Commit Graph

6 Commits (master)

Author SHA1 Message Date
Takashi Kajinami b0032b7bf9 Passphrase parameters should be secret
Passphrase parameters are considered to be secret information and
should not appear in logs even when debug is enabled.

This change marks the following two passphrase parameters as secrets
and ensures actual values are hidden in oslo.config debug logs.
 - [certificates] server_certs_key_passphrase
 - [certificates] ca_private_key_passphrase

Change-Id: I623aa9b42ea40bdf420f124b981b7755e6c630f8
1 year ago
Nir Magnezi a77667339d Validate server_certs_key_passphrase is 32 chars
Fernet checks[1] for 32 characters long key, so Octavia should validate
the value provided for server_certs_key_passphrase, to reject an invalid
passphrase as early as possible.

This[2] Red Hat Bug showed a case in which an invalid passphrase got
configured, and as a result, Octavia was unable to create any
load balancers.

Related-bug: #1833942

[1] 784676de33/src/cryptography/fernet.py (L36)
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1723051

Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139
4 years ago
Adam Harwell 57d653cc63 Make amphora cert validity time configurable
This affects only the internal certificates that we generate and install
on Amphorae for use with the amphora-agent.

Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
4 years ago
Nir Magnezi ae7c87f54a Encrypt certs and keys
Octavia creates certificates and keys to manage encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle anything related to
certificates and keys management (rotations, etc).

There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this keeps some information in specific flows from being
logged, it is susceptible to code changes.

To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it and decrypts
it only when we need to use it.

Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
4 years ago
Doug Wiegley ccecb6ea26 Sync with oslo-incubator, tweak as needed
Change-Id: Ice3cfd55ebdfc0b1355ecbb48d42c123cdb743bb
8 years ago
Adam Harwell 1e866f3ba2 Local development implementation for Certificates
A basic local filesystem implementation of CertManager and
a local pyOpenSSL implementation of CertGenerator.

Change-Id: I0eb0476afaad8a1bbb2eaaf90564eb63f7872546
Partially-implements: blueprint tls-data-security
9 years ago
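
The early check that commit a77667339d describes, sketched as an added example (not Octavia's code): it rejects a bad server_certs_key_passphrase at startup and, in line with commit b0032b7bf9, reports only lengths, never the value. It assumes the Fernet key is the url-safe base64 encoding of the UTF-8 passphrase bytes; the function names and sample values are constructed.

```python
import base64

# Option name as listed in the commit log above.
FERNET_OPTION = "server_certs_key_passphrase"


def fernet_key_from_passphrase(passphrase):
    """Return the Fernet key for a passphrase, or raise ValueError.

    Assumption (not stated on the page): the key is the url-safe base64
    encoding of the UTF-8 passphrase bytes. Fernet decodes the key and
    requires exactly 32 bytes, so both lengths are checked here.
    """
    if not isinstance(passphrase, str):
        raise ValueError("passphrase must be a string")
    if len(passphrase) != 32:
        # Report the length only; the value itself must never reach a log.
        raise ValueError("expected 32 characters, got %d" % len(passphrase))
    raw = passphrase.encode("utf-8")
    if len(raw) != 32:
        # 32 characters containing non-ASCII text encode to more than 32 bytes.
        raise ValueError("32 characters but %d bytes when encoded" % len(raw))
    return base64.urlsafe_b64encode(raw)


def validate_certificates_section(section):
    """Check a [certificates] mapping at startup; return {option: error}."""
    errors = {}
    try:
        fernet_key_from_passphrase(section.get(FERNET_OPTION))
    except ValueError as exc:
        errors[FERNET_OPTION] = str(exc)
    return errors


if __name__ == "__main__":
    # Constructed sample values, not real secrets.
    samples = {
        "valid": "0123456789abcdef0123456789abcdef",
        "too short": "too-short-passphrase",
        "non-ASCII": "\u00e9" * 32,
    }
    for label, value in samples.items():
        result = validate_certificates_section({FERNET_OPTION: value})
        print(label, "->", result or "ok")
```

The non-ASCII case is the one a plain character count misses: the passphrase is 32 characters long but does not yield the 32 bytes Fernet requires.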