kolla-ansible

History

Mark Goddard 2e4359069e Barbican simple_crypto plugin broken - invalid key When using the simple_crypto plugin, barbican expects the [simple_crypto_plugin] kek config value to be a base64-encoded 32 byte value. However, kolla-ansible is providing a standard autogenerated password. There are two relevant variables in kolla-ansible - barbican_crypto_password (a standard password) and barbican_crypto_key (a HMAC-SHA256 key). There is no use of barbican_crypto_key other than when it is generated. barbican_crypto_password is used to set the [simple_crypto_plugin] kek config value but causes an error when the simple_crypto plugin is used as the value is not in the expected format. Using barbican_crypto_key instead resolves the error. Clearly there is a naming issue here and we should be using barbican_crypto_key instead of barbican_crypto_password. This change removes the barbican_crypto_password variable and uses barbican_crypto_key instead. Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda Closes-Bug: #1699014 Related-Bug: #1683216 Co-Authored-By: Stig Telfer <stig@stackhpc.com>	2017-06-21 17:07:17 +01:00
..
globals.yml	Add Hyper-V role	2017-06-15 16:12:31 +03:00
passwords.yml	Barbican simple_crypto plugin broken - invalid key	2017-06-21 17:07:17 +01:00

Mark Goddard 2e4359069e Barbican simple_crypto plugin broken - invalid key

When using the simple_crypto plugin, barbican expects the
[simple_crypto_plugin] kek config value to be a base64-encoded 32 byte
value. However, kolla-ansible is providing a standard autogenerated
password.

There are two relevant variables in kolla-ansible -
barbican_crypto_password (a standard password) and barbican_crypto_key
(a HMAC-SHA256 key). There is no use of barbican_crypto_key other than
when it is generated. barbican_crypto_password is used to set the
[simple_crypto_plugin] kek config value but causes an error when the
simple_crypto plugin is used as the value is not in the expected format.
Using barbican_crypto_key instead resolves the error. Clearly there is a
naming issue here and we should be using barbican_crypto_key instead of
barbican_crypto_password.

This change removes the barbican_crypto_password variable and uses
barbican_crypto_key instead.

Change-Id: I63e2b381c260265e5901ee88ca0a649d96952bda
Closes-Bug: #1699014
Related-Bug: #1683216
Co-Authored-By: Stig Telfer <stig@stackhpc.com>

2017-06-21 17:07:17 +01:00

globals.yml

Add Hyper-V role

2017-06-15 16:12:31 +03:00

passwords.yml

Barbican simple_crypto plugin broken - invalid key

2017-06-21 17:07:17 +01:00