Add default simple key to secrets

Currently we deploy barbican with weird crypto key. We should generate unique one with secrets. Also we define `barbican_ceilometer_enabled` variable to avoid notifications queue overflow caused by absent listener. Needed-By: https://review.opendev.org/759084 Change-Id: I1732916102dd8cc387d65566f3d3f96038e30e40
2020-10-21 18:44:33 +03:00 · 2020-10-21 18:44:33 +03:00 · 83eaf03d99
commit 83eaf03d99
parent 886e586f10
4 changed files with 10 additions and 3 deletions
--- a/etc/openstack_deploy/user_secrets.yml
+++ b/etc/openstack_deploy/user_secrets.yml
@ -235,6 +235,7 @@ barbican_oslomsg_rpc_password:
 # your user variables.
 #barbican_oslomsg_notify_password:
 barbican_service_password:
+barbican_simple_crypto_key:

 ## Blazar Options
 blazar_oslomsg_rpc_password:
--- a/inventory/group_vars/barbican_all.yml
+++ b/inventory/group_vars/barbican_all.yml
@ -16,3 +16,4 @@
 barbican_service_region: "{{ service_region }}"
 barbican_service_in_ldap: "{{ service_ldap_backend_enabled }}"
 barbican_keystone_auth: yes
+barbican_ceilometer_enabled: "{{ (groups['ceilometer_all'] is defined) and (groups['ceilometer_all'] | length > 0) }}"
--- a/releasenotes/notes/token-gen-key-0395ca56015506d1.yaml
+++ b/releasenotes/notes/token-gen-key-0395ca56015506d1.yaml
@ -0,0 +1,5 @@
+---
+other:
+  - |
+    pw-token-gen.py script will generate always 32 char string instead of
+    random choice between 24 or 32 length.
--- a/scripts/pw-token-gen.py
+++ b/scripts/pw-token-gen.py
@ -42,7 +42,7 @@ class CredentialGenerator(object):
    password: 16 - 64 character string
    secret:  16 - 64 character string
    token: 64 - 72 character string
-    key: 24, or 32 character string (Needs to be AES compatible)
+    key: 32 character string (Needs to be AES compatible)

    Usage:
    >>> generator = CredentialGenerator()
@ -96,14 +96,14 @@ class CredentialGenerator(object):
        return encoded_bytes[:random.randrange(64, 72)]

    def _key_gen(self, encoded_bytes):
-        """Returns ``str`` with a length of 24 or 32.
+        """Returns ``str`` with a length of 32.

        Length restriction are required for key type secrets because of
        requirements in AES.

        :param encoded_bytes: ``str`` must be at least 32 charters long
        """
-        return encoded_bytes[:random.choice([24, 32])]
+        return encoded_bytes[:32]


 def args():