From b2065e2be485c756d4bdd868c9594e47d5b80373 Mon Sep 17 00:00:00 2001
From: Nir Magnezi
Date: Sun, 23 Jun 2019 16:10:50 +0300
Subject: [PATCH] Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long

Conflicts:
 deployment/octavia/octavia-base.yaml
Closes-bug: #1833942
Depends-On: https://review.opendev.org/#/c/669824/
Depends-On: https://review.opendev.org/#/c/669829/
Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7
(cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f)
(cherry picked from commit cfb8e97867e2cd546efcb46303ae8583765d3876)
(cherry picked from commit 992ad5437cf21696958ca86f6675d23848f7c547)
---
 docker/services/octavia/octavia-deployment-config.yaml | 4 +++-
 puppet/services/octavia-base.yaml | 4 +++-
 ...idation-server_certs_key_passphrase-908471f31d09f088.yaml | 5 +++++
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml
diff --git a/docker/services/octavia/octavia-deployment-config.yaml b/docker/services/octavia/octavia-deployment-config.yaml
index bc726686f9..df7b986a47 100644
--- a/docker/services/octavia/octavia-deployment-config.yaml
+++ b/docker/services/octavia/octavia-deployment-config.yaml
@@ -111,8 +111,10 @@ parameters:
 default: '/etc/octavia/certs/private/cakey.pem'
 description: Octavia CA private key file path.
 OctaviaServerCertsKeyPassphrase:
+ constraints:
+ - length: { min: 32, max: 32}
 description: Passphrase for encrypting Amphora Certificates and
- Private Keys.
+ Private Keys. Must be exactly 32 characters.
 type: string
 hidden: true
 OctaviaCaKeyPassphrase:
diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml
index 738960a398..047631603d 100644
--- a/puppet/services/octavia-base.yaml
+++ b/puppet/services/octavia-base.yaml
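Review bot: The new `length` constraint on `OctaviaServerCertsKeyPassphrase` counts characters, not bytes, so a 32-character value containing multi-byte characters passes template validation even though the release note in this same patch states the value is used as a Fernet key and must be 32 bytes long; the added description should state the character-set expectation so the two do not conflict, e.g. `Private Keys. Must be exactly 32 ASCII characters.` (confirm the exact set Octavia accepts against its own option help before wording it). The identical hunk in puppet/services/octavia-base.yaml should receive the same wording. As a point of style, the flow mapping `- length: { min: 32, max: 32}` has a space after the opening brace but none before the closing one; `- length: { min: 32, max: 32 }` is the form yamllint's `braces` rule accepts. The enclosing `parameters:` mapping begins before this hunk.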
@@ -104,8 +104,10 @@ parameters: with the path provided in OctaviaCaKeyFile with the key data. OctaviaServerCertsKeyPassphrase: + constraints: + - length: { min: 32, max: 32} description: Passphrase for encrypting Amphora Certificates and - Private Keys. + Private Keys. Must be exactly 32 characters. type: string hidden: true OctaviaCaKeyPassphrase: diff --git a/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml b/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml new file mode 100644 index 0000000000..eba31b22b7 --- /dev/null +++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml @@ -0,0 +1,5 @@ +--- +fixes: + - The passphrase for config option 'server_certs_key_passphrase', is used as + a Fernet key in Octavia and thus must be 32 bytes long. In the case of an + operator-provided passphrase, TripleO will validate that.