From fe46012f8781407f9289530899e4426e4ff5399e Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Wed, 29 Jul 2020 22:49:24 +0200
Subject: [PATCH] Hide CA passphrase in Octavia tasks

Use environment variables for passphrases in openssl related tasks in Octavia roles. It hides plain text passphrases from deployment logs.

Change-Id: I153b56ad19c9a9f6eea23a0a64eb78c02cbe30ce
Closes-Bug: 1889523
---
 .../tasks/certs_gen.yml | 21 ++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml b/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml
index d41b028b7..b40d49b98 100644
--- a/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml
+++ b/tripleo_ansible/roles/octavia_overcloud_config/tasks/certs_gen.yml
@@ -35,7 +35,10 @@
 - name: Generating certificate authority private key
   become: true
   shell: |
-    openssl genrsa -passout pass:{{ ca_passphrase }} -aes256 -out {{ openssl_temp_dir }}/private/cakey.pem 2048
+    openssl genrsa -passout env:CA_PASSPHRASE -aes256 \
+      -out {{ openssl_temp_dir }}/private/cakey.pem 2048
+  environment:
+    CA_PASSPHRASE: "{{ ca_passphrase }}"
   when:
     - not (force_certs_update | default(false) | bool)
 
@@ -61,10 +64,12 @@
 - name: Update CA private key
   shell: |
     openssl rsa -aes256 \
-      -passin pass:{{ ca_passphrase }} \
-      -passout pass:{{ ca_passphrase }} \
+      -passin env:CA_PASSPHRASE \
+      -passout env:CA_PASSPHRASE \
       -in {{ openssl_temp_dir }}/private/cakey.old.pem \
       -out {{ openssl_temp_dir }}/private/cakey.pem
+  environment:
+    CA_PASSPHRASE: "{{ ca_passphrase }}"
   when:
     - force_certs_update | default(false) | bool
     - force_private_key_update | default(false) | bool
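Review bot: The task still lacks `no_log: true`, so the passphrase can resurface on failure and at high verbosity even though it is no longer in the openssl argument list or the logged `cmd`. A failed `shell` task prints its full result, and Ansible builds the remote module command by prefixing the `environment:` mapping as shell assignments (`CA_PASSPHRASE='…' python …`), which the connection plugin's EXEC trace shows at `-vvv`; the `env:` form is a clear improvement over `pass:` because the openssl process itself no longer carries the secret in its world-readable command line, but it does not close the logging path by itself. Add `no_log: true` next to the new `environment:` key here and in the three sibling tasks (hunks at -61, -81 and -105), which have the same shape. As far as I know `no_log` only suppresses the task result, not the EXEC trace, so the verbosity of the deployment log remains part of the trust boundary and is worth stating in the role docs.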
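Review bot: The `environment:` mapping added after `-out` is the same two lines now repeated verbatim in four tasks (this hunk and those at -35, -81 and -105), and a fifth openssl task added later can easily miss it and fall back to a plain-text `pass:` argument. Ansible accepts `environment:` on a `block:`, so wrapping the certificate tasks in one block that sets `environment:` / `CA_PASSPHRASE: "{{ ca_passphrase }}"` once keeps the passphrase handling in a single place and makes the omission impossible. That is a structural change and fine to defer to a follow-up; if the per-task form is kept, a comment on the first occurrence, `# passphrase is passed via the environment, not argv, so it stays out of deployment logs (bug 1889523)`, records why the indirection exists. The task's `when:` list lies entirely inside the hunk.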
@@ -81,10 +86,13 @@
 - name: Generating certificate authority certificate
   become: true
   shell: |
-    openssl req -x509 -passin pass:{{ ca_passphrase }} -new -nodes -key {{ openssl_temp_dir }}/private/cakey.pem \
+    openssl req -x509 -passin env:CA_PASSPHRASE -new -nodes \
+      -key {{ openssl_temp_dir }}/private/cakey.pem \
       -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
       -days 18250 -config {{ openssl_temp_dir }}/openssl.cnf \
       -out {{ openssl_temp_dir }}/ca_01.pem
+  environment:
+    CA_PASSPHRASE: "{{ ca_passphrase }}"
 
 - name: Reading CA certificate
   become: true
@@ -105,8 +113,11 @@
 - name: Signing service certificate request
   become: true
   shell: |
-    openssl ca -config {{ openssl_temp_dir }}/openssl.cnf -passin pass:{{ ca_passphrase }} -in {{ openssl_temp_dir }}/client.csr \
+    openssl ca -config {{ openssl_temp_dir }}/openssl.cnf \
+      -passin env:CA_PASSPHRASE -in {{ openssl_temp_dir }}/client.csr \
       -days 3650 -out {{ openssl_temp_dir }}/client-.pem -batch
+  environment:
+    CA_PASSPHRASE: "{{ ca_passphrase }}"
 
 - name: Read service private key and public certifcate
   become: true