Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

Closes-bug: #1833942

Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617
Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989
Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
Nir Magnezi 2019-06-23 16:10:50 +03:00
parent e3edf7b84c
commit a6fef3aad6
3 changed files with 11 additions and 2 deletions


@ -84,8 +84,10 @@ parameters:
with the path provided in OctaviaCaKeyFile with the key
data.
OctaviaServerCertsKeyPassphrase:
constraints:
- length: { min: 32, max: 32}
description: Passphrase for encrypting Amphora Certificates and
Private Keys.
Private Keys. Must be exactly 32 characters.
type: string
hidden: true
OctaviaCaKeyPassphrase:
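Review bot: The new `length: { min: 32, max: 32}` constraint on OctaviaServerCertsKeyPassphrase counts characters, and the updated description says "Must be exactly 32 characters", but the release note in this change states the requirement as 32 bytes. The two only agree for single-byte characters, so a passphrase containing multi-byte characters could pass this check and still be the wrong size for the key. Consider also restricting the character set (for example with an `allowed_pattern` constraint), or stating in the description that the value must be 32 single-byte characters.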


@ -125,8 +125,10 @@ parameters:
default: '/etc/octavia/certs/private/cakey.pem'
description: Octavia CA private key file path.
OctaviaServerCertsKeyPassphrase:
constraints:
- length: { min: 32, max: 32}
description: Passphrase for encrypting Amphora Certificates and
Private Keys.
Private Keys. Must be exactly 32 characters.
type: string
hidden: true
OctaviaCaKeyPassphrase:
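Review bot: The `constraints` entry added under OctaviaServerCertsKeyPassphrase has no `description` of its own, so an operator whose value is rejected gets only the generic length error and no hint as to why exactly 32 is required. Adding a constraint-level `description` that says the value is used as a Fernet key would make the failure self-explanatory. This block is also a copy of the one in the other template touched by this change, so the two constraints and descriptions have to be kept in sync by hand. Style nit: `{ min: 32, max: 32}` has a space after the opening brace but none before the closing one.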


@ -0,0 +1,5 @@
---
fixes:
- The passphrase for config option 'server_certs_key_passphrase', is used as
a Fernet key in Octavia and thus must be 32 bytes long. In the case of an
operator-provided passphrase, TripleO will validate that.
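Review bot: The release note only has a `fixes` entry, but the new constraint will reject any existing operator-provided passphrase that is not exactly 32 long, which can surface as a validation failure on the next stack update. An `upgrade` entry telling operators to check their current OctaviaServerCertsKeyPassphrase value before updating would cover that. The wording should also match the templates: the note says "32 bytes long" while the parameter description says "exactly 32 characters". Minor: the comma after 'server_certs_key_passphrase' is stray, and "TripleO will validate that" would read more clearly as "TripleO will validate its length".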