Add generate_passwords.py to generate passwords
As with all tools, this is a first pass at the generation. Perhaps we even want to move this into kolla/kolla/cmd and have it generated by tox itself in the future. The tool only populates fields that are empty (have no value), so it is safe to run repeatedly on the same file. Of note, there is no way to preserve comments in the file once it has been processed by the Python yaml parser, so comments and sections are kept in the passwords.yml template as additional documentation for users who wish to populate the file by hand. Use SystemRandom and clean up the docs a bit to not use pronouns. Co-Authored-By: Steven Dake <stdake@cisco.com> Closes-Bug: #1559266 Change-Id: I2932d592df8871f1b7811059206d0b4d0553a687
This commit is contained in:
parent
ff3095f56e
commit
f03e06e09b
@ -165,6 +165,7 @@ function configure_operator {
|
||||
|
||||
tox -c ${KOLLA_PATH}/tox.ini -e genconfig
|
||||
cp -r ${KOLLA_PATH}/etc/kolla/ /etc/kolla
|
||||
${KOLLA_PATH}/tools/generate_passwords.py
|
||||
mkdir -p /usr/share/kolla
|
||||
chown -R vagrant: /etc/kolla /usr/share/kolla
|
||||
|
||||
|
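Review bot: The new `${KOLLA_PATH}/tools/generate_passwords.py` call writes every deployment secret into /etc/kolla/passwords.yml, and two lines later `chown -R vagrant: /etc/kolla /usr/share/kolla` hands that file to the unprivileged vagrant user without restricting its mode; the generator itself (elsewhere in this commit) opens the file with a plain `open(..., 'w')`, so the mode will be whatever the umask gives, most likely world-readable. Add `chmod 0600 /etc/kolla/passwords.yml` right after the generation line so the secrets are only readable by the owner. The generator's exit status is also not checked here, so a failure would leave the empty template in place and the rest of configure_operator would continue; unless this script runs under `set -e` (not visible in the hunk), append `|| exit 1`. The enclosing function configure_operator starts and ends outside this hunk.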
@ -390,6 +390,15 @@ the Ansible inventory file can be found in the Ansible `inventory introduction
|
||||
All variables for the environment can be specified in the files:
|
||||
"/etc/kolla/globals.yml" and "/etc/kolla/passwords.yml"
|
||||
|
||||
Generate passwords for /etc/kolla/passwords.yml using the provided
|
||||
kolla-genpwd tool. The tool will populate all empty fields in the
|
||||
"/etc/kolla/passwords.yml" file using randomly generated values to secure the
|
||||
deployment. Optionally, the passwords may be populate in the file by hand.
|
||||
|
||||
::
|
||||
|
||||
kolla-genpwd
|
||||
|
||||
Start by editing /etc/kolla/globals.yml. Check and edit, if needed, these
|
||||
parameters: kolla_base_distro, kolla_install_type.
|
||||
|
||||
|
@ -1,66 +1,62 @@
|
||||
---
|
||||
# TODO(SamYaple): This file should have generated values by default. Propose
|
||||
# Ansible vault for locking down the secrets properly.
|
||||
|
||||
|
||||
###################
|
||||
# Ceph options
|
||||
####################
|
||||
ceph_cluster_fsid: "5fba2fbc-551d-11e5-a8ce-01ef4c5cf93c"
|
||||
rbd_secret_uuid: "bbc5b4d5-6fca-407d-807d-06a4f4a7bccb"
|
||||
|
||||
# These options must be UUID4 values in string format
|
||||
# XXXXXXXX-XXXX-4XXX-XXXX-XXXXXXXXXXXX
|
||||
ceph_cluster_fsid:
|
||||
rbd_secret_uuid:
|
||||
|
||||
###################
|
||||
# Database options
|
||||
####################
|
||||
database_password: "password"
|
||||
|
||||
database_password:
|
||||
|
||||
####################
|
||||
# Docker options
|
||||
####################
|
||||
# This should only be set if you require a password for your Docker registry
|
||||
docker_registry_password:
|
||||
|
||||
|
||||
####################
|
||||
# OpenStack options
|
||||
####################
|
||||
keystone_admin_password: "password"
|
||||
keystone_database_password: "password"
|
||||
keystone_admin_password:
|
||||
keystone_database_password:
|
||||
|
||||
glance_database_password: "password"
|
||||
glance_keystone_password: "password"
|
||||
glance_database_password:
|
||||
glance_keystone_password:
|
||||
|
||||
nova_database_password: "password"
|
||||
nova_api_database_password: "password"
|
||||
nova_keystone_password: "password"
|
||||
nova_database_password:
|
||||
nova_api_database_password:
|
||||
nova_keystone_password:
|
||||
|
||||
neutron_database_password: "password"
|
||||
neutron_keystone_password: "password"
|
||||
metadata_secret: "password"
|
||||
neutron_database_password:
|
||||
neutron_keystone_password:
|
||||
metadata_secret:
|
||||
|
||||
cinder_database_password: "password"
|
||||
cinder_keystone_password: "password"
|
||||
cinder_database_password:
|
||||
cinder_keystone_password:
|
||||
|
||||
swift_keystone_password: "password"
|
||||
swift_hash_path_suffix: "kolla"
|
||||
swift_hash_path_prefix: "kolla"
|
||||
swift_keystone_password:
|
||||
swift_hash_path_suffix:
|
||||
swift_hash_path_prefix:
|
||||
|
||||
heat_database_password: "password"
|
||||
heat_keystone_password: "password"
|
||||
heat_domain_admin_password: "password"
|
||||
heat_database_password:
|
||||
heat_keystone_password:
|
||||
heat_domain_admin_password:
|
||||
|
||||
murano_database_password: "password"
|
||||
murano_keystone_password: "password"
|
||||
murano_database_password:
|
||||
murano_keystone_password:
|
||||
|
||||
ironic_database_password: "password"
|
||||
ironic_keystone_password: "password"
|
||||
ironic_database_password:
|
||||
ironic_keystone_password:
|
||||
|
||||
magnum_database_password: "password"
|
||||
magnum_keystone_password: "password"
|
||||
magnum_database_password:
|
||||
magnum_keystone_password:
|
||||
|
||||
mistral_database_password: "password"
|
||||
mistral_keystone_password: "password"
|
||||
mistral_database_password:
|
||||
mistral_keystone_password:
|
||||
|
||||
horizon_secret_key: "password"
|
||||
|
||||
@ -72,12 +68,11 @@ memcache_secret_key: "password"
|
||||
####################
|
||||
# RabbitMQ options
|
||||
####################
|
||||
rabbitmq_password: "password"
|
||||
rabbitmq_cluster_cookie: "password"
|
||||
|
||||
rabbitmq_password:
|
||||
rabbitmq_cluster_cookie:
|
||||
|
||||
####################
|
||||
# HAProxy options
|
||||
####################
|
||||
haproxy_password: "password"
|
||||
keepalived_password: "password"
|
||||
haproxy_password:
|
||||
keepalived_password:
|
||||
|
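Review bot: `horizon_secret_key: "password"`, shown as unchanged context at the end of the first hunk, and `memcache_secret_key: "password"`, visible as context in the second hunk header, are still set to the literal placeholder, and because the new generator only fills keys whose value is empty these two survive `kolla-genpwd` and reach the deployment as the string `password`. The same applies to any other pre-filled placeholder in the template lines between them that this page does not show. Blank them the same way the other secrets are blanked in this change, `horizon_secret_key:` and `memcache_secret_key:`, so the generator fills them. Note that `docker_registry_password:` is intentionally empty and skipped by the generator's own skip list, so that list, not the template, is what must keep distinguishing optional secrets from required ones.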
51
kolla/cmd/genpwd.py
Executable file
51
kolla/cmd/genpwd.py
Executable file
@ -0,0 +1,51 @@
|
||||
#!/usr/bin/env python
|
||||
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import random
|
||||
import string
|
||||
import uuid
|
||||
import yaml
|
||||
|
||||
|
||||
def main():
|
||||
# These keys should be random uuids
|
||||
uuid_keys = ['ceph_cluster_fsid', 'rbd_secret_uuid']
|
||||
|
||||
# If these keys are None, leave them as None
|
||||
blank_keys = ['docker_registry_password']
|
||||
|
||||
# length of password
|
||||
length = 40
|
||||
|
||||
with open('/etc/kolla/passwords.yml', 'r') as f:
|
||||
passwords = yaml.load(f.read())
|
||||
|
||||
for k, v in passwords.items():
|
||||
if v is None:
|
||||
if k in blank_keys and v is None:
|
||||
continue
|
||||
if k in uuid_keys:
|
||||
passwords[k] = str(uuid.uuid4())
|
||||
else:
|
||||
passwords[k] = ''.join([
|
||||
random.SystemRandom().choice(
|
||||
string.ascii_letters + string.digits)
|
||||
for n in range(length)
|
||||
])
|
||||
|
||||
with open('/etc/kolla/passwords.yml', 'w') as f:
|
||||
f.write(yaml.dump(passwords, default_flow_style=False))
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
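Review bot: The output file is opened with a plain `open('/etc/kolla/passwords.yml', 'w')`, so it is created with the process umask (commonly 0644) even though it now holds every deployment secret, and it is truncated in place, so a failure between the truncate and the `f.write` leaves an empty file whose secrets would be regenerated with different values on the next run and no longer match anything already deployed. Create the file 0600 and replace it atomically as sketched below (this needs `import os` added to the import block). The read side should use `yaml.safe_load(f)` rather than `yaml.load(f.read())`: the file only ever contains plain scalars, and the unrestricted loader will instantiate arbitrary Python objects from YAML tags if the file is ever tampered with. Minor: `if k in blank_keys and v is None` repeats the enclosing `if v is None` test, and `random.SystemRandom()` can be instantiated once outside the comprehension instead of once per character.
```python
    with open('/etc/kolla/passwords.yml', 'r') as f:
        passwords = yaml.safe_load(f)

    # ... unchanged: fill uuid_keys and random passwords for empty values ...

    # Secrets file: create it 0600 and swap it in atomically so a crash
    # mid-write cannot leave a truncated file behind.
    path = '/etc/kolla/passwords.yml'
    tmp_path = path + '.tmp'
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, 'w') as f:
        f.write(yaml.dump(passwords, default_flow_style=False))
    os.rename(tmp_path, path)
```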
@ -35,6 +35,7 @@ scripts =
|
||||
[entry_points]
|
||||
console_scripts =
|
||||
kolla-build = kolla.cmd.build:main
|
||||
kolla-genpwd = kolla.cmd.genpwd:main
|
||||
oslo.config.opts =
|
||||
kolla = kolla.opts:list_opts
|
||||
|
||||
|
1
tools/generate_passwords.py
Symbolic link
1
tools/generate_passwords.py
Symbolic link
@ -0,0 +1 @@
|
||||
../kolla/cmd/genpwd.py
|
@ -13,6 +13,8 @@ function setup_config {
|
||||
tox -e genconfig
|
||||
# Copy configs
|
||||
sudo cp -a etc/kolla /etc/
|
||||
# Generate passwords
|
||||
sudo tools/generate_passwords.py
|
||||
|
||||
# Use Infra provided pypi
|
||||
echo "RUN echo $(base64 -w0 /etc/pip.conf) | base64 -d > /etc/pip.conf" | sudo tee /etc/kolla/header
|
||||
|
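Review bot: `sudo tools/generate_passwords.py` runs the script through its `#!/usr/bin/env python` shebang under root's environment, so unless sudo is configured to preserve PATH the interpreter that resolves is the system python, not the tox virtualenv that ran `genconfig` on the preceding line, and `import yaml` will fail if PyYAML is only installed in that venv. If the script does fail, the gate continues with the empty template unless setup_config runs under `set -e` (not visible in this hunk). Consider `sudo tools/generate_passwords.py || exit 1` and making sure PyYAML is available to root's interpreter. The enclosing function setup_config starts outside the hunk.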