Remove unsafe "unset" defaults
All of our sensitive parameters are defaulted to easily predictable values, which is very bad from a security perspective because we don't force clients to make sane choices and thus risk deploying with the predictable default values. tripleoclient supports generating random values for all of these, so remove the defaults; for non-tripleoclient usage we can create a developer-only environment with defaults.

Related-Bug: #1516027
Change-Id: Ia0cf3b7e2de1aa42cf179cba195fb7770a1fc21c
Depends-On: Ifb34b43fdedc55ad220df358c3ccc31e3c2e7c14
This commit is contained in:
parent
99bd9970d6
commit
293f19b2a4
@ -13,7 +13,6 @@ parameters:
|
|||||||
|
|
||||||
# Common parameters (not specific to a role)
|
# Common parameters (not specific to a role)
|
||||||
AdminPassword:
|
AdminPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
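Review bot: Dropping `default: unset` from AdminPassword makes the parameter mandatory, so a caller that omits it now fails at Heat's parameter validation ("The Parameter (AdminPassword) was not provided") instead of deploying a keystone admin account with a guessable password; that is the right failure mode. The commit message, however, promises a developer-only environment file with defaults for non-tripleoclient users, and this change consists only of removals, so either add that environment here or reference the follow-up change alongside the existing Depends-On so the chain is complete.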
@ -22,12 +21,10 @@ parameters:
|
|||||||
description: The ceilometer backend type.
|
description: The ceilometer backend type.
|
||||||
type: string
|
type: string
|
||||||
CeilometerMeteringSecret:
|
CeilometerMeteringSecret:
|
||||||
default: unset
|
|
||||||
description: Secret shared by the ceilometer services.
|
description: Secret shared by the ceilometer services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
CeilometerPassword:
|
CeilometerPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the ceilometer service account.
|
description: The password for the ceilometer service account.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
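Review bot: CeilometerMeteringSecret is a shared secret used to sign metering messages between the ceilometer services, not a per-account password, so a predictable default here meant anyone who knew it could produce messages the collector would accept. Removing the default is correct; since the value must now be supplied explicitly, consider extending the description to say it has to be identical on every node running ceilometer services, otherwise a deployer providing it per role could end up with agents whose messages are rejected.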
@ -138,7 +135,6 @@ parameters:
|
|||||||
description: The tenant network type for Neutron, either gre or vxlan.
|
description: The tenant network type for Neutron, either gre or vxlan.
|
||||||
type: string
|
type: string
|
||||||
NeutronPassword:
|
NeutronPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the neutron service account, used by neutron agents.
|
description: The password for the neutron service account, used by neutron agents.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -169,7 +165,6 @@ parameters:
|
|||||||
description: Whether to configure Neutron Distributed Virtual Routers
|
description: Whether to configure Neutron Distributed Virtual Routers
|
||||||
type: string
|
type: string
|
||||||
NeutronMetadataProxySharedSecret:
|
NeutronMetadataProxySharedSecret:
|
||||||
default: 'unset'
|
|
||||||
description: Shared secret to prevent spoofing
|
description: Shared secret to prevent spoofing
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
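Review bot: The quoted `'unset'` here versus the bare `unset` elsewhere is only a YAML spelling difference, both yield the same string, so this removal is needed just as much as the others. The description already says "Shared secret to prevent spoofing": nova-api uses this value to verify the signature the metadata proxy puts on each instance-id header, so with a known default that verification offered no protection at all. Worth calling out in the commit message as the parameter where the predictable default had the most direct security consequence.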
@ -227,7 +222,6 @@ parameters:
|
|||||||
default: 1
|
default: 1
|
||||||
description: The number of neutron dhcp agents to schedule per network
|
description: The number of neutron dhcp agents to schedule per network
|
||||||
NovaPassword:
|
NovaPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the nova service account, used by nova-api.
|
description: The password for the nova service account, used by nova-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -279,7 +273,6 @@ parameters:
|
|||||||
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
SnmpdReadonlyUserPassword:
|
SnmpdReadonlyUserPassword:
|
||||||
default: unset
|
|
||||||
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
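Review bot: SnmpdReadonlyUserPassword is declared in every role template touched by this change, and the description says the user runs "on all Overcloud nodes", so once the default is gone each template must receive the same value or monitoring will only be able to authenticate against some nodes. Rather than relying on deployers to repeat it, have the top-level template accept it once and pass it down to each role, and say so in the description.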
@ -298,7 +291,6 @@ parameters:
|
|||||||
|
|
||||||
# Controller-specific params
|
# Controller-specific params
|
||||||
AdminToken:
|
AdminToken:
|
||||||
default: unset
|
|
||||||
description: The keystone auth secret.
|
description: The keystone auth secret.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
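Review bot: AdminToken is the keystone admin_token, which bypasses normal authentication entirely rather than granting one account's access, so a predictable default here was the most serious of the set and this removal deserves a separate mention in the commit message. Since the value is now required, also consider documenting that it should be rotated or the admin_token middleware disabled once the bootstrap is done, as the description currently only calls it "The keystone auth secret."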
@ -319,7 +311,6 @@ parameters:
|
|||||||
CinderEnableNfsBackend is true.
|
CinderEnableNfsBackend is true.
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
CinderPassword:
|
CinderPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the cinder service account, used by cinder-api.
|
description: The password for the cinder service account, used by cinder-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -416,7 +407,6 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: noop
|
default: noop
|
||||||
GlancePassword:
|
GlancePassword:
|
||||||
default: unset
|
|
||||||
description: The password for the glance service account, used by the glance services.
|
description: The password for the glance service account, used by the glance services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -428,14 +418,12 @@ parameters:
|
|||||||
constraints:
|
constraints:
|
||||||
- allowed_values: ['swift', 'file', 'rbd']
|
- allowed_values: ['swift', 'file', 'rbd']
|
||||||
HeatPassword:
|
HeatPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the Heat service account, used by the Heat services.
|
description: The password for the Heat service account, used by the Heat services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
HeatStackDomainAdminPassword:
|
HeatStackDomainAdminPassword:
|
||||||
description: Password for heat_domain_admin user.
|
description: Password for heat_domain_admin user.
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
|
||||||
hidden: true
|
hidden: true
|
||||||
InstanceNameTemplate:
|
InstanceNameTemplate:
|
||||||
default: 'instance-%08x'
|
default: 'instance-%08x'
|
||||||
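Review bot: HeatStackDomainAdminPassword used `default: ''` rather than `unset`, so the previous behaviour was an empty password, not a predictable one. Check that the heat configuration this parameter feeds did not treat the empty string as "domain setup not configured"; if it did, removing the default changes semantics for callers that relied on the empty value, and that should be stated in the message. InstanceNameTemplate in the trailing context is unrelated and correctly left alone.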
@ -515,12 +503,10 @@ parameters:
|
|||||||
This should be int_public when a VLAN is being used.
|
This should be int_public when a VLAN is being used.
|
||||||
type: string
|
type: string
|
||||||
SwiftHashSuffix:
|
SwiftHashSuffix:
|
||||||
default: unset
|
|
||||||
description: A random string to be used as a salt when hashing to determine mappings in the ring.
|
description: A random string to be used as a salt when hashing to determine mappings in the ring.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
SwiftPassword:
|
SwiftPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the swift service account, used by the swift proxy services.
|
description: The password for the swift service account, used by the swift proxy services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
@ -17,7 +17,6 @@ parameters:
|
|||||||
description: The size of the loopback file used by the cinder LVM driver.
|
description: The size of the loopback file used by the cinder LVM driver.
|
||||||
type: number
|
type: number
|
||||||
CinderPassword:
|
CinderPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the cinder service and db account, used by cinder-api.
|
description: The password for the cinder service and db account, used by cinder-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -70,7 +69,6 @@ parameters:
|
|||||||
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
SnmpdReadonlyUserPassword:
|
SnmpdReadonlyUserPassword:
|
||||||
default: unset
|
|
||||||
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
@ -5,7 +5,6 @@ description: >
|
|||||||
|
|
||||||
parameters:
|
parameters:
|
||||||
AdminPassword:
|
AdminPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -16,12 +15,10 @@ parameters:
|
|||||||
constraints:
|
constraints:
|
||||||
- allowed_values: ['', Present]
|
- allowed_values: ['', Present]
|
||||||
CeilometerMeteringSecret:
|
CeilometerMeteringSecret:
|
||||||
default: unset
|
|
||||||
description: Secret shared by the ceilometer services.
|
description: Secret shared by the ceilometer services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
CeilometerPassword:
|
CeilometerPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the ceilometer service account.
|
description: The password for the ceilometer service account.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -110,7 +107,6 @@ parameters:
|
|||||||
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
|
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
NeutronPassword:
|
NeutronPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the neutron service account, used by neutron agents.
|
description: The password for the neutron service account, used by neutron agents.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -147,7 +143,6 @@ parameters:
|
|||||||
default: 'False'
|
default: 'False'
|
||||||
type: string
|
type: string
|
||||||
NeutronMetadataProxySharedSecret:
|
NeutronMetadataProxySharedSecret:
|
||||||
default: 'unset'
|
|
||||||
description: Shared secret to prevent spoofing
|
description: Shared secret to prevent spoofing
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -212,7 +207,6 @@ parameters:
|
|||||||
description: Whether to enable or not the Rbd backend for Nova
|
description: Whether to enable or not the Rbd backend for Nova
|
||||||
type: boolean
|
type: boolean
|
||||||
NovaPassword:
|
NovaPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the nova service account, used by nova-api.
|
description: The password for the nova service account, used by nova-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -258,7 +252,6 @@ parameters:
|
|||||||
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
SnmpdReadonlyUserPassword:
|
SnmpdReadonlyUserPassword:
|
||||||
default: unset
|
|
||||||
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
@ -10,12 +10,10 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
AdminPassword:
|
AdminPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
description: The password for the keystone admin account, used for monitoring, querying neutron etc.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
AdminToken:
|
AdminToken:
|
||||||
default: unset
|
|
||||||
description: The keystone auth secret and db password.
|
description: The keystone auth secret and db password.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -27,12 +25,10 @@ parameters:
|
|||||||
description: The ceilometer backend type.
|
description: The ceilometer backend type.
|
||||||
type: string
|
type: string
|
||||||
CeilometerMeteringSecret:
|
CeilometerMeteringSecret:
|
||||||
default: unset
|
|
||||||
description: Secret shared by the ceilometer services.
|
description: Secret shared by the ceilometer services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
CeilometerPassword:
|
CeilometerPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the ceilometer service and db account.
|
description: The password for the ceilometer service and db account.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -72,7 +68,6 @@ parameters:
|
|||||||
CinderEnableNfsBackend is true.
|
CinderEnableNfsBackend is true.
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
CinderPassword:
|
CinderPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the cinder service and db account, used by cinder-api.
|
description: The password for the cinder service and db account, used by cinder-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -170,7 +165,6 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
GlancePassword:
|
GlancePassword:
|
||||||
default: unset
|
|
||||||
description: The password for the glance service and db account, used by the glance services.
|
description: The password for the glance service and db account, used by the glance services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -210,14 +204,12 @@ parameters:
|
|||||||
description: Syslog address where HAproxy will send its log
|
description: Syslog address where HAproxy will send its log
|
||||||
type: string
|
type: string
|
||||||
HeatPassword:
|
HeatPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the Heat service and db account, used by the Heat services.
|
description: The password for the Heat service and db account, used by the Heat services.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
HeatStackDomainAdminPassword:
|
HeatStackDomainAdminPassword:
|
||||||
description: Password for heat_domain_admin user.
|
description: Password for heat_domain_admin user.
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
|
||||||
hidden: true
|
hidden: true
|
||||||
HeatAuthEncryptionKey:
|
HeatAuthEncryptionKey:
|
||||||
description: Auth encryption key for heat-engine
|
description: Auth encryption key for heat-engine
|
||||||
@ -367,7 +359,6 @@ parameters:
|
|||||||
description: Whether to configure Neutron Distributed Virtual Routers
|
description: Whether to configure Neutron Distributed Virtual Routers
|
||||||
type: string
|
type: string
|
||||||
NeutronMetadataProxySharedSecret:
|
NeutronMetadataProxySharedSecret:
|
||||||
default: 'unset'
|
|
||||||
description: Shared secret to prevent spoofing
|
description: Shared secret to prevent spoofing
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -430,7 +421,6 @@ parameters:
|
|||||||
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
|
VLAN on the 'datacentre' physical network (See NeutronBridgeMappings).
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
NeutronPassword:
|
NeutronPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the neutron service and db account, used by neutron agents.
|
description: The password for the neutron service and db account, used by neutron agents.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -482,7 +472,6 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
NovaPassword:
|
NovaPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the nova service and db account, used by nova-api.
|
description: The password for the nova service and db account, used by nova-api.
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -542,12 +531,10 @@ parameters:
|
|||||||
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
SnmpdReadonlyUserPassword:
|
SnmpdReadonlyUserPassword:
|
||||||
default: unset
|
|
||||||
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
SwiftHashSuffix:
|
SwiftHashSuffix:
|
||||||
default: unset
|
|
||||||
description: A random string to be used as a salt when hashing to determine mappings
|
description: A random string to be used as a salt when hashing to determine mappings
|
||||||
in the ring.
|
in the ring.
|
||||||
hidden: true
|
hidden: true
|
||||||
@ -565,7 +552,6 @@ parameters:
|
|||||||
description: Partition Power to use when building Swift rings
|
description: Partition Power to use when building Swift rings
|
||||||
type: number
|
type: number
|
||||||
SwiftPassword:
|
SwiftPassword:
|
||||||
default: unset
|
|
||||||
description: The password for the swift service account, used by the swift proxy
|
description: The password for the swift service account, used by the swift proxy
|
||||||
services.
|
services.
|
||||||
hidden: true
|
hidden: true
|
||||||
|
@ -7,7 +7,6 @@ parameters:
|
|||||||
constraints:
|
constraints:
|
||||||
- custom_constraint: nova.flavor
|
- custom_constraint: nova.flavor
|
||||||
HashSuffix:
|
HashSuffix:
|
||||||
default: unset
|
|
||||||
description: A random string to be used as a salt when hashing to determine mappings
|
description: A random string to be used as a salt when hashing to determine mappings
|
||||||
in the ring.
|
in the ring.
|
||||||
hidden: true
|
hidden: true
|
||||||
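Review bot: HashSuffix here and SwiftHashSuffix in the controller template carry the same description and both end up as swift_hash_path_suffix, which must be identical on every Swift node or ring lookups diverge. With both defaults removed nothing keeps them in sync by accident any more, so either derive one from the other in the parent template or state the requirement in both descriptions. Also worth noting in the description that this value cannot be changed after the rings are built, since it determines object placement.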
@ -40,7 +39,6 @@ parameters:
|
|||||||
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user name for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
SnmpdReadonlyUserPassword:
|
SnmpdReadonlyUserPassword:
|
||||||
default: unset
|
|
||||||
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
description: The user password for SNMPd with readonly rights running on all Overcloud nodes
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|