Barbican configuration should not override maximum allowed secret size

Bug #1957795 reported by Pierre Riteau
This bug affects 1 person
Affects: kolla-ansible
Status: Fix Released
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

barbican.conf.j2 currently sets:

[DEFAULT]
max_allowed_secret_in_bytes = 10000

This overrides the default configuration value, which has been bumped from 10000 to 20000 upstream.

This maximum size can be too small for some certificates.
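
An added example, not part of the bug report or of kolla-ansible: a check that reads a rendered barbican.conf, determines whether `max_allowed_secret_in_bytes` is pinned, and reports which payloads are rejected only because of the pin. It assumes Barbican compares the limit against the payload's byte length; the PEM data and both config texts are constructed.

```python
import base64
import configparser

OPTION = "max_allowed_secret_in_bytes"
UPSTREAM_DEFAULT = 20000  # new upstream default quoted in the bug report

def fake_pem(n_certs, der_len=1500):
    """Constructed stand-in for a PEM chain: n_certs blocks of zero bytes."""
    body = base64.encodebytes(bytes(der_len))
    block = b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"
    return block * n_certs

def effective_limit(conf_text, upstream_default=UPSTREAM_DEFAULT):
    """Return (limit, pinned) for a rendered barbican.conf."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.defaults().get(OPTION)  # [DEFAULT] is exposed via defaults()
    if raw is None:
        return upstream_default, False  # nothing pinned: upstream default applies
    return int(raw), True

def audit(conf_text, payloads, upstream_default=UPSTREAM_DEFAULT):
    """List payloads over the limit and whether the pin alone causes the rejection."""
    limit, pinned = effective_limit(conf_text, upstream_default)
    findings = []
    for name, data in payloads.items():
        size = len(data)
        if size > limit:
            avoidable = pinned and size <= upstream_default
            cause = "pinned value" if avoidable else "upstream limit"
            findings.append((name, size, cause))
    return limit, pinned, findings

# Constructed sample inputs (assumptions, not taken from a real deployment)
PINNED_CONF = "[DEFAULT]\nmax_allowed_secret_in_bytes = 10000\n"
UNPINNED_CONF = "[DEFAULT]\ndebug = False\n"
PAYLOADS = {"leaf": fake_pem(1), "chain": fake_pem(6), "bundle": fake_pem(11)}

if __name__ == "__main__":
    for label, conf in (("pinned", PINNED_CONF), ("unpinned", UNPINNED_CONF)):
        limit, pinned, findings = audit(conf, PAYLOADS)
        print(label, limit, pinned, findings)
```

With the pinned template the six-certificate chain is rejected although it fits under the upstream default; once the pin is removed only the oversized bundle remains.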

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Mark Goddard (mgoddard)
Changed in kolla-ansible:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/824562
Committed: https://opendev.org/openstack/kolla-ansible/commit/20a3b14001f68d5f64aa70b124d7a6dcd6a4e777
Submitter: "Zuul (22348)"
Branch: master

commit 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777
Author: Pierre Riteau <email address hidden>
Date: Tue Jan 18 16:22:03 2022 +0100

    Remove custom value of max_allowed_secret_in_bytes

    Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
    20 KB since the original value was too small for some certificates [1].
    Remove custom value from the barbican.conf template, which anyway was
    the same as the default configuration before the recent upstream change.

    The upstream change was backported to Wallaby and has been proposed to
    Victoria, Ussuri and Train [2], so this change should be backported too.

    [1] https://review.opendev.org/c/openstack/barbican/+/783381
    [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

    Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
    Closes-Bug: #1957795

Changed in kolla-ansible:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/825060

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/825061

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/victoria)

Fix proposed to branch: stable/victoria
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/825062

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/ussuri)

Fix proposed to branch: stable/ussuri
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/825063

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/825060
Committed: https://opendev.org/openstack/kolla-ansible/commit/c80d2068eaa57a61b9e46f6e08aa22bc030378e7
Submitter: "Zuul (22348)"
Branch: stable/xena

commit c80d2068eaa57a61b9e46f6e08aa22bc030378e7
Author: Pierre Riteau <email address hidden>
Date: Tue Jan 18 16:22:03 2022 +0100

    Remove custom value of max_allowed_secret_in_bytes

    Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
    20 KB since the original value was too small for some certificates [1].
    Remove custom value from the barbican.conf template, which anyway was
    the same as the default configuration before the recent upstream change.

    The upstream change was backported to Wallaby and has been proposed to
    Victoria, Ussuri and Train [2], so this change should be backported too.

    [1] https://review.opendev.org/c/openstack/barbican/+/783381
    [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

    Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
    Closes-Bug: #1957795
    (cherry picked from commit 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777)

tags: added: in-stable-xena
tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/825061
Committed: https://opendev.org/openstack/kolla-ansible/commit/e477227ca7281b189dd8b58ea9c1fe4b30e033bc
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit e477227ca7281b189dd8b58ea9c1fe4b30e033bc
Author: Pierre Riteau <email address hidden>
Date: Tue Jan 18 16:22:03 2022 +0100

    Remove custom value of max_allowed_secret_in_bytes

    Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
    20 KB since the original value was too small for some certificates [1].
    Remove custom value from the barbican.conf template, which anyway was
    the same as the default configuration before the recent upstream change.

    The upstream change was backported to Wallaby and has been proposed to
    Victoria, Ussuri and Train [2], so this change should be backported too.

    [1] https://review.opendev.org/c/openstack/barbican/+/783381
    [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

    Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
    Closes-Bug: #1957795
    (cherry picked from commit 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777)

tags: added: in-stable-victoria
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/victoria)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/825062
Committed: https://opendev.org/openstack/kolla-ansible/commit/748c82751e8e6d01f8650ea9e2c28d7c03ed472b
Submitter: "Zuul (22348)"
Branch: stable/victoria

commit 748c82751e8e6d01f8650ea9e2c28d7c03ed472b
Author: Pierre Riteau <email address hidden>
Date: Tue Jan 18 16:22:03 2022 +0100

    Remove custom value of max_allowed_secret_in_bytes

    Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
    20 KB since the original value was too small for some certificates [1].
    Remove custom value from the barbican.conf template, which anyway was
    the same as the default configuration before the recent upstream change.

    The upstream change was backported to Wallaby and has been proposed to
    Victoria, Ussuri and Train [2], so this change should be backported too.

    [1] https://review.opendev.org/c/openstack/barbican/+/783381
    [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

    Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
    Closes-Bug: #1957795
    (cherry picked from commit 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777)

tags: added: in-stable-ussuri
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/ussuri)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/825063
Committed: https://opendev.org/openstack/kolla-ansible/commit/1f7a8d021152d7011fc3c399533b01416b7795aa
Submitter: "Zuul (22348)"
Branch: stable/ussuri

commit 1f7a8d021152d7011fc3c399533b01416b7795aa
Author: Pierre Riteau <email address hidden>
Date: Tue Jan 18 16:22:03 2022 +0100

    Remove custom value of max_allowed_secret_in_bytes

    Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to
    20 KB since the original value was too small for some certificates [1].
    Remove custom value from the barbican.conf template, which anyway was
    the same as the default configuration before the recent upstream change.

    The upstream change was backported to Wallaby and has been proposed to
    Victoria, Ussuri and Train [2], so this change should be backported too.

    [1] https://review.opendev.org/c/openstack/barbican/+/783381
    [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1

    Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90
    Closes-Bug: #1957795
    (cherry picked from commit 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 11.3.0

This issue was fixed in the openstack/kolla-ansible 11.3.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 14.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 12.4.0

This issue was fixed in the openstack/kolla-ansible 12.4.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 13.1.0

This issue was fixed in the openstack/kolla-ansible 13.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible ussuri-eol

This issue was fixed in the openstack/kolla-ansible ussuri-eol release.
