From f976e5fd281f28fecb4e5f7d2be3e8c9769adceb Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 2 Sep 2024 12:59:57 +0200
Subject: [PATCH] Provide better flexability for SSH keypair options

At the moment we do generate SSH keypairs for octavia with pre-defined options for backwards compatability. In the meanwhile it might not make much sense for new deployments, though there's no clear way to overrride these options.] With that we implement a bunch of new variables that allows to tune properties for the SSH key to be used.

Change-Id: I5c4c20e7375b2471cc47ac628e007d6297bdeb7e
---
 defaults/main.yml | 13 +++++++++++++
 ..._ssh_keypair_options-a6f9cfeb51bdfefa.yaml | 16 ++++++++++++++++
 tasks/octavia_resources.yml | 19 +++++++++++--------
 3 files changed, 40 insertions(+), 8 deletions(-)
 create mode 100644 releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 1a776d00..743051f0 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -341,9 +341,22 @@ octavia_security_group_name: octavia_sec_grp
 octavia_security_group_additional_rules: []
 # Restrict access to only authorized hosts
 octavia_security_group_rule_cidr: "{{ octavia_management_net_subnet_cidr }}"
+
+octavia_resources_deploy_host: localhost
+octavia_resources_deploy_python_interpreter: "{{ ansible_playbook_python }}"
 # ssh enabled - switch to True if you need ssh access to the amphora
 octavia_ssh_enabled: False
+octavia_ssh_key_manage: True
 octavia_ssh_key_name: octavia_key
+octavia_ssh_key_dir: "{{ lookup('env', 'HOME') ~ '/.ssh' }}"
+# SSH Key variables below are set to "old" values for backwards compatability
+# of how Nova used to generate keypairs.
+octavia_ssh_key_comment: Generated-by-Nova
+# Options: ssh, pkcs1 and pkcs8
+octavia_ssh_key_format: ssh
+# Options: rsa, dsa, rsa1, ecdsa, ed25519
+octavia_ssh_key_type: rsa
+octavia_ssh_key_size: 2048
 # port the agent listens on
 octavia_agent_port: "9443"
 octavia_health_manager_port: 5555
diff --git a/releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml b/releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml
new file mode 100644
index 00000000..9bb8041b
--- /dev/null
+++ b/releasenotes/notes/octavia_ssh_keypair_options-a6f9cfeb51bdfefa.yaml
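Review bot: `octavia_ssh_key_manage: True` is consumed in tasks/octavia_resources.yml as a bare Jinja condition, `{% if octavia_ssh_key_manage %}`, so an override supplied as a string (for example through `-e`) stays truthy whatever its text; test it as `{% if octavia_ssh_key_manage | bool %}`, the way `octavia_ssh_enabled | bool` is already handled in that file. `octavia_ssh_key_dir` defaults to `lookup('env', 'HOME')`, which Ansible evaluates on the control node, so once `octavia_resources_deploy_host` is set to anything other than localhost the private-key path is the controller's home directory rather than one on the deploy host, while the release note documents `${HOME}/.ssh` as a location on the deploy host. The comment above `octavia_ssh_key_type` lists `dsa` and `rsa1`, which current OpenSSH releases have disabled or removed, so an operator choosing either from this list ends up with a key the amphorae cannot accept; I would reword it as `# Options: rsa, ecdsa, ed25519 (dsa and rsa1 are disabled or removed in current OpenSSH; rsa/2048 is kept only for compatibility with keys Nova used to generate)`.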
@@ -0,0 +1,16 @@
+---
+
+features:
+ - |
+ Added variables to better control SSH keypair generation for Octavia:
+
+ * ``octavia_ssh_key_manage`` (True): Enables an Octavia role to generate
+ and manage SSH keypair to be used for Amphoras.
+ * ``octavia_resources_deploy_host`` (localhost): The host on which SSH key will be
+ created.
+ * ``octavia_ssh_key_dir`` (${HOME}/.ssh): Directory under which keypair
+ will be created on the ``octavia_resources_deploy_host``
+ * ``octavia_ssh_key_comment`` (Generated-by-Nova): Comment for the keypair.
+ * ``octavia_ssh_key_format`` (ssh): Format for the stored private key
+ * ``octavia_ssh_key_type`` (rsa): Type of the SSH keypair generated
+ * ``octavia_ssh_key_size`` (2048): Private key length.
diff --git a/tasks/octavia_resources.yml b/tasks/octavia_resources.yml
index f084a992..0db0680d 100644
--- a/tasks/octavia_resources.yml
+++ b/tasks/octavia_resources.yml
@@ -29,6 +29,8 @@
 vars:
 openstack_resources_setup_host: "{{ octavia_service_setup_host }}"
 openstack_resources_python_interpreter: "{{ octavia_service_setup_host_python_interpreter }}"
+ openstack_resources_deploy_host: "{{ octavia_resources_deploy_host }}"
+ openstack_resources_deploy_python_interpreter: "{{ octavia_resources_deploy_python_interpreter }}"
 openstack_resources_image: "{{ (octavia_download_artefact | bool) | ternary({'images': octavia_amp_image_resource}, {}) }}"
 openstack_resources_identity:
 quotas:
@@ -116,15 +118,13 @@
 extra_specs: "{{ octavia_amp_extra_specs | default({}) }}"
 _octavia_keypairs:
 keypairs:
- # NOTE(noonedeadpunk): We define old/short keypair algorythms for backwards compatibiltiy with
- # previous keypair generation which was handled by Nova:
- # https://opendev.org/openstack/nova/src/commit/7e8e0dd1ab2e46c6f95746b47189e81b5a228c69/nova/crypto.py#L97
 - name: "{{ octavia_ssh_key_name }}"
- path: "{{ octavia_ssh_key_dir | default(lookup('env', 'HOME') ~ '/.ssh') }}/{{ octavia_ssh_key_name }}"
+ path: "{{ octavia_ssh_key_dir }}/{{ octavia_ssh_key_name }}"
 state: "{{ (octavia_ssh_enabled | bool) | ternary('present', 'absent') }}"
- private_key_format: ssh
- size: 2048
- comment: Generated-by-Nova
+ private_key_format: "{{ octavia_ssh_key_format }}"
+ size: "{{ octavia_ssh_key_size }}"
+ comment: "{{ octavia_ssh_key_comment }}"
+ type: "{{ octavia_ssh_key_type }}"
 auth:
 auth_url: "{{ keystone_service_adminurl }}"
 username: "{{ octavia_service_user_name }}"
@@ -134,7 +134,10 @@
 project_domain_name: "{{ octavia_service_project_domain_id }}"
 openstack_resources_compute: |-
- {% set compute_resources = _octavia_keypairs %}
+ {% set compute_resources = {} %}
+ {% if octavia_ssh_key_manage %}
+ {% set _ = compute_resources.update(_octavia_keypairs) %}
+ {% endif %}
 {% if octavia_nova_flavor_uuid is not defined %}
 {% set _ = compute_resources.update(_octavia_flavors) %}
 {% endif %}
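Review bot: `size: "{{ octavia_ssh_key_size }}"` is now forwarded for every key type while the default stays `2048`, so an operator who switches `octavia_ssh_key_type` to `ecdsa` without also changing the size hands the key generator a length that is not an ECDSA curve size (256, 384 or 521), and for `ed25519` the value has no meaning at all; this assumes the openstack_resources role passes `size` through to the key-generation module unchanged, which is not visible here. Nothing in the hunk ties the two variables together, so at minimum I would document the coupling next to the new line, `# size applies to rsa and ecdsa only (ecdsa: 256, 384 or 521); ed25519 keys have a fixed length`, and consider not emitting `size` when the type is `ed25519`. The `_octavia_keypairs` mapping begins in this hunk but its `auth` block continues past the hunk's end.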