Manage legacy OS::TripleO::RandomString resources in constants

Instead of generated OS::TripleO::RandomString from the Heat Template,
make the password generated among other passwords so we can re-use the
data across undercloud-container re-install or updates, when Heat and
environments are re-generated.

Note: it keeps the same password constraints as it was in THT.

Co-Authored-By: Dan Prince <dprince@redhat.com>
Co-Authored-By: Martin André <m.andre@redhat.com>
Change-Id: I9da2220ce5635d06c2ca9a21bd07eb2b6ee50aaa
Related-Bug: #1736779

releasenotes/notes/passwords-79661a3f27a33528.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    HeatAuthEncryptionKey, HorizonSecret, MysqlRootPassword, PcsdPassword
+    and RabbitCookie are now generated by tripleo-common among other
+    passwords managed by TripleO. If existing version of these parameters
+    have been generated by the Heat stack we first harvest those before
+    generating new version.

tripleo_common/actions/parameters.py

@@ -202,6 +202,18 @@ class GeneratePasswordsAction(base.TripleOAction):
         try:
             stack_env = heat.stacks.environment(
                 stack_id=self.container)
+
+            # legacy heat resource names from overcloud.yaml
+            # We don't modify these to avoid changing defaults
+            for pw_res in constants.LEGACY_HEAT_PASSWORD_RESOURCE_NAMES:
+                try:
+                    res = heat.resources.get(self.container, pw_res)
+                    param_defaults = stack_env.get('parameter_defaults', {})
+                    param_defaults[pw_res] = res.attributes['value']
+                except heat_exc.HTTPNotFound:
+                    LOG.debug('Heat resouce not found: %s' % pw_res)
+                    pass
+
         except heat_exc.HTTPNotFound:
             stack_env = None
 

tripleo_common/constants.py

@@ -82,8 +82,10 @@ PASSWORD_PARAMETER_NAMES = (
     'GlancePassword',
     'GnocchiPassword',
     'HAProxyStatsPassword',
+    'HeatAuthEncryptionKey',
     'HeatPassword',
     'HeatStackDomainAdminPassword',
+    'HorizonSecret',
     'IronicPassword',
     'LibvirtTLSPassword',
     'KeystoneCredential0',
@@ -94,6 +96,7 @@ PASSWORD_PARAMETER_NAMES = (
     'ManilaPassword',
     'MistralPassword',
     'MysqlClustercheckPassword',
+    'MysqlRootPassword',
     'NeutronMetadataProxySharedSecret',
     'NeutronPassword',
     'NovaPassword',
@@ -103,6 +106,8 @@ PASSWORD_PARAMETER_NAMES = (
     'OctaviaPassword',
     'PacemakerRemoteAuthkey',
     'PankoPassword',
+    'PcsdPassword',
+    'RabbitCookie',
     'RabbitPassword',
     'RedisPassword',
     'SaharaPassword',
@@ -113,6 +118,14 @@ PASSWORD_PARAMETER_NAMES = (
     'TrovePassword',
     'ZaqarPassword',
 )
+# List of legacy resource names from overcloud.yaml
+LEGACY_HEAT_PASSWORD_RESOURCE_NAMES = (
+    'HeatAuthEncryptionKey',
+    'HorizonSecret',
+    'MysqlRootPassword',
+    'PcsdPassword',
+    'RabbitCookie',
+)
 
 PLAN_NAME_PATTERN = '^[a-zA-Z0-9-]+$'
 

tripleo_common/tests/actions/test_parameters.py

@@ -31,6 +31,11 @@ _EXISTING_PASSWORDS = {
     'CeilometerMeteringSecret': 'CbHTGK4md4Cc8P8ZyzTns6wry',
     'ZaqarPassword': 'bbFgCTFbAH8vf9n3xvZCP8aMR',
     'NovaPassword': '7dZATgVPwD7Ergs9kTTDMCr7F',
+    'MysqlRootPassword': 'VqJYpEdKks',
+    'RabbitCookie': 'BqJYpEdKksAqJYpEdKks',
+    'HeatAuthEncryptionKey': '9xZXehsKc2HbmFFMKjuqxTJHn',
+    'PcsdPassword': 'KjEzeitus8eu751a',
+    'HorizonSecret': 'mjEzeitus8eu751B',
     'NovajoinPassword': '7dZATgVPwD7Ergs9kTTDMCr7F',
     'IronicPassword': '4hFDgn9ANeVfuqk84pHpD4ksa',
     'RedisPassword': 'xjj3QZDcUQmU6Q7NzWBHRUhGd',
@@ -419,6 +424,11 @@ class GeneratePasswordsActionTest(base.TestCase):
         mock_orchestration.stacks.environment.return_value = {
             'parameter_defaults': {}
         }
+        mock_resource = mock.MagicMock()
+        mock_resource.attributes = {
+            'value': 'existing_value'
+        }
+        mock_orchestration.resources.get.return_value = mock_resource
         mock_get_orchestration_client.return_value = mock_orchestration
 
         action = parameters.GeneratePasswordsAction()
@@ -427,6 +437,14 @@ class GeneratePasswordsActionTest(base.TestCase):
         for password_param_name in constants.PASSWORD_PARAMETER_NAMES:
             self.assertTrue(password_param_name in result,
                             "%s is not in %s" % (password_param_name, result))
+
+            if password_param_name in \
+                    constants.LEGACY_HEAT_PASSWORD_RESOURCE_NAMES:
+                self.assertEqual(result[password_param_name], 'existing_value')
+            else:
+                self.assertNotEqual(result[password_param_name],
+                                    'existing_value')
+
         mock_cache.assert_called_once_with(
             mock_ctx,
             "overcloud",

tripleo_common/utils/passwords.py

@@ -75,6 +75,21 @@ def generate_passwords(mistralclient=None, stack_env=None):
             passwords[name] = create_ssh_keypair()
         elif name == 'BarbicanSimpleCryptoKek':
             passwords[name] = create_keystone_credential()
+        elif name.startswith("MysqlRootPassword"):
+            passwords[name] = passutils.generate_password(
+                size=10)
+        elif name.startswith("RabbitCookie"):
+            passwords[name] = passutils.generate_password(
+                size=20)
+        elif name.startswith("PcsdPassword"):
+            passwords[name] = passutils.generate_password(
+                size=16)
+        elif name.startswith("HorizonSecret"):
+            passwords[name] = passutils.generate_password(
+                size=10)
+        elif name.startswith("HeatAuthEncryptionKey"):
+            passwords[name] = passutils.generate_password(
+                size=32)
         else:
             passwords[name] = passutils.generate_password(
                 size=_MIN_PASSWORD_SIZE)