Configure server_certs_key_passphrase for Octavia

A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.

This patch adds OctaviaServerCertsKeyPassphrase to the list
of parameters TripleO configures in Octavia.

Closes-Bug: #1821756
Related-Bug: #1821751

[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
Depends-On: I9699961faf8b3430e4372e4ff3ae2bf7e7ceea18
Depends-On: Id6c0d156715147c6559dc39098a6eaabf77ac426
Depends-On: I5e60e8fbb7af381b59c6d7b02d5ba8eb47e91720
Change-Id: Icadd090f027af6f958c25af6bfb09195a4019aa8
(cherry picked from commit 4559d3b74f)

ci/environments/scenario010-multinode-containers.yaml

@@ -109,6 +109,7 @@ parameter_defaults:
   NeutronEnableForceMetadata: true
   OctaviaManageNovaFlavor: true
   # For now, we hardcode it but soon it'll be generated in tripleo-common
+  OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
   OctaviaCaKeyPassphrase: 'upstreamci'
   OctaviaGenerateCerts: true
   # Remove ContainerCli once this scenario is tested on CentOS8

ci/environments/scenario010-standalone.yaml

@@ -32,6 +32,7 @@ resource_registry:
 
 parameter_defaults:
   OctaviaAmphoraSshKeyFile: /home/zuul/.ssh/id_rsa.pub
+  OctaviaServerCertsKeyPassphrase: 'insecure-key-do-not-use-this-key'
   NodeDataLookup:
     AB4114B1-9C9D-409A-BEFB-D88C151BF2C3: {"foo": "bar"}
     8CF1A7EA-7B4B-4433-AC83-17675514B1B8: {"foo2": "bar2"}

deployment/octavia/octavia-base.yaml

@@ -101,6 +101,11 @@ parameters:
                  If provided, this will create or update a file on the host
                  with the path provided in OctaviaCaKeyFile with the key
                  data.
+  OctaviaServerCertsKeyPassphrase:
+    description: Passphrase for encrypting Amphora Certificates and
+                 Private Keys.
+    type: string
+    hidden: true
   OctaviaCaKeyPassphrase:
     description: CA private key passphrase.
     type: string
@@ -196,6 +201,7 @@ outputs:
             octavia::service_auth::auth_type: 'password'
             octavia::certificates::ca_certificate: {get_param: OctaviaCaCertFile}
             octavia::certificates::ca_private_key: {get_param: OctaviaCaKeyFile}
+            octavia::certificates::server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
             octavia::certificates::ca_private_key_passphrase: {get_param: OctaviaCaKeyPassphrase}
             octavia::controller::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
             octavia::controller::amp_flavor_id: {get_param: OctaviaFlavorId}

deployment/octavia/octavia-deployment-config.j2.yaml

@@ -124,6 +124,11 @@ parameters:
     type: string
     default: '/etc/octavia/certs/private/cakey.pem'
     description: Octavia CA private key file path.
+  OctaviaServerCertsKeyPassphrase:
+    description: Passphrase for encrypting Amphora Certificates and
+                 Private Keys.
+    type: string
+    hidden: true
   OctaviaCaKeyPassphrase:
     description: CA private key passphrase.
     type: string
@@ -138,8 +143,9 @@ parameters:
     description: Enable internal generation of certificates for secure
                  communication with amphorae for isolated private clouds or
                  systems where security is not a concern. Otherwise, use
-                 OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase and
-                 OctaviaClientCert to configure Octavia.
+                 OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+                 OctaviaClientCert and OctaviaServerCertsKeyPassphrase
+                 to configure Octavia.
   OctaviaMgmtPortDevName:
     type: string
     default: "o-hm0"
@@ -213,6 +219,7 @@ resources:
           lb_mgmt_subnet_pool_end: { get_param: OctaviaControlSubnetPoolEnd }
           ca_cert_path: { get_param: OctaviaCaCertFile }
           ca_private_key_path: { get_param: OctaviaCaKeyFile }
+          server_certs_key_passphrase: {get_param: OctaviaServerCertsKeyPassphrase}
           ca_passphrase: { get_param: OctaviaCaKeyPassphrase }
           client_cert_path: { get_param: OctaviaClientCertFile }
           generate_certs: { get_param: OctaviaGenerateCerts }

environments/services-baremetal/octavia.yaml

@@ -9,7 +9,8 @@ parameter_defaults:
     NeutronEnableForceMetadata: true
 
     # This flag enables internal generation of certificates for communication
-    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
-    # and OctaviaClient cert to configure secure production environments.
+    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+    # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
+    # secure production environments.
     OctaviaGenerateCerts: true
 

environments/services/octavia.yaml

@@ -9,7 +9,8 @@ parameter_defaults:
     NeutronEnableForceMetadata: true
 
     # This flag enables internal generation of certificates for communication
-    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase
-    # and OctaviaClientCert to configure secure production environments.
+    # with amphorae. Use OctaviaCaCert, OctaviaCaKey, OctaviaCaKeyPassphrase,
+    # OctaviaClient and OctaviaServerCertsKeyPassphrase cert to configure
+    # secure production environments.
     OctaviaGenerateCerts: true
 

releasenotes/notes/generate-server_certs_key_passphrase-229a677df1b7f6e0.yaml

@@ -0,0 +1,6 @@
+---
+features:
+  - The passphrase for config option 'server_certs_key_passphrase', that was
+    recently added to Octavia, and will now be auto-generated by TripleO by
+    adding OctaviaServerCertsKeyPassphrase to the list of parameters TripleO
+    configures in Octavia.