2e4359069e
When using the simple_crypto plugin, barbican expects the [simple_crypto_plugin] kek config value to be a base64-encoded 32 byte value. However, kolla-ansible is providing a standard autogenerated password. There are two relevant variables in kolla-ansible - barbican_crypto_password (a standard password) and barbican_crypto_key (a HMAC-SHA256 key). There is no use of barbican_crypto_key other than when it is generated. barbican_crypto_password is used to set the [simple_crypto_plugin] kek config value but causes an error when the simple_crypto plugin is used as the value is not in the expected format. Using barbican_crypto_key instead resolves the error. Clearly there is a naming issue here and we should be using barbican_crypto_key instead of barbican_crypto_password. This change removes the barbican_crypto_password variable and uses barbican_crypto_key instead. Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda Closes-Bug: #1699014 Related-Bug: #1683216 Co-Authored-By: Stig Telfer <stig@stackhpc.com>
22 lines
939 B
YAML
22 lines
939 B
YAML
---
|
|
upgrade:
|
|
- |
|
|
Fixes an issue with the barbican service when using the ``simple_crypto``
|
|
plugin whereby an invalid value is generated and used as the plugin's
|
|
encryption key.
|
|
|
|
The encryption key is configured via the ``[simple_crypto_plugin]: kek``
|
|
configuration option in ``barbican.conf``. This option was previously
|
|
configured using the kolla-ansible variable ``barbican_crypto_password``,
|
|
but is now configured using ``barbican_crypto_key`` which uses the correct
|
|
format.
|
|
|
|
Operators that have set ``barbican_crypto_password`` to a valid value
|
|
to work around this issue should ensure that ``barbican_crypto_key``
|
|
is configured in ``passwords.yml`` with the same value that was used for
|
|
``barbican_crypto_password``. This will ensure that existing barbican
|
|
secrets can be decrypted.
|
|
|
|
The variable ``barbican_crypto_password`` may safely be removed from
|
|
``passwords.yml``.
|