Merge "Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long" into stable/queens

docker/services/octavia/octavia-deployment-config.yaml

@@ -111,8 +111,10 @@ parameters:
     default: '/etc/octavia/certs/private/cakey.pem'
     description: Octavia CA private key file path.
   OctaviaServerCertsKeyPassphrase:
+    constraints:
+      - length: { min: 32, max: 32}
     description: Passphrase for encrypting Amphora Certificates and
-                 Private Keys.
+                 Private Keys. Must be exactly 32 characters.
     type: string
     hidden: true
   OctaviaCaKeyPassphrase:

puppet/services/octavia-base.yaml

@@ -104,8 +104,10 @@ parameters:
                  with the path provided in OctaviaCaKeyFile with the key
                  data.
   OctaviaServerCertsKeyPassphrase:
+    constraints:
+      - length: { min: 32, max: 32}
     description: Passphrase for encrypting Amphora Certificates and
-                 Private Keys.
+                 Private Keys. Must be exactly 32 characters.
     type: string
     hidden: true
   OctaviaCaKeyPassphrase:

releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml

@@ -0,0 +1,5 @@
+---
+fixes:
+  - The passphrase for config option 'server_certs_key_passphrase', is used as
+    a Fernet key in Octavia and thus must be 32 bytes long. In the case of an
+    operator-provided passphrase, TripleO will validate that.