
Merge "Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long" into stable/queens

tags/8.4.1
Zuul 1 month ago
parent
commit
a6451f0915

+ 3
- 1
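--- a/docker/services/octavia/octavia-deployment-config.yaml
+++ b/docker/services/octavia/octavia-deployment-config.yaml
@@ -111,8 +111,10 @@ parameters:
     default: '/etc/octavia/certs/private/cakey.pem'
     description: Octavia CA private key file path.
   OctaviaServerCertsKeyPassphrase:
+    constraints:
+      - length: { min: 32, max: 32}
     description: Passphrase for encrypting Amphora Certificates and
-                 Private Keys.
+                 Private Keys. Must be exactly 32 characters.
     type: string
     hidden: true
   OctaviaCaKeyPassphrase: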
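Review bot: The new `length: { min: 32, max: 32}` constraint on OctaviaServerCertsKeyPassphrase presumably counts characters, while the release note in this same commit says the value is used as a Fernet key and must be 32 bytes long, so a passphrase containing multi-byte characters could pass validation and still encode to the wrong size. Pairing the length check with an ASCII-only pattern and a message would close that gap and tell the operator why the limit exists, for example `- allowed_pattern: '^[ -~]{32}$'` with `description: Must be exactly 32 printable ASCII characters (used as a Fernet key).` on the same list item. The identical hunk in puppet/services/octavia-base.yaml needs the same change. Whether the parameter carries a default is not visible in the hunk; if it does, that default should be checked against the constraint and should not be a well-known value, since it protects the amphora private keys.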

+ 3
- 1
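--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
@@ -104,8 +104,10 @@ parameters:
                  with the path provided in OctaviaCaKeyFile with the key
                  data.
   OctaviaServerCertsKeyPassphrase:
+    constraints:
+      - length: { min: 32, max: 32}
     description: Passphrase for encrypting Amphora Certificates and
-                 Private Keys.
+                 Private Keys. Must be exactly 32 characters.
     type: string
     hidden: true
   OctaviaCaKeyPassphrase: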

+ 5
- 0
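--- /dev/null
+++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase', is used as
+    a Fernet key in Octavia and thus must be 32 bytes long. In the case of an
+    operator-provided passphrase, TripleO will validate that.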
