incompatible auth_encryption_key between heat and heat-cfn

Bug #2036890 reported by Guillaume Boutry
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Juju Charmed Operator - Heat K8S | Fix Committed | High | Hemanth Nakkina |
OpenStack Snap | Triaged | High | Unassigned |

Bug Description

auth_encryption_key is used by heat to store sensitive data in the database. This must be the same between all units.

charm-heat-k8s stores this value in its peer relation, which is not shared between heat and heat-cfn.

Since heat requests are executed by both engines (asynchronously thanks to rabbitmq), some part of the sensitive data is stored with heat's auth_encryption_key and cannot be read by heat-cfn's engine (and vice-versa).

Tags: in-main
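
A consistency check for the condition described above, as an added example that is not part of the bug report or the charm's code: it fingerprints `auth_encryption_key` from each unit's heat.conf so the values can be compared without printing the key itself. The unit names, sample keys and function names are constructed, and it assumes the option is set in the `[DEFAULT]` section.

```python
import configparser
import hashlib
from collections import defaultdict


def key_fingerprint(conf_text):
    """Return a short SHA-256 fingerprint of auth_encryption_key, or None if unset."""
    # interpolation=None: a key may contain '%'; strict=False: tolerate repeated options.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    key = cp.defaults().get("auth_encryption_key")  # assumed to live in [DEFAULT]
    if not key:
        return None
    # Only a truncated digest leaves this function, never the key.
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def compare_units(confs):
    """Group unit names by key fingerprint.

    Returns (consistent, groups). The deployment is consistent only when every
    unit has a key and all units share the same fingerprint.
    """
    groups = defaultdict(list)
    for unit, text in sorted(confs.items()):
        groups[key_fingerprint(text)].append(unit)
    consistent = len(groups) == 1 and None not in groups
    return consistent, dict(groups)


def render(key):
    """Build a minimal heat.conf body for the constructed samples below."""
    return "[DEFAULT]\nauth_encryption_key = %s\n\n[database]\nmax_retries = 5\n" % key


# Constructed sample keys and unit names (not taken from any real deployment).
KEY_A = "0123456789abcdef0123456789abcdef"
KEY_B = "fedcba9876543210fedcba9876543210"
# The state reported in the bug: each application generated its own key.
MISMATCHED = {"heat/0": render(KEY_A), "heat-cfn/0": render(KEY_B)}
# The intended state: both applications use one shared key.
SHARED = {"heat/0": render(KEY_A), "heat-cfn/0": render(KEY_A)}

if __name__ == "__main__":
    for label, confs in (("mismatched", MISMATCHED), ("shared", SHARED)):
        ok, groups = compare_units(confs)
        print(label, "OK" if ok else "MISMATCH", groups)
```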
Changed in charm-heat-k8s:
importance: Undecided → High
Changed in charm-heat-k8s:
status: New → Triaged
assignee: nobody → Hemanth Nakkina (hemanth-n)
Changed in snap-openstack:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-heat-k8s (main)
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-heat-k8s (main)

Reviewed: https://review.opendev.org/c/openstack/charm-heat-k8s/+/897663
Committed: https://opendev.org/openstack/charm-heat-k8s/commit/0459106b3c1ac573286898f8aefc0280f0bf4358
Submitter: "Zuul (22348)"
Branch: main

commit 0459106b3c1ac573286898f8aefc0280f0bf4358
Author: Hemanth Nakkina <email address hidden>
Date: Mon Oct 9 16:37:03 2023 +0530

    Share auth encryption key over relation

    Currently the Auth encryption key for heat-api
    and heat-api-cfn deployed via charm-heat-k8s
    charm instances are different and so causes
    issues when heat-engine from heat-api-cfn handles
    request for heat-api. The heat-engines of both
    heat-api and heat-api-cfn are used for handling
    both heat-api and heat-api-cfn stacks as the AMQP
    topic is the same and not configurable.

    Add a new interface heat-shared-config to share
    the auth encryption key between heat-api and
    heat-api-cfn.
    heat-api updates the relation data with auth
    encryption key once the key is generated or
    any new relations are connected via heat-shared-config.
    Save the auth encryption key as juju secret
    instead of plain text and grant access to
    peer and units connected via heat-shared-interface.

    Closes-Bug: #2036890
    Change-Id: I2ec7f03b5c64d87585141e15b20b01172b14ecc4

tags: added: in-main
Changed in charm-heat-k8s:
status: Triaged → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-heat-k8s (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/charm-heat-k8s/+/897740

OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-heat-k8s (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/charm-heat-k8s/+/897740
Committed: https://opendev.org/openstack/charm-heat-k8s/commit/c55b4e0c9fc909b40220811312d80b73baa9feb2
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit c55b4e0c9fc909b40220811312d80b73baa9feb2
Author: Hemanth Nakkina <email address hidden>
Date: Mon Oct 9 16:37:03 2023 +0530

    Share auth encryption key over relation

    Currently the Auth encryption key for heat-api
    and heat-api-cfn deployed via charm-heat-k8s
    charm instances are different and so causes
    issues when heat-engine from heat-api-cfn handles
    request for heat-api. The heat-engines of both
    heat-api and heat-api-cfn are used for handling
    both heat-api and heat-api-cfn stacks as the AMQP
    topic is the same and not configurable.

    Add a new interface heat-shared-config to share
    the auth encryption key between heat-api and
    heat-api-cfn.
    heat-api updates the relation data with auth
    encryption key once the key is generated or
    any new relations are connected via heat-shared-config.
    Save the auth encryption key as juju secret
    instead of plain text and grant access to
    peer and units connected via heat-shared-interface.

    Closes-Bug: #2036890
    Change-Id: I2ec7f03b5c64d87585141e15b20b01172b14ecc4
    (cherry picked from commit 0459106b3c1ac573286898f8aefc0280f0bf4358)
