From 20a3b14001f68d5f64aa70b124d7a6dcd6a4e777 Mon Sep 17 00:00:00 2001 From: Pierre Riteau Date: Tue, 18 Jan 2022 16:22:03 +0100 Subject: [PATCH] Remove custom value of max_allowed_secret_in_bytes Barbican has recently bumped max_allowed_secret_in_bytes from 10 KB to 20 KB since the original value was too small for some certificates [1]. Remove custom value from the barbican.conf template, which anyway was the same as the default configuration before the recent upstream change. The upstream change was backported to Wallaby and has been proposed to Victoria, Ussuri and Train [2], so this change should be backported too. [1] https://review.opendev.org/c/openstack/barbican/+/783381 [2] https://review.opendev.org/q/I59d11c5c9c32128ab9d71eaecdf46dd2d789a8d1 Change-Id: I83e4cb48192c8024650a8d347363f6babb75ad90 Closes-Bug: #1957795 --- ansible/roles/barbican/templates/barbican.conf.j2 | 1 - .../barbican-max-allowed-secret-size-1941307ab5d2a9fd.yaml | 7 +++++++ 2 files changed, 7 insertions(+), 1 deletion(-) create mode 100644 releasenotes/notes/barbican-max-allowed-secret-size-1941307ab5d2a9fd.yaml diff --git a/ansible/roles/barbican/templates/barbican.conf.j2 b/ansible/roles/barbican/templates/barbican.conf.j2 index dd285796e5..e1faf71a6d 100644 --- a/ansible/roles/barbican/templates/barbican.conf.j2 +++ b/ansible/roles/barbican/templates/barbican.conf.j2 @@ -10,7 +10,6 @@ bind_host = {{ api_interface_address }} host_href = {{ barbican_public_endpoint }} backlog = 4096 -max_allowed_secret_in_bytes = 10000 max_allowed_request_size_in_bytes = 1000000 db_auto_create = False diff --git a/releasenotes/notes/barbican-max-allowed-secret-size-1941307ab5d2a9fd.yaml b/releasenotes/notes/barbican-max-allowed-secret-size-1941307ab5d2a9fd.yaml new file mode 100644 index 0000000000..97f343ed96 --- /dev/null +++ b/releasenotes/notes/barbican-max-allowed-secret-size-1941307ab5d2a9fd.yaml 
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Removes custom value of ``max_allowed_secret_in_bytes`` in
+ ``barbican.conf``. The default maximum size in Barbican was doubled to
+ avoid issues with some certificates.
+ `LP #1957795 `__