Configure 32 chars length server_certs_key_passphrase for Octavia

This change is related to I886f2b8ac7092d9b3da38852e92a615d5666eea7
and Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989.

Related-Bug: #1833942

Change-Id: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
(cherry picked from commit d9564d7c23)
(cherry picked from commit 381f1a34da)
(cherry picked from commit 39b9d44e47)
This commit is contained in:
Nir Magnezi 2019-06-23 16:39:36 +03:00
parent bdcd8132a1
commit 4967222fc7
3 changed files with 42 additions and 11 deletions


@ -30,8 +30,8 @@
#
# [*server_certs_key_passphrase*]
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
# Defaults to $::os_service_default
#
# Must be exactly 32 characters.
# Defaults to 'insecure-key-do-not-use-this-key'
#
# [*ca_private_key_passphrase*]
# (Optional) CA password used to sign certificates
@ -80,7 +80,7 @@ class octavia::certificates (
$endpoint_type = $::os_service_default,
$ca_certificate = $::os_service_default,
$ca_private_key = $::os_service_default,
$server_certs_key_passphrase = $::os_service_default,
$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
$ca_private_key_passphrase = $::os_service_default,
$client_ca = undef,
$client_cert = $::os_service_default,
@ -109,7 +109,13 @@ class octavia::certificates (
'haproxy_amphora/client_cert' : value => $client_cert;
'haproxy_amphora/server_ca' : value => $ca_certificate;
}
if !$server_certs_key_passphrase {
fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
}
if length($server_certs_key_passphrase)!=32 {
fail("The passphrase '${server_certs_key_passphrase}' is invalid for server_certs_key_passphrase. Please provide a 32 characters
passphrase.")
}
# The file creation will create the parent directory for each file if necessary, but
# only to one level.
if $ca_certificate_data {
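Review bot: The fail() message on the `if length($server_certs_key_passphrase)!=32` branch interpolates the passphrase itself, so a mistyped Fernet key is written verbatim into the agent output, the Puppet report and any report processor or log aggregator that receives it; report only the length instead, e.g. `fail("server_certs_key_passphrase must be exactly 32 characters, got ${length($server_certs_key_passphrase)}.")`. The preceding `if !$server_certs_key_passphrase` guard only fires for undef or false, because the empty string is truthy in Puppet 4+, so the `''` case the spec exercises is actually rejected by the length check rather than by the first message. Note also that the new default 'insecure-key-do-not-use-this-key' is itself 32 characters and passes this validation silently, leaving deployments that never override it with a publicly known key; a `warning()` when the value equals that default would make this visible in the run output. The enclosing class octavia::certificates begins outside the hunk.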


@ -0,0 +1,4 @@
---
fixes:
- The passphrase for config option 'server_certs_key_passphrase', is used as
a Fernet key in Octavia and thus must be 32 chars long.


@ -11,7 +11,6 @@ describe 'octavia::certificates' do
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
end
@ -30,7 +29,7 @@ describe 'octavia::certificates' do
:endpoint_type => 'internalURL',
:ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:server_certs_key_passphrase => 'secure123',
:server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem'
}
@ -43,7 +42,7 @@ describe 'octavia::certificates' do
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end
@ -58,7 +57,7 @@ describe 'octavia::certificates' do
let :params do
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:server_certs_key_passphrase => 'secure123',
:server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
@ -70,7 +69,7 @@ describe 'octavia::certificates' do
it 'configures octavia certificate manager' do
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end
@ -115,7 +114,7 @@ describe 'octavia::certificates' do
let :params do
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia1/key.pem',
:server_certs_key_passphrase => 'secure123',
:server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia2/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
@ -127,7 +126,7 @@ describe 'octavia::certificates' do
it 'configures octavia certificate manager' do
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end
@ -221,6 +220,28 @@ describe 'octavia::certificates' do
}
end
context 'When invalid non 32 characters server_certs_key_passphrase provided' do
let :params do
{ :server_certs_key_passphrase => 'non-32-chars-key',
}
end
it 'fails without an invalid server_certs_key_passphrase' do
is_expected.to raise_error(Puppet::Error)
end
end
context 'When no server_certs_key_passphrase provided' do
let :params do
{ :server_certs_key_passphrase => '',
}
end
it 'fails without a server_certs_key_passphrase' do
is_expected.to raise_error(Puppet::Error)
end
end
it 'should configure certificates' do
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/client_ca.pem')