authorSteven Hardy <shardy@redhat.com>2015-02-20 12:04:47 -0500
committerSteven Hardy <shardy@redhat.com>2015-03-13 06:08:56 -0400
commitb05137d61ae3a0ab2abcf0e259446183d3f5ddd8 (patch)
treebe8066061b32cbdd94f6b9f18f94676f021e775a
parent8772095c427c0c90747077271c70d84b16741359 (diff)
Make heat auth_encryption_key random
Currently we have a hard-coded default for auth_encryption_key, which isn't ideal as it's used as a salt for the DB encryption. Instead, reference an OS::Heat::RandomString resource so we create a random key for each deployment. Change-Id: Ic76b89db17603c114d98d28c01f75cc287fb2e90
-rw-r--r--controller.yaml6
-rw-r--r--deprecated/overcloud-source.yaml5
-rw-r--r--overcloud-without-mergepy.yaml4
-rw-r--r--puppet/controller-puppet.yaml6
4 files changed, 18 insertions, 3 deletions
diff --git a/controller.yaml b/controller.yaml
index a5ebab4f..0f69d23a 100644
--- a/controller.yaml
+++ b/controller.yaml
@@ -129,6 +129,9 @@ parameters:
type: string
default: ''
hidden: true
+ HeatAuthEncryptionKey:
+ description: Auth encryption key for heat-engine
+ type: string
Image:
type: string
default: overcloud-control
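Review bot: The new `HeatAuthEncryptionKey` parameter is declared without `hidden: true`, unlike the parameter just above it in this hunk, so Heat would show the key in clear text wherever the stack's parameter values are displayed. Add `hidden: true` under its `type: string` line. The identical declaration in puppet/controller-puppet.yaml (@@ -129,6 +129,9) needs the same line. The parameter also has no `default`, so any caller that does not pass it should fail validation; that looks intended, but a phrase in the `description` saying the value is required and secret would make it explicit. The `parameters:` section starts and continues outside this hunk.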
@@ -457,7 +460,7 @@ resources:
admin_password: {get_input: heat_password}
admin_tenant_name: service
admin_user: heat
- auth_encryption_key: unset___________
+ auth_encryption_key: {get_input: heat_auth_encryption_key}
db: {get_input: heat_dsn}
debug: {get_input: debug}
stack_domain_admin_password: {get_input: heat_stack_domain_admin_password}
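Review bot: Nothing in this change covers a deployment that already stored data under the old literal `unset___________`. After a stack update heat-engine would be configured with a different key, and anything in the Heat database encrypted with the old one would presumably no longer decrypt. Worth a comment on the new line, for example `# changing this on an existing deployment invalidates data already encrypted in the heat DB`, together with an upgrade note. The same replacement is made in deprecated/overcloud-source.yaml (@@ -561,7 +563,8) and puppet/controller-puppet.yaml (@@ -636,7 +640,7). The surrounding config block begins outside this hunk.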
@@ -690,6 +693,7 @@ resources:
- '/glance'
heat_password: {get_param: HeatPassword}
heat_stack_domain_admin_password: {get_param: HeatStackDomainAdminPassword}
+ heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
heat_dsn:
list_join:
- ''
diff --git a/deprecated/overcloud-source.yaml b/deprecated/overcloud-source.yaml
index 91b6b7fd..82fe6755 100644
--- a/deprecated/overcloud-source.yaml
+++ b/deprecated/overcloud-source.yaml
@@ -475,6 +475,8 @@ resources:
SubKey: resources.NovaCompute0PassthroughSpecific
parameters:
passthrough_config_specific: {get_param: NovaComputeExtraConfig}
+ HeatAuthEncryptionKey:
+ type: OS::Heat::RandomString
controllerConfig:
type: OS::Heat::StructuredConfig
properties:
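Review bot: `HeatAuthEncryptionKey` is created with no `properties`, so the key's length and character set are whatever OS::Heat::RandomString defaults to. The literal being replaced looks padded to a fixed width, which suggests heat-engine is particular about key length. Pin the length explicitly with a `properties:` block containing `length: 32`, after confirming that value against what heat-engine accepts, and add a comment such as `# length must match what heat-engine accepts for auth_encryption_key`. The same bare resource is added in overcloud-without-mergepy.yaml (@@ -496,6 +496,9). Any later replacement of this resource would also generate a new key, so it should be treated as immutable once deployed.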
@@ -561,7 +563,8 @@ resources:
get_param: HeatPassword
admin_tenant_name: service
admin_user: heat
- auth_encryption_key: unset___________
+ auth_encryption_key:
+ get_resource: HeatAuthEncryptionKey
db:
Fn::Join:
- ''
diff --git a/overcloud-without-mergepy.yaml b/overcloud-without-mergepy.yaml
index c311a479..10a8a7fa 100644
--- a/overcloud-without-mergepy.yaml
+++ b/overcloud-without-mergepy.yaml
@@ -496,6 +496,9 @@ parameters:
resources:
+ HeatAuthEncryptionKey:
+ type: OS::Heat::RandomString
+
Controller:
type: OS::Heat::ResourceGroup
properties:
@@ -522,6 +525,7 @@ resources:
GlanceLogFile: {get_param: GlanceLogFile}
HeatPassword: {get_param: HeatPassword}
HeatStackDomainAdminPassword: {get_param: HeatStackDomainAdminPassword}
+ HeatAuthEncryptionKey: {get_resource: HeatAuthEncryptionKey}
Image: {get_param: controllerImage}
ImageUpdatePolicy: {get_param: ImageUpdatePolicy}
KeyName: {get_param: KeyName}
diff --git a/puppet/controller-puppet.yaml b/puppet/controller-puppet.yaml
index 3e2957f9..ae14910b 100644
--- a/puppet/controller-puppet.yaml
+++ b/puppet/controller-puppet.yaml
@@ -129,6 +129,9 @@ parameters:
type: string
default: ''
hidden: true
+ HeatAuthEncryptionKey:
+ description: Auth encryption key for heat-engine
+ type: string
Image:
type: string
default: overcloud-control
@@ -433,6 +436,7 @@ resources:
- - 'http://'
- {get_param: VirtualIP}
- ':8000/v1/waitcondition'
+ heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
admin_password: {get_param: AdminPassword}
admin_token: {get_param: AdminToken}
neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP}
@@ -636,7 +640,7 @@ resources:
heat::engine::heat_watch_server_url: {get_input: heat.watch_server_url}
heat::engine::heat_metadata_server_url: {get_input: heat.metadata_server_url}
heat::engine::heat_waitcondition_server_url: {get_input: heat.waitcondition_server_url}
- heat::engine::auth_encryption_key: unset___________
+ heat::engine::auth_encryption_key: {get_input: heat_auth_encryption_key}
heat::rabbit_userid: {get_input: rabbit_username}
heat::rabbit_password: {get_input: rabbit_password}
heat::rabbit_host: {get_input: controller_virtual_ip}