Commit Graph

6 Commits (master)

Author SHA1 Message Date
Takashi Kajinami b0032b7bf9 Passphrase parameters should be secret
Passphrase parameters are considered to be secret information and
should not appear in logs even when debug is enabled.

This change marks the following two passphrase parameters as secrets
and ensures actual values are hidden in oslo.config debug logs.
 - [certificates] server_certs_key_passphrase
 - [certificates] ca_private_key_passphrase

Change-Id: I623aa9b42ea40bdf420f124b981b7755e6c630f8
1 year ago
Nir Magnezi a77667339d Validate server_certs_key_passphrase is 32 chars
Fernet checks[1] for 32 characters long key, so Octavia should validate
the value provided for server_certs_key_passphrase, to reject an invalid
passphrase as early as possible.

This[2] Red Hat Bug showed a case in which an invalid passphrase got
configured, and as a result, Octavia was unable to create any
load balancers.

Related-bug: #1833942

[1] 784676de33/src/cryptography/ (L36)

Change-Id: I334364d4654491bc0d289472ca9ab5fe462d5139
4 years ago
Adam Harwell 57d653cc63 Make amphora cert validity time configurable
This affects only the internal certificates that we generate and install
on Amphorae for use with the amphora-agent.

Change-Id: I8c3eb71246d339bd2d43092cce4e6122a49e9534
4 years ago
Nir Magnezi ae7c87f54a Encrypt certs and keys
Octavia creates certificates and keys to manage encrypted
communication channel to amphorae.
When debug is enabled, the python taskflow module will log
all the information we provide to tasks (and sub-flows)
when we create amphorae or handle with anything related to
certificates and keys management (rotations, etc).

There are ways to tell taskflow to exclude specific things
from being logged (e.g., I136081045787c1bbe3ee846d5845a34201c57864).
While this handles some information in specific flows from being
logged, it is susceptive to code changes.

To avoid an everlasting whack-a-mole game, this patch will merely
encrypt sensitive information so we can safely log it and decrypts
it only when we need to use it.

Change-Id: I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
4 years ago
Doug Wiegley ccecb6ea26 Sync with oslo-incubator, tweak as needed
Change-Id: Ice3cfd55ebdfc0b1355ecbb48d42c123cdb743bb
8 years ago
Adam Harwell 1e866f3ba2 Local development implementation for Certificates
A basic local filesystem implementation of CertManager and
a local pyOpenSSL implementation of CertGenerator.

Change-Id: I0eb0476afaad8a1bbb2eaaf90564eb63f7872546
Partially-implements: blueprint tls-data-security
9 years ago