Provide better flexability for SSH keypair options

At the moment we do generate SSH keypairs for octavia with pre-defined options for backwards compatability. In the meanwhile it might not make much sense for new deployments, though there's no clear way to overrride these options.] With that we implement a bunch of new variables that allows to tune properties for the SSH key to be used. Change-Id: I5c4c20e7375b2471cc47ac628e007d6297bdeb7e
2024-09-02 12:59:57 +02:00 · 2024-09-02 12:59:57 +02:00 · f976e5fd28
commit f976e5fd28
parent 689aa04a20
3 changed files with 40 additions and 8 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -341,9 +341,22 @@ octavia_security_group_name: octavia_sec_grp
 octavia_security_group_additional_rules: []
 # Restrict access to only authorized hosts
 octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
+
+octavia_resources_deploy_host: localhost
+octavia_resources_deploy_python_interpreter: "{{ ansible_playbook_python }}"
 # ssh enabled - switch to True if you need ssh access to the amphora
 octavia_ssh_enabled: False
+octavia_ssh_key_manage: True
 octavia_ssh_key_name: octavia_key
+octavia_ssh_key_dir: "{{ lookup('env', 'HOME') ~ '/.ssh' }}"
+# SSH Key variables below are set to "old" values for backwards compatability
+# of how Nova used to generate keypairs.
+octavia_ssh_key_comment: Generated-by-Nova
+# Options: ssh, pkcs1 and pkcs8
+octavia_ssh_key_format: ssh
+# Options: rsa, dsa, rsa1, ecdsa, ed25519
+octavia_ssh_key_type: rsa
+octavia_ssh_key_size: 2048
 # port the agent listens on
 octavia_agent_port: "9443"
 octavia_health_manager_port: 5555
--- a/releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml
+++ b/releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml
@ -0,0 +1,16 @@
+---
+
+features:
+  - |
+    Added variables to better control SSH keypair generation for Octavia:
+
+      * ``octavia_ssh_key_manage`` (True): Enables an Octavia role to generate
+        and manage SSH keypair to be used for Amphoras.
+      * ``octavia_resources_deploy_host`` (localhost): The host on which SSH key will be
+        created.
+      * ``octavia_ssh_key_dir`` (${HOME}/.ssh): Directory under which keypair
+        will be created on the ``octavia_resources_deploy_host``
+      * ``octavia_ssh_key_comment`` (Generated-by-Nova): Comment for the keypair.
+      * ``octavia_ssh_key_format`` (ssh): Format for the stored private key
+      * ``octavia_ssh_key_type`` (rsa): Type of the SSH keypair generated
+      * ``octavia_ssh_key_size`` (2048): Private key length.
--- a/tasks/octavia_resources.yml
+++ b/tasks/octavia_resources.yml
@ -29,6 +29,8 @@
  vars:
    openstack_resources_setup_host: "{{ octavia_service_setup_host }}"
    openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
+    openstack_resources_deploy_host: "{{ octavia_resources_deploy_host }}"
+    openstack_resources_deploy_python_interpreter: "{{ octavia_resources_deploy_python_interpreter }}"
    openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}"
    openstack_resources_identity:
      quotas:
@ -116,15 +118,13 @@
          extra_specs: "{{ octavia_amp_extra_specs | default({}) }}"
    _octavia_keypairs:
      keypairs:
-        # NOTE(noonedeadpunk): We define old/short keypair algorythms for backwards compatibiltiy with
-        #                      previous keypair generation which was handled by Nova:
-        #                      https://opendev.org/openstack/nova/src/commit/7e8e0dd1ab2e46c6f95746b47189e81b5a228c69/nova/crypto.py#L97
        - name: "{{ octavia_ssh_key_name }}"
-          path: "{{ octavia_ssh_key_dir | default(lookup('env', 'HOME') ~ '/.ssh') }}/{{ octavia_ssh_key_name }}"
+          path: "{{ octavia_ssh_key_dir }}/{{ octavia_ssh_key_name }}"
          state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}"
-          private_key_format: ssh
-          size: 2048
-          comment: Generated-by-Nova
+          private_key_format: "{{ octavia_ssh_key_format }}"
+          size: "{{ octavia_ssh_key_size }}"
+          comment: "{{ octavia_ssh_key_comment }}"
+          type: "{{ octavia_ssh_key_type }}"
          auth:
            auth_url: "{{ keystone_service_adminurl }}"
            username: "{{ octavia_service_user_name }}"
@ -134,7 +134,10 @@
            project_domain_name: "{{ octavia_service_project_domain_id }}"

    openstack_resources_compute: |-
-      {% set compute_resources = _octavia_keypairs %}
+      {% set compute_resources = {} %}
+      {% if octavia_ssh_key_manage %}
+      {%   set _ = compute_resources.update(_octavia_keypairs) %}
+      {% endif %}
      {% if octavia_nova_flavor_uuid is not defined %}
      {%   set _ = compute_resources.update(_octavia_flavors) %}
      {% endif %}