Make heat auth_encryption_key random

Currently we have a hard-coded default for auth_encryption_key,
which isn't ideal as it's used as a salt for the DB encryption.

Instead, reference an OS::Heat::RandomString resource so we create
a random key for each deployment.

Change-Id: Ic76b89db17603c114d98d28c01f75cc287fb2e90

1 files changed, 5 insertions, 1 deletions

diff --git a/puppet/controller-puppet.yaml b/puppet/controller-puppet.yaml
index 3e2957f9..ae14910b 100644
--- a/puppet/controller-puppet.yaml
+++ b/puppet/controller-puppet.yaml
@@ -129,6 +129,9 @@ parameters:
     type: string
     default: ''
     hidden: true
+  HeatAuthEncryptionKey:
+    description: Auth encryption key for heat-engine
+    type: string
   Image:
     type: string
     default: overcloud-control
@@ -433,6 +436,7 @@ resources:
             - - 'http://'
               - {get_param: VirtualIP}
               - ':8000/v1/waitcondition'
+        heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
         admin_password: {get_param: AdminPassword}
         admin_token: {get_param: AdminToken}
         neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP}
@@ -636,7 +640,7 @@ resources:
                 heat::engine::heat_watch_server_url: {get_input: heat.watch_server_url}
                 heat::engine::heat_metadata_server_url: {get_input: heat.metadata_server_url}
                 heat::engine::heat_waitcondition_server_url: {get_input: heat.waitcondition_server_url}
-                heat::engine::auth_encryption_key: unset___________
+                heat::engine::auth_encryption_key: {get_input: heat_auth_encryption_key}
                 heat::rabbit_userid: {get_input: rabbit_username}
                 heat::rabbit_password: {get_input: rabbit_password}
                 heat::rabbit_host: {get_input: controller_virtual_ip}