Use Password Generation provided by the Mistral workflows

Password generation was recently added to tripleo-common and the Mistral workflows. This patch removes the generation code from tripleoclient as it is no longer needed. Closes-Bug: #1632013 Co-Authored-By: Dougal Matthews <dougal@redhat.com> Depends-On: I94428d1deb000c65a1c0266d01f660b76d4a3ee5 Depends-On: I186217fd0e1125519149763e610d3efdff583388 Change-Id: Ibe76a40b4d19219aa8e4fc72ddde519ea6f6d2ba
2016-09-14 14:56:26 -04:00 · 2016-09-14 14:56:26 -04:00 · 1969ccff64
parent 846e7f35d4
commit 1969ccff64
6 changed files with 88 additions and 305 deletions
--- a/tripleoclient/tests/test_utils.py
+++ b/tripleoclient/tests/test_utils.py
@ -27,132 +27,6 @@ from tripleoclient.tests.v1.utils import (
 from tripleoclient import utils


-class TestPasswordsUtil(TestCase):
-
-    @mock.patch("os.path.isfile", return_value=False)
-    @mock.patch("passlib.utils.generate_password",
-                return_value="PASSWORD")
-    @mock.patch("tripleoclient.utils.create_cephx_key",
-                return_value="CEPHX_KEY")
-    @mock.patch("tripleoclient.utils.create_keystone_credential",
-                return_value="PASSWORD")
-    def test_generate_passwords(self, create_keystone_creds_mock,
-                                create_cephx_key_mock, generate_password_mock,
-                                isfile_mock):
-
-        mock_open = mock.mock_open()
-
-        with mock.patch('six.moves.builtins.open', mock_open):
-            passwords = utils.generate_overcloud_passwords(
-                create_password_file=True)
-        mock_calls = [
-            mock.call('NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n'),
-            mock.call('OVERCLOUD_ADMIN_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_ADMIN_TOKEN=PASSWORD\n'),
-            mock.call('OVERCLOUD_AODH_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_BARBICAN_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_CEILOMETER_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_CEILOMETER_SECRET=PASSWORD\n'),
-            mock.call('OVERCLOUD_CEPH_ADMIN_KEY=CEPHX_KEY\n'),
-            mock.call('OVERCLOUD_CEPH_CLIENT_KEY=CEPHX_KEY\n'),
-            mock.call('OVERCLOUD_CEPH_MON_KEY=CEPHX_KEY\n'),
-            mock.call('OVERCLOUD_CEPH_RGW_KEY=CEPHX_KEY\n'),
-            mock.call('OVERCLOUD_CINDER_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_DEMO_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_GLANCE_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_GNOCCHI_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_HAPROXY_STATS_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_HEAT_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_HEAT_STACK_DOMAIN_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_IRONIC_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_KEYSTONE_CREDENTIALS_0=PASSWORD\n'),
-            mock.call('OVERCLOUD_KEYSTONE_CREDENTIALS_1=PASSWORD\n'),
-            mock.call('OVERCLOUD_MANILA_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_MISTRAL_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_MYSQL_CLUSTERCHECK_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_NEUTRON_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_NOVA_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_RABBITMQ_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_REDIS_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_SAHARA_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_SWIFT_HASH=PASSWORD\n'),
-            mock.call('OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_TROVE_PASSWORD=PASSWORD\n'),
-            mock.call('OVERCLOUD_ZAQAR_PASSWORD=PASSWORD\n'),
-        ]
-        self.assertEqual(sorted(mock_open().write.mock_calls), mock_calls)
-        self.assertEqual(generate_password_mock.call_count +
-                         create_keystone_creds_mock.call_count +
-                         create_cephx_key_mock.call_count, len(mock_calls))
-
-        self.assertEqual(len(passwords), len(mock_calls))
-
-    def test_generate_passwords_update(self):
-
-        mock_open = mock.mock_open()
-
-        with mock.patch('six.moves.builtins.open', mock_open):
-            with self.assertRaises(exceptions.PasswordFileNotFound):
-                utils.generate_overcloud_passwords()
-
-    @mock.patch("os.path.isfile", return_value=True)
-    @mock.patch("passlib.utils.generate_password",
-                return_value="PASSWORD")
-    @mock.patch("tripleoclient.utils.create_cephx_key",
-                return_value="CEPHX_KEY")
-    @mock.patch("tripleoclient.utils.create_keystone_credential",
-                return_value="PASSWORD")
-    def test_load_passwords(self, create_keystone_creds_mock,
-                            create_cephx_key_mock, generate_password_mock,
-                            isfile_mock):
-        PASSWORDS = [
-            'OVERCLOUD_ADMIN_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_ADMIN_TOKEN=PASSWORD\n',
-            'OVERCLOUD_AODH_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_BARBICAN_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_CEILOMETER_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_CEILOMETER_SECRET=PASSWORD\n',
-            'OVERCLOUD_CEPH_ADMIN_KEY=CEPHX_KEY\n',
-            'OVERCLOUD_CEPH_CLIENT_KEY=CEPHX_KEY\n',
-            'OVERCLOUD_CEPH_MON_KEY=CEPHX_KEY\n',
-            'OVERCLOUD_CEPH_RGW_KEY=CEPHX_KEY\n',
-            'OVERCLOUD_CINDER_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_DEMO_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_GLANCE_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_GNOCCHI_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_HAPROXY_STATS_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_HEAT_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_HEAT_STACK_DOMAIN_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_IRONIC_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_KEYSTONE_CREDENTIALS_0=PASSWORD\n',
-            'OVERCLOUD_KEYSTONE_CREDENTIALS_1=PASSWORD\n',
-            'OVERCLOUD_MANILA_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_MISTRAL_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_MYSQL_CLUSTERCHECK_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_NEUTRON_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_NOVA_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_RABBITMQ_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_REDIS_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_SAHARA_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_SWIFT_HASH=PASSWORD\n',
-            'OVERCLOUD_SWIFT_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_TROVE_PASSWORD=PASSWORD\n',
-            'OVERCLOUD_ZAQAR_PASSWORD=PASSWORD\n',
-            'NEUTRON_METADATA_PROXY_SHARED_SECRET=PASSWORD\n',
-        ]
-        mock_open = mock.mock_open(read_data=''.join(PASSWORDS))
-        mock_open.return_value.__iter__ = lambda self: self
-        mock_open.return_value.__next__ = lambda self: self.readline()
-
-        with mock.patch('six.moves.builtins.open', mock_open):
-            passwords = utils.generate_overcloud_passwords()
-
-        generate_password_mock.assert_not_called()
-        self.assertEqual(len(passwords), len(PASSWORDS))
-        for name in utils._PASSWORD_NAMES:
-            self.assertEqual('PASSWORD', passwords[name])
-
-
 class TestCheckHypervisorUtil(TestCase):
    def test_check_hypervisor_stats(self):

@ -460,9 +334,11 @@ class TestCreateOvercloudRC(TestCase):
        tempdir = tempfile.mkdtemp()
        rcfile = os.path.join(tempdir, 'teststackrc')
        rcfile_v3 = os.path.join(tempdir, 'teststackrc.v3')
+        mock_clients = mock.Mock()

        try:
-            utils.create_overcloudrc(stack=stack,
+            utils.create_overcloudrc(clients=mock_clients,
+                                     stack=stack,
                                     no_proxy='127.0.0.1',
                                     config_directory=tempdir)
            rc = open(rcfile, 'rt').read()
--- a/tripleoclient/tests/v1/overcloud_deploy/test_overcloud_deploy.py
+++ b/tripleoclient/tests/v1/overcloud_deploy/test_overcloud_deploy.py
@ -499,11 +499,9 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):

        mock_create_tempest_deployer_input.assert_called_with()

-    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
-                'set_overcloud_passwords', autospec=True)
    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
                '_deploy_tripleo_heat_templates', autospec=True)
-    def test_missing_sat_url(self, mock_deploy_tht, mock_set_ov_passwords):
+    def test_missing_sat_url(self, mock_deploy_tht):

        arglist = ['--templates', '--rhel-reg',
                   '--reg-method', 'satellite', '--reg-org', '123456789',
@ -635,8 +633,6 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):

    @mock.patch('tripleoclient.utils.create_tempest_deployer_input',
                autospec=True)
-    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
-                'set_overcloud_passwords', autospec=True)
    @mock.patch('tripleoclient.utils.create_overcloudrc', autospec=True)
    @mock.patch('tripleoclient.utils.get_overcloud_endpoint', autospec=True)
    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
@ -645,7 +641,6 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
    def test_rhel_reg_params_provided(self, mock_copytree, mock_deploy_tht,
                                      mock_oc_endpoint,
                                      mock_create_ocrc,
-                                      mock_set_oc_passwords,
                                      mock_create_tempest_deployer_input):

        arglist = ['--templates', '--rhel-reg',
@ -950,8 +945,6 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):

    @mock.patch('tripleoclient.utils.create_tempest_deployer_input',
                autospec=True)
-    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
-                'set_overcloud_passwords', autospec=True)
    @mock.patch('tripleoclient.utils.create_overcloudrc', autospec=True)
    @mock.patch('tripleoclient.utils.get_overcloud_endpoint', autospec=True)
    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
@ -959,7 +952,6 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
    def test_dry_run(self, mock_deploy_tht,
                     mock_oc_endpoint,
                     mock_create_ocrc,
-                     mock_set_ov_passwords,
                     mock_create_tempest_deployer_input):

        arglist = ['--templates', '--dry-run']
@ -985,13 +977,10 @@ class TestDeployOvercloud(fakes.TestDeployOvercloud):
    @mock.patch('tripleoclient.utils.get_overcloud_endpoint', autospec=True)
    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
                '_heat_deploy', autospec=True)
-    @mock.patch('tripleoclient.v1.overcloud_deploy.DeployOvercloud.'
-                'set_overcloud_passwords', autospec=True)
    @mock.patch('shutil.copytree', autospec=True)
    @mock.patch('tempfile.mkdtemp', autospec=True)
    @mock.patch('shutil.rmtree', autospec=True)
    def test_answers_file(self, mock_rmtree, mock_tmpdir, mock_copy,
-                          mock_set_overcloud_passwords,
                          mock_heat_deploy,
                          mock_oc_endpoint,
                          mock_create_ocrc,
--- a/tripleoclient/tests/v1/utils.py
+++ b/tripleoclient/tests/v1/utils.py
@ -13,11 +13,40 @@
 #   under the License.
 #

-from tripleoclient import utils
+_EXISTING_PASSWORDS = (
+    'MistralPassword',
+    'BarbicanPassword',
+    'AdminPassword',
+    'CeilometerMeteringSecret',
+    'ZaqarPassword',
+    'NovaPassword',
+    'IronicPassword',
+    'RedisPassword',
+    'SaharaPassword',
+    'AdminToken',
+    'CinderPassword',
+    'GlancePassword',
+    'RabbitPassword',
+    'CephAdminKey',
+    'HAProxyStatsPassword',
+    'TrovePassword',
+    'CeilometerPassword',
+    'GnocchiPassword',
+    'HeatStackDomainAdminPassword',
+    'CephRgwKey',
+    'AodhPassword',
+    'ManilaPassword',
+    'NeutronMetadataProxySharedSecret',
+    'CephMonKey',
+    'SwiftHashSuffix',
+    'SnmpdReadonlyUserPassword',
+    'SwiftPassword',
+    'HeatPassword',
+    'MysqlClustercheckPassword',
+    'CephClientKey',
+    'NeutronPassword',
+)


-def generate_overcloud_passwords_mock():
-    passwords = utils._PASSWORD_NAMES + utils._CEPH_PASSWORD_NAMES + \
-        utils._KEYSTONE_CREDENTIALS_NAME
-
-    return dict((password, 'password') for password in passwords)
+def generate_overcloud_passwords_mock(*args):
+    return dict((password, 'password') for password in _EXISTING_PASSWORDS)
--- a/tripleoclient/utils.py
+++ b/tripleoclient/utils.py
@ -21,13 +21,13 @@ import json
 import logging
 import os
 import os.path
-import passlib.utils as passutils
 import six
 import socket
 import struct
 import subprocess
 import sys
 import time
+import uuid
 import yaml

 from heatclient.common import event_utils
@ -37,91 +37,20 @@ from six.moves import configparser
 from six.moves import urllib

 from tripleoclient import exceptions
-
-_MIN_PASSWORD_SIZE = 25
-_PASSWORD_NAMES = (
-    "OVERCLOUD_ADMIN_PASSWORD",
-    "OVERCLOUD_ADMIN_TOKEN",
-    "OVERCLOUD_AODH_PASSWORD",
-    "OVERCLOUD_BARBICAN_PASSWORD",
-    "OVERCLOUD_CEILOMETER_PASSWORD",
-    "OVERCLOUD_CEILOMETER_SECRET",
-    "OVERCLOUD_CINDER_PASSWORD",
-    "OVERCLOUD_DEMO_PASSWORD",
-    "OVERCLOUD_GLANCE_PASSWORD",
-    "OVERCLOUD_GNOCCHI_PASSWORD",
-    "OVERCLOUD_HAPROXY_STATS_PASSWORD",
-    "OVERCLOUD_HEAT_PASSWORD",
-    "OVERCLOUD_HEAT_STACK_DOMAIN_PASSWORD",
-    "OVERCLOUD_IRONIC_PASSWORD",
-    "OVERCLOUD_MANILA_PASSWORD",
-    "OVERCLOUD_MISTRAL_PASSWORD",
-    "OVERCLOUD_MYSQL_CLUSTERCHECK_PASSWORD",
-    "OVERCLOUD_NEUTRON_PASSWORD",
-    "OVERCLOUD_NOVA_PASSWORD",
-    "OVERCLOUD_RABBITMQ_PASSWORD",
-    "OVERCLOUD_REDIS_PASSWORD",
-    "OVERCLOUD_SAHARA_PASSWORD",
-    "OVERCLOUD_SWIFT_HASH",
-    "OVERCLOUD_SWIFT_PASSWORD",
-    "OVERCLOUD_TROVE_PASSWORD",
-    "OVERCLOUD_ZAQAR_PASSWORD",
-    "NEUTRON_METADATA_PROXY_SHARED_SECRET"
-)
-_CEPH_PASSWORD_NAMES = (
-    "OVERCLOUD_CEPH_MON_KEY",
-    "OVERCLOUD_CEPH_ADMIN_KEY",
-    "OVERCLOUD_CEPH_CLIENT_KEY",
-    "OVERCLOUD_CEPH_RGW_KEY"
-)
-
-_KEYSTONE_CREDENTIALS_NAME = (
-    "OVERCLOUD_KEYSTONE_CREDENTIALS_0",
-    "OVERCLOUD_KEYSTONE_CREDENTIALS_1"
-)
+from tripleoclient.workflows import parameters


-def generate_overcloud_passwords(output_file="tripleo-overcloud-passwords",
-                                 create_password_file=False):
-    """Create the passwords needed for the overcloud
+def generate_overcloud_passwords(clients, plan_name):
+    """Retrieve passwords needed for the overcloud

-    This will create the set of passwords required by the overcloud, store
-    them in the output file path and return a dictionary of passwords. If the
-    file already exists the existing passwords will be returned instead,
+    This will retrieve the set of passwords required by the overcloud stored
+    in the deployment plan and accessible via a workflow.
    """
-
-    log = logging.getLogger(__name__ + ".generate_overcloud_passwords")
-
-    log.debug("Using password file: {0}".format(os.path.abspath(output_file)))
-
-    passwords = {}
-    if os.path.isfile(output_file):
-        with open(output_file) as f:
-            passwords = dict(line.split('=', 1)
-                             for line in f.read().splitlines())
-    elif not create_password_file:
-        raise exceptions.PasswordFileNotFound(
-            "The password file could not be found!")
-
-    for name in _PASSWORD_NAMES:
-        if not passwords.get(name):
-            passwords[name] = passutils.generate_password(
-                size=_MIN_PASSWORD_SIZE)
-
-    # CephX keys aren't random strings
-    for name in _CEPH_PASSWORD_NAMES:
-        if not passwords.get(name):
-            passwords[name] = create_cephx_key()
-
-    for name in _KEYSTONE_CREDENTIALS_NAME:
-        if not passwords.get(name):
-            passwords[name] = create_keystone_credential()
-
-    with open(output_file, 'w') as f:
-        for name, password in passwords.items():
-            f.write("{0}={1}\n".format(name, password))
-
-    return passwords
+    workflow_input = {
+        "container": plan_name,
+        "queue_name": str(uuid.uuid4()),
+    }
+    return parameters.get_overcloud_passwords(clients, **workflow_input)


 def bracket_ipv6(address):
@ -151,7 +80,7 @@ def unbracket_ipv6(address):
    return address


-def create_overcloudrc(stack, no_proxy, config_directory='.'):
+def create_overcloudrc(clients, stack, no_proxy, config_directory='.'):
    """Given proxy settings and stack, create the overcloudrc

    stack: Heat stack containing the deployed overcloud
@ -176,7 +105,8 @@ def create_overcloudrc(stack, no_proxy, config_directory='.'):
                           'SSLContext object is not available"'),
    }
    rc_params.update({
-        'OS_PASSWORD': get_password('OVERCLOUD_ADMIN_PASSWORD'),
+        'OS_PASSWORD': get_password(clients, stack.stack_name,
+                                    'AdminPassword'),
        'OS_AUTH_URL': overcloud_endpoint,
    })

@ -502,14 +432,14 @@ def get_endpoint(key, stack):
 __password_cache = None


-def get_password(pass_name):
-    """Retrieve a password by name, such as 'OVERCLOUD_ADMIN_PASSWORD'.
+def get_password(clients, plan_name, pass_name):
+    """Retrieve a password by name, such as 'AdminPassword'.

    Raises KeyError if password does not exist.
    """
    global __password_cache
    if __password_cache is None:
-        __password_cache = generate_overcloud_passwords()
+        __password_cache = generate_overcloud_passwords(clients, plan_name)
    return __password_cache[pass_name]


--- a/tripleoclient/v1/overcloud_deploy.py
+++ b/tripleoclient/v1/overcloud_deploy.py
@ -55,78 +55,11 @@ class DeployOvercloud(command.Command):
    predeploy_errors = 0
    predeploy_warnings = 0

-    def set_overcloud_passwords(self, stack_is_new, parameters):
-        """Add passwords to the parameters dictionary
-
-        :param parameters: A dictionary for the passwords to be added to
-        :type parameters: dict
-        """
-
-        undercloud_ceilometer_snmpd_password = utils.get_config_value(
-            "auth", "undercloud_ceilometer_snmpd_password")
-        if not undercloud_ceilometer_snmpd_password:
-            self.log.warning("Undercloud ceilometer SNMPd password missing!")
-
-        passwords = utils.generate_overcloud_passwords(
-            create_password_file=stack_is_new)
-
-        ceilometer_pass = passwords['OVERCLOUD_CEILOMETER_PASSWORD']
-        ceilometer_secret = passwords['OVERCLOUD_CEILOMETER_SECRET']
-        parameters['AdminPassword'] = passwords['OVERCLOUD_ADMIN_PASSWORD']
-        parameters['AdminToken'] = passwords['OVERCLOUD_ADMIN_TOKEN']
-        parameters['AodhPassword'] = passwords['OVERCLOUD_AODH_PASSWORD']
-        parameters['BarbicanPassword'] = (
-            passwords['OVERCLOUD_BARBICAN_PASSWORD'])
-        parameters['CeilometerPassword'] = ceilometer_pass
-        parameters['CeilometerMeteringSecret'] = ceilometer_secret
-        parameters['CinderPassword'] = passwords[
-            'OVERCLOUD_CINDER_PASSWORD']
-        parameters['GlancePassword'] = passwords[
-            'OVERCLOUD_GLANCE_PASSWORD']
-        parameters['GnocchiPassword'] = passwords['OVERCLOUD_GNOCCHI_PASSWORD']
-        parameters['HAProxyStatsPassword'] = passwords[
-            'OVERCLOUD_HAPROXY_STATS_PASSWORD']
-        parameters['HeatPassword'] = passwords['OVERCLOUD_HEAT_PASSWORD']
-        parameters['HeatStackDomainAdminPassword'] = passwords[
-            'OVERCLOUD_HEAT_STACK_DOMAIN_PASSWORD']
-        parameters['IronicPassword'] = passwords['OVERCLOUD_IRONIC_PASSWORD']
-        parameters['MistralPassword'] = passwords['OVERCLOUD_MISTRAL_PASSWORD']
-        parameters['MysqlClustercheckPassword'] = passwords[
-            'OVERCLOUD_MYSQL_CLUSTERCHECK_PASSWORD']
-        parameters['NeutronPassword'] = passwords[
-            'OVERCLOUD_NEUTRON_PASSWORD']
-        parameters['NovaPassword'] = passwords['OVERCLOUD_NOVA_PASSWORD']
-        parameters['RabbitPassword'] = passwords['OVERCLOUD_RABBITMQ_PASSWORD']
-        parameters['RedisPassword'] = passwords['OVERCLOUD_REDIS_PASSWORD']
-        parameters['SaharaPassword'] = (
-            passwords['OVERCLOUD_SAHARA_PASSWORD'])
-        parameters['SwiftHashSuffix'] = passwords['OVERCLOUD_SWIFT_HASH']
-        parameters['SwiftPassword'] = passwords['OVERCLOUD_SWIFT_PASSWORD']
-        parameters['SnmpdReadonlyUserPassword'] = (
-            undercloud_ceilometer_snmpd_password)
-        parameters['TrovePassword'] = (
-            passwords['OVERCLOUD_TROVE_PASSWORD'])
-        parameters['ZaqarPassword'] = passwords['OVERCLOUD_ZAQAR_PASSWORD']
-        parameters['ManilaPassword'] = passwords['OVERCLOUD_MANILA_PASSWORD']
-        parameters['NeutronMetadataProxySharedSecret'] = (
-            passwords['NEUTRON_METADATA_PROXY_SHARED_SECRET'])
-        parameters['CephMonKey'] = passwords['OVERCLOUD_CEPH_MON_KEY']
-        parameters['CephAdminKey'] = passwords['OVERCLOUD_CEPH_ADMIN_KEY']
-        parameters['CephClientKey'] = passwords['OVERCLOUD_CEPH_CLIENT_KEY']
-        parameters['CephRgwKey'] = passwords['OVERCLOUD_CEPH_RGW_KEY']
-        parameters['KeystoneCredential0'] = passwords[
-            'OVERCLOUD_KEYSTONE_CREDENTIALS_0']
-        parameters['KeystoneCredential1'] = passwords[
-            'OVERCLOUD_KEYSTONE_CREDENTIALS_1']
-
    def _update_parameters(self, args, network_client, stack):
        parameters = {}

        stack_is_new = stack is None

-        self.log.debug("Generating overcloud passwords")
-        self.set_overcloud_passwords(stack_is_new, parameters)
-
        timestamp = int(time.time())
        parameters['DeployIdentifier'] = timestamp
        parameters['UpdateIdentifier'] = ''
@ -578,7 +511,7 @@ class DeployOvercloud(command.Command):

        keystone_client = clients.get_keystone_client(
            'admin',
-            utils.get_password('OVERCLOUD_ADMIN_PASSWORD'),
+            utils.get_password(stack.stack_name, 'AdminPassword'),
            'admin',
            overcloud_endpoint)

@ -616,11 +549,13 @@ class DeployOvercloud(command.Command):
                admin_port = endpoint_map.get('KeystoneAdmin').get('port')
                internal_port = endpoint_map.get(
                    'KeystoneInternal').get('port')
+
+            # TODO(rbrady): check usages of get_password
            keystone.initialize(
                keystone_admin_ip,
-                utils.get_password('OVERCLOUD_ADMIN_TOKEN'),
+                utils.get_password(stack.stack_name, 'AdminToken'),
                'admin@example.com',
-                utils.get_password('OVERCLOUD_ADMIN_PASSWORD'),
+                utils.get_password(stack.stack_name, 'AdminPassword'),
                ssl=keystone_tls_host,
                public=overcloud_ip_or_fqdn,
                user=parsed_args.overcloud_ssh_user,
@ -670,8 +605,8 @@ class DeployOvercloud(command.Command):
        service_data = {}
        password_field = data.get('password_field')
        if password_field:
-            service_data['password'] = utils.get_password(
-                password_field)
+            service_data['password'] = utils.get_password(stack.stack_name,
+                                                          password_field)

        # Set internal endpoint
        service_name_internal = self._format_endpoint_name(service, 'internal')
@ -1226,7 +1161,7 @@ class DeployOvercloud(command.Command):
        # Force fetching of attributes
        stack.get()

-        utils.create_overcloudrc(stack, parsed_args.no_proxy)
+        utils.create_overcloudrc(clients, stack, parsed_args.no_proxy)
        utils.create_tempest_deployer_input()

        # Run postconfig on create or force. Use force to makes sure endpoints
--- a/tripleoclient/workflows/parameters.py
+++ b/tripleoclient/workflows/parameters.py
@ -21,3 +21,27 @@ def update_parameters(workflow_client, **input_):
 def reset_parameters(workflow_client, **input_):
    return base.call_action(workflow_client, 'tripleo.parameters.reset',
                            **input_)
+
+
+def get_overcloud_passwords(clients, **workflow_input):
+    """Retrieves overcloud passwords from a plan via a workflow
+
+    :param clients:
+    :param workflow_input:
+    :return:
+    """
+
+    workflow_client = clients.workflow_engine
+    tripleoclients = clients.tripleoclient
+    queue_name = workflow_input['queue_name']
+
+    execution = base.start_workflow(
+        workflow_client,
+        'tripleo.plan_management.v1.get_passwords',
+        workflow_input=workflow_input
+    )
+
+    with tripleoclients.messaging_websocket(queue_name) as ws:
+        message = ws.wait_for_message(execution.id)
+        assert message['status'] == "SUCCESS"
+        return message['message']