Check Ceph*Key value format and halt on error

The CephX keys secret is expected to have a specific format, this adds a constraint in the templates to ensure it has the correct format. Change-Id: Ic12c3c287a921d696de1395bc887691c48146359 Closes-Bug: 1864185
2020-02-21 11:33:17 +01:00 · 2020-02-21 11:33:17 +01:00 · 0940dfd95e
commit 0940dfd95e
parent 38a95f12b1
6 changed files with 18 additions and 0 deletions
--- a/deployment/ceph-ansible/ceph-base.yaml
+++ b/deployment/ceph-ansible/ceph-base.yaml
@ -130,6 +130,8 @@ parameters:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephClientUserName:
    default: openstack
    type: string
@ -141,6 +143,8 @@ parameters:
                 with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephPoolDefaultSize:
    description: default minimum replication for RBD copies
    type: number
@ -169,6 +173,8 @@ parameters:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephIPv6:
    default: False
    type: boolean
--- a/deployment/ceph-ansible/ceph-mds.yaml
+++ b/deployment/ceph-ansible/ceph-mds.yaml
@ -35,6 +35,8 @@ parameters:
                 with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephEnableDashboard:
    type: boolean
    default: false
--- a/deployment/ceph-ansible/ceph-mon.yaml
+++ b/deployment/ceph-ansible/ceph-mon.yaml
@ -34,11 +34,15 @@ parameters:
    description: The Ceph monitors key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephAdminKey:
    default: ''
    description: The Ceph admin client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephValidationRetries:
    type: number
    default: 40
--- a/deployment/manila/manila-backend-cephfs.yaml
+++ b/deployment/manila/manila-backend-cephfs.yaml
@ -76,6 +76,8 @@ parameters:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"

 outputs:
  role_data:
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@ -81,6 +81,8 @@ parameters:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@ -65,6 +65,8 @@ parameters:
    description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
    type: string
    hidden: true
+    constraints:
+    - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
  CephClusterFSID:
    type: string
    description: The Ceph cluster FSID. Must be a UUID.