summaryrefslogtreecommitdiffstats
path: root/puppet
diff options
context:
space:
mode:
authorSteven Hardy <shardy@redhat.com>2015-12-09 18:23:08 +0000
committerSteven Hardy <shardy@redhat.com>2015-12-09 18:26:03 +0000
commit293f19b2a41386e1eea47a9e6add24b006c69c42 (patch)
treeb51c3a2dfd32638d97585c7ca5ac4021dafa6f21 /puppet
parent99bd9970d6bedee8228a6c8ff3d6f45aa1380e22 (diff)
Remove unsafe "unset" defaults
All of our sensitive parameters are defaulted to easily predictable values, which is very bad from a security perspective because we don't force clients to make sane choices thus risk deploying with the predictable default values. tripleoclient supports generating random values for all of these, so remove the defaults, for non-tripleoclient usage we can create a developer-only environment with defaults. Related-Bug: #1516027 Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
Diffstat (limited to 'puppet')
-rw-r--r--puppet/cinder-storage.yaml2
-rw-r--r--puppet/compute.yaml7
-rw-r--r--puppet/controller.yaml14
-rw-r--r--puppet/swift-storage.yaml2
4 files changed, 0 insertions, 25 deletions
diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml
index 82c0e814..3e232ba4 100644
--- a/puppet/cinder-storage.yaml
+++ b/puppet/cinder-storage.yaml
@@ -17,7 +17,6 @@ parameters:
description: The size of the loopback file used by the cinder LVM driver.
type: number
CinderPassword:
- default: unset
description: The password for the cinder service and db account, used by cinder-api.
type: string
hidden: true
@@ -70,7 +69,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string
SnmpdReadonlyUserPassword:
- default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
diff --git a/puppet/compute.yaml b/puppet/compute.yaml
index 42c6e276..6082a522 100644
--- a/puppet/compute.yaml
+++ b/puppet/compute.yaml
@@ -5,7 +5,6 @@ description: >
parameters:
AdminPassword:
- default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
@@ -16,12 +15,10 @@ parameters:
constraints:
- allowed_values: ['', Present]
CeilometerMeteringSecret:
- default: unset
description: Secret shared by the ceilometer services.
type: string
hidden: true
CeilometerPassword:
- default: unset
description: The password for the ceilometer service account.
type: string
hidden: true
@@ -110,7 +107,6 @@ parameters:
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
type: comma_delimited_list
NeutronPassword:
- default: unset
description: The password for the neutron service account, used by neutron agents.
type: string
hidden: true
@@ -147,7 +143,6 @@ parameters:
default: 'False'
type: string
NeutronMetadataProxySharedSecret:
- default: 'unset'
description: Shared secret to prevent spoofing
type: string
hidden: true
@@ -212,7 +207,6 @@ parameters:
description: Whether to enable or not the Rbd backend for Nova
type: boolean
NovaPassword:
- default: unset
description: The password for the nova service account, used by nova-api.
type: string
hidden: true
@@ -258,7 +252,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string
SnmpdReadonlyUserPassword:
- default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
diff --git a/puppet/controller.yaml b/puppet/controller.yaml
index 97b5456b..5906f924 100644
--- a/puppet/controller.yaml
+++ b/puppet/controller.yaml
@@ -10,12 +10,10 @@ parameters:
type: string
hidden: true
AdminPassword:
- default: unset
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
type: string
hidden: true
AdminToken:
- default: unset
description: The keystone auth secret and db password.
type: string
hidden: true
@@ -27,12 +25,10 @@ parameters:
description: The ceilometer backend type.
type: string
CeilometerMeteringSecret:
- default: unset
description: Secret shared by the ceilometer services.
type: string
hidden: true
CeilometerPassword:
- default: unset
description: The password for the ceilometer service and db account.
type: string
hidden: true
@@ -72,7 +68,6 @@ parameters:
CinderEnableNfsBackend is true.
type: comma_delimited_list
CinderPassword:
- default: unset
description: The password for the cinder service and db account, used by cinder-api.
type: string
hidden: true
@@ -170,7 +165,6 @@ parameters:
type: string
default: ''
GlancePassword:
- default: unset
description: The password for the glance service and db account, used by the glance services.
type: string
hidden: true
@@ -210,14 +204,12 @@ parameters:
description: Syslog address where HAproxy will send its log
type: string
HeatPassword:
- default: unset
description: The password for the Heat service and db account, used by the Heat services.
type: string
hidden: true
HeatStackDomainAdminPassword:
description: Password for heat_domain_admin user.
type: string
- default: ''
hidden: true
HeatAuthEncryptionKey:
description: Auth encryption key for heat-engine
@@ -367,7 +359,6 @@ parameters:
description: Whether to configure Neutron Distributed Virtual Routers
type: string
NeutronMetadataProxySharedSecret:
- default: 'unset'
description: Shared secret to prevent spoofing
type: string
hidden: true
@@ -430,7 +421,6 @@ parameters:
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
type: comma_delimited_list
NeutronPassword:
- default: unset
description: The password for the neutron service and db account, used by neutron agents.
type: string
hidden: true
@@ -482,7 +472,6 @@ parameters:
type: string
default: ''
NovaPassword:
- default: unset
description: The password for the nova service and db account, used by nova-api.
type: string
hidden: true
@@ -542,12 +531,10 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string
SnmpdReadonlyUserPassword:
- default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true
SwiftHashSuffix:
- default: unset
description: A random string to be used as a salt when hashing to determine mappings
in the ring.
hidden: true
@@ -565,7 +552,6 @@ parameters:
description: Partition Power to use when building Swift rings
type: number
SwiftPassword:
- default: unset
description: The password for the swift service account, used by the swift proxy
services.
hidden: true
diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml
index a8183f76..49d916a1 100644
--- a/puppet/swift-storage.yaml
+++ b/puppet/swift-storage.yaml
@@ -7,7 +7,6 @@ parameters:
constraints:
- custom_constraint: nova.flavor
HashSuffix:
- default: unset
description: A random string to be used as a salt when hashing to determine mappings
in the ring.
hidden: true
@@ -40,7 +39,6 @@ parameters:
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
type: string
SnmpdReadonlyUserPassword:
- default: unset
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
type: string
hidden: true