[cephx_key] Add aes256k cipher support #3910

Merged: openshift-merge-bot[bot] merged 1 commit into openstack-k8s-operators:main from fultonj:OSPRH-29667 on May 12, 2026

@fultonj fultonj commented May 7, 2026

Add an optional cipher parameter (choices: aes, aes256k; default: aes) to the cephx_key Ansible module so CI jobs can generate AES-256k (32-byte, type=2) CephX keys.

  • Refactor __create_cephx_key() to accept cipher argument; use key_type=2 and os.urandom(32) for aes256k, key_type=1 and os.urandom(16) for aes (default, backward compatible).
  • Update DOCUMENTATION, EXAMPLES and RETURN docstrings.
  • Update the "Generate a cephx key" task in hooks/playbooks/ceph.yml to pass cipher: "{{ cifmw_ceph_key_cipher | default('aes') }}", allowing scenarios to opt in via a single variable.
  • Add tests/unit/modules/test_cephx_key.py with 8 tests covering both cipher modes, invalid input, base64 validity, and key randomness.

Jira: OSPRH-29667

@fultonj fultonj requested a review from fmount May 7, 2026 16:40
@centosinfra-prod-github-app

Build failed (check pipeline). Post recheck (without leading slash)
to rerun all jobs. Make sure the failure cause has been resolved before
you rerun jobs.

https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/zuul/t/rdoproject.org/buildset/beafcabb265a48c1916e4dc01a720972

✔️ openstack-k8s-operators-content-provider SUCCESS in 2h 18m 57s
podified-multinode-edpm-deployment-crc FAILURE in 1h 47m 59s
cifmw-crc-podified-edpm-baremetal FAILURE in 53m 36s
cifmw-crc-podified-edpm-baremetal-minor-update FAILURE in 47m 33s
✔️ podified-multinode-hci-deployment-crc SUCCESS in 2h 04m 54s
✔️ noop SUCCESS in 0s
✔️ cifmw-pod-ansible-test SUCCESS in 8m 47s
✔️ cifmw-pod-pre-commit SUCCESS in 8m 11s


@fmount fmount left a comment


/lgtm


fmount commented May 8, 2026

The task works in the basic scenario [1] and doesn't introduce any regression.

[1] https://gateway-cloud-softwarefactory.apps.ocp.cloud.ci.centos.org/logs//880/rdoproject.org/8806d7d0f9b84211abc4d11558e49e11/controller/ci-framework-data/logs/post_ceph_80_run_ceph_hook_playbook.log


fmount commented May 8, 2026

recheck

Add an optional `cipher` parameter (choices: aes, aes256k; default: aes)
to the `cephx_key` Ansible module so CI jobs can generate AES-256k
(32-byte, type=2) CephX keys.

- Refactor __create_cephx_key() to accept cipher argument; use
  key_type=2 and os.urandom(32) for aes256k, key_type=1 and
  os.urandom(16) for aes (default, backward compatible).
- Update DOCUMENTATION, EXAMPLES and RETURN docstrings.
- Update the "Generate a cephx key" task in hooks/playbooks/ceph.yml
  to pass `cipher: "{{ cifmw_ceph_key_cipher | default('aes') }}"`,
  allowing scenarios to opt in via a single variable.
- Add tests/unit/modules/test_cephx_key.py with 8 tests covering both
  cipher modes, invalid input, base64 validity, and key randomness.

Jira: OSPRH-29667

Signed-off-by: John Fulton <fulton@redhat.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
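
As an added example (not code from this pull request), the Python sketch below decodes a CephX key blob and checks that its type field and secret length match the pairs named in the description above: type 1 with 16 bytes for aes, type 2 with 32 bytes for aes256k. The 12-byte header layout and the helper names `make_cephx_key` and `classify_cephx_key` are assumptions made for illustration.

```python
import base64
import binascii
import os
import struct
import time

# Assumed header layout (not shown on this page): little-endian u16 key type,
# u32 created seconds, u32 created nanoseconds, u16 secret length, then secret.
HEADER = struct.Struct("<HIIH")

# From the PR description: cipher name -> (key_type, secret length in bytes).
CIPHERS = {"aes": (1, 16), "aes256k": (2, 32)}


def make_cephx_key(cipher="aes"):
    """Hypothetical stand-in for the module's generator, used only by this demo."""
    if cipher not in CIPHERS:
        raise ValueError(f"unsupported cipher: {cipher!r}")
    key_type, length = CIPHERS[cipher]
    secret = os.urandom(length)  # CSPRNG output, as in the PR description
    header = HEADER.pack(key_type, int(time.time()), 0, len(secret))
    return base64.b64encode(header + secret).decode("ascii")


def classify_cephx_key(encoded):
    """Return the cipher name for a key blob, or raise ValueError if malformed."""
    try:
        raw = base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64") from exc
    if len(raw) < HEADER.size:
        raise ValueError("blob shorter than the key header")
    key_type, _sec, _nsec, declared = HEADER.unpack_from(raw)
    secret = raw[HEADER.size:]
    if declared != len(secret):
        raise ValueError("declared length does not match secret length")
    for name, (ktype, length) in CIPHERS.items():
        if (key_type, declared) == (ktype, length):
            return name
    raise ValueError(f"type {key_type} with {declared}-byte secret is not a known cipher")


if __name__ == "__main__":
    for cipher in CIPHERS:  # prints the cipher names only, never the secret
        print(cipher, classify_cephx_key(make_cephx_key(cipher)))
```

A check like this can gate a CI job that sets `cifmw_ceph_key_cipher`, so a scenario that opted in to aes256k fails early if it still receives a type 1 key.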

@michburk michburk left a comment


/lgtm

@michburk

/approve


openshift-ci Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: michburk


@openshift-merge-bot openshift-merge-bot Bot merged commit 03fdc8f into openstack-k8s-operators:main May 12, 2026
10 checks passed