From 98652da2ab272c8919a31348a4e7f6f33b8321c9 Mon Sep 17 00:00:00 2001
From: Giulio Fidente
Date: Fri, 21 Feb 2020 11:33:17 +0100
Subject: [PATCH] Check Ceph*Key value format and halt on error
The CephX keys secret is expected to have a specific format, this adds a constraint in the templates to ensure it has the correct format.
Change-Id: Ic12c3c287a921d696de1395bc887691c48146359
Closes-Bug: 1864185
(cherry picked from commit 0940dfd95ef64cb4d1d87edfe74374b08db9c9f2)
(cherry picked from commit 33ce60d6acafc8e06b42366a7ef873871597a736)
---
 deployment/ceph-ansible/ceph-base.yaml | 6 ++++++
 deployment/ceph-ansible/ceph-mon.yaml | 4 ++++
 deployment/manila/manila-backend-cephfs.yaml | 2 ++
 deployment/nova/nova-compute-container-puppet.yaml | 2 ++
 deployment/nova/nova-libvirt-container-puppet.yaml | 2 ++
 5 files changed, 16 insertions(+)
diff --git a/deployment/ceph-ansible/ceph-base.yaml b/deployment/ceph-ansible/ceph-base.yaml
index 98bb1b783b..8cd66fc9a5 100644
--- a/deployment/ceph-ansible/ceph-base.yaml
+++ b/deployment/ceph-ansible/ceph-base.yaml
@@ -126,6 +126,8 @@ parameters:
 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephClientUserName:
 default: openstack
 type: string
@@ -137,6 +139,8 @@ parameters:
 with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephPoolDefaultSize:
 description: default minimum replication for RBD copies
 type: number
@@ -165,6 +169,8 @@ parameters:
 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephIPv6:
 default: False
 type: boolean
diff --git a/deployment/ceph-ansible/ceph-mon.yaml b/deployment/ceph-ansible/ceph-mon.yaml
index b4fd64cd41..7530734f7d 100644
--- a/deployment/ceph-ansible/ceph-mon.yaml
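Review bot: The `allowed_pattern` constraints added to these `hidden: true` key parameters in ceph-base.yaml carry no `description`, so a rejected value is reported with Heat's default pattern-mismatch message, which, as far as I recall (worth confirming against the Heat release in use), quotes the offending value next to the regex. A near-valid key with a typo or stray whitespace could then land in CLI output and deployment logs even though the parameter is hidden. Adding a fixed message alongside each pattern, e.g. `description: "Ceph key must be 38 base64 characters followed by '=='"`, avoids that; the same applies to all three hunks here and to the hunks in ceph-mon.yaml, manila-backend-cephfs.yaml, nova-compute-container-puppet.yaml and nova-libvirt-container-puppet.yaml. The parameter definitions begin above each hunk.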
+++ b/deployment/ceph-ansible/ceph-mon.yaml
@@ -34,11 +34,15 @@ parameters:
 description: The Ceph monitors key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephAdminKey:
 default: ''
 description: The Ceph admin client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephValidationRetries:
 type: number
 default: 40
diff --git a/deployment/manila/manila-backend-cephfs.yaml b/deployment/manila/manila-backend-cephfs.yaml
index 27a1f82f1c..ad9b69163b 100644
--- a/deployment/manila/manila-backend-cephfs.yaml
+++ b/deployment/manila/manila-backend-cephfs.yaml
@@ -76,6 +76,8 @@ parameters:
 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 outputs:
 role_data:
diff --git a/deployment/nova/nova-compute-container-puppet.yaml b/deployment/nova/nova-compute-container-puppet.yaml
index 7a46620562..d015310238 100644
--- a/deployment/nova/nova-compute-container-puppet.yaml
+++ b/deployment/nova/nova-compute-container-puppet.yaml
@@ -81,6 +81,8 @@ parameters:
 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephClusterFSID:
 type: string
 description: The Ceph cluster FSID. Must be a UUID.
diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index 63f7c41d08..623a4af154 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
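Review bot: In the ceph-mon.yaml hunk, `CephAdminKey` keeps `default: ''` while gaining a pattern that an empty string cannot match, so the default itself violates the new constraint. If Heat validates defaults against constraints (I believe it does, but confirm), any stack that includes this template without setting the key would stop validating rather than fail later with a clearer message. Dropping the default so the key is explicitly required is the stricter option; if an unset key must stay legal, that should be spelled out in the pattern, e.g. `allowed_pattern: "^$|^[a-zA-Z0-9+/]{38}==$"`. `CephMonKey`'s default sits above the hunk and should be checked the same way.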
@@ -65,6 +65,8 @@ parameters:
 description: The Ceph client key. Can be created with ceph-authtool --gen-print-key.
 type: string
 hidden: true
+ constraints:
+ - allowed_pattern: "^[a-zA-Z0-9+/]{38}==$"
 CephClusterFSID:
 type: string
 description: The Ceph cluster FSID. Must be a UUID.