
Do not rotate CephX secrets

We do not want the CephX keys to rotate by default; some cannot
be changed at all after the cluster has been deployed.

Change-Id: Iefe87eb869e248ea1e98d9ae34cdeeea57aa5426
(cherry picked from commit 621ebcea78)
tags/11.4.0
Giulio Fidente 2 months ago
committed by Jesse Pretorius (odyssey4me)
parent
commit
6945b14796
2 changed files with 10 additions and 7 deletions
  1. +4
    -0
      tripleo_common/constants.py
  2. +6
    -7
      tripleo_common/utils/passwords.py

+ 4
- 0
tripleo_common/constants.py View File

@@ -154,6 +154,10 @@ DO_NOT_ROTATE_LIST = (
'KeystoneFernetKey0',
'KeystoneFernetKey1',
'KeystoneFernetKeys',
'CephClientKey',
'CephClusterFSID',
'CephManilaClientKey',
'CephRgwKey',
)

PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
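Review bot: The four Ceph entries added to `DO_NOT_ROTATE_LIST` carry no comment, and one of them, `CephClusterFSID`, is a cluster identifier rather than a credential, so a reader cannot tell why each name is exempt. I would add above them `# Ceph FSID and CephX keys: not regenerated on rotation; some cannot change after deployment`. Exempting the keys makes them long-lived, so the comment or a release note should also say that a suspected key compromise will not be fixed by the default rotation and presumably has to be handled on the Ceph side. The tuple opens outside the hunk, so its other entries and its consumers are not visible here.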


+ 6
- 7
tripleo_common/utils/passwords.py View File

@@ -52,13 +52,12 @@ def generate_passwords(mistralclient=None, stack_env=None,
if (stack_env and name in stack_env.get('parameter_defaults', {}) and
not rotate_passwords):
passwords[name] = stack_env['parameter_defaults'][name]
elif name.startswith("Ceph"):
if name == "CephClusterFSID":
# The FSID must be a UUID
passwords[name] = six.text_type(uuid.uuid4())
else:
# CephX keys aren't random strings
passwords[name] = create_cephx_key()
elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):
# CephX keys aren't random strings
passwords[name] = create_cephx_key()
elif name == "CephClusterFSID":
# The FSID must be a UUID
passwords[name] = six.text_type(uuid.uuid4())
# Since by default passlib.pwd.genword uses all digits and ascii upper
# & lowercase letters, it provides ~5.95 entropy per character.
# Make the length of the default authkey 4096 bytes, which should give
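Review bot: The explicit tuple in `elif name in ('CephClientKey', 'CephManilaClientKey', 'CephRgwKey'):` replaces a prefix match, so any other `Ceph`-prefixed name in the parameter list (iterated outside this hunk) now falls through to the generic generators below instead of `create_cephx_key()`. If that is intended, a comment such as `# only these are CephX keys; other Ceph* parameters are ordinary passwords` would record it. The same three names are also spelled out in `DO_NOT_ROTATE_LIST` in constants.py and nothing keeps the two lists in step, so a key added to one and not the other could be generated as a CephX key yet still be rotated. The visible branches do not consult `DO_NOT_ROTATE_LIST`, and with `rotate_passwords` true they produce a fresh key and FSID, so the exemption presumably depends on a caller not shown here; a unit test asserting that the four names survive a default rotation would pin that down. `generate_passwords` starts and ends outside the hunk.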

