From cfb8e97867e2cd546efcb46303ae8583765d3876 Mon Sep 17 00:00:00 2001 From: Nir Magnezi Date: Sun, 23 Jun 2019 16:10:50 +0300 Subject: [PATCH] Adds constraint: OctaviaServerCertsKeyPassphrase must be 32 chars long Closes-bug: #1833942 Depends-On: I5c2629d9e7700fe1dd6f915bc257b1f058e40617 Depends-On: Ibcdbe2605a7cabe3a5ef8245b4460c8f70220989 Change-Id: I886f2b8ac7092d9b3da38852e92a615d5666eea7 (cherry picked from commit a6fef3aad6f6f3171eb38b7d25c62a5bb485e67f) --- deployment/octavia/octavia-base.yaml | 4 +++- deployment/octavia/octavia-deployment-config.j2.yaml | 4 +++- ...idation-server_certs_key_passphrase-908471f31d09f088.yaml | 5 +++++ 3 files changed, 11 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml diff --git a/deployment/octavia/octavia-base.yaml b/deployment/octavia/octavia-base.yaml index 4f501ccd2b..b90d91bd90 100644 --- a/deployment/octavia/octavia-base.yaml +++ b/deployment/octavia/octavia-base.yaml @@ -102,8 +102,10 @@ parameters: with the path provided in OctaviaCaKeyFile with the key data. OctaviaServerCertsKeyPassphrase: + constraints: + - length: { min: 32, max: 32} description: Passphrase for encrypting Amphora Certificates and - Private Keys. + Private Keys. Must be exactly 32 characters. type: string hidden: true OctaviaCaKeyPassphrase: diff --git a/deployment/octavia/octavia-deployment-config.j2.yaml b/deployment/octavia/octavia-deployment-config.j2.yaml index ef1880f80b..34cc8b6c8e 100644 --- a/deployment/octavia/octavia-deployment-config.j2.yaml +++ b/deployment/octavia/octavia-deployment-config.j2.yaml 
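Review bot: The new `- length: { min: 32, max: 32}` constraint on `OctaviaServerCertsKeyPassphrase` counts characters, while the release note in this same patch says the value is consumed as a Fernet key and must be 32 bytes; a passphrase containing non-ASCII characters passes the Heat check but encodes to more than 32 bytes, and a character outside the URL-safe base64 alphabet can likewise be rejected at runtime if Octavia passes the value straight through (not visible here, so to be confirmed against Octavia). Heat has no byte-length constraint, but adding `- allowed_pattern: '^[A-Za-z0-9_-]{32}$'` next to the length constraint would fail both cases at stack validation instead of at amphora certificate generation. The description could then read `Must be exactly 32 URL-safe base64 characters (A-Z, a-z, 0-9, '-' and '_'), e.g. the output of 'openssl rand -hex 16'.`. The enclosing `parameters:` mapping starts and ends outside this hunk.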
@@ -125,8 +125,10 @@ parameters:
 default: '/etc/octavia/certs/private/cakey.pem'
 description: Octavia CA private key file path.
 OctaviaServerCertsKeyPassphrase:
+ constraints:
+ - length: { min: 32, max: 32}
 description: Passphrase for encrypting Amphora Certificates and
- Private Keys.
+ Private Keys. Must be exactly 32 characters.
 type: string
 hidden: true
 OctaviaCaKeyPassphrase:
diff --git a/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml b/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml
new file mode 100644
index 0000000000..eba31b22b7
--- /dev/null
+++ b/releasenotes/notes/input-validation-server_certs_key_passphrase-908471f31d09f088.yaml
@@ -0,0 +1,5 @@
+---
+fixes:
+ - The passphrase for config option 'server_certs_key_passphrase', is used as
+ a Fernet key in Octavia and thus must be 32 bytes long. In the case of an
+ operator-provided passphrase, TripleO will validate that.
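Review bot: The updated description `Private Keys. Must be exactly 32 characters.` tells operators the length but not that this value is the symmetric key protecting every amphora certificate and private key, so a fixed-length check still accepts a trivially weak value such as 32 repeated characters or a dictionary phrase padded to length. Since Heat cannot check entropy, the documentation should carry that requirement: `Used as the symmetric (Fernet) key protecting amphora certificates and private keys; must be exactly 32 characters and should be generated randomly rather than chosen by hand.`. As a style point, the flow mapping `{ min: 32, max: 32}` has a space after the opening brace but none before the closing one; `{ min: 32, max: 32 }` matches the usual Heat template form. The enclosing `parameters:` mapping starts and ends outside this hunk.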