diff options
author | Steven Hardy <shardy@redhat.com> | 2015-02-20 12:04:47 -0500 |
---|---|---|
committer | Steven Hardy <shardy@redhat.com> | 2015-03-13 06:08:56 -0400 |
commit | b05137d61ae3a0ab2abcf0e259446183d3f5ddd8 (patch) | |
tree | be8066061b32cbdd94f6b9f18f94676f021e775a | |
parent | 8772095c427c0c90747077271c70d84b16741359 (diff) |
Make heat auth_encryption_key random
Currently we have a hard-coded default for auth_encryption_key,
which isn't ideal as it's used as a salt for the DB encryption.
Instead, reference an OS::Heat::RandomString resource so we create
a random key for each deployment.
Change-Id: Ic76b89db17603c114d98d28c01f75cc287fb2e90
-rw-r--r-- | controller.yaml | 6 | ||||
-rw-r--r-- | deprecated/overcloud-source.yaml | 5 | ||||
-rw-r--r-- | overcloud-without-mergepy.yaml | 4 | ||||
-rw-r--r-- | puppet/controller-puppet.yaml | 6 |
4 files changed, 18 insertions, 3 deletions
diff --git a/controller.yaml b/controller.yaml index a5ebab4f..0f69d23a 100644 --- a/controller.yaml +++ b/controller.yaml @@ -129,6 +129,9 @@ parameters: type: string default: '' hidden: true + HeatAuthEncryptionKey: + description: Auth encryption key for heat-engine + type: string Image: type: string default: overcloud-control @@ -457,7 +460,7 @@ resources: admin_password: {get_input: heat_password} admin_tenant_name: service admin_user: heat - auth_encryption_key: unset___________ + auth_encryption_key: {get_input: heat_auth_encryption_key} db: {get_input: heat_dsn} debug: {get_input: debug} stack_domain_admin_password: {get_input: heat_stack_domain_admin_password} @@ -690,6 +693,7 @@ resources: - '/glance' heat_password: {get_param: HeatPassword} heat_stack_domain_admin_password: {get_param: HeatStackDomainAdminPassword} + heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey} heat_dsn: list_join: - '' diff --git a/deprecated/overcloud-source.yaml b/deprecated/overcloud-source.yaml index 91b6b7fd..82fe6755 100644 --- a/deprecated/overcloud-source.yaml +++ b/deprecated/overcloud-source.yaml @@ -475,6 +475,8 @@ resources: SubKey: resources.NovaCompute0PassthroughSpecific parameters: passthrough_config_specific: {get_param: NovaComputeExtraConfig} + HeatAuthEncryptionKey: + type: OS::Heat::RandomString controllerConfig: type: OS::Heat::StructuredConfig properties: @@ -561,7 +563,8 @@ resources: get_param: HeatPassword admin_tenant_name: service admin_user: heat - auth_encryption_key: unset___________ + auth_encryption_key: + get_resource: HeatAuthEncryptionKey db: Fn::Join: - '' diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml index c311a479..10a8a7fa 100644 --- a/overcloud-without-mergepy.yaml +++ b/overcloud-without-mergepy.yaml @@ -496,6 +496,9 @@ parameters: resources: + HeatAuthEncryptionKey: + type: OS::Heat::RandomString + Controller: type: OS::Heat::ResourceGroup properties: @@ -522,6 +525,7 @@ resources: GlanceLogFile: {get_param: GlanceLogFile} HeatPassword: {get_param: HeatPassword} HeatStackDomainAdminPassword: {get_param: HeatStackDomainAdminPassword} + HeatAuthEncryptionKey: {get_resource: HeatAuthEncryptionKey} Image: {get_param: controllerImage} ImageUpdatePolicy: {get_param: ImageUpdatePolicy} KeyName: {get_param: KeyName} diff --git a/puppet/controller-puppet.yaml b/puppet/controller-puppet.yaml index 3e2957f9..ae14910b 100644 --- a/puppet/controller-puppet.yaml +++ b/puppet/controller-puppet.yaml @@ -129,6 +129,9 @@ parameters: type: string default: '' hidden: true + HeatAuthEncryptionKey: + description: Auth encryption key for heat-engine + type: string Image: type: string default: overcloud-control @@ -433,6 +436,7 @@ resources: - - 'http://' - {get_param: VirtualIP} - ':8000/v1/waitcondition' + heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey} admin_password: {get_param: AdminPassword} admin_token: {get_param: AdminToken} neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP} @@ -636,7 +640,7 @@ resources: heat::engine::heat_watch_server_url: {get_input: heat.watch_server_url} heat::engine::heat_metadata_server_url: {get_input: heat.metadata_server_url} heat::engine::heat_waitcondition_server_url: {get_input: heat.waitcondition_server_url} - heat::engine::auth_encryption_key: unset___________ + heat::engine::auth_encryption_key: {get_input: heat_auth_encryption_key} heat::rabbit_userid: {get_input: rabbit_username} heat::rabbit_password: {get_input: rabbit_password} heat::rabbit_host: {get_input: controller_virtual_ip} |