size used when creating the
|
||||
certificate.
|
||||
RpcCertificateKeySize:
|
||||
type: string
|
||||
default: ''
|
||||
description: Override the private key size used when creating the
|
||||
certificate for this service
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
@ -75,6 +85,7 @@ conditions:
|
|||
equals:
|
||||
- {get_param: RabbitCookie}
|
||||
- ''
|
||||
key_size_override_unset: {equals: [{get_param: RpcCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -162,6 +173,11 @@ outputs:
|
|||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OsloMessagingRpcNetwork]}
|
||||
postsave_cmd: "/usr/bin/certmonger-rabbitmq-refresh.sh"
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- {get_param: RpcCertificateKeySize}
|
||||
- {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
|