Configure 32 chars length server_certs_key_passphrase for Octavia

This change is related to I886f2b8ac7092d9b3da38852e92a615d5666eea7 and Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989. Related-Bug: #1833942 Change-Id: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
2019-06-23 16:39:36 +03:00 · 2019-06-23 16:39:36 +03:00 · d9564d7c23
commit d9564d7c23
parent ebf09d9166
3 changed files with 42 additions and 11 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -30,8 +30,8 @@
 #
 # [*server_certs_key_passphrase*]
 #   (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
-#   Defaults to $::os_service_default
-#
+#   Must be exactly 32 characters.
+#   Defaults to 'insecure-key-do-not-use-this-key'
 #
 # [*ca_private_key_passphrase*]
 #   (Optional) CA password used to sign certificates
@ -80,7 +80,7 @@ class octavia::certificates (
  $endpoint_type               = $::os_service_default,
  $ca_certificate              = $::os_service_default,
  $ca_private_key              = $::os_service_default,
-  $server_certs_key_passphrase = $::os_service_default,
+  $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
  $ca_private_key_passphrase   = $::os_service_default,
  $client_ca                   = undef,
  $client_cert                 = $::os_service_default,
@ -109,7 +109,13 @@ class octavia::certificates (
    'haproxy_amphora/client_cert'              : value => $client_cert;
    'haproxy_amphora/server_ca'                : value => $ca_certificate;
  }
-
+  if !$server_certs_key_passphrase  {
+    fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
+  }
+  if length($server_certs_key_passphrase)!=32 {
+      fail("The passphrase '${server_certs_key_passphrase}' is invalid for server_certs_key_passphrase. Please provide a 32 characters
+      passphrase.")
+  }
  # The file creation will create the parent directory for each file if necessary, but
  # only to one level.
  if $ca_certificate_data {
--- a/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
+++ b/releasenotes/notes/fix-generated-server_certs_key_passphrase-in-spec-524a44297ec76bd0.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase', is used as
+    a Fernet key in Octavia and thus must be 32 chars long.
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@ -11,7 +11,6 @@ describe 'octavia::certificates' do
        is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
      end

@ -30,7 +29,7 @@ describe 'octavia::certificates' do
          :endpoint_type               => 'internalURL',
          :ca_certificate              => '/etc/octavia/ca.pem',
          :ca_private_key              => '/etc/octavia/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
          :ca_private_key_passphrase   => 'secure123',
          :client_cert                 => '/etc/octavia/client.pem'
        }
@ -43,7 +42,7 @@ describe 'octavia::certificates' do
        is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
      end

@ -58,7 +57,7 @@ describe 'octavia::certificates' do
      let :params do
        { :ca_certificate              => '/etc/octavia/ca.pem',
          :ca_private_key              => '/etc/octavia/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
          :ca_private_key_passphrase   => 'secure123',
          :client_cert                 => '/etc/octavia/client.pem',
          :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@ -70,7 +69,7 @@ describe 'octavia::certificates' do
      it 'configures octavia certificate manager' do
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
      end

@ -125,7 +124,7 @@ describe 'octavia::certificates' do
      let :params do
        { :ca_certificate              => '/etc/octavia/ca.pem',
          :ca_private_key              => '/etc/octavia1/key.pem',
-          :server_certs_key_passphrase => 'secure123',
+          :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
          :ca_private_key_passphrase   => 'secure123',
          :client_cert                 => '/etc/octavia2/client.pem',
          :ca_certificate_data         => 'on_my_authority_this_is_a_certificate',
@ -137,7 +136,7 @@ describe 'octavia::certificates' do
      it 'configures octavia certificate manager' do
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
        is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
-        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
+        is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
        is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
      end

@ -240,6 +239,28 @@ describe 'octavia::certificates' do
        }
      end

+    context 'When invalid non 32 characters server_certs_key_passphrase provided' do
+      let :params do
+        { :server_certs_key_passphrase => 'non-32-chars-key',
+        }
+      end
+
+      it 'fails without an invalid server_certs_key_passphrase' do
+        is_expected.to raise_error(Puppet::Error)
+      end
+    end
+
+    context 'When no server_certs_key_passphrase provided' do
+      let :params do
+        { :server_certs_key_passphrase => '',
+        }
+      end
+
+      it 'fails without a server_certs_key_passphrase' do
+        is_expected.to raise_error(Puppet::Error)
+      end
+    end
+
      it 'should configure certificates' do
        is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
        is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/client_ca.pem')