
Configure 32 chars length server_certs_key_passphrase for Octavia

This change is related to I886f2b8ac7092d9b3da38852e92a615d5666eea7
and Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989.

Related-Bug: #1833942

Change-Id: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
(cherry picked from commit d9564d7c23)
(cherry picked from commit 381f1a34da)
(cherry picked from commit 39b9d44e47)
changes/24/669824/2
Nir Magnezi 2 months ago
parent
commit
4967222fc7

+ 10
- 4
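--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -30,8 +30,8 @@
 #
 # [*server_certs_key_passphrase*]
 #   (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
-#   Defaults to $::os_service_default
-#
+#   Must be exactly 32 characters.
+#   Defaults to 'insecure-key-do-not-use-this-key'
 #
 # [*ca_private_key_passphrase*]
 #   (Optional) CA password used to sign certificates
@@ -80,7 +80,7 @@ class octavia::certificates (
   $endpoint_type               = $::os_service_default,
   $ca_certificate              = $::os_service_default,
   $ca_private_key              = $::os_service_default,
-  $server_certs_key_passphrase = $::os_service_default,
+  $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
   $ca_private_key_passphrase   = $::os_service_default,
   $client_ca                   = undef,
   $client_cert                 = $::os_service_default,
@@ -109,7 +109,13 @@ class octavia::certificates (
     'haproxy_amphora/client_cert'              : value => $client_cert;
     'haproxy_amphora/server_ca'                : value => $ca_certificate;
   }
-
+  if !$server_certs_key_passphrase  {
+    fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
+  }
+  if length($server_certs_key_passphrase)!=32 {
+      fail("The passphrase '${server_certs_key_passphrase}' is invalid for server_certs_key_passphrase. Please provide a 32 characters
+      passphrase.")
+  }
   # The file creation will create the parent directory for each file if necessary, but
   # only to one level.
   if $ca_certificate_data {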
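Review bot: The second `fail()` in the `@@ -109` hunk interpolates `${server_certs_key_passphrase}` into the error text, so a mistyped or partially correct passphrase ends up verbatim in the agent log and the report; report only its length instead, e.g. `$passphrase_length = length($server_certs_key_passphrase)` followed by `fail("server_certs_key_passphrase must be exactly 32 characters, got ${passphrase_length}.")`. That string literal is also split across two source lines, so the compiled message contains a newline and six spaces of indentation before 'passphrase.'. The preceding `if !$server_certs_key_passphrase` guard presumably targets undef/false; if the parser treats '' as truthy, the new spec's `''` case is caught by the length check rather than by this guard, so the two messages are not the distinction they appear to be. The parameter comment in the first hunk could also state that the default is a placeholder that must be overridden, since it passes validation unchanged. The class body continues outside the hunk.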

+ 4
- 0
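--- a/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
+++ b/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase', is used as
+    a Fernet key in Octavia and thus must be 32 chars long.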

+ 28
- 7
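--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -11,7 +11,6 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
       end
 
@@ -30,7 +29,7 @@ describe 'octavia::certificates' do
           :endpoint_type               => 'internalURL',
           :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia/client.pem'
         }
@@ -43,7 +42,7 @@ describe 'octavia::certificates' do
         is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -58,7 +57,7 @@ describe 'octavia::certificates' do
       let :params do
         { :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia/client.pem',
           :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@@ -70,7 +69,7 @@ describe 'octavia::certificates' do
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -115,7 +114,7 @@ describe 'octavia::certificates' do
       let :params do
         { :ca_certificate              => '/etc/octavia/ca.pem',
           :ca_private_key              => '/etc/octavia1/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
           :ca_private_key_passphrase   => 'secure123',
           :client_cert                 => '/etc/octavia2/client.pem',
           :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@@ -127,7 +126,7 @@ describe 'octavia::certificates' do
       it 'configures octavia certificate manager' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
         is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
       end
 
@@ -221,6 +220,28 @@ describe 'octavia::certificates' do
         }
       end
 
+    context 'When invalid non 32 characters server_certs_key_passphrase provided' do
+      let :params do
+        { :server_certs_key_passphrase => 'non-32-chars-key',
+        }
+      end
+
+      it 'fails without an invalid server_certs_key_passphrase' do
+        is_expected.to raise_error(Puppet::Error)
+      end
+    end
+
+    context 'When no server_certs_key_passphrase provided' do
+      let :params do
+        { :server_certs_key_passphrase => '',
+        }
+      end
+
+      it 'fails without a server_certs_key_passphrase' do
+        is_expected.to raise_error(Puppet::Error)
+      end
+    end
+
       it 'should configure certificates' do
         is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
         is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/client_ca.pem')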
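Review bot: The example name `it 'fails without an invalid server_certs_key_passphrase'` in the last hunk says the opposite of what its context exercises; rename it `it 'fails with an invalid server_certs_key_passphrase'`. Both new examples assert only `raise_error(Puppet::Error)`, which any catalog compile failure satisfies, so pin them to the check under test with `is_expected.to raise_error(Puppet::Error, /32 characters/)`. The second context passes `''` rather than leaving the parameter out, so with the class now supplying a default it appears to exercise the length check rather than a genuinely absent passphrase; a case that omits the parameter and asserts `with_value('insecure-key-do-not-use-this-key')` would also restore the default-value coverage the first hunk removed. These contexts sit inside a `describe` block that starts outside the hunk.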
