openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/barbican/templates/barbican.conf.j2
Mark Goddard 2e4359069e Barbican simple_crypto plugin broken - invalid key 
When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>
2017-06-21 17:07:17 +01:00

77 lines
2.9 KiB
Django/Jinja
Raw Blame History

[DEFAULT]
debug = {{ barbican_logging_debug }}
log_dir = /var/log/kolla/barbican
bind_port = {{ barbican_api_port }}
bind_host = {{ api_interface_address }}
host_href = {{ public_protocol }}://{{ kolla_external_fqdn }}:{{ barbican_api_port }}
backlog = 4096
max_allowed_secret_in_bytes = 10000
max_allowed_request_size_in_bytes = 1000000
db_auto_create = False
sql_connection = mysql+pymysql://{{ barbican_database_user }}:{{ barbican_database_password }}@{{ barbican_database_address }}/{{ barbican_database_name }}
transport_url = rabbit://{% for host in groups['rabbitmq'] %}{{ rabbitmq_user }}:{{ rabbitmq_password }}@{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rabbitmq_port }}{% if not loop.last %},{% endif %}{% endfor %}
# ================= Secret Store Plugin ===================
[secretstore]
namespace = barbican.secretstore.plugin
enabled_secretstore_plugins = store_crypto
# ================= Crypto plugin ===================
[crypto]
namespace = barbican.crypto.plugin
enabled_crypto_plugins = {{ barbican_crypto_plugin }}
{% if barbican_crypto_plugin == 'p11_crypto' %}
[p11_crypto_plugin]
# Path to vendor PKCS11 library
library_path = {{ barbican_library_path }}
# Password to login to PKCS11 session
login = '{{ barbican_p11_password }}'
# Label to identify master KEK in the HSM (must not be the same as HMAC label)
mkek_label = 'kolla_master_kek'
# Length in bytes of master KEK
mkek_length = 32
# Label to identify HMAC key in the HSM (must not be the same as MKEK label)
hmac_label = 'kolla_hmac'
{% endif %}
{% if barbican_crypto_plugin == 'simple_crypto' %}
[simple_crypto_plugin]
# the kek should be a 32-byte value which is base64 encoded
kek = '{{ barbican_crypto_key }}'
{% endif %}
[keystone_notifications]
enable = True
[keystone_authtoken]
auth_uri = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
project_domain_id = default
project_name = service
user_domain_id = default
username = {{ barbican_keystone_user }}
password = {{ barbican_keystone_password }}
auth_url = {{ admin_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
auth_type = password
memcache_security_strategy = ENCRYPT
memcache_secret_key = {{ memcache_secret_key }}
{% if orchestration_engine == 'KUBERNETES' %}
memcache_servers = {{ memcached_servers }}
{% else %}
memcached_servers = {% for host in groups['memcached'] %}{{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
{% endif %}
[service_credentials]
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
region_name = {{ openstack_region_name }}
password = {{ barbican_keystone_password }}
username = {{ barbican_keystone_user }}
project_name = service
project_domain_id = default
user_domain_id = default
auth_type = password
View Git Blame Copy Permalink