Add generate_passwords.py to generate passwords

As with all tools, this is a first pass at the generation. Perhaps we
even want to move this into kolla/kolla/cmd and be generated with tox
itself in the future.

This tool, when run, will only populate empty fields that have no
values meaning that it is safe to run repeatedly on the same file.

Of note, there is no way to preserve comments in the file after it has
been processed by the yaml parser in python. Comments and sections
will remain in the passwords.yml template for additional documentation
if the user wishes to populate the file themselves.

Use SystemRandom and clean up the docs a bit to not use pronouns.

Co-Authored-By: Steven Dake <stdake@cisco.com>

Closes-Bug: #1559266
Change-Id: I2932d592df8871f1b7811059206d0b4d0553a687

dev/vagrant/bootstrap.sh

@@ -165,6 +165,7 @@ function configure_operator {
 
     tox -c ${KOLLA_PATH}/tox.ini -e genconfig
     cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla
+    ${KOLLA_PATH}/tools/generate_passwords.py
     mkdir -p /usr/share/kolla
     chown -R vagrant: /etc/kolla /usr/share/kolla
 

doc/quickstart.rst

@@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction
 All variables for the environment can be specified in the files:
 "/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml"
 
+Generate passwords for /etc/kolla/passwords.yml using the provided
+kolla-genpwd tool.  The tool will populate all empty fields in the
+"/etc/kolla/passwords.yml" file using randomly generated values to secure the
+deployment.  Optionally, the passwords may be populate in the file by hand.
+
+::
+
+    kolla-genpwd
+
 Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these
 parameters: kolla_base_distro, kolla_install_type.
 

etc/kolla/passwords.yml

@@ -1,66 +1,62 @@
 ---
-# TODO(SamYaple): This file should have generated values by default. Propose
-# Ansible vault for locking down the secrets properly.
-
-
 ###################
 # Ceph options
 ####################
-ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c"
-rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb"
-
+# These options must be UUID4 values in string format
+# XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
+ceph_cluster_fsid:
+rbd_secret_uuid:
 
 ###################
 # Database options
 ####################
-database_password: "password"
-
+database_password:
 
 ####################
 # Docker options
 ####################
+# This should only be set if you require a password for your Docker registry
 docker_registry_password:
 
-
 ####################
 # OpenStack options
 ####################
-keystone_admin_password: "password"
-keystone_database_password: "password"
+keystone_admin_password:
+keystone_database_password:
 
-glance_database_password: "password"
-glance_keystone_password: "password"
+glance_database_password:
+glance_keystone_password:
 
-nova_database_password: "password"
-nova_api_database_password: "password"
-nova_keystone_password: "password"
+nova_database_password:
+nova_api_database_password:
+nova_keystone_password:
 
-neutron_database_password: "password"
-neutron_keystone_password: "password"
-metadata_secret: "password"
+neutron_database_password:
+neutron_keystone_password:
+metadata_secret:
 
-cinder_database_password: "password"
-cinder_keystone_password: "password"
+cinder_database_password:
+cinder_keystone_password:
 
-swift_keystone_password: "password"
-swift_hash_path_suffix: "kolla"
-swift_hash_path_prefix: "kolla"
+swift_keystone_password:
+swift_hash_path_suffix:
+swift_hash_path_prefix:
 
-heat_database_password: "password"
-heat_keystone_password: "password"
-heat_domain_admin_password: "password"
+heat_database_password:
+heat_keystone_password:
+heat_domain_admin_password:
 
-murano_database_password: "password"
-murano_keystone_password: "password"
+murano_database_password:
+murano_keystone_password:
 
-ironic_database_password: "password"
-ironic_keystone_password: "password"
+ironic_database_password:
+ironic_keystone_password:
 
-magnum_database_password: "password"
-magnum_keystone_password: "password"
+magnum_database_password:
+magnum_keystone_password:
 
-mistral_database_password: "password"
-mistral_keystone_password: "password"
+mistral_database_password:
+mistral_keystone_password:
 
 horizon_secret_key: "password"
 
@@ -72,12 +68,11 @@ memcache_secret_key: "password"
 ####################
 # RabbitMQ options
 ####################
-rabbitmq_password: "password"
-rabbitmq_cluster_cookie: "password"
-
+rabbitmq_password:
+rabbitmq_cluster_cookie:
 
 ####################
 # HAProxy options
 ####################
-haproxy_password: "password"
-keepalived_password: "password"
+haproxy_password:
+keepalived_password:

kolla/cmd/genpwd.py

@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import random
+import string
+import uuid
+import yaml
+
+
+def main():
+    # These keys should be random uuids
+    uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid']
+
+    # If these keys are None, leave them as None
+    blank_keys = ['docker_registry_password']
+
+    # length of password
+    length = 40
+
+    with open('/etc/kolla/passwords.yml', 'r') as f:
+        passwords = yaml.load(f.read())
+
+    for k, v in passwords.items():
+        if v is None:
+            if k in blank_keys and v is None:
+                continue
+            if k in uuid_keys:
+                passwords[k] = str(uuid.uuid4())
+            else:
+                passwords[k] = ''.join([
+                    random.SystemRandom().choice(
+                        string.ascii_letters + string.digits)
+                    for n in range(length)
+                ])
+
+    with open('/etc/kolla/passwords.yml', 'w') as f:
+        f.write(yaml.dump(passwords, default_flow_style=False))
+
+if __name__ == '__main__':
+    main()

setup.cfg

@@ -35,6 +35,7 @@ scripts =
 [entry_points]
 console_scripts =
     kolla-build = kolla.cmd.build:main
+    kolla-genpwd = kolla.cmd.genpwd:main
 oslo.config.opts =
     kolla = kolla.opts:list_opts
 

tools/generate_passwords.py

@@ -0,0 +1 @@
+../kolla/cmd/genpwd.py

tools/setup_gate.sh

@@ -13,6 +13,8 @@ function setup_config {
     tox -e genconfig
     # Copy configs
     sudo cp -a etc/kolla /etc/
+    # Generate passwords
+    sudo tools/generate_passwords.py
 
     # Use Infra provided pypi
     echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header