diff options
author | Steven Hardy <shardy@redhat.com> | 2015-12-09 18:23:08 +0000 |
---|---|---|
committer | Steven Hardy <shardy@redhat.com> | 2015-12-09 18:26:03 +0000 |
commit | 293f19b2a41386e1eea47a9e6add24b006c69c42 (patch) | |
tree | b51c3a2dfd32638d97585c7ca5ac4021dafa6f21 /puppet | |
parent | 99bd9970d6bedee8228a6c8ff3d6f45aa1380e22 (diff) |
Remove unsafe "unset" defaults
All of our sensitive parameters are defaulted to easily predictable
values, which is very bad from a security perspective because we don't
force clients to make sane choices thus risk deploying with the
predictable default values. tripleoclient supports generating random
values for all of these, so remove the defaults, for non-tripleoclient
usage we can create a developer-only environment with defaults.
Related-Bug: #1516027
Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
Diffstat (limited to 'puppet')
-rw-r--r-- | puppet/cinder-storage.yaml | 2 | ||||
-rw-r--r-- | puppet/compute.yaml | 7 | ||||
-rw-r--r-- | puppet/controller.yaml | 14 | ||||
-rw-r--r-- | puppet/swift-storage.yaml | 2 |
4 files changed, 0 insertions, 25 deletions
diff --git a/puppet/cinder-storage.yaml b/puppet/cinder-storage.yaml index 82c0e814..3e232ba4 100644 --- a/puppet/cinder-storage.yaml +++ b/puppet/cinder-storage.yaml @@ -17,7 +17,6 @@ parameters: description: The size of the loopback file used by the cinder LVM driver. type: number CinderPassword: - default: unset description: The password for the cinder service and db account, used by cinder-api. type: string hidden: true @@ -70,7 +69,6 @@ parameters: description: The user name for SNMPd with readonly rights running on all Overcloud nodes type: string SnmpdReadonlyUserPassword: - default: unset description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true diff --git a/puppet/compute.yaml b/puppet/compute.yaml index 42c6e276..6082a522 100644 --- a/puppet/compute.yaml +++ b/puppet/compute.yaml @@ -5,7 +5,6 @@ description: > parameters: AdminPassword: - default: unset description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true @@ -16,12 +15,10 @@ parameters: constraints: - allowed_values: ['', Present] CeilometerMeteringSecret: - default: unset description: Secret shared by the ceilometer services. type: string hidden: true CeilometerPassword: - default: unset description: The password for the ceilometer service account. type: string hidden: true @@ -110,7 +107,6 @@ parameters: VLAN on the 'datacentre' physical network (See NeutronBridgeMappings). type: comma_delimited_list NeutronPassword: - default: unset description: The password for the neutron service account, used by neutron agents. type: string hidden: true @@ -147,7 +143,6 @@ parameters: default: 'False' type: string NeutronMetadataProxySharedSecret: - default: 'unset' description: Shared secret to prevent spoofing type: string hidden: true @@ -212,7 +207,6 @@ parameters: description: Whether to enable or not the Rbd backend for Nova type: boolean NovaPassword: - default: unset description: The password for the nova service account, used by nova-api. type: string hidden: true @@ -258,7 +252,6 @@ parameters: description: The user name for SNMPd with readonly rights running on all Overcloud nodes type: string SnmpdReadonlyUserPassword: - default: unset description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true diff --git a/puppet/controller.yaml b/puppet/controller.yaml index 97b5456b..5906f924 100644 --- a/puppet/controller.yaml +++ b/puppet/controller.yaml @@ -10,12 +10,10 @@ parameters: type: string hidden: true AdminPassword: - default: unset description: The password for the keystone admin account, used for monitoring, querying neutron etc. type: string hidden: true AdminToken: - default: unset description: The keystone auth secret and db password. type: string hidden: true @@ -27,12 +25,10 @@ parameters: description: The ceilometer backend type. type: string CeilometerMeteringSecret: - default: unset description: Secret shared by the ceilometer services. type: string hidden: true CeilometerPassword: - default: unset description: The password for the ceilometer service and db account. type: string hidden: true @@ -72,7 +68,6 @@ parameters: CinderEnableNfsBackend is true. type: comma_delimited_list CinderPassword: - default: unset description: The password for the cinder service and db account, used by cinder-api. type: string hidden: true @@ -170,7 +165,6 @@ parameters: type: string default: '' GlancePassword: - default: unset description: The password for the glance service and db account, used by the glance services. type: string hidden: true @@ -210,14 +204,12 @@ parameters: description: Syslog address where HAproxy will send its log type: string HeatPassword: - default: unset description: The password for the Heat service and db account, used by the Heat services. type: string hidden: true HeatStackDomainAdminPassword: description: Password for heat_domain_admin user. type: string - default: '' hidden: true HeatAuthEncryptionKey: description: Auth encryption key for heat-engine @@ -367,7 +359,6 @@ parameters: description: Whether to configure Neutron Distributed Virtual Routers type: string NeutronMetadataProxySharedSecret: - default: 'unset' description: Shared secret to prevent spoofing type: string hidden: true @@ -430,7 +421,6 @@ parameters: VLAN on the 'datacentre' physical network (See NeutronBridgeMappings). type: comma_delimited_list NeutronPassword: - default: unset description: The password for the neutron service and db account, used by neutron agents. type: string hidden: true @@ -482,7 +472,6 @@ parameters: type: string default: '' NovaPassword: - default: unset description: The password for the nova service and db account, used by nova-api. type: string hidden: true @@ -542,12 +531,10 @@ parameters: description: The user name for SNMPd with readonly rights running on all Overcloud nodes type: string SnmpdReadonlyUserPassword: - default: unset description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true SwiftHashSuffix: - default: unset description: A random string to be used as a salt when hashing to determine mappings in the ring. hidden: true @@ -565,7 +552,6 @@ parameters: description: Partition Power to use when building Swift rings type: number SwiftPassword: - default: unset description: The password for the swift service account, used by the swift proxy services. hidden: true diff --git a/puppet/swift-storage.yaml b/puppet/swift-storage.yaml index a8183f76..49d916a1 100644 --- a/puppet/swift-storage.yaml +++ b/puppet/swift-storage.yaml @@ -7,7 +7,6 @@ parameters: constraints: - custom_constraint: nova.flavor HashSuffix: - default: unset description: A random string to be used as a salt when hashing to determine mappings in the ring. hidden: true @@ -40,7 +39,6 @@ parameters: description: The user name for SNMPd with readonly rights running on all Overcloud nodes type: string SnmpdReadonlyUserPassword: - default: unset description: The user password for SNMPd with readonly rights running on all Overcloud nodes type: string hidden: true |