Allow/Support Changing the passwords on the Overcloud

Registered by Graeme Gillies on 2016-11-01

Currently, once you do a deployment with TripleO, you are unable to change or rotate any of the passwords used in the overcloud.

For day 2 operations we need to be able to change all passwords in the environment, for example when an operator leaves, or as part of standard security protocol (passwords rotated every 6 months).

Ideally we would support specifying the passwords you would like in tripleo-overcloud-passwords, with the environment being changed to reflect that on stack-update (or even preseeding the file yourself before deployment).

Blueprint information

Status: Complete
Approver: Steven Hardy
Priority: High
Drafter: Graeme Gillies
Direction: Approved
Assignee: None
Definition: Obsolete
Series goal: None
Implementation: Informational
Milestone target: ocata-3
Completed by: Emilien Macchi on 2016-12-15

Whiteboard

(shardy) Would fixing bug #1611704 be sufficient for this? Then you can do openstack overcloud deploy --templates -e the_passwords.yaml?

If there are specific interface improvements beyond that, it'd be good to define them (not necessarily via a spec, a linked etherpad with use-case examples would be enough). In particular, do we need to support some way of forcibly re-generating random passwords, or can we always assume operators provide them?

(ggillies) I think that bug is likely covering all aspects, hopefully, as long as there is a clear interface to setting the passwords how I like. As for supporting generating random passwords, I guess that would be nice to have, but I understand that might make things harder, so I would be happy to just make operators generate their own passwords outside of TripleO and pass them in (as it's a trivial task for us to do).

(emilien) I'm closing this blueprint since it will be covered by https://bugs.launchpad.net/tripleo/+bug/1611704 -- feel free to re-open it if I did wrong.
