[FIPS] keystone_ssh | nova_ssh images fail with ssh key limitation

Bug #2032589 reported by Javier Diaz Jr
Affects: kolla-ansible (Status: Invalid, Importance: Undecided, Assigned to: Unassigned)

Bug Description

OS Rocky Linux 9.2
Kernel 5.14.0-284.18.1.el9_2.x86_64
Kolla-Ansible: 16.1.0 (2023.1 Antelope)
Docker Version: Docker version 24.0.4, build 3713ee1
Docker image type: source
Docker images:

quay.io/openstack.kolla/keystone-ssh 2023.1-rocky-9 8a5df44c24bb 4 weeks ago 1.15GB
quay.io/openstack.kolla/nova-ssh 2023.1-rocky-9 ff342f52e262 4 weeks ago 1.36GB

The image itself works just fine in a non-FIPS-compliant environment, but when FIPS is enabled the keystone_ssh and nova_ssh containers will error out with the following message:

```
++ SSH_HOST_KEY_TYPES=("rsa" "dsa" "ecdsa" "ed25519")
++ for key_type in ${SSH_HOST_KEY_TYPES[@]}
++ KEY_PATH=/etc/ssh/ssh_host_rsa_key
++ [[ ! -f /etc/ssh/ssh_host_rsa_key ]]
++ for key_type in ${SSH_HOST_KEY_TYPES[@]}
++ KEY_PATH=/etc/ssh/ssh_host_dsa_key
++ [[ ! -f /etc/ssh/ssh_host_dsa_key ]]
++ ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
DSA keys are not allowed in FIPS mode
```

This is hardcoded into the image: https://opendev.org/openstack/kolla/src/branch/stable/2023.1/docker/keystone/keystone-ssh/extend_start.sh

https://opendev.org/openstack/kolla/src/branch/stable/2023.1/docker/nova/nova-ssh/extend_start.sh

Workaround:
Custom image changing the key type.

Reproduce:

Deploy Kolla in an environment with FIPS enabled `fips-mode-setup --enable`.

I should note that while this works in non-FIPS clouds, this should be taken into serious consideration as there are a number of end users with FIPS requirements ramping up that will eventually run into this as time progresses.

Suggested Fix:

nova:

```bash
#!/bin/bash

# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_KEY_TYPES=( "rsa" "ecdsa" "ed25519" )

for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do
    KEY_PATH="/etc/ssh/ssh_host_${key_type}_key"

    # Check existing key lengths for RSA to ensure they are FIPS compliant.
    # `ssh-keygen -l` prints the key length in bits as the first field.
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        key_length=$(ssh-keygen -l -f "${KEY_PATH}" | awk '{print $1}')
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}" "${KEY_PATH}.pub"
        fi
    fi

    # Generate keys that are missing (or were just removed above)
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 2048 -f "${KEY_PATH}" -N ""
        elif [[ "${key_type}" == "ecdsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 256 -f "${KEY_PATH}" -N ""
        else
            ssh-keygen -q -t "${key_type}" -f "${KEY_PATH}" -N ""
        fi
    fi
done

mkdir -p /var/lib/nova/.ssh

if [[ $(stat -c %U:%G /var/lib/nova/.ssh) != "nova:nova" ]]; then
    chown nova: /var/lib/nova/.ssh
fi
```

keystone:

```bash
#!/bin/bash

# Remove "dsa" from the list as it's not FIPS compliant
SSH_HOST_KEY_TYPES=( "rsa" "ecdsa" "ed25519" )

for key_type in "${SSH_HOST_KEY_TYPES[@]}"; do
    KEY_PATH="/etc/ssh/ssh_host_${key_type}_key"

    # Check existing key lengths for RSA to ensure they are FIPS compliant.
    # `ssh-keygen -l` prints the key length in bits as the first field.
    if [[ -f "${KEY_PATH}" ]] && [[ "${key_type}" == "rsa" ]]; then
        key_length=$(ssh-keygen -l -f "${KEY_PATH}" | awk '{print $1}')
        if [[ "${key_length}" -lt 2048 ]]; then
            echo "RSA key length is less than 2048 bits, regenerating..."
            rm -f "${KEY_PATH}" "${KEY_PATH}.pub"
        fi
    fi

    # Generate keys that are missing (or were just removed above)
    if [[ ! -f "${KEY_PATH}" ]]; then
        if [[ "${key_type}" == "rsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 2048 -f "${KEY_PATH}" -N ""
        elif [[ "${key_type}" == "ecdsa" ]]; then
            ssh-keygen -q -t "${key_type}" -b 256 -f "${KEY_PATH}" -N ""
        else
            ssh-keygen -q -t "${key_type}" -f "${KEY_PATH}" -N ""
        fi
    fi
done

mkdir -p /var/lib/keystone/.ssh

if [[ $(stat -c %U:%G /var/lib/keystone/.ssh) != "keystone:keystone" ]]; then
    sudo chown keystone: /var/lib/keystone/.ssh
fi
```

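The following is an added example, not code from the bug report or from the kolla project. It is a preflight helper for the failure described above: it reports which host key types can be generated on the current host (the four types the stock extend_start.sh uses, minus `dsa` when the kernel is in FIPS mode) and classifies existing host keys by parsing `ssh-keygen -l` output, flagging DSA keys and RSA keys shorter than 2048 bits. The environment variable `FIPS_ENABLED_FILE` and all function names are assumptions introduced for this example.

```bash
#!/bin/bash
# Added example, not kolla code. Preflight check for the FIPS host-key
# problem: extend_start.sh generates a DSA host key unconditionally, which
# ssh-keygen refuses in FIPS mode, and pre-existing RSA keys shorter than
# 2048 bits are not FIPS compliant either. FIPS_ENABLED_FILE and the function
# names below are assumptions made for this example.

# True when the kernel reports FIPS mode. FIPS_ENABLED_FILE lets the check be
# exercised on a non-FIPS host; it defaults to the real sysctl file.
fips_enabled() {
    local f="${FIPS_ENABLED_FILE:-/proc/sys/crypto/fips_enabled}"
    [[ -r "$f" ]] && [[ "$(cat "$f")" == "1" ]]
}

# Print, one per line, the host key types that may be generated here:
# the four types extend_start.sh uses, minus dsa when FIPS is enabled.
host_key_types() {
    local t
    for t in rsa dsa ecdsa ed25519; do
        if [[ "$t" == "dsa" ]] && fips_enabled; then
            continue
        fi
        printf '%s\n' "$t"
    done
}

# Classify one line of `ssh-keygen -l -f <key>` output, which looks like
#   2048 SHA256:<fingerprint> <comment> (RSA)
# Prints "ok", "dsa-not-allowed" or "rsa-too-short"; returns 1 unless ok.
check_fingerprint_line() {
    local line="$1"
    local bits="${line%% *}"        # first field: key length in bits
    local ktype="${line##*(}"       # text after the last "(" ...
    ktype="${ktype%)}"              # ... without the closing ")"
    [[ "$bits" =~ ^[0-9]+$ ]] || bits=0   # malformed length counts as too short
    case "$ktype" in
        DSA)
            echo "dsa-not-allowed"; return 1 ;;
        RSA)
            if (( bits < 2048 )); then
                echo "rsa-too-short"; return 1
            fi ;;
    esac
    echo "ok"
}

# Run check_fingerprint_line over every existing host key under $1
# (default /etc/ssh). Returns non-zero if any key would fail in FIPS mode.
check_host_keys() {
    local dir="${1:-/etc/ssh}" rc=0 key line verdict
    for key in "$dir"/ssh_host_*_key; do
        [[ -f "$key" ]] || continue
        if ! line="$(ssh-keygen -l -f "$key" 2>/dev/null)"; then
            echo "unreadable: $key"; rc=1; continue
        fi
        verdict="$(check_fingerprint_line "$line")" || rc=1
        echo "$verdict: $key"
    done
    return "$rc"
}

# Stand-alone use: `bash fips_hostkey_check.sh /etc/ssh` (name assumed).
# Prints the types that would be generated, then checks the existing keys.
if [[ $# -gt 0 ]]; then
    echo "key types to generate: $(host_key_types | tr '\n' ' ')"
    check_host_keys "$1"
fi
```

Run it on a host before (or after) `fips-mode-setup --enable` to see whether the host keys that kolla's extend_start.sh would keep or create are acceptable; a non-zero exit from `check_host_keys` means at least one key would be rejected under FIPS.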
summary: - [FIPS] keystone_ssh image fails with ssh key limitation
+ [FIPS] keystone_ssh | nova_ssh image fails with ssh key limitation
summary: - [FIPS] keystone_ssh | nova_ssh image fails with ssh key limitation
+ [FIPS] keystone_ssh | nova_ssh images fails with ssh key limitation

Javier Diaz Jr (javierdiazcharles) wrote :

Belongs in kolla, not kolla-ansible. Setting bug to invalid.
Moved to: https://bugs.launchpad.net/kolla/+bug/2032827

Changed in kolla-ansible:
status: New → Invalid