Make heat auth_encryption_key random
authorSteven Hardy <shardy@redhat.com>
Fri, 20 Feb 2015 17:04:47 +0000 (12:04 -0500)
committerSteven Hardy <shardy@redhat.com>
Fri, 13 Mar 2015 10:08:56 +0000 (06:08 -0400)
Currently we have a hard-coded default for auth_encryption_key,
which isn't ideal as it's used as a salt for the DB encryption.

Instead, reference an OS::Heat::RandomString resource so we create
a random key for each deployment.

Change-Id: Ic76b89db17603c114d98d28c01f75cc287fb2e90

controller.yaml
deprecated/overcloud-source.yaml
overcloud-without-mergepy.yaml
puppet/controller-puppet.yaml

index a5ebab4..0f69d23 100644 (file)
@@ -129,6 +129,9 @@ parameters:
     type: string
     default: ''
     hidden: true
+  HeatAuthEncryptionKey:
+    description: Auth encryption key for heat-engine
+    type: string
   Image:
     type: string
     default: overcloud-control
@@ -457,7 +460,7 @@ resources:
           admin_password: {get_input: heat_password}
           admin_tenant_name: service
           admin_user: heat
-          auth_encryption_key: unset___________
+          auth_encryption_key: {get_input: heat_auth_encryption_key}
           db: {get_input: heat_dsn}
           debug: {get_input: debug}
           stack_domain_admin_password: {get_input: heat_stack_domain_admin_password}
@@ -690,6 +693,7 @@ resources:
               - '/glance'
         heat_password: {get_param: HeatPassword}
         heat_stack_domain_admin_password: {get_param: HeatStackDomainAdminPassword}
+        heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
         heat_dsn:
           list_join:
             - ''
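Review bot: The new `HeatAuthEncryptionKey` parameter in the `parameters:` hunk is the key heat-engine uses to encrypt data in its database, yet unlike the sibling parameter directly above it (`default: ''` / `hidden: true`) it is not marked hidden, so its value will show up in stack parameter listings. Add `hidden: true` under `type: string` in the parameter definition. The same omission is in the matching `parameters:` hunk of puppet/controller-puppet.yaml. The `get_input`/`get_param` plumbing in the other two hunks follows the existing password inputs, so no change is needed there.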
index 91b6b7f..82fe675 100644 (file)
@@ -475,6 +475,8 @@ resources:
     SubKey: resources.NovaCompute0PassthroughSpecific
     parameters:
         passthrough_config_specific: {get_param: NovaComputeExtraConfig}
+  HeatAuthEncryptionKey:
+    type: OS::Heat::RandomString
   controllerConfig:
     type: OS::Heat::StructuredConfig
     properties:
@@ -561,7 +563,8 @@ resources:
             get_param: HeatPassword
           admin_tenant_name: service
           admin_user: heat
-          auth_encryption_key: unset___________
+          auth_encryption_key:
+            get_resource: HeatAuthEncryptionKey
           db:
             Fn::Join:
               - ''
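Review bot: `auth_encryption_key` is fed the resource ID via `get_resource: HeatAuthEncryptionKey`; the explicit way to read an OS::Heat::RandomString is its `value` attribute, `get_attr: [HeatAuthEncryptionKey, value]`, which states the intent and does not rely on the resource ID happening to equal the generated string. The same pattern is used in overcloud-without-mergepy.yaml where the value is passed into the Controller group. The resource is also declared with no `length` property, so the key length is whatever the resource defaults to; if heat-engine expects a particular key length, pin it with `length:` on the resource rather than leaving it implicit.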
index c311a47..10a8a7f 100644 (file)
@@ -496,6 +496,9 @@ parameters:
 
 resources:
 
+  HeatAuthEncryptionKey:
+    type: OS::Heat::RandomString
+
   Controller:
     type: OS::Heat::ResourceGroup
     properties:
@@ -522,6 +525,7 @@ resources:
           GlanceLogFile: {get_param: GlanceLogFile}
           HeatPassword: {get_param: HeatPassword}
           HeatStackDomainAdminPassword: {get_param: HeatStackDomainAdminPassword}
+          HeatAuthEncryptionKey: {get_resource: HeatAuthEncryptionKey}
           Image: {get_param: controllerImage}
           ImageUpdatePolicy: {get_param: ImageUpdatePolicy}
           KeyName: {get_param: KeyName}
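Review bot: The `HeatAuthEncryptionKey` RandomString gives every fresh stack its own key, but an existing stack updated with this change will presumably move from the old hard-coded value to a newly generated one, and anything heat-engine already encrypted under the old key would then no longer decrypt. That upgrade consequence is not mentioned in the commit message or the template; a comment on the resource such as `# Generated once per stack; replacing this resource invalidates data heat-engine encrypted with the previous key` would make it visible to whoever next touches it. If the upgrade path matters, it may also be worth verifying the update behaviour on an existing stack before merging.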
index 3e2957f..ae14910 100644 (file)
@@ -129,6 +129,9 @@ parameters:
     type: string
     default: ''
     hidden: true
+  HeatAuthEncryptionKey:
+    description: Auth encryption key for heat-engine
+    type: string
   Image:
     type: string
     default: overcloud-control
@@ -433,6 +436,7 @@ resources:
             - - 'http://'
               - {get_param: VirtualIP}
               - ':8000/v1/waitcondition'
+        heat_auth_encryption_key: {get_param: HeatAuthEncryptionKey}
         admin_password: {get_param: AdminPassword}
         admin_token: {get_param: AdminToken}
         neutron_public_interface_ip: {get_param: NeutronPublicInterfaceIP}
@@ -636,7 +640,7 @@ resources:
                 heat::engine::heat_watch_server_url: {get_input: heat.watch_server_url}
                 heat::engine::heat_metadata_server_url: {get_input: heat.metadata_server_url}
                 heat::engine::heat_waitcondition_server_url: {get_input: heat.waitcondition_server_url}
-                heat::engine::auth_encryption_key: unset___________
+                heat::engine::auth_encryption_key: {get_input: heat_auth_encryption_key}
                 heat::rabbit_userid: {get_input: rabbit_username}
                 heat::rabbit_password: {get_input: rabbit_password}
                 heat::rabbit_host: {get_input: controller_virtual_ip}